Cybersecurity News Headlines Update on November 24, 2020

GoDaddy Employees Tricked Into Changing DNS Settings for Cryptocurrency Domains. Attackers used social engineering to trick employees at domain name registrar GoDaddy into transferring control of several cryptocurrency-related domains. The bad actors managed to gain access to some Liquid.com customer data. NiceHash noticed traffic was being redirected. The company froze customer accounts for 24 hours while it ensured that the domain settings were returned to normal. Read more in:

• GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services
• GoDaddy staff fall prey to social engineering scam in cryptocurrency exchange attack wave
• GoDaddy Employees Tricked into Compromising Cryptocurrency Sites
• Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names

Tesla Bluetooth Vulnerability Could be Exploited to Steal Model X Vehicles. The keyless entry system for Tesla Model X automobiles is vulnerable to a Bluetooth attack that could be exploited to steal a Model X. The attack involves a flaw in the firmware update process for Tesla Model X key fobs. Telsa will start pushing out over-the-air updates for the affected key fobs this week. Read more in:

• This Bluetooth Attack Can Steal a Tesla Model X in Minutes
• Tesla Model X hacked and stolen in minutes using new key fob hack
• Tesla Model X key fobs could be hacked to steal cars, fix released
• Tesla Model X vulnerable to Bluetooth hack that makes theft a breeze, report says (audio)

VMware Working on Fixes for Critical Privilege Elevation Vulnerability. A critical privilege elevation vulnerability in six VMware products could be exploited to “execute commands with unrestricted privileges on the underlying operating system.” VMware has released workarounds as a temporary solution until patches are available. Read more in:

• Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending
• VMware discloses critical zero-day vulnerability in Workspace One
• VMware Workspace One Access, VMware Identity Manager, VMware Identity Manager Connector Workaround Instructions for CVE-2020-4006 (81731)
• Advisory | VMSA-2020-0027

VMware Issues Patches for ESXi Hypervisor Vulnerabilities. VMware has released fixes for multiple flaws affecting its ESXi hypervisor. A critical use-after-free vulnerability could be exploited “to execute code as the virtual machine’s VMX process running on the host.” An important privilege elevation vulnerability affects the way some system calls are managed. Both of the vulnerabilities were discovered during the Tianfu Cup Hacking Challenge earlier this month. Read more in:

• VMware Fixes Critical Flaw in ESXi Hypervisor
• Advisory | VMSA-2020-0026

Ransomware Attack Against Managed.com Affects Local Governments. The ransomware attack against the network of hosting provider Managed.com has affected local governments in the US. The company took down its web hosting services after becoming aware of the attack last week. That action has rendered some Managed.com client websites unavailable. The affected organizations include some local governments in Indiana, North Carolina, and Oregon. The website of the Arizona Judicial Branch has also been affected. Read more in:

• Local governments forced offline after ransomware targets web host
• Attack on Vendor Affects Website of Arizona Court System

Brazilian Superior Electoral Court System Recovers from Ransomware Attack. Brazil’s Superior Electoral Court has its IT systems fully operational following a ransomware attack that hit on November 3. The court was operating “with limited functionality” before November 20. The incident is being called “the worst-ever” cyberattack suffered by a Brazilian government department. Read more in: Brazilian government recovers from “worst-ever” cyberattack

South Korean Retailer E-Land Suffers Ransomware Attack. E-Land, a South Korean retail company, has temporarily suspended operations at 23 of its NC Department Stores and NewCore Outlet stores in the wake of a ransomware attack. The ransomware was activated on systems at E-Land headquarters on November 22. Read more in: Ransomware forces E-Land South Korean retail giant to close stores

Manchester United Says Cyberattack is Disrupting IT Systems. On Friday, November 20, the Manchester United football club has disclosed that its network experienced a cyberattack that is causing “ongoing IT disruption.” The incident is under investigation. Manchester United said “All critical systems required for matches to take place” over the weekend were operational. Read more in:

• Manchester United: IT Systems Disrupted in Cyberattack
• Manchester United football club discloses security breach
• Manchester United working with infosec experts to ‘minimize ongoing IT disruption’ caused by ‘cyber attack’
• Manchester United PLC Update on Cyber Security Breach

Romanian Police Arrest Malware Purveyors. Police in Romania have arrested two individuals in connection with three online services that are designed to help malware evade detection by antivirus software. The investigators also took down relevant servers in Romania, Norway, and the US. Read more in:

• Two Romanians arrested for running three malware services
• Two Romanians Arrested for Running Malware Encryption Services
• Police arrest 2 in connection with CyberSeal, Dataprotector crime services

Google Plans to Add End-to-End Encryption to Android Messaging App. Google plans to begin beta-testing end-to-end encryption (E2EE) for its Android Messaging App. The feature will be rolled out to one-on-one Rich Communication Services (RCS) conversations. Google has been touting the RCS text-messaging standard as an alternative to SMS. Read more in:

• Helping you connect around the world with Messages
• Google is adding end-to-end encryption to its Android Messages app
• End-to-end encryption? In Android’s default messaging app? Don’t worry, nobody else noticed either
• Google is testing end-to-end encryption in Android Messages

Cryptocurrency and Criminal Finances Conference. Europol hosted the fourth Global Conference on Criminal Finances and Cryptocurrencies, which was held virtually. There were more than 2,000 participants, representing “law enforcement and judicial authorities, financial intelligence units, international organisations and the private sector.” Presentations included “case examples to exchange knowledge and best practices on investigations related to cryptocurrency facilitated crime and subsequent money-laundering activities. Read more in: Over 2 000 Participants from 132 Countries Logged on for the 4th Global Conference on Criminal Finances and Cryptocurrencies

OMB Directs Agencies to Prepare for IPv6-only Infrastructure. A memo from the US Office of Management and Budget (OMB) directs federal agencies to take steps to prepare for the transition to IPv6. Agencies have 45 days to create IPv6 integrated project teams that will “govern and enforce IPv6 efforts.” Within 180 days, agencies must establish and publish on their websites their own IPv4 policies. They are also required to conduct at least one pilot of an IPv6-only operational system and to develop an IPv6 implementation plan prior to the end of FY 2021. Read more in:

• IPv6 is now the standard for federal agencies’ internet traffic
• Memorandum | Completing the Transition to Internet Protocol Version 6 (1Pv6) (PDF)

Internet of Things Security Bill To Establish Security Standards Mandatory for Government. The US Senate has unanimously passed the IoT Cybersecurity Improvement Act. The bill will require that Internet of Things (IoT) devices purchased by the federal government meet certain cybersecurity standards which will be set by the National Institute of Standards and Technology (NIST). Agencies will also need to establish vulnerability disclosure processes for IoT devices. The House of Representatives passed the bill in September. Read more in:

• Senate passes IoT cybersecurity bill
• IoT Cybersecurity Improvement Act Passed, Heads to President’s Desk
• H.R. 1668: IoT Cybersecurity Improvement Act of 2020

Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously. Three vulnerabilities in Cisco’s Webex video-conferencing application could be exploited to join meetings as ghost users, able to listen in without the knowledge of other meeting participants or the host. An attacker could exploit one of the flaws to access the names, email addresses, and IP addresses of meeting participants. Another flaw could be exploited to remain in a meeting even after being dismissed by the host. Cisco has released updates to address the vulnerabilities. Read more in:

• Cisco Webex bugs allow attackers to join meetings as ghost users
• Cisco rolls out fix for Webex flaws that let hackers eavesdrop on meetings
• Cisco Webex Vulns Let ‘Ghost’ Attendees Spy on Meetings
• Cisco Webex ‘Ghost’ Flaw Opens Meetings to Snooping
• Cisco fixes WebEx bugs allowing ‘ghost’ attackers in meetings
• Cisco Webex Vulnerability Allows Ghost Access to Meetings
• Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability
• Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability
• Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability

Bad Actors Scanning for Vulnerable WordPress Sites. Hackers appear to be scanning for WordPress sites that use Epsilon Framework-based themes. Multiple function injection vulnerabilities could be exploited together to execute code remotely and to take over vulnerable websites. Users are urged to update to a fixed version of the theme(s) they use, if they are available. Themes built with Epsilon Framework are used on at least 150,000 sites. Read more in:

• Large-Scale Attacks Target Epsilon Framework Themes
• Widespread Scans Underway for RCE Bugs in WordPress Websites
• Hackers are actively probing millions of WordPress sites

Organizations Involved in COVID-19 Response Hit by Cyberattacks. Two companies with ties to COVID-19 research and treatment were recently targeted by cyberattacks. Americold, an Atlanta-based company that provides cold storage for food distributors and is planning to be involved with COVID vaccine storage has disclosed that its network was hit with a cyberattack earlier this month. The disclosure was made in a US Securities and Exchange Commission (SEC) filing. Miltenyi Biotec, a biotechnology company based in Germany, was hit with a cyberattack that affected some operational processes; Miltenyi supplies research companies with antigens for use in developing COVID-19 treatments. Read more in:

• Hackers Hit COVID-19 Biotech Firm, Cold Storage Giant with Cyberattacks
• Food-Supply Giant Americold Admits Cyberattack
• Customer Service and Technical Support Contacts

CISA Director Krebs Fired. Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs has been fired. The decision to fire Krebs has met with condemnation from legislators and from cybersecurity experts. Read more in:

• Firing of CISA Chief Christopher Krebs Widely Condemned
• Trump Fires Security Chief Christopher Krebs
• Firing Christopher Krebs Crosses a Line—Even for Trump
• “Krebs has been terminated”: Trump fires cybersecurity chief on Twitter
• Trump fires DHS cyber official, widely credited for repairing fractured relations with industry
• ‘We can’t do this every four years’: Critical infrastructure rattled by Krebs DHS departure
• Trump fires CISA chief Chris Krebs, who guarded the 2020 election from interference and domestic misinformation

Firefox 83 has HTTPS-Only Mode Feature. Firefox 83 has a new mode that connects only to HTTPS sites; users will be asked to approve connections to unsecure websites. The feature is disabled by default. Mozilla released Firefox 83 to the stable channel earlier this week. Read more in:

• Firefox 83 introduces HTTPS-Only Mode
• Firefox 83 released with ‘HTTPS-Only Mode’ that only loads HTTPS sites
• Firefox 83 boosts security with HTTPS-Only mode, zero-day fix
• Mozilla Boosts Security in Firefox With HTTPS-Only Mode

Mozilla Seeks Input Before Rolling Out DNS-over-HTTP to All Firefox Users. Mozilla plans to rollout the DNS-over-HTTPS (DoH) protocol for Firefox for all users worldwide, but is asking companies, governments, and Internet service providers (ISPs) for their input. The public comment period runs through January 4, 2021. Read more in:

• Mozilla DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) Comment Period: Help us enhance security and privacy online
• Fearing drama, Mozilla opens public consultation before worldwide Firefox DoH rollout
• In an unusual move, Mozilla asks for public comment about browser privacy feature

Firefox Says Goodbye to Flash in January. Mozilla has announced that it will end support for Flash in Firefox as of January 26, 2021. With the release of Firefox 85, “there will be no setting to re-enable Flash support.” Read more in:

• Ending Firefox support for Flash
• Firefox support for Flash ends on January 26

Industrial Control System Vulnerabilities. Four industrial control system (ICS) vendors have recently disclosed vulnerabilities in their products. Real Time Automation disclosed a stack overflow flaw in its 499ES ENIP stack protocol. Paradox disclosed two vulnerabilities in its IP150 Internet Module. Schneider Electric disclosed nine security issues in its Interactive Graphical SCADA System, and Sensormatic Electronics disclosed a vulnerability in the American Dynamics victor Web Client and Software House C•CURE Web Client. Read more in: Multiple Industrial Control System Vendors Warn of Critical Bugs

Managed.com Hit with Ransomware. Hosting provider Managed.com was hit with a ransomware attack that began earlier this week. The company has taken down all its servers to contend with the incident. The attack affected Managed.com’s public facing hosting systems; some customers’ sites were encrypted. Read more in:

• Ransomware attack forces web hosting provider Managed.com to take servers offline
• REvil ransomware hits Managed.com hosting provider, 500K ransom