Cybersecurity News Headlines Update on March 31, 2021

Apple Emergency Updates for iPhones, iPads, and Apple Watch

Apple has released emergency updates for iOS, iPadOS, and watchOS. The updates address a vulnerability in the Apple WebKit browser engine that is reportedly being actively exploited. Users are urged to update to iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. Apple also released an update for older iPhones, iOS 12.5.2.

Note: Unlike the iOS 14.4.1 update, Apple is telling us this vulnerability is being actively exploited. Push the update to your ADE devices so users will see the prompt to install the update. Expect this update to introduce at least one more Beta version of iOS 14.5 and iPadOS 14.5, so don’t hold off expecting a rapid release of that OS. Additionally, iOS 14.5 and iPadOS 14.5 introduce a number of changes you’re going to want to review prior to rolling them out.

PHP Code Repository Compromised

The PHP Git server was breached on Sunday, March 28. Malicious commits were added to the PHP-SRC repository in the names of PHP developer and maintainer Nikita Popov and PHP creator Rasmus Lerdorf. The fraudulent commits were disguised as corrections of typographical errors; they were detected before reaching production. PHP maintainers are moving the code base to GitHub.

Note:

  • In my opinion, the malicious commits were meant to be found and are more a “proof of concept” vs an actual attempt to inject a backdoor. I hope the PHP team will investigate thoroughly to identify the root cause of the breach. There is always a chance of a better-hidden backdoor left in addition to the two malicious commits identified so far.
  • If you are using git, either self-hosted or via GitHub: (1) ensure you are using strong multi-factor authentication or keys to identify developers, (2) use signed commits to make it more difficult to impersonate developers.
  • Luckily, it looks like the intrusion was identified quickly enough and no current release of PHP was affected. As a PHP user, there is nothing you need to do at this point.
  • The existing processes were able to detect the unauthorized updates and triggered a security review. The risks of insourcing public-facing services versus using a hosted solution have changed, particularly with tight margins and a fast-changing security landscape. Service providers such as GitHub have learned how to secure their offering. Note that this does not alleviate your responsibilities to configure and secure your repositories as well. See GitHub’s nine best security practices (https://resources.github.com)

SolarWinds: Attackers Accessed DHS Email Accounts

Attackers exploiting the SolarWinds supply chain breach managed to access email accounts of top officials at the US Department of Homeland Security (DHS). They also accessed personal information of other senior federal officials, including the private schedule of the former Energy Secretary.

Read more in: Hackers accessed emails of top DHS officials as part of SolarWinds breach: report

Malicious Android System Update App is a RAT

A malicious Android app purports to be a system update but is actually a remote access Trojan (RAT) capable of stealing all kinds of data, monitoring users’ locations, and accessing the device’s search history. The app can also record phone calls, take pictures, and steal contact lists and call logs. The app was found on a third-party app store.

Note: While many malicious Android apps are delivered via third-party app stores, some do get added to the Google Play store. Update user guidance not only to avoid loading apps from third-party app stores but also to avoid apps from unknown or unfamiliar developers. Additionally, applications which require side-loading or developer mode should be a huge red flag.

SpaceX Encrypts Telemetry

SpaceX appears to have encrypted its telemetry. Amateur radio users had been able to access the telemetry data streams because SpaceX had to tell the Federal Communications Commission (FCC) and National Telecommunications and Information Administration (NTIA) which frequencies it uses to communicate with its rockets.

Note:

  • Looks like SpaceX had been encrypting telemetry communications on the Starship vehicles since 2018 or so but not the Falcon 9s. But, technology advances are leading to a resurgence in commercial satellite networking, including mobile use. While all the hype is on 5G, increased use of satellite comms is likely to happen more quickly. End-to-end encryption should be built into all new satellite comms applications – as this article proves once again, satellite comms (like fiber optic comms) are not impossible to intercept and monitor. Security through obscurity does not work.
  • NASA has been pushing to encrypt telemetry across the board to increase the security and integrity of communications. The challenge is that existing probes/satellites/etc. have neither the compute power nor the storage to add encryption to their operations. Irrespective of frequency disclosure, security by obscurity is not a good model. Protect sensitive or proprietary information explicitly, design new systems with that capability and capacity rather than adding it later.

Read more in: SpaceX seemingly takes steps to protect telemetry data after leak

Ransomware Operators Threaten to Leak Military Contractor Data

Ransomware operators claim to have stolen data from military contractor PDI Group and are threatening to release it on the Internet if the company does not pay the ransom demand. The PDI Group provides military ground support equipment to militaries around the world.

Note: Knowing where your data is and the consequence of loss ahead of time are key to the decision process here. Consider not only what PII is in the breach data, but also what Intellectual Property is included as well. Consult both the CISA Ransomware guide and your financial institution for regulatory requirements before moving forward with a decision to pay.

Read more in: Ransomware gang leaks data from US military contractor the PDI Group

OpenSSL Fixes High Severity Vulnerabilities

OpenSSL has fixed two high-severity vulnerabilities in the software library. The first is a certificate check bypass issue that disables the check that prevents non-CA certificates from issuing additional certificates. The second flaw is a null pointer dereference issue that could be exploited to crash vulnerable OpenSSL servers by sending a maliciously-crafted renegotiation ClientHello message. Both issues are fixed in OpenSSL 1.1.1k.

Note:

  • Neither of these vulnerabilities constitutes an emergency. Wait for updates to arrive for your platform and update according to your normal vulnerability management procedures.
  • Exploiting the certificate bypass flaw was possible only when an application expressly set the X509_V_FLAG_X509_STRICT flag. Exploiting the null pointer dereference flaw requires the server to be running TLS 1.2 with renegotiation enabled, which is the default. Disabling renegotiation is specific to your service implementation; updating to OpenSSL 1.1.1k or later may be a simpler option. While OpenSSL 1.0.2 is not impacted, it is also out of support and not receiving public updates. Patches have been released for Ubuntu and Debian. Expect other distributions to release updates soon.

SolarWinds: New Software Build System

SolarWinds CEO Sudhakar Ramakrishna says the company is experimenting with a new software build system that should help prevent breaches like the one disclosed late last year. Speaking at a virtual event last Thursday, Ramakrishna said the company is considering running two or three parallel build systems and chains. SolarWinds is implementing other new security measures, including a cybersecurity committee at the boardroom level and authority for the company’s CISO to pause software updates that are being released simply because of time-to-market concerns.

Note:

  • SolarWinds will continue to remain under the magnifying glass as they recover from their breach. Adding these security changes to the build process to make unauthorized additions to the code easier to detect may become a model you want to review for your code management. Decoupling time-to-market from the release process, while desirable, may not be practical in a market based economy. Solving this challenge can buy time to produce higher quality code out the gate.
  • Anyone thinking parallel build systems will prevent another software supply chain compromise is fundamentally missing the point. The attackers that compromised SolarWinds are extremely disciplined and are playing a long game. This is evidenced by the fact that they actually tested the build process before deploying their malware. While I’m sure statements like these will fool some investors, we can be reasonably sure the Russians are belly-laughing saying “haha – parallel build systems” (or whatever that translates to in Russian).

Ransomware Operators Leak Shell Employee Information

Earlier this month, oil company Royal Dutch Shell acknowledged “a third-party cyber security incident.” Clop ransomware operators have uploaded sensitive Shell employee documents to a website. The compromised information includes scans of visas and passports.

US Cyber Command Took Action to Protect 2020 Elections from Meddling

General Paul Nakasone, director of US Cyber Command and director of the National Security Agency, told the Senate Armed Services Committee that “U.S. Cyber Command conducted more than two dozen operations to get ahead of foreign threats before they interfered or influenced our elections in 2020.” Nakasone said that the operations demonstrated that Cyber Command needs to be ready to act if necessary; that Cyber Command’s partnership with NSA is a boon; and that timely information sharing with both foreign and domestic partners benefits everyone.

Read more in: US military conducted 2 dozen cyber operations to head off 2020 election meddling

Critical Flaw in Netmask npm Library

A critical vulnerability in the netmask npm library could be exploited to allow server-side request forgery bypasses and remote file inclusion. The problem lies in the way the library parses IP addresses with leading zeroes. The issue affects an estimated 278 million projects. The issue is fixed in netmask 2.0.0.

Note: This issue may be worse than the PHP compromise. The netmask library is included in more than 200,000 different projects, meaning that more or less any npm/node.js project is using this code. In some cases, it is used to make security decisions. Most users of this library have no idea that they are using it. Time for an “npm audit” and make sure you have a plan for doing this regularly. Not all vulnerabilities in npm packages are advertised as prominently.
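The leading-zero problem described above comes down to three different readings of the same dotted string. The block below is an added example written for this digest, not code from the newsletter or from the netmask library: the "lenient" parser models the C library's inet_aton() rules (a leading 0 means octal, 0x means hex), the "decimal" parser models the pre-2.0.0 library behaviour of reading every octet as plain decimal, and the "strict" parser is the defensive choice, rejecting anything that is not four unambiguous decimal octets. The CIDR deny-list and the sample addresses are constructed for the example.

```javascript
// Added example: three ways to read "0177.0.0.1", and why only the strict one
// is safe to put in front of an allow/deny decision such as an SSRF guard.

// 1. Lenient parser: models inet_aton(): "0"-prefixed octet is octal, "0x" is hex.
function parseIPv4Lenient(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const out = [];
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p, 16);
    else if (/^0[0-7]*$/.test(p)) v = parseInt(p, 8);      // "0" alone is still 0
    else if (/^[1-9][0-9]*$/.test(p)) v = parseInt(p, 10);
    else return null;
    if (v > 255) return null;
    out.push(v);
  }
  return out;
}

// 2. Decimal parser: models the old netmask behaviour the item refers to, which
//    read every octet as decimal and silently dropped leading zeros, so "0177"
//    became 177 while the OS socket layer connected to 127.
function parseIPv4Decimal(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  const out = [];
  for (const p of parts) {
    if (!/^[0-9]+$/.test(p)) return null;
    const v = parseInt(p, 10);
    if (v > 255) return null;
    out.push(v);
  }
  return out;
}

// 3. Strict parser (defensive choice): exactly four dotted decimal octets, no
//    leading zeros, no hex. Every accepted string has one meaning everywhere.
function parseIPv4Strict(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const out = [];
  for (let i = 1; i <= 4; i++) {
    const p = m[i];
    if (p.length > 1 && p[0] === '0') return null;        // reject "01", "0177", ...
    const v = Number(p);
    if (v > 255) return null;
    out.push(v);
  }
  return out;
}

function toUint32(o) {
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(octets, cidr) {
  const [net, bits] = cidr.split('/');
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const netInt = toUint32(parseIPv4Strict(net));
  return ((toUint32(octets) & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Constructed deny-list: ranges an SSRF guard would refuse to fetch from.
const INTERNAL_RANGES = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12',
                         '192.168.0.0/16', '169.254.0.0/16'];

// Returns 'reject', 'internal' or 'external' for a candidate destination,
// using whichever parser the caller's guard happens to rely on.
function classify(addr, parser) {
  const octets = parser(addr);
  if (!octets) return 'reject';
  return INTERNAL_RANGES.some((c) => inCidr(octets, c)) ? 'internal' : 'external';
}

function demo() {
  for (const a of ['0177.0.0.1', '0x7f.0.0.1', '127.0.0.1', '203.0.113.10']) {
    console.log(a.padEnd(13), 'os:', classify(a, parseIPv4Lenient).padEnd(9),
                'old-netmask:', classify(a, parseIPv4Decimal).padEnd(9),
                'strict:', classify(a, parseIPv4Strict));
  }
}
demo();
```

The row for `0177.0.0.1` is the whole story: the OS treats it as loopback, the decimal reading calls it an external address and lets it through, and the strict parser refuses to decide at all. Rejecting ambiguous input is cheaper than trying to agree with every consumer's interpretation of it.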

Ransomware: Sierra Wireless Begins Bringing Network Back Up

Internet of Things (IoT) manufacturer Sierra Wireless says production has resumed following a March 20 ransomware attack. The company is now focusing on bringing its internal networks back.

Read more in: Sierra Wireless partially restores network following ransomware attack

NIST Published Draft Framework for Election Infrastructure Security

The US National Institute of Standards and Technology (NIST) has published a draft framework that offers “a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to election infrastructure.” The framework aims to help local governments implement cybersecurity best practices for polling places, voter registration databases, and voting machines. NIST is accepting comments through May 14, 2021.

Note: NIST is providing a structured approach to maintaining and securing both the voting machines and supporting infrastructure such as voter registration databases. As with other CSF documents, the controls are cross-walked with CSC, NIST, COBIT, ISO/IEC 27001 and ISA 62443 standards. This mapping should allow you to use existing controls and frameworks rather than starting from scratch in an unfamiliar baseline.

Exchange Server: 92 Percent Patched (But Patching is Not Sufficient)

Earlier this week, Microsoft said that 92 percent of vulnerable on-premises Exchange Servers have applied mitigations or been patched against the critical ProxyLogon flaws. Organizations should note that installing the patches does not eliminate the infection if the servers were compromised prior to patching. IT administrators should check systems for indicators of compromise (IOC). Microsoft released fixes for the four vulnerabilities on March 2.

Note:

  • A 92% mitigation rate is indeed impressive, unless it is due to attackers mitigating the vulnerability to hold on to servers they compromised. Again: It is critical to investigate Exchange servers in detail while patching. A pre-patch compromise is very likely.
  • The DHS emergency directive (ED 21-02) requires forensically imaging and analyzing the system prior to patching to avoid this scenario. It is so easy to get caught up in the heat of the moment and forget to check for compromise before patching the vulnerability. If you skipped the check, run the tools from CISA or Microsoft to make sure you’re clean, then cross check with your SIEM. Also verify that your endpoint protection is watching for exploitation real-time. Note Windows Defender includes this capability if your current solution does not.
    msrc-blog.microsoft.com: One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021
    us-cert.cisa.gov: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
  • This has long been a leading indicator of security-based processes/security programs vs. compliance-based. After a vulnerability is discovered, do you check to see if it had been exploited before you detected and mitigated the vulnerability? Old example: web security gateway is updated with more URLs of malicious and/or compromised web sites – did you check to see if any internal machines communicated with the newly discovered evil locations? Too many audits just check the box if vulnerability scanning and patching, URL updating and blocking is done and never look for that “we found the door to the vault open *and* checked to see if any cash was missing” step.

Exchange Server: Australia Cyber Security Centre is Scanning for Vulnerable Systems

Australian Cyber Security Centre (ACSC) head Abigail Bradshaw said that organizations have reached out to ACSC regarding the Microsoft Exchange Server vulnerabilities after they detected indicators of compromise (IOC) on their systems. ACSC is conducting scans of externally facing Internet connections to determine how many systems remain vulnerable.

Note: The ACSC is not only tracking vulnerable systems but also working to help get them patched and mitigated. They are partnering with both Microsoft and Commonwealth CISOs as well as state and territory governments to open communication channels and develop needed expertise to resolve problems.

Read more in: ACSC running scans to find vulnerable Microsoft Exchange servers in Australia

NCSC Urges Schools to Take Steps to Bolster Defenses Against Ransomware

The UK’s National Cyber Security Centre (NCSC) is warning of an increase in the number of ransomware attacks targeting the education sector. NCSC is urging schools to take steps “to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.”

CIOs Stepping Up Cyber Talent Efforts

The CIO Institute’s new report on “What Works in Finding Elite Cybersecurity Talent: Promising Practices for Chief Information Officers” was distributed to 4,800 CIOs this week. It shows how CIOs are taking a more active role in cyber talent management and has two surprising findings: (1) the yield of elite talent from cyber education programs is shockingly low, and (2) how employers use security certifications to decide whom to interview for job openings. The report also includes information about finding cyber talent inside organizations, outside the IT groups.

Read more in: What Works in Finding Elite Cybersecurity Talent: Promising Practices for Chief Information Officers

Ransomware: Sierra Wireless

Canadian Internet of Things (IoT) manufacturer Sierra Wireless is the victim of a ransomware attack. The attack began on March 20. It affected multiple manufacturing sites and disrupted internal operations. The incident has prompted the company to withdraw Q1 2021 financial guidance it released on February 23.

Ransomware: Spanish Labor Agency

A ransomware attack against Spain’s State Public Employment Service (SEPE) has delayed “hundreds of thousands” of appointments at the labor agency. SEPE is involved in the distribution of unemployment benefits. The attack affected all 710 SEPE offices.

Ransomware: How One Company Recovered Without Paying Demand

When Colorado-based data storage company SpectraLogic was the target of a ransomware attack in May 2020, the company called in the FBI instead of engaging with the attackers, who had demanded $3.6 million. SpectraLogic had backups that were separate from the network. Company systems were largely restored within eight days; non-critical systems were brought back several weeks later.

Note:

  • This is a good recap of what it’s really like recovering your enterprise from an attack even when you have offsite backups. Partnership between IT and Cyber Security was key to eliminating the threat from their system to prevent recurrence. Fortunately, they were not subject to additional extortion related to disclosure of exfiltrated information. As the FBI said, this is the right way to recover, and it is also the hard way.
  • This is a fantastic read. It highlights the reality of how difficult, from the technical and business aspects, it is to deal with a ransomware attack. Having reliable backups is a key tool in recovering from such attacks. I suggest that you also run an exercise in your organization as to how you would recover from a ransomware attack; this can help you identify weaknesses that you may have from lack of appropriate tools, contact details for law enforcement, processes and procedures to deal with ransomware, and communications to senior management and other key stakeholders.
  • On an early system where I cut my teeth, the rule was “if it ran yesterday, it must run today.” We had three restore points: close of business last night, close of business last Friday, and close of business the previous Friday. Historically, backup was designed to recover a small number of files in days. Modern backup may have to be designed to recover some mission-critical applications, networks, or even enterprises in hours. Few legacy systems can meet this requirement.
  • Ben Wright and I are doing a presentation at the May RSA Conference on “The Risks of Cyberinsurance” and then a SANS paper on the topic. I’ve done a few comparisons of public events on cost to avoid or survive vs. paying the ransom, and also the limits to reduction (not avoidance) of cost that typical cyberinsurance policies provide.

Read more in: This company was hit by ransomware. Here’s what they did next, and why they didn’t pay up

Ransomware: Operators Leaking Data Stolen from Universities

Ransomware operators have begun leaking data stolen from the University of Colorado (CU) and the University of Miami. The CU data were taken by exploiting a vulnerability in the Accellion File Transfer Appliance (FTA). The University of Miami has not disclosed a breach, but has acknowledged that its SecureSend email application is not accessible.

Note: The CLOP ransomware operators claim to have financial documents, student grades, academic records, enrollment information and student biographical information. Now the task is to not only close the vulnerable path, but also assess the risks and return for payment versus regulatory fines, providing identity monitoring and business impacts, including reputation risk. This is a time to actively engage the board or other governing body; do not make these decisions in a vacuum.

Read more in: Ransomware gang leaks data stolen from Colorado, Miami universities

Browser Changes: Chrome Will Default to HTTPS; Firefox Debuts Enhanced Privacy Feature

When Google moves Chrome 90 to the stable channel in mid-April, the browser will use HTTPS as the default protocol for all addresses typed in the address bar. Earlier this week, Mozilla released Firefox 87, which includes a new privacy feature called SmartBlock. The new feature aims to improve the performance of websites that are “broken” by Firefox’s tracking protections. SmartBlock is available for both private browsing and strict mode.

Note:

  • Firefox and Google Chrome using HTTPS by default does not improve security a lot, but it is a great indicator that the “HTTPS Everywhere” initiative succeeded in making HTTPS common enough to allow for this step. Some people have suggested eliminating HTTP. This may never be possible, as the proper use of HTTPS requires certificates verifying a specific host name. To configure these certificates, HTTP may still be needed. For sites listening on loopback for example, HTTPS does not add much and a correct implementation of HTTPS can be difficult.
  • About 83% of sites are now HTTPS so Chrome defaulting to https:// unless otherwise specified will have nominal impact. Even so, verify secured sites are what they claim to be. Note that IP addresses, reserved hostnames like localhost/, and single-label domains (e.g., payroll) will still default to http://. Firefox 87 also contains enhancements which limit the information in the HTTP Referer header to just the top-level URL. https://www.example.com is sent rather than https://www.example.com/mypath?myparameters.
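The two browser behaviours the note describes, modelled in code as an added example (not Chrome's or Firefox's own implementation, and not from the newsletter): `defaultScheme()` applies the stated Chrome 90 rule for an address typed without a scheme (IP addresses, localhost and single-label names stay http://, everything else becomes https://), and `refererFor()` computes the Referer value under the Referrer Policy values a site can request with a `Referrer-Policy` header, including `strict-origin-when-cross-origin`, which is the default Firefox 87 adopted and which produces the trimming the note shows. Both functions are simplified models written for this example; the example URLs are constructed.

```javascript
// Added example: models of the Chrome 90 address-bar scheme default and of
// Referer trimming under the standard Referrer-Policy values.

// Chrome 90 rule as described in the note: plain IPv4 literals, "localhost"
// and single-label hosts default to http://; any other typed host gets https://.
// An address typed with an explicit scheme is left untouched.
function defaultScheme(typed) {
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(typed)) return typed;          // explicit scheme wins
  const host = typed.split(/[/?#]/)[0].split(':')[0].toLowerCase(); // drop path, query, port
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const isReservedName = host === 'localhost';
  const isSingleLabel = !host.includes('.');
  const scheme = (isIPv4 || isReservedName || isSingleLabel) ? 'http://' : 'https://';
  return scheme + typed;
}

// Referer value sent when a request goes from fromUrl to toUrl under the given
// policy, or null when no Referer header is sent at all. Origins are serialized
// with a trailing "/", as browsers do; userinfo and fragments are never sent.
function refererFor(fromUrl, toUrl, policy = 'strict-origin-when-cross-origin') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const sameOrigin = from.origin === to.origin;
  const originOnly = from.origin + '/';
  const stripped = from.origin + from.pathname + from.search;
  switch (policy) {
    case 'no-referrer':                 return null;
    case 'no-referrer-when-downgrade':  return downgrade ? null : stripped;
    case 'origin':                      return originOnly;
    case 'origin-when-cross-origin':    return sameOrigin ? stripped : originOnly;
    case 'same-origin':                 return sameOrigin ? stripped : null;
    case 'strict-origin':               return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? stripped : originOnly;
    case 'unsafe-url':                  return stripped;
    default: throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

function demo() {
  for (const typed of ['payroll', 'localhost:8080/', '10.0.0.5/admin', 'www.example.com']) {
    console.log(typed.padEnd(18), '->', defaultScheme(typed));
  }
  const page = 'https://www.example.com/mypath?myparameters';
  for (const dest of ['https://www.example.com/other', 'https://other.example/', 'http://other.example/']) {
    console.log(dest.padEnd(32), 'Referer:', refererFor(page, dest));
  }
}
demo();
```

Sites that do not want to depend on the browser's default can send `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) themselves; the function above shows exactly what each value leaks to a third-party origin.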

Insurance Company CNA Financial Suffers Data Breach

Insurance firm CNA Financial was hit with a cyberattack on Sunday, March 21. A message on the company’s website notes that “out of an abundance of caution, we have disconnected our systems from our network, which continue to function.” Because CNA is a top US provider of cybersecurity insurance, there is concern that the attackers were looking for policyholder data, which could be used to plan ransomware attacks against companies with ransomware coverage.

California State Controller’s Office Suffers Data Breach

Earlier this month, the California State Controller’s Office Unclaimed Property Division experienced a data breach. A successful phishing attack gave attackers access to an employee account for 24 hours between March 18 and 19. The breach compromised personal data, including names, addresses, Social Security numbers, and the value of the property that has been submitted to the agency.

IT Contractor Gets Two Years in Prison for Deleting 1,200 O365 Accounts

Former IT contractor Deepanshu Kher has been sentenced to two years in prison for breaking into a company’s server and deleting more than 1,200 of their 1,500 O365 accounts. Kher had worked for a consulting firm that was hired to help an unnamed company with its O365 migration. Kher was pulled from the project for unsatisfactory work and then fired from the consulting firm in 2018. Several months later, he broke into the company’s system and deleted the accounts.

QNAP Warns of Brute Force Attacks Targeting NAS Devices

QNAP is urging customers to take steps to improve the security of their Internet-exposed network attached storage (NAS) devices. The devices are being targeted in brute force attacks. Users are encouraged to use strong passwords, change the default access port number, and disable the admin account.

Note:

  • My monthly(?) reminder: Never, ever expose NAS devices to the public internet. I have also noticed an increase in scans against SSH servers listening on (very) odd ports lately. That said: I believe QNAP is attempting to distinguish itself a bit from the crowd of similar devices by being more open in alerting its customers of security issues surrounding its product.
  • NAS devices are a popular target. Not only do they have access to possibly sensitive data and backups, they are a location crypto mining software can hide with a lower detection possibility. In addition to the advice above, be sure you have configured your IP access to only allow authorized hosts to access the device and don’t expose services to the Internet.
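The brute-force activity QNAP warns about is easy to spot once authentication failures are counted per source over a short window. The block below is an added example, not code from the newsletter or from QNAP: it runs a sliding-window detector over constructed log lines (the line format is an assumption made for the example, not real QNAP output) and also reports whether the built-in `admin` account was among the targets, which ties back to the advice to disable it.

```javascript
// Added example: sliding-window detection of authentication brute force over
// constructed NAS-style log lines. Source addresses use documentation ranges.
const SAMPLE_LOG = [
  '2021-03-29T02:14:01Z nas1 auth: Login failed user=admin src=203.0.113.9',
  '2021-03-29T02:14:03Z nas1 auth: Login failed user=admin src=203.0.113.9',
  '2021-03-29T02:14:05Z nas1 auth: Login failed user=root src=203.0.113.9',
  '2021-03-29T02:14:08Z nas1 auth: Login failed user=backup src=203.0.113.9',
  '2021-03-29T02:14:09Z nas1 auth: Login failed user=admin src=203.0.113.9',
  '2021-03-29T02:14:10Z nas1 auth: Login failed user=admin src=203.0.113.9',
  '2021-03-29T02:20:00Z nas1 auth: Login failed user=alice src=192.168.1.20',
  '2021-03-29T02:20:30Z nas1 auth: Login OK user=alice src=192.168.1.20',
  '2021-03-29T03:00:00Z nas1 auth: Login failed user=admin src=198.51.100.7',
  '2021-03-29T03:30:00Z nas1 auth: Login failed user=admin src=198.51.100.7',
];

// Assumed line layout: "<ISO timestamp> <host> auth: Login <failed|OK> user=<u> src=<ip>"
const LINE_RE = /^(\S+) \S+ auth: Login (failed|OK) user=(\S+) src=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                                   // unknown format: skip, don't crash
  return { ts: Date.parse(m[1]), ok: m[2] === 'OK', user: m[3], src: m[4] };
}

// Emits one alert per source the first time it accumulates `threshold` failed
// logins inside any `windowSec`-second window. Lines must be in time order.
function detectBruteForce(lines, { threshold = 5, windowSec = 60 } = {}) {
  const bySrc = new Map();
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.ok) continue;                          // only failures count
    let st = bySrc.get(ev.src);
    if (!st) {
      st = { times: [], users: new Set(), alerted: false };
      bySrc.set(ev.src, st);
    }
    st.users.add(ev.user);
    st.times.push(ev.ts);
    while (st.times.length && ev.ts - st.times[0] > windowSec * 1000) st.times.shift();
    if (!st.alerted && st.times.length >= threshold) {
      st.alerted = true;
      alerts.push({
        src: ev.src,
        failures: st.times.length,
        users: [...st.users].sort(),
        adminTargeted: st.users.has('admin'),
        at: new Date(ev.ts).toISOString(),
      });
    }
  }
  return alerts;
}

function demo() {
  for (const a of detectBruteForce(SAMPLE_LOG)) {
    console.log(`${a.at} brute force from ${a.src}: ${a.failures} failures in window, ` +
                `accounts tried: ${a.users.join(', ')}` +
                (a.adminTargeted ? ' (built-in admin account targeted)' : ''));
  }
}
demo();
```

Two slow failures half an hour apart from 198.51.100.7 and one mistyped password from an internal host are correctly ignored; only the burst from 203.0.113.9 trips the window. In production the same logic runs in the SIEM, and the `adminTargeted` flag is a quick way to find devices where the default account is still enabled.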

Known Flaws in Thrive Themes for WordPress are being Actively Exploited

Recently-patched vulnerabilities in Thrive Themes “legacy” themes and Thrive Themes plugins for WordPress are being actively exploited. The two flaws can be chained to allow unauthenticated users to upload arbitrary files on vulnerable WordPress sites. Users are urged to update to Thrive Themes “legacy” themes 2.0.0 and to the most recent versions of Thrive Themes plugins.

Note:

  • A flaw in the REST API for Zapier can be exploited when Zapier is not configured, which allows arbitrary data to be added to the wp_options table. That update coupled with a flaw in the “Legacy” theme’s file compression REST API call allows for creation of arbitrary files on the site, including executable PHP. Updates to the Thrive themes and plugins were released March 12th; auto update can update themes as well as plugins. Wordfence Premium versions received firewall rules March 23rd, and the free version will receive them on April 22nd.
  • WordPress plugins continue to be both vulnerable and exploited. They should be used sparingly, by design and intent, not by default, and should be actively managed and policed.

Cisco Fixes Jabber Flaws

Cisco has released updates to address five vulnerabilities in Jabber for Windows, macOS, Android, and iOS. The most severe of the flaws is due to improper input validation of message content and could be exploited to allow remote, authenticated users to execute arbitrary code.

Note: The alert suggests running Jabber in Phone-only or Team Messaging mode is a workaround for all but CVE-2021-1471. It is better to push out the updated versions. The Cisco alert below includes information on fixed and vulnerable versions. Mobile devices should auto-update to new versions as they are released to their respective App Stores.

Exchange Server: Some Patched Systems Were Already Breached

Brandon Wales, acting executive director of the Cybersecurity and Infrastructure Security Agency (CISA) said that thousands of Exchange Servers that have been patched had already been breached. He urged companies to check their systems for indicators of compromise and malicious activity, noting that compromised systems could be used to introduce ransomware or to attack other organizations. Updates for the critical flaws were released on March 2, but many systems have not yet been patched. Researchers at F-Secure said that Exchange Servers are being attacked “faster than we can count.”

Note: Make sure that you’ve checked for IOCs after you patch. The vulnerabilities are being actively exploited, and even if you applied the patches the day they were released, you still need to verify that your system is clean. Both Microsoft and CISA have published free tools to scan your system. The Microsoft EOMT tool has been updated to be easier and more effective than the prior version and will download and install the MS Security Scanner. github.com: microsoft / CSS-Exchange

Exchange Server: Ransomware Operators are Moving In

Vulnerable Microsoft Exchange Servers are now being actively targeted by ransomware operators. Ransomware known as DearCry began attacking Exchange Servers as early as March 9. BlackKingdom ransomware began exploiting the vulnerabilities more recently.

Note: DearCry appears to be a quickly developed package which encrypts not only data, but also executables and DLLs, rendering the system unusable. BlackKingdom is a more mature traditional ransomware, and security firms can provide help with file recovery if needed. Mitigate the risk by applying patches, scanning for IOCs and making sure that you have real-time detection of attempted exploitation.

Exchange Server: Microsoft Defender Antivirus Mitigates One of the Vulnerabilities

Microsoft has updated two antivirus tools so that they mitigate one of the Exchange Server vulnerabilities in on-premises servers. Microsoft Defender Antivirus and System Center Endpoint Protection mitigate one of the four Exchange Server vulnerabilities for which Microsoft released patches earlier this month. By mitigating this particular vulnerability (CVE-2021-26855), the tools thwart attackers’ current model of operation.

Note: The Defender mitigation addresses the ProxyLogon vulnerability. Even with the Defender mitigation, you still need to apply the patches for a comprehensive fix as well as scan to make sure your system has not been compromised. The Microsoft EOMT tool is designed to make this easy and can remediate issues found.

CISA Warns of Multiple Vulnerabilities in GE Power Management Devices

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of multiple vulnerabilities in GE’s Universal Relay power management devices. The flaws could be exploited to access sensitive information, obtain privileged access, create a denial-of-service condition, or reboot the device. GE urges users to update affected devices’ firmware to UR firmware version 8.10 or later.

Note:

  • The list of vulnerabilities found in GE’s firmware is pretty much like reading the OWASP Top 10 software vulnerabilities list from 2005! This is true for many of the operational technology and “Internet of Things” vulnerabilities being disclosed – lots of vulnerabilities caused by prioritizing convenience (easy installs) over security and these devices put many obstacles in the way of easy patching. Essential security hygiene or at least strong segmentation and break/fix windows for patching should be high priority. Spending on Computerized Maintenance Management Systems (CMMS) by OT teams is a $1B per year market. Find out if your company is using a CMMS product and try to get firmware updating to be part of routine maintenance planning.
  • The list of disclosed vulnerabilities is both long and reminiscent of vulnerabilities we learned how to avoid years ago. Note that the version 7.4 firmware update added SSH V1 support and version 8.1x has support for weak SSH algorithms. Beyond updating the firmware, use network segmentation, firewalls, and isolation to limit access to these devices to only authorized devices as it’s not clear the weak protocols can be disabled. Don’t allow direct access from the Internet or your enterprise internet. See also the CISA control systems recommended practices for references on ICS defense in depth and improving ICS overall cybersecurity: us-cert.cisa.gov: Recommended Practices.

US Federal Grand Jury Indicts Swiss Citizen For Alleged Role in Leaking Stolen Data

A US federal grand jury has indicted an individual on charges they allegedly stole sensitive data and then posted them on the web. The compromised data include administrative credentials, access keys, and source code. Till Kottmann, who remains in Switzerland, faces several charges, including conspiracy to commit computer fraud and abuse.

Note: While the motivation for the hack appears to be raising awareness of private company and government-sponsored surveillance and the corresponding impacts on privacy coupled with inadequate security, unauthorized hacking is going to run you into legal entanglements. Worse still, if you’re taking action in support of class-action lawsuits intended to change legislation, it can render your work inadmissible. If you’re interested in disclosing security shortfalls, use the processes of a responsible disclosure organization to do it legally.

Netop Fixes Four Critical Flaws in Remote Teaching Software

Netop has addressed four critical vulnerabilities in its Netop Vision Pro system; the monitoring software is used by teachers to remotely access students’ computers. The flaws could be exploited to spy on students through webcams and microphones, infect machines with malware, and steal user credentials. Netop learned of the vulnerabilities in December 2020 and released an updated version of the product in February 2021.

Critical BIG-IP Vulnerability is Being Actively Exploited

Attackers are scanning for and actively targeting systems with unpatched F5 Networks BIG-IP and BIG-IQ network devices. F5 released fixes for this flaw and 20 others earlier this month. The unauthenticated remote command execution vulnerability exists in the iControl REST interface. BIG-IP server appliances are used to manage traffic flowing into and out of large networks.

Adobe Issues Fix for Critical Flaw in ColdFusion

Adobe has released updates for ColdFusion to address a critical improper input validation vulnerability that could be exploited to execute arbitrary code. The issue affects ColdFusion 2016 Update 16 and earlier, ColdFusion 2018 Update 10 and earlier, and ColdFusion 2021, version 2021.0.0.323925.

Note: Adobe gives the security bulletin a priority rating of 2, which indicates that while it’s not actively being exploited, this is a product which has historically been at risk so you should plan to update soon (within 30 days). Don’t wait for someone to discover your unpatched server. Note that you need to not only apply the corresponding ColdFusion update, but also update your JRE/JDK to the latest versions of the LTS releases for 1.8 and JDK 11 to secure the server. The Adobe security update site below also has links to guides for locking down your ColdFusion server which should be leveraged.

Shell Discloses Accellion File Transfer Appliance Breach

Energy company Shell disclosed that it “has been impacted by a data security incident involving Accellion’s File Transfer Appliance.” The company is notifying affected individuals and stakeholders.

Note: The Accellion FTA is being actively targeted and has been since December. Even if you apply the patches to extend the life of the service while you transition, you must check the device for indicators of compromise. At this point it may be better to take it offline and accelerate the migration than accept the risk of further compromise.

Flagstar Bank Now Says Some Customer Data Were Compromised in Accellion Attack

Michigan’s Flagstar Bank has been notifying some people that their personal data, including names, addresses, and Social Security numbers, were compromised through an attack against the institution’s Accellion file sharing platform. When Flagstar initially acknowledged the January attack several weeks ago, it said that employee data were compromised. Some of the people who have recently been contacted have not had an account with Flagstar in years; others have never had an account with Flagstar.

Note: Flagstar is offering two years of free credit monitoring to affected individuals. If you don’t already have credit monitoring, accept the offer. Otherwise, multiple monitoring services do not add much value. Note that financial institutions may acquire your personal information in unexpected ways, such as when they purchase your loan from the originating institution, and have retention requirements, mandated by regulators, which exceed the time you’re a customer. As a business, retain personal information the minimal amount of time, making sure you don’t have caches of unpurged data.

Read more in: Ransomwared Bank Tells Customers It Lost Their SSNs

Survey: Cybersecurity Experts Rank Smart City Technologies

Researchers at Berkeley’s Center for Long-Term Cybersecurity (CLTC) asked security experts to “rank different technologies according to underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack.” According to the results of the survey, emergency alerts, street video surveillance, and smart traffic signals posed more security risks than other technologies. The other technologies included in the survey are smart waste/recycling bins; satellite water leak detection; water consumption tracking; smart tolling; public transit open data; and gunshot detection. The experts were asked to consider the presence of serious vulnerabilities in the underlying technology, the consequences of a successful attack, and whether the technology would be considered a target of interest for attackers.

Note: The term “Smart City” is like “Internet of Things” – very broad terms that often contain very different technologies or use cases. Comparison of risk across the disparate items within those broad buckets isn’t very meaningful. It is more important to focus on requiring essential security hygiene to be built into all products and systems being procured as part of “Smart City” initiatives.

Russian Pleads Guilty to Tesla Extortion Attempt

A Russian man who attempted to recruit a Tesla employee to place malware on computers at the Tesla Gigafactory has pleaded guilty to conspiracy to intentionally cause damage to a protected computer. Egor Igorevich Kriuchkov allegedly planned to use the malware to steal data from the network and hold it for ransom. Rather than cooperate with Kriuchkov, the Tesla employee informed his employer, who then notified the FBI. Kriuchkov was arrested in August 2020.

ODNI Report on 2020 Elections: Russia Pushed Influence Narratives

The National Intelligence Council’s (NIC’s) Intelligence Community Assessment, Foreign Threats to the 2020 US Federal Elections, says there is evidence that foreign actors, most notably Russia, attempted to influence the election and undermine confidence in the electoral process. “A key element of Moscow’s strategy this election cycle was its use of proxies linked to Russian intelligence to push influence narratives … to US media organizations, US officials, and prominent US individuals, some close to [the] former president and his administration.” NIC says that they “have no indications that any foreign actor attempted to alter any technical aspect of the voting process in the 2020 US elections.”

Note:

  • Back in the late 1950s a faked experiment led to concern over subliminal advertising frames inserted into films shown in movie theaters. In the early 2000s scientific research proved subliminal advertising did lead to unknowing influence and many countries banned it, while in the US the FCC “discouraged” its use. Many of the influence techniques used by nation states and terrorist groups on social media are essentially subliminal advertising and legislation needs to evolve – it is not something market forces will address.
  • Social engineering, influencing others to act in a fashion that supports your desired outcomes, is not new. Often this manifests itself in advertising, or social media posts where the legitimacy is difficult to discern. Changes in legislation can make it harder or add consequences, but it still falls to the consumer to verify information provided.

FBI Internet Crime Report 2020

The FBI’s Internet Crime Complaint Center (IC3) has published the 2020 Internet Crime Report. IC3 received more than 790,000 complaints regarding Internet-related crime in 2020. Phishing was the most often reported crime, followed by non-payment/non-delivery, and extortion. Losses reported to IC3 totaled more than $4 billion. Business email compromise accounted for the largest portion ($1.8 billion) of those losses.

Note: Just to put that $4B number in perspective: the 2020 National Retail Federation shrinkage survey estimated that 2019 shrinkage (inventory loss from shoplifting, employee theft, supplier error/fraud, cashier errors and other causes) was $62B in the retail sector alone. Three key points here: (1) the FBI IC3 data comes from complaints filed with the FBI, the numbers don’t reflect overall losses in any way; (2) in many industries, traditional crime continues to have a much larger business impact than cybercrime; (3) retail has kept shrinkage in the range of 1.5 – 2% over the years, while spending 1-1.5% of revenue on loss prevention/shrinkage control, meaning a 3% loss of revenue to shrinkage and the loss prevention program is an acceptable cost of doing business. Increasing spending in loss prevention without reducing shrinkage enough would result in a loss of profit, even if the absolute level of shrinkage went down. Can you talk similar language about the effectiveness of your spending on security controls to justify increases or changes?

Mimecast Says SolarWinds Threat Actor Stole Source Certificates and Customer Server Connection Information

Cloud-based email management company Mimecast says that a threat actor linked to the SolarWinds supply chain breach gained “access to part of our production grid environment… [and] accessed certain Mimecast-issued certificates and related customer server connection information.” The threat actor also accessed and downloaded some Mimecast source code repositories.

Note:

  • When implementing MFA, make sure to not leave exceptions. Verify that remains in effect. Make sure that access credentials, including certificates, are only accessible where absolutely needed. This also raises the question – when you discover a credential is compromised, and change it, and then discover you still have attackers in your system, do you update it again? Or do you wait to make the initial update until you’re absolutely certain the attackers are gone?
  • Private keys should not be stored online when not in use.

CISA’s CHIRP Tool Detects SolarWinds Indicators of Compromise

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool that can detect indicators of compromise related to SolarWinds in on-premises environments. “The tool looks for the presence of malware identified by security researchers as TEARDROP and RAINDROP; credential dumping certificate pulls; certain persistence mechanisms identified as associated with this campaign; system, network, and M365 enumeration; and known observable indicators of lateral movement.”

Note:

  • Similar to the Sparrow tool which scans for signs of APT compromise in a MS 365 or Azure environment, CHIRP scans for signs of APT compromise in an on-premise environment. CHIRP is available as a PowerShell script or compiled executable and is a command line tool. Unlike the Microsoft tool, CHIRP makes no changes to systems and takes 1-2 hours to run. Ingest the JSON results in your SIEM.
  • Such tools will enable one to detect some, perhaps even most, but not all compromises. “The absence of evidence is not evidence of absence.”

Three Year Sentence for Twitter Bitcoin Hack

One of the people involved in the Twitter cryptocurrency scam in July 2020 has pleaded guilty to 30 charges, including accessing a computer without authority causing more than $5,000 in damage. Graham Ivan Clark, who was 17 at the time of the incident, will serve three years in a detention facility. He has also surrendered the cryptocurrency he received in the scam. Two co-conspirators are facing charges as well.

Public-Private Task Force to Focus on Exchange Server Response

The National Security Council has created a Unified Coordination Group (UCG), a task force focused on the government’s response to the Microsoft Exchange Server attacks. The task force members include representatives from the intelligence community as well as from private industry. White House Press Secretary Jen Psaki said the UCG met earlier this week and “discussed the remaining number of unpatched systems, malicious exploitation, and ways to partner together on incident response, including the methodology partners could use for tracking the incident.” Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the Biden “Administration is committed to working with the private sector to build back better – including to modernize our cyber defenses and enhance the nation’s ability to respond rapidly to significant cybersecurity incidents.”

Note:

  • Rather than “build back better,” use cloud or outsourced services which are built and maintained at a higher level of assurance. One of the appeals and challenges of using cloud services is that the provider is patching and updating, as well as setting the security parameters they can manage. This leaves the customer with a smaller set of responsibilities. In the FedRAMP cloud space, system security is based on the same security framework that agencies need to follow when securing their own systems, with the added benefit of an external auditing company which holds them accountable for fully meeting those controls. While a more aggressive update schedule may stress existing resources, they also provide guidance to minimize the risks associated with updates.
  • The “Exchange Server” problem pales in comparison to SolarWinds.

TrickBot Warning

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert warning of “continued targeting through spearphishing campaigns using TrickBot malware.” A group of cybersecurity companies took steps to dismantle the TrickBot infrastructure last fall. The effort disrupted TrickBot operations for several weeks. The CISA/FBI alert provides a list of suggested mitigations, including blocking suspicious IP addresses, using antivirus software, and providing phishing and social engineering training to employees.

Note:

  • TrickBot is getting more exposure after legal actions shut down some competing botnets. Please do not focus too much on blocking specific IP addresses as they tend to change quickly. One interesting method to detect TrickBot is by inspecting TLS certificates. Tools like Zeek are excellent to collect this information and it tends to be quite useful not just for TrickBot.
  • Attackers use TrickBot to drop other malware such as Ryuk and Conti ransomware, or serve an Emotet downloader. The Alert warning below includes a layout of TrickBot’s techniques, mapped to MITRE ATT&CK techniques. That mapping can be used to help others understand the relevance of ATT&CK. Mitigations include user training, policy and procedures for reporting suspect email, firewall rules as well as segmenting systems to limit lateral movement. I have seen great success in reporting by adding a reporting button to email clients. Note: You will have to respond to reported messages for use to continue past the initial rollout.

Cisco Issues Router Fixes

Cisco has released fixes to address a high-severity flaw that could be exploited to remotely execute code as root user or cause a denial-of-service condition. The issue exists in the web-based management interface’s improper validation of user-supplied input. Cisco has made fixes available for affected products: RV132W ADSL2+ Wireless-N VPN routers running a firmware release prior to 1.0.1.15; and RV134W VDSL2 Wireless-AC VPN routers running a firmware release prior to 1.0.1.21.

Note: When configuring devices like these, limit access to the administration interface to authorized devices only. Do not enable remote administration without requiring a VPN. These routers were released in 2016; it’s a good time to consider replacing them with newer models, particularly if you are out of support and unable to apply the update.

Man Extradited to US, Sentenced to Prison for Cyber Extortion

A US district judge sentenced Joshua Polloso Epifaniou to one year and one day in prison for breaking into websites, stealing user and customer data, and threatening to publish it unless he was paid. Epifaniou has paid nearly $1 million in restitution and forfeiture.

Connecticut Will Consolidate State IT Operations

The governor of Connecticut said the state will consolidate its IT operations into one organization within Connecticut’s Department of Administration Services. Connecticut has close to 40 state agencies; some of the smaller agencies currently lack sufficient IT resources and expertise. The change is also expected to improve cybersecurity.

Note: Centralizing services like this enables leveraging a consolidated pool of expertise and provides opportunities for increased coverage. The trick is not only relocation of services, but also having them operate in a consistent fashion, leveraging common patching, updating and backup processes as well as common platforms and application stacks to eliminate pockets of specialized support staff and processes. Security boundaries also have to be considered, much like when merging businesses, including verification of resources and services before trusting them in the new environment.

GAO: Department of Energy Needs to Increase Focus on Distribution System Cybersecurity

According to a report from the Government Accountability Office (GAO), the US power grid’s distribution systems are at an increased risk from cyberattacks. The distribution systems’ industrial control systems (ICSs) are increasingly remotely accessible and connected to business networks. The report says that the Department of Energy has focused on cybersecurity of the grid’s generation and transmission systems and needs to make sure the distribution system’s cybersecurity concerns are mitigated as well.

Note:

  • With a giant distributed system such as the Grid, not only do remote connections for management and monitoring need to be secure, but data communication paths, whether wireless or ethernet over powerline, need to be verified to limit unauthorized interception. The most common mitigation response I have heard to malicious behavior on control systems is to revert to manual control. While good on paper, verify that is actually practical and timely before relying on that plan.
  • We have been saying this for a decade or more. Time to stop “admiring the problem.” We need a narrow focus on what to do. Start with strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) wherever controls are connected to the public networks. Then end-to-end application layer encryption and finally application content control.

Universities and Colleges Targeted In Rash of Ransomware Attacks

Today the FBI issued a rare “FLASH” report notifying “trusted partners” of a sharply accelerating wave of PYSA ransomware already targeting education institutions in 12 US states and the United Kingdom. PYSA, also known as Mespinoza, is malware capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victims’ systems to use as leverage in eliciting ransom payments.

Colleges that are not members of another FBI trusted partner group can get a copy of the report through their student cyber clubs that are wisely using this notification to practice locating IOCs both to help their schools and as preparation for the National Cyber Scholarship competition coming on April 5. The Cyber FastTrack College Coalition of 120 colleges is sharing the FBI FLASH report and more than 100 practice labs contained in the CyberStart learning labs game. Have your college cyber club president request the FBI FLASH report (and learning labs) by emailing [email protected].

Compromised Exchange Servers Targeted with Ransomware

In a new phase of attacks against on-premises Exchange Servers, systems that have already been compromised are now being targeted with ransomware. Microsoft says it “protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.”

Note:

  • These Exchange Server exploits follow an accelerated timeline of adoption by new criminals: from nation state attacks -> organized crime -> commodity ransomware attacks. Again: If you are not patched, you are compromised. Also consider Business E-Mail Compromise (BEC) attacks a possibility. They are more difficult to detect and may not make the news, at first.
  • Microsoft released a one-click tool aimed at companies, in particular SMEs, to use to identify whether they have been compromised and/or are vulnerable, and to help remedy if they are. The tool is available at msrc-blog.microsoft.com: One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021

Linux Kernel Flaws Could be Exploited to Gain Root Privileges

A trio of vulnerabilities in the iSCSI module of the Linux kernel could be exploited to allow anyone with a user account to obtain root privileges. The vulnerabilities have been present since 2006 and they affect all Linux distributions. They were only recently detected by researchers from GRIMM, which notified the Linux Security Team in mid-February. The issues are fixed in these kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260.

Note:

  • Not an emergency. Patch as updated packages become available. Sadly, privilege escalation vulnerabilities are too common to really worry about them too much.
  • While you may no longer have SCSI or iSCSI devices, the loadable modules are still installed with the OS. As kernel modules can be loaded by non-privileged users, it’s a good idea to look at hardening the processes around loading kernel modules and allowing only authorized/approved modules to load. While each Linux distribution is slightly different, modules can be denied by editing the modprobe configuration files to not only prevent the loading, but also to change the install for a given module to /bin/false.
  • The key issue with Linux vulnerabilities is all the different flavors of Linux that might be in use in your environment, especially in appliances and ICS-type equipment. That impacts not only the level of severity of the vulnerability but also the availability and timeliness of patching. This type of vulnerability – “vestigial” capabilities that aren’t used much but are left in software to ensure backwards compatibility – are a continuing goldmine for attackers that Windows and Linux suffer because of the broad base of hardware that runs those OSs and the many, many, many years they have been out. It really is time to change the planning around IT lifecycle/depreciation schedules to be closer to mobile device short timeframes than the current schedules which really date back to mainframe days.
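A worked version of the modprobe hardening the note above describes, added here as an example and not taken from the newsletter or any distribution’s own guidance. The iSCSI initiator module names (libiscsi, libiscsi_tcp, iscsi_tcp, scsi_transport_iscsi) are assumed from a stock kernel; check them against lsmod and modinfo on your hosts, and the demo writes the drop-in to a temp file rather than /etc/modprobe.d.

```shell
#!/bin/sh
# Added example (not from the newsletter): generate a modprobe.d drop-in that
# denies loading of the iSCSI initiator modules, then audit it.
# Module names are assumed from a stock kernel; adjust for your distribution.
set -eu

DENY_MODULES="${DENY_MODULES:-libiscsi libiscsi_tcp iscsi_tcp scsi_transport_iscsi}"

# Print the drop-in content. 'blacklist' only stops alias-based autoloading;
# the 'install <mod> /bin/false' line also makes an explicit modprobe of the
# module (including one pulled in as a dependency) fail instead of loading it.
gen_modprobe_deny() {
    for m in $DENY_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Answer "yes" if the named module has an install-deny line in the given
# config file, "no" otherwise; usable to audit an existing drop-in.
module_is_denied() {
    mod="$1"
    cfg="$2"
    if grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/false([[:space:]]|$)" "$cfg"; then
        echo yes
    else
        echo no
    fi
}

# Demo: write to a temp file (the real location is /etc/modprobe.d/deny-iscsi.conf),
# show it, and dry-run the loader if one is present. With the drop-in in place
# 'modprobe -n -v' reports the /bin/false install command instead of an insmod.
demo() {
    cfg="${TMPDIR:-/tmp}/deny-iscsi.conf.$$"
    gen_modprobe_deny > "$cfg"
    cat "$cfg"
    printf 'libiscsi denied: %s\n' "$(module_is_denied libiscsi "$cfg")"
    if command -v modprobe >/dev/null 2>&1; then
        modprobe -n -v -C "$cfg" libiscsi 2>/dev/null || true
    fi
    rm -f "$cfg"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh deny-iscsi.sh demo`; an unprivileged account can still trigger autoloading of modules through ordinary syscalls, which is why the deny rule matters even where no one runs modprobe by hand.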

Analysis Shows Security Agencies Need to Adopt Better PDF Sanitization Methods

Researchers from the University of Grenoble (France) Alpes and France’s Institut national de recherche en informatique et en automatique (INRIA) have published a paper detailing data exposure concerns in PDFs published by security agencies. The researchers analyzed 40,000 PDFs published by security agencies in 47 countries. Just seven agencies used sanitization to remove sensitive information from PDFs, and 65 percent of the sanitized files still contained sensitive information. PDFs contain layers of hidden data. Inadequate sanitization can reveal “sensitive information like authors names, details on the information system and architecture.” The researchers urge agencies to change sanitization methods.

Note:

  • Redacting information requires a careful choice of tool and technique to avoid using mechanisms which can be bypassed. With PDF and other modern document types, it’s easy to overlook the hidden data included by default, from embedded files, to information about the author, organization and even software versions used. The published paper enumerates 11 types of hidden data in PDF files. The best tool for removing metadata from PDF files is Adobe Acrobat. NSA has published a guide for redacting files using Adobe Acrobat Pro. apps.nsa.gov: Redaction of PDF Files Using Adobe Acrobat Professional X
  • Or maybe we need fewer PDFs? Reviving the art of creating readable plain text documents may be easier and more effective than sanitizing PDFs.
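An added triage check for the residual-metadata problem the note above describes; it is not from the newsletter or the cited paper. It scans a PDF for the author and tool fields that live in the /Info dictionary and in the XMP packet, and the sample PDF with its field values is constructed for the demo (an emptied /Info dictionary next to an XMP stream that still names the author and tool).

```shell
#!/bin/sh
# Added example (not from the newsletter or the cited paper): triage check for
# author/tool metadata that a "sanitized" PDF may still carry, looking in the
# classic /Info dictionary and in the XMP packet. Sample PDF is constructed.
set -eu

# Field names that reveal who produced the document and with what software.
PDF_META_FIELDS='/Author|/Creator|/Producer|dc:creator|xmp:CreatorTool|pdf:Producer'

# List each such field present in the file, one per line, deduplicated.
# Caveat: only uncompressed bytes are scanned; fields inside FlateDecode or
# object streams need the file rewritten with streams decompressed (or a real
# PDF parser) before this check says anything reliable.
pdf_residual_metadata() {
    grep -a -o -E "($PDF_META_FIELDS)" "$1" | sort -u
}

# Number of distinct leaking fields; 0 means nothing obvious survived.
pdf_residual_count() {
    pdf_residual_metadata "$1" | wc -l | tr -d ' '
}

# Build a minimal PDF (no xref table; enough for a byte-level scan) whose
# /Info dictionary was emptied of author data while the XMP metadata stream
# still names the author, organisation and authoring tool.
make_sample_pdf() {
    out="$1"
    xmp='<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description xmp:CreatorTool="ExampleWriter 9.2"><dc:creator><rdf:Seq><rdf:li>J. Doe (Example Agency)</rdf:li></rdf:Seq></dc:creator></rdf:Description></rdf:RDF></x:xmpmeta>'
    len=$(printf '%s' "$xmp" | wc -c | tr -d ' ')
    {
        printf '%%PDF-1.7\n'
        printf '1 0 obj << /Type /Catalog /Metadata 3 0 R >> endobj\n'
        printf '2 0 obj << /Title (Quarterly report) >> endobj\n'
        printf '3 0 obj << /Type /Metadata /Subtype /XML /Length %s >>\n' "$len"
        printf 'stream\n%s\nendstream\nendobj\n' "$xmp"
        printf 'trailer << /Root 1 0 R /Info 2 0 R >>\n%%%%EOF\n'
    } > "$out"
}

# Demo run: the /Info dictionary is clean, yet dc:creator and xmp:CreatorTool
# are still reported from the XMP stream.
demo() {
    f="${TMPDIR:-/tmp}/sample-report.$$.pdf"
    make_sample_pdf "$f"
    pdf_residual_metadata "$f"
    printf 'fields found: %s\n' "$(pdf_residual_count "$f")"
    rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```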

Cyberattack Disrupted Molson Coors Production

The Molson Coors brewing company says that a cyberattack “caused a system outage,” disrupting operations. Molson Coors disclosed the information in a Form 8-K filed with the US Securities and Exchange Commission (SEC). The company has not provided details about the attack.

OVH Data Center Fire Occurred After UPS Unit Maintenance, Some Backups Non-recoverable

A fire that destroyed an OVH data center in Strasbourg, France, was likely caused by problems with an uninterruptible power supply (UPS) unit. Firefighters’ thermal cameras showed that a recently-serviced UPS unit and an adjacent unit were burning. The company has also said that internal backups for some systems are “non-recoverable.”

Note:

  • When outsourcing functions, whether to a hosting center or a cloud provider, look carefully at geographic separation to prevent single points of failure. When services were in your data center, you had discussions about separations to prevent a single incident taking down your systems and you sent backups to an offsite facility for storage. These same risks apply here. Cloud services make it easy to have regional separations, most often considered for availability, but also consider separations for recovery as well, separate backups and services. Similarly, have backups in a separate co-location service from your hosted systems if you’re not retaining them in your data center.
  • Fire safety is usually outside the expertise of cybersecurity teams, but it is just as complex – putting one group in charge of both has been promoted, but often makes no sense. Many UPS systems involve batteries and there are numerous scenarios where batteries can be mismanaged or undermaintained and burst into flames. There are also many storage scenarios in which innocuous maintenance materials (antifreeze, fertilizer, burlap sacks, etc.) may be stored too close together and lead to fires. This is a good example to use to drive inspection if your group is responsible for fire safety.
  • Too many people feel that once their data is in the cloud they no longer need to worry about backups.

Microsoft Investigating Possible Leak of Exchange Server Proof-of-Concept Code

Microsoft is investigating whether information about the Exchange Server vulnerabilities was leaked prior to the patches’ release. Microsoft shared information about the vulnerabilities with its security partners through its Microsoft Active Protections Program (MAPP). On February 23, some MAPP partners received information about the Exchange Server vulnerabilities, which included proof-of-concept exploit code. (Please note that the WSJ story is behind a paywall.)

Note: Microsoft sources say they suspect that one of their MAPP business partners released the code. Vulnerability and supporting information, such as proof-of-concept code, is released to these partners as part of their patch release process. If a partner was the source of the leak, they will face consequences, including ejection from the MAPP program. The possible risks of the MAPP program indicate timely application of released updates is prudent.

Sky Global CEO and Associate Indicted

A US federal grand jury has returned an indictment against Sky Global CEO Jean-Francois Eap and a former distributor of Sky Global devices, Thomas Herdman. Suzanne Turner, FBI Special Agent in Charge of the San Diego Field Office, said “Eap and Herdman allegedly provided a service designed to allow criminals to evade law enforcement to traffic drugs and commit acts of violent crime without detection.” Sky Global devices are allegedly designed to prevent law enforcement from monitoring communications.

UK ISPs and Law Enforcement Have Been Testing Internet Surveillance Technology

Internet service providers, the UK Home Office, and the National Crime Agency have been testing surveillance technology that could be used to retain all UK residents’ browsing histories. The Investigatory Powers Act 2016 allows the collection of data to create Internet Connection Records, and allows the information to be stored for up to 12 months.

Note: This will be watched very closely by the EU because the UK has now left the EU via Brexit. The UK has been granted temporary adequacy (meaning companies within the EU can continue to transfer personal data to organisations within the UK) until the end of June this year. However, should the EU deem the measures the UK are testing with this project to be in breach of the rights of EU citizens, the EU may not grant the UK ongoing adequacy from July 1, leading to major personal data transfer issues between the EU and the UK.

Read more in: The UK Is Secretly Testing a Controversial Web Snooping Tool

Google Pushes Out Fix for Another Chrome Zero-day

A use-after-free vulnerability in Google Chrome’s Blink rendering engine is being actively exploited. This is the third zero-day flaw in Chrome that has been disclosed in as many months. The issue is fixed in the most recent version of Chrome on the stable channel for desktop, “89.0.4389.90 for Windows, Mac and Linux, which will roll out over the coming days/weeks.” The update fixes four additional vulnerabilities.

Note:

  • Luckily, Google Chrome has a reasonably solid auto-update scheme. Just make sure to restart Google Chrome at least once a day.
  • The updates have not aligned with patch Tuesday, meaning you’re going to have to kick off an out-of-band patch sequence. Make sure to tell users to close Chrome, because you’re going to have to do that for them to apply the update. Make sure your other Chromium based browsers are up to date as well.
  • Browsers have become so general, flexible, feature-rich, and complex that they are inherently risky. Prefer purpose-built apps for sensitive applications.

Google’s Proof-of-Concept Spectre Exploit

Google has published a proof-of-concept exploit for the Spectre vulnerability. Google notes that “the goal of this proof of concept is to demonstrate the feasibility of a web-based Spectre exploit.”

Note: The POC demonstrates that current Spectre mitigations are incomplete. Google has published guidance on new security defenses to mitigate both Spectre-style and common web-level cross-site leaks (security.googleblog.com: Towards native security defenses for the web ecosystem). These defenses are dependent on new security features introduced in Chrome 83 and Firefox 79 and if followed can help create applications more resistant to CSRF, XSS, DOM based and other information leak attacks.

Buffalo Public Schools Cancels Classes Due to Ransomware

Buffalo (New York) Public Schools was hit with a ransomware attack on Friday, March 12. The district cancelled remote learning on Friday afternoon “due to an unanticipated interruption to BPS District network systems.” The district has cancelled all classes on Monday, March 15.

House Committee Forms DOD Supply Chain Security Task Force

The US House of Representatives Armed Services Committee has created a task force to look into defense supply chain issues. Over the next three months, the Defense Critical Supply Chain Task Force will develop legislative solutions to supply chain and related issues that can be incorporated into the 2022 National Defense Authorization Act. Task force co-chair Representative Mike Gallagher (R-Wisconsin) also co-chaired the Cyberspace Solarium Commission.

Note:

  • A much faster approach would be to simply photocopy the reports from any of the numerous other task forces that have been launched by the US Federal Government in the last decade or so on the same topic. I provided input to one in 2012 or so and would just cut and paste my same recommendations today.
  • Paying attention to your supply chain is really important, particularly when a known supplier is acquired by one who may not have your best interests at heart. Discovery may reveal hardware and software products no longer appropriate for your enterprise which will then have to be replaced or constrained. That analysis has to be supported by detection capabilities and response to prevent malicious activities not yet surfaced by your supply chain analysis.
  • Even if we are unable to hold vendors responsible for the quality of their own code, we must hold them accountable when they distribute malicious code from other sources. We will not secure the supply-chain by putting all the onus on the end-using enterprises.

Read more in: New House task force focuses on supply chain vulnerabilities

Some Exchange Server Victims Have Multiple Backdoors Installed

Experts are working to notify and help organizations with systems that have been compromised by groups exploiting the Exchange Server vulnerabilities before the attackers move on to phase two of the campaign, which could have much more dire consequences. Some of the victims have been targeted by multiple groups and as a result now have multiple backdoors on their systems. Victims of the attacks include Norway’s parliament and the European Banking Authority.

Note:

  • With proof-of-concept code circulating, backdoors are to be expected. Attackers are racing to control as many systems as possible before other groups lock them down. The attackers are acting MUCH more quickly than system owners and will make the cleanup job all that much harder for system owners who are slow to respond.
  • As feared, the criminals have already moved on to the next phase and are starting to leverage their foothold on compromised systems to launch ransomware attacks known as Ransom:Win32/DoejoCrypt.A, and also as DearCry (www.zdnet.com: Microsoft Exchange attacks: Watch out for this new ransomware threat to unpatched servers). If you have not checked your on-premises Exchange servers by now, do so as a matter of urgency using the guidance provided by Microsoft: msrc-blog.microsoft.com: Microsoft Exchange Server Vulnerabilities Mitigations – updated March 9, 2021

Read more in:

Multiple Threat Actors are Exploiting Exchange Server Vulnerabilities

According to analysis from ESET, at least 10 APT groups are exploiting the Microsoft Exchange Server vulnerabilities. Many of the groups have ties to China. Six of the groups were actively exploiting the flaws prior to Microsoft’s emergency patch release on Tuesday, March 2.

Note:

  • The interval between initial exploits by Hafnium and additional APT groups is simply too small for them to have independently discovered the vulnerabilities and developed working exploits. This suggests that after the initial exploits were leveraged by Hafnium in or before January, they then shared them with other groups such as Tick, LuckyMouse, Calypso, Websiic and APT41. Given the scope of added exploits discovered, assume they are shared even more broadly. For this reason, it is best to operate on the model that all Exchange servers are targets and that you not only need to apply the patches, but also check carefully for signs of compromise. Make sure that your real-time endpoint protection includes the Exchange vulnerabilities and IOCs.
  • This issue of NewsBites features a wide array of vulnerabilities in IT critical infrastructure elements, like Windows, macOS, Exchange and F5 BIG-IP – without even mentioning SolarWinds Orion. This points out two big issues that are pre-requisites to even considering thinking about talking about buzzwords like “Zero Trust”: (1) to be proactive, risk analysis has to focus as much (really more) on where vulnerabilities would cause the most impact to business as on who might launch attacks; and (2) if you can’t get the critical IT infrastructure elements to the essential security hygiene level (meaningful segmentation, rapid patching, configuration management) then you have no chance in assessing the trustability of anything else.
  • I concur with John Pescatore but I want to stress the urgency and seriousness. Our infrastructure now stands naked before a nation state willing to take the risk of being caught in the act of compromising that infrastructure. We must assume that that state will work to maintain its advantage and that in time of crisis would exploit it.

Read more in:

Microsoft Releases Patches for Older Versions of Exchange Server

On Monday, March 8, Microsoft released patches for older, unsupported versions of Exchange Server to protect entities using those versions from attacks. The decision to release the additional fixes underscores the severity of the situation. In a blog post accompanying the patches’ release, Microsoft cautions that the cumulative updates address only the four Exchange Server vulnerabilities that are being actively exploited and urges users to upgrade to a supported version of Exchange Server.

Note: If you are running an older Exchange version, you not only need to apply the patches, but also run detection tools such as the Microsoft Safety Scanner (MSERT) to detect and remove any web shells. Next, start your migration to either supported Exchange or Exchange online services.

Read more in:

Apple Updates macOS, iOS, and iPadOS to Fix Code Execution Issue

Apple has released an assortment of updates to fix a vulnerability that could allow arbitrary code execution. Users are urged to update to macOS Big Sur 11.2.3, iOS 14.4.1 and iPadOS 14.4.1.

Note:

  • Apple’s release of an update fixing one single vulnerability is very unusual and may indicate that this vulnerability is already being exploited.
  • This update fixes CVE-2021-1844 in WebKit, necessitating updates to iOS/iPadOS and watchOS as well as Safari and macOS 11 (Big Sur). While iOS and iPadOS 14.5 are expected to drop soon, this update is here now. Minimize the impact by leveraging your device management solution to push the update to Automated Device Enrollment (ADE), formerly DEP, devices.

Read more in:

Microsoft Patch Tuesday: March 2021

On Tuesday, March 9, Microsoft released updates to address more than 80 vulnerabilities in Windows, Edge, Azure, Office, and other products. Several of the vulnerabilities are being actively exploited, including a memory corruption issue in Internet Explorer that was used in attacks targeting security researchers; the flaw can be exploited to gain privileges equivalent to those of the logged-on user.

Note:

  • With all the attention to Exchange, don’t lose sight of this month’s Microsoft patches. Ten of the released updates are rated critical. Some of the patches are being refined, so keep an eye out for changes. Note that this is the last patch for the legacy Edge browser, because support ends this month. You should be actively migrating off legacy Edge to alternatives such as Chromium Edge.
  • I hope you had the Exchange server issue under control ahead of the release of Tuesday’s monthly patches. We should all be patching DNS servers (and AD using DNS). This vulnerability, while not as easily exploitable as some, has also had some PoC exploits released.

Read more in:

Adobe Updates Five Critical Flaws in Framemaker, Connect, and Creative Cloud

Adobe has released updates to address critical flaws in Framemaker, Connect, and Creative Cloud. An out-of-bounds read issue in Framemaker, an improper input validation issue in Connect, and an arbitrary file overwrite issue and an OS command injection issue in Creative Cloud could be exploited to allow arbitrary code execution. An improper input validation issue in Creative Cloud could be exploited to gain elevated privileges.

Note: While these vulnerabilities are rated critical, they are also marked priority 3, which means the product has not historically been a target and to install the updates at your discretion. Creative Cloud users should automatically get the updates. Add scanning for the updated versions to your monthly patch verification process, flagging or updating those who fail to apply the update.

Read more in:

F5 Issues Updates to Fix Seven BIG-IP Flaws; Four are Critical

F5 has disclosed seven security issues affecting its BIG-IP and BIG-IQ network devices. Four of the flaws are critical remote code execution issues that could be exploited to take control of vulnerable systems. The flaws are fixed in BIG-IP versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. One of the critical flaws also affects BIG-IQ; it is fixed in versions 8.0.0, 7.1.0.3, and 7.0.0.2.

Note:

  • In addition to patching these systems, verify that the administrative interfaces are not exposed. The #1 precaution you can take, whether it is for a home router or an enterprise gateway, is to avoid exposing your administrative interfaces and APIs to the public.
  • If you’re an F5 shop, you’re probably using F5 for not only load balancing Internet facing services, but also WAF and SSL termination. These vulnerabilities enable remote code execution, so an exploit can effectively pivot into non-public areas of your corporate network. It’s reasonably easy to discover vulnerable devices with tools like Shodan. There is no effective mitigation other than patching/updating. The F5 overview below has a table of affected to fixed software versions. Use this to plan your attack. Also don’t overlook your non-Internet facing F5 devices.

Read more in:

Verkada Surveillance Cameras Breached

Live feeds from more than 150,000 Verkada surveillance cameras were breached after admin account credentials were found on the Internet. The intruders were able to access archived footage as well. Verkada has disabled all internal administrator accounts. Affected organizations include hospitals, prisons, schools, police stations, and manufacturing facilities.

Note: This isn’t new: Internet connected cameras accessed via some kind of “support” or “backdoor” password. Cameras often need to be exposed to the Internet for remote monitoring. If you do this: Please do not place cameras in sensitive areas (for example inside your house or office) and avoid systems that store footage in the cloud.

Read more in:

European Judicial and Law Enforcement Authorities Make Arrests After Cracking Sky ECC Encryption

Authorities in Belgium, France, and the Netherlands, with the support of Europol and Eurojust, have “unlocked” the Sky ECC encrypted communication network, which allows them to monitor communications of organized crime groups. Earlier this week, authorities conducted raids in which they seized property and made arrests. Sky ECC maintains that its encryption was not broken, but that the information used to make the arrests and seizures was obtained through a phony version of its app.

Note: Well done to all involved in this operation. In particular I think it is very worth noting that this operation was successful without requiring any backdoors into encryption. This demonstrates that we can have strong encryption and that law enforcement with the right resources and tools do not need to undermine that security to attain their goals.

Read more in:

OVHcloud Data Center Fire in France

A fire at OVH data centers in Strasbourg, France, has affected the availability of major websites, including eeNews Europe, VeraCrypt, and Rust. Some threat actor groups have also been affected. The fire broke out in one of the site’s four data centers; the entire site has been isolated. OVHcloud is the largest cloud services provider in Europe.

Note:

  • OVH has a rich history of inaction against malicious sites. Some researchers noted how the data center fire removed about 30% of the infrastructure used by various APT groups. This history of inaction against malicious content may also be an indicator for an underlying issue with how the data centers are run in general.
  • Just because you moved to the cloud does not mean your BCP issues have magically gone away. Always revise your BCPs and test them using different scenarios, your cloud provider going offline being one of those scenarios.

Read more in:

Schneider Releases Updates to Address Flaws in Certain Smart Meters

Schneider Electric has released updates for two vulnerabilities that affect its PowerLogic ION/PM smart meter product line. The flaws, which were detected by researchers at Claroty, are pre-authentication integer-overflow vulnerabilities; both could be exploited to reboot a vulnerable meter, effectively creating a denial-of-service condition. One of the vulnerabilities could also be exploited to allow remote code execution.

Note: These are unauthenticated vulnerabilities, which have been widely published on the Internet. Beyond applying the update, make sure that your meters are properly isolated and that only authorized devices can reach them. The Schneider Electric bulletin includes general security recommendations. Also use NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security” to validate the security measures taken and identify gaps to resolve: nvlpubs.nist.gov (PDF)

Read more in:

Microsoft’s MSERT Tool Can Now Detect Exchange Server Indicators of Compromise

Microsoft has updated its MSERT security scanning tool so that it can detect web shell scripts used in the recent Exchange Server attacks.

Note:

  • Windows Defender has also been updated to detect the web shells. The Microsoft Safety Scanner, also called MSERT, can be used to detect and will automatically remove the implanted web shells unless you start it with the /N argument. Note MSERT is not a real-time defense tool and only performs spot checks. Select the full scan option, which can take a while. Microsoft also released a PowerShell script “Test-ProxyLogon.ps1” to search for IOCs in Exchange and OWA log files, see GitHub CSS-Exchange link below.
  • Given the nature of these vulnerabilities and the widespread exploitation of them, if your company has not yet applied the patches then assume you have been breached and respond accordingly. Applying the patches will fix the vulnerability but will not address any compromise or additional backdoors attackers may have planted before the patches were applied.

Read more in:

30,000+ Exchange Servers Breached

At least 30,000 organizations in the US have been breached through vulnerabilities in Microsoft Exchange Server. Microsoft released emergency updates to address the flaws on Tuesday, March 2. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive instructing federal civilian departments and agencies to apply the patches or disconnect their vulnerable systems from the Internet.

Read more in:

Alternative Mitigations for Exchange Server Vulnerabilities

Microsoft has released a set of suggested mitigations for organizations that are unable to apply the March 2 emergency Exchange Server updates. Microsoft cautions that “these mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.”

Note: Examine the mitigations carefully before deciding to implement. They include disabling services you may be using. Even if you decide to implement them, you still need to apply the security patches for a complete fix as well as check your services for IOCs to make sure you’re not already compromised.

Read more in:

Exchange Server Attacks Timeline

Brian Krebs enumerates events from DEVCORE’s January 5, 2021 disclosure of the Exchange Server vulnerabilities to Microsoft through current efforts “to notify victims, coordinate remediation, and remain vigilant for ‘Stage 2’ of this attack.” The ZDNet article answers questions such as “What Happened?”; “What are the vulnerabilities and why are they important?”; and “What do I do now?”

Note: The Brian Krebs article includes an excellent timeline that helps explain how these bugs went from a “bug disclosure with updates on Patch Tuesday” scenario to an “act immediately” situation. Make sure that you examine the mitigation and remediation options from Microsoft, do not leave your Exchange services unchecked, act on the assumption that many threat actors are looking for an opportunistic exploit. Don’t be exploit 60,001.

Read more in:

Exchange Server Attack Victims

Organizations affected by Exchange Server attacks include US defense contractors, international aid organizations, think tanks, and the European Banking Authority, which took its email systems offline following an attack. Czech investigators are trying to determine whether email system attacks affecting the city of Prague and the Czech Labor Ministry are related to the Exchange Server vulnerabilities.

Read more in:

SITA Breach Compromised Airline Passenger Data

Aviation IT services provider SITA has confirmed that its systems were hit with a cyberattack that compromised passenger data stored on its SITA Passenger Service System servers. The incident occurred on February 24, 2021. Affected airlines have begun notifying passengers. SITA (Société Internationale de Télécommunications Aéronautiques) is based in Geneva, Switzerland.

Note:

  • This is a third-party compromise. Affiliated airlines (e.g., Star Alliance) share data. One of the airlines is also a SITA customer, with associated data sharing, which allowed access to not only their customers’ data but also passenger data for other member airlines. When sharing data, make sure only the minimum necessary to operate is shared, that protection requirements are clearly stated, then monitor for misuse. In this case the data is limited to member name, status and membership number; airlines are watching for misuse of that information.
  • Frequent flyers should take this occasion to review the often extensive personal information that airlines and travel agencies hold on them and change their passwords. Few airlines or travel agencies offer strong authentication.

Read more in:

Scottish University and Nottinghamshire Schools Victims of Separate Cyberattacks

Scotland’s University of the Highlands and Islands (UHI) is dealing with “an ongoing cyber incident” that has forced it to shut down many of its 13 campuses. Fifteen schools in the Nova Education Trust have been affected by a cybersecurity incident that prevented them from providing much remote learning.

Read more in:

More Accellion Breach Victims

The scope of the breaches exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA) continues to grow. Michigan-based Flagstar Bank recently disclosed that some of its data were accessed. Accellion released fixes for the vulnerabilities in December 2020 and January 2021. Accellion plans to end support for FTA on April 30, 2021; the company has been encouraging customers to migrate to its new Kiteworks platform.

Note:

  • This NewsBites item illustrates both the complexity and time varying nature of supply chain risk. If company X used Bank Y that had a file transfer capability that was provided by service Z that used the Accellion File Transfer appliance, December 2020 (when Accellion acknowledged it was the cause of the first reported breach) should have been an immediate severe risk flag – if Company X even knew Bank Y used Service Z that used Accellion’s vulnerable product. But the risk actually started increasing in 2018 when Accellion started telling customers it would be ending support for the product in April 2021 and ending support for the appliance OS in November 2020 – all reasons for Service Z to move away from the product and for customers of Service Z to move away from Service Z if it did not – if this level of supply chain risk monitoring was being done, which some are actually doing today.
  • If you have the Accellion FTA appliance, you are hopefully finishing (or have finished) your migration to an alternative solution. If you are a customer of a company still using the FTA appliance, evaluate the risk of data exposed using that platform, versus selecting a new supplier using supported/secure services. Make sure your vendor/supply chain monitoring includes watching for and responding to these sorts of risk.

Read more in:

Critical Vulnerability in The Plus Addons for Elementor WordPress Plugin

A critical flaw in The Plus Addons for Elementor plugin for WordPress can be exploited to take control of vulnerable websites. The privilege elevation vulnerability appears to affect only the premium version of the plugin; the free version, The Plus Addons for Elementor Lite, is not affected. Users of the premium version of the plugin are urged to deactivate and remove it until a fix is available.

Note: Treat this as a zero day. The coding error, when exploited, allows the creation of new admin users and login as existing ones. A firewall rule was distributed to the paid Wordfence users on March 8th; free versions will not get that rule until April 7th. If you’re using the paid version of Elementor, and you need The Plus Addons, an alternative to removing the plugins may be to switch to the free “Elementor Lite.”

Read more in: Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

Unpatched QNAP NAS Devices are Being Targeted with Cryptomining Malware

Threat actors are targeting unpatched QNAP network-attached storage (NAS) devices to install cryptomining malware. QNAP released fixes for the firmware flaws – an improper access control vulnerability and a command injection vulnerability – in October 2020. The researchers who found the issue “noticed the attacker customized the program by hiding the mining process and the real CPU memory resource usage information, so when the QNAP users check the system usage via the WEB management interface, they cannot see the abnormal system behavior.” The issue affects all QNAP NAS devices with firmware that predates the October 2020 update.

Note:

  • QNAP NAS devices have been a target since September 2019. Limiting access to them and keeping the firmware and apps updated needs to be SOP. If you own a QNAP NAS device, change the passwords for all accounts, remove unknown user accounts, make sure both the firmware and applications are updated, remove unused/unknown applications, limit access to the device to authorized hosts only via ACL or firewall rules, and install the QNAP MalwareRemover app.
  • NAS devices should not be attached to the public networks. They should be physically isolated, not merely firewalled.

Read more in:

Charges in Georgia Hacking Cases

A US federal grand jury has indicted Robert Purbeck for allegedly breaking into computer networks of medical clinics and a city in the US state of Georgia. Purbeck is facing charges of computer fraud and abuse, access device fraud and wire fraud.

Note: These attacks were possible because working credentials were obtained for the targeted servers. MFA should be SOP when protecting access to sensitive data, such as medical records. Also make sure systems are accessible only from known clients, and that patient/customer facing systems can only be used to access the minimum amount of data, and are monitored for misuse. Make sure these systems also implement MFA.

Read more in: Idaho Man Charged With Hacking Into Computers in Georgia

FBI Investigating Healthcare Ransomware Attacks

The FBI is investigating at least two healthcare-related ransomware attacks: one affecting Allergy Partners, which has locations across the US, and the second affecting the Rehoboth McKinley Christian Health Care in Gallup, New Mexico. Rehoboth’s network was hit with ransomware in February. The facility serves the Navajo Nation.

Read more in: