iOS Now Lets Users Opt Out of Ad Tracking
Apple’s newest update for iOS, version 14.5, includes a new feature called App Tracking Transparency, which lets users choose whether or not to allow apps to track their activity across apps and websites owned by other companies. App Tracking Transparency gives users granular control, allowing them to make the decision for each app individually.
- The important issue is that consumers increasingly have the choice (as they should) to decide how much of their personal info gets exposed, and they are increasingly choosing to reduce the exposure. That has been good news for app dev groups and DevOps methodologies that actually do focus on the users’ wants and needs – software architects and DevOps leads listing “privacy” as one of their core business requirements is a good thing.
- Initially Apple introduced IDFA where you could disable the unique identifier for your device. With 14.5, applications will prompt for permission to track, with an optional message explaining why they want to track; and you can click “Ask App not to Track.” Note that the prompt will not show up where developers are tracking you across their own services, e.g., Facebook tracking you from their main platform to Messenger and Instagram.
Read more in:
- iOS 14.5 delivers Unlock iPhone with Apple Watch, more diverse Siri voice options, and new privacy controls
- The New iOS Update Lets You Stop Ads From Tracking You—So Do It
- Facebook now has to ask permission to track your iPhone. Here’s how to stop it.
Codecov: HashiCorp Key Compromised
HashiCorp says that its GPG code-signing and verification key was compromised as a result of the Codecov supply chain attack. The key has been rotated. Codecov learned earlier this month that threat actors accessed and modified Bash Uploader scripts to exfiltrate sensitive information.
- For encryption and digital signatures to be more than placebos, essential security hygiene is needed to enforce strong access controls around the private keys. When code signing is used, processes/playbooks for how to perform revocation need to be established and periodically tested.
- Supply chain attacks are so dangerous because they not only affect end-users (“consumers”) but also suppliers. This can lead to a snowball effect with one compromise of a key supplier leading to the compromise of additional suppliers with vastly different customers.
- Private keys must not be stored online when not in use. That is what thumb drives are for.
Read more in:
- HCSEC-2021-12 – Codecov Security Event and HashiCorp GPG Key Exposure
- HashiCorp reveals exposure of private code-signing key after Codecov compromise
- HashiCorp is the latest victim of Codecov supply-chain attack
Passwordstate Password Manager Suffers Supply Chain Attack
Customers of the Passwordstate password manager are being directed to reset their passwords following a supply chain attack that affected the Passwordstate update mechanism. The issue affects customers who implemented In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC. Manual upgrades were not affected.
- The impact of the compromised code is increased as this is an enterprise password manager, as opposed to one for individual users. Providing an enterprise password manager is an excellent way to help users establish good passwords and minimize reuse. And as it is now a central repository of key sensitive information, due diligence is essential, not only for making sure updates are genuine, but also that security controls are fully implemented. Click Studios, the makers of Passwordstate, are posting advisories and updates (clickstudios.com.au: Incident Management Advisory) which include checksums of the bad DLL, suggested actions, a description of the exfiltrated data, and status. Australian customers may also reach out to the Australian Cyber Security Centre (ACSC) for assistance at [email protected] or 1300 CYBER1.
- Password managers are one of those “if you put all your eggs in one basket, you better really, really watch that basket” areas. This appears to have a narrow compromise window but the severity means that all PCs using the compromised Passwordstate software should be considered compromised until examined.
- Another case of a supplier distributing malicious code, distributing code that it did not write, leaving others with a huge mess to clean up. Unlike SolarWinds, this code was not distributed to enterprises but to end-users, at least some of whom are enterprise users. We cannot put all the risk of supply chain compromises on the end users. We must hold suppliers accountable for distributing malicious code. Distributing only code that one originates is a much easier problem than never distributing code with errors or vulnerabilities.
Read more in:
- Backdoored password manager stole data from as many as 29K enterprises
- Breach at Click Studios-owned password manager left clients exposed for more than 24 hours
- Passwordstate Password Manager Update Hijacked to Install Backdoor on Thousands of PCs
Update Delivered by Law Enforcement in January is Now Deleting Emotet
Over the weekend, law enforcement officials activated code that erases Emotet malware from infected computers. In late January 2021, law enforcement agencies from several countries took control of Emotet’s command and control infrastructure. Shortly thereafter, Germany’s federal police agency, Bundeskriminalamt, began pushing out the update designed to remove Emotet.
- The uninstaller was delivered by the captured Emotet C2 servers in late January with a self-destruct date of April 25th. The package addresses the two ways Emotet achieves persistence: either as a system service or a Run key. The Malwarebytes blog explains the behavior of the package and actions it takes. Per the US DOJ, the update was provided by foreign law enforcement using overseas C2 servers, not FBI agents. The delay between distribution and removal was to give time for responders to complete forensic analysis and cleanup of any other related malware.
- The Emotet takedown appears to be one of the more successful takedowns in recent memory. A lot has been written about law enforcement pushing an update to remove the malware (similar also to recent law enforcement action against unpatched Exchange servers). I believe we should and hopefully will see more of the same in the future. Waiting for users to patch and fix their systems hasn’t been working and these systems become ticking timebombs waiting for additional infections, or being used to revive taken down botnets.
Read more in:
- Cleaning up after Emotet: the law enforcement file
- Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs
- Following similar move in US, Europol prepares coup de gras for Emotet’s remains
- This software update is deleting botnet malware from infected PCs around the world
- Emotet malware nukes itself today from all infected computers worldwide
- Law enforcement delivers final blow to Emotet
- Emotet Malware Automatically Uninstalled
Radixx Says Malware Responsible for Reservation Systems’ Outage
Radixx has acknowledged that a security incident caused an outage of its Radixx Res reservation application. The outage affected reservations systems for approximately 20 low-cost airlines. Radixx says it “is taking steps to stand up a new Radixx application server environment.”
Read more in:
- Radixx Announces Security Incident Impacting Radixx Res
- Outages blamed on malware still plaguing budget airlines
FAA Tells Private Jet Operators to Update Garmin Aviation GPS Now
The US Federal Aviation Administration (FAA) has published an Airworthiness Directive (AD) instructing private jet operators to install software updates for Garmin GTS 8000 series collision avoidance units. The devices have generated seven false Traffic Collision Avoidance System warnings, which could ultimately increase the likelihood of a collision. The AD is effective May 17, 2021.
Note: Our industry has a lot to learn from the FAA about how to distribute intelligence in a timely manner to those who can best, or must, act on it.
Read more in:
- Airworthiness Directives; Garmin International GMN-00962 GTS Processor Units (PDF)
- US aviation regulator warns of mid-air collision risk if Garmin TCAS boxes are not updated
- Airborne Collision Avoidance System (ACAS)
Follow-up: Univ. of Minnesota Researchers Apologize for “Hypocrite Commits”
Researchers from the University of Minnesota (UMN) have offered a written apology for submitting what they call “hypocrite commits” to the Linux kernel project. Last week, a Linux kernel project maintainer banned UMN from contributing to the project, reverted patches submitted by anyone with a umn.edu email address, and placed a “default reject” on any future patches submitted through umn.edu addresses. The maintainer said that they will not discuss the matter further until after the researchers and the university take action to satisfy the Linux community’s required actions.
Note: This is not how you partner with someone to improve processes. This is analogous to an unauthorized penetration test, causing more harm than the improvements envisioned at inception. It is commendable that the UMN both apologized and stopped the research efforts leading to the commits; more work is still needed to repair the damage. While the apology identifies that they didn’t achieve permission, current actions still don’t reflect they are following the processes for legitimate patch submission. This is now about regaining trust rather than fixing technical issues.
Read more in:
- An open letter to the Linux community
- University of Minnesota security researchers apologize for deliberately buggy Linux patches
- Linux kernel team rejects University of Minnesota researchers’ apology
- The Linux Foundation’s demands to the University of Minnesota for its bad Linux patches security project
FBI/DHS/CISA Joint Warning About Russian State-Sponsored Hackers
The Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert describing activity conducted by Russian state-sponsored cyberthreat actors. The alert describes the group’s tactics, techniques, and procedures, which include password spraying and leveraging zero-day vulnerabilities. The alert recommends that organizations adopt security controls, including implementing multi-factor authentication (MFA) and “prohibit[ing] remote access to administrative functions and resources from IP addresses and systems not owned by the organization.”
Note: Even if you don’t think you are a target, review the US-CERT CISA Alert recommendations you can leverage across your organization: implementing MFA, making sure that newly provisioned systems are configured to an appropriate security baseline, and actively monitoring services for abuse. Additionally, make sure that your user verification processes are still robust. Make sure that adjustments made for a fully remote workforce didn’t introduce gaps an attacker can leverage to get legitimate credentials.
Read more in:
- Alert (AA21-116A) | Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders
- US Urges Organizations to Implement MFA, Other Controls to Defend Against Russian Attacks
- Before SolarWinds, US officials say SVR began stealthily targeting cloud services in 2018
- US warns of Russian state hackers still targeting US, foreign orgs
Apple Patches “Worst macOS Bug in Recent Memory”
Apple has released a fix for a vulnerability in macOS that let hackers bypass Apple security features including Gatekeeper, File Quarantine, and app notarization requirements. The flaw has been exploited in the wild. Researcher Patrick Wardle has referred to the vulnerability as “the worst macOS bug in recent memory.” Users are urged to update to macOS (Big Sur) 11.3.
- Labeling this vulnerability the “worst in recent memory” may be overhyping it a bit, but while exploitation still requires a user to willingly install malware, the vulnerability evades all controls Apple put in place in recent years to prevent just that from happening. Upgrade quickly.
- At its core, the Apple protections assumed applications would have a file “info.plist.” An application which is actually a script and doesn’t contain that file would bypass the security check, including the mandatory notarization check, and be executed. In addition to the macOS update, XProtect has also been updated to detect and warn about attempts to exploit the flaw, which means that detection will also be available for older macOS users. While the XProtect update is installed automatically, the macOS update is not. Apple released updates to Big Sur, Mojave, and Catalina this week to address multiple vulnerabilities; you’ll want to get those all queued up for installation.
- The telling quote is in the Wired story: “The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes.” This type of flaw is pretty much at the level of buffer overflows.
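The mechanism described in the second note above suggests a simple hunt on Macs that have not yet taken the update: list application bundles that have no Contents/Info.plist and report whether the executable inside them is a script (its first bytes are `#!`) rather than a compiled binary. The block below is an added example, not Apple’s code or Patrick Wardle’s, and it is a heuristic: a bundle with no Info.plist is something to inspect, not proof of compromise. The roots to scan (`/Applications`, `~/Downloads`) are suggestions.

```shell
#!/bin/sh
# Added example (not from the original page): hunt for .app bundles that lack
# Contents/Info.plist, the structural gap the macOS bug exploited. Heuristic only.
set -eu

# scan_bundles ROOT
# Prints one tab-separated line per .app bundle under ROOT that has no
# Contents/Info.plist:  <bundle path> <executable path> <script|binary|missing>
# "script" means the executable begins with "#!" (a shell/python/etc. script),
# which is the shape of the in-the-wild malware; "missing" means no Contents/MacOS.
scan_bundles() {
    find "$1" -type d -name '*.app' | while IFS= read -r app; do
        # Bundles with an Info.plist went through the normal checks; skip them.
        [ -f "$app/Contents/Info.plist" ] && continue
        if [ -d "$app/Contents/MacOS" ]; then
            for exe in "$app/Contents/MacOS"/*; do
                [ -f "$exe" ] || continue
                if [ "$(head -c 2 "$exe")" = '#!' ]; then
                    kind=script
                else
                    kind=binary
                fi
                printf '%s\t%s\t%s\n' "$app" "$exe" "$kind"
            done
        else
            printf '%s\t%s\t%s\n' "$app" "-" "missing"
        fi
    done
}

# Typical use (roots are suggestions; add wherever users drop downloaded apps):
#   scan_bundles /Applications
#   scan_bundles "$HOME/Downloads"
```

Review every line the scan prints: a legitimate bundle with no Info.plist is rare, and a "script" hit is exactly the pattern the vulnerability let through Gatekeeper and notarization. Apply the macOS update regardless; this scan only helps you find what may already have landed.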
Read more in:
- All Your Macs Are Belong To Us
- Researchers Say ‘Massive’ MacOS Bug Was Exploited by Hackers
- Apple patches ‘worst macOS bug in recent memory’ after it was used in the wild
- Hackers Used ‘Mind-Blowing’ Bug to Sneak Past macOS Safeguards
- About the security content of macOS Big Sur 11.3
More Than One-Fifth of PC Users are Running Windows 7
Kaspersky says that based on analysis of anonymized OS metadata, 22 percent of PC users are running end-of-life Windows 7. Microsoft discontinued support for Windows 7 in January 2020. Kaspersky says that 72 percent of PC users are running Windows 10.
Note: Ignoring special purpose systems which have to run Windows 7, such as an instrument controller or oscilloscope, general purpose systems need to move to a supported OS. The common argument is that the old system is fully functional, typically followed by not wanting to learn a new OS. Because there are no fixes or support for these systems, they need to be isolated as they are no longer sufficiently secure for Internet access. This is further complicated by cloud migrations which require these systems to have Internet access. The good news is that new versions of applications are unlikely to operate on Windows 7 systems, either because the OS isn’t supported or the hardware is not sufficient for their needs, which can be used to drive the conversation.
Read more in:
- Kaspersky finds 22% of PC users still running end-of-life Windows 7 OS
- 22% of all users still run Microsoft end-of-life Windows 7
UK’s Secure By Design Plan Now Includes Smartphones
The UK’s Department for Culture, Media and Sport (DCMS) has added smartphones to its Secure by Design plan. Makers of Internet of Things devices, including smartphones, tablets, and other gadgets, will be required to disclose, at the time a device is introduced to market, when they plan to stop providing security support for it. Makers of smart devices will also be prohibited from shipping default admin passwords on those devices. They will also have to offer a single point of contact for reporting vulnerabilities and obtaining updates. DCMS is pushing for Secure by Design to become law.
- The intent is to drive a consistent security standard across Europe. The disclosure of product support duration is supposed to happen at the point of sale, and is now expanded to include smartphones. The challenge is for consumers and small businesses, who may be unaccustomed to thinking about support end dates, to add this to their lifecycle planning, including sufficient lead time to plan and test replacements.
- These are sensible requirements that shouldn’t be too hard to comply with. In particular, the idea of publishing an “end of support” date is important. Some software and hardware manufacturers already do so, but usually only for more professional devices. It may also lead to longer support time frames if customers are able to verify the expected time the device will be supported.
- We expect Microsoft to publicly state how long versions of Windows will be supported; the same should be true of everything else with software that can be updated. The software industry has long evaded any possibility of being required to provide warranty for software; regulations like this are needed.
- No other infrastructure, from food to finance, has gone three generations without government safety regulation. It is ironic that cyber is the only exception, since it is now used to operate all the others. One necessary measure will be to hold suppliers accountable for the quality of their output.
Read more in:
- Government response to the call for views on consumer connected product cyber security legislation
- Secure by Design
- Easy-to-guess default device passwords are a step closer to being banned
- UK.gov wants mobile makers to declare death dates for their new devices from launch
Pulse Connect Secure VPN Vulnerabilities
Mandiant investigated multiple intrusions at government, defense, and financial organizations around the world. “In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.” The Pulse Connect Secure VPN appliances were compromised via authentication bypass. Mandiant is tracking a dozen malware families involved in exploiting vulnerabilities in Pulse Connect Secure VPN devices. In all, four security issues are involved; three were patched in 2019 and 2020, and the fourth is a newly disclosed zero-day. Pulse Secure has released a tool to help organizations determine whether their installations have been impacted, and will provide customers who have been impacted with advanced mitigations.
- The exploit bypasses 2FA authentication, not just reusable credentials. If you’re running a Pulse Connect Secure VPN, run the Pulse Security Integrity Checking Tool (https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s) to verify the integrity of your installation – note the tool will reboot your VPN appliance. Make sure that you’re on a supported version of their software; updates will not be provided for End of Engineering (EOE) or End of Life (EOL) versions. Make sure that you’re actively updating and monitoring the software and security configuration of your VPN, to include running integrity checks on a regular basis.
- Pulse VPN appliances keep on giving to the bad guys, and I still do not see an estimated delivery date for patches. With active exploitation under way, please follow the mitigating steps noted in the advisory and hope for the best.
Read more in:
- Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
- Pulse Connect Secure Security Update
- Hackers are targeting flaws in these VPN devices now. Here’s what you need to do
Linux Kernel Project Maintainer Bans Univ. of Minnesota Over Malicious Commits
A Linux kernel project maintainer has banned the University of Minnesota (UMN) from contributing to the project after UMN researchers deliberately submitted malicious code commits. The Linux kernel project maintainer has also said they will revert any code commits that came from a UMN email address. “Commits from @umn.edu addresses have been found to be submitted in ‘bad faith’ to try to test the kernel community’s ability to review ‘known malicious’ changes. Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed again to determine if they actually are a valid fix.” The commits in question are the subject of a research paper scheduled to be presented at the IEEE Symposium on Security and Privacy in May.
- The open source community is largely built on trust, not on reviewing each other’s code carefully for security vulnerabilities. So it is reasonable to expect a strong reaction from Linux kernel maintainers if researchers use the kernel development process in security experiments. However, the exact facts are not quite clear in this case. The researchers state that they only suggested patches on mailing lists, and spoke up before these patches were included in any actual code repositories. The Linux kernel maintainers point to a large list of commits that they reverted. But many of these commits are not related to the research, and some actually patched unrelated security flaws, which may now end up being “unpatched” again. The real problem here may rest with the university’s Institutional Review Board approving the research. I find that the fallout clearly shows that this research involved people, and people’s reactions to the experiment are what we are seeing now.
- Perhaps in no other community is it so difficult to distinguish the good guys from the bad, the rogues from the merely mischievous, those who are part of the problem from those who are part of the solution.
Read more in:
- University Suspends Project After Researchers Submitted Vulnerable Linux Patches
- Linux bans University of Minnesota for committing malicious code
- On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits (PDF)
Laptop Manufacturer Quanta Suffers Ransomware Attack
Quanta Computer, which manufactures laptops for multiple companies, including Apple, has acknowledged that it was the victim of a ransomware attack. The ransomware operators have begun posting files they claim to have taken during the attack; the files include schematics, dated March 2021, that are allegedly for a MacBook design.
Note: Quanta refused to pay REvil’s ransom, and now the operators are asking Apple to pay by May 1st. The ransom is currently set to $50 million and goes to $100 million after April 27th. While Apple is not expected to pay, expect that Quanta’s customers (including Apple, HP, Alienware, Dell, Lenovo, Cisco and Microsoft) will be demanding a full accounting of the breach as well as a review of mitigations taken to prevent recurrence to retain their business. Having clear documentation of where data resides and third-party liability agreements are key in this situation. A determination has to be made as to exactly what was exfiltrated and the value determined to drive next steps. You’ll want your legal team at the table.
Read more in:
- Apple Targeted in $50 Million Ransomware Hack of Supplier Quanta
- Apple supplier Quanta Computer confirms it’s fallen victim to ransomware attack
- REvil gang tries to extort Apple, threatens to sell stolen blueprints
SonicWall Issues Fixes for Email Security Tool Vulnerabilities
SonicWall has released updates to address three vulnerabilities affecting its Email Security (ES) product. The flaws could lead to unauthorized administrative account creation, post-authentication arbitrary file upload, and post-authentication file read. They have been exploited together to gain administrative access and execute code on vulnerable devices. The issues affect both the hosted and on-premises versions of ES.
Note: This vulnerability only affects the SonicWall email appliance, not the firewall. SonicWall published some rules for its firewall products to mitigate these vulnerabilities.
Read more in:
- Security Notice: SonicWall Email Security Zero-Day Vulnerabilities
- Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise
- Someone is using SonicWall’s email security tool to hack customers
- Zero-day vulnerabilities in SonicWall email security are being actively exploited
- Zero-Day Flaws in SonicWall Email Security Tool Under Attack
- SonicWall Patches 3 Zero-Day Flaws
US Power Grid Cybersecurity Plan
The White House has released its 100-day power grid cyber security plan. One of the plan’s central strategies is developing a stronger relationship between national security agencies and the electric utility systems, which are largely private. The plan will be managed by the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Energy.
Note: The effort includes a new Request for Information (RFI) to get input from electric utilities, electric companies, academia, research laboratories, etc. to build recommendations for future security including preventing exploitation and attacks by foreign threats. The RFI is due by June 7th and is located on the Federal Register (www.federalregister.gov/documents/2021/04/22/2021-08482/notice-of-request-for-information-rfi-on-ensuring-the-continued-security-of-the-united-states). Responses can be made via email or in writing via US-mail, and will be posted on DOE’s Securing Critical Electric Infrastructure web page (www.energy.gov/oe/securing-critical-electric-infrastructure).
Read more in:
- Biden Administration Takes Bold Action to Protect Electricity Operations from Increasing Cyber Threats
- With details sparse, vendors scramble to make sense of Biden 100-day grid security plan
- White House launches cybersecurity push targeting electricity sector
- U.S. Unveils Plan to Protect Power Grid From Foreign Hackers
US Government Agencies Affected by Pulse Secure Connect VPN Vulnerabilities
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that networks at several federal agencies were affected by threat actors exploiting vulnerabilities in Pulse Connect Secure devices. Mandiant suspects that one of the groups exploiting the vulnerabilities has ties to China.
Note: Mandiant reports they are tracking twelve malware families and multiple hacking groups tied to exploiting the flaws. Beyond wondering if you are target or not, make sure that you’ve applied the updates and are on supported software versions.
Read more in:
- Chinese hackers compromise dozens of government agencies, defense contractors
- CISA confirms U.S. agencies affected by Pulse Connect VPN vulnerabilities
- At least 24 agencies run Pulse Secure software. How many were hacked is an open question.
- Nation-State Actor Linked to Pulse Secure Attacks
- Alert (AA21-110A) | Exploitation of Pulse Connect Secure Vulnerabilities
- Analysis Report (AR21-112A) | CISA Identifies SUPERNOVA Malware During Incident Response
- Hackers are exploiting a Pulse Secure 0-day to breach orgs around the world
CISA Issues Emergency Directive Regarding Pulse Connect Secure
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive instructing federal agencies to mitigate vulnerabilities in Pulse Connect Secure devices by 5:00pm EDT on Friday, April 23. Agencies are required to run the Pulse Connect Secure Integrity Tool every 24 hours.
- If after running the Integrity Tool hash mismatches or newly deleted files are discovered, your device has to be immediately isolated (while powered on) and forensically analyzed. They can be returned to service once they have a clean bill of health to include the steps in Appendix A of ED 21-03. In addition to running the tool, it is expected that agencies will apply updates within 48 hours of their release.
- Government agencies are historically slow to patch and became even slower when they had to support large numbers of work from home employees as the pandemic hit. The level of compromise of the old PulseSecure flaws and the emergence of the latest vulnerability justify an edict for emergency action.
Read more in:
- Mitigate Pulse Connect Secure Product Vulnerabilities
- KB44755 – Pulse Connect Secure (PCS) Integrity Assurance
- CISA issues third emergency directive since SolarWinds
- CISA Orders Agencies to Mitigate Pulse Secure VPN Risks
- CISA orders federal orgs to mitigate Pulse Secure VPN bug by Friday
Dept. of Justice Forms Ransomware Task Force
The US Department of Justice (DoJ) has convened The Ransomware and Digital Extortion Task Force. The task force will include officials from the DoJ’s National Security Division, Criminal Division, Civil Division, Executive Office of U.S. Attorneys, and the FBI and will be overseen by Acting Deputy Attorney General John Carlin. (Please note that the WSJ story is behind a paywall.)
Read more in:
- Ransomware Targeted by New Justice Department Task Force (paywall)
- Justice Department convenes task force to tackle wave of ransomware attacks
- New US Justice Department team aims to disrupt ransomware operations
Codecov Attackers Accessed Hundreds of Customer Networks
Investigators say that the threat actors who altered Codecov’s Bash Uploader script harvested customers’ credentials and used them to gain access to hundreds of Codecov customers’ networks. The initial Bash Uploader breach went undetected for several months.
Note: Use strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), by default. Fraudulently reusable credentials constitute a major weakness in our infrastructure. Use strong authentication to protect the infrastructure even if you think that your application and environment do not require it. The ubiquitous mobile and biometrics make it both cheap and convenient. No excuses.
Read more in:
- Codecov hackers breached hundreds of restricted customer sites – sources
- Codecov breach impacted ‘hundreds’ of customer networks: report
- Hundreds of networks reportedly hacked in Codecov supply-chain attack
MasterCard Acquires Ekata
MasterCard has acquired identity verification company Ekata. According to a press release, “Ekata’s identity verification data, machine learning technology and global experience combined with Mastercard’s fraud prevention and digital identity programs will help businesses confidently know who their customers are and, in turn, help those customers safely interact online.”
- The credit card companies have been buying up vendors in the fraud detection and identity proofing markets, which together represent $30B in annual revenue – which is about equal to what the estimates are for online fraud costs to financial institutions. However, false declines – transactions denied because of false positives in fraud detection – cost the financial industry 5x as much per year as fraud. Just like in phishing attacks, all this spending and cost is due to the use of easily compromised reusable passwords. The European Banking Authority is mandating Strong Customer Authentication under Payments Services Directive 2, which has been rolling out in 2021 and has the potential to shift fraud liability from merchants to the card issuers, another factor driving card brand/issuer spending in this area.
- The card brands really do need to get their house in order. All the new detection technology cannot compensate for the fundamental vulnerability, Primary Account Numbers in the clear, that they have no plan to fix.
Read more in:
- Mastercard to Acquire Ekata to Advance Digital Identity Efforts
- Mastercard buys digital identity firm Ekata for $850 million
- Mastercard is acquiring identity verification company Ekata for $850M
Wordfence: Remove Kaswara Modern WPBakery Page Builder Addons WordPress Plugin
Note: This is an actively exploited vulnerability with no available update. Because the plugin is not maintained, no update is expected, necessitating prompt retirement and uninstallation of this plugin. While paid Wordfence users have firewall rules as of April 21st, free users will not have those until May 21st.
Update Contact Form 7 WordPress Plugin to Fix Severe Flaws
WordPress users are urged to update the Redirection for Contact Form 7 plugin to address three severe vulnerabilities. The flaws could be exploited to generate arbitrary nonces, install arbitrary plugins and inject PHP Objects, and delete arbitrary posts. The most current version of the Redirection for Contact Form 7 plugin is 2.3.5.
- The good news is the plugin maintainers released an update within 24 hours of confirming reports of the flaw, indicating the team is actively engaged and committed to maintaining the security of the plugin. Verify you’ve updated the plugin, and even if updated, uninstall it if you are not actively using it. Wordfence released firewall rules February 11th and March 13th for the paid and free versions.
- Hardly a week goes by that vulnerabilities in WordPress plugins are not identified. Plug-ins should be used only by design and intent, never by default, and they must be managed.
QNAP Fixes Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync
QNAP has released updates to address a critical vulnerability affecting its HBS 3 Hybrid Backup Sync. The flaw can be exploited to access QNAP network attached storage (NAS) devices using hardcoded credentials. Users are urged to upgrade to the latest version of HBS.
- Please use my comment from prior issues of NewsBites: “DO NOT EXPOSE YOUR NETWORK STORAGE DEVICES TO THE INTERNET. EVER.” I will stop typing now and patch my QNAP device. (But I likely uninstalled this utility during setup.)
- Hard-coded credentials solve short-term problems, but leave you open to exploit when discovered. Make sure not only that you are updating the software on your NAS devices, but also that they are only accessible from authorized devices, including limiting remote management to local devices only. Review them for unexpected accounts and applications, removing these when discovered.
- “Hard-coded credentials” is the kind of bad practice that the UK effort is intended to identify and discourage.
Read more in:
- Resolved: Improper Authorization Vulnerability in HBS 3 Hybrid Backup Sync
- QNAP removes backdoor account in NAS backup, disaster recovery app
Codecov Bash Uploader Was Compromised for Three Months
Earlier this month, Codecov discovered that a threat actor modified their Bash Uploader script. The threat actor was able to obtain unauthorized access due to “an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify” the script. Codecov’s investigation found that the Bash Uploader script had been altered several times starting on January 31, 2021. The changes allowed the threat actor “to potentially export information stored in our users’ continuous integration (CI) environments.”
- If you had any keys, credentials or tokens in your CI environment, and you’re using the Codecov CI runner which includes their Bash Uploader, you need to consider them compromised and you need to start revoking/updating or creating new ones. Also make sure that digital signatures are verified when doing updates. Even if you’re running an internal deployment, make sure you’re running the known-good versions of the software.
- Yet another software supply chain compromise. Just like similar compromises, we may see additional fallout from this as the attackers behind this were able to harvest some credentials used in CI/CD pipelines. If you are using Codecov, and were affected, make sure you update your credentials (and also look into methods to automatically rotate them from time to time).
- Two important aspects to this item: (1) Attackers are increasingly focusing on the tools used by developers, which are often built without emphasizing security and often go untested even when they are used in a software development lifecycle that includes security testing of the end software product; (2) The Register piece quotes a survey of developers by the Open Source Software Security Foundation (the 2020 consolidation of the Open Source Security Coalition and the Core Infrastructure Initiative) that says developers of free and open source software spend less than 3% of their time on security and feel even that is too much. While the DevOps movement has shown promising trends in making security and privacy “guard rails” be considered intrinsic requirements, it has not resulted in developers magically becoming security experts or champions.
Read more in:
- Bash Uploader Security Update
- Backdoored developer tool that stole credentials escaped notice for 3 months
- Will the CodeCov breach become the next big software supply chain hack?
- Codecov dev tool hit in another supply chain hack
- Attack on Codecov Affects Customers
- Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months
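As an added illustration for the Codecov item above (example code written for this page, not Codecov's uploader or any project's own code): a CI step that pins a third-party helper script to a SHA-256 digest committed with the repository and refuses to execute a copy whose digest differs, and that launches the helper with a minimal environment so a tampered script has no unrelated secrets to read. Both controls address what the incident description says happened: the script was modified in place at an unchanged download location, and the modified copy exported CI environment variables. The script bytes, the pinned digest, the tampered copy and the AWS_SECRET_ACCESS_KEY value are constructed for the demonstration, and the environment-variable allowlist is an assumption for the example.

```python
"""Added example (not Codecov's code): two defensive controls for a CI step
that fetches and runs a third-party helper script.

1. Pin the script to a SHA-256 digest stored in the repository and refuse to
   run a copy whose digest differs.
2. Run the helper with a minimal environment so that a tampered script cannot
   read secrets it has no business seeing.
All script contents and values below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile

# Constructed stand-in for a vendor helper script the team reviewed and pinned.
KNOWN_GOOD_SCRIPT = b"#!/bin/sh\necho 'uploading coverage report'\n"

# Digest recorded at review time. Here it is computed from the reviewed bytes;
# in a real repository it is a literal committed next to the workflow file.
PINNED_SHA256 = hashlib.sha256(KNOWN_GOOD_SCRIPT).hexdigest()

# Constructed copy with one line changed: same URL, different content.
TAMPERED_SCRIPT = KNOWN_GOOD_SCRIPT + b"echo 'line not in the reviewed copy'\n"


class PinMismatch(Exception):
    """Raised when the fetched script does not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_pin(data: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the script digest against the pinned value."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex.lower())


def minimal_env(full_env, allow=("PATH", "HOME", "LANG")):
    """Pass only the variables the helper needs (allowlist is an assumption);
    cloud keys, signing tokens and the like never reach the child process."""
    return {k: v for k, v in full_env.items() if k in allow}


def run_pinned_script(script: bytes, pinned_hex: str, env) -> subprocess.CompletedProcess:
    """Execute the script only if its digest matches the pin, with a scrubbed env."""
    if not matches_pin(script, pinned_hex):
        raise PinMismatch("helper script digest does not match the pinned SHA-256; not executing")
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as fh:
        fh.write(script)
        path = fh.name
    try:
        return subprocess.run(["sh", path], env=minimal_env(env),
                              capture_output=True, text=True, check=True)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed CI environment that happens to hold a secret.
    ci_env = dict(os.environ, AWS_SECRET_ACCESS_KEY="constructed-secret-value")
    result = run_pinned_script(KNOWN_GOOD_SCRIPT, PINNED_SHA256, ci_env)
    print("ran reviewed copy:", result.stdout.strip())
    try:
        run_pinned_script(TAMPERED_SCRIPT, PINNED_SHA256, ci_env)
    except PinMismatch as exc:
        print("refused tampered copy:", exc)
```

The pin has to be updated deliberately whenever the vendor ships a new script version, which is the point: a content change at the same URL becomes a visible review event instead of a silent one. Any secret that was already handed to an unpinned run still needs the rotation the editors recommend above.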
August 2020 VirusTotal Upload is One of the SolarWinds Backdoors
Brian Krebs reports that a file uploaded to VirusTotal in August 2020 has been identified as one of the backdoors used in the SolarWinds supply chain attack. Analysis indicates that the individual who flagged the file as suspicious works in IT at the National Telecommunications and Information Administration (NTIA), which is a division of the US Department of Commerce. Microsoft and FireEye both published blog posts about the backdoor in early March. In December 2020, the Wall Street Journal reported that NTIA was among the agencies that had been seriously affected by SolarWinds.
- The VirusTotal screenshot shows that as of last week, 54 of 70 security vendors flagged this file as malicious, but it does not show what the identification rate was when the malicious file was first submitted. Despite a lot of hype around Artificial Intelligence/Machine Learning solving malware as a problem, servers running critical applications with privileged access on sensitive network segments should have strong application control/permission management security policies in place, not just rely on endpoint detection and response agents.
- I find the combination of exploits and techniques used in an attack fascinating and educational. This is also a stark reminder that defense in depth is as prudent as ever. Leverage these types of disclosures to make sure that you don’t have a similar weakness. In this case make sure you’ve applied the updates to VMware Workspace One Access which address CVE-2020-4006.
Vulnerabilities in OpENer EtherNet/IP Stack
Five security issues in the OpENer EtherNet/IP Stack could be exploited to lead to remote code execution, read arbitrary data, or cause a denial-of-service condition. Four of the vulnerabilities were detected by researchers at Claroty; a fifth was detected last year by Cisco Talos. The issues affect all OpENer commits and versions prior to February 10, 2021.
- We had a long list of basic IP stack vulnerabilities like this, this year, for example the Treck IP Stack and Name:Wreck vulnerabilities. Many affect IoT devices, and have in common that they are difficult or impossible to patch. Network segmentation appears to be the only workaround to help.
- This can be exploited by sending specially crafted packets to vulnerable devices. OpENer is an EtherNet/IP stack for I/O adapter devices. If you’ve incorporated it yourself, you can apply the latest commits from their repo and update your stack. More likely it’s embedded in your control systems. You’re going to want to use the US-CERT/CISA mitigations below including segmentation, applying updates when available and blocking them from either Internet access or direct access from your corporate net.
- EtherNet/IP is widely used where both TCP/IP and the Common Industrial Protocol are used. The Open DeviceNet Vendors Association (ODVA) manages the standard and product conformance testing and lists over 100 products using the EtherNet/IP stack. Segmentation around industrial networks should be reviewed/strengthened since discovery and remediation will be complex.
Read more in:
- Fuzzing and Pr’ing: How We Found Bugs in a Popular Third-Party Ethernet/IP Protocol Stack
- EIP Stack Group OpENer Ethernet/IP server out-of-bounds write vulnerability (December 2, 2020)
- ICS Advisory (ICSA-21-105-02) | EIPStackGroup OpENer Ethernet/IP
- Severe Bugs Reported in EtherNet/IP Stack for Industrial Systems
SolarWinds: CERT-EU Says Six EU Agencies Affected
Officials from CERT-EU say that 14 EU agencies were running the SolarWinds Orion IT monitoring platform, and that of those, six were affected by the supply chain attack. Without offering details, CERT-EU said that some agencies experienced “significant impact” and that some personal data were compromised.
Note: The risks from this attack weren’t limited to agencies. If you’ve not looked at your SolarWinds install for IOCs, go to the CISA site (us-cert.cisa.gov: Alert (AA20-352A) | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations) for vulnerability information, mitigations as well as IOCs. Make sure there are no remnants, forgotten or unpatched installations.
Read more in: SolarWinds hack affected six EU agencies
SolarWinds: H-ISAC Insights
The Health Information Sharing and Analysis Center (H-ISAC) has published a report aimed at helping organizations in the health care sector better protect their systems and better respond to incidents in the future. The report, Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event, “provides detailed technical analysis and recommendations for IT and information security teams to help address immediate concerns by providing tactical mitigations and recommendations.”
Read more in:
- Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event
- H-ISAC Supply-Chain Insights Aim to Prevent Next SolarWinds Cyberattack
White House Scaling Back SolarWinds and Exchange Server Unified Coordination Groups’ Surge Efforts
The Biden Administration is standing down task forces established in response to the SolarWinds and Exchange Server Incidents. A statement by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger notes that “due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures.”
- While you may see fewer alerts from CISA on Orion or Exchange, the importance of monitoring for malicious behavior and keeping secure updated configurations doesn’t change. Make sure your supply chain security plans include monitoring for maleficence or unusual behavior, introduced by an unchecked malicious update, such as today’s Codecov Bash Uploader story.
- We cannot patch our way to security. If we did not already know that, SolarWinds should convince us. While further remediation efforts may have diminishing returns, the “supply chain” as a means of compromising thousands of enterprises at a time demands a policy response. Those who recklessly, or even negligently, distribute malicious code (as opposed to those who distribute vulnerable code through error) must be held accountable.
Read more in:
- Statement by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger on SolarWinds and Microsoft Exchange Incidents
- White House ‘standing down’ emergency response groups to SolarWinds, Microsoft hacks
- Feds Stand Down UCG ‘Surge’ Responses to Solar Winds, Microsoft Hacks
Mandiant Describes OT Red Team Smart Meter Exercise
In a simulated attack scenario, Mandiant’s OT (operational technology) Red Team made its way into an industrial control system at a North American utility and shut off a smart meter. The team “leveraged weaknesses in people, process, and technology to gain remote access from the public Internet and to achieve a set of pre-approved objectives in the OT environment.”
Read more in:
- Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure
- How (and why) cyber specialists hacked a North American utility’s smart meter
BGP Routing Leak
On Friday, April 16, a Border Gateway Protocol (BGP) routing leak in the Vodafone autonomous network (AS55410) based in India caused network and website connectivity issues around the world. The autonomous system experienced an inbound traffic spike which was 13 times greater than normal. The incident lasted for approximately 10 minutes.
Note: BGP routing leaks will continue to happen. There are technologies to prevent them, but universally adopting them is difficult. Ultimately, you do not control where packets are going after they leave your network. Properly configured TLS is your best bet to mitigate the threat.
Read more in: Major BGP leak disrupts thousands of networks globally
Mozilla is Disabling FTP in Firefox 88, Removing it Entirely in Firefox 90
When Mozilla releases Firefox 88 this week, the browser will by default have FTP disabled. A Mozilla Add-ons Blog post reads, “To help offset this removal, ftp has been added to the list of supported protocol_handlers for browser extensions. This means that extensions will be able to prompt users to launch a FTP application to handle certain links.” When Firefox 90 is released in June 2021, FTP implementation will be removed entirely.
- There is a lot of really bad code being patched and carried along in many products that really should be rewritten or removed – does anyone really miss Flash? While this move by Mozilla really just means that browser extensions will be launched if FTP is needed, it is good to see all of the browser vendors jettisoning minimally useful functions and reducing browser complexity.
- This means you’re going to need a browser extension to perform FTP from your browser, or better still use an FTP application for those times where you still need it. Most file transfer services now use web servers for downloading files rather than FTP.
- File transfer is a useful, not to say necessary, function. However, the continued use of historically broken tools continues to leak information and must end.
Read more in:
- Mozilla Add-ons Blog | Built-in FTP implementation to be removed in Firefox 90
- Mozilla to start disabling FTP next week with removal set for Firefox 90
Google’s FLoC is Not Gaining Traction Anywhere Except Chrome
Major browsers have said they do not plan to enable Google’s newly introduced Federated Learning of Cohorts or FLoC, ad tracking technology. Multiple browsers, including Microsoft Edge, Brave, Opera, and Firefox, have indicated they will not enable the technology, noting that “FLoC … materially harms user privacy under the guise of being privacy-friendly” (Brave) and “We do not support solutions that leverage non-consented user identity signals, such as fingerprinting” (Microsoft). In addition, WordPress has proposed treating FLoC as a security vulnerability. Earlier this month, the Electronic Frontier Foundation wrote that “The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process.”
- FLoC seems to be changing generally available cookies for grouping based on browser history for more targeted advertising as defined by Google. The predominant response towards tracking is to have an environment of opt-in, explicit permission for tracking rather than implicit tracking. Unfortunately all the browser manufacturers are coming at it slightly differently. Until the W3C comes out with a new standard, make sure that you’re enabling privacy options, with the exception of FLoC. Chrome users can opt-out of FLoC by either going to Settings, Privacy and Security, Cookies and Other Site Data and selecting “Block third-party cookies” or by installing the DuckDuckGo extension for Chrome.
- It is generally a good idea to treat any “privacy enhancement” initiative from a company that monetizes their customers’ personal data with a large dose of skepticism.
Read more in:
- Nobody is flying to join Google’s FLoC
- Microsoft disables Google’s FLoC tracking in Microsoft Edge, for now
- WordPress could treat Google FloC as a security issue
- Proposal: Treat FLoC like a security concern
- Google’s FLoC Is a Terrible Idea
WordPress Update Includes Fixes for Two Security Issues
WordPress released version 5.7.1 last week. The updated version of the content management system includes fixes for an XXE vulnerability in the media library affecting PHP 8 and a data exposure vulnerability in the latest posts block and REST API.
- So you noticed your WordPress site was updated to 5.7.1, right? Now you need to make sure you’re on the current PHP. PHP 7.4 was released on 11/28/19 and is actively supported until 11/28/21, and PHP 8.0 was released on 11/26/20 and is supported until 11/26/22. Don’t wait for active support to end prior to updating. Since PHP releases versions at the end of November/beginning of December, you can plan around that.
- While less porous than browsers, WordPress continues to be a problem. Use with due caution. Prefer purpose built applications.
Read more in:
Member of FIN7 Hacking Group Sentenced to 10 Years in Prison
A US District Judge in the state of Washington has sentenced Fedir Hladyr to 10 years in prison for his role in the operations of the FIN7 hacking group. FIN7, which comprised more than 70 individuals, broke into US companies’ networks and stole payment card information. Hladyr was responsible for coordinating the group’s operations. He has also been ordered to pay $2.5 million in restitution.
Read more in:
- High-level organizer of notorious hacking group FIN7 sentenced to ten years in prison for scheme that compromised tens of millions of debit and credit cards
- ‘High-level’ organiser of FIN7 hacking group sentenced to ten years in prison
- Member of FIN7 Hacking Group Sentenced to US Prison
- FIN7 ‘technical guru’ sentenced to 10 years in prison
Software Developer Charged with Sabotaging Employer’s Computers
A Texas man has been indicted for sabotaging an employer’s computer system. Davis Lu is a software developer who worked with emerging technology for an unnamed company based in Cleveland, Ohio. In August 2019, that company experienced a cyber disruption, causing crashed production servers and preventing employees from accessing servers. An investigation revealed malicious code that caused the crash, and additional malicious code that deleted employee profiles. Lu has been charged with damaging protected computers.
Note: There is little to substitute for good management and supervision, but multi-party controls, and Privileged Access Management systems to implement them can reduce the risk to more reasonable levels.
Read more in:
- Software developer charged with damaging the computer system of a Cleveland company
- Software Developer Arrested in Computer Sabotage Case
- Software developer charged with sabotaging employer’s systems through denial-of-service attack
FBI Remotely Removed Web Shells from Infected Exchange Servers
Since Friday, April 9, the FBI has been removing web shells from compromised on-premises Exchange servers in at least eight US states. A federal court in Texas granted the warrant that allowed the FBI to conduct the operation without the knowledge of the system owners and operators, although they are attempting to contact them. The operation “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”
- There are a couple of important dimensions to this one: First, the fire department going into a burning building without permission to put out a fire that may spread to adjacent buildings is a good thing overall, but may end up in extensive water damage to the burning building. The same is true for what the FBI is doing – from a business perspective, much better to *not* be a candidate for unplanned outside fixes of your compromised systems. Second: be prepared for phishing campaigns that appear to be coming from @FBI.gov – warn your supply chain as well. If you have been unable to move to restrictive DMARC anti-spoofing policies, this would be a good item to use to get high level support to do so.
- This is both cool and unsettling. It is better to secure your own systems or hire help than to have assistance granted by court order. The FBI will be sending email to notify system owners of actions taken. Even so, be on the lookout for fake FBI.gov phishing emails. Remember these actions didn’t apply patches or forensically analyze your systems to determine what else may be impacted.
Read more in:
- Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities
- Motion to Partially Unseal Search Warrant and Related Documents and [Proposed] Order (PDF)
- The FBI Takes a Drastic Step to Fight China’s Hacking Spree
- FBI Operation Remotely Removes Web Shells From Exchange Servers
- FBI Removing Web Shells From Infected Exchange Servers
- FBI blasts away web shells on US servers in wake of Exchange vulnerabilities
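The editor comments on the FBI item above point to restrictive DMARC policies as the control that blunts spoofed @FBI.gov-style mail. As an added example that is not part of the newsletter, the Python below assesses a domain's DMARC TXT record (the string published at _dmarc.<domain>) and reports how much protection the record actually gives: p=reject refuses spoofed mail, p=quarantine only files it as spam, p=none merely reports, and a pct below 100 applies the stated policy to only that fraction of mail (the remainder falls back to the next weaker policy, which the example models as a one-level downgrade). The sample records are constructed, and the rating labels and the downgrade rule are this example's own conventions, not part of the DMARC specification.

```python
"""Added example: parse a DMARC TXT record and rate how restrictive it is.
The sample records are constructed and belong to no real domain."""

# Constructed records, from monitor-only to fully restrictive.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "restrictive": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; "
                   "ruf=mailto:forensics@example.com",
    "not-dmarc": "v=spf1 include:_spf.example.com -all",
}

# Rating scale used by this example (weakest first).
LEVELS = ["weak", "moderate", "strong"]
POLICY_RATING = {"reject": "strong", "quarantine": "moderate", "none": "weak"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def downgrade(rating: str) -> str:
    """Move one step down the scale (a pct<100 policy only partly applies)."""
    return LEVELS[max(LEVELS.index(rating) - 1, 0)]


def assess_dmarc(record: str) -> dict:
    """Return {'rating', 'findings', 'tags'} for a DMARC record string."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"rating": "invalid", "tags": tags,
                "findings": ["record does not start with v=DMARC1; receivers ignore it"]}

    policy = tags.get("p", "").lower()
    if policy not in POLICY_RATING:
        return {"rating": "invalid", "tags": tags,
                "findings": ["p= tag missing or unknown; not a valid DMARC policy"]}
    rating = POLICY_RATING[policy]
    if policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is filed as spam rather than refused")
    elif policy == "none":
        findings.append("p=none: spoofed mail is delivered normally; only reports are generated")

    # pct<100 means the stated policy applies to only part of the failing mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number; treating the policy as not applied")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
        rating = downgrade(rating)

    # Subdomain policy: absent means subdomains inherit p; sp=none undoes protection.
    sub_policy = tags.get("sp", "").lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed freely")
        rating = downgrade(rating)

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")

    return {"rating": rating, "findings": findings, "tags": tags}


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{name:13s} -> {result['rating']}")
        for finding in result["findings"]:
            print("    ", finding)
```

To run this against a live domain, feed it the TXT record returned for _dmarc.<domain> by a resolver; the example deliberately keeps DNS out so that it runs offline. A "weak" or "moderate" result is the starting point for the conversation the editors describe: moving to p=reject at pct=100 once SPF and DKIM alignment have been confirmed from the aggregate reports.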
CISA: Patch New Exchange Server Vulnerabilities Now
Included in Microsoft’s Patch Tuesday this month are fixes for four additional vulnerabilities in on-premise Exchange Servers. These new flaws were detected by the National Security Agency. The Cybersecurity and Infrastructure Security Agency (CISA) has given US federal agencies until 12:01am EDT on Friday, April 16 to deploy the Microsoft updates. Agencies are also required to apply/maintain controls, report completion by noon EDT on April 16, and to immediately report related cyber incidents and indicators of compromise.
Note: While these vulnerabilities don’t appear to be actively being exploited, CISA considers them severe enough to warrant not only requiring immediate patching, but disconnecting any systems not patched by noon today. They make the point that once a fix is publicly released, the weakness can be reverse engineered to create an exploit; coupled with the current activities around exploiting Exchange servers, it’s a good idea to apply these patches now, regardless of whether you’re in the public or the private sector.
Read more in:
- Supplemental Direction v2
- Released: April 2021 Exchange Server Security Updates
- CISA gives federal agencies until Friday to patch Exchange servers
- NSA discovers critical Exchange Server vulnerabilities, patch now
Microsoft Patch Tuesday
On Tuesday, April 13, Microsoft released fixes for more than 110 security issues. Among the vulnerabilities addressed are four additional flaws affecting on-premise Exchange Servers (see additional information in the story above). Also addressed in the updates is a privilege elevation flaw in Windows that is being actively exploited.
Note: I hope you kept good notes, because there are four more Exchange vulnerabilities to patch. These vulnerabilities were found and reported by the NSA, and no exploit or details have been made public yet. But Microsoft considers exploitation likely.
Read more in:
- Security Update Guide
- Microsoft April 2021 Patch Tuesday
- Microsoft Patch Tuesday, April 2021 Edition
- NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches
- Microsoft’s April 2021 Patch Tuesday: Download covers 114 CVEs including new Exchange Server bugs
On Tuesday, April 13, SAP released a total of 19 security notes, including updates to address critical vulnerabilities in Business Client, Commerce, and NetWeaver. Five of the security notes are updates to previously released notes.
- Vulnerabilities in ERP systems usually do not get a lot of press. But they are heavily targeted and prior vulnerabilities in SAP (or similar products) were used to compromise numerous organizations. It often takes only days for exploits to be developed. I know this one is more difficult to patch, but make sure you get it done soon.
- SAP is already on the radar of exploitable platforms, and the patch list includes fixes to vulnerabilities with critical (aka hot news) and high ratings. These fixes address missing authorization checks, information disclosure, and other flaws which warrant prompt action.
- The SolarWinds compromise pointed out that high market share apps that are put in highly sensitive places are high value targets for sophisticated attackers, and should be prioritized for patching. The SolarWinds compromise also pointed out that monitoring of high-risk systems should be stepped up after patching to reduce time to detect if an update has been compromised.
Read more in:
- SAP Security Patch Day – April 2021
- SAP fixes critical bugs in Business Client, Commerce, and NetWeaver
Adobe Patch Tuesday
On Tuesday, April 13, Adobe released fixes for 10 vulnerabilities affecting Adobe Bridge, Adobe Digital Editions, Photoshop, and RoboHelp. Four of the vulnerabilities in Adobe Bridge are rated critical: two memory corruption issues and two out-of-bounds write bugs, all of which could lead to arbitrary code execution. Two critical buffer overflow vulnerabilities in Photoshop could lead to remote code execution. A critical privilege elevation vulnerability in Digital Editions could lead to arbitrary system file write.
Note: If affected products are installed but not currently licensed, or not logged into the respective Creative Cloud account, the automatic update will not happen. Suggest uninstalling products with expired or no licenses to remove potentially exploitable applications from systems.
Read more in:
- Adobe Patches Slew of Critical Security Bugs in Bridge, Photoshop
- Security Updates Available for Adobe Bridge | APSB21-23
- Security updates available for Adobe Photoshop | APSB21-28
- Security Updates Available for Adobe Digital Editions | APSB21-26
- Security update available for RoboHelp | APSB21-20
Google Project Zero is Adding a 30-Day Grace Period for Patching
Google Project Zero is changing its disclosure policy to allow time for users to apply patches. Project Zero’s 90-day (for vulnerabilities that are not being exploited) and 7-day (for vulnerabilities that are being actively exploited) deadlines will remain in place, but if vendors produce a patch within the designated time period, Project Zero will refrain from releasing vulnerability details for 30 days.
Note: Google must strike a difficult balance between identifying vulnerabilities and inviting their exploitation, a responsibility few would take on.
Read more in:
- Summary of changes for 2021
- Google Project Zero testing 30-day grace period on bug details to boost user patching
Chrome 90 Introduces HTTPS Default Protocol
Google has released Chrome 90 to the stable channel for Linux, macOS, and Windows. The newest version of the browser includes using HTTPS as the default protocol. It also reintroduces protection from NAT Slipstreaming attacks. In all, Chrome 90 addresses 37 security issues.
- Of the 37 security fixes, 19 were credited to external researchers – the value of well-managed external bug bounty programs continues to be validated.
- Other browsers will likely follow. More than 90% of websites are supporting HTTPS now, so this move makes a lot of sense. But you may experience some slower connections to the sites that do not support HTTPS, which will likely include internal IoT style devices.
- This update also applies to Chromium-based browsers (Edge, Brave, Vivaldi, etc.). With the migration to HTTPS over the last few years, the impact on end users is nominal. Sites on the HSTS preload list already defaulted to HTTPS. HTTP fallback is still enabled. This release also includes the first version of Google’s Federated Learning of Cohorts (FLoC), which is their answer to privacy while still delivering targeted ads. Note that FLoC is disabled by default in Brave and Vivaldi.
Read more in:
- Stable Channel Update for Desktop
- Google Brings 37 Security Fixes to Chrome 90
- Google releases Chrome 90 with HTTPS by default and security fixes
- Google Chrome 90 released with HTTPS as the default protocol
NERC: Electric Utilities Have Faced “Unprecedented” Cyber Threats
At a virtual press briefing earlier this week, North American Electric Reliability Corporation (NERC) Senior VP Manny Cancel said that the electricity sector has faced an “unprecedented” increase in cyber threats over the past year and a half. Cancel noted that nearly 25 percent of the 1,500 electric utilities that share information with NERC said they had downloaded the tainted SolarWinds software. A smaller subset of those said they used SolarWinds in their operational technology networks.
- Control systems have to not only watch for compromised products like Orion, but also for attempts to access control systems via spearphishing and VPN compromise. The GAO report from March 21 (www.gao.gov: Electricity Grid Cybersecurity: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems) had one recommendation for DOE: to more fully address risks to the nation’s power grid in coordination with DHS, states and industry. Until that effort solidifies, look to a hybrid approach to protection systems rooted in the Purdue Model. Secure the perimeter, require multi-factor authentication for access, verify security settings and updates are applied, and use segmentation to allow only authorized systems to interact with control system components.
- There are software products and firmware in use across power systems that have the same or higher market share as SolarWinds had in that vertical, particularly on the OT networks. Identifying those and increasing prioritization of protection/segmentation/detection of those high value targets is a lesson learned from the SolarWinds compromise impact.
- While these numbers are not surprising, they document the severity of the attack and the resulting risk to our infrastructure.
Read more in:
- Experts see ‘unprecedented’ increase in hackers targeting electric grid
- Hundreds of electric utilities downloaded SolarWinds backdoor, regulator says
ODNI Annual Threat Assessment
The Office of the Director of National Intelligence has released its annual threat assessment report. The report “focuses on the most direct, serious threats to the United States during the next year.” Intelligence officials also spoke at a Senate Intelligence Committee hearing earlier this week. “The complexity of the threats, their intersections, and the potential for cascading events in an increasingly interconnected and mobile world create new challenges for the IC [Intelligence Community].”
Note: This report is only 27 pages and is far more than just cyber, covering military, WMD, Space, Intelligence and Influence capabilities for many countries. Use the information to better understand the threats, their motivations, capabilities, and goals and how that overlays with current world conditions.
Read more in:
- Annual Threat Assessment (PDF)
- Intelligence Hearing Video | Wednesday, April 14, 2021 – 10:00am
- The Biggest Security Threats to the US Are the Hardest to Define
US Sanctions Russia
The Biden administration has imposed sanctions on Russia for cyberespionage activity and for its efforts to influence the presidential election. It also sanctioned six Russian technology companies that support the cyberespionage activity and more than 30 entities and individuals for attempting to sway the election. In addition, 10 Russian Embassy officials in Washington, DC, will be expelled.
Read more in:
- Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation
- FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government
- Treasury Sanctions Russia with Sweeping New Sanctions Authority
- Biden administration imposes significant economic sanctions on Russia over cyberspying, efforts to influence presidential election
- White House slaps sanctions on Russian cyber activities while blaming SVR for SolarWinds campaign
- As US takes sweeping action against Russia for years of hacking, industry skeptical of impact
- It was Russia wot did it: SolarWinds hack was done by Kremlin’s APT29 crew, say UK and US
- SolarWinds: US and UK blame Russian intelligence service hackers for major cyber attack
NSA, CISA, and FBI Warn of Top Vulnerabilities Exploited by Russian Hackers
In a joint advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warn that Russian Foreign Intelligence Service threat actors are exploiting “known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.” The advisory includes a list of the exploited vulnerabilities and mitigations for those vulnerabilities.
- The list of vulnerabilities isn’t surprising. It is not a list of difficult-to-exploit, obscure problems, but the same list of vulnerabilities everybody else is exploiting. Use this as a good reason to double check if you are running any of the vulnerable systems, and make sure they are patched. Given that some of these vulnerabilities go back to 2018: If you still find a vulnerable system, consider it compromised.
- Actors are taking advantage of both unpatched or improperly secured systems and reusable credentials. Beyond implementing multi-factor authentication, integrate your reusable password system (typically Active Directory) with a system which monitors for breached passwords, and require users to not select a known compromised password; immediately change passwords when they are discovered in the breach data. Prioritize the patching and security validation of any and all internet facing services. Dispel beliefs that your access server is obscure and not discoverable by looking for similar products in a tool like Shodan.
- After SolarWinds, we should hardly need such a warning. It is urgent that we restore trust in our infrastructure. In the meantime, we can resist some further damage by implementing strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), one of our most efficient protective measures.
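The breached-password integration recommended in the second note above, as an added example rather than code from the advisory or any of the editors: new passwords are screened against a breach corpus by SHA-1 prefix in the k-anonymity style used by Pwned Passwords, and existing account hashes are audited so that matches can be reset immediately. The corpus, the occurrence counts and the directory export are constructed for the example; a directory that stores NT hashes would need an NTLM-form corpus instead of SHA-1.

```python
"""Breached-password screening and audit, k-anonymity style.

Constructed example: the breach corpus below is a handful of well-known
compromised passwords with made-up occurrence counts. In a real deployment the
corpus is a local replica of a breach feed (or a range query to a service such
as Pwned Passwords) and the hashes come from the identity store.
"""
from __future__ import annotations

import hashlib

# Constructed breach corpus: password -> number of times seen in breaches.
_BREACHED_PASSWORDS = {
    "password": 3_730_471,
    "Summer2021!": 1_204,
    "letmein": 258_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form used by Pwned Passwords range files."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first five hex characters, as a range endpoint would.
_CORPUS_BY_PREFIX: dict[str, dict[str, int]] = {}
for _pw, _count in _BREACHED_PASSWORDS.items():
    _digest = sha1_hex(_pw)
    _CORPUS_BY_PREFIX.setdefault(_digest[:5], {})[_digest[5:]] = _count


def range_lookup(prefix: str) -> list[tuple[str, int]]:
    """Stand-in for the range endpoint: every (suffix, count) whose full hash
    begins with `prefix`. Only the 5-character prefix ever leaves the client,
    so the complete hash (and therefore the password) is never disclosed."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(_CORPUS_BY_PREFIX.get(prefix.upper(), {}).items())


def breach_count(password: str, lookup=range_lookup) -> int:
    """Number of breach occurrences for `password`, 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def evaluate_new_password(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Policy applied when a user picks a password: length floor, then breach check."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    count = breach_count(password)
    if count:
        return False, f"appears {count:,} times in breach data"
    return True, "ok"


def audit_existing_hashes(account_hashes: dict[str, str],
                          lookup=range_lookup) -> list[str]:
    """Accounts whose stored SHA-1 hash appears in the corpus and must be reset now.
    Works from hashes only, so the audit never needs plaintext passwords."""
    to_reset = []
    for account, digest in account_hashes.items():
        digest = digest.upper()
        matches = dict(lookup(digest[:5]))
        if digest[5:] in matches:
            to_reset.append(account)
    return sorted(to_reset)


if __name__ == "__main__":
    # Constructed directory export: account -> SHA-1 of current password.
    directory = {
        "alice": sha1_hex("Summer2021!"),
        "bob": sha1_hex("correct horse battery staple"),
        "carol": sha1_hex("letmein"),
    }
    print(evaluate_new_password("password"))
    print(evaluate_new_password("correct horse battery staple"))
    print("force reset:", audit_existing_hashes(directory))
```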
Read more in:
- Russian SVR Targets U.S. and Allied Networks (PDF)
- Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks
- NSA: Top 5 vulnerabilities actively abused by Russian govt hackers
Sabotage Reportedly Shut Down Iran’s Natanz Uranium Enrichment Site
In what appears to be an act of sabotage, Iran’s Natanz uranium enrichment facility was shut down on Sunday, April 11. An explosion at the facility reportedly caused a power failure. US and Israeli intelligence officials said that Israel played a role in the incident. The Natanz facility was shut down a decade ago by the Stuxnet worm.
- Not a lot of details out on this one yet, but an important reminder on two fronts. The obvious one is for power system and other critical infrastructure operators to take immediate action to reduce exposure to similar attacks. But, a broader reminder that back in 2010 the Stuxnet malware attack caused spillover that impacted financial systems and many other networks – good reason for an accelerated push to make sure essential security hygiene deficiencies are addressed rapidly.
- The take-away is to make sure that critical infrastructure is properly protected from cyber-attack. Control systems need to be properly isolated and never directly accessible from the Internet. Further, not only restrict access to known trusted systems, but also monitor that access for anomalous behavior. Make sure that supporting systems, such as power and cooling are similarly protected and monitored. Lastly, practice good OPSEC. One of the take-aways from the Stuxnet incident was that PR photos in front of the control systems were used to reveal the technology used allowing that attack to be very accurately developed and targeted.
Read more in:
- Blackout Hits Iran Nuclear Site in What Appears to Be Israeli Sabotage
- Iranian Nuclear Site Shut Down by Apparent Cyberattack
- Stuxnet sibling theory surges after Iran says nuke facility shut down by electrical fault
NAME:WRECK DNS Vulnerabilities
Researchers at Forescout and JSOF have disclosed nine vulnerabilities affecting four widely-used TCP/IP stacks. The flaws can be exploited to cause denial-of-service conditions and take devices offline or gain remote control of vulnerable devices. The issues affect an estimated 100 million devices.
- While these are issues that need to be “patched now”, the end user may not have the option if vendor firmware is not updated. A better fix is likely an architecture that forces all internal devices to use an internal recursive resolver. While it may not mitigate all the vulnerabilities, it will at least provide visibility into DNS traffic which is crucial for devices that are often only offering limited logging.
- The vulnerable versions of Nucleus NET, FreeBSD, and NetX have been updated, but the trick is waiting on vendor updates to devices with these as an embedded OS. Mitigations include identification and segmentation of devices with the vulnerable TCP/IP stacks, configuring devices to use known good internal DNS servers and monitoring and blocking of malicious or malformed DNS traffic.
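The "malicious or malformed DNS traffic" that the notes above say an internal resolver or sensor should monitor and block can be recognised with a strict parser. As an added example, not code from Forescout, JSOF or any of the affected stacks, this checker enforces the RFC 1035 rules that the NAME:WRECK class of bugs concerns, namely handling of compressed names: pointers must stay inside the message and point backwards, names may not exceed 255 bytes, and names inside RDATA may not run past RDLENGTH. The sample messages are hand-built test vectors, not captured traffic.

```python
"""Strict DNS message checker: flags names and records that break RFC 1035 limits.

Constructed example for a resolver-side or sensor-side filter. The sample
messages at the bottom are hand-built test vectors, not captured traffic.
"""
import struct

MAX_NAME_LEN = 255            # RFC 1035 section 2.3.4
NAME_RDATA_TYPES = {2, 5, 12}  # NS, CNAME, PTR: RDATA is a (compressible) name


class MalformedDNS(ValueError):
    """Raised when a message violates a wire-format rule."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at `offset`, following compression pointers safely.

    Returns (dotted name, offset just past the name in the outer stream).
    Pointers may only reference an earlier offset, which makes pointer loops
    impossible without needing a hop counter."""
    labels: list[str] = []
    total = 0      # label bytes consumed, bounded by MAX_NAME_LEN
    end = None     # first offset after the name in the original stream
    pos = offset
    while True:
        if pos >= len(msg):
            raise MalformedDNS(f"name at {offset} runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedDNS(f"truncated compression pointer at {pos}")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if target >= len(msg):
                raise MalformedDNS(f"pointer at {pos} targets offset {target} outside message")
            if target >= pos:
                raise MalformedDNS(f"pointer at {pos} targets offset {target}, not earlier in message")
            pos = target
            continue
        if length & 0xC0:                               # 0x40 / 0x80 are reserved
            raise MalformedDNS(f"reserved label type 0x{length:02x} at {pos}")
        if length == 0:                                 # root label ends the name
            if end is None:
                end = pos + 1
            break
        total += length + 1
        if total > MAX_NAME_LEN:
            raise MalformedDNS(f"name at {offset} exceeds {MAX_NAME_LEN} bytes")
        label = msg[pos + 1:pos + 1 + length]
        if len(label) < length:
            raise MalformedDNS(f"truncated label at {pos}")
        labels.append(label.decode("ascii", errors="replace"))
        pos += 1 + length
    return ".".join(labels) or ".", end


def check_message(msg: bytes) -> str:
    """Walk every section; return 'ok' or 'malformed: <reason>'."""
    try:
        if len(msg) < 12:
            raise MalformedDNS("header shorter than 12 bytes")
        _id, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
        pos = 12
        for _ in range(qdcount):
            _name, pos = read_name(msg, pos)
            if pos + 4 > len(msg):
                raise MalformedDNS("truncated question")
            pos += 4                                    # QTYPE + QCLASS
        for _ in range(ancount + nscount + arcount):
            _name, pos = read_name(msg, pos)
            if pos + 10 > len(msg):
                raise MalformedDNS("truncated resource record header")
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            if pos + rdlen > len(msg):
                raise MalformedDNS(f"RDLENGTH {rdlen} exceeds message")
            if rtype in NAME_RDATA_TYPES:
                _n, name_end = read_name(msg, pos)
                if name_end > pos + rdlen:
                    raise MalformedDNS("name in RDATA runs past RDLENGTH")
            pos += rdlen
        return "ok"
    except MalformedDNS as exc:
        return f"malformed: {exc}"


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a dotted name (used to build test vectors)."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def _header(qd: int, an: int, flags: int = 0x8180) -> bytes:
    return struct.pack("!6H", 0x1234, flags, qd, an, 0, 0)


# Constructed test vectors.
QUESTION = encode_name("printer.example.com") + struct.pack("!HH", 1, 1)     # A, IN
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 5])
VALID_RESPONSE = _header(1, 1) + QUESTION + ANSWER        # answer name points back to offset 12
POINTER_TO_SELF = _header(1, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)  # pointer at 12 -> 12
POINTER_OUT_OF_BOUNDS = _header(1, 1) + QUESTION + b"\xc0\xff" + ANSWER[2:]
NAME_TOO_LONG = _header(1, 0) + (b"\x3f" + b"a" * 63) * 5 + b"\x00" + struct.pack("!HH", 1, 1)
TRUNCATED_LABEL = _header(1, 0) + b"\x07print"

if __name__ == "__main__":
    for tag, sample in [("valid", VALID_RESPONSE), ("self-pointer", POINTER_TO_SELF),
                        ("oob-pointer", POINTER_OUT_OF_BOUNDS),
                        ("name-too-long", NAME_TOO_LONG), ("truncated", TRUNCATED_LABEL)]:
        print(f"{tag:14} {check_message(sample)}")
```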
Read more in:
- Forescout and JSOF Disclose New DNS Vulnerabilities, Impacting Millions of Enterprise and Consumer Devices
- 100 Million More IoT Devices Are Exposed—and They Won’t Be the Last
Critical Zoom Flaw Allows Remote Code Executions with No User Interaction
Two security researchers from the Netherlands demonstrated an exploit of flaws in the Zoom desktop client that allowed them to take control of a user’s computer. The exploit chains together three vulnerabilities in Zoom to allow remote code execution with no user interaction. The exploit works on the Zoom desktop client for PCs and for Mac.
- The browser version of Zoom is not affected – a good workaround until the patch is available. Good to see that Zoom was one of the sponsors of the Pwn2Own competition that found this one.
- This flaw was revealed and demonstrated during the Pwn2Own event. The vulnerabilities have been reported to Zoom, and no details were made public. The Pwn2Own events have been a great way for researchers to demonstrate their skills responsibly. While depressing to see pretty much every single target fall year after year, this event has been a great source of responsibly disclosed vulnerability details.
- The exploit leverages a weakness in the Zoom Chat product, not the in-session chat which is part of Zoom Meetings or Zoom Video Webinars. The attacker has to either be an accepted external contact or another organizational user. The best mitigation is to use the web client until a fix is released. Also make sure that you’re following best practices to secure online meetings and accept external contact requests only from people you know and trust.
- A rare exception to the rule that one should prefer purpose-built applications to browsers.
Read more in:
- Critical Zoom vulnerability triggers remote code execution without user input
- Huge Zoom flaw lets hackers completely take over your Mac or PC [updated]
NCSC Recommends Actions to Address Fortinet SSL VPN Vulnerability
Britain’s National Cyber Security Centre (NCSC) is urging users to take steps to protect Fortinet SSL VPNs from active exploits. NCSC recommends checking to see if the FortiOS updates have been applied. If they have not, “the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured and then returned to service.”
- As the flaws are being exploited, assume unpatched devices have been compromised. The strategy recommended by NCSC, effectively a factory wipe, reset and patch, is a good way to make sure that your device is operating from a known good configuration. Make sure that all your internet facing and boundary protection devices including VPNs, firewalls, load balancers, WAFs are at the top of both the patch priority and security posture review lists. Ensure they are both properly configured and updated.
- Updating your remote access equipment, while most people still work from home, may be scary. But dealing with an incident involving your remote access equipment while working from home is worse. An upgrade can be scheduled.
Read more in:
- Alert: Critical risk to unpatched Fortinet VPN devices
- Critical security alert: If you haven’t patched this old VPN vulnerability, assume your network is compromised
- APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks (PDF)
Unit 42 Researchers Find Cryptojackers Targeting Washington State Educational Organizations
Researchers at Palo Alto Networks’ Unit 42 global threat intelligence team recently detected cryptojacking attacks targeting three educational organizations in Washington state. The incidents were detected on February 16, March 10, and March 15. The Unit 42 report includes a list of indicators of compromise.
Read more in:
- Attackers Conducting Cryptojacking Operation Against U.S. Education Organizations
- Washington State educational organizations targeted in cryptojacking spree
Ransomware Affects Cheese Delivery in the Netherlands
A ransomware attack that targeted Bakker Logistiek, a warehousing and transportation provider, has resulted in a cheese shortage in stores in the Netherlands. Bakker’s director said that due to the attack, they did not know where in their warehouses products were, and that it also prevented the company from receiving orders. The company is using backups to restore operations. They did not indicate if they paid the ransom.
Read more in:
- Dutch supermarkets run out of cheese after ransomware attack
- ‘Cheese hack’ resolved involved ransomware (Dutch)
Expired Certificate Prevents Pulse Secure VPN Logins
An expired code-signing certificate prevented Pulse Secure VPN users from accessing their devices. The problem affects users working from home when they try to connect to company networks through their browsers. The issue is the expired certificate combined with a software bug that fails to verify that timestamped executables are signed.
- This denial of service/access problem that keeps popping up shows the need for certificate discovery and management tools. There are some commercial products and a number of open source tools (like OpenCA and gnoMint) that provide support at scale for certificate management.
- Certificate use has become pervasive, and certificate lifetimes are shrinking, necessitating active monitoring and automated processes to update them automatically where possible. If nothing else, generate a support ticket with sufficient priority and warning to take action without interruption. When using certificates to sign code, be sure to not only use a timestamp server which captures the certificate validity at the time of signing, but also verify the behavior after the code signing certificate has expired.
Read more in:
- KB44781 – Multiple functionalities/features fail for End-Users with a Certificate error.
- Pulse Secure VPN users can’t login due to expired certificate
US Dept. of Health and Human Services OIG Finds Infosec Program is Not Effective
An audit of the US Department of Health and Human Services (HHS) information security program found it to be not effective. The audit, which was conducted by Ernst & Young LLP on behalf of the HHS Office of Inspector General (OIG), evaluated HHS’s information security program against Federal Information Security Management Act (FISMA) metrics. HHS’s information security program was also found not effective in audits conducted for FY 2018 and FY 2019.
Note: Repeat findings on an audit are not something you want. While HHS does have an overall strategy for implementing needed processes and controls, OIG found the specific roadmaps and KPIs that would drive completing the implementation of those strategies were lacking. Make sure that your enterprise strategy has the information needed for success to the lowest layers, including measurable objectives, defined timelines and funded resources. If you are not going to implement a regulatory requirement, such as the Continuous Diagnostics and Mitigation (CDM) program, work that at the highest levels with the regulator, and document the outcome and update your enterprise roadmap accordingly.
Read more in:
- HHS Information Security Program Still ‘Not Effective’
- Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (Report in Brief)
- Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (PDF)
IcedID Banking Trojan Spreading Through Contact Forms
Researchers from the Microsoft 365 Defender Threat Intelligence Team have detected attackers abusing contact forms on company websites to generate emails that include malicious links that can ultimately lead to machines becoming infected with the IcedID banking Trojan.
Read more in:
- Investigating a unique “form” of email delivery for IcedID malware
- Microsoft Warns of Malware Delivery via Google URLs
- Criminals spread malware using website contact forms with Google URLs
- IcedID Circulates Via Web Forms, Google URLs
- Attackers deliver legal threats, IcedID malware via contact forms
- IcedID Trojan Finding New Ways to Slip Past Defenses
Accellion: University of Colorado
The University of Colorado (CU) has provided additional information about a data breach related to a vulnerability in Accellion’s File Transfer Appliance (FTA). CU says that more than 300,000 unique records containing personally identifiable information were compromised. CU says the compromised data are being held for ransom and that they do not intend to pay the demand.
Read more in:
- Cyberattack Update April 9, 2021
- Accellion breach exposed 300,000 records, University of Colorado says
Kentucky Unemployment Insurance Office Offline to Reset PINs After Attempted Fraud
A cyberattack forced the Kentucky Office of Unemployment Insurance to take account operations offline for several days. Attackers used automated tools to access users’ accounts; in some cases, they changed bank information so that funds were diverted to a different account. The Office of Unemployment Insurance is resetting more than 300,000 PINs to ensure that thieves cannot steal payments. Once the operations go back online, users will be assigned a new, 8-digit PIN and will be required to create a new 12-character password.
- Previously used 4-digit PINs, while encrypted, were trivial to guess, as users often chose predictable values. Having users choose longer passwords, sending account PINs out-of-band, and an emailed multi-factor access code are excellent steps in the right direction.
- While resistant to the rare brute force attacks, it sounds as though this system will continue to be vulnerable to the more prevalent fraudulent credential replay attacks. Strong authentication requires that at least one form of evidence be resistant to replay.
Read more in:
- Kentucky Unemployment Insurance Site Shuttered After Attack
- Important Security Notice About Unemployment Insurance PINs
Biden Nominates Former NSA Officials to Top Cybersec Positions at DHS and White House
The Biden administration has nominated former National Security Agency (NSA) official Jen Easterly to become director of the Cybersecurity and Infrastructure Security Agency (CISA). Biden is also expected to nominate former NSA official Chris Inglis to fill the new position of National Cybersecurity Director.
Note: These nominees have not only cybersecurity expertise, but also track records of partnership with private industry. CISA has used those relationships to increase the relevance, effectiveness and value of their services and guidance to both the public and private sector. Extending this partnership model to other cybersecurity roles is necessary to have comprehensive, relevant and effective security leadership.
Read more in:
- Biden Nominates Former NSA Officials for Top Cybersecurity Roles
- Biden scores praise for nominations of White House, DHS cyber leaders
- Biden to Nominate Former NSA Official Easterly to Head CISA
- White House to nominate NSA veterans Chris Inglis, Jen Easterly as national cyber director, CISA chief
DC CareFirst BC/BS Health Insurer Loses Clinical and Other Patient PII To Attackers
CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) has disclosed that a January 2021 cyberattack compromised data belonging to current and former enrollees and employees. The compromised data include names, Social Security numbers, claims information, and in some cases, clinical information.
Note: This is a good example of transparency and a proactive response. CHPDC has not only published a notice, but also a FAQ, offered 2 years of free credit monitoring as well as engaged expert help for response, containment and remediation to prevent recurrence. While it’s nice to have full attribution in a cyber-attack, these steps taken represent concrete measurable actions which will help maintain and strengthen business relationships with customers, peers, and providers.
Read more in:
- Major DC insurance provider hacked by ‘foreign cybercriminals’
- Recent Cyberattack: A message from our President & CEO, George Aloth
Threat Actors are Exploiting Unpatched SAP Applications
Threat actors are exploiting known vulnerabilities in SAP applications. In a joint report, SAP and Onapsis noted that “critical SAP vulnerabilities [are] being weaponized in less than 72 hours of a patch release.” Attackers are exploiting the flaws to steal data, conduct fraud, deliver malware, and disrupt operations. Users are urged to update SAP applications.
- Attackers are now actively targeting unsecured SAP applications. CVE-2020-6287 and CVE-2020-6207 are rated as high-risk due to the potential to gain remote unauthorized system access. While patching your ERP system requires prioritization and adequate regression testing, these aggressive attacks warrant enlisting outside services to expedite the process. Consider immediately restricting access to unpatched SAP systems that are currently Internet-accessible.
- Patching faster continues to be easier to do with ease of spinning up AWS/Azure based full sized test environments, and is critical to do with high impact applications like SAP. The SolarWinds compromise points out that those high impact apps should also be tested for flaws or hidden capabilities, and the production instances monitored for unusual behavior – also a lot easier to do with manageable levels of false positives with modern tools.
- Historically, it has been more important to patch thoroughly than to patch urgently. Recent events suggest that that may be changing. In any case, the time to widespread exploitation seems to be shrinking.
Read more in:
- Active Cyberattacks on Mission-Critical SAP Applications
- SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications
- SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers
- Hackers actively targeting unsecured SAP installs, DHS, SAP and Onapsis warn
- Attackers Actively Seeking, Exploiting Vulnerable SAP Applications
- SAP Bugs Under Active Cyberattack, Causing Widespread Compromise
- Malicious Cyber Activity Targeting Critical SAP Applications
Threat Actors are Using Collaboration Apps to Spread Malware
Threat actors have been targeting collaboration apps, like Slack and Discord, to spread malware. The increased number of people working remotely has expanded the use of these apps; attackers have been using the platforms to deliver malware and exfiltrate data. The activity does not exploit vulnerabilities in the collaboration apps; instead, the threat actors are exploiting existing features and the level of trust that the platforms offer.
Note: These platforms are excellent for sharing and distributing files, and links to them are easily embedded in email. As the use of these services has become commonplace, those links no longer stand out as unusual. Some of the attack vectors, such as token stealing to access Discord, can’t be easily mitigated. If you’re not actively using these collaboration apps for business purposes, consider blocking their domains and adding the client software to your application deny list. If you are using them, make sure that your implementation is following best security practices and is sufficient for protecting the data stored and exchanged there.
Read more in:
- Sowing Discord: Reaping the benefits of collaboration app abuse
- Hackers Are Exploiting Discord and Slack Links to Serve Up Malware
- Threat actors targeted Slack and Discord as the pandemic raged on
- Attackers Blowing Up Discord, Slack with Malware
Critical Flaw in VMware Carbon Black
A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and gain elevated privileges. The issue is due to incorrect URL handling. Users are urged to upgrade to VMware Carbon Black Workload appliance version 1.0.2.
Read more in:
- Critical Cloud Bug in VMWare Carbon Black Allows Takeover
- VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982)
- VMware Carbon Black Cloud Workload 1.0.2 Release Notes
Gigaset Android Phone Affected by Supply Chain Attack
Some Gigaset Android smartphones are being infected with malware through a “poisoned” update. The malware can open browser windows, download other malware, and send text messages in an effort to spread. Gigaset says the issue affects “older devices” and that they “expect to be able to provide further information” soon.
- The troubling detail is that the update came from the Gigaset update servers. Gigaset published a technical solution to remove the malware; there is some disagreement about the completeness of the fix. The better plan may be to power off affected devices, and remove both the battery and SIM. While Gigaset hopes to have better remediation information shortly, as this is impacting older devices, the more expedient and complete resolution may be to replace your device if affected.
- We cannot deal with the supply chain by placing all the responsibility on the end user. We must hold those who distribute malicious code responsible.
Read more in:
- Another supply-chain attack? Android maker Gigaset injects malware into victims’ phones via poisoned update
- Gigaset: malware attacks on the manufacturer’s Android devices are puzzling (German)
Lazarus Group’s Vyveva Backdoor Malware
An advanced persistent threat (APT) group with ties to North Korea reportedly used backdoor malware known as Vyveva in an attack against networks at a South African freight company. The Lazarus APT group appears to have been using Vyveva since late 2018. Vyveva’s “capabilities [include] file exfiltration, ‘timestomping,’ gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators.”
Read more in:
- (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
- Vyveva: Lazarus hacking group’s latest weapon strikes South African freight
- North Korean hackers use new Vyveva malware to attack freighters
Singapore Job Matching Organization Discloses Third-Party Data Breach
Singapore’s Employment and Employability Institute (e2i) has disclosed a data breach affecting 30,000 individuals. The company learned of the breach on March 12 from a third-party vendor whose systems were breached. The incident affects individuals who used e2i services or participated in e2i events between November 2018 and March 2021.
Note: Third-party liability needs to be understood. Make sure that your contracts not only flow down cyber security and data protection requirements but also legal and indemnification clauses. These clauses should be standardized for your supply chain management group and reviewed/updated annually by your cyber and legal staff. The review may drive the need to update existing contracts. Document your decision to update now or wait until renewal.
Malicious Document Builder EtterSilent
Threat actors are using a malicious document builder known as EtterSilent in their campaigns. One version of EtterSilent mimics the electronic signature app DocuSign but asks users to enable macros; a second version of EtterSilent has been used to drop the Trickbot banking Trojan.
Note: EtterSilent includes features that allow it to bypass Microsoft Defender, Windows Antimalware Scan Interface (AMSI), and popular email services, including Gmail. EtterCell documents, created by the EtterSilent builder, are downloader payloads that use Excel 4.0 macro functions to download and execute malicious payloads.
Read more in:
- Emerging hacking tool ‘EtterSilent’ mimics DocuSign, researchers find
- EtterSilent maldoc builder used by top cybercriminal gangs
- EtterSilent Builder Gains Momentum in Malware Campaigns
Android Malware Hides in App Pretending to be Netflix
Check Point Research (CPR) discovered wormable malware in a phony app on the Google Play Store. Dubbed “FlixOnline,” it disguises itself as a legitimate Netflix client offering unlimited entertainment and a free 60-day premium Netflix subscription due to COVID-19. The malware targets WhatsApp, “listening in” on conversations and auto-responding to messages with malicious content. The application requests overlay, Battery Optimization Ignore, and notification permissions to keep the device from shutting down as well as to provide access to the WhatsApp communications.
- Beware of over-permissioned applications bearing false promises. The application is using the permissions granted to access WhatsApp and dismiss and reply to messages. Overlay permissions are often seen in a credential stealing application. The Netflix link provided is also a credential stealing site. The application has been removed from the Play Store and Play Protect will remove any installed copies. No action is needed for WhatsApp.
- With each Android release, Google has been reducing the scope of app behavior that is allowed. Taking advantage of that requires carriers/operators to be pushing out updates, users to allow them to happen and sometimes requires newer phones to be used. Google had been improving Play Store security/privacy vetting across 2019 but did not publicly announce significant advances in 2020 or so far in 2021. The Play Store and Apple App Store still present significant obstacles to malware compared to what PC and server operating systems offer.
Read more in:
- New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp
- New wormable Android malware poses as Netflix to hijack WhatsApp sessions
- Fake Netflix app on Play Store caught hijacking WhatsApp sessions
- New wormable Android spyware and adware poses as Netflix in order to hijack WhatsApp sessions
- Fake Netflix App on Google Play Spreads Malware Via WhatsApp
Belden Says More Information Was Compromised in 2020 Breach
Belden, a network connectivity device manufacturer based in the US, has disclosed additional information about a 2020 cyberattack. When the company first acknowledged the incident in November, it said that current and former employee data and some business data had been compromised. Now it appears that the compromised data include information about some employees’ family members, and health-related information.
Note: Consider whether your enterprise holds data sensitive for others that you do not really need, use, or adequately protect. The most effective way to ensure that one does not leak sensitive data is not to keep it.
Read more in:
- Belden says health benefits data stolen in 2020 cyberattack
- Belden Issues Supplemental Notification of Data Incident
Previous Data Theft May Have Contributed to Exchange Server Attacks
US government officials and Microsoft are puzzling over how the threat actors behind the Microsoft Exchange Server attacks were able to carry out attacks so broadly and so quickly. One emerging theory is that the threat actors, who have been linked to China, have vast troves of stolen and/or mined information that they used to determine which accounts to target. Anne Neuberger, deputy national security adviser for cyber and emerging technology said, “We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks. Their potential ability to operationalize that information at scale is a significant concern.” (Please note that the WSJ story is behind a paywall.)
Read more in:
- Suspected China Hack of Microsoft Shows Signs of Prior Reconnaissance (paywall)
- The Cybersecurity 202: This House Democrat is pushing for more funding for state and local cybersecurity
Aviary Dashboard Analyzes Data Output from Sparrow Detection Tool
The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners have released a dashboard to help “visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise.”
Note: As DHS/CISA continue to refine and require added scans relating to the SolarWinds compromise, this dashboard represents a way to track and monitor the results from scans made using their Sparrow detection tool, which should aid reporting requirements associated with this activity. Even if you’re not bound by these directives, consider this approach to tracking the status and health of SolarWinds environments.
Read more in:
- CISA releases tool to review Microsoft 365 post-compromise activity
- cisagov / Sparrow | Aviary
- Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments
FBI and CISA Joint Advisory: APT Actors Actively Exploiting Flaws in Fortinet FortiOS
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert about advanced persistent threat (APT) actors scanning on ports 4443, 8443 and 10443 for known vulnerabilities in Fortinet FortiOS SSL VPNs. The threat actors could exploit the vulnerabilities “to gain access to multiple government, commercial, and technology services networks.” Users are urged to apply updates.
- These are older vulnerabilities, and likely exploited by more than APT actors. Patching a remote access device while everybody is working from home has its risk. But if it is too risky to patch, it would be even worse if the device gets compromised. Patch!
- The vulnerability exploited in CVE-2018-13379 was not only resolved in the May 2019 patch, but also allows attackers to bypass 2FA. Make sure that your Fortinet devices are up-to-date to ensure that your 2FA implementation is not rendered ineffective. Review the IC3 guidance below for important mitigations; beyond updating your devices and enabling multi-factor authentication, important steps include requiring administrative privileges to install software, using network segmentation, auditing the use of administrator accounts, and configuring systems with the principle of least privilege in mind.
Read more in:
- APTs targeting Fortinet, CISA and FBI warn
- Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities
- CISA, FBI warn of hacking threat against Fortinet product
- FBI and CISA: APT Groups Targeting Government Agencies
- FBI: APTs Actively Exploiting Fortinet VPN Security Holes
- Advanced hackers use Fortinet flaws in likely attempt to breach government networks, feds warn
- APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks (PDF)
Malware Disrupts Automobile Inspections
A malware attack affecting automobile emissions testing company Applus Technologies is preventing vehicle inspections in eight US states. The March 30 attack prompted Applus Technologies to disconnect their network from the Internet. As it is uncertain when inspections will resume, officials in affected states are notifying law enforcement authorities of the situation, asking them not to issue citations for expired emissions inspections. Applus Technologies is also working with customers to ensure the vehicle owners do not incur fines and penalties.
Read more in:
- Malware attack is preventing car inspections in eight US states
- Cyberattack disables CT DMV emissions testing. When will services return?
- Applus Provides Update
Spear Phishing Campaign Targets Job Seekers on LinkedIn
Threat actors are targeting LinkedIn users with phony job offers. The spear phishing campaign tries to manipulate LinkedIn users into clicking on a malicious ZIP file that installs a fileless backdoor Trojan known as more_eggs. That malware has the capacity to download additional malware, giving threat actors access to the user’s computer.
Note: This attack is targeting out-of-work professionals with a personalized, compelling campaign, which means user education has to come through non-work channels such as professional organizations, or reaching out to friends who you know to be job hunting. Make sure they are both aware of the campaign and have current endpoint protection on their system. The motivation appears to be access-for-hire – where access to compromised systems is sold to others for use in subsequent campaigns.
Read more in:
- LinkedIn Spear-Phishing Campaign Targets Job Hunters
- LinkedIn Phishing Ramps Up With More-Targeted Attacks
- Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire
Microsoft Outage Caused by Bug
An outage that affected Microsoft’s cloud services on Thursday, April 1 was due to a code defect that overwhelmed the Azure DNS service, which “led to decreased availability of … DNS service.” The issue was resolved by Thursday evening.
- A good reminder that DNS is still a critical service. Doesn’t matter how big your cloud is if nobody can find it.
- Microsoft services detected the issue and recovered themselves after 39 minutes, which is impressive on its own, and Microsoft has made changes to their volumetric spike detection system to reduce that window further. As we put more reliance on cloud service providers, it becomes important to fully understand what their service level objectives are and compare them with your maximum tolerable downtime. Understand and document what recourse is available during a service outage. If you implement monitoring to discover interruptions in service, make sure that it is configured in a way that your CSP will accept your findings as genuine. That may require monitoring from more locations and more sophisticated service checks than initially considered.
Read more in:
- Azure status history
- Microsoft says investigating issues with Microsoft 365 services and features
- Microsoft Cloud services were down for some users
- Microsoft outage caused by overloaded Azure DNS servers
CISA Now Overseeing .GOV Top Level Domain
An appropriations bill that passed US Congress late last year includes the DOTGOV Online Trust in Government Act, which moves oversight of the .gov top level domain from the General Services Administration (GSA) to the Cybersecurity and Infrastructure Security Agency (CISA) as of April 2021. Currently, just 10 percent of local governments have a .GOV domain.
- Now we just need to get state and local governments to actually use .gov domains. For example, here in Florida, one of these three domains is not run by the state. Guess which one: sunbiz.org, myflorida.com, stateofflorida.com. Consistent use of the .gov TLD will make it easier to spot imposters.
- Working with small agencies in the past, the barrier to entry for .GOV domains was just too high as compared to getting a free, or nearly free .US or .ORG domain. Not only does CISA need to get .GOV domains funded, the ROI and time to deliver must outweigh the ease of getting alternate domains. Agency leadership also has to be enrolled in supporting their use as well as informed of options such as grants for technical and non-technical items needed to support transitioning to the new domains.
Ransomware: Broward County Schools
Ransomware operators recently demanded a $40 million payment after infecting the Broward County Public Schools network. The Florida school district said it does not intend to pay the demanded ransom.
Read more in:
- Conti ransomware gang hits Broward County Schools with $40M demand
- Ransomware gang wanted $40 million in Florida schools cyberattack
Ransomware: CNA Website Operational, Email Functionality Restored
US insurance company CNA has acknowledged that a cyber incident that occurred in late March was a ransomware attack. As of Monday, April 5, the company’s website is operational, and CNA says it “has reestablished email functionality which is protected by multi-factor authentication and a security platform to help detect and block email threats.” The company has also employed additional security measures.
- Ben Wright and I are doing a talk at the RSA Conference in May: “How Risky is Cyberinsurance?” One issue we won’t have time to address is concentration of risk – if an insurer suffers a major incident (such as widespread exploitation of SolarWinds or Microsoft Exchange vulnerabilities) will the insurer be able to meet their financial obligations? In this case, S&P and other credit rating firms say they are not changing CNA’s credit rating. But, since many large enterprises do require supply chain/third-party partners to carry insurance, it is good to check for too large a percentage with a single cyberinsurance carrier.
- Implementing multi-factor authentication on email has to be a foundational setting we all use. Hosted email providers make this easy to implement. Avoid the temptation to allow VIPs and system administrators to opt-out. In short, they have more access and are more targeted than other users, making them more risky.
Read more in:
- CNA website back online after ‘sophisticated cybersecurity attack’
- CNA shares details about ransomware attack, recovery effort
- Security Incident Update (PDF)
Facebook Data Leak
Data belonging to more than 530 million Facebook users has been leaked on the darknet. Compromised data include names, phone numbers, birthdates, email addresses and other identifiers. The leak affects users from more than 100 countries.
- This appears to be data stolen in a 2019 breach. Even so, much of this data is still accurate. At that time the Facebook and Instagram function to search by phone number was removed. What has happened is that the data has been released, for free, and could be used for social engineering or SIM swapping campaigns. Make sure that your mobile number is protected from unauthorized swapping, your spam filters are configured and working, and review your identity/credit monitoring to make sure you are alerted upon use of your personal information.
- As Facebook’s European headquarters is based in Ireland, the Irish Data Protection Commission has released a statement in which the line “The DPC attempted over the weekend to establish the full facts and is continuing to do so. It received no proactive communication from Facebook” stood out for me. If Facebook are serious about the personal data of its users I would expect it to be actively informing the Data Protection Commission of its investigations into this issue. www.dataprotection.ie: DPC statement, re: Dataset appearing online
Read more in:
- 533 million Facebook users’ personal data leaked online
- Facebook data on 533 million users posted online
- 533 million Facebook users’ phone numbers leaked on hacker forum
- 533 Million Facebook Account Records Posted to Forum
- Facebook data for over 500M users reportedly leaks online
Kaspersky Researchers Discover a Cyberespionage Campaign Targeting Vietnam
Researchers from Kaspersky have found evidence of a cyberespionage campaign that employs sophisticated tactics to “make it significantly more difficult for researchers to reverse engineer the malware for analysis.” The campaign appears to be the work of Chinese state-sponsored threat actors; it targets Vietnamese government and military organizations.
Read more in:
- Spy Operations Target Vietnam with Sophisticated RAT
- The leap of a Cycldek-related threat actor
- Kaspersky Uncovers New APAC Cyberespionage Campaign
- Advanced threat actors up their game in new APAC cyberespionage campaign
Stanford University Medical School Discloses Accellion-Related Data Breach
In a message to the Stanford community, Stanford University Medical School said that it experienced a data breach that involved Accellion’s File Transfer Appliance file-sharing service. Threat actors have posted data taken from Stanford University Medical School on a leak site. The compromised information includes names, addresses, Social Security numbers, and financial data.
- A recurring theme with Accellion FTA users is not if they have been breached, but when. The FTA appliance was a secure mechanism for transferring sensitive data between service providers and business partners. Universities used them for student, faculty and staff data transfers, so the impact of exfiltrated data is very broad. If you still have an FTA appliance, it needs to be decommissioned and replaced. You will want to forensically analyze them to establish what data may have been accessed. If you don’t have in-house expertise, engage security services with direct experience with the FTA breaches to work with you through this process.
- One might conclude that open-source intelligence has failed to communicate this vulnerability. What does this say about the effectiveness of open-source intelligence? SANS is doing its part.
Read more in:
- Hackers leak Social Security numbers, student data in massive data breach
- Message to Stanford community on cybersecurity incident
- Statement on the School of Medicine Cybersecurity Incident
- Stolen Stanford data leaked after Accellion breach
Exchange Server: CISA Requires Agencies to Run Microsoft Safety Scanner
The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to “download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode” and “download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity.” Agencies must perform these actions by noon EDT on Monday, April 5. There are also hardening requirements that must be implemented by June 28, 2021. The new requirements were released as Supplemental Direction to CISA’s March 3 Emergency Directive 21-02.
- Everybody should run the Microsoft Safety Scanner for Exchange. Even if you patched as soon as the patch was released by Microsoft. The scanner isn’t perfect, but it is easy to run and you should assume that the system was compromised the day before the patch was released.
- The MSERT script is being updated frequently, so be sure to download the latest before performing these scans. The new requirements are not just to harden the OS of the servers, but also to verify that you’re employing the principle of least privilege for accounts on your Exchange server. Also note the requirement to not only be on supported OS and Exchange versions but also to apply patches within 48 hours of release, which leaves little time for regression testing and necessitates verified roll-back procedures.
Read more in:
- Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies
- CISA gives federal agencies 5 days to find hacked Exchange servers
- Emergency Directive 21-02 Supplemental Direction (March 31, 2021)
- Microsoft Safety Scanner
North Korean State-Sponsored Threat Actors Created Fake Security Company
North Korean state-backed hackers are once again targeting security researchers. This time, the threat actors have set up a phony offensive security company, replete with a website and associated social media accounts. The fake company, SecuriElite, says it is based in Turkey and that it offers penetration testing, software security assessments, and exploits. The same group of threat actors launched a campaign earlier this year involving phony social media accounts, from which they asked targeted researchers if they wanted to collaborate on a project.
Note: Just as you would for services used at home, you need to check references carefully when hiring a security firm. Use known good sources for references. If your industry peers haven’t heard of or don’t have direct experience with a firm, use caution or select again.
Read more in:
- Google: North Korean hackers are targeting researchers through fake offensive security firm
- North Korean hackers return, target infosec researchers in new operation
- Google: North Korean APT Gearing Up to Target Security Researchers Again
- Update on campaign targeting security researchers
Whistleblower: Ubiquiti Breach “Catastrophically Worse Than Reported”
In a letter to the European Data Protection Supervisor, a whistleblower wrote that a breach disclosed by Ubiquiti in January 2021 “was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers.” In a March 31 Update to January 2021 Account Notification, Ubiquiti disclosed that it was targeted by an unsuccessful extortion attempt in January.
- Transparency is key in a breach situation. Be clear about the scope and relevance of affected systems, as well as recovery efforts. Update your disclosure as new information becomes available to maintain the relationship with your customers and users. For third-party contracts, make sure that your security requirements flow down to sub-contractors and that your indemnification and liability clauses are sufficient to protect your business. If you’re using the Ubiquiti cloud management services and you have not changed your password since January 11th, both change it and implement MFA.
Read more in:
- Whistleblower: Ubiquiti Breach “Catastrophic”
- Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’
- Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges
- Ubiquiti breach puts countless cloud-based devices at risk of takeover
- Ubiquiti confirms extortion attempt following security breach
- Update to January 2021 Account Notification
Ransomware: University of Maryland Data Leaked
Ransomware operators are leaking data that appears to have been stolen from systems at the University of Maryland, Baltimore, and the University of California, Merced. The compromised data include tax documents, passport numbers, Social Security numbers (SSNs) and health savings plan enrollment forms.
Note: The Clop group has been harvesting data via Accellion FTA exploits. This dataset includes both employee and student data. While the universities have taken steps to prevent recurrence, employees and students need to make sure they are also taking steps to prevent identity theft for themselves and any family members also included on benefit, tuition, or grant application forms.
Medical Researchers Targeted in Phishing Campaign
A report from Proofpoint says that state sponsored threat actors have targeted medical researchers in the US and Israel with credential phishing attacks. The campaign began in December 2020. Proofpoint says “the tactics and techniques observed in BadBlood (Proofpoint’s name for the campaign) continue to mirror those used in historic TA453 (aka Charming Kitten) campaigns.”
- Capturing reusable credentials continues to be the “easy button” for getting access to systems and information. In this campaign they are using look-alike sites to harvest credentials, and while users may notice that 1drv[.]casa is not a legitimate Microsoft login site, many will miss that clue. The more complete solution is ubiquitous multi-factor authentication. Don’t allow any users to opt out, reducing the effectiveness of captured credentials. If possible, integrate your password processes with breach data checks to identify and trigger updates for passwords which have been breached.
- Almost every time I read a long report about a complex state-sponsored attack, in the first paragraph I’ll see “phishing” and “harvested login-credential.” After that will be catchy names for the threat actor or malware, and descriptions of what the attackers did after easily “harvesting credentials” – i.e., taking advantage of the use of reusable passwords by obvious targets, like sys admins, medical researchers during a pandemic, security researchers, CFOs, etc. There has been a lot of hype recently about “Zero Trust” architectures, which can’t exist when those targets are still using easily compromised credentials.
Read more in:
- BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
- Iranian credential thieves targeting medical researchers
- APT Charming Kitten Pounces on Medical Researchers
- Attackers Target Medical Research Staff with Credential Phishing Attacks
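The comment above notes that users will miss that 1drv[.]casa is not a Microsoft login site; a proxy-side check does not depend on users noticing. The following is an added example, not code from the newsletter or from Proofpoint: it flags hosts in web proxy logs that carry a Microsoft brand token but are outside an allowlist of Microsoft's own registrable domains. The allowlist, the log format and the log lines are constructed for illustration.

```python
"""Flag look-alike Microsoft login hosts in web proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# Registrable domains Microsoft uses for sign-in, OneDrive and Office.
# Assumption for this example: in production you would maintain this list
# from vendor documentation rather than from memory.
LEGIT_DOMAINS = {
    "microsoftonline.com", "live.com", "microsoft.com",
    "office.com", "onedrive.com", "1drv.ms", "sharepoint.com",
}

# Brand tokens whose presence in a non-allowlisted host is suspicious.
# Deliberately narrow ("login" and "office" alone would flag unrelated sites).
BRAND_TOKENS = ("1drv", "onedrive", "microsoft", "office365", "sharepoint")

# Constructed proxy log: ISO time, client IP, method, URL. Four of the
# five lines are benign; two hosts mimic Microsoft services.
SAMPLE_LOG = """\
2021-04-06T09:12:01Z 10.1.4.22 GET https://login.microsoftonline.com/common/oauth2/authorize
2021-04-06T09:12:44Z 10.1.4.22 GET https://1drv.ms/u/s!constructed
2021-04-06T09:13:10Z 10.1.4.31 POST https://1drv.casa/onedrive/login
2021-04-06T09:13:12Z 10.1.4.31 GET https://login-microsoft.example/oauth
2021-04-06T09:14:00Z 10.1.4.40 GET https://www.office.com/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def refang(host: str) -> str:
    """Turn threat-intel notation such as 1drv[.]casa back into 1drv.casa."""
    return host.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def registrable(host: str) -> str:
    """Last two labels of the host. Sufficient for the domains in this
    example; a real deployment would use the Public Suffix List."""
    labels = refang(host).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else refang(host)


def is_lookalike(host: str) -> bool:
    """True when the host carries a Microsoft brand token but its
    registrable domain is not one Microsoft owns."""
    h = refang(host)
    if registrable(h) in LEGIT_DOMAINS:
        return False
    return any(tok in h for tok in BRAND_TOKENS)


def suspicious_logins(log_text: str) -> list:
    """Return one record per log line whose host looks like a Microsoft
    sign-in or OneDrive site but is not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, client, method, url = m.groups()
        host = urlsplit(url).hostname or ""
        if is_lookalike(host):
            hits.append({"time": ts, "client": client,
                         "method": method, "host": host})
    return hits


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['host']}")
```

A POST to a flagged host is the higher-priority alert, since that is the point at which a credential may have been submitted.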
US Justice Dept. Warns of Vaccine Survey Phishing Campaigns
The US Justice Department says it has received reports of fraudulent COVID-19 surveys that are being sent to consumers in email and in text messages. The message says the recipient is eligible to receive a prize for answering the questions and asks them to provide a credit card number to pay shipping and handling.
Note: This takes its cues from the old Nigerian scam, where you are tricked into providing a small fee in exchange for a huge reward. And as in that scenario, the temptation to participate is heightened by the campaign message. As then, the task is to train users, friends and family to click only on links from known senders. The DOJ site below has links for not only reporting suspected phishing campaigns, but also references for users who may have provided information to fraudsters as well as protection measures for future use. As we are in tax season, consider an IRS Identity Protection PIN to prevent fraudulent filing of a tax return on your SSN. www.irs.gov: Get An Identity Protection PIN (IP PIN)
Read more in:
- US DOJ: Phishing attacks use vaccine surveys to steal personal info
- Justice Department Warns About Fake Post-Vaccine Survey Scams
SolarWinds: US Malware Analysis Report
The US Department of Homeland Security (DHS) and US Cyber Command are planning to release a malware analysis report that details malicious code allegedly used by the threat actors behind the SolarWinds supply chain attack. The report was initially scheduled to be released on March 31, but has since been delayed.
Read more in:
- US to publish details on suspected Russian hacking tools used in SolarWinds espionage
- USA to publish detailed analysis of SolarWinds hacking tools
Indictment in Kansas Water Utility Breach
US federal authorities have indicted Wyatt A. Travnichek for allegedly tampering with a public water system in Kansas. The incident occurred in late March 2019. Travnichek allegedly gained access to the Post Rock Rural Water District’s computer system and shut down cleaning and disinfection procedures. Travnichek has been charged with tampering with a public water system and reckless damage to a protected computer with unauthorized access.
Read more in:
- Feds Indict Kansas Man for Allegedly Hacking Into Water Supply
- Kansas man indicted in connection with 2019 hack at water utility
- Feds say man broke into public water system and shut down safety processes
- Indictment: Kansas Man Indicted for Tampering With a Public Water System
RSA: DHS Secretary Describes Planned 60-Day Cybersecurity Sprints
Speaking to a virtual audience at the RSA conference, US Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said that DHS and the Cybersecurity and Infrastructure Security Agency (CISA) are planning a series of 60-day sprints to address cybersecurity goals. There are six areas of focus, including ransomware, resiliency of industrial control systems at water and sewage treatment facilities, and election security. Mayorkas also noted the forthcoming executive order, which will aim to “advance the federal government’s ability to prevent and respond to cyber incidents.”
Executive Order to Address Breach Disclosure
Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Biden administration is working closely with the private sector on a forthcoming executive order, which is expected to make “fundamental improvements to national cybersecurity.” Among other elements, the draft executive order would require organizations that do business with the federal government to disclose network breaches within a matter of days.
- Breach disclosure, encryption at rest, and 2FA for companies working with the Federal Government appear to be the core themes of the pending order. When implementing encryption, have a clear understanding of where and when data is, and is not, encrypted. Contracts with the Federal Government already include incident response and disclosure requirements, with pre-identified contacts and defined timelines. Additionally, a clear understanding of how that information needs to be protected, where and when it is reported, and by whom, are key to maintaining trust in the business relationship. If you don’t have similar provisions in contracts with service providers, you need to add them.
- The first federal US breach notification law was proposed in 2003. Sad to see that 18 years later US legislators still have been unable to act in this area. Since several states have joined California in passing state level laws, most companies would prefer a federal standard requirement. So, action is badly needed on this and perhaps the FCC will tackle cell phone number spoofing, too.
Brown University Data Center Shut Down Following Cyber Incident
Brown University’s CIO and chief digital officer said they shut down the school’s data center after detecting “a cybersecurity threat to the University’s Microsoft Windows-based technology infrastructure” on March 30. The Computing and Information Services team has begun restoring systems.
Note: Many services are back online, or are being restored shortly. Brown University is using their Computing and Information Services Alerts page to provide status updates on impacted services. it.brown.edu: Computing & Information Services Alerts
Read more in:
- Brown U. cuts off data center after detecting ‘cybersecurity threat’
- IT Security Threat and Temporary Systems Outage
Harris Federation Ransomware Attack Affects 50 UK Schools
The UK’s non-profit Harris Federation, which operates 50 primary and secondary schools in London and Essex, has disclosed that it suffered a ransomware attack in late March. The incident occurred the same day the National Cyber Security Centre warned that ransomware operators are targeting the education sector. The attack affected servers, telephone systems, and email systems. Devices that the schools issued to students have also been disabled.
Read more in: