Cybersecurity News Headline Updated on 08 July 2020

The headline on 08 July 2020

US CYBERCOM Warning on Palo Alto Technologies OS Vulnerability; Patch Now! On June 29, US Cyber Command issued a cybersecurity alert regarding a critical flaw affecting Palo Alto Networks PAN-OS, the operating system that runs on the company’s firewalls and VPN appliances. The alert urges users to “patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use.” US Cyber Command expects that foreign adversaries will likely begin to exploit the vulnerability soon.

Read more in:

• Foreign adversaries likely to try exploiting critical networking bug, US says
• US Cyber Command says foreign hackers will attempt to exploit new PAN-OS security bug
• Securing your SAML Deployments
• CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.

https://t.co/WwJdil5X0F

— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020

NSA Issues Guidance on Securing IPsec VPNs. The US National Security Agency (NSA) has released guidance to help organizations secure their IPsec virtual private networks (VPNs). Many organizations are using these to allow their employees to work from home. The BNSA has also released a document with information about configuring IPsec VPNs.

Read more in:

• NSA releases guidance on securing IPsec Virtual Private Networks
• Securing IPsec Virtual Private Networks (PDF)
• Configuring IPsec Virtual Private Networks (PDF)

New macOS Ransomware ThiefQuest Found on Torrent Sites. Researchers at Malwarebytes have detected new ransomware that targets devices running macOS. Dubbed ThiefQuest, the ransomware also has spyware capabilities: it can exfiltrate files, search for cryptocurrency wallets and passwords, and log keystrokes. ThiefQuest has been detected bundled with other software on torrent sites.

Read more in:

• New Mac ransomware spreading through piracy
• EvilQuest: Inside A ‘New Class’ of Mac Malware
• New Mac Ransomware Is Even More Sinister Than It Appears
• Things that happen every four years: Olympic Games, Presidential elections, and now new Mac ransomware

#macOS #ransomware impersonating as Google Software Update program with zero detection.

MD5:
522962021E383C44AFBD0BC788CF6DA3 6D1A07F57DA74F474B050228C6422790 98638D7CD7FE750B6EAB5B46FF102ABD@philofishal @patrickwardle @thomasareed pic.twitter.com/r5tkmfzmFT

— Dinesh_Devadoss (@dineshdina04) June 29, 2020

Managed Service Provider Xchanging Hit by Ransomware. In an 8-K form filed with the US Securities and Exchange Commission (SEC), DXC technologies disclosed that systems at one of its subsidiaries were hit with a ransomware attack. The company, Xchanging, is a managed service provider that focuses primarily on the insurance industry but has customers in other sectors as well. According to the filing, “DXC is actively working with affected customers to restore access to their operating environment as quickly as possible.”

Read more in:

• Ransomware attack on insurance MSP Xchanging affects clients
• DXC Identifies Ransomware Attack on Part of its Xchanging Environment

Barclays Website Was Calling Javascript File from Internet Archive. The Barclays Bank website appears to have been calling a Javascript file from the Internet Archive’s Wayback Machine. This meant that if the Internet archive went down, the Barclays website would be down as well. Barclays has fixed the issue.

Read more in: Barclays Bank appeared to be using the Wayback Machine as a ‘CDN’ for some Javascript

F5 Releases Patches for Flaws in BIG-IP Networking Devices; POC Exploit Code Released. F5 has released fixes to address a critical flaw in its BIG-IP networking equipment that could be exploited to take complete control of vulnerable devices. US Cyber Command tweeted last week that patching this vulnerability is urgent. On Sunday, July 5, CISA Director Christopher Krebs tweeted. “If you didn’t patch by this morning, assume compromised.” Proof-of-concept exploit code for the critical vulnerability, which has been given a CVSS score of 10, has been released. Hackers have begun exploiting the vulnerability. F5 has also released fixes for a high-severity cross-site scripting vulnerability in the BIG-IP Configuration utility.

Read more in:

• PoC exploits released for F5 BIG-IP vulnerabilities, patch now!
• F5 fixes critical vulnerability discovered by Positive Technologies in BIG-IP application delivery controller
• Hack Brief: Hackers Are Exploiting a 5-Alarm Bug in Networking Equipment
• Cyber Command backs ‘urgent’ patch for F5 security vulnerability
• Hackers are trying to steal admin passwords from F5 BIG-IP devices
• F5 patches vulnerability that received a CVSS 10 severity score
• F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren’t internet-facing while you ready a patch
• K52145254: TMUI RCE vulnerability CVE-2020-5902
• K43638305: BIG-IP TMUI XSS vulnerability CVE-2020-5903

European Authorities Infiltrated Encrypted Communication Platform Used by Criminals. Law enforcement authorities in Europe countries were able to infiltrate EncroChat, an encrypted communication platform frequented by criminals. Hundreds of people have been arrested; large quantities of luxury items and illegal drugs and nearly EUR 20 million in cash have been seized.

Read more in:

• How Police Secretly Took Over a Global Phone Network for Organized Crime
• Police infiltrate encrypted phones, arrest hundreds in organized crime bust
• E.U. Authorities Crack Encryption of Massive Criminal and Murder Network
• Euro police forces infiltrated encrypted phone biz – and now ‘criminal’ EncroChat users are being rounded up
• Hundreds arrested after encrypted messaging network takeover
• European police crack encrypted phone network, arrest hundreds of alleged criminals

Cisco Fixes XSS Flaw in Small Business VPN Router Firmware. Cisco has released fixes for a cross-site scripting vulnerability that affects two of its small business VPN routers. The flaw is the result of “insufficient validation of user-supplied input by the web-based management interface of the affected software.” The issue affects Cisco Small Business RV042 and RV042G Routers running firmware releases older than 4.2.3.14.

Read more in:

• Zero-day XSS vulnerability found in Cisco small business routers
• Cisco SMB kit harbors cross-site scripting bug: One wrong link click… and that’s your router pwned remotely
• Cisco Small Business RV042 and RV042G Routers Cross-Site Scripting Vulnerability

Cisco Releases Firmware Updates for Vulnerability in Small Business Switches. Cisco has released a security update to fix a high-severity flaw in its Small Business Smart and Managed Switches. The vulnerability, which “is due to the use of weak entropy generation for session identifier values,” could be exploited to gain administrator privileges. The issue is fixed in version 2.5.5.47 of the firmware release for affected products that ae still supported.

Read more in:

• Cisco Warns of High-Severity Bug in Small Business Switch Lineup
• Cisco Small Business Smart and Managed Switches Session Management Vulnerability

Apple’s Decision Forces Shortening of Digital Certificate Lifespans. Starting September 1, 2020, Apple software, Chrome, and Firefox will identify new TLS certificates that are valid for more than 398 days as invalid. The changes arises from a unilateral decision Apple made earlier this year, bypassing the expected practice of bringing issues like this one to the CA/B Forum, “a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing.” The intent of reducing certificates’ lifespans is to force websites and apps to issue new certificates every year. This will introduce more certificates that use the newest cryptographic standards.

Read more in:

• Remember when we warned in February Apple will crack down on long-life HTTPS certs? It’s happening: Chrome, Firefox ready to join in, too
• Apple strong-arms entire CA industry into one-year certificate lifespans
• CA/Browser Forum

Microsoft Releases Two Out-of-Cycle Patches for Windows. On June 30, Microsoft released two unscheduled patches to address remote code execution vulnerabilities in the Windows Codecs Library. Microsoft took the unusual step of delivering the fixes through the Microsoft Store rather than through Windows Update. The advisories for the vulnerabilities say, “Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update.”

Read more in:

• Windows 10’s Microsoft Store Codecs patches are confusing users
• Unscheduled fixes released for critical flaw in optional Windows codec
• Microsoft releases emergency security update to fix two bugs in Windows codecs
• Microsoft Releases Emergency Security Updates for Windows 10, Server
• CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
• CVE-2020-1457 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability

Home Router Study Finds “Alarming” Security Issues. A study of 127 home routers from seven manufacturers found numerous security issues. The Fraunhofer Institute for Communication (FKIE) in Germany looked at each router’s most current firmware, focusing on five security aspects: when the firmware was last updated; which operating systems are used and how many known flaws they have; what exploit mitigation techniques the vendors use; whether the firmware images contain private cryptographic key material; and whether there are any hard-coded login credentials. Among the report’s findings: 46 of the routers had not had a security update in the past year; some vendors ship firmware updates that contain known vulnerabilities, and just one of the seven vendors did not publish private cryptographic keys in its firmware.

Read more in:

• Home Router Security Report 2020 (PDF)
• Home router warning: They’re riddled with known flaws and run ancient, unpatched Linux

Top Three Network Intrusion Signatures Used Against Federal Agencies in May 2020. The top three network intrusion signatures detected by the US Department of Homeland Security’s (DHS’s) EINSTEIN intrusion detection system during May 2020 are the NetSupport Manager Remote Access Tool (RAT) – legitimate software that is also being used in phishing campaigns; the Kovter fileless Trojan; and the XMRig cryptocurrency miner. EINSTEIN gathers and analyzes traffic flowing into and out of federal civilian organizations systems and networks.

Read more in:

• Alert (AA20-182A) | EINSTEIN Data Trends – 30-day Lookback
• CISA’s hit parade of malware aimed at federal agencies

The headline on 01 July 2020

California’s Top Medical Research University Pays Ransomware Actors. The University of California, San Francisco (USCF) has paid a ransomware demand of more than $1.4m. A “limited number of servers” at the public health research facility were encrypted by Netwalker ransomware. UCSF disclosed the incident on June 3. BBC News was able to observe a live chat on the dark web involving UCSF ransom negotiations.

Read more in:

• University of California San Francisco pays ransomware gang $1.14m as BBC publishes ‘dark web negotiations’
• UCSF paid $1.4 million ransom in NetWalker attack
• California university pays $1 million ransom amid coronavirus research
• How hackers extorted $1.14m from University of California, San Francisco
• Update on IT Security Incident at UCSF

Hackers are Wiping Old Lenovo/Iomega NAS Devices and Demanding Ransom. Hackers have been breaking into old LenovoEMC/Iomega network-attached storage (NAS) devices, wiping them, and demanding between $200 and $275 in ransom for the return of the data. The attacks targeted NAS devices that exposed their management interface on the Internet with no password protection. Similar attacks were reported a year ago. The LenovoEMC and Iomega NAS lines were discontinued in 2018.

Read more in: A hacker gang is wiping Lenovo NAS devices and asking for ransoms

Magecart Card Skimming Malware Found on Government Websites in Eight US Cities. Researchers at Trend Micro found that local government websites in eight US cities were infected with Magecart card skimming malware. The common factor appears to be that all the affected sites were using the Click2Gov municipal payment software. The attacks began on April 10 and appear to still be active. This is not the first time that Click2Gov has been the target of attacks.

Read more in:

• US Local Government Services Targeted by New Magecart Credit Card Skimming Attack
• 8 U.S. City Websites Targeted in Magecart Attacks
• Eight cities using Click2Gov targeted in Magecart skimming attacks
• Click2Gov breaches in eight cities attributed to Magecart hackers

British Tech Companies Urge Reworking Computer Misuse Act. A group of British technology organizations and individuals have signed a letter to Prime Minister Boris Johnson, urging him to act to reform the Computer Misuse Act (CMA). The law was created 30 years ago, when less than one percent of the UK’s population used the Internet and “the concept of cyber security and threat intelligence research did not exist.” The letter also notes that “the CMA inadvertently criminalises a large proportion of modern cyber defence practices.”

Read more in:

• Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform
• Letter to PM Boris Johnson (PDF)

Michigan House of Representatives Passes Bill Prohibiting Employers From Requiring Implanted Microchips for Workers. The Michigan State House of Representatives has passed a bill that would prohibit employers from requiring workers to have RFID chips implanted. The measure is proactive; there have not been instances in which employers have actually imposed this requirement. A Wisconsin company has used implantable ID chips for their employees on a voluntary basis. The Microchip Protection Act now heads to the Michigan State Senate for consideration.

Read more in:

• Michigan tackles compulsory microchip implants for employees with new bill
• Bill requires employers to keep implanted microchips voluntary for workers
• HOUSE BILL NO. 5672 (as passed by the Michigan House)

Magento 1.x EOL is June 30; Merchants Urged to Upgrade. Magento 1.x will no longer be supported after June 30, 2020. Payment processors are urging merchants to update; Visa informed merchants that failing to update to Magento 2.x will eventually cost them PCI DSS (Payment Card Industry Data Security Standard) compliance. Adobe’s Security Bulletin for Magento updates last week included a reminder: “Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. This will be the final security patches available for these editions.”

Read more in:

• Adobe, Mastercard, Visa warn online store owners of Magento 1.x EOL
• Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
• Security Updates Available for Magento | APSB20-41

Tax Software Required by Chinese Bank Installs Backdoor on Companies’ Systems. At least two western companies opening offices in China were forced to install tax software on their systems; the software has been found to download and install a backdoor. The companies said that a bank in China “required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.” The backdoor, which has been named GoldenSpy, operates with SYSTEM-level privileges.

Read more in:

• The Golden Tax Department and the Emergence of GoldenSpy Malware
• Chinese bank requires foreign firm to install app with covert backdoor
• Chinese bank forced western companies to install malware-laced tax software
• Tax software used by Chinese bank clients installs GoldenSpy backdoor
• Chinese Bank Forces Firms to Download Backdoored Software

Cardplanet Operator Aleksei Burkov Sentenced to Nine Years in Prison. Aleksei Burkov has been sentenced to nine years in prison for his role in operating the Cardplanet carding website, which sold payment card information that was used to make millions of dollars in fraudulent transactions. Burkov was arrested in Israel in December 2015; he was extradited to the US in 2019. Earlier this year, he pleaded guilty to access device fraud, conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.

Read more in:

• Russian Cybercrime Boss Burkov Gets 9 Years
• ‘Cardplanet’ Operator Sentenced to 9 Years for Selling Stolen Credit Cards
• UNITED STATES OF AMERICA V. ALEKSEI YURIEVICH BURKOV (PDF)
• Russian National Sentenced to Prison for Operating Websites Devoted to Fraud and Malicious Cyber Activities

Medvedev Guilty Plea. Sergey Medvedev has pleaded guilty to RICO conspiracy for his role in “an Internet-based cybercriminal enterprise” known as Infraud. The group’s activity resulted in more than $586m in losses. US authorities have indicted 36 people in connection with Infraud.

Read more in:

• Russian national pleads guilty to being part of $568 million fraud ring
• Admin of carding portal behind $568M in losses pleads guilty
• Russian National Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses

Cyber Flag 20-2 Participants Used New Remote Cyber Training Tool. US Cyber Command’s Cyber Flag 20-2 training exercise took place earlier this month. More than 500 people participated; there were 17 teams from five countries. For the first time, participants had access to a new remote access training tool. The Persistent Cyber Training Environment (PCTE) “is an online client that allows Cyber Command’s cyber warriors, as well as partner nations, to log on from anywhere in the world to conduct individual or collective cyber training as well as mission rehearsal.” The Cyber Flag exercise is run by US Cyber Command.

Read more in: This training tool could be the answer to stop mass cyberattacks

Palo Alto Networks Fixes Critical Flaw in Firewall Operating System. Palo Alto Networks has released fixes for a critical authentication bypass vulnerability that affects PAN-OS, the operating system used in many its firewalls. According to the Palo Alto Advisory, “Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources.” If SAML authentication is not enabled, the flaw cannot be exploited. The affected versions of the operating system are PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected.

Read more in:

• CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
• Palo Alto Fixes Critical Authentication Bypass Flaw
• Palo Alto Networks patches critical vulnerability in firewall OS