Cybersecurity News Headlines Update on October 31, 2020

A National Cyber Challenge: CyberStart America Free for All U.S. High School Students; $2 Million in College Scholarships. “The US Starts Enders Hacking Game” is the title of today’s story on CyberStart America in The Register. Free to every high school student in the country, CyberStart America has a fighting chance of eliminating the advanced cyber skills pipeline advantage that China and Russia have established. Designed both for students who have played with technology and students who had no idea they could be good at it (through the “novice level”), the game lets students become virtual cyber protection agents who solve very real-world problems. Those who enjoy it can progress through hundreds of challenges, learning at every level, from cryptography, Linux, and Python programming all the way to reverse-engineering malware. Teachers report it is the best program for teaching creative problem-solving skills they have seen. Students who solve 20% of the challenges are eligible for the scholarship round, where $2,000,000 in college scholarships will be awarded for use at the college of their choice. The qualification round starts on October 30 and lasts until the end of February.

Hospitals Under Ransomware Siege (Ref: FBI, HHS and DHS). On Wednesday, October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI issued a joint cybersecurity advisory saying they are in possession of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” As of Thursday, networks at nearly two dozen hospitals in the US have been hit with ransomware. Mandiant has released a list of indicators of compromise.

Ransomware Attack Shut Down Montreal Public Transit Website. A ransomware attack that hit the network of Société de transport de Montréal (STC) shut down both the transit agency’s website and STC’s reservation system for adapted transit. The bus and métro networks were not affected. People needing to make reservations for adapted transit rides were unable to do so or to modify existing reservations after 9:15 pm on Sunday, October 25.

Zoom Begins Phase One of End-to-End Encryption Rollout. Zoom has begun rolling out end-to-end encryption (E2EE) for desktop and mobile devices. The initial phase of the rollout is a 30-day technical preview, during which Zoom will gather customer feedback. The current rollout does not offer E2EE for browsers. Read more in: Zoom rolls out encryption for all desktop and mobile users

Vastaamo Fires CEO for Withholding Breach Information. Ville Tapio, CEO of Finnish psychotherapy center Vastaamo, has been fired after it was learned that he prevented details of data breaches from becoming public. Patients have reported that hackers have contacted them, demanding they pay a ransom or have their personal information posted online. The Vastaamo patient database was initially breached in November 2018 and remained vulnerable to intrusion through March 2019.

Hackers Leaked Swedish Security Company Customer Information. Hackers have posted data stolen from the Gunnebo Group, a Swedish company that provides physical security for organizations around the world. Gunnebo customers include banks, airports, government agencies, and nuclear power plants. In March, KrebsOnSecurity received a tip from Hold Security “about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware.” Included in that transaction were credentials for a Remote Desktop Protocol (RDP) account set up by a Gunnebo employee. In August 2020, Gunnebo disclosed that its network was hit with a ransomware attack.

Critical Flaw in Oracle WebLogic Server is Being Actively Exploited. A critical remote code execution flaw in Oracle WebLogic Server is being actively exploited. Hackers are searching for servers running vulnerable versions of Oracle WebLogic Server. Oracle released a fix for the vulnerability last week as part of its quarterly Critical Patch Update.

Optional Microsoft Update Removes Flash Player from Windows 10. Microsoft has released an optional update for Windows 10 and Windows Server that removes Adobe Flash Player and prevents it from being installed again. Once the update, KB4577586, has been installed, it cannot be uninstalled. The update currently removes only the version of Flash Player that is bundled with Windows 10. Standalone versions of Flash Player will not be removed, and the Flash Player component in Edge is not affected.

Steelcase SEC Filing Divulges Cyberattack. Office furniture manufacturer Steelcase has acknowledged that its network was the target of a cyberattack. The information was disclosed in an October 26 Form 8-K filing with the US Securities and Exchange Commission (SEC).

FBI: Hackers Targeting Vulnerable SonarQube Instances. In a TLP:WHITE Flash, the FBI has warned that “unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses.” The attacks have been occurring since April 2020. Recommended mitigations include changing SonarQube default settings, putting SonarQube instances behind a login screen, and checking for unauthorized access. “SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code.”

Vulnerabilities in Hörmann Gateway Devices. Researchers have found a number of vulnerabilities in the Hörmann BiSecur gateway device, a wireless access control system for garage doors, entrance gates, and other such smart systems. The flaws can be exploited both to open doors and to disable the door-opening mechanisms. Some of the vulnerabilities require local network access to exploit; others can be exploited remotely. Read more in: Hackers Can Open Doors by Exploiting Vulnerabilities in Hörmann Device

Documents Show ICE, IRS Considering Using Hacking Tools. Documents shared with Motherboard show that US Immigration and Customs Enforcement (ICE) and the Internal Revenue Service (IRS) have explored the possibility of using hacking tools in criminal investigations and may have actually used them. The documents were obtained through a Freedom of Information Act (FOIA) lawsuit brought by Privacy International, the ACLU, and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law. Read more in: ICE, IRS Explored Using Hacking Tools, New Documents Show

Aetna Will Pay $1M USD for HIPAA Violations. The Aetna Life Insurance Company will pay the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The fine covers three separate breaches that occurred in 2017 within a six-month period.

Hackers Disable Georgia County Election Database with Ransomware. A ransomware attack earlier this month disabled a Hall County, Georgia, database that is used to verify voters’ signatures on absentee ballots. While the attack did not affect the voting process, county employees have had to manually verify signatures from voter registration cards.

CISA and FBI Warn Russian APT Actor is Targeting Government Networks. In a joint cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn that a Russian advanced persistent threat (APT) actor has targeted “US state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.” The APT actor has “exfiltrated data from at least two victim servers.”

Cyberattack Hits COVID Vaccine Maker. A company that is manufacturing a COVID-19 vaccine for Russia has shut down operations in five countries following a cyberattack against its network. Dr. Reddy’s is based in India and is about to enter Phase 2 human trials of the vaccine, which has been given the nickname Sputnik V. Dr. Reddy’s has also isolated its data centers. Read more in: COVID-19 Vaccine-Maker Hit with Cyberattack, Data Breach

Finnish Psychotherapy Patients are Being Blackmailed After Vastaamo Data Breach. Patients of Finland’s Vastaamo psychotherapy clinic are reporting that they are being contacted with blackmail demands. Last week, Vastaamo disclosed that a data breach had compromised patient data. The hackers have reportedly posted some patient information on the dark web; patients who have been contacted by the hackers say they have been asked to pay 200 EUR (236 USD) to prevent their information from being exposed.

US Treasury Sanctions Russian Research Institution Tied to Triton Malware. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned “a Russian government research institution that is connected to the destructive Triton malware.” The State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM or TsNIIKhM) supported threat actors’ use of Triton, which has been described as “the most dangerous threat activity publicly known.”

Book Excerpt: SANDWORM: The Aurora Generator Test. In an excerpt from Andy Greenberg’s book, SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, Michael Assante’s 2007 Aurora demonstration proves the danger hackers could pose to the power grid by manipulating protective relays. Read more in: How 30 Lines of Code Blew Up a 27-Ton Generator

Botnet Exploits CMS Weaknesses. Researchers from Imperva have detected a botnet that is exploiting vulnerabilities in various content management systems (CMS) to infect websites. The botnet, which has been given the nickname KashmirBlack, is being used for cryptomining and spam. It uses Dropbox for its command-and-control infrastructure and stores files on GitHub and Pastebin. Hundreds of thousands of sites are believed to have been infected since late 2019.

Sopra Steria Confirms its Network was Hit with Ransomware. Sopra Steria, the French IT service company, has acknowledged that the cyberattack that hit its network last week was actually a ransomware attack. The company says the infection was kept to “a limited part” of its IT systems. Sopra Steria predicts “it will take a few weeks for a return to normal.”

Microsoft is Beginning to Nudge Users Away from Internet Explorer. When users browsing in Internet Explorer attempt to access a website that is not IE-compatible, the site will launch in Microsoft Edge. Users will be notified that the site is not compatible with IE, and will be prompted to update to Edge, migrating their settings from IE. Microsoft plans to disable support for Internet Explorer in certain services starting in mid-November.

Louisiana Calls in National Guard to Help Fight Cyberattacks. Officials in Louisiana have called in the state’s National Guard to help handle cyberattacks against government systems. Multiple local government systems in Louisiana have reportedly been infected with a remote access Trojan (RAT) that has previously been linked to hackers with ties to North Korea’s government.

Former Century 21 Sysadmin Charged for Computer Tampering. A former systems administrator for the Century 21 department store has been indicted on several charges, including computer tampering and computer trespass. Prior to resigning his position in November 2019, Hector Navarro allegedly stole employee data and created a superuser account that he used to access the system after he had left the company. Navarro allegedly deleted data to prevent the people hired to replace him from accessing the network.

Exposed Irrigation System Networks. An Israeli security company found more than 100 smart irrigation systems were left unprotected on the Internet. The vulnerable CC PRO systems were installed with the factory default settings unchanged, which means that the default account does not require a password. From there, malicious actors could access the system’s control panel and change settings and delete other users from the system. The company notified CERT Israel of the situation, which contacted affected companies as well as Motorola, the manufacturer, and shared information with CERTs in other countries. The number of exposed systems is falling. Read more in: Over 100 irrigation systems left exposed online without a password

NSA: China is Exploiting These Vulnerabilities. Patch Now. The US National Security Agency (NSA) has published a cybersecurity advisory listing 25 vulnerabilities that Chinese state-sponsored hackers are most frequently exploiting to gain access to “computer networks of interest that hold sensitive intellectual property, economic, political, and military information.” All 25 flaws are known and have fixes available.

Oracle’s Quarterly Patch Update Includes Fixes for More than 400 Vulnerabilities. Oracle has released its scheduled quarterly Critical Patch Update (CPU) for October 2020. The CPU includes fixes for more than 400 security flaws affecting multiple product lines. More than half of the vulnerabilities are remotely exploitable without authentication.

Google Patches Chrome Zero-day. Google has fixed a vulnerability in Chrome that was being actively exploited. The heap buffer overflow memory corruption flaw affects the FreeType font-rendering engine. The issue has been fixed in Chrome 86.0.4240.111. It has also been fixed in FreeType 2.10.4.

Cisco Releases Fixes for Network Security Products. Cisco has released 17 advisories to address high-severity flaws in Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). Most of the vulnerabilities can be exploited remotely without authentication to create denial-of-service conditions.

WordPress Forces Update for Loginizer Plugin. WordPress has forced an update for the Loginizer plugin to address an unauthenticated SQL injection vulnerability. The flaw could be exploited to take over vulnerable sites. WordPress has had the ability to force plugin updates since 2013 but has rarely used the feature. The plugin is installed on more than one million sites; the issue is fixed in Loginizer 1.6.4.

Adobe Releases Updates Outside of Schedule. Adobe has released updates to address critical flaws in 10 products, including Illustrator, Dreamweaver, After Effects, Photoshop, and the Creative Cloud Desktop application. All of the flaws could be exploited to allow arbitrary code execution. This is the second out-of-schedule round of fixes Adobe has released this month; last week, Adobe released fixes for flaws in its Magento eCommerce platform.

Adobe Content Attribution Tool in Preview. Adobe is offering a preview of a secure digital watermark technology, an attribution tool for Photoshop and Behance, to help identify images as real and to combat deepfake information. The tool “will be available to select customers in pre-release within Photoshop and Behance within the coming weeks.” The development of the tool is part of the larger Content Authenticity Initiative, a coalition of organizations working toward a common goal of “building a system to provide provenance and history for digital media, giving creators a tool to claim authorship and empowering consumers to assess whether what they are seeing is trustworthy.”

Microsoft Doggedly Targets Trickbot Servers. The Trickbot botnet is being assailed from multiple angles. Earlier this month, Microsoft obtained a court order that allowed it to seize Trickbot servers operating within the US. Aware that the action was a temporary roadblock for the botnet, Microsoft has more recently been successful in efforts to seize Trickbot servers operating outside the US. US Cyber Command has also taken action to thwart Trickbot, and Europol has arrested 20 people in connection with laundering money for Trickbot operators.

EU Sanctions Russian Hackers. The Council of the European Union has imposed sanctions on Russian hackers for their roles in a 2015 cyberattack against Germany’s Federal Parliament (Deutscher Bundestag). The sanctions impose travel bans and freeze assets. Additionally, EU organizations and individuals are prohibited from transferring funds to the sanctioned entities.

FDA Approves Medical Device Cybersecurity Scoring Tool. The US Food and Drug Administration (FDA) has approved a rubric for assigning Common Vulnerability Scoring System (CVSS) scores to vulnerabilities in medical devices. MITRE submitted its proposed rubric last year. The FDA has just announced that it has been approved as a Medical Device Development Tool (MDDT). Vendors can use this MDDT to “communicate measurements from the rubric about their devices with the FDA for pre-market security and risk assessments.”

Finnish Psychotherapy Data Held for Ransom. Vastaamo, a Finnish organization that provides psychotherapy to thousands of people across the country, says they have been contacted by “an unknown hostile party” claiming to have stolen patient data. Vastaamo has notified authorities about the incident. Read more in: Hackers hold patient information for ransom in psychotherapy data breach

Sopra Steria’s Network Suffers Cyberattack. French IT outsourcing firm Sopra Steria has been hit with a cyberattack. According to a regulatory statement, the company detected the attack on the evening of October 20. Reports suggest that the Sopra Steria network was infected with Ryuk ransomware, which was also used in the attack targeting Universal Health Services last month.

Mississippi School District Paying a Company to Help it Recover Files After Ransomware Attack. The Yazoo County School District in Mississippi has chosen to pay a private company $300,000 to regain access to encrypted files. The district became aware of the ransomware attack on Monday, October 12. They took their IT systems offline and solicited help from a cybersecurity company to help them recover their files. Read more in: Cyber-attack on Mississippi Schools Costs $300k

Microsoft Releases Updates for RCE Flaws. Microsoft has released fixes to address remote code execution vulnerabilities in the Windows Codecs Library and Visual Studio Code. The fixes come just days after Microsoft’s scheduled monthly security update. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users and admins to review the advisories and apply the patches as necessary.

SharePoint Vulnerability Warning. The UK’s National Cyber Security Centre (NCSC) has issued a warning about a vulnerability in Microsoft SharePoint. Proof-of-concept exploit code has been released. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to heed the NCSC warning and patch vulnerable systems.

SonicWall Fixes Critical Flaw Affecting VPNs. A stack buffer overflow vulnerability in the SonicWall Network Security Appliance could be exploited to run arbitrary code or cause denial-of-service conditions. At the end of last week, “Shodan show[ed] over 800,000 VPN devices running vulnerable SonicOS software versions.” SonicWall has released updates to address the problem.

Microsoft’s Azure Defender for IoT Released for Public Preview. Microsoft has released a new agentless Internet of Things (IoT) security solution for public preview. Organizations can use Azure Defender for IoT to help them “discover unmanaged IoT/OT assets, identify IoT/OT vulnerabilities, and continuously monitor for threats.”

Gitjacker Can Help Find Exposed Git Folders. A new tool called Gitjacker can help users find exposed .git folders. It can also be used to download Git repositories, which puts sensitive information at risk of exposure. Read more in: New Gitjacker tool lets you find .git folders exposed online

Microsoft October Patch Tuesday Includes New Option to Disable JScript in IE. When Microsoft released its monthly security update last week, it also added an option for sysadmins to disable JScript execution in Internet Explorer (IE). JScript was introduced to IE in version 3.0 in 1996. It is no longer actively developed and receives updates only when there is evidence of active attacks exploiting it.

People are So Wary of Phishing eMails That They are Missing Legitimate Messages. The Anti-Phishing Working Group says that users are becoming so wary of communications that might be phishing messages that they are ignoring legitimate communications. For example, organizations attempting to notify people that they may have come in contact with someone who tested positive for COVID-19 are finding it difficult to make sure those people get that information. Suggestions for improving the credibility of email messages include deploying Domain-based Message Authentication, Reporting & Conformance (DMARC), using a specification standard such as Brand Indicators for Message Identification (BIMI), or offering a different way for message recipients to respond. Read more in: Phishing fears cause workers to reject genuine business communications
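Deploying DMARC only helps recipients trust a sender's mail if the published policy is actually enforced, so a useful defender's check is to grade the record itself. The following is an added example, not code from the APWG report or the article above; the DMARC records it grades are constructed, and fetching a real domain's TXT record from DNS is left to the caller.

```python
# Grade a DMARC TXT record by how much protection it actually provides.
# Added example; the sample records at the bottom are constructed.

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]
    if not parts or "=" not in parts[0]:
        return None
    # RFC 7489 requires the record to start with v=DMARC1 (case-sensitive)
    first_key, first_val = (s.strip() for s in parts[0].split("=", 1))
    if first_key.lower() != "v" or first_val != "DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None  # malformed tag; receivers would reject the record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (rating, findings); rating is one of
    'missing', 'monitoring', 'partial' or 'enforcing'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing", ["no valid DMARC record (must begin with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing", ["p= tag absent or invalid; receivers ignore the record"]
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        findings.append("pct= is not an integer in 0..100; treating as 100")
        pct = 100
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    # Subdomain policy defaults to p= when sp= is absent
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unenforced")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is acted on")
        return "partial", findings
    return "enforcing", findings


if __name__ == "__main__":
    # Constructed sample records, from weakest to strongest
    for record in (
        "v=spf1 -all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=20",
        "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    ):
        rating, notes = assess_dmarc(record)
        print(f"{rating:10} {record}")
        for note in notes:
            print(f"           - {note}")
```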

US Dept. of Justice Indicts Russian Hackers Believed to be Responsible for NotPetya and Other Destructive Cyberattacks. The US Department of Justice (DoJ) has indicted six people in connection with their alleged involvement with a hacker group known as Sandworm. The group is widely believed to have been responsible for the cyberattack that cut off power to hundreds of thousands of people in Ukraine in late 2015, a second attack in Ukraine that cut off power in Kyiv, and the NotPetya worm that caused millions of dollars in damage. The six men are facing charges including computer fraud and conspiracy.

US Cyberspace Solarium Commission ICT Supply Chain Security Recommendations. The US Cyberspace Solarium Commission (CSC) has published a whitepaper outlining recommendations for improving information and communications technologies (ICT) supply chain cybersecurity. The whitepaper is one of several to have followed CSC’s overarching strategic report that was released in March 2020.

DDoS Attacks Hit Two Massachusetts School Systems. Two Massachusetts school systems have had classes disrupted by distributed denial-of-service (DDoS) attacks. Sandwich Public Schools experienced connectivity problems that disrupted remote learning for a week; the district said that the problems were due to a firewall failure. In Tyngsboro, the local middle school and high school were hit with a DDoS that forced the schools to remote learning for several days. The source of the Tyngsboro attacks was reportedly a device that someone brought to one of the schools.

Fix Available for Vulnerability in TI WooCommerce Wishlist WordPress Plugin. A critical flaw in the TI WooCommerce Wishlist WordPress plugin could be exploited to gain full administrative access to vulnerable sites. The flaw is being actively exploited; the plugin has more than 70,000 active installations. Users are urged to update to TI WooCommerce Wishlist version 1.21.12. Read more in: Vulnerability in WordPress plugin TI WooCommerce Wishlist could allow full site takeover

Published by Thomas Apel, a dynamic and self-motivated information technology architect with a thorough knowledge of all facets of system and network infrastructure design, implementation and administration. I enjoy the technical writing process, including answering readers' comments.