Cybersecurity News Headlines Update on October 31, 2020

A National Cyber Challenge: CyberStart America Free for All U.S. High School Students; $2 Million in College Scholarships. “The US Starts Enders Hacking Game” is the title of today’s story on CyberStart America in The Register. Free to every high school student in the country, CyberStart America has a fighting chance of eliminating the advanced cyber skills pipeline advantage that China and Russia have established. Designed both for students who have played with technology and students who had no idea they could be good at it (through the “novice level,”) the game allows students to become virtual cyber protection agents where they solve very real world problems. Those who enjoy it can progress through hundreds of challenges learning at every level through cryptography, Linux, Python programing all the way to reverse malware engineering. Teachers report it is the best program for teaching creative problem-solving skills they have seen. Students who solve 20% of the challenges are eligible for the scholarship round where $2,000,000 in college scholarships will be awarded for use at the college of their choice. The qualification round starts on October 30 and last until the end of February. Read more in:

• On Friday the US starts Ender’s hacking game: All local teens can compete for scholarships in cybersecurity
• SANS Launches New CyberStart Program for All High School Students

Hospitals Under Ransomware Siege (Ref: FBI, HHS and DHS). On Wednesday, October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI issued a joint cybersecurity advisory saying they are in possession of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” As of Thursday, networks at nearly two dozen hospitals in the US have been hit with ransomware. Mandiant has released a list of indicators of compromise. Read more in:

• FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
• Cyberattack targets networks of Vermont, New York hospitals
• Ransomware Hits Dozens of Hospitals in an Unprecedented Wave
• Ransomware Wave Hits Healthcare, as 3 Providers Report EHR Downtime
• FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals
• Advisories: “Brazen” Russian ransomware hackers target hundreds of US hospitals
• 2 More Hospitals Hit by Growing Wave of Ransomware Attacks, As Feds Issue Warning
• Ransomware Activity Targeting the Healthcare and Public Health Sector
• aaronst/unc1878_indicators.txt

Ransomware Attack Shut Down Montreal Public Transit Website. A ransomware that hit the network of Société de transport de Montréal (STC) shut down both the transit agency’s website and STC’s reservation system for adapted transit. The bus and métro networks were not affected. People needing to make reservations for adapted transit rides were unable to do so or to modify existing reservations after 9:15 pm, Sunday, October 25. Read more in:

• Ransomware attack blamed for shutting down STM website
• Adapted transit users want compensation after STM’s website shut down by virus
• Montreal’s STM public transport system hit by ransomware attack

Zoom Begins Phase One of End-to-End Encryption Rollout. Zoom has begun rolling out end-to-end encryption (E2EE) for desktop and mobile devices. The initial phase of the rollout is a 30-day technical preview, during which Zoom will gather customer feedback. The current rollout does not offer E2EE for browsers. Read more in: Zoom rolls out encryption for all desktop and mobile users

Vastaamo Fires CEO for Withholding Breach Information. Ville Tapio, CEO of Finnish psychotherapy center Vastaamo, has been fired after it was learned that they prevented details of data breaches from becoming public. Patients have reported that hackers have contacted them, demanding they pay a ransom or have their personal information posted online. The Vastaamo patient database was initially breached in November 2018 and remained vulnerable to intrusion through March 2019. Read more in:

• Finnish psychotherapy center fires CEO for suppressing breach details
• Why the extortion of Vastaamo matters far beyond Finland — and how cyber pros are responding

Hackers Leaked Swedish Security Company Customer Information. Hackers have posted data stolen from the Gunnebo Group, a Swedish company that provides physical security for organizations around the world. Gunnebo customers include banks, airports, government agencies, and nuclear power plants. In March, KrebsOnSecurity received a tip from Hold Security “about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware.” Included in that transaction were credentials for a Remote Desktop Protocol (RDP) account set up by a Gunnebo employee. In August 2020, Gunnebo disclosed that its network was hit with a ransomware attack. Read more in:

• Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo
• Hackers Leak Swedish Security Firm’s Data

Critical Flaw in Oracle WebLogic Server is Being Actively Exploited. A critical remote code execution flaw in Oracle WebLogic server is being actively exploited. Hackers are searching for servers running vulnerable versions of Oracle WebLogic server. Oracle released a fix for the vulnerability last week as part of its quarterly Critical Patch Update. Read more in:

• PATCH NOW: CVE-2020-14882 Weblogic Actively Exploited Against Honeypots
• Oracle WebLogic Server RCE Flaw Under Active Attack
• Critical Oracle WebLogic flaw actively targeted in attacks
• Oracle WebLogic Vulnerability Targeted One Week After Patching
• Hackers are on the hunt for Oracle servers vulnerable to potent exploit

Optional Microsoft Update Removes Flash Player from Windows 10. Microsoft has released an optional update for Windows 10 and Windows Server that removes Adobe Flash Player and prevents it from being installed again. Once the update, KB KB4577586, has been installed, it cannot be uninstalled. The update currently removes versions Flash Player that is bundled with Windows 10. Standalone versions of Flash Player will not be removed, and the Flash Player component in Edge is not affected. Read more in:

• Microsoft releases update to remove Adobe Flash from Windows
• Windows 10 update removes Flash and prevents it from being reinstalled

Steelcase SEC Filing Divulges Cyberattack. Office furniture manufacturer Steelcase has acknowledged that its network was the target of a cyberattack. The information was disclosed in an October 26 form 8-K filing with the US Securities and Exchange Commission (SEC). Read more in:

• Furniture Giant Steelcase Hit by Suspected Ransomware Attack
• Steelcase furniture giant hit by Ryuk ransomware attack
• United States Securities and Exchange Commission | Form 8-K | Steelcase Inc.

FBI: Hackers Targeting Vulnerable SonarQube Instances. In a TLP: White Flash, the FBI has warned that “unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses.” The attacks have been occurring since April 2020. Recommended mitigations include changing SonarQube default settings, putting SonarQube instances behind a login screen, and checking for unauthorized access. “SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code.” Read more in:

• FBI: Hackers stole government source code via SonarQube instances
• Cyber Actors Target Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses (PDF)

Vulnerabilities in Hörmann Gateway Devices. Researchers have found a number of vulnerabilities in Hörmann BiSecur gateway device wireless access control system for garage doors, entrance gates, and other such smart systems. The flaws can be exploited both to open doors and to disable the door opening mechanisms. Some of the vulnerabilities require local network access to exploit; others can be exploited remotely. Read more in: Hackers Can Open Doors by Exploiting Vulnerabilities in Hörmann Device

Documents Show ICE, IRS Considering Using Hacking Tools. Documents shared with Motherboard show that US Immigration and Customs Enforcement (ICE) and the Internal Revenue Service (IRS) have explored the possibility of using hacking tools in criminal investigations and may have actually used them. The documents were obtained through a Freedom of Information Act (FoIA) lawsuit brought by Privacy International, the ACLU, and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law. Read more in: ICE, IRS Explored Using Hacking Tools, New Documents Show

Aetna Will Pay $1M USD for HIPAA Violations. The Aetna Life Insurance Company will pay the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The fine covers three separate breaches that occurred in 2017 within a six-month period. Read more in:

• Triple Data Breach Earns Insurer $1m Fine
• Aetna Fined $1 Million After 3 Data Breaches
• Aetna Pays $1,000,000 to Settle Three HIPAA Breaches

Hackers Disable Georgia County Election Database with Ransomware. A ransomware attack earlier this month disabled a Hall County, Georgia, database that is used to verify voters’ signatures on absentee ballots. While the attack did not affect the voting process, county employees have had to manually verify signatures from voter registration cards. Read more in:

• Report: Ransomware Disables Georgia County Election Database
• Georgia Election Data Hit in Ransomware Attack
• Election-related system impacted by ransomware in Georgia county
• Ransomware Knocks Out Voter Database in Georgia

CISA and FBI Warn Russian APT Actor is Targeting Government Networks. In a joint cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn that a Russian advanced persistent threat (APT) actor has targeted “US state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.” The APT actor has “exfiltrated data from at least two victim servers.” Read more in:

• Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
• Energetic Bear Attackers Targeting US Government Agencies
• Russian state hackers stole data from US government networks
• Russia-linked group that breached US state and local IT draws official accusation from feds
• Russians Who Pose Election Threat Have Hacked Nuclear Plants and Power Grid
• FBI: Russian hacking group stole data after targeting local governments
• DHS, FBI say Russian hackers targeting US state and local systems

Cyberattack Hits COVID Vaccine Maker. A company that is manufacturing a COVID-19 vaccine for Russia has shut down operations in five countries following a cyberattack against its network. Dr. Reddy’s is based in India and is about to enter Phase 2 human trials of the vaccine, which has been given the nickname Sputinik V. Dr. Reddy’s has also isolated its data centers. Read more in: COVID-19 Vaccine-Maker Hit with Cyberattack, Data Breach

Finnish Psychotherapy Patients are Being Blackmailed After Vastaamo Data Breach. Patients of Finland’s Vastaamo psychotherapy clinic are reporting that they are being contacted with blackmail demands. Last week, Vastaamo disclosed a data breach compromised patient data. The hackers have reportedly posted some patient information on the dark web; patients who have been contacted by the hackers say they have been asked to pay 200 EUR (236 USD) to prevent their information from being exposed. Read more in:

• Hacking may have compromised privacy of thousands of psychotherapy clients in Finland
• Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients
• Finland Shocked by Therapy Center Hacking, Client Blackmail
• Data breach at Finnish psychotherapy center takes a darker turn with extortion attempts
• Therapy patients blackmailed for cash after clinic data breach

US Treasury Sanctions Russian Research Institution Tied to Triton Malware. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned “a Russian government research institution that is connected to the destructive Triton malware.” The State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM or TsNIIKhM) supported threat actors’ use of Triton, which has been described as “the most dangerous threat activity publicly known.” Read more in:

• Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
• The US Sanctions Russians for Potentially ‘Fatal’ Triton Malware
• US Treasury sanctions Russian research institute behind Triton malware
• Hackers behind life-threatening attack on chemical-maker are sanctioned
• Treasury sanctions Russian research institute for Triton attack
• U.S. Levies Sanctions Against Russian Research Institution Linked to Triton Malware
• US sanctions Russian government institution in connection with Trisis malware

Book Excerpt: SANDWORM: The Aurora Generator Test. In an excerpt from Andy Greenberg’s book, SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, Michael Assante’s 2007 Aurora demonstration proves the danger hackers could pose to the power grid by manipulating protective relays. Read more in: How 30 Lines of Code Blew Up a 27-Ton Generator

Botnet Exploits CMS Weaknesses. Researchers from Imperva have detected a botnet that is exploiting vulnerabilities in various content management systems (CMS) to infect websites. The botnet, which has been given the nickname KashmirBlack, is being used for cryptomining and spam. It uses Dropbox for its command-and-control infrastructure and stores files on GitHub and Pastebin. Hundreds of thousands of sites are believed to have been infected since late 2019. Read more in:

• CrimeOps of the KashmirBlack Botnet – Part II
• KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others
• Botnet Infects Hundreds of Thousands of Websites
• KashmirBlack Botnet Uses DevOps to Stay Agile

Sopra Steria Confirms its Network was Hit with Ransomware. Sopra Steria, the French IT service company, has acknowledged the cyberattack that hit its network last week was actually a ransomware attack. The company says the infection was kept to “a limited part” of its IT systems. Sopra Steria predicts “it will take a few weeks for a return to normal.” Read more in:

• Sopra Steria confirms being hit by Ryuk ransomware attack
• Sopra Steria Hit by New Ryuk Variant
• Sopra Steria Group: Cyberattack information update

Microsoft is Beginning to Nudge Users Away from Internet Explorer. When users browsing in Internet Explorer attempt to access a website that is not IE-compatible, the site will launch in Microsoft Edge. Users will be notified that the site is not compatible with IE, and will be prompted to update to Edge, migrating their settings from IE. Microsoft plans to disable support for Internet Explorer in certain services starting in mid-November. Read more in:

• Microsoft begins to finally kill off Internet Explorer
• Microsoft IE Browser Death March Hastens
• Redirection from Internet Explorer to Microsoft Edge for compatibility with modern web sites

Louisiana Calls in National Guard to Help Fight Cyberattacks. Officials in Louisiana have called in the state’s National Guard to help handle cyberattacks against government systems. Multiple local government systems in Louisiana have reportedly been infected with a remote access Trojan (RAT) that has previously been linked to hackers with ties to the North Korea’s government. Read more in:

• Cyberattacks hit Louisiana government offices as worries rise about election hacking
• Louisiana Calls Out National Guard to Fight Ransomware Surge
• Exclusive: National Guard called in to thwart cyberattack in Louisiana weeks before election

Former Century 21 Sysadmin Charged for Computer Tampering. A former systems administrator for the Century 21 department store has been indicted on several charges, including computer tampering and computer trespass. Prior to resigning his opposition in November 2019, Hector Navarro allegedly stole employee data and created a superuser account that he used to access the system after he had left the company. Navarro allegedly deleted data to prevent people hired to replace him from accessing the network. Read more in:

• Systems Admin Arrested for Hacking Former Employer
• D.A. Vance: Former Century 21 Employee Charged with Computer Tampering, Larceny For Breach of Company Data

Exposed Irrigation System Networks. An Israeli security company found more than 100 smart irrigation systems were left unprotected on the Internet. The vulnerable CC PRO systems were installed with the factory default settings unchanged, which means that the default account does not require a password. From there, malicious actors could access the system’s control panel and change settings and delete other users from the system. The company notified CERT Israel of the situation, which contacted affected companies as well as Motorola, the manufacturer, and shared information with CERTs in other countries. The number of exposed systems is falling. Read more in: Over 100 irrigation systems left exposed online without a password

NSA: China is Exploiting These Vulnerabilities. Patch Now. The US National Security Agency (NSA) has published a cybersecurity advisory listing 25 vulnerabilities that Chinese state-sponsored hackers are most frequently exploiting to gain access to “computer networks of interest that hold sensitive intellectual property, economic, political, and military information.” All 25 flaws are known and have fixes available. Read more in:

• Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks
• NSA publishes list of top vulnerabilities currently targeted by Chinese hackers
• Enterprises Should Fix These 25 Flaws
• NSA releases list of 25 vulnerabilities targeted by China
• Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities (PDF)

Oracle’s Quarterly Patch Update Includes Fixes for More than 400 Vulnerabilities. Oracle has released its scheduled quarterly Critical Patch Update (CPU) for October 2020. The CPU includes fixes for more than 400 security flaws affecting multiple product lines. More than half of the vulnerabilities are remotely exploitable without authentication. Read more in:

• Oracle Kills 402 Bugs in Massive October Patch Update
• How much does Oracle love you? Thiiiis much: Latest patch bundle has 402 fixe
• Oracle Releases Another Mammoth Security Patch Update
• Oracle Critical Patch Update Advisory – October 2020

Google Patches Chrome Zero-day. Google has fixed a vulnerability in Chrome that was being actively exploited. The heap buffer overflow memory corruption flaw affects the FreeType font-rendering engine. The issue has been fixed in Chrome 86.0.4240.111. It has also been fixed in FreeType 2.10.4. Read more in:

• Google Patches Bug Used in Active Attacks Against Chrome
• Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser
• Google releases Chrome security update to patch actively exploited zero-day

Cisco Releases Fixes for Network Security Products. Cisco has released 17 advisories to address high-severity flaws in Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). Most of the vulnerabilities can be exploited remotely without authentication to create denial-of-service conditions. Read more in:

• Cisco Warns of Severe DoS Flaws in Network Security Software
• Cisco Patches 17 High-Severity Vulnerabilities in Security Appliances
• Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication

WordPress Forces Update for Loginizer Plugin. WordPress has forced an update for the Loginizer plugin to address an unauthenticated SQL injection vulnerability. The flaw could be exploited to take over vulnerable sites. WordPress has had the ability to force plugin updates since 2013 but has rarely used the feature. The plugin is installed on more than one million sites; the issue is fixed in Loginizer 1.6.4. Read more in:

• WordPress deploys forced security update for dangerous bug in popular plugin
• Loginizer < 1.6.4 – Unauthenticated SQL Injection

Adobe Releases Updates Outside of Schedule. Adobe has released updates to address critical flaws in 10 products, including Illustrator, Dreamweaver, After Effects, Photoshop, and the Creative Cloud Desktop application. All of the flaws could be exploited to allow arbitrary code execution. This is the second out-of-schedule round of fixes Adobe has released this month; last week, Adobe released fixes for flaws in its Magento eCommerce platform. Read more in:

• Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio
• Adobe releases another out-of-band patch, squashing critical bugs across creative software
• Recent bulletins and advisories

Adobe Content Attribution Tool in Preview. Adobe is offering a preview of a secure digital watermark technology, an attribution tool for Photoshop and Behance, to help identify images as real and to combat deepfake information. The tool “will be available to select customers in pre-release within Photoshop and Behance within the coming weeks.” The development of the tool is part of the larger Content Authenticity Initiative, a coalition of organizations working toward a common goal of “building a system to provide provenance and history for digital media, giving creators a tool to claim authorship and empowering consumers to assess whether what they are seeing is trustworthy.” Read more in:

• Adobe previews content attribution tool in Photoshop to fight deep fakes
• Adobe Transparency Tool to Help Prove Images Aren’t Doctored
• The Content Authenticity Initiative unveils content attribution tool within Photoshop and Behance
• Creating the standard for digital content attribution.

Microsoft Doggedly Targets Trickbot Servers. The Trickbot botnet is being assailed from multiple angles. Earlier this month, Microsoft obtained a court order that allowed it to seize Trickbot servers operating within the US. Aware that the action was a temporary roadblock for the botnet, Microsoft has more recently been successful in efforts to seize Trickbot servers operating outside the US. US Cyber Command has also taken action to thwart Trickbot, and Europol has arrested 20 people in connection with laundering money for Trickbot operators. Read more in:

• Microsoft Continues Dismantling Trickbot
• Trickbot—the for-hire botnet Microsoft attacked—is scrambling to stay alive
• Microsoft says it took down 94% of TrickBot’s command and control servers

EU Sanctions Russian Hackers. The Council of the European Union has imposed sanctions on Russian hackers for their roles in a 2015 cyberattack against Germany’s Federal Parliament (Deutscher Bundestag). The sanctions impose travel bans and freeze assets. Additionally, EU organizations and individuals are prohibited from transferring funds to the sanctioned entities. Read more in:

• Malicious cyber-attacks: EU sanctions two individuals and one body over 2015 Bundestag hack
• EU sanctions Russian hackers over 2015 German parliament attack
• EU slaps sanctions on GRU leader, Fancy Bear, FBI-wanted hacker over Bundestag attack

FDA Approves Medical Device Cybersecurity Scoring Tool. The US Food and Drug Administration (FDA) has approved a rubric for assigning Critical Vulnerability Scoring System (CVSS) scores to vulnerabilities in medical devices. MITRE submitted its proposed rubric last year. The FDA has just announced that it has been approved as a Medical Device Development Tool (MDDT). Vendors can use this MDDT to “communicate measurements from the rubric about their devices with the FDA for pre-market security and risk assessments.” Read more in:

• FDA Approves Use of New Tool for Medical Device Vulnerability Scoring
• FDA vulnerability grading system proves all risk not created equal
• Rubric for Applying CVSS to Medical Devices (September 2019)

Finnish Psychotherapy Data Held for Ransom. Vastaamo, a Finnish organization that provides psychotherapy to thousands of people across the country, says they have been contacted by “an unknown hostile party” claiming to have stolen patient data. Vastaamo has notified authorities about the incident. Read more in: Hackers hold patient information for ransom in psychotherapy data breach

Sopra Steria’s Network Suffers Cyberattack. French IT outsourcing firm Sopra Steria has been hit with a cyberattack. According to a regulatory statement, the company detected the attack on the evening of October 20. Reports suggest that the Sopra Steria network was infected with Ryuk ransomware, which was also used in the attack targeting Universal Health Services last month. Read more in:

• French IT giant Sopra Steria hit by Ryuk ransomware
• French IT outsourcer Sopra Steria hit by ‘cyberattack’, Ryuk ransomware suspected

Mississippi School District Paying a Company to Help it Recover Files After Ransomware Attack. The Yazoo County School District in Mississippi has chosen to pay a private company $300,000 to regain access to encrypted files. The district became aware of the ransomware attack on Monday, October 12. They took their IT systems offline and solicited help from a cybersecurity company to help them recover their files. Read more in: Cyber-attack on Mississippi Schools Costs $300k

Microsoft Releases Updates for RCE Flaws. Microsoft has released fixes to address remote code execution vulnerabilities in the Windows Codecs Library and Visual Studio Code. The fixes come just days after Microsoft’s scheduled monthly security update. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users and admins to review the advisories and apply the patches as necessary. Read more in:

• Microsoft releases emergency security updates for Windows and Visual Studio
• Microsoft Fixes RCE Flaws in Out-of-Band Windows Update
• CISA Warns of Remote Code Execution Bugs in Visual Studio, Windows Codecs Library
• Microsoft issues out-of-band Windows security updates for RCE bugs
• Microsoft Releases Security Updates to Address Remote Code Execution Vulnerabilities
• CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
• CVE-2020-17023 | Visual Studio JSON Remote Code Execution Vulnerability

SharePoint Vulnerability Warning. The UK’s National Cyber Security Centre (NCSC) has issued a warning about a vulnerability in Microsoft SharePoint. Proof-of-concept exploit code has been released. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to heed the NCSC warning and patch vulnerable systems. Read more in:

• Proof-of-Concept Prompts Alert on SharePoint Remote Execution Flaw
• Government Spooks Urge Firms to Patch SharePoint Bug
• Alert: Risk of SharePoint vulnerability to UK organisations

SonicWall Fixes Critical Flaw Affecting VPNs. A stack buffer overflow vulnerability in the SonicWall Network Security Appliance could be exploited to run arbitrary code or cause denial-of-service conditions. At the end of last week, “Shodan show[ed] over 800,000 VPN devices running vulnerable SonicOS software versions.” SonicWall has released updates to address the problem. Read more in:

• SonicWall Fixes Critical Flaw in Firewall Appliances
• Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
• 800,000 SonicWall VPNs vulnerable to new remote code execution bug
• Critical Vulnerability Allows Hackers to Disrupt SonicWall Firewalls
• If you want to practice writing exploits and worms, there’s a big hijacking hole in SonicWall firewall VPNs
• Critical SonicWall vulnerability affects 800K firewalls, patch now
• SonicWall VPN Portal Critical Flaw (CVE-2020-5135)

Microsoft’s Azure Defender for IoT Released for Public Preview. Microsoft has released a new agentless Internet of Things (IoT) security solution for pubic preview. Organizations can use Azure Defender for IoT to help them “discover unmanaged IoT/OT assets, identify IoT/OT vulnerabilities, and continuously monitor for threats.” Read more in:

• Azure Defender for IoT is now in public preview
• Azure Defender for IoT enters public preview
• Microsoft releases Azure Defender for IoT in public preview

Gitjacker Can Help Find Exposed Git Folders. A new tool called Gitjacker can help users find exposed .git folders. It can also be used to download Git repositories, which puts sensitive information at risk of exposure. Read more in: New Gitjacker tool lets you find .git folders exposed online

Microsoft October Patch Tuesday Includes New Option to Disable JScript in IE. When Microsoft released its monthly security update last week, is also added an option for sysadmins to disable JScript execution in Internet Explorer (IE). JScript was introduced to IE in version 3.0 in 1996. It is no longer actively developed and receives updates only when there is evidence of active attacks exploiting it. Read more in:

• Microsoft adds option to disable JScript in Internet Explorer
• Option to disable JScript execution in Internet Explorer

People are So Wary of Phishing eMails That They are Missing Legitimate Messages. The Anti-Phishing Working group says that users are becoming wary of communications that might be phishing messages that they are ignoring legitimate communications. For example, organizations attempting to notify people that they may have come in contact with someone who tested positive for COVID-19 are finding it difficult to make sure those people get that information. Suggestions for improving the credibility of email messages include deploying domain-based message authentication, reporting & conformance (DMARC), using a specification standard such as brand indicators for message identification (BIMI), or offering a different way for message recipients to respond. Read more in: Phishing fears cause workers to reject genuine business communications

US Dept. of Justice Indicts Russian Hackers Believed to be Responsible for NotPetya and Other Destructive Cyberattacks. The US Department of Justice (DoJ) has indicted six people in connection with their alleged involvement with a hacker group known as Sandworm. The group is widely believed to have been responsible for the cyberattack that cut off power to hundreds of thousands of people in Ukraine in late 2015, a second attack in Ukraine that cut off power in Kyiv, and the NotPetya worm that caused millions of dollars in damage. The six men are facing charges including computer fraud and conspiracy. Read more in:

• US Indicts Sandworm, Russia’s Most Destructive Cyberwar Unit
• The U.S. Government Charged Russia’s Most Destructive Hackers
• US indicts Russian GRU ‘Sandworm’ hackers for NotPetya, worldwide attacks
• U.S. Charges Russian Intelligence Officers for NotPetya, Industroyer Attacks
• US charges Russian GRU officers for NotPetya, other major hacks
• Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace
• Indictment, filed October 15, 2020 (PDF)

US Cyberspace Solarium Commission ICT Supply Chain Security Recommendations. The US Cyberspace Solarium Commission (CSC) has published a whitepaper outlining recommendations for improving information and communications technologies (ICT) supply chain cybersecurity. The whitepaper is one of several to have followed CSC’s overarching strategic report that was released in March 2020. Read more in:

• Cyber Solarium Commission outlines recommendations for strengthening the supply chain
• Cyber Solarium Commission lays out plan to secure supply chain
• Cyberspace Solarium Commission White Paper #4: Building a Trusted ICT Supply Chain

DDoS Attacks Hit Two Massachusetts School Systems. Two Massachusetts school systems have had classes disrupted by distributed denial-of-service (DDoS) attacks. Sandwich Public Schools experienced connectivity problems that disrupted remote learning for a week; the district said that the problems were due to a firewall failure. In Tyngsboro, the local middle school and high school were hit with a DDoS that forced the schools to remote learning for several days. The source of the Tyngsboro attacks was reportedly a device that someone brought to one of the schools. Read more in:

• DDoS Attacks Disrupt Massachusetts Schools
• Cyberattack disrupts remote learning in Sandwich schools
• Investigation underway after Tyngsboro schools hit by cyberattack

Fix Available for Vulnerability in TI WooCommerce Wishlist WordPress Plugin. A critical flaw in the TI WooCommerce Wishlist WordPress plugin could be exploited to gain full administrative access to vulnerable sites. The flaw is being actively exploited; plugin has more than 70,000 active installations. Users are urged to update to TI WooCommerce Wishlist version 1.21.12. Read more in: Vulnerability in WordPress plugin TI WooCommerce Wishlist could allow full site takeover