Cybersecurity News Headlines Update on November 17, 2020

State-Sponsored APTs Target COVID-19 Research. Microsoft says that state-sponsored hackers operating on behalf of the Russian and North Korean governments have been targeting organizations involved in COVID-19 vaccine research and development. Microsoft found evidence of three hacking groups targeting a total of seven organizations in South Korea, India, France, Canada, and the US. (Please note that the WSJ story is behind a paywall.) Read more in:

Hundreds of Thousands of Windows Systems are Not Patched Against Known, Critical Vulnerabilities. The Internet Storm Center has found that nearly 250,000 Windows systems have not been patched against the BlueKeep remote desktop protocol (RDP) vulnerability; BlueKeep was disclosed in spring 2019. More than 100,000 Windows systems remain unpatched against the SMBGhost vulnerability in the Server Message Block v3 protocol; SMBGhost was disclosed in March 2020. Read more in:

Capcom Says Ransomware Actors Stole Customer and Employee Data. Video game publisher Capcom has disclosed that the attackers behind a ransomware attack on the company’s network stole customer and employee data as well as sensitive company information. The attack occurred on November 2. The breach affects as many as 350,000 people. Read more in:

ICO Fines Ticketmaster UK Over 2018 Data Breach. The UK Information Commissioner’s Office (ICO) has fined Ticketmaster’s UK division 1.25 million GBP (1.65 million USD) for a breach that affected 9.4 million individuals. The ICO found that Ticketmaster “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page.” The breach affected UK customers who made purchases between February and June 2018. Read more in:

Hackney Council Struggling to Recover from Cyberattack. London’s Hackney Council, which experienced “an advanced, criminal cyberattack” in mid-October, says it could be months before all services are restored. The Hackney Council website notes that its “services are currently significantly disrupted and you may experience difficulty contacting us or using our services.” Read more in:

Hackers Targeting South Korea’s Supply Chain. Researchers at ESET have found that a hacking group with ties to North Korea’s government has been using stolen certificates to launch supply chain attacks in South Korea. In South Korea, Internet users are often required to install security software to allow them to visit government and banking websites. To facilitate these downloads, many users have an integration installation program known as WIZVERA VeraPort installed on their computers. ESET researchers say, “the attackers [are likely replacing] the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website.” Read more in:

Recently-patched Intel Flaws Can be Exploited to Bypass Boot Guard. Several recently-patched vulnerabilities affecting Intel products could be exploited to override the Boot Guard protection, which is designed to prevent unauthorized code from running during the boot process. Attackers could install malicious firmware or obtain decrypted files from the targeted computer. The exploit requires that the attacker have physical access to vulnerable computers. Read more in: Hackers can use just-fixed Intel bugs to install malicious firmware on PCs

CISA Warns of Vulnerability in BD Alaris Infusion Pumps. An alert from the US Cybersecurity and Infrastructure Security Agency (CISA) describes an improper network session authentication vulnerability in the BD Alaris 8015 PC Unit and BD Alaris Systems Manager. The flaw could be exploited to cause denial-of-service conditions. CISA’s alert urges organizations using these products to employ mitigations provided by the manufacturer. Read more in:

Texas Driver’s License Data Compromised. A data breach at insurance software company Vertafore has compromised driver’s license information belonging to more than 27 million Texas residents. Vertafore, which disclosed the breach on November 10, “determined that, at some point between March 11 and August 1 of this year, there was potential unauthorized access to the three data files.” The incident was detected in mid-August. The statement indicates that the three data files had been stored in an unsecured external storage service. Read more in:

US Mental Healthcare Provider Discloses Patient Data Breach. People Incorporated, a Minnesota-based mental health services provider, has disclosed that several employee email accounts were accessed by an unauthorized third party earlier this year. According to a statement from the company, “the accessed email accounts contained the personal and protected health information of certain patients, including their names, dates of birth, addresses, treatment information, insurance information, and medical record number.” The incident affected approximately 27,500 individuals. Read more in: US mental health provider admits email breach exposed patient data

Critical Healthcare Cybersecurity Incidents Abound. According to Health IT Security, Hendrick Health in Texas detected a threat that prompted it to shut down IT networks; the organization “is operating under EHR (electronic health record) downtime procedures.” Among other news in the article: Sonoma (California) Valley Hospital is operating under EHR downtime procedures a month after its network was hit with ransomware; Florida’s Advanced Urgent Care is notifying patients that their personal information may have been compromised during a ransomware attack in March; and Minnesota’s People Incorporated Mental Health Services notified 27,500 patients that their personal data were compromised following a phishing incident earlier this year. Read more in: ‘Security Threat’ Forces Hendrick Health to EHR Downtime Procedures

Australia’s Government Warns of SDBBot Activity Targeting Healthcare Sector. The Australian Cyber Security Centre (ACSC) has issued an alert warning that it “observed increased targeting activity against the Australian Health sector.” The threat actors have been using the SDBBot Remote Access Tool (RAT) to move through networks and exfiltrate data. The ACSC notes that “SDBBot is a known precursor of the Clop ransomware,” and urges “that all network owners review their controls against ransomware as per ACSC’s publication Ransomware in Australia.” Read more in:

Microsoft: Use MFA That Doesn’t Rely on the Public Switched Telephone Network. Microsoft is urging organizations to adopt multi-factor authentication (MFA) methods that do not depend on the public switched telephone network (PSTN). SMS and voice calls were designed without encryption, so one-time passcodes delivered by SMS or voice can be intercepted. Authenticator apps such as Microsoft Authenticator, Google Authenticator, and Cisco Duo Mobile, which do not send the code over the phone network, provide better security. Read more in:

Microsoft Patch Tuesday, and A New Format for the Security Update Guide. On Tuesday, November 10, Microsoft released fixes for 112 vulnerabilities, one of which is being actively exploited: a Windows Kernel Cryptography Driver flaw that has been chained with a Chrome remote code execution flaw to compromise vulnerable devices. With this monthly release, Microsoft has changed the format of its advisories. While the new format brings Microsoft’s advisories in line with those of other software vendors, it also eliminates some details that users have found useful. Read more in:

Adobe November Patch Tuesday Fixes Three Flaws. Adobe has released fixes for three vulnerabilities affecting Adobe Connect and Adobe Reader Mobile. A pair of reflected cross-site scripting flaws in Adobe Connect could be exploited to allow arbitrary JavaScript execution in the browser. An improper access control vulnerability in Adobe Reader Mobile could be exploited to disclose information. Read more in:

Google Fixes More Chrome Zero-days. Google has fixed two more zero-day flaws in Chrome. One of the flaws is an inappropriate implementation in V8; the other is a use after free issue in Chrome Site Isolation. The vulnerabilities, which are being actively exploited, are resolved in Chrome 86.0.4240.198 for Windows, macOS, and Linux. Read more in:

Security Updates Available to Address Three Flaws in Silver Peak Unity Orchestrator. A trio of flaws affecting Silver Peak’s Unity Orchestrator SD-WAN management platform could be combined to allow unauthenticated attackers to take over vulnerable networks. The flaws, an authentication bypass issue, a file delete path traversal issue, and an arbitrary SQL query execution issue, are resolved in Silver Peak Unity Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+. Read more in:

Cisco Fixes Vulnerability in IOS XR Software. Cisco has released an update to address “a vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers.” The flaw could be exploited to cause a denial-of-service condition. The issue affects Cisco ASR 9000 Series Aggregation Services Routers running IOS XR Software releases earlier than 6.7.2 and 7.1.2. Read more in:

Intel Fixes 95 Security Issues. Intel released 40 security advisories on Tuesday, November 10. The advisories address a total of 95 vulnerabilities in a variety of its products. Critical flaws affect Intel Wireless Bluetooth products and Intel Active Management Technology. Read more in:

Schneider Electric PLC Vulnerabilities. Two flaws in Schneider Electric Programmable Logic Controllers (PLCs) could be exploited to compromise vulnerable PLCs and from there, move through the network. The flaws affect Schneider EcoStruxure Machine Expert v1.0 PLC management software and firmware for Schneider M221 PLC, version 1.10.2.2. Read more in:

Mission Critical Institute for Cybersecurity (MCI) and Sinclair College’s National UAS Training and Certification Center (Sinclair) have partnered to train the next generation of cybersecurity professionals by creating a world-class workforce certification pathway to expand the nation’s lead in UAS technology and build a talent pipeline for companies, universities, or the government to hire new personnel or upskill their existing workforce. More information is available at Sinclair College Cybersecurity – 100% Online Cybersecurity Boot Camps and Programs

Improperly Configured AWS S3 Bucket Exposes 10 Million Hotel Guest Records. A misconfigured AWS S3 bucket has exposed 24.4 GB of personal data belonging to millions of hotel guests. The issue affected a hotel reservation platform, Cloud Hospitality, that allows hotels to integrate their own systems with third-party online booking sites, such as Expedia and Hotels.com. The stored data include names, national ID numbers, and payment card information. Read more in:
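As an added example, not code from this page or from the affected platform, here is a small Python audit for the bucket-policy pattern behind most open S3 buckets (an Allow statement granted to an anonymous principal), shown against a corrected policy that restricts access to one role and refuses plaintext HTTP, plus a check that S3 Block Public Access is fully enabled. The policies, bucket name, account ID and role name are all constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed example: the kind of bucket policy that exposes a whole bucket
# to the internet. The bucket name is hypothetical.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reservations",
                     "arn:aws:s3:::example-reservations/*"],
    }],
})

# Constructed corrected policy: one IAM role may read/write objects, and any
# request not using TLS is denied. Account ID and role name are hypothetical.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IntegrationRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-integration"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-reservations/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-reservations",
                         "arn:aws:s3:::example-reservations/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value) -> list:
    """Policy elements may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket_policy(policy_json: str) -> List[str]:
    """Return one finding per Allow statement granted to an anonymous principal.
    Deny statements with Principal "*" (like the TLS enforcement above) are the
    safe direction and are not reported."""
    findings: List[str] = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Condition"):
            findings.append(f"{sid}: anonymous Allow on {actions}; review the Condition")
        else:
            findings.append(f"{sid}: anonymous Allow on {actions} with no Condition (public)")
    return findings


# Bucket- or account-level S3 Block Public Access. With all four enabled, a
# public policy or ACL is rejected or ignored even if someone later adds one.
RECOMMENDED_PUBLIC_ACCESS_BLOCK: Dict[str, bool] = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_access_blocked(config: Dict[str, bool]) -> bool:
    """True only when every Block Public Access setting is switched on."""
    return all(config.get(key) is True for key in RECOMMENDED_PUBLIC_ACCESS_BLOCK)


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, audit_bucket_policy(policy) or ["no anonymous Allow statements"])
    print("block public access:", public_access_blocked(RECOMMENDED_PUBLIC_ACCESS_BLOCK))
```

Treat an anonymous Allow that carries a Condition as something to read, not as automatically safe: a condition on a source VPC endpoint or referer header still leaves the data reachable to anyone who can satisfy it.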

Critical Flaws in Ultimate Member WordPress Plugin. Three critical privilege elevation flaws in the Ultimate Member plugin for WordPress could be exploited to take over vulnerable websites. The plugin is installed on more than 100,000 sites. Website admins are urged to update to version 2.1.12 as soon as possible. Read more in:

Australian Government Seeks to Expand Scope of Critical Infrastructure. A proposed amendment to Australia’s Security of Critical Infrastructure Act 2018 would expand the definition of critical infrastructure to comprise additional sectors, including communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. The Act currently imposes security requirements on organizations in the gas, electricity, water, and maritime port sectors. Read more in:

Older Versions of Android Will Have Trouble Accessing Sites with Let’s Encrypt Certificates. Starting next September, devices running older versions of the Android operating system may be unable to access websites that use certificates issued by Let’s Encrypt. Let’s Encrypt’s root certificate, ISRG Root X1, was initially cross-signed by IdenTrust’s DST Root X3 so that clients that did not yet ship ISRG Root X1 would still trust its certificates. That cross-signed certificate will expire on September 1, 2021. ISRG Root X1 is now trusted in its own right by current platforms, but Android versions older than 7.1.1 do not include it, so those devices will need to be updated to trust that root certificate. Read more in:

Laptop Manufacturer Compal Hit with Ransomware. Compal, a company that manufactures laptops for Apple, Acer, Dell, HP and other companies, was hit with a ransomware attack over the weekend. Compal detected the incident on Sunday, November 8. According to a company statement, the incident affected the internal office network, not the production network. Read more in:

X-Cart eCommerce Platform Hit with Ransomware. eCommerce platform X-Cart was hit with a ransomware attack in late October. The attack took down stores hosted on X-Cart. Some stores were completely unavailable, while others reported trouble sending email alerts. An executive for Seller Labs, which acquired X-Cart a year ago, says they did not pay a ransom to regain access to their systems. Read more in:

Gitpaste Worm Has at Least 12 Attack Modules. Malware recently detected by researchers at Juniper Threat Labs targets Linux-based x86 servers and Linux IoT devices. The worm, dubbed Gitpaste, stores code in GitHub and Pastebin. It has at least a dozen attack modules. Gitpaste appears to be adding infected devices to a botnet. Once a system is compromised, a shell script is installed, and that begins downloading and executing the malware’s other components. Read more in:

UVM Cyberattack Impacts Chemotherapy, Mammograms. Problems caused by a cyberattack that hit the University of Vermont (UVM) Health Network in late October have reduced the number of patients they can currently provide with chemotherapy treatments. UVM Health Network has been unable to administer mammograms, ultrasounds, and related screenings. In addition, 300 staff members have been furloughed or reassigned. Read more in: Cyberattack on UVM Health Network Impedes Chemotherapy Appointments

Upcoming Chrome Feature Will Block JavaScript Redirects. Google is adding a feature to Chrome to stop a page opened in a new tab from running JavaScript against the page that opened it. A link opened with the attribute that tells the browser to use a new tab (target="_blank") gives the new page a reference to the opening page (window.opener) unless rel="noopener" is also set; a malicious destination can use that reference to redirect the original tab to a URL different from the one the user clicked. Chrome 88, expected in January 2021, will apply noopener behaviour to such links by default; the change has already been made in Chrome Canary. Read more in:

Zoom Agrees to Terms of FTC Settlement Over Misleading Security Claims. Zoom and the US Federal Trade Commission (FTC) have reached a settlement over charges that the company misled users about the encryption it offered. The original complaint alleged that Zoom misled its users when it claimed to offer “end-to-end 256-bit encryption.” According to the terms of the settlement, “Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base.” Read more in:

Published by Natalie Wong, a technical writer for how-to guides, tutorials, fixes for common problems on gaming consoles, and articles about the latest tech. My gaming alias is Midnight, and I usually play PUBG, CSGO, GTA V and some co-op games.