US Department of the Interior OIG Audit Report Details Wireless Network Security Problems. According to an audit report from the Department of the Interior Office of Inspector General (DOIOIG), “the Department did not deploy and operate secure wireless network infrastructure, as required by the National Institute of Standards and Technology (NIST) guidance and industry best practices.” Penetration testers were able to access DOI’s internal wireless network with a smartphone and about $200 of equipment stashed in a backpack. They were able to intercept and decrypt traffic. The attacks the pen testers conducted were not detected by DOI employees. Read more in:
- Feeling bad about your last security audit? Check out what just happened to the US Department of Interior
- The Interior Department OIG clearly had some fun hacking the agency’s Wi-Fi networks
- Interior Department watchdog ‘highly successful’ at hacking agency’s networks
- Evil Twins, Eavesdropping, and Password Cracking: How the Office of Inspector General Successfully Attacked the U.S. Department of the Interior’s Wireless Networks (PDF)
DOJ Charges Seven in Connection with Multiple Cyberattacks. The US Department of Justice has charged seven individuals in connection with a series of cyberattacks against software, pharmaceutical and technology companies, non-profit organizations, and universities. Two of the individuals have been arrested in Malaysia; the other five remain at large in China. Some of those charged are allegedly part of the APT41 hacking group. Read more in:
- Feds Charge Chinese Hackers With Ripping Off Video Game Loot From 9 Companies
- Good: US boasts it collared two in Chinese hacking bust. Bad: They aren’t the actual hackers, rest are safe in China
- Hammer drops on hackers accused of targeting game and software makers
- APT41 Operatives Indicted as Sophisticated Hacking Activity Continues
- US Charges Five Alleged Members of APT41 Group
- Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally
The US Charges Alleged Iranian Hackers. The US Department of Justice has filed charges against two Iranian men, Hooman Heidarian and Mehdi Farhadi, for allegedly launching numerous cyberattacks over the past seven years. The targeted organizations include universities, a defence contractor, a foreign policy organization, and government agencies. Prosecutors believe that Heidarian and Farhadi shared stolen data with Iranian government intelligence officials. Heidarian and Farhadi have not been arrested; they are on the FBI’s wanted list. Read more in:
The US Indicts Three for Alleged Theft of Intellectual Property and Other Information. The US Department of Justice has indicted three Iranian individuals, Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati, for allegedly hacking aerospace and satellite companies. Their campaign allegedly ran from July 2015 until at least February 2019 and targeted organizations in the US as well as in other countries. The campaign was allegedly orchestrated “to steal critical information related to United States aerospace and satellite technology and resources.” Read more in:
- Iranian Hackers Indicted for Stealing Aerospace & Satellite Tracking Data
- US charges Iranian hackers for breaching US satellite companies
- Iranian Hackers Indicted for Stealing Data from Aerospace and Satellite Tracking Companies
Criminal Charges and Financial Sanctions in Cryptocurrency Phishing Case. The US Department of the Treasury’s Office of Foreign Assets Control has officially sanctioned two Russian individuals, Danil Potekhin and Dmitrii Karasavidi, in connection with a phishing campaign “that targeted customers of two U.S.-based and one foreign-based virtual asset service providers.” In addition, the Department of Justice has filed charges against Potekhin and Karasavidi for allegedly stealing millions of dollars’ worth of cryptocurrency. They remain at large. Read more in:
- Two Russians Charged in $17M Cryptocurrency Phishing Spree
- US charges two Russians for stealing $16.8m via cryptocurrency phishing sites
- Treasury Sanctions Russian Cyber Actors for Virtual Currency Theft
- Superseding Indictment
German Authorities Investigating Patient Death After Ransomware Attack on Hospital. In the wake of ransomware on its network, Dusseldorf University Hospital determined that it would not be equipped to conduct scheduled and outpatient procedures or offer emergency care. A patient with a life-threatening condition was rerouted to a different hospital, which resulted in the treatment being delayed by an hour; the patient did not survive. German authorities are investigating the incident as negligent manslaughter. Read more in:
- Patient dies after ransomware attack reroutes her to remote hospital
- First death reported following a ransomware attack on a German hospital
- Ransomware attack at German hospital leads to death of patient
- Hospital currently only accessible to a very limited extent – patient care limited (in German)
NCSC Warns of Ransomware Attacks Against Education Sector. The UK’s National Cyber Security Centre (NCSC) has issued an alert warning of an increasing number of ransomware attacks targeting schools and universities. The alert describes common ransomware infection vectors (phishing emails, Remote Desktop Protocol, and unpatched hardware and software vulnerabilities) and provides a list of suggested mitigations. Read more in:
- Alert: Targeted ransomware attacks on the UK education sector by cyber criminals
- GCHQ agency ‘strongly urges’ Brit universities, colleges to protect themselves after spike in ransomware infections
- Ransomware warning: Hackers are launching fresh attacks against universities
Ransomware Attack Disrupts Online Learning for California School District. A ransomware attack affecting the network of the Newhall School District in Valencia, California, resulted in a temporary shutdown of remote learning. District servers remain shut down to allow a forensic investigation. Read more in:
- California Elementary Kids Kicked Off Online Learning by Ransomware
- Ransomware attack hits Newhall schools, halting online classes
Adobe Patches Flaws in Media Encoder. Adobe has released an unscheduled update for Media Encoder to address “out-of-bounds read vulnerabilities that could lead to information disclosure in the context of the current user.” The flaws affect Adobe Media Encoder versions 14.3.2 and earlier. Read more in:
- Adobe releases out-of-band security update for Adobe Media Encoder
- Adobe out-of-band patch released to tackle Media Encoder vulnerabilities
- Security Updates Available for Adobe Media Encoder | APSB20-57
BLESA: Bluetooth Low Energy Spoofing Attacks Vulnerability. Researchers from Purdue University have uncovered “design weaknesses” in the Bluetooth Low Energy (BLE) protocol that could put devices at risk of spoofing attacks. The researchers note that “BLE requires limited or no user interaction to establish a connection between two devices.” The weaknesses lie in the fact that “link-layer encryption/authentication is optional” and that the authentication procedure can be circumvented. Read more in:
- Billions of devices vulnerable to new ‘BLESA’ Bluetooth security flaw
- Bluetooth Spoofing Bug Affects Billions of IoT Devices
- BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy (PDF)
Apple iOS Security Updates. Apple has released updates for iOS and iPadOS. The newest versions – iOS 14 and iPadOS 14 – fix 11 security issues, including a privilege elevation vulnerability that can be exploited if users are manipulated into opening a maliciously crafted file. Apple has also issued updates for Safari, tvOS, and watchOS. Read more in:
- Hands on with iOS 14’s new data breach notification feature
- Apple Bug Allows Code Execution on iPhone, iPad, iPod
- About the security content of iOS 14.0 and iPadOS 14.0
2,000 eCommerce Sites Running Magento were Hacked Over the Weekend. Nearly 2,000 eCommerce sites running on the Magento platform were compromised over the weekend. The attackers installed malicious code to log payment card data. Most of the hacked sites were running Magento version 1, which is no longer supported. Magento 1.x reached EOL at the end of June 2020. Read more in:
- Magecart Attack Impacts More Than 10K Online Shoppers
- Magento stores hit by largest automated hacking attack since 2015
- Magento online stores hacked in the largest campaign to date
Malvertising Sneaks Into Banner Ads on Adult Sites, Exploits Flaws in Flash and IE. Hackers have placed malicious banner ads on numerous adult websites. The ads redirect users to malicious sites that attempt to install malware through vulnerabilities in Adobe Flash and Internet Explorer. Read more in:
- Porn site users targeted with malicious ads redirecting to exploit kits, malware
- Porn surfers have a dirty secret. They’re using Internet Explorer
Update Available for WordPress Email Subscribers & Newsletters Plugin Flaw. Developers of the Email Subscribers & Newsletters plugin for WordPress have released an updated version to fix a spoofing vulnerability. The plugin has more than 100,000 active installations. Users are urged to upgrade to version 4.5.6. Read more in:
- Vulnerability in WordPress email marketing plugin patched
- WordPress Plugin Flaw Allows Attackers to Forge Emails
- Unauthenticated email forgery/spoofing in WordPress Email Subscribers plugin
USPS OIG: Vulnerable Apps Could Have Exposed Data. According to a July 27, 2020, memorandum from the US Postal Service (USPS) Office of Inspector General, USPS has been using six applications that contained known vulnerabilities and which remained unpatched for years. The flaws in the apps could have been exploited to gain access to sensitive data. USPS has since addressed the security issues. Read more in:
- Postal Service Used Apps That Had ‘Catastrophic’ Vulnerabilities for Years
- Postal Service left vulnerable IT applications unaddressed for years, inspector general finds
- Management Alert – Risks Associated with Information Technology Applications (Report Number 20-251-R20) (PDF)
Dept. of Veterans Affairs Breach Affects 46,000. A data breach affecting the US Department of Veterans Affairs (VA) Financial Service Center (FSC) compromised personal information belonging to 46,000 veterans. The malicious actors accessed an FSC application without authorization. FSC has taken the application offline. Read more in:
- VA notifies Veterans of compromised personal information
- VA reports data breach affecting 46,000 veterans
- Personal information of 46,000 veterans was compromised in the breach
- VA hit by data breach impacting 46,000 veterans
- 46,000 Veterans’ Data Exposed In Financial Services Center Breach
Fairfax County, Virginia, School System Suffers Ransomware Attack. Fairfax County (Virginia) Public Schools (FCPS) is investigating a ransomware attack on “some of [its] technology systems.” While the attack did not disrupt the district’s remote learning program, FCPS is working with federal authorities and “cybersecurity consultants to investigate the nature, scope and extent of any possible data compromise.” Read more in:
- Ransomware Investigation Update
- Virginia’s Largest School System Hit With Ransomware
- Hackers Break Into FCPS Network, Hold Info for Ransom
- Fairfax County schools hit by Maze ransomware, student data leaked
Artech Information Systems Hit with Ransomware Last January. Artech Information Systems has disclosed that its systems were targeted in a ransomware attack in January 2020. While investigating reports of unusual activity on a user account, Artech discovered ransomware on several of its systems. The company brought in a third-party forensic investigation firm, which “determined that an unauthorized actor had access to certain Artech systems between January 5, 2020, and January 8, 2020.” The compromised systems contained sensitive information, including health and financial data. Read more in:
Tutanota’s DDoS Defense Prevented Users From Accessing Accounts. Tutanota, a company that offers encrypted email service, has apologized to its users for unintentionally shutting them out of their accounts while the company dealt with a distributed denial-of-service (DDoS) attack. Tutanota experienced DDoS attacks on at least five occasions in the past month. Read more in:
- Sorry we shut you out, says Tutanota: Encrypted email service weathers latest of ongoing DDoS storms
CISA and FBI Alert Warns of China’s State-Sponsored Hackers. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert warning that cyber threat actors affiliated with China’s Ministry of State Security (MSS) have been targeting US government agencies. According to the alert, the Chinese hackers are exploiting vulnerabilities in Microsoft Exchange Server, F5 Big-IP, Pulse Secure VPN, and Citrix VPN. Patches are available for the flaws. Read more in:
- What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds
- CISA: Chinese state hackers are exploiting F5, Citrix, Pulse Secure, and Exchange bugs
- Alert (AA20-258A) | Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
IRS Seeks Technology to Help it Trace Cryptocurrency. The US Internal Revenue Service (IRS) is seeking proposals that will allow the agency to trace cryptocurrency transactions as part of its investigations into money laundering and other cybercrimes. The deadline for proposals is Wednesday, September 16. Read more in:
- IRS Wants to Be Able to Trace ‘Untraceable’ Digital Currencies
- IRS offers grants for software to trace privacy-focused cryptocurrency trades
- IRS Seeks Fresh Ways to Trace Cryptocurrency Transactions
- Pilot IRS Cryptocurrency Tracing
Researchers and Tech Companies Respond to Voatz’s CFAA Supreme Court Amicus Brief. Nearly 70 individuals and organizations in the cybersecurity community have signed a letter criticizing the argument put forth in an amicus brief submitted to the US Supreme Court regarding a case that could have wide-reaching implications for security research. Voatz’s brief argues that the Computer Fraud and Abuse Act (CFAA) should not protect security researchers who do not have explicit permission to examine code for vulnerabilities. The signatories say that “As representatives of the security community, including pioneers of coordinated vulnerability disclosure, bug bounties, and election security, it is our opinion that Voatz’s brief to the Court fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure, and that the broad interpretation of the CFAA threatens security research activities at a national level.” Read more in:
- Researchers, Companies Slam Mobile Voting Firm Voatz for ‘Bad Faith’ Attacks
- Security researchers slam Voatz brief to the Supreme Court on anti-hacking law
- Cybersecurity Leaders Oppose Voatz
- Response to Voatz’s Supreme Court Amicus Brief
FBI Warns Financial Institutions of Credential Stuffing Attacks. An FBI warning sent to US organizations in the financial sector warns of an increase in credential stuffing attacks targeting their institutions. Suggested mitigations include advising customers and employees to use unique passwords for each account, and changing Internet login page responses so that they do not reveal whether just one component of the login (the username or the password) was correct. Read more in:
- FBI says credential stuffing attacks are behind some recent bank hacks
- Private Industry Notification: Cyber Actors Conduct Credential Stuffing Attacks Against US Financial Sector
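The two technical mitigations the FBI notification lists are easy to get wrong in the application layer, so here is an added example (written for this digest, not code from the FBI or from any financial institution) that puts a leaky login response beside a uniform one and then runs a simple credential-stuffing detector over a few constructed log lines. The user store, the salt, the log format (`timestamp source_ip username result`) and the threshold of five distinct accounts are all assumptions made for the example; the stuffing heuristic generalizes the notification's point: a stuffing source differs from a brute-force source in that it tries many different accounts, each only once or twice.

```python
"""Added example: uniform login failures and a credential-stuffing detector.
Not from the FBI notification; all data below is constructed."""
import hashlib
import hmac
import os
from collections import defaultdict


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 password hashing (iteration count chosen for the example)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash). Not real accounts.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}
# Dummy record used when the username is unknown, so the hash is always computed
# and response time does not reveal whether the account exists.
_DUMMY = (_SALT, _hash("dummy-placeholder", _SALT))


def leaky_login(username: str, password: str) -> str:
    """Weak form: the message says which half was wrong, so a stuffing list can
    first be trimmed to usernames that actually exist at this institution."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"
    return "ok"


def uniform_login(username: str, password: str) -> str:
    """Hardened form (the FBI's suggested mitigation): one message for every
    failure, and the password hash is computed even for unknown usernames."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and username in USERS:
        return "ok"
    return "invalid username or password"


# Constructed authentication log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-09-10T10:00:01 198.51.100.7 alice FAIL
2020-09-10T10:00:01 198.51.100.7 bob FAIL
2020-09-10T10:00:02 198.51.100.7 carol FAIL
2020-09-10T10:00:02 198.51.100.7 dave FAIL
2020-09-10T10:00:03 198.51.100.7 erin FAIL
2020-09-10T10:00:03 198.51.100.7 frank OK
2020-09-10T10:00:09 203.0.113.5 alice FAIL
2020-09-10T10:00:15 203.0.113.5 alice FAIL
2020-09-10T10:00:20 203.0.113.5 alice OK
"""


def find_stuffing_sources(log: str, min_accounts: int = 5) -> dict:
    """Flag sources whose failed logins span at least `min_accounts` distinct
    usernames. A user who mistypes their own password (203.0.113.5 above) hits
    one account repeatedly and is not flagged; a stuffing run (198.51.100.7)
    fans out across many accounts. Returns {source_ip: sorted usernames}."""
    failed_accounts = defaultdict(set)
    for line in log.splitlines():
        _ts, src, user, result = line.split()
        if result == "FAIL":
            failed_accounts[src].add(user)
    return {ip: sorted(users) for ip, users in failed_accounts.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    print(leaky_login("nobody", "x"), "|", uniform_login("nobody", "x"))
    print(find_stuffing_sources(SAMPLE_LOG))
```

The `uniform_login` variant still lets a stuffing run succeed when a reused password is valid, which is why the notification pairs the response change with unique passwords per account; the detector is the piece that tells you a run is under way so that rate limiting or step-up authentication can be applied to the flagged source.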
Microsoft: Russian Hackers Are Targeting US Presidential Campaigns. In a blog post, Microsoft writes that it “has detected cyberattacks targeting people and organizations involved in the upcoming presidential election.” Microsoft has seen malicious activity from hacking groups operating from Russia, China, and Iran. The attacks are targeting “candidates and campaign staffers, but also those they consult on key issues.” Read more in:
- New cyberattacks targeting U.S. elections
- Russia’s Fancy Bear Hackers Are Hitting US Campaign Targets Again
- Microsoft Warns of Cyberattacks on Trump, Biden Election Campaigns
- Microsoft confirms Chinese, Iranian, and Russian cyber-attacks on Biden and Trump campaigns
Zoom Will Offer Two-Factor Authentication to All Users. Zoom has announced plans to roll out two-factor authentication (2FA) to all users. There will be several 2FA options for users to choose from: authentication apps like Google Authenticator, Microsoft Authenticator, and FreeOTP, or code from Zoom sent via SMS or a phone call. Read more in:
- Secure Your Zoom Account with Two-Factor Authentication
- Zoom Brings Two-Factor Authentication to All Users
Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to the US. Facebook has received a preliminary order to stop sending European Union (EU) user data to the US. Facebook has until mid-September to respond to the order from the Irish Data Protection Commission. The order grew out of a July 2020 ruling from the Court of Justice of the European Union (CJEU) that invalidated Privacy Shield, the current EU-US data transfer agreement, because the protections it offered against US surveillance laws were found to be inadequate to protect the rights of EU data subjects. The CJEU ruling left in place Standard Contractual Clauses (SCC), which provide for data transfers between EU and non-EU countries. The Irish Data Protection Commission believes that the SCC provisions are not sufficient and is therefore asking Facebook to stop data transfers. (Please note that the WSJ story is behind a paywall.) Read more in:
- Ireland to Order Facebook to Stop Sending User Data to U.S. (paywall)
- Facebook to stop moving data from EU to US: 5 things you need to know
- Ireland unfriends Facebook: Oh Zucky Boy, the pipes, the pipes are closing…from glen to US, and through the EU-side
- Privacy concerns prompt Irish regulators to ask Facebook to stop sending EU user data to the US
- Securing the Long Term Stability of Cross-Border Data Flows
School Openings Delayed Due to Ransomware and Other Digital Disruptions. School districts in Connecticut, North Carolina, Nevada, and other US states have been hit with ransomware, interrupting plans for both online and in-person classes. In some districts, online classes have been interrupted by Zoom-bombing and distributed denial-of-service (DDoS) attacks. Hartford (Connecticut) Public Schools, which are resuming both in-person and remote classes, postponed the first day of school after suffering a ransomware attack. Read more in:
- Ransomware Attacks Disrupt School Reopenings
- Ransomware And Zoom-Bombing: Cyberattacks Disrupt Back-to-School Plans
- HPS Opening Postponed: Tuesday Sept 8
- City of Hartford postpones first day of school after ransomware attack
- Classes Begin in Hartford After Ransomware Attack Postponed First Day of School
Pakistani Power Company Hit with Ransomware. Systems at K-Electric, the company that provides electricity to Karachi, Pakistan, were infected with Netwalker ransomware. The attack disrupted billing and online services. The attack reportedly occurred on September 7. Read more in:
- Netwalker ransomware hits Pakistan’s largest private power utility
Equinix Internal Systems Hit with Ransomware. Data colocation centre company Equinix has acknowledged that its internal systems were hit with ransomware. In a blog post, Equinix writes, “Note that as most customers operate their own equipment within Equinix data centres, this incident has had no impact on their operations or the data on their equipment at Equinix.” Read more in:
- Data center giant Equinix discloses ransomware incident
- Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom
- Equinix Statement on Security Incident
Microsoft Patch Tuesday. Microsoft’s monthly security update release for September includes fixes for 129 security issues. Twenty-three of the vulnerabilities are considered critical. One of the more worrisome flaws patched earlier this week is a memory corruption issue in Microsoft Exchange that could be exploited simply by sending a maliciously crafted email. Read more in:
- Enjoyed the US Labor Day weekend? Because it’s September 2020 and Exchange Server can be pwned via email
- Microsoft fixes 129 flaws, 23 critical, in massive Patch Tuesday
- Microsoft Patch Tuesday, Sept. 2020 Edition
- Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
- Security Update Summary
Adobe Patch Tuesday. On Tuesday, September 8, Adobe released fixes for vulnerabilities in Experience Manager, Framemaker, and InDesign. Nine of the 11 vulnerabilities fixed in Experience Manager could be exploited to execute arbitrary JavaScript in the browser. The two flaws fixed in Framemaker could be exploited to allow arbitrary code execution, as could the five memory corruption flaws fixed in InDesign. Read more in:
- Adobe releases update to patch critical flaws that could leave networks, data vulnerable
- Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers
- Adobe fixes critical vulnerabilities in InDesign and Framemaker
- Security Bulletins and Advisories
CodeMeter Vulnerabilities. US-CERT has released an industrial control systems (ICS) advisory warning of multiple vulnerabilities affecting Wibu-Systems CodeMeter. The flaws could be exploited “to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter.” Read more in:
- Critical Flaws in 3rd-Party Code Allow Takeover of Industrial Control Systems
- ICS Advisory (ICSA-20-203-01) | Wibu-Systems CodeMeter
Bluetooth Vulnerability. A high-severity flaw in the pairing process for Bluetooth implementations 4.0 – 5.0 could be exploited to snoop on vulnerable devices. The flaw lies in Cross-Transport Key Derivation (CTKD), the pairing process used by implementations that support pairing and encryption over both Bluetooth BR/EDR and LE in Bluetooth Specifications 4.2 through 5.0; devices that use CTKD are vulnerable to having their keys overwritten. Attackers would need to be within wireless range of targeted devices. Read more in: