Cybersecurity News Headlines Update on September 09, 2020

The Security and Assurance portion of Operation Warp Speed (OWS), made up of people from the Defense Digital Service (DDS), NSA, FBI, the Department of Homeland Security and the Department of Health and Human Services, has been running behind the scenes for months to provide cybersecurity advice, guidance, and services to pharmaceutical companies developing a vaccine or working on its manufacture and distribution, as well as to government agencies participating in OWS, according to CyberScoop > How the government is keeping hackers from disrupting coronavirus vaccine research.

North Carolina School District Hit With Ransomware Last Month. North Carolina’s Haywood County School District was the target of a ransomware attack in August. The district shut down its network and paused remote learning because of the attack. Remote learning resumed as of August 31, but some services remain unavailable. The operators of the SunCrypt ransomware also stole files from the school district’s systems.

UK Universities Suffer Ransomware Attacks. Networks at two UK universities were recently hit with ransomware. The attack on Northumbria University forced the school to reschedule exams and close its campus while it restored its IT systems. Newcastle University said that it was the target of a cyberattack and expects recovery to take several weeks.

Chilean Bank Hit with Ransomware. Chile’s BancoEstado has shut down all branches after ransomware infected the bank’s network. The malware reportedly gained a foothold in the system through a backdoor installed by a malicious Office document. BancoEstado, one of the three largest banks in Chile, disclosed the incident over the weekend. Read more in: Chilean bank shuts down all branches following ransomware attack

Netwalker Ransomware Infects Government Agency in Argentina. Argentina’s immigration agency, the Dirección Nacional de Migraciones, has been hit with Netwalker ransomware. The attack temporarily halted border crossings into and out of the country. It may be the first reported ransomware attack against a national government agency to have a significant operational impact. Read more in: Netwalker ransomware hits Argentinian government, demands $4 million

Thanos Ransomware Variant Has MBR Overwrite Component. Researchers at Palo Alto Networks say that ransomware known as Thanos was used in attacks against systems at two state-run organizations in the Middle East and North Africa earlier this summer. The malware was configured to overwrite the master boot record (MBR) with a ransom message; in both cases the overwrite failed because of a bug in the code, so the machines remained bootable.

Facebook’s Third-Party Vulnerability Disclosure Policy. Facebook now has a vulnerability disclosure policy that lays out how the company will disclose security flaws it finds in third-party products. Under the policy, a third party has 21 days to acknowledge Facebook’s initial report and then 90 days to remediate the issue. If either deadline is missed, Facebook may disclose the flaw publicly. Facebook also notes that where there are mitigating circumstances, for example a flaw that is being actively exploited, the disclosure timeline may differ.

WhatsApp Security Bug Disclosures. WhatsApp has launched a dedicated security advisory page in an effort to be more transparent about flaws in its app. The page currently lists six vulnerabilities in WhatsApp that have been patched this year.

Visa Warns of Baka JavaScript Skimmer. Visa’s Payment Fraud Disruption (PFD) group has issued a warning about Baka, a JavaScript skimmer with features that help it evade detection, including the ability to remove itself from memory once it has exfiltrated payment data or when it detects that developer tools are open. PFD first identified Baka in February 2020.

Flash Support Ending at Year’s End. Microsoft has confirmed that its browsers will no longer support Adobe Flash Player after December 31, 2020. Beginning in January 2021, Adobe Flash Player will be disabled by default and versions of Flash older than the June 2020 release will be blocked. Adobe will stop updating and distributing Flash at the end of the year.

Tower Semiconductor Suffers Cyberattack. Systems at Israeli chipmaker Tower Semiconductor were hit with a cyberattack. The company has temporarily shut down some servers and some manufacturing operations. Read more in: Israel’s Tower Semi halts some operations after cyber attack

Government Funded Mobile Phones in US Preloaded with Code that Installs Adware. Some mobile phones provided to low-income users under the US government’s Lifeline program come preloaded with malware. A device examined by a researcher at Malwarebytes contained code that downloads and installs aggressive adware, which displays pop-up ads that cover the phone’s screen and obstruct its use. The apps that fetch the adware are part of the device firmware and cannot be removed without rendering the phone unusable. Read more in: Phones for low-income users hacked before they’re turned on, research finds

US Supreme Court to Hear CFAA Case. The US Supreme Court will hear a case, Van Buren v. United States, that could determine whether the 1986 Computer Fraud and Abuse Act (CFAA) is overly broad. The Electronic Privacy Information Center (EPIC) has filed an amicus brief in support of the petitioner, a former police officer who was convicted of violating the CFAA when he accessed a law enforcement database to obtain personal information for a third party. Voting app maker Voatz has submitted an amicus brief in support of the US government, arguing that researchers who examine code for vulnerabilities without permission should not be exempt from prosecution under the CFAA.

European ISPs Hit by DDoS Attacks. Multiple European Internet service providers (ISPs) were hit with distributed denial-of-service (DDoS) attacks last week. The attacks affected ISPs in France, Belgium, and the Netherlands. Some had speculated that last week’s CenturyLink outage in the US might also have been triggered by a DDoS attack, but two separate analyses attribute the CenturyLink outage to a bad BGP Flowspec announcement, a mechanism commonly used to mitigate DDoS attacks, which propagated across the provider’s network.

Read more in: European ISPs report a mysterious wave of DDoS attacks

Student Admits Launching DDoS Attacks Against Online School Platform. A Florida high school student has been arrested for orchestrating distributed denial-of-service (DDoS) attacks against the Miami-Dade County Public Schools’ online learning platform. The attacks disrupted teachers’ and students’ access to virtual classrooms. The 16-year-old has been “charged with felony computer use in an attempt to defraud and misdemeanour interference with an educational institution.”

Fix Available for One of Two Vulnerabilities in MAGMI Magento Plugin. Two vulnerabilities in the Magento Mass Import (MAGMI) plugin could be exploited to achieve remote code execution. An authentication bypass exists because MAGMI versions 0.7.23 and older “allow default … credentials to be used in the event a database connection fails”; an attacker who can make the database connection fail can then log in with the publicly known defaults. The issue is fixed in MAGMI v0.7.24. A cross-site request forgery (CSRF) vulnerability exists because the plugin’s forms carry no CSRF tokens, so a logged-in administrator who visits an attacker’s page can be made to submit actions without knowing it. There is not yet a fix for this issue. The flaws were discovered by researchers at Tenable.
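The two patterns behind the MAGMI advisory, shown here as plain Python as an added example (this is not MAGMI’s own PHP code): an authentication routine that falls back to built-in default credentials when the credential store is unreachable, next to a fail-closed version, and a form handler with and without a CSRF token check. The function names, the default credentials and the in-memory session are assumptions made for illustration.

```python
"""Default-credential fallback and missing CSRF token, vulnerable vs hardened.

Added example, not MAGMI's code. The credential store is modelled as a
callable that returns {user: password} or raises ConnectionError when the
database is down; the session is an in-memory stand-in. All names here are
hypothetical.
"""
import hmac
import secrets
from typing import Callable, Dict

# Hypothetical built-in defaults of the kind the advisory warns about.
DEFAULT_USER = "magmi"
DEFAULT_PASSWORD = "magmi"

CredentialSource = Callable[[], Dict[str, str]]


def _match(expected: str, supplied: str) -> bool:
    """Constant-time comparison; encode so non-ASCII input cannot raise."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def login_vulnerable(user: str, password: str, db: CredentialSource) -> bool:
    """Anti-pattern: when the DB is down, accept the shipped default credentials.

    Anyone who can make the DB connection fail (for example by exhausting its
    connection pool) can then authenticate with the publicly known defaults.
    """
    try:
        stored = db()
    except ConnectionError:
        stored = {DEFAULT_USER: DEFAULT_PASSWORD}
    expected = stored.get(user)
    return expected is not None and _match(expected, password)


def login_hardened(user: str, password: str, db: CredentialSource) -> bool:
    """Fail closed: an unreachable credential store means nobody logs in."""
    try:
        stored = db()
    except ConnectionError:
        return False
    expected = stored.get(user)
    return expected is not None and _match(expected, password)


class Session:
    """Minimal server-side session stand-in."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {}


def render_import_form(session: Session) -> str:
    """Issue a per-session CSRF token and embed it in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session.data["csrf"] = token
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def import_handler_vulnerable(session: Session, form: Dict[str, str],
                              run_import: Callable[[str], None]) -> int:
    """No token check: any page the admin visits can POST this form on their behalf."""
    run_import(form["profile"])
    return 200


def import_handler_hardened(session: Session, form: Dict[str, str],
                            run_import: Callable[[str], None]) -> int:
    """Reject the request unless it carries the token issued with the form."""
    expected = session.data.get("csrf")
    submitted = form.get("csrf_token", "")
    if not expected or not _match(expected, submitted):
        return 403
    run_import(form["profile"])
    return 200


# Constructed credential stores for the demo.
def db_up() -> Dict[str, str]:
    return {"admin": "correct horse battery staple"}


def db_down() -> Dict[str, str]:
    raise ConnectionError("database unreachable")


if __name__ == "__main__":
    print("defaults accepted while DB down (vulnerable):",
          login_vulnerable(DEFAULT_USER, DEFAULT_PASSWORD, db_down))
    print("defaults accepted while DB down (hardened):",
          login_hardened(DEFAULT_USER, DEFAULT_PASSWORD, db_down))
    s = Session()
    render_import_form(s)
    print("forged POST without token:", import_handler_hardened(s, {"profile": "x"}, print))
```

The hardened login treats a database failure as a denial rather than a reason to fall back to anything, and the hardened handler ties each form submission to a token that only the page served to that session contains.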

MIT CSAIL Researchers Develop Cyber Risk Platform. Researchers at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) have developed “a [cryptographic] platform for securely measuring cyber risk.” Dubbed SCRAM (Secure Cyber Risk Aggregation and Measurement), the platform uses secure multi-party computation so that organizations can pool and assess risk data without revealing their own sensitive data to each other or to the platform.

Cisco Updates for Jabber Flaw Available. Cisco has released fixes for a critical vulnerability (CVE-2020-3495) affecting Jabber for Windows. The flaw, which “is due to improper validation of message contents,” affects multiple versions of the desktop collaboration application. It can be exploited without user interaction by sending a specially crafted XMPP message to a targeted user and allows remote code execution with that user’s privileges. The issue does not affect Jabber for macOS or for mobile platforms.

WordPress File Manager Plugin Flaw is Being Actively Exploited. The developers of the File Manager plugin for WordPress have released an updated version to address a vulnerability that affects File Manager versions 6.0 through 6.8. Users are urged to update to version 6.9. The flaw, rooted in an elFinder connector file that shipped with a .php extension and was reachable without authentication, could be exploited to allow “unauthenticated users to execute commands and upload malicious files on a target site.” File Manager has more than 700,000 active installations.

Cyberattack on Norway’s Parliament Affected eMail Accounts. Authorities in Norway are investigating a “significant” cyberattack that compromised the email accounts of several members and employees of Stortinget, the country’s parliament. Stortinget administrator Marianne Andreassen said the attackers downloaded data from the affected accounts.

CISA: Agencies Must Have Vulnerability Disclosure Policies. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 20-01) that requires federal civilian agencies to establish vulnerability disclosure policies. The Office of Management and Budget (OMB) has issued a memorandum (M-20-32) supporting the BOD and establishing deadlines for implementation.

National Guard Cyber Exercise Will be Entirely Virtual. The US National Guard’s annual cyber exercise, Cyber Shield, will be entirely online this year. The event will take place over a two-week period later this month. Cyber Shield exercise director George Battistelli says this year’s exercise will focus on information operations.

Five Eyes Countries Issue Joint Cybersecurity Advisory. A joint advisory (AA20-245A) from cybersecurity authorities in Australia, Canada, New Zealand, the UK, and the US “highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of [the] report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”

Cisco’s Product Security Incident Response Team (PSIRT) observed attempted exploitation of a zero-day vulnerability on August 28. The flaw, tracked as CVE-2020-3566, is in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software, which runs on some of the company’s carrier-grade routers, and is caused by insufficient queue management for Internet Group Management Protocol (IGMP) packets. It was found during the resolution of a Cisco TAC support case, according to the advisory.

The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, the FBI and US Cyber Command have issued a joint alert on an ATM cash-out scheme, dubbed FASTCash 2.0, run by the North Korean group tracked as BeagleBoyz. The malware families CISA attributes to BeagleBoyz include ECCENTRICBANDWAGON, VIVACIOUSGIFT, and FASTCASH for Windows, according to Fortinet’s threat analysis report > Joint Technical Alert – “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks”

What is smishing? How phishing via text message (SMS) works. Smishing (a portmanteau of ‘SMS’ and ‘phishing’) is a form of phishing that uses deceptive text messages (SMS) to trick victims into sharing valuable information, installing malware, or handing over money.

Shlayer Snuck Through Apple’s Software Vetting Process. Malware known as Shlayer managed to slip past Apple’s software vetting process. Apple has required notarization of Mac software distributed outside the App Store since February 2020: developers submit their software to an automated service that scans it for malicious content and, if it passes, issues a ticket that macOS Gatekeeper checks before allowing the software to run. Installers carrying Shlayer were notarized and therefore ran without a Gatekeeper warning; Apple revoked the notarization after being notified.

Cisco Zero-day is Being Actively Exploited. Cisco has issued an advisory warning of a vulnerability in its IOS XR software that is being actively exploited. Cisco has not yet released a fix for the flaw, which “is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets.” The vulnerability can be exploited “to cause memory exhaustion, resulting in instability of other processes.” Until a fix ships, the advisory’s mitigations include rate-limiting IGMP traffic and disabling IGMP routing on interfaces where multicast is not needed.

New Zealand Stock Exchange Hit With More DDoS Attacks. The New Zealand Stock Exchange (NZX), which suspended trading last week because of a distributed denial-of-service (DDoS) attack, was hit with a new round of attacks on Monday, August 31. NZX was able to resume trading after moving to a contingency plan.

Former Cisco Employee Pleads Guilty to Damaging Company’s Network. A former Cisco employee has pleaded guilty to intentionally accessing a protected computer without authorization and recklessly causing damage. Sudhish Kasaba Ramesh resigned from Cisco in April 2018; five months later, he accessed Cisco’s AWS-hosted cloud infrastructure and “deployed code” that deleted more than 450 virtual machines supporting Cisco’s WebEx Teams application.

Chinese Citizen Arrested, Charged with Theft of Trade Secrets. US federal authorities have arrested a Chinese citizen on charges of “accessing a computer without authorization, or exceeding authorization to obtain information from a protected computer and theft of trade secrets.” Haizhou Hu has been conducting research at the University of Virginia. Hu allegedly stole research simulation code.

Read more in: University of Virginia Researcher Charged with Theft of Trade Secrets and Computer Intrusion

Chinese Researcher Faces Charges for Allegedly Destroying Hard Drive Related to Investigation. A Chinese citizen conducting research at the University of California, Los Angeles (UCLA) is facing charges for allegedly destroying evidence related to an investigation into the illegal transfer of US technology to China. Guan Lei allegedly threw a hard drive into a dumpster near his home before attempting to board a flight to China. When Guan refused to allow authorities to search his computer, he was not permitted to board the flight.

Slack Fixes RCE Flaw in Older Versions of Desktop App. Slack has fixed an HTML injection vulnerability affecting older desktop versions of the collaboration app. The flaw could be exploited to execute code in the app and take control of it, giving access to private channels, passwords, and other sensitive information. A bug hunter found the vulnerability and reported it to Slack in January 2020. The issue, which affected versions 4.2 and 4.3.2 of the desktop app for Linux, macOS, and Windows, was fixed in March.

DoJ is Attempting to Seize Hackers’ Cryptocurrency Accounts. The US Department of Justice has filed a civil forfeiture complaint seeking control of 280 cryptocurrency accounts it alleges are being used by North Korean hackers to launder stolen funds. The complaint describes two 2019 attacks in which North Korean hackers allegedly targeted cryptocurrency exchanges.

Hackers Exploiting Old Firmware Flaw in Unpatched QNAP NAS Devices. Researchers at Qihoo say that hackers are scanning for QNAP network attached storage (NAS) devices that are running outdated versions of QNAP firmware. When the hackers find QNAP NAS devices running vulnerable versions of the firmware, they exploit a flaw to install a backdoor on the device. The vulnerability was addressed in a QNAP firmware update in July 2017.

Read more in: Hackers are backdooring QNAP NAS devices with 3-year old RCE bug

New TLS/SSL Certificates Now Limited to 13-Month Validity Period. As of Tuesday, September 1, 2020, publicly trusted TLS/SSL certificates issued on or after that date must be valid for no more than 397 days (roughly 13 months); major browsers, led by Apple’s Safari, will reject newer certificates with longer lifetimes. The rule does not affect existing certificates issued before the cutoff, which keep their longer validity periods.

Read more in: You have two days left to purchase 2-year TLS/SSL certificates
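A quick way to check a certificate against the 397-day cap, as an added example that is not part of the original post. It works on the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns (`notBefore`/`notAfter` in the `"Sep  1 00:00:00 2020 GMT"` form), so it runs offline on the constructed sample certificates below; `fetch_peercert()` shows how to get that dictionary from a live host. The cutoff date and day count are the ones stated above; the sample certificates and function names are mine.

```python
"""Check a TLS certificate's lifetime against the 397-day rule.

Added example, not from the original article. Only the notBefore/notAfter
fields of the getpeercert() dictionary are used, so the sample certificates
below are constructed with just those fields.
"""
import socket
import ssl
from datetime import datetime, timezone

MAX_DAYS = 397                                         # cap for certs issued from 2020-09-01
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)     # certs issued before this keep their lifetime


def _epoch(cert_time: str) -> int:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used by getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)


def validity_days(cert: dict) -> int:
    """Certificate lifetime in whole days (notAfter minus notBefore)."""
    return int((_epoch(cert["notAfter"]) - _epoch(cert["notBefore"])) // 86400)


def check_lifetime(cert: dict) -> dict:
    """Classify one certificate against the 13-month rule.

    under_rule: issued on/after the cutoff, so the cap applies.
    compliant:  True when the cap is met, or when the cert predates the cutoff.
    """
    days = validity_days(cert)
    issued = datetime.fromtimestamp(_epoch(cert["notBefore"]), tz=timezone.utc)
    under_rule = issued >= CUTOFF
    return {"days": days, "under_rule": under_rule,
            "compliant": (days <= MAX_DAYS) or not under_rule}


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's leaf certificate as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (date fields only).
OLD_TWO_YEAR = {"notBefore": "Aug 30 00:00:00 2020 GMT", "notAfter": "Aug 30 00:00:00 2022 GMT"}
NEW_TWO_YEAR = {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Sep  2 00:00:00 2022 GMT"}
NEW_13_MONTH = {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"}

if __name__ == "__main__":
    for label, cert in (("issued before cutoff, 2 years", OLD_TWO_YEAR),
                        ("issued after cutoff, 2 years", NEW_TWO_YEAR),
                        ("issued after cutoff, 397 days", NEW_13_MONTH)):
        print(f"{label}: {check_lifetime(cert)}")
```

To audit a live endpoint, pass `fetch_peercert("example.com")` to `check_lifetime()`; a non-compliant result means Safari, Chrome and Firefox users will see an error when that certificate is deployed, however long the CA’s own validity period says it is good for.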

Qbot Banking Trojan Returns With New Tricks. Check Point researchers report that Qbot (also known as Qakbot or Pinkslipbot), a banking trojan first seen in 2008, has evolved: the latest variant adds new features and a new command-and-control infrastructure, harvests email threads from infected machines so that its malspam can be inserted into legitimate conversations, and has been observed delivering ransomware. In one recent campaign the new Qbot was itself distributed by Emotet. See the Check Point research report: An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods.

PIN Bypass Discovered in Visa Contactless Payment Transactions. Researchers at ETH Zurich found a way to bypass the PIN on Visa contactless transactions above the contactless limit by using a man-in-the-middle device to alter data exchanged between the card and the terminal, including the fields that carry transaction details and tell the terminal whether the cardholder has already been verified. Using EMVerify, a formal model of the EMV protocol built with a modified version of the Tamarin prover, they also found a second issue affecting both Mastercard and Visa, in which an offline contactless transaction can be approved with altered data. For details, refer to The EMV Standard: Break, Fix, Verify, scheduled for presentation at the IEEE Symposium on Security and Privacy in May 2021.

Malicious Email Attachments Remain a Cybercriminal Favorite, according to the 2020 Verizon Data Breach Investigations Report (DBIR). Email links are the top malware vector, at about 40% of attacks, and almost 20% of malware is delivered via email attachments. Attachment types include ZIP, PDF and Microsoft Office files (DOC and macro-enabled XLSM among them) as well as newer carriers such as disc image files (ISO or IMG), which bypass the Mark-of-the-Web warnings that Office files would otherwise trigger.
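Triage logic for the attachment types listed above, as an added example that is not part of the original post or the DBIR. It parses an RFC 822 message with Python’s standard library, walks every MIME part, flags attachments by extension, and looks one level inside ZIP archives so that a macro-enabled workbook wrapped in a ZIP is still caught. The sample message, its file names and the risk categories are constructed for the example; PDF is deliberately left unflagged because a policy that alerts on every PDF is unworkable in practice.

```python
"""Flag risky email attachments (macro-capable Office, disc images, executables).

Added example, not from the original article. Uses only the standard
library; the sample message is constructed inline.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extension policy; the exact sets are a local choice.
MACRO_OFFICE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}
DISC_IMAGES = {".iso", ".img", ".vhd", ".vhdx"}
EXECUTABLES = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".lnk", ".cmd", ".bat"}
ARCHIVES = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def classify(name: str) -> Optional[str]:
    """Return a risk label for a filename, or None if it is not on the watch list."""
    ext = _ext(name)
    if ext in EXECUTABLES:
        return "executable"
    if ext in MACRO_OFFICE:
        return "macro-capable office document"
    if ext in DISC_IMAGES:
        return "disc image"
    return None


def triage(raw: bytes) -> List[Tuple[str, str]]:
    """Return (attachment name, risk label) for every flagged attachment in a message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        label = classify(name)
        if label:
            findings.append((name, label))
        if _ext(name) in ARCHIVES:
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():       # one level deep only
                        inner_label = classify(inner)
                        if inner_label:
                            findings.append((f"{name}:{inner}", inner_label))
                        elif _ext(inner) in ARCHIVES:
                            findings.append((f"{name}:{inner}", "nested archive"))
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or non-zip archive"))
    return findings


def build_sample() -> bytes:
    """Constructed lure: a ZIP wrapping an XLSM, an ISO, and a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xlsm", b"not really a workbook")
        zf.writestr("readme.txt", b"harmless text")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "RE: Invoice 4471"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"\x00" * 32, maintype="application", subtype="octet-stream",
                       filename="Scan_0091.iso")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, label in triage(build_sample()):
        print(f"{label:32s} {name}")
```

Feed `triage()` the raw bytes of any `.eml` file; the `name:inner` form in the output tells the analyst which archive the flagged file was hiding in, which is the detail a sandbox ticket needs.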

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, including answering readers' comments.