Cybersecurity News Headline Updated on 08 Aug 2020 – FBI Warns on Windows 7; NSA on Mobile Devices Location Data; Canon and Lafayette (CO) Hit With Ransomware, and more

The headline on 08 Aug 2020

FBI Issues Warning on Windows 7 EOL. On Monday, August 3, the FBI sent out a private industry notification urging organizations to upgrade systems still running on Windows 7. Microsoft ended support for Windows 7 more than six months ago. Microsoft allows Windows 7 systems to upgrade to Windows 10 at no cost. However, older hardware may not have the capacity to support Windows 10, so an upgrade would necessitate purchasing new equipment.

Read more in:

• FBI issues warning over Windows 7 end-of-life
• Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks
• Windows 7 support ended on January 14, 2020

NSA: Mobile Devices Expose Location Data. The US National Security Agency (NSA) has released an advisory that enumerates ways in which mobile devices leak location data, often by design. The advisory includes suggestions for users to limit the ways they are tracked through their mobile devices. Recommendations include turning off services like find-my-phone, Wi-Fi, and Bluetooth when they are not needed.

Read more in:

• NSA Warns Smartphones Leak Location Data
• Beware of find-my-phone, Wi-Fi, and Bluetooth, NSA tells mobile users
• NSA warns that mobile device location services constantly compromise snoops and soldiers
• Here’s the NSA’s advice for reducing the exposure of cellphone location data
• Limiting Location Data Exposure (PDF)

Lafayette, Colorado, Paid Ransomware Demand. The city of Lafayette, Colorado, paid $45,000 to regain access to encrypted data following a ransomware attack. The July 27 attack caused city email, phones, online payments, and reservations to be temporarily unavailable.

Read more in:

• Cyberattack causes Lafayette computer outage; officials pay $45,000 ransom
• Colorado City Pays $45,000 Ransom After Cyber-Attack
• Cyberattack causes City computer outage

ES&S Releases New Vulnerability Disclosure Policy. Voting machine manufacturer Electronic Systems and Software (ES&S) has announced a new vulnerability disclosure policy in an effort to improve the security of its products. The “policy applies to all digital assets owned and operated by ES&S, including corporate IT networks and public facing websites. (Please note that the WSJ story is behind a paywall.)

Read more in:

• Voting Machine Makers Are Finally Playing Nice With Hackers
• US voting hardware maker’s shock discovery: Security improves when you actually work with the community
• Black Hat 2020: In a Turnaround, Voting Machine Vendor Embraces Ethical Hackers
• Hackers Get Green Light to Test Election Voting Systems (paywall)

Twitter Fixes Flaw in Android App. Twitter has fixed a vulnerability in its app for Android devices. The flaw could be exploited to access others’ direct messages and other private information. The high-severity flaw lies in a security issue in the Android OS versions 8 and 9.

Read more in:

• Twitter Fixes High-Severity Flaw Affecting Android Users
• Twitter for Android vulnerability gave access to direct messages

Trend Micro Report: ICS Protocol Gateway Vulnerabilities. Researchers at Trend Micro discovered vulnerabilities in protocol gateways, which translate communications between devices used at industrial plants. The most critical of the flaws could be exploited to disable temperature monitoring sensors; the vendor does not plan to release a patch as it considers the product “end-of-life.” Other security issues they found include weak encryption implementation and “specific scenarios wherein an attacker could exploit vulnerabilities in the translation function to issue stealth commands that can sabotage the operational process.”

Read more in:

• Lost in Translation: When Industrial Protocol Translation Goes Wrong
• Lost in Translation: When Industrial Protocol Translation Goes Wrong (PDF)
• Researchers uncover vulnerabilities in devices used at industrial facilities

York, PA: Physical IT Attack Prompts City Hall Closure. The York, Pennsylvania, city hall has been closed following a physical attack on IT infrastructure there. On Wednesday evening, August 5, a press release noted that “access to ALL city landline phone numbers are down. Additionally, access to city files and services are limited. Some web services may be unavailable as our staff works to repair the damage.” Emergency services and other critical operations are functioning.

Read more in: York, Pa., City Hall Closes After Attack on IT Infrastructure

Capital One Fined $80M Over 2019 Breach. The US Office of the Comptroller of the Currency (OCC) has announced that it is imposing an $80 million fine on Capital One for “the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.” In 2019, a data breach compromised information belonging to more than 100 million Capital One customers. OCC is an independent bureau of the Department of the Treasury.

Read more in:

• Capital One fined $80 million for 2019 hack
• US financial regulator fines Capital One $80 million over data breach
• OCC Assesses $80 Million Civil Money Penalty Against Capital One

Operation Skeleton Key Stole IP from Taiwanese Semiconductor Companies. Researchers from Taiwanese cybersecurity firm CyCraft say they have found evidence that hackers believed to have ties to China have stolen intellectual property from seven Taiwanese semiconductor companies. The stolen data include source code, software development kits, and chip designs.

Read more in:

• Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry
• Black Hat: Hackers are using skeleton keys to target chip vendors

Intel Data Leaked Online. Intel is investigating the leak of 20GB of its internal documents online. The documents include source code, schematics, and other intellectual property that belongs to the chip maker. An Intel spokesperson said that the leaked documents include data that is shared with partners and customers under non-disclosure agreements (NDAs).

Read more in:

• More than 20GB of Intel source code and proprietary data dumped online
• Intel investigating breach after 20GB of internal documents leak online
• Intel NDA blueprints – 20GB of source code, schematics, specs, docs – spill onto web from partners-only vault

The headline on 05 Aug 2020

Ransomware Operators Publish Data Allegedly Stolen from LG, Xerox. Maze ransomware operators have published data they claim to have taken from internal networks at LG and Xerox after the companies declined to pay a ransom. In a June email exchange with ZDNet, Maze operators say they did not launch ransomware on LG’s network, but only exfiltrated data. Read more in: Ransomware gang publishes tens of GBs of internal data from LG and Xerox

Blackbaud Paid Ransomware Demand. Blackbaud’s CEO says the company “discovered and stopped a sophisticated attempted ransomware attack.” Blackbaud paid the ransomware demand in May 2020; the attack was publicly disclosed in July. Blackbaud provides customer relationship management (CRM) software for colleges and universities, non-profit groups, and others. Read more in: ‘We stopped ransomware’ boasts Blackbaud CEO. And by ‘stopped’ he means ‘got insurance to pay off crooks’

Bleeping Computer: Garmin Paid Ransomware Demand. According to a report in Bleeping Computer, Garmin received the WastedLocker ransomware encryption key on July 25, two days after its network was hit with the malware. While it is not known how much Garmin paid the WastedLocker operators, the initial demand was reportedly $10 million. Bleeping Computer obtained “access to an executable created by the Garmin IT department to decrypt a workstation and then install a variety of security software on the machine.” Read more in:

• Confirmed: Garmin received decryptor for WastedLocker ransomware
• Garmin Pays Up to Evil Corp After Ransomware Attack — Reports

Texas School District Will Pay Ransomware Demand. The Athens (Texas) Independent School District (ISD) will pay $50,000 to ransomware operators to regain access to the data in its servers that have been encrypted. The district’s board of trustees voted to pay the ransom, which will be covered by insurance. The attack will postpone the start of the school year by at least a week. Read more in: Texas School District Forks Over $50K in Ransomware Attack

No More Ransom Website Helps Ransomware Victims. The No More Ransom decryption tool repository was established four years ago this month. No More Ransom offers free tools to decrypt 140 strains of ransomware. “The website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.” Read more in:

• No More Ransom: How 4 Millions Victims of Ransomware Have Fought Back Against Hackers
• No more ransom!

Three Arrested in Connection With the Twitter Hack. Authorities have arrested and charged three people in connection with the July 15 Twitter hack that took over several high-profile accounts and used them in a Bitcoin fraud scheme. The attackers allegedly used social engineering to gain access to internal Twitter tools. One of the suspects, a 17-year-old, faces 30 felony charges and will be tried as an adult. Read more in:

• Three Charged in July 15 Twitter Compromise
• How the Alleged Twitter Hackers Got Caught
• How the FBI tracked down the Twitter hackers
• Florida teen charged as “mastermind” in Twitter hack hitting Biden, Bezos, and others

GandCrab Suspect Arrested. Authorities in Belarus have arrested an individual allegedly involved in the distribution of the GandCrab ransomware. GandCrab ceased operations in June 2019. The FBI released master encryption keys for GandCrab, and Bitdefender released a decryptor. Read more in:

• GandCrab ransomware distributor arrested in Belarus
• GandCrab ransomware operator arrested in Belarus

FastPOS Author Pleads Guilty to RICO Conspiracy. A Moldovan citizen has pleaded guilty to RICO (Racketeer Influenced and Corrupt Organizations) conspiracy in a Nevada courtroom for his role in the Infraud cybercriminal organization. In a plea agreement, Valerian Chiochiu admitted to creating malware known as FastPOS, which was designed to facilitate payment card data theft. Chiochiu is the second person in just over a month to plead guilty in connection with Infraud; in late June, Sergey Medvedev also pleaded guilty to RICO conspiracy.
Read more in:

• Author of FastPOS malware revealed, pleads guilty
• Another guilty plea in $568 million Infraud crime ring
• Malware Author Admits Role in $568m Cyber-Fraud
• Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses

Taidoor RAT. The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense have issued a joint malware analysis report about malware that China has been using since 2008. Taidoor, as the malware is known, is a remote access trojan (RAT) and has been used in cyberespionage campaigns. Read more in:

• DHS Exposes Chinese Malware Tools
• DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
• US govt exposes Chinese espionage malware secretly used since 2008
• CISA, DOD, FBI expose new Chinese malware strain named Taidoor
• Malware Analysis Report (AR20-216A) | MAR-10292089-1.v1 – Chinese Remote Access Trojan: TAIDOOR

BootHole Fix is Causing Problems. Users are urged to take steps to mitigate the issue. Linux distributions have released fixes for the GNU GRUB2 bootloader vulnerability, a.k.a. BootHole. However, some users are reporting that these fixes are causing problems themselves. Users are rebooting booting and dual-booting issues in Debian, Ubuntu, Red Hat, CentOS, and Fedora. The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories that include suggestions for mitigating the BootHole vulnerability. Read more in:

• BootHole fixes causing boot problems across multiple Linux distros
• Red Hat and CentOS systems aren’t booting due to BootHole patches
• NSA and CISA push guidance for BootHole fix
• GRUB2 bootloader is vulnerable to buffer overflow

Update Available for WordPress Newsletter Plugin Flaws. Flaws in the Newsletter plugin for WordPress can be exploited to establish backdoors, create admin accounts, and possibly take control of vulnerable sites. The plugin’s developers have released an updated version, Newsletter 6.8.3, which addresses these vulnerabilities.
Read more in:

• Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites
• Newsletter plugin bugs let hackers inject backdoors on 300K sites

Citizen Lab: NSO Used to Spy on Clergy, Supporters of Political Opposition in Togo. A report from Citizen Lab says that spyware made by NSO Group was used to target political opposition members and members of the clergy in Togo. All of the targets had spoken out about the need for government reform in the West African country.
Read more in:

• Religious and Secular Voices for Reform in Togo Targeted with NSO Spyware
• NSO Spyware Was Used to Hack Clergy in Togo