Cybersecurity News Headline Updated on 27 June 2020 – Patch Exchange Servers Now, Australia is Under State-Sponsored Cyberattack, and more

The headline on 27 June 2020

Microsoft: Patch Exchange Servers Now. In a recent blog post, the Microsoft Defender ATP Research Team describes an increase in attacks targeting Microsoft Exchange servers. The attacks exploit a critical flaw in the Internet Information Services (IIS) component of Exchange servers. Fixes for the vulnerability have been available since February 2020.

Lion Breweries are Operational Again After Ransomware Attack. Australian beverage company Lion says that all of its breweries are up and running, and that its dairy and juice facilities are operational. Lion suffered a ransomware attack earlier this month.

Maze Ransomware Operators Say They Stole Data From LG Electronics Network. Operators of the Maze ransomware claim they have stolen proprietary data from LG Electronics. They also claim to have encrypted the company’s network. As of Thursday afternoon, June 25, LG has not commented.

Read more in: LG Electronics allegedly hit by Maze ransomware attack

Sodinokibi/REvil Ransomware Group Scanning Compromised Networks for POS Systems. Researchers at Symantec have detected a Sodinokibi/REvil ransomware campaign that, in some cases, also scans infected networks for point-of-sale (POS) software. It is unclear whether the Sodinokibi/REvil operators are seeking to encrypt POS systems or whether they are looking to steal payment card data.

Google Will Enable Auto-Delete for User Data by Default on New Accounts. New Google accounts will now “automatically and continuously” delete user data after 18 months by default. Last year, Google introduced an opt-in data deletion feature; users could choose to have their data deleted after three months or after 18 months. If users already have the feature enabled, their settings will not be changed.

Legislators Introduce Bill Requiring Breakable Encryption. Three US senators have introduced a bill that would compel technology companies to help law enforcement obtain access to encrypted data on their networks when the request is accompanied by a warrant. The bill would apply to both data at rest and data in motion. The bill would not apply to products and services sold and operated outside the US.

Cyberbunker Analysis. Last September, German police raided a Cold War-era nuclear bunker outside of Frankfurt. The facility was being used by “Cyberbunker,” a criminal organization that provided hosting services for various illegal purposes. A few months ago, the Internet Storm Center was able to access the Cyberbunker’s IP address space. SANS.edu graduate student Karim Lalji’s analysis found evidence of various illegal activities, including several botnets with thousands of hosts still trying to reach command-and-control servers months after law enforcement took them down.

Akamai Mitigated Massive Packet-per-Second Based DDoS Attack. In a June 25, 2020 blog post, Akamai writes that it “mitigated the largest packet per second (pps) distributed denial-of-service (DDoS) attack ever recorded on the Akamai platform.” The 809 million packets-per-second attack targeted an unnamed European bank on June 21. The blog also draws a distinction between DDoS attacks measured in bits per second (bps), which aim “to overwhelm the inbound internet pipeline,” and attacks measured in packets per second (pps), which “are largely designed to overwhelm network gear and/or applications in the customer’s data center or cloud environment.”

Lucifer Malware Exploits Multiple Known Windows Vulnerabilities. Malware that has been dubbed Lucifer exploits a number of known high- and critical-severity Windows vulnerabilities, some dating back several years. The malware is multi-faceted: once it infects computers, it uses their resources for crypto mining or for launching distributed denial-of-service attacks.

Ripple20. The 19 vulnerabilities in the Treck TCP/IP stack, known collectively as Ripple20, affect millions of IoT devices. The health care industry appears to have significantly more affected devices than other sectors, according to information from Forescout. The Bleeping Computer article includes a list of vendors with products that are confirmed to be affected by Ripple20.

Suzette Kent is Leaving Government Service. US Federal CIO Suzette Kent has announced that she will leave her government position next month. Kent has served as Federal CIO since January 2018.

Prison Sentence for Botnet Creator. Kenneth Currin Schuchman has been sentenced to 13 months in prison for his role in the creation of numerous Internet-of-Things (IoT)-based botnets. Schuchman had earlier pleaded guilty to violating the Computer Fraud and Abuse Act (CFAA). Two accomplices have been charged with conspiracy to commit fraud in connection with the scheme.

The headline on 24 June 2020

Prime Minister: Australia is Under State-Sponsored Cyberattack. At a press conference on Friday, June 19, Australian Prime Minister Scott Morrison warned that the country’s public sector is under cyberattack from a state-backed actor. The attacks have targeted organizations in a range of sectors, including government, private industry, education, health and essential services, and operators of critical infrastructure. Morrison declined to identify the country he believes is responsible for the attacks. A technical advisory from the Australian Signals Directorate (ASD) describes the “tactics, techniques, and procedures used to target multiple Australian networks.”

Group Posts 269 GB of Data Stolen from US Law Enforcement Databases. A group calling itself Distributed Denial of Secrets has posted 269 gigabytes of police data online. According to a memo from the National Fusion Center Association obtained by Brian Krebs, the data were taken from state-owned and operated law enforcement fusion centers, which serve to coordinate communications between state, local, federal, tribal, territorial, and private law enforcement partners. The memo notes that “Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise.”

VMware Update for macOS. VMware has released an update that addresses a denial-of-service vulnerability in VMware Tools for macOS. The flaw is in the Host-Guest File System implementation. Users should update to VMware Tools for macOS 11.1.1.

Read more in: VMware Tools for macOS update addresses a denial-of-service vulnerability (CVE-2020-3972)

Australia’s Lion Brewery Suffers Another Cyberattack. Australian beverage company Lion, which has been in the process of recovering from a June 8 ransomware attack, reportedly suffered a second cyberattack over the weekend. As a result, the company has shifted its focus from recovery to defense. The company is struggling to meet demands for its beer, dairy, and juice products.

Former FEMA IT Specialist Arrested for Allegedly Hacking University of Pittsburgh Medical Center. The US Department of Justice announced the arrest of Justin Sean Johnson, who was indicted on charges of conspiracy, wire fraud, and aggravated identity theft for his alleged role in a cyberattack against human resources databases at the University of Pittsburgh Medical Center in 2014. Johnson, who was formerly an information technology specialist at the Federal Emergency Management Agency (FEMA), allegedly sold personally identifiable information stolen in that attack.

Crozer-Keystone Health System Suffers Ransomware Attack. The Crozer-Keystone Health System in Philadelphia was recently the victim of a ransomware attack. Operators of the NetWalker ransomware claim to have stolen information from Crozer-Keystone and are threatening to publish it later this week. Crozer-Keystone has taken “necessary systems offline to prevent further risk,” according to an emailed statement from a Crozer-Keystone spokesperson.

Open Letter to Congress Urges It to Save the Open Technology Fund After Head of USAGM is Replaced. Nearly 400 organizations and more than 2,300 individuals have signed a letter asking Congress to preserve funding for the Open Technology Fund (OTF). OTF has received funding from the US Agency for Global Media (USAGM) since 2012. Last week, the current administration replaced the head of USAGM and fired the heads of associated non-profits that USAGM sponsors. OTF’s CEO resigned last week; in her resignation letter, Libby Liu wrote that she had “become aware of lobbying efforts to convince the new USAGM CEO to interfere with the current FY2020 OTF funding stream and redirect some of our resources to a few closed-source circumvention tools.”

Flash End-of-Life is December 31, 2020. Adobe is recommending that users uninstall Flash by the end of this calendar year. Adobe announced in July 2017 that Flash’s planned EOL will be December 31, 2020. After that date, Adobe will no longer distribute or issue updates for the software. “Users will be prompted by Adobe to uninstall Flash Player on their machines later this year and Flash-based content will be blocked from running in Adobe Flash Player after the EOL date.”

Former Defense Intelligence Agency Analyst Sentenced to Prison for Leaking Data. A former analyst for the US Defense Intelligence Agency (DIA) has been sentenced to two-and-a-half years in prison for leaking data to journalists. In February 2020, Henry Kyle Frese pleaded guilty to the willful transmission of Top Secret national defense information. Frese was employed at DIA from February 2018 through October 2019 as a counter-terrorism analyst.

US Government Websites Will Be Accessible Through HTTPS Only After September 1. Starting September 1, 2020, new US government websites (.gov) will be available only through HTTPS. The entire .gov top-level domain (TLD) will eventually be pre-loaded, which means that browsers will automatically use a secure connection when visitors go to a .gov website.

NSO Group Spyware Used to Track Moroccan Journalist, Says Amnesty International. An Amnesty International investigation revealed evidence that spyware made by NSO Group was used to target Moroccan journalist and activist Omar Radi between January 2019 and January 2020. Attacks against Radi’s phone to install the Pegasus spyware occurred on at least three dates. One of the attacks occurred just three days after “NSO Group publicly committed to abiding by the UN Guiding Principles on Business and Human Rights.”
