Cybersecurity News Headlines Update on October 16, 2020

Cyber Command’s TrickBot Disruption Efforts are “Precedent-Setting”. US Cyber Command’s efforts to disrupt the TrickBot botnet mark “the first public, obvious operation to stop someone’s cyber capability before it could be used against us to cause even greater harm,” according to Columbia University cyber conflict researcher Jason Healey. Cyber Command severed communication between infected machines and the botnet’s command-and-control servers, and it injected nonsense data into the information TrickBot stole. While the efforts did not cause serious damage to the botnet, the action Cyber Command took “shows the growing reach of US military hackers.” Read more in: A Trickbot Assault Shows US Military Hackers’ Growing Reach

Microsoft’s TrickBot Legal Maneuver Could Help with Botnet Takedowns in the Future. Microsoft, along with several security firms and the Financial Services Information Sharing and Analysis Center (FS-ISAC), also took steps to disrupt TrickBot’s activity. While the efforts only temporarily hindered the botnet’s operations, the court case in which Microsoft was granted control of TrickBot servers did set a new legal precedent that could help take action against botnets more quickly in the future. Read more in: TrickBot botnet survives takedown attempt, but Microsoft sets new legal precedent

New York Dept. of Financial Services Calls for Regulation of Social Media Companies After Twitter Hack. In an investigative report into the July 2020 Twitter cybersecurity incident, the New York Department of Financial Services calls for “public oversight of social media,” to help improve their cybersecurity practices. The report notes that the “Twitter hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies.” Read more in:

• Twitter Investigation Report
• New York Wants Social Media Companies to be Regulated
• New York regulator faults Twitter for lax security measures prior to big account breach
• Security much? Twitter should have had a CISO to prevent Bitcoin hack, says US state financial body

Zoom Will Release Preview of End-to-End Encryption Next Week. Zoom plans to release a technical preview of its end-to-end encryption (E2EE) next week. The company will be “proactively soliciting feedback from users for the first 30 days.” When Zoom’s E2EE is rolled out, the feature will be available to all users. Read more in:

• Zoom Rolling Out End-to-End Encryption Offering
• Zoom to roll out end-to-end encrypted (E2EE) calls
• Zoom Rolls Out End-to-End Encryption After Setbacks
• Remember when Zoom was rumbled for lousy crypto? Six months later it says end-to-end is ready

Updates Address Vulnerabilities in PhantomPDF. Updates are available to address four high-severity security flaws in Foxit’s PhantomPDF. Users are urged to upgrade PhantomPDF version 10.1 for Windows and PhantomPDF version 4.1 for Mac. The Us Cybersecurity and Infrastructure Security Agency (CISA) warned of the flaws in a vulnerability summary earlier this month. Read more in:

• For Foxit’s sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns
• This popular PDF software needs to be updated ASAP
• Vulnerability Summary for the Week of October 5, 2020

Barnes and Noble Hit by Cyberattack. US bookseller Barnes & Noble has disclosed a security breach that may have compromised customer data. The company issued a statement, saying, “We have a serious network issue and are in the process of restoring our server backups.” The attack reportedly occurred on October 10. Since then, users of Barnes & Noble’s Nook Digital eBook and eReader platform have said they are unable to access their libraries of eBooks and periodical subscriptions. Read more in:

• Barnes & Noble confirms cyberattack, suspected customer data breach
• Barnes & Noble Hack: A Reading List for Phishers and Crooks
• Barnes & Noble hit by cyberattack that exposed customer data

German Authorities Conduct Raids in Connection with FinFisher Spyware. Earlier this month, German authorities searched 15 homes and businesses in connection with FinFisher, a company that develops and sells surveillance software. The company is being investigated over suspicions that it exported its FinSpy surveillance software to countries without an export license. If this is true, the company could be charged with violating the Foreign Trade and Payments Act. Read more in:

• Police carry out raids linked to German spyware firm FinFisher
• German authorities raid FinFisher offices
• German police raid tech firm FinFisher over spyware allegations

Microsoft’s October 2020 Patch Tuesday. On Tuesday, October 13, Microsoft released updates to address nearly 90 security issues in Windows and Windows-related products. Eleven of the vulnerabilities are rated critical. One of the most concerning flaws, CVE-2020-16898, is a Windows TCP/IP remote code execution vulnerability that has been dubbed “Bad Neighbor.” The vulnerability can be exploited by sending maliciously crafted packets. Read more in:

• Microsoft Patch Tuesday, October 2020 Edition
• Microsoft Patch Tuesday fixes 87 flaws, 11 critical
• October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug
• CVE-2020-16898: “Bad Neighbor”
• US Cyber Command: Patch Windows ‘Bad Neighbor’ TCP/IP bug now
• Windows TCP/IP Remote Code Execution Vulnerability

Adobe Issues Fixes for Another Critical Flash Flaw. Adobe has released updates to fix for a critical flaw in Flash Player that could be exploited to crash vulnerable installations and allow remote code execution. The NULL pointer dereference vulnerability is fixed in versions 32.0.0.445 of Flash Player products. Read more in:

• Critical Flash Player Flaw Opens Adobe Users to RCE
• Security updates available for Adobe Flash Player | APSB20-58
• CVE-2020-9746 Detail

Adobe Releases Updates to Fix Nine Flaws in Magento. A pair of critical vulnerabilities in Adobe’s Magento eCommerce platform could be exploited to gain read/write access to the database or to execute arbitrary code. These flaws, along with seven other less severe issues, affect both Magento Commerce, which has a licensing fee, and Magento Open Source, which does not. Adobe has released updates to address the vulnerabilities. Read more in:

• Critical Magento Holes Open Online Shops to Code Execution
• Security Updates Available for Magento | APSB20-59

Microsoft Uses Trademark Law In An Attempt To Disrupt TrickBot Botnet

The TrickBot botnet has infected over a million servers and is used to spread ransomware, notably the Ryuk ransomware that has been infecting organizations like healthcare providers.

A court in Virginia has granted Microsoft permission to seize many of the operating control servers TrickBot uses to deploy malware, based on claims that they are abusing Microsoft’s trademarks. Microsoft argued that Trickbot irreparably harms the company “by damaging its reputation, brands, and customer goodwill.” As a result, they’ve taken over some of the servers, and shut them down.

Microsoft said that they don’t expect their action to permanently disrupt it, but they’re doing all they can to make the operator’s lives harder. The cybersecurity firm Intel 471 agreed, stating that “It is highly likely a takedown of the Trickbot infrastructure would have little medium- to long-term impact on the operation of Trickbot.” Refer to the legal filings from Microsoft here.

CISA: Hackers are Chaining Long-Known Vulnerabilities to Attack Government Networks. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning that hackers have been using a combination of vulnerabilities in several different VPNs along with the Windows Netlogon vulnerability to gain access to government networks. The advisory notes that there have been “some instances where this activity resulted in unauthorized access to elections support systems,” but that the integrity of election data has not been compromised. The advisory includes advice for protecting systems. Read more in:

• Alert (AA20-283A) APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
• Hacker groups chain VPN and Windows bugs to attack US government networks
• Foreign hackers are targeting federal, state and local IT networks, feds warn

Software AG Recovering From Ransomware Attack. German software company Software AG was hit with a ransomware attack on October 3. The ransomware operators encrypted files and demanded more than $20 million in return for the decryption key. Software AG attempted to negotiate with the attackers; after the communication broke down, the attackers published screenshots of what they say are data stolen from the company. Software AG says that the attack affected its internal network, but that customer services were not affected. Read more in:

• Software AG hit with ransomware: Crooks leak staffers’ passports, want millions for stolen files
• German tech giant Software AG down after ransomware attack
• Software AG IT giant hit with $23 million ransom by Clop ransomware

US Senator Demands Answers on Healthcare Ransomware Attacks. In the wake of a ransomware attack that affected multiple Universal Health Services (UHS) healthcare facilities, US Senator Mark Warner (D-Virginia) has written a letter to the CEO expressing “grave concerns” about the attack. Warner is seeing answers to a number of questions, including a description of UHS’s vulnerability management process, how various UHS networks are segmented and isolated, and whether the company has paid a ransom demand. Read more in:

• Senate Democrat raises concerns around Universal Health Services breach
• Here are the questions Congress asks after a ransomware attack
• Letter to Universal Health Services CEO (PDF)

Carnival Acknowledges Data Theft from Ransomware Attack. Carnival Corporation has acknowledged that ransomware actors who launched an attack on the cruise line operator’s network in August also stole personal data. Carnival disclosed the attack in a US Securities and Exchange Commission (SEC) filing on August 17, 2020. On October 8, 2020, Carnival filed an additional SEC form that acknowledged that the attackers accessed customer and employee information. Read more in: Largest cruise line operator Carnival confirms ransomware data theft

Ransomware Operators Post School District Data Online. Maze ransomware operators have published data stolen from Fairfax County (Virginia) Public Schools. The information about students and employees was taken during a September 2020 attack. Read more in:

• Hackers post stolen information from Fairfax school district
• Hackers Publish Public School District’s Stolen Data Online
• Maze ransomware attackers leak data stolen from suburban Washington schools

DHS Homeland Threat Assessment Report Reveals Hackers Targeted Census Bureau. The US Department of Homeland Security says that hackers targeted the US Census Bureau’s computer network several times over the last year. The information was disclosed in a Homeland Threat Assessment report released last week. In addition to the threats posed to the US democratic process, the Cyber Threat to the Homeland section of the report also addresses nation state threats, cybercrime, and opportunities for cyber actors to exploit COVID-19. Read more in:

• DHS: Unknown hackers targeted the US Census Bureau network
• Homeland Threat Assessment October 2020 (PDF)

Electrum Bitcoin Wallet Scam. Cybercriminals are targeting users of the Electrum cryptocurrency app. They send users what appears to be an update for the app, but which actually transfers the contents of the wallet to one controlled by the attackers. Over the past two years, the thieves have stolen more than $22 million. Read more in: Bitcoin wallet update trick has netted criminals more than $22 million

Disrupting TrickBot. Microsoft, ESET, Black Lotus Labs, and Symantec worked with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to disrupt the TrickBot botnet. The organizations obtained a court order allowing them to seize TrickBot command-and-control servers. US Cyber Command has also taken steps to disrupt the TrickBot botnet by sending out configuration files that cut off communications between the infected machines and the command-and-control servers. Read more in:

• Microsoft Uses Trademark Law to Disrupt Trickbot Botnet
• Report: U.S. Cyber Command Behind Trickbot Tricks
• Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election
• Microsoft seeks to disrupt Russian criminal botnet it fears could seek to sow confusion in the presidential election
• Security Firms & Financial Group Team Up to Take Down Trickbot
• Cyber Command, Microsoft take action against TrickBot botnet before Election Day
• Microsoft and others orchestrate takedown of TrickBot botnet
• TrickBot botnet targeted in takedown operations, little impact seen
• New action to combat ransomware ahead of U.S. elections

Governments Call for Encryption Backdoors. An “International Statement” calls for technology companies to provide a means for law enforcement to access communications protected by end-to-end encryption. The statement is signed by justice officials from the Five Eyes intelligence alliance – the UK, the US, Canada, Australia, and New Zealand – and from Japan and India. Read more in:

• International Statement: End-To-End Encryption and Public Safety
• ‘Five Eyes’ Alliance Demands Ways to Access Encrypted Apps
• Five Eyes governments, India, and Japan make new call for encryption backdoors
• Five Eyes nations plus Japan, India call for Big Tech to bake backdoors into everything

GAO: FAA Needs to Improve Avionics Cybersecurity Oversight. A report from the US Government Accountability Office (GAO) says that the Federal Aviation Administration (FAA) needs to strengthen its avionics cybersecurity oversight program. Avionics systems share information, including weather and positioning data, with “pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers.” As the systems become increasingly interconnected, the surface for cyberattacks also increases. Read more in:

• Watchdog: FAA needs to do more to address aircraft cybersecurity
• AVIATION CYBERSECURITY | FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks (PDF)