Cybersecurity News Headline Updated on 31 July 2020 – Bootloader Vulnerability Affects Millions of Devices; Netgear Refuses to Update Vulnerable Devices; Excellent Ransomware Case Study, and more

The headline on 31 July 2020

GRUB2 Bootloader Vulnerability Affects Millions of Devices. A vulnerability in the GRUB2 (Grand Unified Bootloader version 2) bootloader could be exploited to run malicious firmware during startup. The issue affects most Linux devices and Windows devices that use Secure Boot. Researchers at Eclypsium discovered the issue and disclosed it to affected parties, “including OS vendors, computer manufacturers, and CERTs,” prior to public disclosure. Linux distributions have begun making fixes available, although not without hiccups: Red Hat’s fix for the BootHole vulnerability is reportedly causing problems for some users – when the patch is installed, their systems will not boot.

Netgear Will Not Release Patches for 45 Devices Vulnerable to RCE Flaw. A remote code execution vulnerability affecting Netgear home routers was disclosed in June. Netgear will not release fixes for 45 of the affected router models, identifying them as “outside the security support period.” Proof-of-concept exploit code for the stack buffer overflow vulnerability has been released.

Ryuk Ransomware Infection Case Study. A Ryuk ransomware attack took down the network of an unidentified food and beverage manufacturer. AT&T Cybersecurity investigated the incident and helped the company recover from the attack without paying a ransom. The incident also offers reminders of actions organizations can take to better protect their networks, including replacing old hardware, changing default passwords, patching systems, and adhering to cyber hygiene.

Read more in: Ransomware: How clicking on one email left a whole business in big trouble

Microsoft is Retiring SHA-1 Windows Content. On Monday, August 3, Microsoft will remove all Windows downloads signed with SHA-1 from the Microsoft Download Center. SHA-1 is vulnerable to collision attacks, a fact which could be exploited to create forged digital certificates.

Nefilim Ransomware Group Releases Files Stolen from DKA. Operators of the Nefilim ransomware have published files stolen from Dresdner Kühlanlagenbau GmbH (DKA), a subsidiary of the Dussmann Group, a multi-service provider in Germany. The Dussmann Group has confirmed that DKA was recently the victim of a ransomware attack.

Read more in: Business giant Dussmann Group’s data leaked after ransomware attack

Lazarus Hacking Group is Using Ransomware. Researchers at Kaspersky have found that the Lazarus hacking group, which is believed to operate on behalf of North Korea’s government, has turned to ransomware. Lazarus hackers used ransomware identified as VHD in attacks against a company in France and a company in Asia earlier this year.

McAfee: North Korean Hackers Launched Spear Phishing Attacks Against US Companies. Researchers from McAfee Advanced Threat Research say that North Korean state-sponsored hackers launched phishing campaigns against US defense and aerospace companies earlier this year. The spear-phishing emails sent to employees at targeted companies pretended to be information about job offers from other defense contractors. McAfee has dubbed the campaign “Operation North Star.”

Cisco Releases Fix for Critical Flaw in Data Center Network Manager. Cisco has released a fix for a critical flaw in its Data Center Network Manager (DCNM). The authentication bypass vulnerability has been given a CVSS base score of 9.8. The issue lies in the REST API of the DCNM software. Cisco also released fixes for several high- and medium-severity flaws in DCNM.

Update Available to Address Critical Flaw in wpDiscuz WordPress Plugin. A critical remote code execution flaw in the wpDiscuz comment plugin for WordPress could be exploited by unauthenticated users to take control of vulnerable websites. Users are urged to update to wpDiscuz version 7.0.5.

Zoom Fixes Meeting Password Cracking Vulnerabilities. Zoom has fixed a security issue that could be exploited to crack meeting passwords. The default password protection for Zoom meetings was, before the fix, a six-digit numeric code. Because Zoom did not rate-limit password attempts, hackers could launch brute-force password attacks. Zoom has addressed the issues by “requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer.”

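The Zoom item above describes two fixes: throttling passcode attempts and replacing the short, digits-only default. The following Python sketch is an added example, not Zoom's code and not part of the original article; it implements a sliding-window limit on join attempts per meeting and client, plus a policy check that rejects short or all-numeric passcodes. The attempt limit, window length, and minimum length are assumed values chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Policy values below are constructed for this example; they are not Zoom's settings.
MAX_ATTEMPTS = 5          # passcode attempts allowed per client per window
WINDOW_SECONDS = 60.0     # sliding window length
MIN_PASSCODE_LEN = 8      # longer than the old six-digit default


class JoinRateLimiter:
    """Sliding-window limiter on passcode attempts, keyed by (meeting, client).

    Without such a limit, a six-digit numeric passcode (1,000,000 values) can be
    guessed exhaustively; with it, each client gets at most MAX_ATTEMPTS guesses
    per WINDOW_SECONDS before further attempts are refused without evaluation.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                    # injectable for deterministic tests
        self._attempts = defaultdict(deque)   # (meeting, client) -> attempt timestamps

    def allow(self, meeting_id, client_id):
        """Record an attempt; return True if it may be evaluated, False if throttled."""
        now = self.clock()
        history = self._attempts[(meeting_id, client_id)]
        # Drop timestamps that have aged out of the sliding window.
        while history and now - history[0] > self.window:
            history.popleft()
        if len(history) >= self.max_attempts:
            return False
        history.append(now)
        return True


def passcode_meets_policy(passcode):
    """Reject the pre-fix default shape: short and digits-only."""
    return len(passcode) >= MIN_PASSCODE_LEN and not passcode.isdigit()


def evaluated_guesses(limiter, meeting_id, client_id, guesses):
    """Feed candidate passcodes through the limiter and return how many the
    server would actually evaluate; the remainder are refused unseen."""
    return sum(1 for _ in guesses if limiter.allow(meeting_id, client_id))


if __name__ == "__main__":
    # Constructed scenario: one client sends 1,000 guesses in a burst.
    limiter = JoinRateLimiter()
    burst = (f"{n:06d}" for n in range(1000))
    print("guesses evaluated before throttling:",
          evaluated_guesses(limiter, "meeting-A", "client-1", burst))
    print("123456 meets policy:", passcode_meets_policy("123456"))
    print("x7Qm2pLr meets policy:", passcode_meets_policy("x7Qm2pLr"))
```

The limiter is keyed on the client as well as the meeting so that one attacker cannot lock legitimate participants out of a meeting; a production deployment would also want to count attempts per meeting across all clients to catch distributed guessing.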

European Union Sanctions Russia, China, and North Korea for Cyberattacks. The European Union has imposed economic sanctions, including travel bans and asset freezes, against Russia, China, and North Korea over cyberattacks conducted against EU citizens. Russia was sanctioned for NotPetya and “for an attempted cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW).” China was sanctioned for intrusions into cloud providers’ networks. North Korea was sanctioned for WannaCry.

The headline on 29 July 2020

Most Sought-After (Pre-)Cybersecurity Skills. Brian Krebs writes that people considering careers in cybersecurity frequently reach out to him, asking which specialization or certification he would recommend, but rarely do they ask, “which practical skills they should seek to make themselves more appealing candidates for a future job.” A recent SANS survey asked more than 500 people who work in cybersecurity which skills they consider most valuable in job candidates, and which are most often missing. (Read the comments for more insights.)

Read more in: Thinking of a Cybersecurity Career? Read This

The Number of Databases Deleted by Meow is Growing. The number of databases that have been wiped by the mysterious Meow hacker has grown to nearly 4,000 as of Saturday, July 25. The attacks appear to be targeting any database that is accessible from the Internet and is not adequately secured. The attacks are being conducted through a ProtonVPN IP address. It is still not clear why the attacker is deleting the vulnerable databases.

Read more in: New ‘Meow’ attack has deleted almost 4,000 unsecured databases

Garmin Acknowledges Ransomware Attack was Responsible for Outage. In a post on Monday, July 27, Garmin acknowledged that the outage it suffered last week was due to ransomware. The company says it is in the process of getting its systems up and running. The attack occurred in the middle of last week.

SEI Customer Data Compromised in Ransomware Attack on Vendor. A ransomware attack on the network of M.J. Brunner, a service provider, exposed data belonging to the customers of one of its clients, SEI Investments. The attackers stole files containing usernames, emails, and other personal information associated with the SEI dashboard that Brunner developed and supports. Brunner refused to pay the demanded ransom, and the malware operators posted the stolen data online earlier this month. (Please note that the WSJ story is behind a paywall.)

CISA and NCSC Urge Users to Patch QNAP NAS Devices. A joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) warns users to patch their QNAP network attached storage (NAS) devices to protect them from QSnatch malware. QSnatch attacks were detected as long ago as 2014, but the agencies noted a significant uptick in infections: in October 2019, 7,000 devices were affected; by mid-June 2020, more than 62,000 devices were infected. The newest version of QSnatch can steal passwords, exfiltrate data, and can be used to execute arbitrary code.

Hackers are Actively Exploiting Flaws in F5 BIG-IP and Cisco Network Products. Hackers are actively exploiting a high-severity directory traversal vulnerability that affects Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software firewall products. Cisco has released a fix for the issue. Hackers are also actively exploiting a critical vulnerability in F5 BIG-IP advanced delivery controller; F5 released fixes for the flaw on July 9.

Russian Hackers Targeted US Government, Education, and Energy Sectors. A hacking group with ties to Russian military intelligence launched previously undisclosed attacks against US targets between December 2018 and May 2020. In that 18-month period, Fancy Bear, also known as APT 28, conducted cyberattacks against networks at government agencies, educational institutions, and organizations in the energy sector. The attacks were largely focused on breaking into email servers, VPN servers, and Office 365 and email accounts. Earlier this year, the FBI notified organizations that had been targeted.

Read more in: Russia’s GRU Hackers Hit US Government and Energy Targets

Former Raytheon Employee Sentenced for Retaining National Defense Information. A former Raytheon systems engineer has been sentenced to 18 months in prison for taking home sensitive data. In January 2020, Ahmedelhadi Yassin Serageldin pleaded guilty to willfully retaining national defense information. According to a Department of Justice press release, Serageldin “retained 31,000 pages of information that was marked as classified, some of which pertained to U.S. missile defense and was classified at the SECRET level, and altered or obliterated the classification markings on documents.” Serageldin worked at Raytheon for nearly 20 years.

FBI Warning on New DDoS Attack Vectors. Last week, the FBI issued a Private Industry Notification warning of several new network protocols and a web application that are being abused to conduct distributed denial-of-service (DDoS) attacks. They are CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and Jenkins web-based automation software.

CISA ICS Advisory Warns of Vulnerabilities in Schneider Products. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an ICS advisory regarding five vulnerabilities in Schneider Electric Triconex TriStation and Tricon Communication Module. The vulnerabilities include cleartext transmission of sensitive information, uncontrolled resource consumption, hidden functionality, and improper access control. One of the vulnerabilities – the improper access control issue – has been given a CVSS v3 base score of 10.

The headline on 25 July 2020

CISA and NSA Urge “Immediate Action” to Secure Critical Infrastructure Operations Technology and Control Systems. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that foreign hackers are targeting systems that support US critical infrastructure. The advisory urges critical infrastructure operators to secure their operational technology and control systems as soon as possible. The advisory lists several “recently observed tactics, techniques, and procedures,” including spear phishing, ransomware, connecting to Internet-accessible PLCs that do not require authorization for initial access, and modifying control logic and parameters on PLCs.

Alleged Chinese Hackers Indicted on Multiple Charges for Stealing Intellectual Property. The US Department of Justice (DoJ) has unsealed a July 7, 2020 indictment charging two Chinese citizens in connection with a decade of hacking. Li Xiaoyu and Dong Jiazhi allegedly hacked into networks at numerous companies around the world and stole intellectual property and other sensitive data. The defendants allegedly hacked both for personal gain and on behalf of various Chinese government agencies. They also allegedly attempted to extort cryptocurrency by threatening to post stolen source code online. Li and Dong are facing charges of conspiracy to commit computer fraud; conspiracy to commit theft of trade secrets; conspiracy to commit wire fraud; unauthorized access of a computer; and aggravated identity theft.

Mysterious “Meow” Attacks Wiping Databases. A hacker has been wiping misconfigured databases for no apparent reason other than that they were accessible on the Internet. The attacker overwrites data with the word “Meow.” At least 1,800 databases have been affected.

NY Financial Regulators Charge First American Financial in Connection with Data Leak. The New York State Department of Financial Services (NYSDFS) has charged First American Financial Corp. with exposing millions of documents containing sensitive information between October 2014 and May 2019. The compromised data include driver’s license, bank account, and Social Security numbers. This is the first cybersecurity enforcement action NYSDFS has taken.

NIST Enters Next Round of Review in Public Key Cryptographic Algorithm Selection. The US National Institute of Standards and Technology (NIST) has begun the third round of public review of submissions for the Post-Quantum Cryptography Standardization Process. The initial 65 submissions have been winnowed down through two rounds and now stand at 15. NIST mathematician Dustin Moody said, “At the end of this round, we will choose some algorithms and standardize them.”

Additional Information Emerging About Twitter Hack. Twitter says that the hackers who hijacked high profile accounts last week accessed private messages from 36 accounts, including one that belongs to an elected official from the Netherlands.

Adobe Releases Unscheduled Patches. On Tuesday, July 21, Adobe released four unscheduled security updates that address a total of 13 vulnerabilities in Adobe Reader Mobile, Prelude, Photoshop, and Bridge. Twelve of the vulnerabilities are rated critical.

Prometei Cryptominer Botnet. The Prometei cryptocurrency mining botnet spreads in several ways, including through the EternalBlue exploit for Windows Server Message Block. The malware campaign appears to have been active since March.

Diebold Nixdorf Warns ATM’s Own Software Stack Used in Jackpotting Attacks. Diebold Nixdorf has issued a warning that jackpotting attacks against some of their ATMs are being conducted with black boxes that contain part of the targeted machines’ software stack. Diebold recommends that terminal operators make sure their software is up-to-date, that encryption is enabled on the terminal, that hard-disk encryption is implemented, and that physical access to the machines is limited.

Garmin Mobile App Unavailable Due to Apparent Ransomware Attack. Garmin’s mobile application and related services are down due to a probable ransomware attack. The company has not acknowledged that it was hit with ransomware, but employees have talked about it on social media. Garmin has informed its staff that the company will be offline for planned maintenance on July 24 and 25.

Blackbaud Ransomware Attack Affects Multiple Universities. A May 2020 ransomware attack against Blackbaud, a cloud-based education, administration, and fund-raising management software company, compromised personal information belonging to staff and students from at least 10 colleges and universities, as well as non-profits such as Human Rights Watch and Young Minds. Blackbaud disclosed the incident on July 16, noting that it had “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”

GEDmatch Breach Resulted in Data Exposure. DNA analysis website GEDmatch has acknowledged that following a breach earlier this month, users’ permissions were reset, which allowed law enforcement agencies to access their information during searches. GEDmatch gained notoriety in 2018 when police used information in the company’s database to catch a serial killer. Following that incident, GEDmatch allowed users to choose whether or not to allow their information to appear in law enforcement search results. The reset permissions were exposed for about three hours before the company became aware of the situation and took the site offline. As of the evening of Thursday, July 23, the site was still unavailable.

The headline on 22 July 2020

Brampton, Ontario Becomes The First “Cyber Talent” City. Five hundred Brampton, Ontario, students are getting a head start on preparing for computer science and cybersecurity careers during COVID-19 through the Catalyst Cyber Camp, a public-private partnership of Rogers Communications, the City of Brampton, Ryerson, and Cybersecure Catalyst. This first-of-its-kind camp provides free, online programming to youth ages 13-18 in Brampton, Ontario, through the city and its community partners. Campers engage in up to 400 hours of cutting-edge games, activities, and puzzles of increasing complexity while learning how to solve security challenges, write computer programs, and find flaws in web sites. The students compete to collect points along the way and win prizes. Top performers will be recognized by city and business leaders for their success in the camp and learning new skills.

Netwalker Ransomware Hits Maryland Health Services Organization. The computer network at Lorien Health Services, an eldercare and nursing services organization in Maryland, was hit with Netwalker ransomware in June. The attackers stole and encrypted data. Lorien did not pay the ransom, and the malware’s operators began posting the stolen data online. The compromised information includes names, Social Security numbers, and medical diagnoses and treatments. The incident affects close to 50,000 people.

Sodinokibi Ransomware Operators Demand $7.5M from Argentinian ISP. Internet service provider Telecom Argentina’s internal network was hit with Sodinokibi (REvil) ransomware on Saturday, July 18. The operators are demanding a payment of $7.5 million. The ransomware affected more than 18,000 workstations. The attack did not affect Internet connectivity, telephony, or cable, but some company websites have been unavailable since Saturday. Telecom Argentina has not issued a statement; employees have been sharing information about the incident on social media.

Read more in: Ransomware gang demands $7.5 million from Argentinian ISP

WordPress All in One SEO Plugin Updated to Fix XSS Flaw. A cross-site scripting vulnerability in the All in One SEO Pack WordPress plug-in could be exploited to hijack websites. The plugin has been installed more than two million times. The developers have fixed the problem in All in One SEO Pack version 3.6.2.

More Twitter Hack Details. Twitter has released more information about a hack that took over high profile accounts to use in a cryptocurrency scam. After the hackers managed to gain access to Twitter’s internal system, they used Twitter’s tech support tools to target 130 accounts. They changed passwords of 45 accounts and downloaded data from eight accounts.

Emotet Botnet is Back. The Emotet botnet, which has been dormant since early February 2020, has re-emerged. On Friday, the botnet became active again, sending spam in an attempt to infect new users with the malware using malicious Word and Excel documents.

Many F5 BIG-IP Network Devices Still Not Patched. Thousands of F5 BIG-IP network devices remain unpatched against a critical vulnerability that is being actively exploited. F5 released fixes late last month. In a July 3 tweet, US Cyber Command urged users to apply the fixes as soon as possible. Proof of concept exploits started appearing on July 5. Researchers say that as of July 15, there were roughly 8,000 installations that had not been updated.

Read more in: Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover

Magento Introducing Two-Factor Authentication Across its Platform. The Magento ecommerce platform has begun offering two-factor authentication. Adobe says that it is “supporting (and in some cases requiring) two-factor authentication (2FA) across multiple areas of the Magento ecosystem:” Magento.com accounts, Cloud Admin, and Magento Admin. 2FA is now an option for Magento.com accounts and will be an option for Cloud Admin with the release of Magento 2.4. In both instances, users must enable the feature as it will not be enabled by default. 2FA will be enabled by default in Magento Admin starting in version 2.4; it cannot be disabled.

UK’s COVID-19 Test and Trace Program Did Not Complete Required Privacy Assessment Prior to Launch. The UK’s Department of Health has admitted that it launched its COVID-19 test and tracing effort without conducting a Data Protection Impact Assessment (DPIA) as required by the General Data Protection Regulation (GDPR). The Open Rights Group, a digital rights organization, says that the acknowledgment means the program “has been operating unlawfully since its launch on 28th May 2020.” The organization that runs the test and trace program says it is working to complete the DPIA.

Cloudflare DNS Failure Caused Problems Last Week. Cloudflare says that a network outage on Friday, July 17 was caused by an error in a router configuration update. When the problematic update was applied, “a router on [Cloudflare’s] global backbone announced bad routes and caused some portions of the network to not be available.” The outage lasted less than half an hour and affected only certain geographic areas.

Cyberattacks Targeted Two Israeli Water Management Facilities in June. Israel’s Water Authority said that two more of its water management facilities were targeted by cyberattacks in June. Another attack targeting Israeli water treatment systems was reported in April. The Israel National Cyber-Directorate has issued an alert urging water treatment facilities to change passwords for Internet-connected equipment, and recommending that they take systems offline if they cannot change passwords.

Read more in: Two more cyber-attacks hit Israel’s water system

Hacking Suspect Extradited to US from Cyprus. A 21-year-old individual from Cyprus has been extradited to the US to face charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and identity theft, and extortion related to a protected computer. Joshua Polloso Epifaniou allegedly hacked into websites, stole data, and threatened to leak the data if he did not receive payment. His arraignment was scheduled for Monday, July 20, 2020.

Microsoft Sets TLS Deprecation Date for Office 365. Microsoft will no longer support Transport Layer Security (TLS) 1.0 and 1.1 in Office 365 after October 15, 2020. Microsoft initially intended to make the change sooner but pushed back the cutoff date due to COVID-19.