Cybersecurity News Headlines Update on September 09, 2020

Security and Assurance portion of Operation Warp Speed consisting of people from DDS, NSA, FBI, the Department of Homeland Security and the Department of Health and Human Services, running behind the scenes for months to provide cybersecurity advice, guidance, and services to pharmaceutical companies developing a vaccine or working on manufacturing and distribution, as well as government agencies participating in OWS, according to CyberScoop > How the government is keeping hackers from disrupting coronavirus vaccine research.

North Carolina School District Hit With Ransomware Last Month. North Carolina’s Haywood County School District was the target of a ransomware attack in August. The district shut down its network and paused remote learning due to the attack. Remote learning has resumed as on August 31, but some services remain unavailable. The operators of the SunCrypt ransomware also stole files from the school district’s systems. Read more in:

• SunCrypt Ransomware shuts down North Carolina school district
• Haywood schools close for entire week due to cyber attack, which requires rebuilding of network

UK Universities Suffer Ransomware Attacks. Networks at two UK universities were recently hit with ransomware attacks. The attack on Northumbria University forced the school to reschedule exams and to close its campus while they restored their IT systems. Newcastle University said that it was the target of a cyberattack and expected recovery to take several weeks. Read more in:

• Northumbria University hit by cyber attack
• Northumbria Uni Campus Closed After Serious Cyber-Attack
• Newcastle University cyber attack ‘to take weeks to fix’

Chilean Bank Hit with Ransomware. Chile’s BancoEstado has shut down all branches after ransomware infected the bank’s network. The malware reportedly gained a foothold in the system through a backdoor installed by a malicious Office document. BancoEstado, one of the three largest banks in Chile, disclosed the incident over the weekend. Read more in: Chilean bank shuts down all branches following ransomware attack

Netwalker Ransomware Infects Government Agency in Argentina. Argentina’s immigration agency has been hit with Netwalker ransomware. The attack temporarily prevented border crossings into and from the country. The attack may be the first reported ransomware attack against a government agency that has had a significant operational impact. Read more in: Netwalker ransomware hits Argentinian government, demands $4 million

Thanos Ransomware Variant Has MBR Overwrite Component. Researchers at Palo Alto Networks say that ransomware known as Thanos was used in attacks against systems at two state-run organizations in the Middle East and North Africa earlier this summer. The malware was configured to overwrite the master boot record. In these two cases, the overwrite did not work because of an error in the code. Read more in:

• Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
• Ransomware hits two state-run organizations in the Middle East and North Africa

Facebook’s Third-Party Vulnerability Disclosure Policy. Facebook now has a vulnerability disclosure policy that lays out how the company will disclose security flaws it finds in third-party products. According to the policy, third-party companies will have 21 days to acknowledge Facebook’s initial report and then 90 days to remediate the issue. If the company misses either one of the deadlines, Facebook may disclose the flaw publicly. Facebook also notes that if there are mitigating circumstances – a flaw that is being actively exploited, for example – the disclosure timeline may differ. Read more in:

• Facebook to blab bugs it finds if it thinks code owners aren’t fixing fast enough
• Facebook announces new details on how it will disclose bugs found in third-party products
• Facebook Debuts Third-Party Vulnerability Disclosure Policy
• Facebook’s Vulnerability Disclosure Policy

WhatsApp Security Bug Disclosures. WhatsApp has launched a dedicated security advisory page in an effort to be more transparent about flaws in its app. The page discloses six vulnerabilities in WhatsApp that have been patched this year. Read more in:

• WhatsApp Discloses 6 Bugs via Dedicated Security Site
• WhatsApp Security Advisories

Visa Warns of Baka JavaScript Skimmer. Visa’s Payment Fraud Disruption (PFD) group has issued a warning about JavaScript skimming malware that has features to help it evade detection, including functionality that allows it to remove itself from memory. PFD first detected Baka in February 2020. Read more in:

• ‘Baka’ JavaScript Skimmer Identified (PDF)
• Visa warns of new Baka credit card JavaScript skimmer
• Visa: New Baka Skimmer Designed to Avoid Detection
• Baka credit card skimmer bundles stealth, anti-detection capabilities, warns Visa

Flash Support Ending at Year’s End. Microsoft has confirmed that its browsers will no longer support Adobe Flash Player after December 31, 2020. As of January 1, 2021, Adobe Flash Player will be disabled by default and versions of Flash older than the June 2020 release will be blocked. Adobe will stop updating and distributing Flash at the end of the year. Read more in:

• Update on Adobe Flash Player End of Support
• Update for Enterprise Customers Using Adobe Flash Player
• Microsoft to finally kill Adobe Flash support by January 2021

Tower Semiconductor Suffers Cyberattack. Systems at Israeli chipmaker Tower Semiconductor were hit with a cyberattack. The company has temporarily shut down some servers and some manufacturing operations. Read more in: Israel’s Tower Semi halts some operations after cyber attack

Government Funded Mobile Phones in US Preloaded with Code that Uploads Adware. Some mobile phones provided to low-income users under the US government’s Lifeline program are preloaded with malware. A device examined by a researcher at Malwarebytes was found to contain code that uploads aggressive adware that displays pop-up ads that cover the phone’s screen, obstructing their use. The apps that upload the adware cannot be removed from the phone without rendering it unusable. Read more in: Phones for low-income users hacked before they’re turned on, research finds

US Supreme Court to Hear CFAA Case. US Supreme Court will hear a case that could determine whether the 1986 Computer Fraud and Abuse Act (CFAA) is overly broad. The Electronic Privacy Information Center (EPIC) has filed an amicus brief on behalf of the plaintiff, a police officer who was convicted of violating the CFAA when he accessed a law enforcement database to obtain personal information for a third party. Voting app maker Voatz has submitted an amicus brief on behalf of the US government in the case, arguing that researchers who do not have permission to examine code for vulnerabilities should not be exempt from prosecution under CFAA. Read more in:

• Van Buren v. the United States
• Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding

European ISPs Hit by DDoS Attacks. Multiple European Internet service providers (ISPs) were hit with distributed denial-of-service (DDoS) attacks last week. The attacks affected ISPs in France, Belgium, and the Netherlands. Some experts have suggested that last week’s CenturyLink outage in the US may have been triggered by a DDoS attack; two separate analysis reports say that the CenturyLink outage was due to a problem with a tool commonly used while mitigating DDoS attacks.

Read more in: European ISPs report a mysterious wave of DDoS attacks

Student Admits Launching DDoS Attacks Against Online School Platform. A Florida high school student has been arrested for orchestrating distributed denial-of-service (DDoS) attacks against the Miami-Dade schools’ online learning platform. The attacks disrupted teachers’ and students’ access to virtual classrooms. The 16-year-old has been “charged with felony computer use in an attempt to defraud and misdemeanour interference with an educational institution.”

Read more in:

• Miami high school student charged in DDoS attacks against the school district
• Miami-Dade Public Schools’ remote learning platform endures days of cyberattacks

Fix Available for One of Two Vulnerabilities in MAGMI Magento Plugin. Two vulnerabilities in the Magento Mass Import (MAGMI) plugin could be exploited to allow remote code execution. An authentication bypass vulnerability exists because MAGMI versions 0.7.23 and older “allow default … credentials to be used in the event a database connection fails.” The issue has been fixed in MAGMI v.0.7.24. A cross-site forgery vulnerability exists because of a lack of CSRF tokens. There is not yet a fix for this issue. The flaws were detected by researchers at Tenable.

Read more in:

• MAGMI Multiple Vulnerabilities
• CVE-2020-5776
• CVE-2020-5777
• Attackers could exploit flaws in MAGMI Magento plugin to hijack admin sessions
• Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws
• Magento plugin Magmi vulnerable to hijacking admin sessions

MIT CSAIL Researchers Develop Cyber Risk Platform. Researchers at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) have developed “a [cryptographic] platform for securely measuring cyber risk.” Dubbed SCRAM (Secure Cyber Risk Aggregation and Measurement), the platform allows organizations to assess their risk without exposing sensitive data.

Read more in:

• SCRAM: A Platform for Securely Measuring Cyber Risk (PDF)
• MIT SCRAM: a new analysis platform for prioritizing enterprise security investments

Cisco Updates for Jabber Flaw Available. Cisco has released fixes for a critical vulnerability affecting Jabber for Windows. The flaw, which “is due to improper validation of message contents,” affects multiple versions of the desktop collaboration application. The vulnerability can be exploited with no user interaction to remotely execute code with the privileges of the targeted user. The issue does not affect Jabber for macOS or for mobile platforms.

Read more in:

• Patch now: Cisco warns Jabber IM client for Windows has a critical flaw
• Attackers Can Exploit Critical Cisco Jabber Flaw With One Message
• Cisco fixes critical code execution bug in Jabber for Windows
• Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability

WordPress File Manager Plugin Flaw is Being Actively Exploited. Developers of the File Manager plugin for WordPress have released an updated version to address a vulnerability that affects File Manager versions 6.0 through 6.8. Users are urged to update to version 6.9. The flaw could be exploited to allow “unauthenticated users to execute commands and upload malicious files on a target site.” File Manager has been installed more than 700,000 times.

Read more in:

• Hackers are exploiting a critical flaw affecting >350,000 WordPress sites
• WordPress File Manager plugin flaw causing website hijack exploited in the wild
• 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin

Cyberattack on Norway’s Parliament Affected eMail Accounts. Authorities in Norway are investigating a “significant” cyberattack that compromised the email accounts of several members and employees of Stortinget, the country’s parliament. Stortinget administrator Marianne Andreassen said the attackers downloaded data.

Read more in:

• Norwegian Parliament discloses cyber-attack on the internal email system
• Norway is investigating a cyberattack on its parliament
• Norway’s Parliament Says It Was Hit by ‘Significant’ Cyber Attack

CISA: Agencies Must Have Vulnerability Disclosure Policies. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) that requires federal government agencies to establish vulnerability disclosure policies. The Office of Management and Budget (OMB) has issued a memorandum supporting the BOD and establishing deadlines for implementation.

Read more in:

• CISA orders agencies to set up vulnerability disclosure programs
• U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021
• OMB Issues Final Vulnerability Disclosure Policies Guidance for Agencies
• OMB Starts Clock on Agencies Implementing Policies to Welcome Public Security Research
• Memorandum: Improving Vulnerability Identification, Management, and Remediation (PDF)
• Binding Operational Directive 20-01 | Develop and Publish a Vulnerability Disclosure Policy

National Guard Cyber Exercise Will be Entirely Virtual. The US National Guard’s annual cyber exercise, Cyber Shield, will be entirely online this year. The event will take place over a two-week period later this month. Cyber Shield exercise director George Battistelli says this year’s exercise will focus on information operations.

Read more in:

• National Guard cyber exercise to increase focus on information operations
• National Guard plans all-virtual cyber exercise

Five Eyes Countries Issue Joint Cybersecurity Advisory. A joint advisory from cybersecurity authorities in Australia, Canada, New Zealand, the UK, and the US “highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of [the] report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.”

Read more in:

• ‘Five Eyes’ Nations Release Joint Cybersecurity Advisory
• CISA, International Counterparts Highlight Mistakes Organizations Make After a Cyber Intrusion
• Alert (AA20-245A) Technical Approaches to Uncovering and Remediating Malicious Activity
• Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity (PDF)

Cisco’s Product Security Incident Response Team (PSIRT) discovered attempted exploitation of the zero-day vulnerability on Aug. 28. The vulnerability discovered in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco’s IOS XR Software used in some of its networking equipment, caused by insufficient queue management for Internet Group Management Protocol (IGMP) packets. This zero-day vulnerability published in CVE-2020-3566 was found during the resolution of a Cisco TAC support case, according to the advisory.

The U.S. Cyber Infrastructure and Security Agency (CISA), the Department of the Treasury, the FBI and U.S. Cyber Command issued a joint advisory alert for ATM cash-out scheme as FastCash 2.0 by BeagleBoyz. The malware family names attributed to the BeagleBoyz by CISA include: ECCENTRICBANDWAGON, VIVACIOUSGIFT, and FASTCASH for Windows, according to Fortinet’s threat analysis report > Joint Technical Alert – “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks”

What is smishing? How phishing via text message (SMS) works. Smishing (a portmanteau of ‘SMS’ and ‘phishing’) is a cyberattack that uses misleading text messages (SMS) to trick victims into sharing valuable information, installing malware, or giving away money.

Shlayer Snuck Through Apple’s Software Vetting Process. Malware known as Shlayer managed to slip past Apple’s software vetting process. Apple established an automated notarization process in February 2020; developers submit software to be notarized. If the software passes the checks, macOS Gatekeeper allows it to run.

Read more in:

• Apple Approved Malware | malicious code …now notarized!? #2020
• Apple Accidentally Approved Malware to Run on MacOS
• Apple Accidentally Notarizes Shlayer Malware Used in Adware Campaign
• Malware authors trick Apple into trusting malicious Shlayer apps

Cisco Zero-day is Being Actively Exploited. Cisco has issued an advisory warning of a vulnerability in its IOS XR software that is being actively exploited. Cisco has not yet released a fix for the flaw, which “is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets.” The vulnerability can be exploited “to cause memory exhaustion, resulting in instability of other processes.”

Read more in:

• Attackers are trying to exploit a high-severity zeroday in Cisco gear
• Cisco warns of actively exploited IOS XR zero-day
• Cisco warns of actively exploited bug in carrier-grade routers
• Cisco Warns of Exploits Against IOS XR Flaw
• Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

New Zealand Stock Exchange Hit With More DDoS Attacks. The New Zealand Stock Exchange (NZX), which suspended trading last week due to distributed denial-of-service (DDoS) attack, was hit with a new round of attacks on Monday, August 31. NZX was able to resume trading after moving to a contingency plan.

Read more in:

• NZX shifts to Akamai – says trading continues despite site being down again
• NZX business as usual, despite cyber attacks
• New Zealand bourse website hit by fresh cyberattack, but keeps trading

Former Cisco Employee Pleads Guilty to Damaging Company’s Network. A former Cisco employee has pleaded guilty to intentionally accessing a protected computer without authorization and recklessly causing damage. Sudhish Kasaba Ramesh resigned his position at Cisco in April 2018; five months later, he accessed Cisco’s AWS-hosted cloud infrastructure and “deployed code” that resulted in the deletion of more than 450 virtual machines for Cisco’s WebEx Teams application.

Read more in:

• Ex-Cisco Employee Pleads Guilty to Deleting 16K Webex Teams Accounts
• Former engineer pleads guilty to Cisco network damage, causing Webex Teams account chaos
• Cisco engineer resigns then nukes 16k WebEx accounts, 456 VMs
• San Jose Man Pleads Guilty To Damaging Cisco’s Network

Chinese Citizen Arrested, Charged with Theft of Trade Secrets. US federal authorities have arrested a Chinese citizen on charges of “accessing a computer without authorization, or exceeding authorization to obtain information from a protected computer and theft of trade secrets.” Haizhou Hu has been conducting research at the University of Virginia. Hu allegedly stole research simulation code.

Read more in: University of Virginia Researcher Charged with Theft of Trade Secrets and Computer Intrusion

Chinese Researcher Faces Charges for Allegedly Destroying Hard Drive Related to Investigation. A Chinese citizen conducting research at the University of California, Los Angeles (UCLA) is facing charges for allegedly destroying evidence related to an investigation into illegal transfer of US technology to China. Guan Lei allegedly threw a hard drive into a dumpster near his home before attempting to board a flight to China. When Guan refused to allow authorities to search his computer, he was not permitted to board the flight.

Read more in:

• Chinese researcher charged with destroying evidence relating to illegal transfer of US tech
• Chinese National Charged with Destroying Hard Drive During FBI Investigation into the Possible Transfer of Sensitive Software to China

Slack Fixes RCE Flaw in Older Versions of Desktop App. Slack has fixed an HTML code injection vulnerability affecting older desktop versions of the collaboration app. The flaw could be exploited to take control of the app, allowing access to private channels, passwords, and other sensitive information. A bug-hunter found the vulnerability and reported it to Slack in January 2020. The issue, which affected version 4.2 and 4.32 of the desktop app for Linux, macOS, and Windows, was fixed in March.

Read more in:

• Critical Slack Bug Allows Access to Private Channels, Conversations
• Slack pays stingy $1,750 reward for a desktop hijack vulnerability
• Critical vuln that lets miscreants hijack people’s computers via Slack *sucks in air* We’ll give you $1,750 for it

DoJ is Attempting to Seize Hackers’ Cryptocurrency Accounts. The US Department of Justice has filed a civil forfeiture complaint seeking to obtain control of 280 cryptocurrency accounts it alleges are being used by North Korean hackers to launder stolen funds. The complaint describes two 2019 attacks in which North Korean hackers allegedly targeted cryptocurrency exchanges.

Read more in:

• DoJ Aims to Seize 280 Cryptocurrency Accounts Used by Hackers
• US wants to seize cryptocurrency stolen by North Korean hackers
• United States Files Complaint to Forfeit 280 Cryptocurrency Accounts Tied to Hacks of Two Exchanges by North Korean Actors

Hackers Exploiting Old Firmware Flaw in Unpatched QNAP NAS Devices. Researchers at Qihoo say that hackers are scanning for QNAP network attached storage (NAS) devices that are running outdated versions of QNAP firmware. When the hackers find QNAP NAS devices running vulnerable versions of the firmware, they exploit a flaw to install a backdoor on the device. The vulnerability was addressed in a QNAP firmware update in July 2017.

Read more in: Hackers are backdooring QNAP NAS devices with 3-year old RCE bug

New TLS/SSL Certificates Now Limited to 13-Month Validity Period. As of Tuesday, September 1, 2020, all new TLS/SSL certificates issued will be valid for no more than 397 days (roughly 13 months). The new rule does not affect existing certificates with longer validity periods.

Read more in: You have two days left to purchase 2-year TLS/SSL certificates

Bug Discovered to Bypass PIN in Visa Contactless Payment Transactions by altering data involved including the fields that control transaction details and if the card owner has been verified. Also discovered a second security issue impacting both Mastercard and Visa using EMVerify, a modified version of Tamarin. For more detail, refer to The EMV Standard: Break, Fix, Verify, scheduled to present findings at the IEEE Symposium on Security and Privacy in May 2021.

Malicious Email Attachments Remain a Cybercriminal Favorite, according to the 2020 Verizon Data Breach Investigations Report (DBIR). Almost 20% of malware attacks being deployed via email attachments. Email links are the top vector with 40% of attacks using malicious email attachments such as ZIPs, PDF, and MS office files (including DOC and XLSM file attachments) or newer attachments – like disc image files (ISO or IMG).