Cybersecurity News Headline Updated on 27 June 2020 – Patch Exchange Servers Now, Australia is Under State-Sponsored Cyberattack, and more

The headline on 27 June 2020

Microsoft: Patch Exchange Servers Now. In a recent blog post, the Microsoft Defender ATP Research Team describes a recent increase in attacks targeting Microsoft Exchange servers. The attacks exploit a critical flaw in the Internet Information Service (IIS) component of Exchange servers. Fixes for the vulnerability have been available since February 2020.

Read more in:

• Defending Exchange servers under attack
• Microsoft: Patch your Exchange servers, they’re under attack
• Microsoft: Attackers increasingly exploit Exchange servers
• CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Lion Breweries are Operational Again After Ransomware Attack. Australian beverage company Lion says that all of its breweries are up and running, and that it’s dairy and juice facilities are operational. Lion suffered a ransomware attack earlier this month.

Read more in:

• Lion Cyber incident update 26 June 2020
• Lion gets breweries up and running following ransomware attack

Maze Ransomware Operators Say They Stole Data From LG Electronics Network. Operators of the Maze ransomware claim they have stolen proprietary data from LG Electronics. They also claim to have encrypted the company’s network. As of Thursday afternoon, June 25, LG has not commented.

Read more in: LG Electronics allegedly hit by Maze ransomware attack

Sodinokibi/REvil Ransomware Group Scanning Compromised Networks for POS Systems. Researchers at Symantec have detected a Sodinokibi/REvil ransomware campaign that in some cases, also scans infected networks for point-of-sale (POS) software. It is unclear whether the Sodinokibi/REvil operators are seeking to encrypt POS systems or if they are looking to steal payment card data.

Read more in:

• Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
• REvil ransomware scans victim’s network for Point of Sale systems
• Sodinokibi Ransomware Now Scans Networks For PoS Systems

Google Will Enable Auto-Delete for User Data by Default on New Accounts. New Google accounts will now “automatically and continuously” delete user data after 18 months by default. Last year, Google introduced an opt-in data deletion feature; users could choose to have their data deleted after three months or after 18 months. If users already have the feature enabled, their settings will not be changed.

Read more in:

• Keeping your private information private
• Google adds automatic data deletion for new accounts
• Google Will Delete Your Data by Default—in 18 Months

Legislators Introduce Bill Requiring Breakable Encryption. Three US senators have introduced a bill that would compel technology companies to help law enforcement by helping them obtain access to encrypted data on their networks when the request is accompanied by a warrant. The bill would apply to both data at rest and data in motion. The bill would not apply to products and services sold and operated outside the US.

Read more in:

• New Bill Targeting ‘Warrant-Proof’ Encryption Draws Ire
• US Republican Senators develop Bill to end use of ‘warrant-proof’ encryption
• Republicans Who Don’t Understand Encryption Introduce Bill to Break It
• New Bill Takes Direct Aim At Encrypted Devices and Services
• After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors
• Lawful Access to Encrypted Data Act (PDF)

Cyberbunker Analysis. Last September, German police raided a cold-war era nuclear bunker outside of Frankfurt. The facility was being used by “Cyberbunker,” a criminal organization that provided hosting services for various illegal purposes. A few months ago, the Internet Storm Center was able to access the Cyberbunker’s IP address space. SANS.edu graduate student Karim Lalji’s analysis found evidence of various illegal activities including several botnets with thousands of hosts trying to reach command-and-control servers months after law enforcement took them down.

Read more in:

• Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider
• Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute

Akamai Mitigated Massive Packet-per-Second Based DDoS Attack. In a June 25, 2020 blog post, Akamai writes that it “mitigated the largest packet per second (pps) distributed denial-of-service (DDoS) attack ever recorded on the Akamai platform.” The 809 million packets-per-second attacks targeted an unnamed European bank on June 21. The blog also draws a distinction between DDoS attacks measured in bits per second (bps), which aim “to overwhelm the inbound internet pipeline,” and attacks measured in packets per second (pps), which “are largely designed to overwhelm network gear and/or applications in the customer’s data center or cloud environment.”

Read more in:

• Largest Ever Recorded Packet Per Second-Based DDoS Attack Mitigated By Akamai
• European bank suffers biggest PPS DDoS attack, new botnet suspected
• There are DDoS attacks, then there’s this 809 million packet-per-second tsunami Akamai says it just caught
• Two record DDoSes disclosed this week underscore their growing menace

Lucifer Malware Exploits Multiple Known Windows Vulnerabilities. Malware that has been dubbed Lucifer exploits a number of known high and critical severity Windows vulnerabilities, some dating back several years. The malware is multi-faceted: once it infects computers, it uses its resources for crypto mining or for launching distributed denial-of-service attacks.

Read more in:

• Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
• Lucifer Malware Aims to Become Broad Platform for Attacks
• Lucifer: Devilish malware that abuses critical vulnerabilities on Windows machines
• New Lucifer DDoS malware creates a legion of Windows minions

Ripple20. The 19 vulnerabilities in the Treck TCP/IP stack, known collectively as Ripple20, affect millions of IoT devices. The health care industry appears to have significantly more affected devices than other sectors, according to information from Forescout. The Bleeping Computer article includes a list of vendors with products that are confirmed to be affected by Ripple20.

Read more in:

• List of Ripple20 vulnerability advisories, patches, and updates
• Identifying and Protecting Devices Vulnerable to Ripple20

Suzette Kent is Leaving Government Service. US Federal CIO Suzette Kent has announced that she will leave her government position next month. Kent has served as Federal CIO since January 2018.

Read more in:

• Suzette Kent leaving government in July
• Federal CIO Suzette Kent Tells Staff She’s Retiring
• Federal CIO Suzette Kent Stepping Down in July

Prison Sentence for Botnet Creator. Kenneth Currin Schuchman has been sentenced to 13 months in prison for his role in the creation of numerous Internet-of-Things (IoT)-based botnets. Schuchman had earlier pleaded guilty to violating the Computer Fraud and Abuse Act (CFAA). Two accomplices have been charged with conspiracy to commit fraud in connection with the scheme.

Read more in:

• New Charges, Sentencing in Satori IoT Botnet Conspiracy
• DDoS botnet coder gets 13 months in prison
• Washington Man Sentenced for Role in Developing “Mirai” Successor Botnets
• Indictment (PDF)

The headline on 24 June 2020

Prime Minister: Australia is Under State-Sponsored Cyberattack. At a press conference on Friday, June 19, Australian Prime Minister Scott Morrison warned that the country’s public sector is under cyber attack from a state-backed actor. The attacks have targeted organizations in a range of sectors including government, private industry, education, health and essential services, and operators of critical infrastructure. Morrison declined to identify the country he believes is responsible for the attacks. A technical advisory from the Australian Signals Directorate (ASD) describes the “tactics, techniques, and procedures used to target multiple Australian networks.”

Read more in:

• Morrison reveals malicious ‘state-based’ cyber attack on governments, industry
• Australia says the state-based actor is behind the surge of sophisticated cyberattacks
• Australian PM says nation under serious state-run ‘cyber attack’ – Microsoft, Citrix, Telerik UI bugs ‘exploited’
• Advisory 2020-008: Copy-Paste Compromises – tactics, techniques, and procedures used to target multiple Australian networks (PDF)

Group Posts 269 GB of Data Stolen from US Law Enforcement Databases. A group calling itself Distributed Denial of Secrets has posted 269 gigabytes of police data online. According to a memo from the National Fusion Center Association obtained by Brian Krebs, the data were taken from state-owned and operated law enforcement fusion centers, which serve to coordinate communications between state, local, federal, tribal, territorial, private law enforcement partners. The memo notes that “Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise.”

Read more in:

• ‘BlueLeaks’ Exposes Files from Hundreds of Police Departments
• Millions of documents from >200 US police agencies published in “BlueLeaks” trove
• Hack Brief: Anonymous Stole and Leaked a Megatrove of Police Documents
• BlueLeaks: Data from 200 US police departments & fusion centers published online
• ‘Distributed Denial of Secrets’ publishes ‘Blue Leaks,’ a trove of law enforcement records
• ‘BlueLeaks’: Group Releases 270GB of Sensitive Police Documents

VMware Update for macOS. A denial-of-service vulnerability affecting VMware tools for macOS. Updates are available. The flaw is in the Host-Guest File System implementation. Users should update to VMware Tools for macOS 11.1.1.

Read more in: VMware Tools for macOS update addresses a denial-of-service vulnerability (CVE-2020-3972)

Australia’s Lion Brewery Suffers Another Cyberattack. Australian beverage company Lion, which has been in the process of recovering from a June 8 ransomware attack, reportedly suffered a second cyberattack over the weekend. As a result, the company has shifted its focus from recovery to defense. The company is struggling to meet demands for its beer, dairy, and juice products.

Read more in:

• ‘Cyber crisis’ deepens at Lion as the second attack bites beer giant
• Australia’s Lion brewery hit by the second cyber attack as nation staggers under suspected Chinese digital assault
• Lion Cyber incident update 19 June 2020

Former FEMA IT Specialist Arrested for Allegedly Hacking University of Pittsburgh Medical Center. The US Department of Justice announced the arrest of Justin Sean Johnson, who was indicted on charges of conspiracy, wire fraud, and aggravated identity theft for his alleged role in a cyberattack against human resources databases at the University of Pittsburgh Medical Center in 2014. Johnson, who was formerly an information technology specialist at the Federal Emergency Management Agency (FEMA), allegedly sold personally identifiable information stolen in that attack.

Read more in:

• Feds cuff Detroit man for allegedly hacking University of Pittsburgh Medical Center
• FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy
• Hacker arrested for stealing, selling PII of 65K hospital employees
• Michigan Man Arrested for 2014 Hack of UPMC HR Databases and Theft of Employees’ Personal Information
• Indictment filed May 20, 2020 (PDF)

Crozer-Keystone Health System Suffers Ransomware Attack. The Crozer-Keystone Health System in Philadelphia was recently the victim of a ransomware attack. Operators of the NetWalker ransomware claim to have stolen information from Crozer-Keystone and are threatening to publish it later this week. Crozer-Keystone has taken “necessary systems offline to prevent further risk,” according to an emailed statement from a Crozer-Keystone spokesperson.

Read more in:

• Philadelphia-area health system says it ‘isolated’ a malware attack
• NetWalker claims credit for attack on Crozer-Keystone Health System

Open Letter to Congress Urges it to Save the Open Technology Fund After Head of USAGM is Replaced. Nearly 400 organizations and more than 2,300 individuals have signed a letter asking Congress to preserve funding for the Open Technology Fund. OTF has received funding from the US Agency for Global Media (USAGM) since 2012. Last week, the current administration replaced the head of USAGM and fired heads of associated non-profits that USAGM sponsors. OTF’s CEO resigned last week; in her resignation letter, Libby Liu wrote that she had “become aware of lobbying efforts to convince the new USAGM CEO to interfere with the current FY2020 OTF funding stream and redirect some of our resources to a few closed-source circumvention tools.”

Read more in:

• Save Internet Freedom: Support the Open Technology Fund
• CEO of Open Technology Fund Resigns After Closed-Source Lobbying Effort
• 400 organizations sign open letter to save the Open Technology Fund (OTF)

Flash End-of-Life is December 31, 2020. Adobe is recommending that users uninstall Flash by the end of this calendar year. Adobe announced in July 2017 that Flash’s planned EOL will be December 31, 2020. After that date, Adobe will no longer distribute or issue updates for the software. “Users will be prompted by Adobe to uninstall Flash Player on their machines later this year and Flash-based content will be blocked from running in Adobe Flash Player after the EOL date.”

Read more in:

• Adobe Flash Player EOL General Information Page
• Adobe wants users to uninstall Flash Player by the end of the year
• Adobe Prompts Users to Uninstall Flash Player As EOL Date Looms

Former Defense Intelligence Agency Analyst Sentenced to Prison for Leaking Data. A former analyst for the US Defense Intelligence Agency (DIA) has been sentenced to two-and-a-half years in prison for leaking data to journalists. In February 2020, Henry Kyle Frese pleaded guilty to the willful transmission of Top Secret national defense information. Frese was employed at DIA from February 2018 through October 2019 as a counter-terrorism analyst.

Read more in:

• Former DIA Analyst Sentenced to Prison Over Data Leak
• DIA Analyst Jailed for Disclosing Secrets to Journalist Girlfriend
• Former DIA Analyst Sentenced for Leaking Classified Information to Journalists (June 2020)
• Former DIA Employee Pleads Guilty to Leaking Classified National Defense Information to Journalists (February 2020)

US Government Websites Will be Accessible Through HTTPS Only After September 1. Starting September 1, 2020, new US government websites (.gov) will be available only through HTTPS. The entire .gov top-level domain (TLD) will eventually be pre-loaded, which means that site visitors will automatically have a secure connection when they visit a .gov website.

Read more in:

• Making .gov More Secure by Default
• It should be easy to identify governments on the internet.
• US govt to enforce HTTPS on new .gov sites starting September 1