NSA Warns that VMware Flaw is Being Actively Exploited, Fixes Available. The US National Security Agency (NSA) has issued a cybersecurity advisory warning that Russian hackers are exploiting a command injection flaw in VMware Workspace ONE Access and VMware Identity Manager. The exploit allows attackers to install malware, access data, and maintain a persistent presence on vulnerable systems. VMware issued fixes for the flaw on Thursday, December 3. Read more in:
- Russian State-Sponsored Actors Exploiting Vulnerability in VMware® Workspace ONE Access Using Compromised Credentials (PDF)
- HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754)
- Advisory | VMSA-2020-0027.2
- NSA says Russian state hackers are using a VMware flaw to ransack networks
- NSA warns of Russian government-backed hackers aiming at US defense sector targets
- The NSA Warns That Russia Is Attacking Remote Work Platforms
- NSA warns of Russian state-sponsored hackers exploiting VMWare vulnerability
- VMware Patches Workspace ONE Access Vulnerability Reported by NSA
- VMware Rolls a Fix for Formerly Critical Zero-Day Bug
- VMware fixes zero-day vulnerability reported by the NSA
Kalispell Regional Healthcare Agrees to Pay $4.2M in Breach Settlement. Kalispell (Montana) Regional Healthcare (KRH) has reached a settlement with plaintiffs in a lawsuit filed after a data security breach. KRH will pay $4.2 million. The lawsuit was filed in December 2019; the incident occurred earlier that year. The attack began through phishing emails; the attackers gained access to employee accounts and retained that access until the breach was detected several months later. Read more in:
- Montana Hospital Group to Pay $4.2M After Breach Lawsuit
- $4.2M Settlement Proposed in Kalispell Regional Breach Lawsuit
NDAA Would Create Position of National Cybersecurity Director. The proposed 2021 US National Defense Authorization Act (a must-pass bill) would establish a new Senate-confirmed, executive branch position of National Cyber Director. The bill would also give the Cybersecurity and Infrastructure Security Agency (CISA) subpoena authority to keep tabs on critical infrastructure cybersecurity and require CISA to hire cybersecurity coordinators for every state. Read more in:
- Defense Bill Would Restore White House Cybersecurity Post
- Defense bill set to pass with state cybersecurity programs
- Congress set to establish White House national cyber director, enact other Solarium Commission recommendations
- Potential national cybersecurity director inches towards reality
- Congress Sets up National Cyber Director in NDAA, Trump Threatens to Veto
Greater Baltimore Medical Center Suffers Ransomware Attack. The Greater Baltimore Medical Center (GBMC) has acknowledged that its network was hit with ransomware over the weekend. GBMC Health Care says that the attack has forced it to cancel some procedures that were scheduled for Monday, December 7. Read more in: Greater Baltimore Medical Center Hit by Ransomware Attack
Embraer Data Leaked After Ransomware Attack. Ransomware operators behind a November ransomware attack on Brazilian aerospace company Embraer have published files that were allegedly taken from the company’s network. Embraer has refused to pay the demanded ransom and has restored its systems from backups. Read more in:
- Hackers leak data from Embraer, world’s third-largest airplane maker
- RansomExx Ransomware Gang Dumps Stolen Embraer Data: Report
Randstad Discloses Ransomware Attack. Randstad, a human resources company based in the Netherlands, has disclosed that its network was hit with ransomware known as Egregor. The ransomware operators have also targeted systems at Barnes and Noble and at TransLink, Vancouver, BC’s transportation agency. Read more in:
- Largest global staffing agency Randstad hit by Egregor ransomware
- HR Giant Randstad Hit by Egregor Ransomware
Kmart Network Reportedly Hit with Ransomware. US retailer Kmart has reportedly been targeted in a ransomware attack. The incident affected the company’s back-end servers. Kmart has not confirmed the report; a ransom note was shared with Bleeping Computer. Read more in:
- Kmart nationwide retailer suffers a ransomware attack
- Kmart, a vulnerable target, among those hit in Egregor ransomware attack spree
- Kmart, Latest Victim of Egregor Ransomware – Report
UK Engineering Services Firm Acknowledges Cyberattack. RMD Kwikform, a UK engineering services firm, was the target of a cyberattack in November. The company has notified the Information Commissioner’s Office (ICO) and is cooperating with the National Cyber Security Centre (NCSC) and other authorities. Kwikform’s parent company, Interserve, was the target of a cyberattack in May 2020. Read more in:
- Walsall-based construction firm hit by cyber attack
- Walsall construction firm targeted in cyber attack
- Interserve’s ‘up for sale’ subsidiary RMD Kwikform suffers cyber attack
Kazakhstan Government Wants to Intercept Citizens’ HTTPS Traffic Again. The government of Kazakhstan is once again requiring that citizens living in the country’s capital install a government-issued digital certificate on their devices if they want to access Internet services outside the country. The certificate allows the government to intercept all HTTPS traffic from those devices. If Kazakh citizens want to access sites like Facebook, YouTube, Instagram, Twitter, or Netflix, they will need the certificate. This has happened twice before – in December 2015 and in July 2019. In those previous instances, browser makers blacklisted the Kazakh government certificate. The requirement is being touted as a security initiative; the country plans to hold a parliamentary election in January 2021. Read more in:
- Kazakhstan government is intercepting HTTPS traffic in its capital
- Kazakhstan: As election beckons, authorities tighten control on internet
Package Delivery Lockers Hacked. Someone hacked into a system that allowed them to unlock thousands of package delivery lockers in Moscow, Russia. The PickPoint delivery service allows people to order items and have them delivered to lockers, where they retrieve their packages using a mobile app. Read more in: Hacker opens 2,732 PickPoint package lockers across Moscow
Italian Police Make Arrests in Leonardo Data Theft. Authorities in Italy have arrested two people in connection with the theft of data from defense contractor Leonardo SpA. The suspects introduced malware into the company’s computers through a USB drive; they allegedly stole 10GB of data from Leonardo over a two-year period. One of the suspects was an IT manager at the company. Read more in:
- Italian police arrest suspects in Leonardo military, defense data theft
- Police arrest two in data theft cyberattack on Leonardo defense corp
- Italy Says Two Arrested for Defense Data Theft
QNAP Releases Fixes for Vulnerabilities in NAS Devices. QNAP has published a security advisory urging users to update to the most recent versions of QTS and QuTS to address four vulnerabilities in its Network Attached Storage (NAS) products. One of the flaws could be exploited to take control of vulnerable NAS devices. Read more in:
- QNAP High-Severity Flaws Plague NAS Systems
- QNAP patches QTS vulnerabilities allowing NAS device takeover
- Multiple Vulnerabilities in QTS and QuTS hero
FBI Warns of BEC Scammers Exploiting eMail Forwarding Rules. The FBI has released a Private Industry Notification warning that cyber threat actors are exploiting email forwarding rules to evade detection while conducting business email compromise (BEC) attacks. The thieves set email forwarding rules in web-based email clients. If company administrators have not synced the email settings of web-based email accounts with those of desktop clients, the forwarding rule changes can go unnoticed. Read more in:
- Private Industry Notification | Cyber Criminals Exploit Email Rule Vulnerability to Increase the Likelihood of Successful Business Email Compromise (PDF)
- FBI warns of email forwarding rules being abused in recent hacks
- FBI Warns of Auto-Forwarding Email Rules Abused for BEC Scams
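One way a defender can hunt for the rule abuse described above, as an added example that is not from the FBI notification or any vendor: a Python audit over an exported list of mailbox inbox rules that flags forwarding or redirection to external domains, finance-themed filters paired with forwarding or deletion, and rules with blank names. The field names mirror the properties Exchange Online's Get-InboxRule cmdlet reports (an assumption about the export format), and the rules themselves are constructed sample data.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample export. Field names are assumed to mirror the properties
# returned by Exchange Online's Get-InboxRule; the mailboxes and rules are invented.
SAMPLE_RULES_JSON = """
[
  {"MailboxOwnerId": "alice@example.org", "Name": "Invoices to accounting",
   "Enabled": true, "ForwardTo": ["ap@example.org"], "RedirectTo": [],
   "ForwardAsAttachmentTo": [], "DeleteMessage": false, "MoveToFolder": null,
   "SubjectContainsWords": ["invoice"]},
  {"MailboxOwnerId": "bob@example.org", "Name": ".",
   "Enabled": true, "ForwardTo": [], "RedirectTo": ["b0b.payments@freemail.example"],
   "ForwardAsAttachmentTo": [], "DeleteMessage": true, "MoveToFolder": null,
   "SubjectContainsWords": ["wire", "payment", "invoice"]},
  {"MailboxOwnerId": "carol@example.org", "Name": "Archive newsletters",
   "Enabled": true, "ForwardTo": [], "RedirectTo": [],
   "ForwardAsAttachmentTo": [], "DeleteMessage": false,
   "MoveToFolder": "Archive", "SubjectContainsWords": ["newsletter"]}
]
"""

INTERNAL_DOMAINS = {"example.org"}          # domains owned by the organisation
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remit"}
# Folders attackers pick because mailbox owners rarely look in them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "conversation history"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list = field(default_factory=list)


def _domain(addr):
    """Extract the domain from 'user@dom' or 'Display <user@dom>' style entries."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def audit_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return a Finding for every enabled rule that shows BEC-style behaviour."""
    findings = []
    for r in json.loads(rules_json):
        if not r.get("Enabled", True):
            continue
        reasons = []
        targets = r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", [])
        external = sorted({d for d in map(_domain, targets) if d and d not in internal_domains})
        if external:
            reasons.append("forwards/redirects to external domain(s): " + ", ".join(external))
        words = {w.lower() for w in (r.get("SubjectContainsWords") or [])}
        if words & FINANCE_WORDS and (external or r.get("DeleteMessage")):
            reasons.append("filters on finance keywords and forwards externally or deletes")
        if r.get("DeleteMessage") and targets:
            reasons.append("deletes messages after forwarding, hiding the trail from the owner")
        if (r.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
            reasons.append("moves mail to rarely viewed folder " + repr(r["MoveToFolder"]))
        name = r.get("Name", "")
        if not name.strip(" .,-_"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append(Finding(r.get("MailboxOwnerId", "?"), name, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES_JSON):
        print(f.mailbox, repr(f.rule), "->", "; ".join(f.reasons))
```

Run the same audit on a real export on a schedule and alert on any new finding; the comparison with the desktop client's view that the notification mentions is exactly what the export makes unnecessary.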
Phishing Campaign Targets COVID Cold Chain. An IBM Security X-Force threat intelligence task force “recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain.” British regulators have approved Pfizer’s vaccine; US regulators are scheduled to evaluate Pfizer’s and Moderna’s vaccines next week. Once vaccines are approved, they must be transported at extremely low temperatures, hence the term cold chain for the companies that will provide the specialized refrigeration for vaccine storage and transportation. EU regulators are due to approve this vaccine over the coming weeks. Read more in:
- IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain
- Hackers Are Targeting the Covid-19 Vaccine ‘Cold Chain’
- Mysterious phishing campaign targets organizations in COVID-19 vaccine cold chain
- Nation-state backed hackers going after COVID vaccine supply chain
- Cyberattacks Target COVID-19 Vaccine ‘Cold-Chain’ Orgs
- Hackers target EU Commission, COVID-19 cold chain supply orgs
- State-Sponsored Hackers Likely Behind Attacks on COVID-19 Vaccine Cold Chain
- Hackers Targeting COVID-19 Vaccine Supply Chain Via Phishing Campaigns
- COVID-19 hacking extends to supply chain for controlling vaccine temperature, IBM says
Oracle WebLogic Flaw is Being Actively Exploited. Cyber threat actors are actively exploiting a critical vulnerability in Oracle WebLogic. Oracle released a fix for the flaw in its October 2020 Critical Patch Update. The remote code execution flaw is being exploited to drop several different payloads, including one that installs the DarkIRC bot. Users are urged to apply the available patch for CVE-2020-14882 as well as for CVE-2020-14750, a related vulnerability for which Oracle released an unscheduled fix in November. Read more in:
- Oracle vulnerability that executes malicious code is under active attack
- Critical Oracle WebLogic flaw actively exploited by DarkIRC malware
- Recent Oracle WebLogic Vulnerability Exploited to Deliver DarkIRC Malware
Alabama School District Hit with Ransomware. Huntsville (Alabama) City Schools have temporarily shut down in the wake of a ransomware attack. The school district has been providing both remote and in-person learning. The attack became apparent on Monday, November 30. The district has asked that all district-owned devices be shut down until further notice. Schools will remain closed for the rest of the week and possibly into next week. Read more in: Alabama school district shut down by ransomware attack
Online Curriculum Company K12 Pays Ransomware Demand. K12, a Virginia-based company that provides customized online learning curricula, paid threat actors to regain access to compromised systems following a November 2020 ransomware attack. Read more in: K12 online schooling giant pays Ryuk ransomware to stop data leak
Vancouver Transit System Hit with Ransomware. TransLink, the Vancouver, British Columbia, transit system, was infected with ransomware. On December 1, TransLink said that the incident had disrupted phones, online services, and the ability to pay fares with credit and debit cards, but that transit services were not affected. As of Thursday, December 3, customers were once again able to use payment cards for fares. Read more in:
- Ransomware attack led to 3 days of transit payment problems, TransLink says
- Metro Vancouver’s transit system TransLink hit by Egregor ransomware
Aerospace Company Embraer Discloses Cyberattack. Brazilian aerospace conglomerate Embraer has disclosed that one of its systems was hit with a cyberattack in November. The incident has been reported to Brazil’s Securities and Exchange Commission. Read more in:
CISA Warns that Foreign Threat Actors are Targeting US Think Tanks. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that it has “observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks.” The alert includes an attack profile and recommended mitigations. Read more in:
- US alert urges think tanks to be on guard for foreign hacking activity
- FBI and Homeland Security warn of APT attacks on US think tanks
- Think-Tanks Under Attack by Foreign APTs, CISA Warns
- Alert (AA20-336A) | Advanced Persistent Threat Actors Targeting U.S. Think Tanks
TrickBot’s Up to New Tricks. A new component in the TrickBot botnet/banking Trojan is capable of modifying the Unified Extensible Firmware Interface (UEFI) on targeted computers. This new feature “makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device,” according to researchers at Eclypsium and AdvIntel. Read more in:
- Trickbot Now Offers ‘Trickboot’: Persist, Brick, Profit
- The Internet’s Most Notorious Botnet Has an Alarming New Trick
- New TrickBot version can tamper with UEFI/BIOS firmware
- One of the Internet’s most aggressive threats could take UEFI malware mainstream
- TrickBot’s new module aims to infect your UEFI firmware
- TrickBot Malware Can Scan Systems for Firmware Vulnerabilities
- TrickBot adds firmware tool that researchers say could lead to ‘bricking’ devices
- Trickbot trojan takes aim at vulnerabilities in booting process
Allegations that DHS Agents Bought Phone Location Data from Brokers Prompt Lawsuit and Investigation. The American Civil Liberties Union (ACLU) is suing the US government for information about whether the US Department of Homeland Security (DHS) is circumventing warrant requirements and buying cell phone location information from commercial data brokers. According to a 2018 US Supreme Court ruling, law enforcement must obtain a valid search warrant prior to accessing mobile device information, including location. In a related story, the Department of Homeland Security’s (DHS’s) inspector general is investigating similar allegations. Read more in:
- Wyden, Warren, Markey, Schatz Secure DHS IG Investigation of CBP Phone Location Data Surveillance Program
- How an ICE Contractor Tracks Phones Around the World
- CBP’s warrantless use of cell phone location data is under investigation
- ACLU sues US govt, demands to know if agents are buying their way around warrants to track suspects’ smartphones
- ACLU V. DHS — COMPLAINT
iOS Flaw Could Have Been Exploited to Take Control of Vulnerable Devices. A Google Project Zero researcher has found a bug that could have been exploited to take control of iOS devices without user interaction. Ian Beer found that a memory corruption bug affecting the iOS kernel could be exploited through Wi-Fi to remotely gain control of nearby iOS devices. Apple patched the flaw in May 2020 with iOS 12.4.7, iPadOS & iOS 13.5 and watchOS 5.3.7 & 6.2.5. Read more in:
- This ‘Magical Bug’ Exposed Any iPhone in a Hacker’s Wi-Fi Range
- iPhone Bug Allowed for Complete Device Takeover Over the Air
- Google researcher: I made this ‘magic’ iPhone Wi-Fi hack in my bedroom, imagine what others could do
- How a nightmare wormable, wireless, automatic hijack-a-nearby-iPhone security flaw was found and fixed
- Google Security Researcher Develops ‘Zero-Click’ Exploit for iOS Flaw
- Watch This Google Hacker Pwn 26 iPhones With a ‘WiFi Broadcast Packet of Death’
Current Version of NDAA Gives CISA Subpoena Power to Identify Owners of Vulnerable Critical Infrastructure. The most recent version of the US National Defense Authorization Act (NDAA) gives the Cybersecurity and Infrastructure Security Agency (CISA) the authority to issue administrative subpoenas to help identify owners of unsecure and/or unpatched Internet-connected devices. The provision would grant CISA the authority to obtain the information from Internet service providers. Read more in: CISA set to receive subpoena powers over ISPs in effort to track critical infrastructure vulnerabilities
Malware Targets macOS. Researchers have detected a new malware variant that targets macOS systems. The malware has been linked to the OceanLotus advanced persistent threat (APT) group, which has ties to the Vietnamese government. The malware spreads through malicious files included in phishing emails. Read more in:
- Hackers are targeting MacOS users with this updated malware
- MacOS Users Targeted By OceanLotus Backdoor
New Zealand’s New Data Privacy Law Takes Effect December 1, 2020. New Zealand’s Privacy Act 2020 takes effect on December 1. Under the new law, organizations are obligated to report data breaches that pose a “risk of harm.” The law applies to New Zealand-based organizations that handle data as well as organizations that conduct business and/or collect data about New Zealand residents. Read more in: New Zealand Privacy Act: Updated data breach legislation comes into effect tomorrow
Texas Governor’s Support Leads to 1,150 Students in 235 High Schools Discovering Their Level of Cybersecurity Talent and Vying for $2 Million in Scholarships. Texas Governor Abbott’s active support has enabled more than 1,000 high school students to use CyberStart America to discover their cyber aptitude in less than 30 days. Many participants are finding they are hooked on solving cybersecurity problems as “cyber protection agents,” even those who never took a computer science, networking, or cybersecurity class. New Jersey’s Governor Murphy also promoted the program to students, and New Jersey’s students are cutting into Texas’s lead. With 100 more days to go in CyberStart America and every high school student in every state eligible for the free program, at least 30,000 American high school students will be able to begin their professional journey toward a career in cybersecurity and/or computer science, with $2 million in college scholarships available to those who do well.
Leaderboard to see how students in your state are doing.
Site to Learn More and Sign Up for CyberStart America.
Pennsylvania County Pays $500,000 After Ransomware Attack. The government of Delaware County (Pennsylvania) paid $500,000 to regain access to their systems following a ransomware attack. The county took some of its systems offline after discovering the incident. Read more in:
- Disruption to Portions of Delaware County’s Computer Network
- Pennsylvania county pays 500K ransom to DoppelPaymer ransomware
- Delaware County Pays $500,000 Ransom After Outages
Baltimore (Maryland) County Schools Suffers Ransomware Attack. The Baltimore County Public School (BCPS) system was forced to cancel classes and shut its offices on Wednesday, November 25 after its network was hit with ransomware. BCPS exhorted students and staff not to use district-issued Windows computers. District-issued Chromebooks were not affected. Read more in:
- Class canceled in Baltimore County, Md., in latest school ransomware attack
- Cyberattack forces shutdown of Baltimore County schools for the day
- Baltimore students told to ditch Windows PCs after ransomware attack
- Forget Snow Day: Baltimore’s 115,000+ public school kids get Ransomware Day, must check Win PCs for infection
University of Vermont Medical Health Network Still Recovering from October Ransomware Attack. More than a month after a ransomware attack hit systems at the University of Vermont Medical Health Network (UVMHN), the organization is still working on restoring services. UVMHN comprises seven facilities in Vermont and New York State. Read more in:
- Post-Cyberattack, UVM Health Network Still Picking Up Pieces
- Vermont hospitals still recovering from October ransomware attack
- U of Vermont Medical Center Continuing Cyber-Attack Recovery
AspenPointe Discloses September Data Breach. Colorado-based healthcare company AspenPointe has disclosed a data breach that affected nearly 300,000 patients. The attackers compromised both personal health information (PHI) and personally identifiable information (PII). The attackers had access to the system for 10 days in mid-September 2020. Read more in: Healthcare provider AspenPointe data breach affects 295K patients
Advantech Confirms Ransomware Attack. Advantech, a Taiwan-based company that manufactures chips used in Internet of Things (IoT) devices, has confirmed that its systems were hit with a ransomware attack. The threat actors have posted some Advantech documents online; they are reportedly demanding 750 Bitcoins for ransom. Read more in:
- IoT chip maker Advantech confirms ransomware attack, data theft
- Conti Gang Hits IoT Chipmaker Advantech with $14M Ransom Demand
Microsoft Teams No Longer Supports Internet Explorer. As of Monday, November 30, Microsoft Teams no longer supports Internet Explorer 11. If users log into the web version of Microsoft Teams with IE 11, they will see a message reminding them that the browser is no longer supported and recommending that they use the desktop client instead. The withdrawal of support is one in a series of changes Microsoft is implementing to encourage users to move to their Edge browser. Read more in:
- Microsoft really wants you to stop using Internet Explorer
- Microsoft Teams will no longer support Internet Explorer 11
Spamhaus Says 50+ Dormant Domains Springing Back to Life is Suspicious. According to Spamhaus, more than 50 networks sprang back to life after being dormant for some time. The networks, all of which are in the North American region, were revived at the same time; each of the networks was announced by autonomous system numbers that had also been dormant. Spamhaus has placed most of the suspect networks on its DROP list “until their owners clarify the situation.” Read more in:
- Tens of Dormant North American Networks Suspiciously Resurrected at Once
- Suspicious network resurrections
TrickBot Botnet Comes Creeping Back. The TrickBot botnet appears to be re-emerging after Microsoft and US Cyber Command efforts to disrupt it earlier this fall. Both organizations targeted the botnet’s command-and-control servers. The newest iteration of TrickBot uses a clever obfuscation technique to sneak the payload past detection tools. Read more in:
- Latest Version of TrickBot Employs Clever New Obfuscation Trick
- It’s hard to keep a big botnet down: TrickBot sputters back toward full health
US Supreme Court Hears Arguments in CFAA Case. The US Supreme Court is hearing appeal arguments in a case that is likely to determine how broadly or narrowly the Computer Fraud and Abuse Act (CFAA) is interpreted. The case seeks to overturn the conviction of a Georgia police officer who used his legitimate access to a license plate database to search for information at the request of an individual who turned out to be an undercover FBI agent. Read more in:
- Justices express qualms about sweeping computer crime law
- The Supreme Court will finally rule on controversial US hacking law
- US Supreme Court hears Van Buren appeal arguments in light of Computer Fraud and Abuse Act ambiguity
Microsoft Defender for Identity Can Detect Zerologon Exploits. Microsoft Defender for Identity, a cloud-based security product, is now capable of detecting attacks that exploit the Zerologon vulnerability. Microsoft says that customers “will be able to identify the device that attempted the impersonation, the domain controller, the targeted asset, [and] whether the impersonation attempts were successful.” Read more in: