DHS Acting Secretary Speaks About Election Security. US Department of Homeland Security (DHS) Acting Secretary Chad Wolf told an audience at the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Summit 2020 that DHS has “not identified any threats that would prevent Americans from voting, or that would change vote tallies.” He also noted that final election tallies may not be available on election night. Ninety-two percent of jurisdictions are using voting systems with auditable paper trails. Read more in: DHS Sees No Threat to Vote Tallies, Warns of Election Outcome Lag
Ransomware Closes Schools in Massachusetts. Springfield (Massachusetts) Public Schools have been closed in the wake of a ransomware attack on its IT network. Students were told to shut down district-owned devices. The district has been teaching remotely since the start of the school year. Read more in: Massachusetts school district shut down by ransomware attack
SEC Agrees to Settle Complaint Against Trader Who Used Stolen Data. The US Securities and Exchange Commission (SEC) has agreed to settle a complaint against Kyungja Cho, a trader who used information stolen in a hack of the SEC’s EDGAR filing system to conduct lucrative transactions. Settlement agreements must be reviewed and approved by SEC Commissioners before they become binding. Read more in:
- SEC settles with trader accused of illegal trades using hacked data
- Civil Action No. 19-cv-505 (PDF)
Wisepay Pulls Site Offline After Spoofing Attempt. Wisepay, a UK school payments company, took its website offline after it became aware that someone was attempting to spoof its card payment page. The website has been offline since Sunday, October 4; on Monday, the site displayed a “down for maintenance” message. Read more in:
- Wisepay ‘outage’ is actually the school meal payments biz trying to stop an intruder from stealing customer card details
- Wisepay: School payments service hit by cyber-attack
Kraken Fileless Malware Exploits Windows Error Reporting. A fileless attack method, dubbed Kraken, hides itself in the Microsoft Windows Error Reporting (WER) service to evade detection. The malware is spreading through a phishing campaign; the messages purport to be information about a worker’s compensation claim. Read more in:
- Release the Kraken: Fileless APT attack abuses Windows Error Reporting service
- APT Attack Injects Malware into Windows Error Reporting
- Hackers exploit Windows Error Reporting service in new fileless attack
UHS is Restoring Networks After Cyberattack. Universal Health Services is restoring services to facilities affected by a cyberattack that began on September 27. According to an October 5 statement from UHS, “the UHS IT Network has been restored and applications are in the process of being reconnected.” Read more in:
- UHS Recovering From Malware Infection
- Statement from Universal Health Services: Updated Monday, October 5, 2020, 12:30 PM ET
US Seizes Domains Associated with Disinformation Campaigns. The US Department of Justice (DoJ) has announced the takedown of 92 domains owned by Iran’s Islamic Revolutionary Guard Corps (IRGC); several of the domains have been used to spread propaganda in the US. All 92 of the domains were being used in violation of sanctions against Iran and against IRGC. Read more in:
- United States Seizes Domain Names Used by Iran’s Islamic Revolutionary Guard Corps
- Takedown of 92 Iran-owned domains includes 4 used for disinformation in US, feds say
- US Seizes Domains Used to Spread Disinformation
- US seizes 92 domains used by Iran for ‘global disinformation campaign’
Boom! Mobile Acknowledges Skimming. A page on the Boom! Mobile telecommunications company website has been infected with malware that steals payment card information and sends it to a server controlled by criminals. Boom! Mobile is urging customers who made purchases between September 30 and October 5, 2020, “to take the necessary precautions with their credit card company.” Boom!’s shopping cart provider said that the malware has been removed. Read more in:
- Boom! Hacked page on mobile phone website is stealing customers’ card data
- Skimming Attack on Boom! Mobile
- Boom! Mobile falls prey to Magecart card-skimming attack
Cisco Security Updates Include Fixes for Three High Severity Flaws. Cisco has made fixes available to address three high-severity vulnerabilities affecting the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras, Webex Teams for Windows, and the Cisco Identity Services Engine. Cisco has also released security updates to address 11 medium-severity vulnerabilities in a variety of products. Read more in:
- Cisco security warning: Patch Webex Teams for Windows and surveillance camera now
- Cisco Fixes High-Severity Webex, Security Camera Flaws
- Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability
- Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability
- Cisco Identity Services Engine Authorization Bypass Vulnerability
- Cisco Security Advisories
Adobe Creative Cloud Outage. An outage is preventing Adobe Creative Cloud users from logging in or accessing stored data and applications to which they subscribe. The problem began at about 9:30am EST. Adobe acknowledged the issue on the status.adobe.com page but has not offered details. Read more in: Adobe Creative Cloud down: Users report login, data access issues
Azure App Services Flaws. A pair of security flaws in Azure App Services could be exploited to take control of vulnerable administrative servers. Microsoft was notified of the flaws in July and has fixed the issues. Read more in:
- Microsoft Azure Flaws Open Admin Servers to Takeover
- Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure
Europol: Ransomware Attacks are Going Unreported. According to a report from Europol, many ransomware attacks are not reported to police. In some cases, organizations targeted by ransomware bring in “private sector security firms” to manage the response to the attack. The Internet Organised Crime Threat Assessment 2020 “provides a unique law enforcement focused assessment of emerging challenges and key developments in the area of cybercrime.” Read more in:
- Ransomware victims aren’t reporting attacks to police. That’s causing a big problem
- Internet Organised Crime Threat Assessment (IOCTA) 2020
Ransomware Attack Affects Software Used in COVID Treatment Clinical Trials. A ransomware attack affecting eResearchTechnology (ERT) has impacted clinical trials of potential COVID treatments. ERT sells software that is used in clinical trials. The attack did not affect the patients participating in the trials, but organizations using the software were unable to access their digital data and resorted to recording information with pen and paper. Read more in:
- Clinical Trials Hit by Ransomware Attack on Health Tech Firm
- Ransomware Disrupts COVID-19 Medical Trials
NJ Hospital Paid Ransom to Stop More Data from Being Leaked. A hospital in New Jersey paid ransomware operators $670,000 to not publish data they had stolen during a ransomware attack that took place in early September. University Hospital New Jersey (UHNJ) in Newark, NJ, paid the demanded ransom after the ransomware actors published 48,000 documents they had stolen in September. The ransomware operators agreed to provide UHNJ with a decryption key, a security report, the stolen data, and a promise not to attack the hospital again. Read more in: New Jersey hospital paid ransomware gang $670K to prevent data leak
Microsoft Provides More Information About Last Week’s Office 365 Outage. According to a preliminary report from Microsoft, last week’s Office 365 outage was caused by an improperly deployed Azure Active Directory (AD) service update. The September 28 outage prevented users from accessing Microsoft apps and services for several hours. Read more in:
- Microsoft’s Azure AD authentication outage: What went wrong
- Microsoft explains the cause of the recent Office 365 outage
- RCA – Authentication errors across multiple Microsoft services and Azure Active Directory integrated applications (Tracking ID SM79-F88)
FBI: Chinese Hackers Targeting Users with US Government Security Clearances. The FBI is warning that hackers with ties to China’s government are targeting individuals with US government security clearances through social media sites. The FBI document includes a list of indicators that you are being targeted and suggests steps to take to protect yourself. Read more in: The China Threat: Foreign Intelligence Services Use Social Media Sites to Target People with Security Clearances
Telstra Apologizes for Inadvertent BGP Hijacking. Australian telecommunications company Telstra has apologized for a technical error that caused some traffic bound for the ProtonMail encrypted mail service to be diverted through Telstra’s servers. The inadvertent Border Gateway Protocol (BGP) hijacking occurred when “a technical error early on Wednesday morning (AEST) [caused] approximately 500 IPv4 prefixes [to be] incorrectly advertised as Telstra’s.” Once Telstra realized what was happening, they fixed the problem. Read more in: Aussie telco Telstra says soz after accidentally diverting traffic meant for encrypted email biz through its servers
Visa Security Alert: New Malware Samples Found in Point-of-Sale Terminal Compromises. According to a Security Alert from Visa, the company’s Payment Fraud Department “analyzed malware samples recovered from the independent compromises of two North American merchants.” The attackers targeted the point-of-sale (POS) systems of the two unnamed companies. The incidents occurred earlier this year; both victims are in the hospitality industry. Read more in:
- New Malware Samples Identified in Point-of-Sale Compromises (PDF)
- Visa Warns of Attack Involving Mix of POS Malware
- Two North American hospitality merchants hacked in May and June
Ttint Botnet Exploits Unpatched Flaws in Tenda Routers. A pair of zero-day vulnerabilities in Tenda routers are being exploited to spread a variant of the Mirai Internet of Things (IoT) botnet known as Ttint. Ttint is capable of launching distributed denial-of-service (DDoS) attacks as well as spreading remote access trojans (RATs) and spyware. Read more in:
- New Ttint IoT botnet caught exploiting two zero-days in Tenda routers
- Tenda Router Zero-Days Emerge in Spyware Botnet Campaign
WordPress: Vulnerabilities Fixed in Post Grid and Team Showcase Plugins. Developers of the Post Grid and Team Showcase WordPress plugins have released updated versions to address two high severity security issues – a cross-site scripting flaw and a PHP object-injection issue – that affect both plugins. Users are urged to update to Post Grid version 2.0.73 and Team Showcase version 1.22.16. Read more in:
- Post Grid WordPress Plugin Flaws Allow Site Takeovers
- High Severity Vulnerabilities in Post Grid and Team Showcase Plugins
International Maritime Organization Hit by Cyberattack. The United Nations agency for regulating international shipping, the International Maritime Organization (IMO), experienced a cyberattack at the end of September. The agency’s Global Integrated Shipping Information Systems (GISIS) database, document repository IMODOCS, and its Virtual Publications service were temporarily unavailable. According to an IMO statement, “The interruption of web-based services was caused by a sophisticated cyber-attack against the Organization’s IT systems that overcame robust security measures in place.” Read more in:
- UN Shipping Agency Forced Offline After Cyber-Attack
- IMO web services – update 02/10/2020 Access to the www.imo.org website restored
“Technical Issue” Delays Reporting of COVID Test Results in England. Public Health England (PHE) has acknowledged that a “technical issue” prevented nearly 16,000 cases of COVID from being reported between September 25 and October 2. PHE aggregates test result data from both public and private entities and publishes daily statistics. While the people who tested positive received their results in a timely manner, the error delayed contact-tracing efforts. PHE has not confirmed the source of the problem; reports in several news sources suggest that it was due to limits on the size of Excel files. Read more in:
- PHE statement on delayed reporting of COVID-19 cases
- Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
- An Excel error may have led England to under-report COVID-19 cases
- Excel spreadsheet error blamed for UK’s 16,000 missing coronavirus cases
- Why using Microsoft’s tool caused Covid-19 results to be lost
- In U.K.’s Test and Trace: Now You See ’em, Now You Don’t
US Treasury Advisory: Sanction Risks for Paying Ransomware Operators. According to a recent advisory from the US Treasury Department’s Office of Foreign Assets Control, organizations that pay ransomware demands to certain groups could be fined if the recipients of the payments are under economic sanctions. The rule applies not only to the organizations that suffer the attacks, but also to the third-party companies they bring in to help manage the problem. Read more in:
- Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam
- Paying ransomware demands could land you in hot water with the feds
- US govt warns of sanction risks for facilitating ransomware payments
- US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers
- Treasury Department Warns Ransomware Payment Facilitators of Legal Implications
- Helping to pay off ransomware hackers could draw big penalties from the feds
- Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (PDF)
Universal Health Services Still Working on Restoring Systems After Ransomware Attack. As of Thursday, October 1, Universal Health Services (UHS) is still “work[ing] through an IT network security issue caused by malware.” The attack began over the weekend; UHS shut down its network to prevent the malware from spreading further. While UHS has facilities in the UK and the US, the issue affects only US facilities. Read more in:
- Statement from Universal Health Services
- Universal Health Services says its network is ‘still down’: spokeswoman
Lawrence General Hospital Investigating “Data Security Incident”. Lawrence General Hospital (LGH) in Massachusetts is working with a third-party forensic organization to investigate a “data security incident” that took place in mid-September. During the incident, LGH took its systems offline to secure its data. The hospital was able to continue to care for patients, but those arriving by ambulance were diverted to other facilities for approximately 36 hours. Read more in: Massachusetts Hospital Investigates ‘Data Security Incident’
Pakistan Power Company Data Published Following Ransomware Attack. Ransomware operators have published data stolen from Pakistan’s K-Electric power company. K-Electric suffered a ransomware attack last month and did not pay the $3.85 million demanded as ransom. The September 7th attack disrupted the company’s billing services but did not interrupt power supply. Read more in: Hackers leak files stolen in Pakistan’s K-Electric ransomware attack
Swatch Group Acknowledges Cyberattack. Swatch Group, the Swiss company that makes the eponymous watches, says that its network was hit with a cyberattack over the weekend. Once the company detected the attack, it shut down IT systems to prevent further damage. Swatch group did not provide details about the nature of the attack. Read more in:
- Swiss watchmaker Swatch shuts down IT systems to stop cyberattack
- Swatch Group Hit by Likely Ransomware Attack
Nikulin Sentenced. A judge in California has sentenced Yevgeniy Nikulin to more than seven years in prison for his role in hacking into and stealing data from LinkedIn, Dropbox, and Formspring. He will be credited for time served following his arrest. Read more in:
- Russian hacker, described as ‘brilliant’ by judge, gets seven years in a US clink for raiding LinkedIn, Dropbox
- Russian National Sentenced to 7+ Years for Hacking US Tech Firms
- Russian Hacker Sentenced to Over 7 Years in Prison for Hacking into Three Bay Area Tech Companies
North Korean Hackers Targeted UN Security Council Members in Phishing Attacks. According to a report from the United Nations (UN), a hacking group with alleged ties to North Korea’s government launched phishing attacks against UN Security Council members earlier this year. At least 28 individuals have been targeted. Read more in: North Korea has tried to hack 11 officials of the UN Security Council
US 911 Emergency System Outage. An outage affecting 911 emergency system availability in more than a dozen US states on Monday, September 28 appears not to be related to a Microsoft outage the same day, as some had speculated. Instead, the issues are likely due to an issue with Intrado, a company that provides 911 and emergency communications infrastructure, systems, and services or with Lumen, its service provider. Read more in: Who’s Behind Monday’s 14-State 911 Outage?
Unpatched Exchange Servers. Nearly 250,000 Internet-facing Microsoft Exchange Servers remain unpatched against a critical remote code execution flaw in the Exchange Control Panel component. Microsoft released a fix for the issue nearly eight months ago. In March, the US Cybersecurity and Infrastructure Security Agency (CISA) and the NSA both urged organizations to patch the vulnerability as it was already being exploited in the wild. Read more in:
- Microsoft Exchange Servers Still Open to Actively Exploited Flaw
- Over 247K Exchange servers unpatched for actively exploited flaw
- CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
Zerologon Attacks Spike. Cisco Talos has noted a significant increase in attempts to exploit the Zerologon vulnerability. The privilege elevation flaw can be exploited to take control of Active Directory identity services. Microsoft has released updated instructions for patching the vulnerability. Read more in:
- Microsoft Netlogon exploitation continues to rise
- Zerologon Attacks Against Microsoft DCs Snowball in a Week
- Microsoft Issues Updated Patching Directions for ‘Zerologon’
- How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
QNAP Warns of AgeLocker Ransomware Targeting its NAS Devices. An advisory from QNAP warns of ransomware attacks targeting its network attached storage (NAS) devices. Dubbed AgeLocker, the ransomware exploits a vulnerability in older versions of the Photo Station app. The advisory includes update instructions to secure vulnerable devices. Read more in:
Blackbaud SEC Filing Discloses That Breach Compromised Bank Account Data. Months after disclosing a ransomware attack that compromised data belonging to many clients, customer relationship management (CRM) software provider Blackbaud is now acknowledging that the attackers may have accessed more than just names and email addresses. Bank account information may have been compromised. The additional information came to light in an 8-K filing Blackbaud made with the US Securities and Exchange Commission (SEC) on September 29. The attack occurred in May. Blackbaud paid a ransom demand after the attackers said they destroyed the purloined data. Read more in:
- Blackbaud: Ransomware gang had access to banking info and passwords
- Blackbaud: Hackers May Have Accessed Banking Details
- Cloud biz Blackbaud admits ransomware crims may have captured folks’ bank info, months after saying that everything’s fine
- FORM 8-K | Blackbaud (PDF)
ConnectWise has partnered with HackerOne to launch a bug bounty program that aims to improve ConnectWise’s internal testing practices by detecting security vulnerabilities in its remote management software.
Shopify disclosed a data breach incident that affected “less than 200” merchants and involved two insider threats, but questions remain about the breach and how it was discovered, according to the Shopify Incident Update.
Microsoft has detected exploitation of the Netlogon vulnerability, which it disclosed and patched last month using a phased two-part rollout, according to the published security update. The first part of the deployment was executed in the August Patch Tuesday security update. The second phase is planned for the first quarter of 2021.
The Netlogon Elevation of Privilege Vulnerability, dubbed “Zerologon” and identified as CVE-2020-1472, is rated the maximum CVSS severity of 10 and allows attackers to essentially become a domain administrator and gain access to enterprise networks.
We’ll continue to monitor developments and update the threat analytics report with the latest info. We strongly recommend that customers immediately apply security updates for CVE-2020-1472. Microsoft 365 customers can use threat & vulnerability management data to see patching status.
— Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020
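Microsoft’s rollout guidance for CVE-2020-1472 (the “How to manage the changes in Netlogon secure channel connections” article linked in the Zerologon item above) has domain controllers log Netlogon events 5827 through 5831 for vulnerable secure-channel connections, so the phased rollout described above can be tracked from the DC’s System log. The following is an added example, not code from the digest, Microsoft or Cisco Talos: it triages exported event records (for instance pulled with Get-WinEvent) to list the accounts that still need attention before the enforcement phase. The sample records are constructed and their message layout is approximated.

```python
import re

# Netlogon event IDs documented in Microsoft's CVE-2020-1472 rollout guidance.
# 5827/5828: a vulnerable connection was DENIED (enforcement in effect).
# 5829: a vulnerable connection was ALLOWED (initial deployment phase only).
# 5830/5831: a vulnerable connection was allowed by a Group Policy exception.
EVENT_STATUS = {
    5827: "denied",
    5828: "denied",
    5829: "allowed_vulnerable",
    5830: "gpo_exception",
    5831: "gpo_exception",
}
# When one account shows several event kinds, keep the most urgent finding:
# a denial first, then a still-vulnerable client, then a GPO exception.
SEVERITY = {"denied": 3, "allowed_vulnerable": 2, "gpo_exception": 1}

# The event message carries "Machine SamAccountName:" or "Trust SamAccountName:".
ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")


def triage_netlogon_events(events):
    """events: iterable of (event_id, message) pairs exported from a DC's System log.
    Returns {sam_account: {"status": str, "count": int, "event_ids": sorted list}}.
    Records whose ID is not one of the Netlogon events above are ignored."""
    findings = {}
    for event_id, message in events:
        status = EVENT_STATUS.get(event_id)
        if status is None:
            continue
        match = ACCOUNT_RE.search(message)
        account = match.group(1) if match else "<unparsed>"
        entry = findings.setdefault(account, {"status": status, "count": 0, "event_ids": set()})
        entry["count"] += 1
        entry["event_ids"].add(event_id)
        if SEVERITY[status] > SEVERITY[entry["status"]]:
            entry["status"] = status
    for entry in findings.values():
        entry["event_ids"] = sorted(entry["event_ids"])
    return findings


def accounts_to_remediate(findings):
    """Accounts still making vulnerable Netlogon connections: they will break when
    enforcement starts (or already have, where a denial was logged)."""
    return sorted(a for a, e in findings.items() if e["status"] in ("denied", "allowed_vulnerable"))


# Constructed sample records (not real log data); the message text approximates
# the layout of the Netlogon events. 7036 is an unrelated Service Control Manager event.
SAMPLE_EVENTS = [
    (5829, "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
           "Machine SamAccountName: OLDPRINTER01$\nDomain: CORP\nAccount Type: Workstation"),
    (5829, "The Netlogon service allowed a vulnerable Netlogon secure channel connection.\n"
           "Machine SamAccountName: OLDPRINTER01$\nDomain: CORP\nAccount Type: Workstation"),
    (5827, "The Netlogon service denied a vulnerable Netlogon secure channel connection "
           "from a machine account.\nMachine SamAccountName: LEGACYNAS$\nDomain: CORP"),
    (5830, "The Netlogon service allowed a vulnerable Netlogon secure channel connection "
           "because the machine account is allowed by group policy.\n"
           "Machine SamAccountName: SCANNER07$\nDomain: CORP"),
    (7036, "The Netlogon service entered the running state."),
]

if __name__ == "__main__":
    result = triage_netlogon_events(SAMPLE_EVENTS)
    for account, entry in sorted(result.items()):
        print(f"{account:16} {entry['status']:18} x{entry['count']} events {entry['event_ids']}")
    print("Remediate before enforcement:", accounts_to_remediate(result))
```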