Cybersecurity News Headlines Update on September 29, 2020

Largest Ransomware Attack? UHS Hospital Network. Universal Health Service (UHS) suffered a ransomware attack over the weekend. The attack prompted the organization to shut down systems at its healthcare facilities in the US. Reports from UHS employees indicate that facilities in several US states, including California, Texas, and Florida, were without access to phone systems and computers. Affected facilities are redirecting ambulances to other hospitals, and patients who require surgery are being transferred. A public statement from UHS says that its “IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue.” Read more in:

• A Ransomware Attack Has Struck a Major US Hospital Chain
• UHS hospital network hit by ransomware attack
• UHS hospitals hit by reported country-wide Ryuk ransomware attack
• UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware
• UHS confirms hospitals hit by cyberattack, some systems down
• Statement from Universal Health Services

Ransomware Impacts Many State and Local Governments: Tyler Technologies. A company that provides IT services to US state and local governments has confirmed that a cyber incident reported last week was a ransomware attack. Some Tyler Technologies customers have reported detecting suspicious logins. The company is urging its customers to change their passwords for remote access accounts. Read more in:

• Suspicious logins reported after ransomware attack on US govt contractor
• Tyler Technologies warns clients to change remote support passwords
• Tyler Technologies confirms cyberattack was ransomware
• Tyler Technologies says clients reported suspicious logins after hack
• Tyler Technologies customers report suspicious logins after ransomware attack
• Information on Tyler’s Security Incident Response

School Data Leaked After Ransomware Demand is Not Paid. Ransomware operator’s published data stolen from the Clark County (Nevada) School District after the district declined to pay the ransomware demand. The Clark County School District has 320,000 students; the leaked data include Social Security numbers, grades, and other personal information. (Please note that the WSJ story is behind a paywall.) Read more in:

• Nevada school district refuses to submit to ransomware blackmail, hacker publishes student data
• Hacker Releases Information on Las Vegas-Area Students After Officials Don’t Pay Ransom (paywall)

$6.85M Penalty for HIPAA Data Breach Violation. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a financial penalty of $6.85 million on Premera Blue Cross for violating the Health Insurance Portability and Accountability Act (HIPAA). A 2014 data breach affected the protected health information (PHI) of 10.4 million patients. An OCR investigation of the breach found “systemic noncompliance” with HIPAA rules. Read more in: OCR Imposes $6.85M Penalty Over Data Breach

Former Employee Sentenced for Damaging Company Computers. A US District Judge has sentenced a former tech support person to a year and a day in prison for accessing his former employer’s computer system, deleting file storage drives, and changing the storage management system password. Shannon Stafford was also ordered to pay his former employer nearly $200,000 in restitution. Stafford was found guilty of intentional damage to a computer and attempted intentional damage to a computer. Stafford’s responsibilities included “disabling company users’ network access credentials at the end of their employment.” Read more in:

• IT guy whose job was to stop ex-staff running amok on the network is jailed for running amok on the network
• Maryland Man Sentenced to Prison for Intentionally Damaging the Computers of His Former Employer

Microsoft Source Code Leaked. Source code for Microsoft Windows XP, Windows Server 2003, and other older operating systems has been leaked online. The data have been posted by a 4chan user. Microsoft is investigating the issue. It appears that much of what was made available was previously leaked material. Read more in:

• Microsoft claims to love open source – this alleged leak of Windows XP code is probably not what it had in mind, tho
• Windows XP source code leaked online, on 4chan, out of all places
• The Windows XP source code was allegedly leaked online
• Source Code of Windows XP, Server 2003 Allegedly Leaked
• Windows XP source code leak sheds light on Microsoft’s OS history

Twitter Fixes Caching Bug That May Have Exposed API Keys. Twitter has warned developers that a caching bug in developer.twitter.com may have exposed API keys and access tokens. Twitter says it has fixed the issue by changing caching instructions so that browsers will no longer store information about developer accounts or apps. Read more in:

• Twitter Warns Developers of API Bug That Exposed App Keys, Tokens
• Twitter warns of possible API keys leak
• Twitter bug may have exposed API keys, access tokens
• Twitter is warning devs that API keys and tokens may have leaked

Microsoft Pulls Azure Apps Being Used to Support Phishing Attacks. Microsoft has pulled 18 Azure Active Directory apps after determining that they were components of a command-and-control structure supporting malicious activity of China-based cyberthreat actors. The apps were being used to help the group launch phishing attacks. Read more in:

• Microsoft Security—detecting empires in the cloud
• Microsoft Says China-Linked Hackers Abused Azure in Attacks
• Microsoft Shutters Azure Apps Used by China-Linked Hackers

Student Arrested for Allegedly Launching Attacks Against Indiana School District System. Authorities in Indiana have arrested a 13-year-old middle school student in connection with a series of cyberattacks against the computer network of the Valparaiso School District. The student is believed to be responsible for a string of attacks that disrupted remote learning activities. Read more in: Student Arrested Over Cyber-attacks on Indiana Schools

911 Emergency Service Outages Affect Several US States. At least 14 US states reported outages of 911 emergency service lines on Monday, September 28. Most of the systems are now operational. The outages were reported in Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Missouri, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, and Washington. Read more in:

• 911 services down in multiple US states
• 911 outages reported nationwide

Microsoft Office 365 Outage. A Microsoft Office 365 outage on Monday, September 28 affected users in the US and Australia. The outage started at 21:25 UTC Microsoft first attempted to fix the problem by rolling back a change identified as causing the outage, but the roll back did not resolve the problem. Microsoft then began “rerouting traffic to alternate systems to provide further relief to the affected users.” As of 4:00 UTC Tuesday, September 29, Microsoft says the issue has been resolved. Read more in:

• Microsoft Office 365 is down in the USA, shows ‘transient’ error
• Office 365 outage with roll back failure ends after more than six hours

Apple announced to release four security updates which, patched vulnerabilities affecting macOS Catalina, High Sierra and Mojave including:

• CVE-2020-9973: Out-of-bounds read vulnerability affected the Model I/O component reported by the Cisco Talos researcher Aleksandar Nikolic.
• CVE-2020-9961: Arbitrary code execution vulnerability that affects the ImageIO component reported by the researcher Xingwei Lin from Ant Group Light-Year Security Lab.
• CVE-2020-9968: Sandbox vulnerability which and can be exploited by a malicious application to access restricted files reported by Adam Chester of TrustedSec.
• CVE-2020-9941: Mail component vulnerability in the High Sierra OS which can be exploited by a remote attacker reported by researchers from the FH Münster University of Applied Sciences in Germany.

Pastebin added new features called ‘Burn After Read’ and ‘Password Protected Pastes’ allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password. Security export warns those features will make it easier to disguise malware operations.

We’re excited to announce 2 great new features for #Pastebin, we think you’ll enjoy using them! In the interest of #security, the first is: Burn After Read, and the second is: Password Protected Pastes. Head on over to https://t.co/K5LoklQIn8 to check them out 🕵️ pic.twitter.com/rQGs5PsMC9

— Pastebin (@pastebin) September 25, 2020

CISA: Federal Agency Hacked, Data Exfiltrated. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report detailing a cyberattack against a federal agency’s enterprise network. The threat actor gained access to the unnamed agency’s system and exfiltrated data. The report provides information about the methods used to gain access to the network. The breach was detected through EINSTEIN, CISA’s intrusion detection system. The threat actor was able to gain persistent network access through reverse Socket Secure proxies. Read more in:

• CISA says a hacker breached a federal agency
• Analysis Report (AR20-268A) | Federal Agency Compromised by Malicious Cyber Actor

Operation DisrupTor Nets 179 Arrests. Authorities in six countries have arrested a total of 179 people in connection with Dark Web activity. The enforcement effort, known as Operation DisrupTor, also seized 500 kilograms of drugs and confiscated $6.5 million in cash and cryptocurrency. Suspects were arrested in the US, Germany, the Netherlands, the UK, Austria, and Sweden. Read more in:

• 179 Arrested in Massive Global Dark Web Takedown
• International Sting Against Dark Web Vendors Leads to 179 Arrests

Polish Hacker Gang Shut Down. Authorities in Poland have shut down a hacking groups that has allegedly been involved in a variety of cybercrimes. Four people have been arrested and another four are under investigation. The group’s alleged activities include spreading ransomware, other malware, SIM swapping, and bank fraud. Read more in:

• Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping
• 4 Hackers Arrested in Poland in Nation-Wide Action Against Cybercrime

Contractor Sentenced for Using Employers System to Mine Cryptocurrency. A man in Australia has been sentenced for using his former employer’s systems to mine cryptocurrency. The man worked as an IT contractor at Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO). His responsibilities included data archiving and software support. The man altered data to use the computers to mine AU$9,400 (US$6,800) in cryptocurrency, while costing the company AU$76,000 (US$55,000) in computing time. The unnamed man received a 15-month non-custodial sentence. Read more in: Contractor convicted of pinching supercomputer cycles to mine cryptocurrency

Cisco Patches Vulnerabilities in IOS XE. On Thursday, September 24, Cisco released fixes for numerous security issues affecting Cisco IOS XE software. The vulnerabilities addressed could be exploited to cause denial-of-service conditions, overwrite files, and launch input validation attacks. Read more in:

• Cisco Patch-Palooza Tackles 29 High-Severity Bugs
• Cisco Security Advisories

British Pilots Not Satisfied with Proposed MCAS Software Fixes for Boeing 737 Max. The British Airline Pilots’ Association (BALPA) says it is not satisfied with proposed fixes to Boeing Manoeuvring Characteristics Augmentation System (MCAS) software for the 737 Max aircraft. BALPA detailed the issue in public comments submitted to a US Federal Aviation Administration (FAA) notice of proposed rulemaking (NPRM). The NPRM proposes fixes and procedures for pilots to follow if a problem arises. BALPA warned that a proposed workaround for an MCAS failure could lead to a crash. Read more in: Proposed US fix for Boeing 737 Max software woes does not address Ethiopian crash scenario, UK pilot union warns

Microsoft: ZeroLogon is Being Actively Exploited; Patch Now. Microsoft is urging users to patch vulnerable systems against the ZeroLogon flaw, which is being actively exploited to. The vulnerability lies in Microsoft’s Netlogon protocol. It can be exploited to bypass authentication measures to obtain domain level admin access in networks. Last week, CISA issued an Emergency Directive instructing agencies to apply the patch by midnight on Monday, September 21. Read more in:

• Microsoft Warns of Attackers Now Exploiting ‘Zerologon’ Flaw
• Zerologon Patches Roll Out Beyond Microsoft
• Microsoft: Attackers Exploiting ‘ZeroLogon’ Windows Flaw
• Microsoft: Hackers using Zerologon exploits in attacks, patch now!
• You know that Microsoft ZeroLogon bug you’ve been dragging your feet on? It’s getting pwned in the wild now
• One of this year’s most severe Windows bugs is now under active exploit

Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.

— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

Microsoft Updates Security Update Guide. Microsoft has updated its Security Update Guide, which contains information about all of the security updates Microsoft releases. Microsoft says that the “new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment.” It is now easier to generate a list of all CVEs from Patch Tuesday, and the display can be personalized. Read more in:

• New and improved Security Update Guide!
• Security Update Guide
• Microsoft Overhauls Patch Tuesday Security Update Guide

Ransomware: US School Districts Targeted. Networks belonging to at least 16 school districts in the US have been hot with ransomware in the past few months. In some of the districts, the attacks pushed back the first day of school; in others, classes were cancelled for a day or more. Having a functioning IT system is especially crucial to school districts as so many are holding classes remotely. Read more in: Cybercriminals Strike Schools Amid Pandemic

Ransomware: Tyler Technologies. Systems at Tyler Technologies, a company that provides software and IT services to state and local governments across the US, has been hit with what appears to be a ransomware attack. The company has not specified the nature of the attack, but the details that have emerged are consistent with a system beset with ransomware. In an email to clients, Tyler’s CIO wrote, that after discovering “that an unauthorized intruder had disrupted access to some of our internal systems, …out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem.” Read more in:

• Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack
• Government software provider Tyler Technologies hit by ransomware
• Tyler Technologies reports apparent cyberattack
• Tyler Technologies’ Internal Systems Hit by Ransomware

Texas County eMail Hacked.The Hamilton County (Texas) email system suffered a malware attack. Individuals who emailed the county clerk received maliciously-crafted replies that included an attached file and a password to open the file. The attachments contained malware. The county had not implemented two-factor authentication (2FA) or DMARC for its email system email. Read more in: Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns

NSA Cybersecurity Information Sheets. The US National Security Agency (NSA) has published two cybersecurity information sheets. The first, “Compromised Personal Network Indicators and Mitigations,” is for government teleworkers; it “provides guidance to users who have received authorization to connect GFE (government furnished equipment) to personal networks.” The second document, “Performing Out-of-Band Network Management,” provides information for system admins on isolating management traffic from operational traffic. Read more in:

• NSA Issues Cybersecurity Guidance for Remote Workers, System Admins
• Compromised Personal Network Indicators and Mitigations (PDF)
• Performing Out-of-Band Network Management (PDF)

FERC/NERC Report Looks at Electric Utility Cyber Incident Response. A report from the U.S. Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) outlines best practices for cybersecurity incident response. The report is based on information gleaned from cybersecurity incident response plans of eight US utilities. Read more in:

• FERC, NERC Conduct Study on Cyber Incident Response at Electric Utilities
• Cybersecurity incident response – best practices from the US
• Cyber Planning for Response and Recovery Study (CYPRES) (PDF)

CISA Emergency Directive on Windows Server Vulnerability. On Friday, September 18, the US’s Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive ordering federal agencies to patch a critical vulnerability in Windows Server for which Microsoft issued a fix in August. The flaw lies in an Active Directory authentication component called Microsoft Windows Netlogon Remote Protocol (MS-NRPC). Agencies have been directed to “update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.” The privilege elevation vulnerability has been given a CVSS score of 10. Read more in:

• US govt orders federal agencies to patch dangerous Zerologon bug by Monday
• CISA orders agencies to patch dire Window flaw
• US Cybersecurity agency issues super-rare Emergency Directive to patch Windows Server flaw ASAP
• CISA orders agencies to quickly patch critical Netlogon bug
• Critical Zerologon bug uses weak cryptography to spoof network users
• Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
• CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Researchers: Rampant Kitten Hacking Campaign Uses an Arsenal of Data-Stealing Malware. Researchers at Check Point have detected a long-standing surveillance campaign used by Iranian entities to target dissidents and expatriates. Dubbed Rampant Kitten, the campaign employs malware to steal information, including two-factor authentication (2FA) SMS codes, take screenshots, and record sounds near infected devices. Read more in:

• RampantKitten: An Iranian Surveillance Operation unraveled
• Telegram messages are a focus in newly uncovered hack campaign from Iran
• Iranian hacker group developed Android malware to steal 2FA SMS codes
• Android Malware Bypasses 2FA And Targets Telegram, Gmail Passwords

Hijacking Flaw in Firefox for Android is Fixed in Version 79. Firefox for Android users are urged to update their apps to version 79 or newer to protect the browser from being hijacked. An attacker on the same Wi-Fi network as someone running a vulnerable version of Firefox for Android could cause a new browser window to open. The issue lies in the browser’s Simple Service Discovery Protocol (SSDP) engine. Read more in:

• Firefox bug lets you hijack nearby mobile browsers via WiFi
• Firefox for Android Bug Allows ‘Epic Rick-Rolling’

Internet Archive and Cloudflare Collaborate to Archive More Website Content. A partnership between the Internet Archive and Cloudflare will automatically archive content of websites that use Cloudflare’s Always Online service. The Always Online feature serves cached static versions of websites when the sites are experiencing downtime. The partnership will help increase the number of sites the Internet Archive’s Wayback Machine archives. Read more in:

• The Wayback Machine and Cloudflare Want to Backstop the Web
• Wayback Machine and Cloudflare team up to archive more of the Web

Another Patch for Discount Rules for WooCommerce WordPress Plugin. The developers of the Discount Rules for WooCommerce WordPress plugin have released an update to address a pair of high-severity cross-site scripting vulnerabilities. This is the third time that updates have been issued to address the flaws; two earlier versions did not sufficiently fix the problem. Users are urged to update to version 2.2.1. Read more in:

• Stubborn WooCommerce Plugin Bugs Gets Third Patch
• High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce

Jekyll Island Authority Systems Hit with Ransomware. The Jekyll Island Authority (JIA) has acknowledged that its network was hit with a ransomware attack last week. (Jekyll Island is located off the coast of the US state of Georgia.) The JIA executive director said, “All of our computer systems … were impacted, and it’s a very serious situation.” JIA employed a third-party IT services provider that is working on restoring JIA systems. Read more in: Jekyll Island Authority Targeted by Ransomware Attack

Ransomware Operators Stole Data from ArbiterSports. ArbiterSports has acknowledged that its network suffered a ransomware attack in July. According to its website, “ArbiterSports provides a complete suite of tools and technology that caters to the needs of Assigners, Coordinators, Business Offices, Game officials and Athletic or Federal Program Directors.” The company said that the attackers stole data belonging to 540,000 users. Although ArbiterSports paid the demanded ransom and the hackers said they deleted the stolen files, there is no guarantee that the information is not still in their possession. Read more in: Details of 540,000 sports referees taken in failed ransomware attack