Cybersecurity News Headline Updated on 08 July 2020 – US CYBERCOM: Patch Palo Alto Now!; NSA Guidance Securing IPsec VPNs; macOS Ransomware; MSP Hit by Ransomware, and more

The headline on 08 July 2020

US CYBERCOM Warning on Palo Alto Networks PAN-OS Vulnerability; Patch Now! On June 29, US Cyber Command issued a cybersecurity alert regarding a critical flaw affecting Palo Alto Networks PAN-OS, the operating system that runs on the company’s firewalls and VPN appliances (the SAML authentication bypass described in the 01 July headlines below). The alert urges users to “patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use.” US Cyber Command expects that foreign adversaries will likely begin to exploit the vulnerability soon.

NSA Issues Guidance on Securing IPsec VPNs. The US National Security Agency (NSA) has released guidance to help organizations secure their IPsec virtual private networks (VPNs), which many organizations are now relying on to let employees work from home. The NSA has also released a companion document on configuring IPsec VPNs.

New macOS Ransomware ThiefQuest Found on Torrent Sites. Researchers at Malwarebytes have detected new ransomware that targets devices running macOS. Dubbed ThiefQuest, the ransomware also has spyware capabilities: it can exfiltrate files, search for cryptocurrency wallets and passwords, and log keystrokes. ThiefQuest has been detected bundled with other software on torrent sites.

Managed Service Provider Xchanging Hit by Ransomware. In a Form 8-K filed with the US Securities and Exchange Commission (SEC), DXC Technology disclosed that systems at one of its subsidiaries were hit by a ransomware attack. The subsidiary, Xchanging, is a managed service provider that focuses primarily on the insurance industry but has customers in other sectors as well. According to the filing, “DXC is actively working with affected customers to restore access to their operating environment as quickly as possible.”

Barclays Website Was Loading a JavaScript File from the Internet Archive. The Barclays Bank website appears to have been loading a JavaScript file from the Internet Archive’s Wayback Machine. Besides the availability dependency (if the Internet Archive went down, the Barclays website would break with it), a third-party host outside the bank’s control was effectively part of its software supply chain: whatever that host served would run in customers’ browsers. Barclays has fixed the issue.

Read more in: Barclays Bank appeared to be using the Wayback Machine as a ‘CDN’ for some Javascript
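The check a web team would want after the Barclays incident is an audit of where a page's scripts come from. The following is an added example, not code from the article or from Barclays: it walks the `<script src>` tags of an HTML page, resolves each URL against the page's own origin, and flags scripts served from `web.archive.org`, from hosts outside an allow-list, or without a Subresource Integrity (SRI) hash. The host names and the sample page are constructed placeholders.

```javascript
// Added example (not the article's or Barclays' code): audit the <script src> tags of a page
// and flag scripts loaded from hosts outside an allow-list or without Subresource Integrity.
// The allow-listed host below is an assumed placeholder.
const ALLOWED_SCRIPT_HOSTS = new Set(['static.example-bank.test']);

function auditScriptTags(html, pageUrl, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const pageHost = new URL(pageUrl).host;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (!srcMatch) continue;                       // inline script: out of scope here
    const src = srcMatch[1];
    const { host } = new URL(src, pageUrl);        // resolves relative and protocol-relative URLs
    const hasSri = /\bintegrity\s*=/i.test(attrs);
    if (host === pageHost) continue;               // first-party script
    if (host === 'web.archive.org') {
      findings.push({ src, severity: 'high',
        reason: 'served from the Internet Archive: an outage or a changed archive copy breaks or alters the page' });
    } else if (!allowedHosts.has(host)) {
      findings.push({ src, severity: hasSri ? 'medium' : 'high',
        reason: hasSri ? 'unexpected third-party host (pinned by SRI)' : 'unexpected third-party host without SRI' });
    } else if (!hasSri) {
      findings.push({ src, severity: 'low', reason: 'allow-listed host without SRI' });
    }
  }
  return findings;
}

// Constructed sample page; it is not Barclays' real markup.
const SAMPLE_HTML = `<html><head>
<script src="/assets/app.js"></script>
<script src="https://static.example-bank.test/vendor.js"></script>
<script src="https://web.archive.org/web/2019/https://cdn.example.test/widget.js"></script>
<script src="https://cdn.other.test/analytics.js" integrity="sha384-placeholder"></script>
</head></html>`;

function auditSample() {
  return auditScriptTags(SAMPLE_HTML, 'https://www.example-bank.test/');
}
```

Run `auditSample()` to get three findings for the constructed page: the allow-listed CDN without SRI (low), the Wayback Machine script (high), and an unknown host that at least carries an SRI hash (medium). In a real pipeline the same function would run over rendered pages in CI, and the allow-list would be derived from the Content-Security-Policy `script-src` directive rather than hard-coded.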

F5 Releases Patches for Flaws in BIG-IP Networking Devices; PoC Exploit Code Released. F5 has released fixes to address a critical flaw in its BIG-IP networking equipment that could be exploited to take complete control of vulnerable devices. US Cyber Command tweeted last week that patching this vulnerability is urgent. On Sunday, July 5, CISA Director Christopher Krebs tweeted, “If you didn’t patch by this morning, assume compromised.” Proof-of-concept exploit code for the critical vulnerability, which has been given a CVSS score of 10, has been released, and attackers have begun exploiting it. F5 has also released fixes for a high-severity cross-site scripting vulnerability in the BIG-IP Configuration utility.

European Authorities Infiltrated Encrypted Communication Platform Used by Criminals. Law enforcement authorities in several European countries were able to infiltrate EncroChat, an encrypted communication platform frequented by criminals. Hundreds of people have been arrested; large quantities of luxury items and illegal drugs and nearly EUR 20 million in cash have been seized.

Cisco Fixes XSS Flaw in Small Business VPN Router Firmware. Cisco has released fixes for a cross-site scripting vulnerability that affects two of its small business VPN routers. The flaw is the result of “insufficient validation of user-supplied input by the web-based management interface of the affected software.” The issue affects Cisco Small Business RV042 and RV042G Routers running firmware releases older than 4.2.3.14.

Cisco Releases Firmware Updates for Vulnerability in Small Business Switches. Cisco has released a security update to fix a high-severity flaw in its Small Business Smart and Managed Switches. The vulnerability, which “is due to the use of weak entropy generation for session identifier values,” could be exploited to gain administrator privileges: a session identifier that an attacker can guess or compute is as good as the administrator’s password. The issue is fixed in firmware release 2.5.5.47 for affected products that are still supported.

Apple’s Decision Forces Shortening of Digital Certificate Lifespans. Starting September 1, 2020, Apple software, Chrome, and Firefox will treat newly issued TLS certificates that are valid for more than 398 days as invalid. The change arises from a unilateral decision Apple made earlier this year, bypassing the expected practice of bringing issues like this one to the CA/B Forum, “a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing.” The intent of reducing certificate lifespans is to force websites and apps to obtain new certificates at least every year, so that certificates using the newest cryptographic standards are adopted more quickly and a compromised key stays usable for a shorter time.
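A practitioner's first question is whether their own certificates and issuance pipeline fit the new limit. The following is an added example, not from the article, Apple, or the CA/B Forum: it computes a certificate's validity period from its `notBefore`/`notAfter` dates, applies the 398-day limit only to certificates issued on or after 1 September 2020, and shows how to feed it a real PEM certificate through Node's `crypto.X509Certificate` (Node 15.6 or later). The sample dates in the usage note are constructed.

```javascript
// Added example (not from the article, Apple or the CA/B Forum): check a certificate's validity
// period against the 398-day limit that applies to certificates issued on or after 1 September 2020.
const MAX_LIFETIME_DAYS = 398;
const ENFORCEMENT_START = new Date('2020-09-01T00:00:00Z');
const MS_PER_DAY = 24 * 60 * 60 * 1000;

function lifetimeDays(notBefore, notAfter) {
  return (notAfter.getTime() - notBefore.getTime()) / MS_PER_DAY;
}

function checkCertLifetime(notBefore, notAfter) {
  const days = lifetimeDays(notBefore, notAfter);
  // Certificates issued before the cut-over keep their original lifetime.
  const subjectToRule = notBefore.getTime() >= ENFORCEMENT_START.getTime();
  return {
    days,
    subjectToRule,
    accepted: !subjectToRule || days <= MAX_LIFETIME_DAYS,
  };
}

// Same check on a PEM-encoded certificate; requires Node 15.6+ for crypto.X509Certificate.
// validFrom/validTo are OpenSSL-style date strings, which Date() parses.
function checkPemCert(pem) {
  const { X509Certificate } = require('crypto');
  const cert = new X509Certificate(pem);
  return checkCertLifetime(new Date(cert.validFrom), new Date(cert.validTo));
}
```

With constructed dates, a two-year certificate issued 2020-10-01 comes back with `days: 730, accepted: false`, a 397-day certificate issued the same day is accepted, and a two-year certificate issued 2020-06-01 is accepted because it predates the rule. Most CAs issue 397-day certificates rather than 398 so that the limit is not tripped by time-zone or rounding differences between the issuing CA and the browser's check.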

Microsoft Releases Two Out-of-Cycle Patches for Windows. On June 30, Microsoft released two unscheduled patches to address remote code execution vulnerabilities in the Windows Codecs Library. Microsoft took the unusual step of delivering the fixes through the Microsoft Store rather than through Windows Update. The advisories for the vulnerabilities say, “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update.”

Home Router Study Finds “Alarming” Security Issues. A study of 127 home routers from seven manufacturers found numerous security issues. The Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) in Germany examined each router’s most current firmware, focusing on five security aspects: when the firmware was last updated; which operating system versions are used and how many known flaws they have; which exploit mitigation techniques the vendors use; whether the firmware images contain private cryptographic key material; and whether there are any hard-coded login credentials. Among the report’s findings: 46 of the routers had not had a security update in the past year; some vendors ship firmware updates that still contain known vulnerabilities; and only one of the seven vendors did not publish private cryptographic keys in its firmware.
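Two of the five aspects in the study, private key material and hard-coded credentials, can be checked on any firmware image with a byte-level scan. The following is an added example and is not the FKIE tooling: it scans an image buffer (or an extracted root filesystem concatenated into one) for PEM private-key headers and for `passwd`/`shadow`-style entries whose hash field holds a real hash rather than a locked marker. The sample image is constructed from a few header bytes, fake account lines, and a placeholder key block; none of it is real key material.

```javascript
// Added example, not the FKIE study's tooling: scan a firmware image for two of the study's
// indicators, embedded private keys and hard-coded credentials.
const PRIVATE_KEY_RE = /-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/g;
// passwd/shadow-style lines whose second field is an actual hash ($id$salt$hash or 13-char DES crypt),
// not 'x', '*', '!' or empty, which mean "no usable password here".
const SHADOW_LINE_RE = /^([a-z_][a-z0-9_-]*):(\$[0-9a-z]+\$[^:\n]+|[A-Za-z0-9./]{13}):/gm;

function scanFirmware(imageBuffer) {
  const text = imageBuffer.toString('latin1'); // one char per byte, so offsets stay correct on binary data
  const privateKeys = [];
  const hardcodedCredentials = [];
  let m;
  while ((m = PRIVATE_KEY_RE.exec(text)) !== null) {
    privateKeys.push({ offset: m.index, header: m[0] });
  }
  while ((m = SHADOW_LINE_RE.exec(text)) !== null) {
    hardcodedCredentials.push({ offset: m.index, user: m[1], hash: m[2] });
  }
  return { privateKeys, hardcodedCredentials };
}

// Constructed sample image: a few header bytes, embedded account lines, and a placeholder key block.
const SAMPLE_IMAGE = Buffer.concat([
  Buffer.from([0x27, 0x05, 0x19, 0x56, 0x00, 0x10, 0xff, 0xfe, 0x0a]),
  Buffer.from('root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n'),
  Buffer.from('nobody:*:65534:65534:nobody:/nonexistent:/bin/false\n'),
  Buffer.from('www:x:33:33:www:/var/www:/bin/false\n'),
  Buffer.from('admin:$6$saltsalt$placeholderhashvalue:1000:1000::/home/admin:/bin/sh\n'),
  Buffer.from('-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERNOTAREALKEY==\n-----END RSA PRIVATE KEY-----\n'),
]);

function scanSample() {
  return scanFirmware(SAMPLE_IMAGE);
}
```

On the constructed image `scanSample()` reports one private key and two accounts with real hashes (`root` and `admin`); `nobody` and `www` are skipped because their hash fields are locked. On a real image, run this after unpacking with a firmware extractor so that compressed filesystems are visible, and treat any hit in `privateKeys` as a key that every unit of that model shares and that must be assumed public.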

Top Three Network Intrusion Signatures Used Against Federal Agencies in May 2020. The top three network intrusion signatures detected by the US Department of Homeland Security’s (DHS’s) EINSTEIN intrusion detection system during May 2020 were the NetSupport Manager Remote Access Tool (RAT), legitimate software that is also being delivered in phishing campaigns; the Kovter fileless Trojan; and the XMRig cryptocurrency miner. EINSTEIN gathers and analyzes traffic flowing into and out of federal civilian organizations’ systems and networks.

The headline on 01 July 2020

California’s Top Medical Research University Pays Ransomware Actors. The University of California, San Francisco (UCSF) has paid a ransomware demand of more than $1.4m. A “limited number of servers” at the public health research institution were encrypted by Netwalker ransomware. UCSF disclosed the incident on June 3. BBC News was able to observe a live chat on the dark web in which the UCSF ransom was negotiated.

Hackers are Wiping Old Lenovo/Iomega NAS Devices and Demanding Ransom. Hackers have been breaking into old LenovoEMC/Iomega network-attached storage (NAS) devices, wiping them, and demanding between $200 and $275 in ransom for the return of the data. The attacks targeted NAS devices that exposed their management interface on the Internet with no password protection. Similar attacks were reported a year ago. The LenovoEMC and Iomega NAS lines were discontinued in 2018.

Read more in: A hacker gang is wiping Lenovo NAS devices and asking for ransoms

Magecart Card Skimming Malware Found on Government Websites in Eight US Cities. Researchers at Trend Micro found that local government websites in eight US cities were infected with Magecart card skimming malware. The common factor appears to be that all the affected sites were using the Click2Gov municipal payment software. The attacks began on April 10 and appear to still be active. This is not the first time that Click2Gov has been the target of attacks.

British Tech Companies Urge Reworking Computer Misuse Act. A group of British technology organizations and individuals have signed a letter to Prime Minister Boris Johnson, urging him to act to reform the Computer Misuse Act (CMA). The law was created 30 years ago, when less than one percent of the UK’s population used the Internet and “the concept of cyber security and threat intelligence research did not exist.” The letter also notes that “the CMA inadvertently criminalises a large proportion of modern cyber defence practices.”

Michigan House of Representatives Passes Bill Prohibiting Employers From Requiring Implanted Microchips for Workers. The Michigan State House of Representatives has passed a bill that would prohibit employers from requiring workers to have RFID chips implanted. The measure is proactive; there have not been instances in which employers have actually imposed this requirement. A Wisconsin company has used implantable ID chips for their employees on a voluntary basis. The Microchip Protection Act now heads to the Michigan State Senate for consideration.

Magento 1.x EOL is June 30; Merchants Urged to Upgrade. Magento 1.x will no longer be supported after June 30, 2020. Payment processors are urging merchants to update; Visa informed merchants that failing to update to Magento 2.x will eventually cost them PCI DSS (Payment Card Industry Data Security Standard) compliance. Adobe’s Security Bulletin for Magento updates last week included a reminder: “Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. This will be the final security patches available for these editions.”

Tax Software Required by Chinese Bank Installs Backdoor on Companies’ Systems. At least two western companies opening offices in China were forced to install tax software on their systems; the software has been found to download and install a backdoor. The companies said that a bank in China “required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.” The backdoor, which has been named GoldenSpy, operates with SYSTEM-level privileges.

Cardplanet Operator Aleksei Burkov Sentenced to Nine Years in Prison. Aleksei Burkov has been sentenced to nine years in prison for his role in operating the Cardplanet carding website, which sold payment card information that was used to make millions of dollars in fraudulent transactions. Burkov was arrested in Israel in December 2015; he was extradited to the US in 2019. Earlier this year, he pleaded guilty to access device fraud, conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.

Medvedev Guilty Plea. Sergey Medvedev has pleaded guilty to RICO conspiracy for his role in “an Internet-based cybercriminal enterprise” known as Infraud. The group’s activity resulted in more than $586m in losses. US authorities have indicted 36 people in connection with Infraud.

Cyber Flag 20-2 Participants Used New Remote Cyber Training Tool. US Cyber Command’s Cyber Flag 20-2 training exercise took place earlier this month. More than 500 people participated; there were 17 teams from five countries. For the first time, participants had access to a new remote access training tool. The Persistent Cyber Training Environment (PCTE) “is an online client that allows Cyber Command’s cyber warriors, as well as partner nations, to log on from anywhere in the world to conduct individual or collective cyber training as well as mission rehearsal.” The Cyber Flag exercise is run by US Cyber Command.

Read more in: This training tool could be the answer to stop mass cyberattacks

Palo Alto Networks Fixes Critical Flaw in Firewall Operating System. Palo Alto Networks has released fixes for a critical authentication bypass vulnerability that affects PAN-OS, the operating system used in many of its firewalls. According to the Palo Alto Networks advisory, when “Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources.” If SAML authentication is not enabled, the flaw cannot be exploited; if it is, the advisory’s condition means administrators should check that option on every device and treat it as a required setting, not merely patch. Affected versions are PAN-OS 9.1 earlier than 9.1.3; PAN-OS 9.0 earlier than 9.0.9; PAN-OS 8.1 earlier than 8.1.15; and all versions of PAN-OS 8.0, which is end-of-life. PAN-OS 7.1 is not affected.
