Cybersecurity News Headlines Update on November 17, 2020

State-Sponsored APTs Target COVID-19 Research. Microsoft says that State-sponsored hackers operating on behalf of the Russian and North Korean governments have been targeting organizations involved in COVID-19 vaccine research and development. Microsoft found evidence of three hacking groups targeting a total of seven organizations in South Korea, India, France, Canada, and the US. (Please note that the WSJ story is behind a paywall.) Read more in:

• Hackers sponsored by Russia and North Korea are targeting COVID-19 researchers
• Microsoft says three APTs have targeted seven COVID-19 vaccine makers
• Covid-19 Vaccine Makers Face Russian, North Korean Cyberattacks, Microsoft Says (paywall)
• Cyberattacks targeting health care must stop

Hundreds of Thousands of Windows Systems are Not Patched Against Known, Critical Vulnerabilities. The Internet Storm Center has found that nearly 250,000 Windows systems have not been patched against the BlueKeep remote desktop protocol (RDP) vulnerability; BlueKeep was disclosed in spring 2019. More than 100,000 Windows systems remain unpatched against the SMBGhost vulnerability in the Server Message Block v3 protocol; SMBGhost was disclosed in March 2020. Read more in:

• Heartbleed, BlueKeep and other vulnerabilities that didn’t disappear just because we don’t talk about them anymore
• More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug

Capcom Says Ransomware Actors Stole Customer and Employee Data. Video game publisher Capcom has disclosed that the attackers behind a ransomware attack on the company’s network stole customer and employee data as well as sensitive company information. The attack occurred on November 2. The breach affects as many as 350,000 people. Read more in:

• Street Fighter maker says soz after ransomware hadoukens servers leaving 350,000 folks’ data at risk of compromise
• Capcom confirms data breach after gamers’ data stolen in cyberattack

ICO Fines Ticketmaster UK Over 2018 Data Breach. The UK Information Commissioner’s Office (IOC) has fined the Ticketmaster’s UK division 1.25 million GBP (1.65 million USD) for a breach that affected 9.4 million individuals. The ICO found that Ticketmaster “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.” The breach affected UK customers who made purchases between February and June 2018. Read more in:

• Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal
• Ticketmaster Scores Hefty Fine Over 2018 Data Breach

Hackney Council Struggling to Recover from Cyberattack. London’s Hackney Council, which experienced “an advanced, criminal cyberattack” in mid-October, says it could be months before all services are restored. The Hackney Council websites notes that its “services are currently significantly disrupted and you may experience difficulty contacting us or using our services.” Read more in:

• Cyber-attack disruption could last for months, says council
• Service status

Hackers Targeting South Korea’s Supply Chain. Researchers at ESET have found that a hacking group with ties to North Korea’s government has been using stolen certificates to launch supply chain attacks in South Korea. In South Korea, Internet users are often required to install security software to allow them to visit government and banking websites. To facilitate these downloads, many users have an integration installation program known as WIZVERA VeraPort installed on their computers. ESET researchers say, “the attackers [are likely replacing] the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website.” Read more in:

• Lazarus supply‑chain attack in South Korea
• Lazarus malware strikes South Korean supply chains
• Hacked Security Software Used in Novel South Korean Supply-Chain Attack
• Lazarus Group Targets South Korea via Supply Chain Attack

Recently-patched Intel Flaws Can be Exploited to Bypass Boot Guard. Several recently-patched vulnerabilities affecting Intel products could be exploited to override the Boot Guard protection, which is designed to prevent unauthorized code from running during the boot process. Attackers could install malicious firmware or obtain decrypted files from the targeted computer. The exploit requires that the attacker have physical access to vulnerable computers. Read more in: Hackers can use just-fixed Intel bugs to install malicious firmware on PCs

CISA Warns of Vulnerability in BD Alaris Infusion Pumps. An alert from the US Cybersecurity and Infrastructure Security Agency (CISA) describes an improper network session authentication vulnerability in the BD Alaris 8015 PC Unit and BD Alaris Systems Manager. The flaw could be exploited to cause denial-of-service conditions. CISA’s alert urges organizations using these products to employ mitigations provided by the manufacturer. Read more in:

• BD’s Alaris infusion pumps flagged for cybersecurity vulnerability
• BD Discloses Alaris Medical Device Vulnerability, Poses DoS Attack Risk
• ICS Medical Advisory (ICSMA-20-317-01) | BD Alaris 8015 PC Unit and BD Alaris Systems Manager

Texas Driver’s License Data Compromised. A data breach affecting systems at an insurance software company has compromised driver’s license information belonging to more than 27 million Texas residents. The company, Vertafore, “determined that, at some point between March 11 and August 1 of this year, there was potential unauthorized access to the three data files.” Vertafore disclosed the breach on November 10. Intruders accessed the system sometime between March 11 and August 1. The incident was detected in mid-August. The statement suggests that the data were compromised because the three data files were stored in an unsecured external storage service. Read more in:

• Software vendor says data breach exposed nearly 28 million Texas driver’s license records
• Data of 27 Million Texas Drivers Compromised in Breach
• Vertafore Statement Regarding Data Event

US Mental Healthcare Provider Discloses Patient Data Breach. People Incorporated, a Minnesota-based mental health services provider, has disclosed that several employee email accounts were accessed by an unauthorized third party earlier this year. According to a statement from the company, “the accessed email accounts contained the personal and protected health information of certain patients, including their names, dates of birth, addresses, treatment information, insurance information, and medical record number.” The incident affected approximately 27,500 individuals. Read more in: US mental health provider admits email breach exposed patient data

Critical Healthcare Cybersecurity Incidents Abound. According to Health IT Security, Hendrick Health in Texas detected a threat that prompted it to shut down IT networks; the organization “is operating under EHR (electronic health record) downtime procedures.” Among other news in the article: Sonoma (California) Valley Hospital is operating under EHR downtime procedures a month after its network was hit with ransomware; Florida’s Advanced Urgent Care is notifying patients that their personal information may have been compromised during a ransomware attack in March; and Minnesota’s People Incorporated Mental Health Services notified 27,500 patients that their personal data were compromised following a phishing incident earlier this year. Read more in: ‘Security Threat’ Forces Hendrick Health to EHR Downtime Procedures

Australia’s Government Warns of SDBBot Activity Targeting Healthcare Sector. The Australian Cyber Security Centre (ACSC) has issued an alert warning that it “observed increased targeting activity against the Australian Health sector.” The threat actors have been using the SDBBot remote Access Tool (RAT) to move through networks and exfiltrate data. The ACSC notes that “SDBBot is a known precursor of the Clop ransomware,” and urges “that all network owners review their controls against ransomware as per ACSC’s publication Ransomware in Australia.” Read more in:

• SDBBot Targeting Health Sector
• Ransomware in Australia
• Australian government warns of possible ransomware attacks on health sector

Microsoft: Use MFA That Doesn’t Use Publicly Switched Phone Networks. Microsoft is urging organizations to use multi-factor authentication (MFA) that does not rely on publicly switched telephone networks. SMS and voice protocols were designed without encryption; one-time passcodes sent via SMS or voice can be intercepted. Encrypted authentication apps, like Microsoft Authenticator, Google Authenticator, and Cisco Duo Mobile provide better security. Read more in:

• Microsoft urges users to stop using phone-based multi-factor authentication
• Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped
• It’s Time to Hang Up on Phone Transports for Authentication

Microsoft Patch Tuesday, and A New Format for the Security Update Guide. On Tuesday, November 10, Microsoft released fixes to address 112 vulnerabilities; one of the flaws is being actively exploited. The Windows Kernel Cryptography Driver vulnerability has been actively exploited in conjunction with a Chrome JavaScript engine RCE flaw to compromise vulnerable devices. With this monthly release, Microsoft has changed the format of its advisories. While the new format brings Microsoft’s advisories in line with those of other software vendors, it also eliminates some details that users have found useful. Read more in:

• Patch Tuesday, November 2020 Edition
• Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
• Microsoft emits 112 security hole fixes – including the cure for a Google-disclosed kernel vuln exploited in the wild
• Microsoft pushes 112 patches, which may cause management tools to buckle under pressure
• ‘Bad move, plain and simple’: Microsoft’s new bug reporting format draws criticism
• November 2020 Security Updates

Adobe November Patch Tuesday Fixes Three Flaws. Adobe has released fixes for three vulnerabilities affecting Adobe Connect and Adobe Reader Mobile. A pair of reflected cross-site scripting flaws in Adobe Connect could be exploited to allow arbitrary JavaScript execution in the browser. An improper access control vulnerability in Adobe Reader Mobile could be exploited to disclose information. Read more in:

• Adobe releases new security fixes for Connect, Reader Mobile
• Adobe releases security update for Adobe Reader for Android
• Security updates available for Adobe Connect | APSB20-69
• Security update available for Adobe Reader Mobile | APSB20-71

Google Fixes More Chrome Zero-days. Google has fixed two more zero-day flaws in Chrome. One of the flaws is an inappropriate implementation in V8; the other is a use after free issue in Chrome Site Isolation. The vulnerabilities, which are being actively exploited, are resolved in Chrome 86.0.4240.198 for Windows, macOS, and Linux. Read more in:

• 2 More Google Chrome Zero-Days Under Active Exploitation
• Google patches two more Chrome zero-days
• Google Patches Two More Chrome Zero-Days Exploited in Attacks
• Google fixes more Chrome zero-days exploited in the wild

Security Updates Available to Address Three Flaws in Silver Peak Unity Orchestrator. A trio of flaws affecting Silver Peak’s Unity Orchestrator SD-WAN management platform could be combined to allow unauthenticated attackers to take over vulnerable networks. The flaws, an authentication bypass issue, a file delete path traversal issue, and an arbitrary SQL query execution issue, are resolved in Silver Peak Unity Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+. Read more in:

• Silver Peak SD-WAN Bugs Allow for Network Takeover
• Silver Peak addresses three-pronged RCE exploit in Unity Orchestrator
• Security Advisories

Cisco Fixes Vulnerability in IOS XR Software. Cisco has released an update to address “a vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers.” The flaw could be exploited to cause a denial-of-service condition. The issue affects Cisco ASR 900 Series Aggregation Service Routers running IOS XR software earlier than versions 6.7.2 and 7.1.2. Read more in:

• High-Severity Cisco DoS Flaw Can Immobilize ASR Routers
• Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability

Intel Fixes 95 Security Issues. Intel released 40 security advisories on Tuesday, November 10. The advisories address a total of 95 vulnerabilities in a variety of its products. Critical flaws affect Intel Wireless Bluetooth products and Intel Active Management Technology. Read more in:

• Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs
• Intel fixes 95 vulnerabilities in November 2020 Platform Update
• Intel® Product Security Center Advisories

Schneider Electric PLC Vulnerabilities. Two flaws in Schneider Electric Programmable Logic Controllers (PLCs) could be exploited to compromise vulnerable PLCs and from there, move through the network. The flaws affect Schneider EcoStruxure Machine Expert v1.0 PLC management software and firmware for Schneider M221 PLC, version 1.10.2.2. Read more in:

• Bugs in Critical Infrastructure Gear Allow Sophisticated Cyberattacks
• Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs
• Security Notification – Modicon M221 Programmable Logic Controller

Mission Critical Institute for Cybersecurity (MCI) and Sinclair College’s National UAS Training and Certification Center (Sinclair) have partnered to train the next generation of cybersecurity professionals by creating a world-class workforce certification pathway to expand the nation’s lead in UAS technology and build a talent pipeline for companies, universities, or the government to hire new personnel or upskill their existing workforce. More information is available at Sinclair College Cybersecurity – 100% Online Cybersecurity Boot Camps and Programs

Improperly Configured AWS S3 Bucket Exposes 10 Million Hotel Guest Records. A misconfigured AWS S3 bucket has exposed 24.4 GB of personal data belonging to millions of hotel guests. The issue affected a hotel reservation platform, Cloud Hospitality, that allows hotels to integrate their own systems with third-party online booking sites, such as Expedia and Hotels.com. The stored data include names, national ID numbers, and payment card information. Read more in:

• Report: Hotel Reservation Platform Leaves Millions of People Exposed in Massive Data Breach
• Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak
• Hotel Booking Firm Leaks Data on Millions of Guests

Critical Flaws in Ultimate Member WordPress Plugin. Three critical privilege elevation flaws in the Ultimate Member plugin for WordPress could be exploited to take over vulnerable websites. The plugin is installed on more than 100,000 sites. Website admins are urged to update to version 2.1.12 as soon as possible. Read more in:

• Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin
• Ultimate Member Plugin for WordPress Allows Site Takeover

Australian Government Seeks to Expand Scope of Critical Infrastructure. A proposed amendment to Australia’s Security of Critical Infrastructure Act 2018 would expand the definition of critical infrastructure to comprise additional sectors, including communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. The Act currently imposes security requirements on organizations in the gas, electricity, water, and maritime port sectors. Read more in:

• Australia’s critical infrastructure definition to span communications, data storage, space
• Security Legislation Amendment (Critical Infrastructure) Bill 2020 | Explanatory Document (PDF)

Older Versions of Android Will Have Trouble Accessing Sites with Let’s Encrypt Certificates. Starting next September, devices running older versions of the Android operating system may experience trouble accessing websites secured with Let’s Encrypt root certificates. The Let’s Encrypt root certificate was initially cross-signed by IdenTrust (DST Root X3). That certificate will expire on September 1, 2021. Let’s Encrypt now has its own trusted root certificate (ISRG Root X1). Devices running Android versions older than 7.1.1 will need to be updated to trust that root certificate. Read more in:

• Let’s Encrypt Warns Some Android Users of Compatibility Issues
• Older Android phones will start failing on some secure websites in 2021
• Let’s Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs

Laptop Manufacturer Compal Hit with Ransomware. Compal, a company that manufactures laptops for Apple, Acer, Dell, HP and other companies, was hit with a ransomware attack over the weekend. Compal detected the incident on Sunday, November 8. According to a company statement, the incident affected the internal office network, not the production network. Read more in:

• Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware – same one that hit German hospital
• Compal, the second-largest laptop manufacturer in the world, hit by ransomware
• Laptop maker Compal hit by ransomware, $17 million demanded

X-Cart eCommerce Platform Hit with Ransomware. eCommerce platform X-Cart was hit with a ransomware attack in late October. The attack took down stores hosted on X-Cart. Some stores were completely unavailable, while others reported trouble sending email alerts. An executive for Seller Labs, which acquired X-Cart a year ago, says they did not pay a ransom to regain access to their systems. Read more in:

• Ransomware hits e-commerce platform X-Cart
• X-Cart customers recovering from ransomware attack that led to widespread e-commerce site outages

Gitpaste Worm Has at Least 12 Attack Modules. Malware recently detected by researchers at Juniper Threat Labs targets Linux-based x86 servers and Linux IoT devices. The worm, dubbed Gitpaste, stores code in GitHub and Pastebin. It has at least a dozen attack modules. Gitpaste appears to be adding infected devices to a botnet. Once a system is compromised, a shell script is installed, and that begins downloading and executing the malware’s other components. Read more in:

• Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin
• This new malware wants to add your Linux servers and IoT devices to its botnet
• Gitpaste-12 Worm Targets Linux Servers, IoT Devices

UVM Cyberattack Impacts Chemotherapy, Mammograms. Problems caused by a cyberattack that hit the University of Vermont (UVM) Health Network in late October have reduced the number of patients they can currently provide with chemotherapy treatments. UVM Health Network has been unable to administer mammograms, ultrasounds, and related screenings. In addition, 300 staff members have been furloughed or reassigned. Read more in: Cyberattack on UVM Health Network Impedes Chemotherapy Appointments

Upcoming Chrome Feature Will Block JavaScript Redirects. Google will introduce a new feature to Chrome to help prevent a link that opens in a new tab from executing JavaScript. A security flaw in an attribute that tells the browser to open a link in a new tab allows the new page to redirect users to a URL that is different from the one they clicked on. The change to fix this issue has been made in Chrome Canary and is expected to be included in Chrome 88 when it is released in January 2021. Read more in:

• Issue 898942: Anchor target=_blank should imply rel=noopener
• Google Chrome to block JavaScript redirects on web page URL clicks

Zoom Agrees to Terms of FTC Settlement Over Misleading Security Claims. Zoom and the US Federal Trade Commission (FTC) have reached a settlement over charges that the company misled users about the encryption it offered. The original complaint alleged that Zoom misled its users when it claimed to offer “end-to-end 256-bit encryption.” According to the terms of the settlement, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base.” Read more in:

• Zoom settles charges with FTC over deceptive security practices
• Zoom strong-armed by US watchdog to beef up security after boasting of end-to-end encryption that didn’t exist
• Zoom settles FTC charges for misleading users about security features
• FTC Requires Zoom to Enhance its Security Practices as Part of Settlement
• Agreement Containing Consent Order (PDF)