Cybersecurity News Headlines Update on April 24, 2021

iOS Now Lets Users Opt Out of Ad Tracking

Apple’s newest update for iOS, version 14.5, includes a new feature called App Tracking Transparency, which lets users choose whether or not to allow apps to track their activity across apps and websites owned by other companies. App Tracking Transparency gives users granular control, allowing them to make the decision for each app.

Note:

  • The important issue is that consumers increasingly have the choice (as they should) to decide how much of their personal info gets exposed, and they are increasingly choosing to reduce the exposure. That has been good news for app dev groups and DevOps methodologies that actually do focus on users’ wants and needs – software architects and DevOps leads listing “privacy” as one of their core business requirements is a good thing.
  • Initially Apple introduced IDFA, where you could disable the unique identifier for your device. With 14.5, applications will prompt for permission to track, with an optional message explaining why they want to track; and you can click “Ask App not to Track.” Note that the prompt will not show up where developers are tracking you across their own services, e.g., Facebook tracking you from their main platform to Messenger and Instagram.
  • This is more useful than the now-universal warnings about the use of cookies without distinguishing between native cookies (those used for saving state in the application) and tracking cookies.

Read more in:

Codecov: HashiCorp Key Compromised

HashiCorp says that its GPG code-signing and verification key was compromised as a result of the Codecov supply chain attack. The key has been rotated. Codecov learned earlier this month that threat actors accessed and modified Bash Uploader scripts to exfiltrate sensitive information.

Note:

  • For encryption and digital signatures to be more than placebos, essential security hygiene is needed to enforce strong access controls around the private keys. When code signing is used, processes/playbooks for how to perform revocation need to be established and periodically tested.
  • Supply chain attacks are so dangerous because they not only affect end-users (“consumers”) but also suppliers. This can lead to a snowball effect with one compromise of a key supplier leading to the compromise of additional suppliers with vastly different customers.
  • Private keys must not be stored online when not in use. That is what thumb drives are for.

Read more in:

Passwordstate Password Manager Suffers Supply Chain Attack

Customers of the Passwordstate password manager are being directed to reset their passwords following a supply chain attack that affected the Passwordstate update mechanism. The issue affects customers who implemented In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC. Manual upgrades were not affected.

Note:

  • The impact of the compromised code is increased as this is an enterprise password manager, as opposed to one for individual users. Providing an enterprise password manager is an excellent way to help users establish good passwords and minimize reuse. And as it is now a central repository of key sensitive information, due diligence is essential, not only for making sure updates are genuine, but also that security controls are fully implemented. Click Studios, the makers of Passwordstate, are posting advisories and updates (clickstudios.com.au: Incident Management Advisory) which include checksums of the bad DLL, suggested actions, a description of the exfiltrated data and status. Australian customers may also reach out to the Australian Cyber Security Centre (ACSC) for assistance at [email protected] or 1300 CYBER1.
  • Password managers are one of those “if you put all your eggs in one basket, you better really, really watch that basket” areas. This appears to have a narrow compromise window but the severity means that all PCs using the compromised Passwordstate software should be considered compromised until examined.
  • Another case of a supplier distributing malicious code, distributing code that it did not write, leaving others with a huge mess to clean up. Unlike SolarWinds, this code was not distributed to enterprises but to end-users, at least some of whom are enterprise users. We cannot put all the risk of supply chain compromises on the end users. We must hold suppliers accountable for distributing malicious code. Distributing only code that one originates is a much easier problem than never distributing code with errors or vulnerabilities.

Read more in:

Update Delivered by Law Enforcement in January is Now Deleting Emotet

Over the weekend, law enforcement officials activated code that erases Emotet malware from infected computers. In late January 2021, law enforcement agencies from several countries took control of Emotet’s command and control infrastructure. Shortly thereafter, Germany’s federal police agency, Bundeskriminalamt, began pushing out the update designed to remove Emotet.

Note:

  • The uninstaller was delivered by the captured Emotet C2 servers in late January with a self-destruct date of April 25th. The package addresses the two ways Emotet achieves persistence: either as a system service or a Run key. The Malwarebytes blog explains the behavior of the package and actions it takes. Per the US DOJ, the update was provided by foreign law enforcement using overseas C2 servers, not FBI agents. The delay between distribution and removal was to give time for responders to complete forensic analysis and cleanup of any other related malware.
  • The Emotet takedown appears to be one of the more successful takedowns in recent memory. A lot has been written about law enforcement pushing an update to remove the malware (similar also to recent law enforcement action against unpatched Exchange servers). I believe we should and hopefully will see more of the same in the future. Waiting for users to patch and fix their systems hasn’t been working and these systems become ticking timebombs waiting for additional infections, or being used to revive taken down botnets.

Read more in:

Radixx Says Malware Responsible for Reservation Systems’ Outage

Radixx has acknowledged that a security incident caused an outage of its Radixx Res reservation application. The outage affected reservations systems for approximately 20 low-cost airlines. Radixx says it “is taking steps to stand up a new Radixx application server environment.”

Read more in:

FAA Tells Private Jet Operators to Update Garmin Aviation GPS Now

The US Federal Aviation Administration (FAA) has published an Airworthiness Directive (AD) instructing private jet operators to install software updates for Garmin GTS 8000 series collision avoidance units. The devices have generated seven false Traffic Collision Avoidance System warnings, which could ultimately increase the likelihood of a collision. The AD is effective May 17, 2021.

Note: Our industry has a lot to learn from the FAA about how to distribute intelligence in a timely manner to those who can best, or must, act on it.

Read more in:

Follow-up: Univ. of Minnesota Researchers Apologize for “Hypocrite Commits”

Researchers from the University of Minnesota (UMN) have offered a written apology for submitting what they call “hypocrite commits” to the Linux kernel project. Last week, a Linux kernel project maintainer banned UMN from contributing to the project, reverted patches submitted by anyone with a umn.edu email address, and placed a “default reject” on any future patches submitted through umn.edu addresses. The maintainer said that they will not discuss the matter further until after the researchers and the university take action to satisfy the Linux community’s required actions.

Note: This is not how you partner with someone to improve processes. This is analogous to an unauthorized penetration test, causing more harm than the improvements envisioned at inception. It is commendable that the UMN both apologized and stopped the research efforts leading to the commits; more work is still needed to repair the damage. While the apology identifies that they didn’t achieve permission, current actions still don’t reflect they are following the processes for legitimate patch submission. This is now about regaining trust rather than fixing technical issues.

Read more in:

FBI/DHS/CISA Joint Warning About Russian State-Sponsored Hackers

The Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert describing activity conducted by Russian state-sponsored cyberthreat actors. The alert describes the group’s tactics, techniques, and procedures, which include password spraying and leveraging zero-day vulnerabilities. The alert recommends that organizations adopt security controls, including implementing multi-factor authentication (MFA) and “prohibit[ing] remote access to administrative functions and resources from IP addresses and systems not owned by the organization.”

Note: Even if you don’t think you are a target, review the US-CERT CISA Alert recommendations you can leverage across your organization: implementing MFA, making sure that newly provisioned systems are configured to an appropriate security baseline, and actively monitoring services for abuse. Additionally, make sure that your user verification processes are still robust. Make sure that adjustments made for a fully remote workforce didn’t introduce gaps an attacker can leverage to get legitimate credentials.

Read more in:

Apple Patches “Worst macOS Bug in Recent Memory”

Apple has released a fix for a vulnerability in macOS that let hackers bypass Apple security features including Gatekeeper, File Quarantine, and app notarization requirements. The flaw has been exploited in the wild. Researcher Patrick Wardle has referred to the vulnerability as “the worst macOS bug in recent memory.” Users are urged to update to macOS (Big Sur) 11.3.

Note:

  • Labeling this vulnerability the “worst in recent memory” may be overhyping it a bit, but while exploitation still requires a user to willingly install malware, the vulnerability evades all controls Apple put in place in recent years to prevent just that from happening. Upgrade quickly.
  • At core, the Apple protections assumed applications would have a file “info.plist.” An application, which is actually a script and doesn’t contain that file, would bypass the security check, including the mandatory notarization check, and be executed. In addition to the macOS update, XProtect has also been updated to detect and warn on attempts to exploit the flaw, which means that protection will also be available to users of older macOS versions. While the XProtect update is installed automatically, the macOS update is not. Apple released updates to Big Sur, Mojave, and Catalina this week to address multiple vulnerabilities; you’ll want to get those all queued up for installation.
  • The telling quote is in the Wired story: “The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes.” This type of flaw is pretty much at the level of buffer overflows.
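The note above describes the broken assumption (every application has an Info.plist and a real executable). As an added triage aid, not Apple’s code or the researcher’s, the following script walks a directory tree and flags .app bundles that lack Contents/Info.plist, whose declared executable is missing, or whose executable is a script rather than a Mach-O binary. The sample bundles it builds are constructed fixtures; run `scan_tree("/Applications")` on a real system.

```python
"""Flag .app bundles that violate the assumptions macOS's checks relied on."""
import os
import plistlib
import tempfile

# Magic numbers for 32/64-bit Mach-O (both byte orders) and fat/universal binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def _is_macho(path):
    """True if the file begins with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def inspect_bundle(bundle):
    """Return a list of findings (strings) for one .app bundle; empty means clean."""
    findings = []
    contents = os.path.join(bundle, "Contents")
    plist_path = os.path.join(contents, "Info.plist")
    macos_dir = os.path.join(contents, "MacOS")
    listing = sorted(os.listdir(macos_dir)) if os.path.isdir(macos_dir) else []

    if not os.path.isfile(plist_path):
        findings.append("missing Contents/Info.plist")
        executables = listing  # nothing declares the main binary, so check all of them
    else:
        try:
            with open(plist_path, "rb") as fh:
                info = plistlib.load(fh)
        except Exception as exc:
            findings.append(f"unreadable Info.plist ({exc.__class__.__name__})")
            info = {}
        exe = info.get("CFBundleExecutable")
        if not exe:
            findings.append("Info.plist lacks CFBundleExecutable")
            executables = listing
        else:
            executables = [exe]

    for name in executables:
        exe_path = os.path.join(macos_dir, name)
        if not os.path.isfile(exe_path):
            findings.append(f"declared executable {name!r} not found")
        elif not _is_macho(exe_path):
            findings.append(f"executable {name!r} is not a Mach-O binary (script?)")
    return findings


def scan_tree(root):
    """Walk root and return {bundle_path: findings} for every bundle with findings."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                bundle = os.path.join(dirpath, d)
                findings = inspect_bundle(bundle)
                if findings:
                    results[bundle] = findings
                dirnames.remove(d)  # do not descend into the bundle itself
    return results


def build_sample_tree(root):
    """Constructed fixtures: one well-formed bundle and one plist-less script bundle."""
    good = os.path.join(root, "Good.app", "Contents")
    os.makedirs(os.path.join(good, "MacOS"))
    with open(os.path.join(good, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Good"}, fh)
    with open(os.path.join(good, "MacOS", "Good"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # fake 64-bit Mach-O header
    bad = os.path.join(root, "Dropper.app", "Contents", "MacOS")
    os.makedirs(bad)
    with open(os.path.join(bad, "Dropper"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")  # a script, and no Info.plist


def demo():
    """Build the constructed sample tree in a temp dir, scan it, return (root, results)."""
    tmp = tempfile.mkdtemp()
    build_sample_tree(tmp)
    return tmp, scan_tree(tmp)


if __name__ == "__main__":
    root, results = demo()
    for bundle, findings in results.items():
        print(bundle)
        for finding in findings:
            print("  -", finding)
```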

Read more in:

More Than One-Fifth of PC Users are Running Windows 7

Kaspersky says that based on analysis of anonymized OS metadata, 22 percent of PC users are running end-of-life Windows 7. Microsoft discontinued support for Windows 7 in January 2020. Kaspersky says that 72 percent of PC users are running Windows 10.

Note: Ignoring special purpose systems which have to run Windows 7, such as an instrument controller or oscilloscope, general purpose systems need to move to a supported OS. The common argument is that the old system is fully functional, typically followed by not wanting to learn a new OS. Because there are no fixes or support for these systems, they need to be isolated as they are no longer sufficiently secure for Internet access. This is further complicated by cloud migrations which require these systems to have Internet access. The good news is that new versions of applications are unlikely to operate on Windows 7 systems, either because the OS isn’t supported or because the hardware is not sufficient for their needs, which can be used to drive the conversation.

Read more in:

UK’s Secure By Design Plan Now Includes Smartphones

The UK’s Department for Culture, Media and Sport (DCMS) has added smartphones to its Secure by Design plan. Makers of Internet of Things devices, including smartphones, tablets, and other gadgets, will be required to disclose when they plan to stop providing security support for devices at the time the devices are introduced to market. Makers of smart devices will also be prohibited from shipping default admin passwords for those devices. They will also have to offer a single point of contact for reporting vulnerabilities and obtaining updates. DCMS is pushing for Secure by Design to become law.

Note:

  • The intent is to drive a consistent security standard across Europe. The disclosure of product support duration is supposed to happen at the point of sale, and is now expanded to include smartphones. The challenge is for consumers and small businesses, who may be unaccustomed to thinking about support end dates, to add this to their lifecycle planning, including sufficient lead time to plan and test replacements.
  • These are sensible requirements that shouldn’t be too hard to comply with. In particular, the idea of publishing an “end of support” date is important. Some software and hardware manufacturers already do so, but usually only for more professional devices. It may also lead to longer support time frames if customers are able to verify the expected time the device will be supported.
  • We expect Microsoft to publicly state how long versions of Windows will be supported; the same should be true of everything else with software that can be updated. The software industry has long evaded any possibility of being required to provide warranty for software; regulations like this are needed.
  • No other infrastructure, from food to finance, has gone three generations without government safety regulation. It is ironic that cyber is the only exception, since it is now used to operate all the others. One necessary measure will be to hold suppliers accountable for the quality of their output.

Read more in:

Pulse Connect Secure VPN Vulnerabilities

Mandiant investigated multiple intrusions at government, defense, and financial organization systems around the world. “In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.” The Pulse Connect Secure VPN appliances were compromised via authentication bypass. Mandiant is tracking a dozen malware families that are involved with exploiting vulnerabilities in Pulse Connect Secure VPN devices. In all, four security issues are involved, three of which were patched in 2019 and 2020. A tool is available to help organizations determine whether their installations have been impacted. Pulse Secure will provide customers who have been impacted with advanced mitigations.

Note:

  • The exploit bypasses 2FA authentication, not just reusable credentials. If you’re running a Pulse Connect Secure VPN, run the Pulse Security Integrity Checking Tool (https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s) to verify the integrity of your installation – note the tool will reboot your VPN appliance. Make sure that you’re on a supported version of their software; updates will not be provided for End of Engineering (EOE) or End of Life (EOL) versions. Make sure that you’re actively updating and monitoring the software and security configuration of your VPN, to include running integrity checks on a regular basis.
  • Pulse VPN appliances keep on giving to the bad guys, and I still do not see an estimated delivery date for patches. With active exploitation under way, please follow the mitigating steps noted in the advisory and hope for the best.

Read more in:

Linux Kernel Project Maintainer Bans Univ. of Minnesota Over Malicious Commits

A Linux kernel project maintainer has banned the University of Minnesota (UMN) from contributing to the project after UMN researchers deliberately submitted malicious code commits. The Linux kernel project maintainer has also said they will revert any code commits that came from a UMN email address. “Commits from @umn.edu addresses have been found to be submitted in ‘bad faith’ to try to test the kernel community’s ability to review ‘known malicious’ changes. Because of this, all submissions from this group must be reverted from the kernel tree and will need to be re-reviewed again to determine if they actually are a valid fix.” The commits in question are the subject of a research paper scheduled to be presented at the IEEE Symposium on Security and Privacy in May.

Note:

  • The open source community is largely built on trust, not on reviewing each other’s code carefully for security vulnerabilities. So it is reasonable to expect a strong reaction from Linux kernel maintainers if researchers use the kernel development process in security experiments. However, the exact facts are not quite clear in this case. The researchers state that they only suggested patches on mailing lists, and spoke up before these patches were included in any actual code repositories. The Linux kernel maintainers point to a large list of commits that they reverted. But many of these commits are not related to the research, and some actually patched unrelated security flaws, which may now end up being “unpatched” again. The real problem here may rest with the university’s Institutional Review Board approving the research. I find that the fallout clearly shows that this research involved people, and people’s reactions to the experiment are what we are seeing now.
  • Perhaps in no other community is it so difficult to distinguish the good guys from the bad, the rogues from the merely mischievous, those who are part of the problem from those who are part of the solution.

Read more in:

Laptop Manufacturer Quanta Suffers Ransomware Attack

Quanta Computer, which manufactures laptops for multiple companies, including Apple, has acknowledged that it was the victim of a ransomware attack. The ransomware operators have begun posting files they claim to have taken during the attack; the files include schematics, dated March 2021, that are allegedly for a MacBook design.

Note: Quanta refused to pay REvil’s ransom, and now the operators are asking Apple to pay by May 1st. The ransom is currently set to $50 million and goes to $100 million after April 27th. While Apple is not expected to pay, expect that Quanta’s customers (including Apple, HP, Alienware, Dell, Lenovo, Cisco and Microsoft) will be demanding a full accounting of the breach as well as a review of mitigations taken to prevent recurrence to retain their business. Having clear documentation of where data resides and third-party liability agreements are key in this situation. A determination has to be made as to exactly what was exfiltrated and the value determined to drive next steps. You’ll want your legal team at the table.

Read more in:

SonicWall Issues Fixes for Email Security Tool Vulnerabilities

SonicWall has released updates to address three vulnerabilities affecting its Email Security (ES) product. The flaws could lead to unauthorized administrative account creation, post-authentication arbitrary file upload, and post-authentication file read. They have been exploited together to gain administrative access and execute code on vulnerable devices. The issues affect both the hosted and on-premises versions of ES.

Note: This vulnerability only affects the SonicWall email appliance, not the firewall. SonicWall published some rules for its firewall products to mitigate these vulnerabilities.

Read more in:

US Power Grid Cybersecurity Plan

The White House has released its 100-day power grid cyber security plan. One of the plan’s central strategies is developing a stronger relationship between national security agencies and the electric utility systems, which are largely private. The plan will be managed by the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Energy.

Note: The effort includes a new Request for Information (RFI) to get input from electric utilities, electric companies, academia, research laboratories, etc. to build recommendations for future security including preventing exploitation and attacks by foreign threats. The RFI is due by June 7th and is located on the Federal Register (www.federalregister.gov/documents/2021/04/22/2021-08482/notice-of-request-for-information-rfi-on-ensuring-the-continued-security-of-the-united-states). Responses can be made via email or in writing via US-mail, and will be posted on DOE’s Securing Critical Electric Infrastructure web page (www.energy.gov/oe/securing-critical-electric-infrastructure).

Read more in:

US Government Agencies Affected by Pulse Secure Connect VPN Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that networks at several federal agencies were affected by threat actors exploiting vulnerabilities in Pulse Connect Secure devices. Mandiant suspects that one of the groups exploiting the vulnerabilities has ties to China.

Note: Mandiant reports they are tracking twelve malware families and multiple hacking groups tied to exploiting the flaws. Beyond wondering whether you are a target or not, make sure that you’ve applied the updates and are on supported software versions.

Read more in:

CISA Issues Emergency Directive Regarding Pulse Connect Secure

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive instructing federal agencies to mitigate vulnerabilities in Pulse Connect Secure devices by 5:00pm EDT on Friday, April 23. Agencies are required to run the Pulse Connect Secure Integrity Tool every 24 hours.

Note:

  • If hash mismatches or newly deleted files are discovered after running the Integrity Tool, your device has to be immediately isolated (while powered on) and forensically analyzed. Devices can be returned to service once they have a clean bill of health, to include the steps in Appendix A of ED 21-03. In addition to running the tool, it is expected that agencies will apply updates within 48 hours of their release.
  • Government agencies are historically slow to patch and became even slower when they had to support large numbers of work from home employees as the pandemic hit. The level of compromise of the old PulseSecure flaws and the emergence of the latest vulnerability justify an edict for emergency action.

Read more in:

Dept. of Justice Forms Ransomware Task Force

The US Department of Justice (DoJ) has convened The Ransomware and Digital Extortion Task Force. The task force will include officials from the DoJ’s National Security Division, Criminal Division, Civil Division, Executive Office of U.S. Attorneys, and the FBI and will be overseen by Acting Deputy Attorney General John Carlin. (Please note that the WSJ story is behind a paywall.)

Read more in:

Codecov Attackers Accessed Hundreds of Customer Networks

Investigators say that the threat actors who altered Codecov’s Bash Uploader script harvested customers’ credentials and used them to gain access to hundreds of Codecov customers’ networks. The initial Bash Uploader breach went undetected for several months.

Note: Use strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), by default. Fraudulently reusable credentials constitute a major weakness in our infrastructure. Use strong authentication to protect the infrastructure even if you think that your application and environment do not require it. The ubiquitous mobile and biometrics make it both cheap and convenient. No excuses.

Read more in:

MasterCard Acquires Ekata

MasterCard has acquired identity verification company Ekata. According to a press release, “Ekata’s identity verification data, machine learning technology and global experience combined with Mastercard’s fraud prevention and digital identity programs will help businesses confidently know who their customers are and, in turn, help those customers safely interact online.”

Note:

  • The credit card companies have been buying up vendors in the fraud detection and identity proofing markets, which together represent $30B in annual revenue – which is about equal to what the estimates are for online fraud costs to financial institutions. However, false declines – transactions denied because of false positives in fraud detection – cost the financial industry 5x as much per year as fraud. Just like in phishing attacks, all this spending and cost is due to the use of easily compromised reusable passwords. The European Banking Authority is mandating Strong Customer Authentication under Payments Services Directive 2, which has been rolling out in 2021 and has the potential to shift fraud liability from merchants to the card issuers, another factor driving card brand/issuer spending in this area.
  • The card brands really do need to get their house in order. All the new detection technology cannot compensate for the fundamental vulnerability, Primary Account Numbers in the clear, that they have no plan to fix.

Read more in:

Wordfence: Remove Kaswara Modern WPBakery Page Builder Addons WordPress Plugin

A critical vulnerability in the Kaswara Modern WPBakery Page Builder Addons premium WordPress plugin is being actively exploited. The flaw allows “unauthenticated attackers to upload malicious PHP files to a WordPress site and ultimately achieve remote code execution to take over the site.” The plugin also contains several vulnerable endpoints that can be exploited to delete files and inject JavaScript. Wordfence recommends that users remove the plugin as it is no longer maintained.

Note: This is an actively exploited vulnerability with no available update. Because the plugin is not maintained, no update is expected, necessitating prompt retirement and uninstallation of this plugin. While paid Wordfence users have firewall rules as of April 21st, free users will not have those until May 21st.

Read more in: PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately

Update Contact Form 7 WordPress Plugin to Fix Severe Flaws

WordPress users are urged to update the Redirection for Contact Form 7 plugin to address three severe vulnerabilities. The flaws could be exploited to generate arbitrary nonces, install arbitrary plugins and inject PHP Objects, and delete arbitrary posts. The most current version of the Redirection for Contact Form 7 plugin is 2.3.5.

Note:

  • The good news is the plugin maintainers released an update within 24 hours of confirming reports of the flaw, indicating the team is actively engaged and committed to maintaining the security of the plugin. Verify you’ve updated the plugin, and even if updated, uninstall it if you are not actively using it. Wordfence released firewall rules February 11th and March 13th for the paid and free versions.
  • Hardly a week goes by that vulnerabilities in WordPress plugins are not identified. Plug-ins should be used only by design and intent, never by default, and they must be managed.

Read more in: Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin

QNAP Fixes Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync

QNAP has released updates to address a critical vulnerability affecting its HBS 3 Hybrid Backup Sync. The flaw can be exploited to access QNAP network attached storage (NAS) devices using hardcoded credentials. Users are urged to upgrade to the latest version of HBS.

Note:

  • Please use my comment from prior issues of NewsBites: “DO NOT EXPOSE YOUR NETWORK STORAGE DEVICES TO THE INTERNET. EVER.” I will stop typing now and patch my QNAP device. (But I likely uninstalled this utility during setup.)
  • Hard coded credentials solve short term problems, but leave you open to exploit when discovered. Make sure not only that you are updating the software on your NAS devices, but also that they are only accessible from authorized devices, including limiting remote management to local devices only. Review them for unexpected accounts and applications, removing these when discovered.
  • “Hard-coded credentials” is the kind of bad practice that the UK effort is intended to identify and discourage.

Read more in:

Codecov Bash Uploader Was Compromised for Three Months

Earlier this month, Codecov discovered that a threat actor modified their Bash Uploader script. The threat actor was able to obtain unauthorized access due to “an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify” the script. Codecov’s investigation found that the Bash Uploader script had been altered several times starting on January 31, 2021. The changes allowed the threat actor “to potentially export information stored in our users’ continuous integration (CI) environments.”

Note:

  • If you had any keys, credentials or tokens in your CI environment, and you’re using the Codecov CI runner which includes their Bash Uploader, you need to consider them compromised and you need to start revoking/updating or creating new ones. Also make sure that digital signatures are verified when doing updates. Even if you’re running an internal deployment, make sure you’re running the known-good versions of the software.
  • Yet another software supply chain compromise. Just like similar compromises, we may see additional fallout from this as the attackers behind this were able to harvest some credentials used in CI/CD pipelines. If you are using Codecov, and were affected, make sure you update your credentials (and also look into methods to automatically rotate them from time to time).
  • Two important aspects to this item: (1) Attackers are increasingly focusing on the tools used by developers, which are often built without emphasizing security and often go untested even when they are used in a software development lifecycle that includes security testing of the end software product; (2) The Register piece quotes a survey of developers by the Open Source Software Security Foundation (the 2020 consolidation of the Open Source Security Coalition and the Core Infrastructure Initiative) that says developers of free and open source software spend less than 3% of their time on security and feel even that is too much. While the DevOps movement has shown promising trends in making security and privacy “guard rails” be considered intrinsic requirements, it has not resulted in developers magically becoming security experts or champions.
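The notes above (and the Passwordstate and Pulse Secure items earlier, which likewise turn on published checksums and integrity-tool hash mismatches) call for verifying fetched build tooling before a CI job executes it. The following is an added example, not Codecov’s, Click Studios’ or Pulse Secure’s code: it checks a directory against a pinned SHA-256 manifest in `sha256sum` format, cross-checks against a set of known-bad hashes such as a vendor advisory would publish, and refuses to run when anything is off. All file contents and hashes it uses are constructed placeholders.

```python
"""Verify downloaded CI helpers against a pinned checksum manifest before running them."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hex>  <name>' lines (sha256sum output format) into {name: hex}."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        expected[name] = digest
    return expected


def verify_directory(directory, manifest_text, known_bad=frozenset()):
    """Return {name: status} with status in ok/mismatch/missing/unlisted/known-bad."""
    expected = parse_manifest(manifest_text)
    report = {}
    present = set(os.listdir(directory))
    for name, digest in expected.items():
        if name not in present:
            report[name] = "missing"
            continue
        actual = sha256_of(os.path.join(directory, name))
        if actual in known_bad:
            report[name] = "known-bad"   # matches a hash a vendor advisory flagged
        elif actual != digest:
            report[name] = "mismatch"    # tampered, or the manifest is stale
        else:
            report[name] = "ok"
    for name in present - expected.keys():
        report[name] = "unlisted"        # a file the manifest never vouched for
    return report


def safe_to_run(report):
    """Run the tooling only when every listed file verified and nothing extra appeared."""
    return bool(report) and all(status == "ok" for status in report.values())


def demo():
    """Constructed scenario: a pinned uploader script, then a tampered copy of it."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "uploader.sh")
    good = b"#!/bin/bash\n# constructed stand-in for an uploader script\necho upload\n"
    with open(script, "wb") as fh:
        fh.write(good)
    manifest = f"{hashlib.sha256(good).hexdigest()}  uploader.sh\n"
    before = verify_directory(tmp, manifest)

    tampered = good + b"echo tampered  # constructed modification appended by someone else\n"
    with open(script, "wb") as fh:
        fh.write(tampered)
    # Same tampered file, first with no advisory data, then with its hash published as bad.
    unknown = verify_directory(tmp, manifest)
    flagged = verify_directory(tmp, manifest, known_bad={hashlib.sha256(tampered).hexdigest()})
    return {"before": before, "tampered_unknown": unknown, "tampered_known_bad": flagged}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, report, "-> run" if safe_to_run(report) else "-> refuse")
```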

Read more in:

August 2020 VirusTotal Upload is One of the SolarWinds Backdoors

Brian Krebs reports that a file uploaded to VirusTotal in August 2020 has been identified as one of the backdoors used in the SolarWinds supply chain attack. Analysis indicates that the individual who flagged the file as suspicious works in IT at the National Telecommunications and Information Administration (NTIA), which is a division of the US Department of Commerce. Microsoft and FireEye both published blog posts about the backdoor in early March. In December 2020, the Wall Street Journal reported that NTIA was among the agencies that had been seriously affected by SolarWinds.

Note:

  • The VirusTotal screenshot shows that as of last week, 54 of 70 security vendors flagged this file as malicious, but it does not show what the identification rate was when the malicious file was first submitted. Despite a lot of hype around Artificial Intelligence/Machine Learning solving malware as a problem, servers running critical applications with privileged access on sensitive network segments should have strong application control/permission management security policies in place, not just rely on endpoint detection and response agents.
  • I find the combination of exploits and techniques used in an attack fascinating and educational. This is also a stark reminder that defense in depth is as prudent as ever. Leverage these types of disclosures to make sure that you don’t have a similar weakness. In this case make sure you’ve applied the updates to VMware Workspace One Access which address CVE-2020-4006.

Read more in: Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?

Vulnerabilities in OpENer EtherNet/IP Stack

Five security issues in the OpENer EtherNet/IP Stack could be exploited to lead to remote code execution, read arbitrary data, or cause a denial-of-service condition. Four of the vulnerabilities were detected by researchers at Claroty; a fifth was detected last year by Cisco Talos. The issues affect all OpENer commits and versions prior to February 10, 2021.

Note:

  • We had a long list of basic IP stack vulnerabilities like this this year, for example the Treck IP Stack and Name:Wreck vulnerabilities. Many affect IoT devices, and have in common that they are difficult or impossible to patch. Network segmentation appears to be the only workaround to help.
  • This can be exploited by sending specially crafted packets to vulnerable devices. OpENer is an EtherNet/IP stack for I/O adapter devices. If you’ve incorporated it yourself, you can apply the latest commits from their repo and update your stack. More likely it’s embedded in your control systems. You’re going to want to use the US-CERT/CISA mitigations below including segmentation, applying updates when available and blocking them from either Internet access or direct access from your corporate net.
  • EtherNet/IP is widely used where both TCP/IP and the Common Industrial Protocol are used. The Open DeviceNet Vendors Association (ODVA) manages the standard and product conformance testing and lists over 100 products using the EtherNet/IP stack. Segmentation around industrial networks should be reviewed/strengthened since discovery and remediation will be complex.

Read more in:

SolarWinds: CERT-EU Says Six EU Agencies Affected

Officials from CERT-EU say that 14 EU agencies were running the SolarWinds Orion IT monitoring platform, and that of those, six were affected by the supply chain attack. Without offering details, CERT-EU said that some agencies experienced “significant impact” and that some personal data were compromised.

Note: The risks from this attack weren’t limited to agencies. If you’ve not looked at your SolarWinds install for IOCs, go to the CISA site (us-cert.cisa.gov: Alert (AA20-352A) | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations) for vulnerability information, mitigations as well as IOCs. Make sure there are no remnants, forgotten or unpatched installations.
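The IOC sweep the note recommends, as an added example that is not code from the newsletter or from CISA: hash every file under the given roots, compare against a set of known-bad SHA-256 values, and separately surface anything whose name looks like a forgotten Orion install so it can be reviewed by hand. The IOC value and file contents below are constructed placeholders, not real SUNBURST hashes; for a real sweep, load the hashes published in CISA Alert AA20-352A and your vendor feeds.

```python
"""Offline IOC hash sweep (added example, constructed IOC data)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(roots, ioc_hashes, name_patterns=("solarwinds", "orion")):
    """Return (hits, suspects).

    hits:     files whose SHA-256 is on the IOC list, as (path, digest)
    suspects: files not on the list whose name suggests an Orion component,
              which is what a remnant or forgotten installation looks like
    """
    wanted = {h.lower() for h in ioc_hashes}
    hits, suspects = [], []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for filename in filenames:
                path = Path(dirpath) / filename
                try:
                    digest = sha256_of(path)
                except OSError:
                    continue  # unreadable: log it in a real sweep, keep going
                if digest in wanted:
                    hits.append((str(path), digest))
                elif any(pat in filename.lower() for pat in name_patterns):
                    suspects.append(str(path))
    return hits, suspects


# Constructed sample data: a blob whose hash we *pretend* is an IOC, a benign
# file that merely carries an Orion-like name, and an unrelated file.
CONSTRUCTED_BAD = b"constructed stand-in for a backdoored Orion DLL"
CONSTRUCTED_IOCS = {hashlib.sha256(CONSTRUCTED_BAD).hexdigest()}


def demo():
    """Build a throwaway directory tree and sweep it; returns (hits, suspects)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Orion").mkdir()
        (root / "Orion" / "SolarWinds.Orion.Constructed.dll").write_bytes(CONSTRUCTED_BAD)
        (root / "Orion" / "OrionWeb.dll").write_bytes(b"benign constructed content")
        (root / "notes.txt").write_bytes(b"unrelated")
        return sweep([root], CONSTRUCTED_IOCS)


if __name__ == "__main__":
    found, to_review = demo()
    print("IOC hits:", found)
    print("review by hand:", to_review)
```

Hash matches are the easy part; the `suspects` list is what catches the unpatched or forgotten installation that no longer matches any published hash but still runs with Orion's privileges.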

Read more in: SolarWinds hack affected six EU agencies

SolarWinds: H-ISAC Insights

The Health Information Sharing and Analysis Center (H-ISAC) has published a report aimed at helping organizations in the health care sector better protect their systems and better respond to incidents in the future. The report, Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event, “provides detailed technical analysis and recommendations for IT and information security teams to help address immediate concerns by providing tactical mitigations and recommendations.”

Read more in:

White House Scaling Back SolarWinds and Exchange Server Unified Coordination Groups’ Surge Efforts

The Biden Administration is standing down task forces established in response to the SolarWinds and Exchange Server Incidents. A statement by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger notes that “due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures.”

Note:

  • While you may see fewer alerts from CISA on Orion or Exchange, the importance of monitoring for malicious behavior and keeping secure updated configurations doesn’t change. Make sure your supply chain security plans include monitoring for maleficence or unusual behavior, introduced by an unchecked malicious update, such as today’s Codecov Bash Uploader story.
  • We cannot patch our way to security. If we did not already know that, SolarWinds should convince us. While further remediation efforts may have diminishing returns, the “supply chain” as a means of compromising thousands of enterprises at a time demands a policy response. Those who recklessly, or even negligently, distribute malicious code (as opposed to those who distribute vulnerable code through error) must be held accountable.

Read more in:

Mandiant Describes OT Red Team Smart Meter Exercise

In a simulated attack scenario, Mandiant’s OT (operational technology) Red Team made its way into an industrial control system at a North American utility and shut off a smart meter. The team “leveraged weaknesses in people, process, and technology to gain remote access from the public Internet and to achieve a set of pre-approved objectives in the OT environment.”

Read more in:

BGP Routing Leak

On Friday, April 16, a Border Gateway Protocol (BGP) routing leak from Vodafone’s India-based autonomous system (AS55410) caused network and website connectivity issues around the world. The autonomous system experienced an inbound traffic spike 13 times greater than normal. The incident lasted approximately 10 minutes.

Note: BGP routing leaks will continue to happen. There are technologies to prevent them, but universally adopting them is difficult. Ultimately, you do not control where packets are going after they leave your network. Properly configured TLS is your best bet to mitigate the threat.
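The main prevention technology the note alludes to is RPKI route origin validation (RFC 6811). The following is an added example, not code from the article or any router vendor, showing the validation decision a router makes for one announcement against a set of Route Origin Authorizations. The ROAs, prefixes and AS numbers are constructed (documentation prefixes, private-use ASNs).

```python
"""RPKI route origin validation (RFC 6811) as an added example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce under it
    origin_as: int    # AS authorized to originate the prefix


def validate_route(announced_prefix: str, origin_as: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    A ROA covers the announcement when the announced prefix lies inside the
    ROA prefix. Among covering ROAs, any one naming this origin AS whose
    maxLength admits the announced length makes the route valid. Covering
    ROAs with no match mean 'invalid' (misorigination or hijack). No covering
    ROA at all means 'not-found': RPKI says nothing about this prefix.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def accept(announced_prefix: str, origin_as: int, roas) -> bool:
    """Common operator policy: drop 'invalid', accept 'valid' and 'not-found'."""
    return validate_route(announced_prefix, origin_as, roas) != "invalid"


# Constructed ROA set (what a validator would fetch from the RIR repositories).
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # AS64500 may announce exactly the /24
    ROA("2001:db8::/32", 48, 64500),    # AS64500 may announce /32 .. /48 under it
]

if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64500), ("203.0.113.128/25", 64500),
                        ("203.0.113.0/24", 64501), ("198.51.100.0/24", 64500)]:
        print(prefix, asn, validate_route(prefix, asn, SAMPLE_ROAS))
```

Two caveats follow directly from the logic. A more-specific announcement beyond maxLength (the /25 above) is invalid even from the right origin, which is how ROV blunts hijacks by more-specifics. But a route leak in which the legitimate origin is still present in the path, as in the Vodafone incident, validates as "valid" because ROV only checks the origin, not the path; that is why the note falls back to TLS as the practical mitigation for the traffic itself.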

Read more in: Major BGP leak disrupts thousands of networks globally

Mozilla is Disabling FTP in Firefox 88, Removing it Entirely in Firefox 90

When Mozilla releases Firefox 88 this week, the browser will by default have FTP disabled. A Mozilla Add-ons Blog post reads, “To help offset this removal, ftp has been added to the list of supported protocol_handlers for browser extensions. This means that extensions will be able to prompt users to launch a FTP application to handle certain links.” When Firefox 90 is released in June 2021, FTP implementation will be removed entirely.

Note:

  • There is a lot of really bad code being patched and carried along in many products that really should be rewritten or removed – does anyone really miss Flash? While this move by Mozilla really just means that browser extensions will be launched if FTP is needed, it is good to see all of the browser vendors jettisoning minimally useful functions and reducing browser complexity.
  • This means you’re going to need a browser extension to perform FTP from your browser, or better still use an FTP application for those times where you still need it. Most file transfer services now use web servers for downloading files rather than FTP.
  • File transfer is a useful, not to say necessary, function. However, the continued use of historically broken tools continues to leak information and must end.

Read more in:

Google’s FLoC is Not Gaining Traction Anywhere Except Chrome

Major browsers have said they do not plan to enable Google’s newly introduced Federated Learning of Cohorts or FLoC, ad tracking technology. Multiple browsers, including Microsoft Edge, Brave, Opera, and Firefox, have indicated they will not enable the technology, noting that “FLoC … materially harms user privacy under the guise of being privacy-friendly” (Brave) and “We do not support solutions that leverage non-consented user identity signals, such as fingerprinting” (Microsoft). In addition, WordPress has proposed treating FLoC as a security vulnerability. Earlier this month, the Electronic Frontier Foundation wrote that “The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process.”

Note:

  • FLoC seems to be changing generally available cookies for grouping based on browser history for more targeted advertising as defined by Google. The predominant response towards tracking is to have an environment of opt-in, explicit permission for tracking rather than implicit tracking. Unfortunately all the browser manufacturers are coming at it slightly differently. Until the W3C comes out with a new standard, make sure that you’re enabling privacy options, with the exception of FLoC. Chrome users can opt-out of FLoC by either going to Settings, Privacy and Security, Cookies and Other Site Data and selecting “Block third-party cookies” or by installing the DuckDuckGo extension for Chrome.
  • It is generally a good idea to treat any “privacy enhancement” initiative from a company that monetizes their customers’ personal data with a large dose of skepticism.

Read more in:

WordPress Update Includes Fixes for Two Security Issues

WordPress released version 5.7.1 last week. The updated version of the content management system includes fixes for an XXE vulnerability in the media library affecting PHP 8 and a data exposure vulnerability in the latest posts block and REST API.

Note:

  • So you noticed your WordPress site was updated to 5.7.1 right? Now you need to make sure you’re on the current PHP. PHP 7.4 was released in 11/28/19 and is actively supported until 11/28/21 and PHP 8.0 was released 11/26/20 and is supported until 11/26/22. Don’t wait for active support to end prior to updating. Since PHP releases versions at the end of November/beginning of December, you can plan around that.
  • While less porous than browsers, WordPress continues to be a problem. Use with due caution. Prefer purpose built applications.

Read more in:

Member of FIN7 Hacking Group Sentenced to 10 Years in Prison

A US District Judge in the state of Washington has sentenced Fedir Hladyr to 10 years in prison for his role in the operations of the FIN7 hacking group. FIN7, which comprised more than 70 individuals, broke into US companies’ networks and stole payment card information. Hladyr was responsible for coordinating the group’s operations. He has also been ordered to pay $2.5 million in restitution.

Read more in:

Software Developer Charged with Sabotaging Employer’s Computers

A Texas man has been indicted for sabotaging an employer’s computer system. Davis Lu is a software developer who worked with emerging technology for an unnamed company based in Cleveland, Ohio. In August 2019, that company experienced a cyber disruption, causing crashed production servers and preventing employees from accessing servers. An investigation revealed malicious code that caused the crash, and additional malicious code that deleted employee profiles. Lu has been charged with damaging protected computers.

Note: There is little to substitute for good management and supervision, but multi-party controls, and Privileged Access Management systems to implement them can reduce the risk to more reasonable levels.

Read more in:

FBI Remotely Removed Web Shells from Infected Exchange Servers

Since Friday, April 9, the FBI has been removing web shells from compromised on-premises Exchange servers in at least eight US states. A federal court in Texas granted the warrant that allowed the FBI to conduct the operation without the knowledge of the systems’ owners and operators, although the FBI is attempting to contact them. The operation “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

Note:

  • There are a couple of important dimensions to this one: First, the fire department going into a burning building without permission to put out a fire that may spread to adjacent buildings is a good thing overall, but may end up in extensive water damage to the burning building. The same is true for what the FBI is doing – from a business perspective, much better to *not* be a candidate for unplanned outside fixes of your compromised systems. Second: be prepared for phishing campaigns that appear to be coming from @FBI.gov – warn your supply chain as well. If you have been unable to move to restrictive DMARC anti-spoofing policies, this would be a good item to use to get high level support to do so.
  • This is both cool and unsettling. It is better to secure your own systems or hire help than to have assistance granted by court order. The FBI will be sending email to notify system owners of actions taken. Even so, be on the lookout for fake FBI.gov phishing emails. Remember these actions didn’t apply patches or forensically analyze your systems to determine what else may be impacted.
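The “restrictive DMARC policy” the first note asks you to push for is a single DNS TXT record, and whether it actually blocks spoofed @yourdomain mail comes down to a few tags. The following is an added example, not code from the newsletter or the FBI: it parses a DMARC record (RFC 7489 syntax) and reports what still lets spoofed mail through. The records are constructed samples; no DNS lookup is performed.

```python
"""DMARC record assessment (added example, constructed records)."""


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= (policy) is required")
    return tags


def assess(txt: str):
    """Return (restrictive, findings).

    'restrictive' means mail failing SPF/DKIM alignment is quarantined or
    rejected for the organisational domain AND its subdomains, 100% of the
    time. Each finding names one gap that still lets spoofed mail through
    or leaves you blind to it.
    """
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()   # sp= defaults to p=
    pct = int(tags.get("pct", "100"))             # pct= defaults to 100
    findings = []
    if policy == "none":
        findings.append("p=none only reports; receivers still deliver spoofed mail")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable although the org domain is protected")
    if pct < 100:
        findings.append(f"pct={pct}: only that share of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is sending as your domain")
    restrictive = policy in ("quarantine", "reject") and sub_policy != "none" and pct == 100
    return restrictive, findings


# Constructed records, as they would appear at _dmarc.example.com TXT.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HALF_WAY = "v=DMARC1; p=reject; sp=none; pct=50"
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for record in (MONITOR_ONLY, HALF_WAY, STRICT):
        print(record, "->", assess(record))
```

The usual migration path is p=none with rua= reporting to learn which legitimate senders exist, then p=quarantine with a rising pct=, then p=reject; the assessment flags every intermediate state so it does not get mistaken for the end state.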

Read more in:

CISA: Patch New Exchange Server Vulnerabilities Now

Included in Microsoft’s Patch Tuesday this month are fixes for four additional vulnerabilities in on-premise Exchange Servers. These new flaws were detected by the National Security Agency. The Cybersecurity and Infrastructure Security Agency (CISA) has given US federal agencies until 12:01 am EDT on Friday, April 16 to deploy the Microsoft updates. Agencies are also required to apply/maintain controls, report completion by noon EDT on April 16, and immediately report related cyber incidents and indicators of compromise.

Note: While these vulnerabilities don’t appear to be actively being exploited, CISA considers them severe enough to warrant not only requiring immediate patching, but disconnecting any systems not patched by noon today. They make the point that once a fix is publicly released, the weakness can be reverse engineered to create an exploit; coupled with the current activities around exploiting Exchange servers, it’s a good idea to apply these patches now, regardless of whether you’re in the public or the private sector.

Read more in:

Microsoft Patch Tuesday

On Tuesday, April 13, Microsoft released fixes for more than 110 security issues. Among the vulnerabilities addressed are four additional flaws affecting on-premise Exchange Servers (see the story above). Also addressed is a Windows privilege elevation flaw that is being actively exploited.

Note: I hope you kept good notes, because there are four more Exchange vulnerabilities to patch. These vulnerabilities were found and reported by the NSA, and no exploit or details have been made public yet. But Microsoft considers exploitation likely.

Read more in:

SAP Updates

On Tuesday, April 13, SAP released a total of 19 security notes, including updates to address critical vulnerabilities in Business Client, Commerce, and NetWeaver. Five of the security notes are updates to previously released notes.

Note:

  • Vulnerabilities in ERP systems usually do not get a lot of press. But they are heavily targeted and prior vulnerabilities in SAP (or similar products) were used to compromise numerous organizations. It often takes only days for exploits to be developed. I know this one is more difficult to patch, but make sure you get it done soon.
  • SAP is already on the radar of exploitable platforms, and the patch list includes fixes to vulnerabilities with critical (aka hot news) and high ratings. These fixes address missing authorization checks, information disclosure, and other flaws which warrant prompt action.
  • The SolarWinds compromise pointed out that high market share apps that are put in highly sensitive places are high value targets for sophisticated attackers, and should be prioritized for patching. The SolarWinds compromise also pointed out that monitoring of high-risk systems should be stepped up after patching to reduce time to detect if an update has been compromised.

Read more in:

Adobe Patch Tuesday

On Tuesday, April 13, Adobe released fixes for 10 vulnerabilities affecting Adobe Bridge, Adobe Digital Editions, Photoshop, and RoboHelp. Four of the vulnerabilities in Adobe Bridge are rated critical: two memory corruption issues and two out-of-bounds write bugs, all of which could lead to arbitrary code execution. Two critical buffer overflow vulnerabilities in Photoshop could lead to remote code execution. A critical privilege elevation vulnerability in Digital Editions could lead to arbitrary system file write.

Note: If affected products are installed but not currently licensed, or not logged into the respective Creative Cloud account, the automatic update will not happen. Suggest uninstalling products with expired or no licenses to remove potentially exploitable applications from systems.

Read more in:

Google Project Zero is Adding a 30-Day Grace Period for Patching

Google Project Zero is changing its disclosure policy to allow time for users to apply patches. Project Zero’s 90-day (for vulnerabilities that are not being exploited) and 7-day (for vulnerabilities that are being actively exploited) deadlines will remain in place, but if vendors produce a patch within the designated time period, Project Zero will refrain from releasing vulnerability details for 30 days.

Note: Google must strike a difficult balance between identifying vulnerabilities and inviting their exploitation, a responsibility few would take on.

Read more in:

Chrome 90 Introduces HTTPS Default Protocol

Google has released Chrome 90 to the stable channel for Linux, macOS, and Windows. The newest version of the browser includes using HTTPS as the default protocol. It also reintroduces protection from NAT Slipstreaming attacks. In all, Chrome 90 addresses 37 security issues.

Note:

  • Of the 37 security fixes, 19 were credited to external researchers – the value of well-managed external bug bounty programs continues to be validated.
  • Other browsers will likely follow. More than 90% of websites are supporting HTTPS now, so this move makes a lot of sense. But you may experience some slower connections to the sites that do not support HTTPS, which will likely include internal IoT style devices.
  • This update also applies to Chromium based browsers (Edge, Brave, Vivaldi, etc.) With the migration to HTTPS over the last few years, the impact on end users is nominal. Sites on the HSTS preload list already defaulted to HTTPS. HTTP fallback is still enabled. This release also includes the first version of Google’s Federated Learning of Cohorts (FLoC) which is their answer to privacy while still delivering targeted ads. Note that FLoC is disabled by default in Brave and Vivaldi.

Read more in:

NERC: Electric Utilities Have Faced “Unprecedented” Cyber Threats

At a virtual press briefing earlier this week, North American Electric Reliability Corporation (NERC) Senior VP Manny Cancel said that the electricity sector has faced an “unprecedented” increase in cyber threats over the past year and a half. Cancel noted that nearly 25 percent of the 1,500 electric utilities that share information with NERC said they had downloaded the tainted SolarWinds software. A smaller subset of those said they used SolarWinds in their operational technology networks.

Note:

  • Control systems have to not only watch for compromised products like Orion, but also for attempts to access control systems via spearphishing and VPN compromise. The GAO report from March 21 (www.gao.gov: Electricity Grid Cybersecurity: DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems) had one recommendation for DOE: to more fully address risks to the nation’s power grid in coordination with DHS, states and industry. Until that effort solidifies, look to a hybrid approach to protection systems rooted in the Purdue Model. Secure the perimeter, require multi-factor authentication for access, verify security settings and updates are applied, and use segmentation to allow only authorized systems to interact with control system components.
  • There are software products and firmware in use across power systems that have the same or higher market share as SolarWinds had in that vertical, particularly on the OT networks. Identifying those and increasing prioritization of protection/segmentation/detection of those high value targets is a lesson learned from the SolarWinds compromise impact.
  • While these numbers are not surprising, they document the severity of the attack and the resulting risk to our infrastructure.

Read more in:

ODNI Annual Threat Assessment

The Office of the Director of National Intelligence has released its annual threat assessment report. The report “focuses on the most direct, serious threats to the United States during the next year.” Intelligence officials also spoke at a Senate Intelligence Committee hearing earlier this week. “The complexity of the threats, their intersections, and the potential for cascading events in an increasingly interconnected and mobile world create new challenges for the IC [Intelligence Community].”

Note: This report is only 27 pages and is far more than just cyber, covering military, WMD, Space, Intelligence and Influence capabilities for many countries. Use the information to better understand the threats, their motivations, capabilities, and goals and how that overlays with current world conditions.

Read more in:

US Sanctions Russia

The Biden administration has imposed sanctions on Russia for cyberespionage activity and for its efforts to influence the presidential election. Also sanctioned were six Russian technology companies that support the cyberespionage activity, and more than 30 entities and individuals for attempting to sway the election. In addition, 10 Russian Embassy officials in Washington, DC, will be expelled.

Read more in:

NSA, CISA, and FBI Warn of Top Vulnerabilities Exploited by Russian Hackers

In a joint advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warn that Russian Foreign Intelligence Service threat actors are exploiting “known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.” The advisory includes a list of the exploited vulnerabilities and mitigations for those vulnerabilities.

Note:

  • The list of vulnerabilities isn’t surprising. It is not a list of difficult to exploit obscure problems, but the same list of vulnerabilities everybody else is exploiting. Use this as a good reason to double check if you are running any of the vulnerable systems, and make sure they are patched. Given that some of these vulnerabilities go back to 2018: If you still find a vulnerable system, consider it compromised.
  • Actors are taking advantage of both unpatched or improperly secured systems and reusable credentials. Beyond implementing multi-factor authentication, integrate your reusable password system (typically Active Directory) with a system which monitors for breached passwords, and require users to not select a known compromised password; immediately change passwords when they are discovered in the breach data. Prioritize the patching and security validation of any and all internet facing services. Dispel beliefs that your access server is obscure and not discoverable by looking for similar products in a tool like Shodan.
  • After SolarWinds, we should hardly need such a warning. It is urgent that we restore trust in our infrastructure. In the meantime, we can resist some further damage by implementing strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), one of our most efficient protective measures.
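The breached-password check the second note describes can be done without shipping passwords, or even full hashes, to the lookup service: the client sends only the first five hex characters of SHA-1(password) and compares the returned suffixes locally (the k-anonymity range-query pattern used by Have I Been Pwned’s Pwned Passwords). The following is an added example, not code from the advisory or from any vendor. The “server” is an in-process stand-in built from a constructed corpus so it runs offline; the breach counts are made up.

```python
"""k-anonymity breached-password check (added example, constructed corpus)."""
import hashlib

# Constructed breach corpus: password -> times seen. Stand-in for the real
# service's data; the numbers are invented for the example.
CONSTRUCTED_CORPUS = {
    "password": 3_861_493,
    "letmein": 243_000,
    "Spring2021!": 7,
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_server(prefix: str) -> str:
    """Stand-in for the remote range endpoint: given a 5-hex-char SHA-1
    prefix, return 'SUFFIX:COUNT' lines for every corpus entry under it.
    The server never learns which suffix the client cared about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, query=range_query_server) -> int:
    """How many times the password appears in breach data (0 = not seen).

    Only the 5-character prefix leaves this function; matching the suffix
    happens locally, so neither the password nor its full hash is disclosed.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_new_password(password: str, min_len: int = 12):
    """Policy hook a password-change workflow (for example a directory
    password filter) would call: reject anything seen in breach data
    outright, whatever the complexity rules say. Returns (ok, reason)."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    seen = breach_count(password)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Spring2021!", "a long unique passphrase 2021"):
        print(candidate, "->", acceptable_new_password(candidate))
```

Run the same check on a schedule against newly published breach data, not only at change time; a password that was clean when set becomes a “known compromised password” the day it appears in a dump, which is the “immediately change passwords when they are discovered” step in the note.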

Read more in:

Sabotage Reportedly Shut Down Iran’s Natanz Uranium Enrichment Site

In what appears to be an act of sabotage, Iran’s Natanz uranium enrichment facility was shut down on Sunday, April 11. An explosion at the facility reportedly caused a power failure. US and Israeli intelligence officials said that Israel played a role in the incident. The Natanz facility was shut down a decade ago by the Stuxnet worm.

Note:

  • Not a lot of details out on this one yet, but an important reminder on two fronts. The obvious one is for power system and other critical infrastructure operators to take immediate action to reduce exposure to similar attacks. But, a broader reminder that back in 2010 the Stuxnet malware attack caused spillover that impacted financial systems and many other networks – good reason for an accelerated push to make sure essential security hygiene deficiencies are addressed rapidly.
  • The take-away is to make sure that critical infrastructure is properly protected from cyber-attack. Control systems need to be properly isolated and never directly accessible from the Internet. Further, not only restrict access to known trusted systems, but also monitor that access for anomalous behavior. Make sure that supporting systems, such as power and cooling, are similarly protected and monitored. Lastly, practice good OPSEC. One of the take-aways from the Stuxnet incident was that PR photos in front of the control systems were used to reveal the technology used, allowing that attack to be very accurately developed and targeted.

Read more in:

Name:Wreck DNS Vulnerabilities

Researchers at Forescout and JSOF have disclosed nine vulnerabilities affecting four widely-used TCP/IP stacks. The flaws can be exploited to cause denial-of-service conditions and take devices offline or gain remote control of vulnerable devices. The issues affect an estimated 100 million devices.

Note:

  • While these are issues that need to be “patched now”, the end user may not have the option if vendor firmware is not updated. A better fix is likely an architecture that forces all internal devices to use an internal recursive resolver. While it may not mitigate all the vulnerabilities, it will at least provide visibility into DNS traffic which is crucial for devices that are often only offering limited logging.
  • The vulnerable versions of Nucleus NET, FreeBSD, and NetX have been updated, but the trick is waiting on vendor updates to devices with these as an embedded OS. Mitigations include identification and segmentation of devices with the vulnerable TCP/IP stacks, configuring devices to use known good internal DNS servers and monitoring and blocking of malicious or malformed DNS traffic.

Read more in:

Critical Zoom Flaw Allows Remote Code Executions with No User Interaction

Two security researchers from the Netherlands demonstrated an exploit of flaws in the Zoom desktop client that allowed them to take control of a user’s computer. The exploit chains together three vulnerabilities in Zoom to allow remote code execution with no user interaction. The exploit works on the Zoom desktop client for PCs and for Mac.

Note:

  • The browser version of Zoom is not affected – a good workaround until the patch is available. Good to see that Zoom was one of the sponsors of the Pwn2Own competition that found this one.
  • This flaw was revealed and demonstrated during the Pwn2Own event. The vulnerabilities have been reported to Zoom, and no details were made public. The Pwn2Own events have been a great way for researchers to demonstrate their skills responsibly. While depressing to see pretty much every single target fall year after year, this event has been a great source of responsibly disclosed vulnerability details.
  • The exploit leverages a weakness in the Zoom Chat product, not the in-session chat which is part of Zoom Meetings or Zoom Video Webinars. The attacker has to either be an accepted external contact or another organizational user. The best mitigation is to use the web client until a fix is released. Also make sure that you’re following best practices to secure online meetings and accept external contact requests only from people you know and trust.
  • A rare exception to the rule that one should prefer purpose-built applications to browsers.

Read more in:

NCSC Recommends Actions to Address Fortinet SSL VPN Vulnerability

Britain’s National Cyber Security Centre (NCSC) is urging users to take steps to protect Fortinet SSL VPNs from active exploits. NCSC recommends checking to see if the FortiOS updates have been applied. If they have not, “the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured and then returned to service.”

Note:

  • As the flaws are being exploited, assume unpatched devices have been compromised. The strategy recommended by NCSC, effectively a factory wipe, reset and patch, is a good way to make sure that your device is operating from a known good configuration. Make sure that all your internet facing and boundary protection devices including VPNs, firewalls, load balancers, WAFs are at the top of both the patch priority and security posture review lists. Ensure they are both properly configured and updated.
  • Updating your remote access equipment, while most people still work from home, may be scary. But dealing with an incident involving your remote access equipment while working from home is worse. An upgrade can be scheduled.

Read more in:

Unit 42 Researchers Find Cryptojackers Targeting Washington State Educational Organizations

Researchers at Palo Alto Networks’ Unit 42 global threat intelligence team recently detected cryptojacking attacks targeting three educational organizations in Washington state. The incidents were detected on February 16, March 10, and March 15. The Unit 42 report includes a list of indicators of compromise.

Read more in:

Ransomware Affects Cheese Delivery in the Netherlands

A ransomware attack that targeted Bakker Logistiek, a warehousing and transportation provider, has resulted in a cheese shortage in stores in the Netherlands. Bakker’s director said that due to the attack, they did not know where in their warehouses products were, and that it also prevented the company from receiving orders. The company is using backups to restore operations. They did not indicate if they paid the ransom.

Read more in:

Expired Certificate Prevents Pulse Secure VPN Logins

An expired code-signing certificate prevented Pulse Secure VPN users from accessing their devices. The problem affects users working from home when they try to connect to company networks through their browsers. The issue is the expired certificate combined with a client software bug that fails to correctly verify timestamped, signed executables once the signing certificate has expired.

Note:

  • This denial of service/access problem that keeps popping up shows the need for certificate discovery and management tools. There are some commercial products and a number of open source tools (like OpenCA and gnoMint) that provide support at scale for certificate management.
  • Certificate use has become pervasive, and certificate lifetimes are shrinking, necessitating active monitoring and automated processes to update them automatically where possible. If nothing else, generate a support ticket with sufficient priority and warning to take action without interruption. When using certificates to sign code, be sure to not only use a timestamp server which captures the certificate validity at the time of signing, but also verify the behavior after the code signing certificate has expired.

Read more in:

US Dept. of Health and Human Services OIG Finds Infosec Program is Not Effective

An audit of the US Department of Health and Human Services (HHS) information security program found it to be not effective. The audit, conducted by Ernst & Young LLP on behalf of the HHS Office of Inspector General (OIG), evaluated HHS’s information security program against Federal Information Security Modernization Act (FISMA) metrics. HHS’s information security program was also found not effective in audits conducted for FY 2018 and FY 2019.

Note: Repeat findings on an audit are not something you want. While HHS does have an overall strategy for implementing needed processes and controls, OIG found the specific roadmaps and KPIs were lacking, which would drive completing the implementation of those strategies. Make sure that your enterprise strategy has the information needed for success to the lowest layers, including measurable objectives, defined timelines and funded resources. If you are not going to implement a regulatory requirement, such as the Continuous Diagnostics and Mitigation (CDM) program, work that at the highest levels with the regulator, and document the outcome and update your enterprise roadmap accordingly.

Read more in:

  • HHS Information Security Program Still ‘Not Effective’
  • Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (Report in Brief)
  • Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (PDF)

IcedID Banking Trojan Spreading Through Contact Forms

Researchers from the Microsoft 365 Defender Threat Intelligence Team have detected attackers abusing contact forms on company websites to generate emails that include malicious links that can ultimately lead to machines becoming infected with the IcedID banking Trojan.

Read more in:

Accellion: University of Colorado

The University of Colorado (CU) has provided additional information about a data breach related to a vulnerability in Accellion’s File Transfer Appliance (FTA). CU says that more than 300,000 unique records containing personally identifiable information were compromised. CU says the compromised data are being held for ransom and that it does not intend to pay the demand.

Read more in:

Kentucky Unemployment Insurance Office Offline to Reset PINs After Attempted Fraud

A cyberattack forced the Kentucky Office of Unemployment Insurance to take account operations offline for several days. Attackers used automated tools to access users’ accounts; in some cases, they changed bank information so that funds were diverted to a different account. The Office of Unemployment Insurance is resetting more than 300,000 PINs to ensure that thieves cannot steal payments. Once operations go back online, users will be assigned a new 8-digit PIN and will be required to create a new 12-character password.

Note:

  • Previously used 4-digit PINs, while encrypted, were trivial to guess, as users often chose predictable values. Having users choose longer passwords, sending account PINs out-of-band, and an emailed multi-factor access code are excellent steps in the right direction.
  • While resistant to the rare brute force attacks, it sounds as though this system will continue to be vulnerable to the more prevalent fraudulent credential replay attacks. Strong authentication requires that at least one form of evidence be resistant to replay.

Read more in:

Biden Nominates Former NSA Officials to Top Cybersec Positions at DHS and White House

The Biden administration has nominated former National Security Agency (NSA) official Jen Easterly to become director of the Cybersecurity and Infrastructure Security Agency (CISA). Biden is also expected to nominate former NSA official Chris Inglis to fill the new position of National Cybersecurity Director.

Note: These nominees have not only cybersecurity expertise, but also track records of partnership with private industry. CISA has used those relationships to increase the relevance, effectiveness and value of their services and guidance to both the public and private sector. Extending this partnership model to other cybersecurity roles is necessary to have comprehensive, relevant and effective security leadership.

Read more in:

DC Care First BC/BS Health Insurer Loses Clinical and Other Patient PII To Attackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) has disclosed that a January 2021 cyberattack compromised data belonging to current and former enrollees and employees. The compromised data include names, Social Security numbers, claims information, and in some cases, clinical information.

Note: This is a good example of transparency and a proactive response. CHPDC has not only published a notice, but also a FAQ, offered 2 years of free credit monitoring as well as engaged expert help for response, containment and remediation to prevent recurrence. While it’s nice to have full attribution in a cyber-attack, these steps taken represent concrete measurable actions which will help maintain and strengthen business relationships with customers, peers, and providers.

Read more in:

Threat Actors are Exploiting Unpatched SAP Applications

Threat actors are exploiting known vulnerabilities in SAP applications. In a joint report, SAP and Onapsis noted that “critical SAP vulnerabilities [are] being weaponized in less than 72 hours of a patch release.” Attackers are exploiting the flaws to steal data, conduct fraud, deliver malware, and disrupt operations. Users are urged to update SAP applications.

Note:

  • Attackers are now actively targeting unsecured SAP applications. CVE-2020-6287 and CVE-2020-6207 are rated as high-risk due to the potential to gain remote unauthorized system access. While patching your ERP system requires prioritization and adequate regression testing, these aggressive attacks warrant enlisting outside services to expedite the process. Consider immediately restricting access to unpatched SAP systems that are currently Internet-accessible.
  • Patching faster continues to be easier to do with ease of spinning up AWS/Azure based full sized test environments, and is critical to do with high impact applications like SAP. The Solar Winds compromise points out that those high impact apps should also be tested for flaws or hidden capabilities, and the production instances monitored for unusual behavior – also a lot easier to do with manageable levels of false positives with modern tools.
  • Historically, it has been more important to patch thoroughly than to patch urgently. Recent events suggest that that may be changing. In any case, the time to widespread exploitation seems to be shrinking.

Read more in:

Threat Actors are Using Collaboration Apps to Spread Malware

Threat actors have been targeting collaboration apps, like Slack and Discord, to spread malware. The increased number of people working remotely has expanded the use of these apps; attackers have been using the platforms to deliver malware and exfiltrate data. The activity does not exploit vulnerabilities in the collaboration apps; instead, the threat actors are exploiting existing features and the level of trust that the platforms offer.

Note: These platforms are excellent for sharing and distributing files, and links to them are easily embedded in email. As the use of these services has become commonplace, those links no longer stand out as unusual. Some of the attack vectors, such as token stealing to access Discord, can’t be easily mitigated. If you’re not actively using these collaboration apps for business purposes, consider blocking their domains and adding the client software to your application deny list. If you are using them, make sure that your implementation is following best security practices and is sufficient for protecting the data stored and exchanged there.

Read more in:

Critical Flaw in VMware Carbon Black

A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and gain elevated privileges. The issue is due to incorrect URL handling. Users are urged to upgrade to VMware Carbon Black Workload appliance version 1.0.2.

Read more in:

Gigaset Android Phone Affected by Supply Chain Attack

Some Gigaset Android smartphones are being infected with malware through a “poisoned” update. The malware can open browser windows, download other malware, and send text messages in an effort to spread. Gigaset says the issue affects “older devices” and that they “expect to be able to provide further information” soon.

Note:

  • The troubling detail is that the update came from the Gigaset update servers. Gigaset published a technical solution to remove the malware; there is some disagreement about the completeness of the fix. The better plan may be to power off affected devices, and remove both the battery and SIM. While Gigaset hopes to have better remediation information shortly, as this is impacting older devices, the more expedient and complete resolution may be to replace your device if affected.
  • We cannot deal with the supply chain by placing all the responsibility on the end user. We must hold those who distribute malicious code responsible.

Read more in:

Lazarus Group’s Vyveva Backdoor Malware

An advanced persistent threat (APT) group with ties to North Korea reportedly used backdoor malware known as Vyveva in an attack against networks at a South African freight company. The Lazarus APT group appears to have been using Vyveva since late 2018. Vyveva’s “capabilities [include] file exfiltration, ‘timestomping,’ gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators.”

Read more in:

Singapore Job Matching Organization Discloses Third-Party Data Breach

Singapore’s Employment and Employability Institute (e2i) has disclosed a data breach affecting 30,000 individuals. The company learned of the breach on March 12 from a third-party vendor whose systems were breached. The incident affects individuals who used e2i services or participated in e2i events between November 2018 and March 2021.

Note: Third-party liability needs to be understood. Make sure that your contracts not only flow down cyber security and data protection requirements but also legal and indemnification clauses. These clauses should be standardized for your supply chain management group and reviewed/updated annually by your cyber and legal staff. The review may drive the need to update existing contracts. Document your decision to update now or wait until renewal.

Read more in: Third-party security breach compromises data of Singapore job-matching service

Malicious Document Builder EtterSilent

Threat actors are using a malicious document builder known as EtterSilent in their campaigns. One version of EtterSilent mimics electronic signature app DocuSign but asks users to enable macros; a second version of EtterSilent has been used to drop the Trickbot banking trojan.

Note: EtterSilent includes features that allow it to bypass Microsoft Defender, Windows Antimalware Scan Interface (AMSI), and popular email services, including Gmail. EtterCell documents, created by the EtterSilent builder, are downloader payloads that use Excel 4.0 macro functions to download and execute malicious payloads.

Read more in:

Android Malware Hides in App Pretending to be Netflix

Check Point Research (CPR) discovered wormable malware in a phony app on the Google Play Store. Dubbed “FlixOnline,” it disguises itself as a legitimate Netflix client offering unlimited entertainment and a free 60-day premium Netflix subscription due to COVID-19. The malware targets WhatsApp, “listening in” on conversations and auto-responding to messages with malicious content. The application requests overlay, Battery Optimization Ignore, and notification permissions to keep the device from shutting down as well as to provide access to the WhatsApp communications.

Note:

  • Beware of over-permissioned applications bearing false promises. The application is using the permissions granted to access WhatsApp and dismiss and reply to messages. Overlay permissions are often seen in a credential stealing application. The Netflix link provided is also a credential stealing site. The application has been removed from the Play Store and Play Protect will remove any installed copies. No action is needed for WhatsApp.
  • With each Android release, Google has been reducing the scope of app behavior that is allowed. Taking advantage of that requires carriers/operators to be pushing out updates, users to allow them to happen and sometimes requires newer phones to be used. Google had been improving Play Store security/privacy vetting across 2019 but did not publicly announce significant advances in 2020 or so far in 2021. The Play Store and Apple App Store still represent significant obstacles in preventing malware compared to what PC and server operating systems.

Read more in:

Belden Says More Information Was Compromised in 2020 Breach

Belden, a network connectivity device manufacturer based in the US, has disclosed additional information about a 2020 cyberattack. When the company first acknowledged the incident in November, it said that current and former employee data and some business data had been compromised. Now it appears that the compromised data include information about some employees’ family members, and health-related information.

Note: Consider whether your enterprise holds data sensitive for others that you do not really need, use, or adequately protect. The most effective way to ensure that one does not leak sensitive data is not to keep it.

Read more in:

Previous Data Theft May Have Contributed to Exchange Server Attacks

US government officials and Microsoft are puzzling over how the threat actors behind the Microsoft Exchange Server attacks were able to carry out attacks so broadly and so quickly. One emerging theory is that the threat actors, who have been linked to China, have vast troves of stolen and/or mined information that they used to determine which accounts to target. Anne Neuberger, deputy national security adviser for cyber and emerging technology said, “We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks. Their potential ability to operationalize that information at scale is a significant concern.” (Please note that the WSJ story is behind a paywall.)

Read more in:

Aviary Dashboard Analyzes Data Output from Sparrow Detection Tool

The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners have released a dashboard to help “visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise.”

Note: As DHS/CISA continue to refine and require added scans relating to the SolarWinds compromise, this dashboard represents a way to track and monitor the results from scans made using their Sparrow detection tool, which should aid reporting requirements associated with this activity. Even if you’re not bound by these directives, consider this approach to tracking the status and health of SolarWinds environments.

Read more in:

FBI and CISA Joint Advisory: APT Actors Actively Exploiting Flaws in Fortinet FortiOS

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert about advanced persistent threat (APT) actors scanning on ports 4443, 8443 and 10443 for known vulnerabilities in Fortinet FortiOS SSL VPNs. The threat actors could exploit the vulnerabilities “to gain access to multiple government, commercial, and technology services networks.” Users are urged to apply updates.
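Sources probing those three SSL VPN ports in quick succession are a signal a defender can pull out of perimeter logs. The following is an added example, not the advisory's or Fortinet's own tooling; the log lines use a constructed key=value format rather than any vendor's real syslog schema.

```python
"""
Flags source addresses that touch two or more of the advisory's SSL VPN ports
(4443, 8443, 10443) within a short window, which is the pattern of a targeted
scan rather than a single legitimate VPN client.
Added example; the log format and sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

ADVISORY_PORTS = {4443, 8443, 10443}
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_PORTS = 2   # 2+ advisory ports from one source inside WINDOW is flagged

# Constructed format: "<ISO time> src=<ip> dst=<ip> dport=<port> action=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = """\
2021-04-02T10:15:01Z src=198.51.100.7 dst=203.0.113.10 dport=443 action=accept
2021-04-02T10:15:03Z src=198.51.100.7 dst=203.0.113.10 dport=4443 action=deny
2021-04-02T10:15:04Z src=198.51.100.7 dst=203.0.113.10 dport=8443 action=deny
2021-04-02T10:15:05Z src=198.51.100.7 dst=203.0.113.10 dport=10443 action=deny
2021-04-02T10:20:00Z src=192.0.2.44 dst=203.0.113.10 dport=8443 action=accept
2021-04-02T11:40:00Z src=192.0.2.44 dst=203.0.113.10 dport=10443 action=accept
2021-04-02T12:00:00Z src=192.0.2.99 dst=203.0.113.10 dport=22 action=deny
this line is not in the expected format and is skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a parsed event, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "action": m.group("action"),
    }


def find_scanners(log_text: str, window: timedelta = WINDOW,
                  min_ports: int = MIN_DISTINCT_PORTS) -> Dict[str, List[int]]:
    """
    Return {source_ip: sorted advisory ports} for sources that hit at least
    `min_ports` distinct advisory ports inside any `window`-long interval.
    Accepted and denied connections both count: a scan that is allowed through
    is the one you most want to know about.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dport"] in ADVISORY_PORTS:
            per_src[ev["src"]].append((ev["ts"], ev["dport"]))

    findings: Dict[str, List[int]] = {}
    for src, events in per_src.items():
        events.sort()
        flagged = set()
        for i, (t0, p0) in enumerate(events):
            ports = {p0}
            for t1, p1 in events[i + 1:]:
                if t1 - t0 > window:
                    break           # events are sorted, so later ones are outside too
                ports.add(p1)
            if len(ports) >= min_ports:
                flagged |= ports
        if flagged:
            findings[src] = sorted(flagged)
    return findings


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed advisory ports {ports} within {WINDOW}")
```

With the 10-minute default only 198.51.100.7 is reported; 192.0.2.44 touches two advisory ports 80 minutes apart and only appears when the window is widened, which is the tuning knob for low-and-slow probing versus false positives.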

Note:

  • These are older vulnerabilities, and likely exploited by more than APT actors. Patching a remote access device while everybody is working from home has its risk. But if it is too risky to patch, it would be even worse if the device gets compromised. Patch!
  • The vulnerability exploited in CVE-2018-13379 was not only resolved in the May 2019 patch, but also allows attackers to bypass 2FA. Make sure that your Fortinet devices are up-to-date to ensure that your 2FA implementation is not rendered ineffective. Review the IC3 guidance below for important mitigations; beyond updating your devices and enabling multi-factor authentication, important steps include requiring administrative privileges to install software, using network segmentation, auditing the use of administrator accounts, and configuring systems with the principle of least privilege in mind.

Read more in:

Malware Disrupts Automobile Inspections

A malware attack affecting automobile emissions testing company Applus Technologies is preventing vehicle inspections in eight US states. The March 30 attack prompted Applus Technologies to disconnect its network from the Internet. As it is uncertain when inspections will resume, officials in affected states are notifying law enforcement authorities of the situation, asking them not to issue citations for expired emissions. Applus Technologies is also working with customers to ensure that vehicle owners do not incur fines and penalties.

Read more in:

Spear Phishing Campaign Targets Job Seekers on LinkedIn

Threat actors are targeting LinkedIn users with phony job offers. The spear phishing campaign tries to manipulate LinkedIn users into clicking on a malicious ZIP file that installs a fileless backdoor Trojan known as more_eggs. That malware has the capacity to download additional malware, giving threat actors access to the user’s computer.

Note: This attack is targeting out-of-work professionals with a personalized compelling campaign, which means user education has to come through non-work channels such as professional organizations, or reaching out to friends who you know to be job hunting. Make sure they are both aware of the campaign and have current endpoint protection on their system. The motivation appears to be access-for-hire – where access to compromised systems is sold to others for use in subsequent campaigns.

Read more in:

Microsoft Outage Caused by Bug

An outage that affected Microsoft’s cloud services on Thursday, April 1 was due to a code defect that overwhelmed the Azure DNS service, which “led to decreased availability of … DNS service.” The issue was resolved by Thursday evening.

Note:

  • A good reminder that DNS is still a critical service. Doesn’t matter how big your cloud is if nobody can find it.
  • Microsoft services detected the issue and recovered themselves after 39 minutes, which is impressive on its own and Microsoft has made changes to their volumetric spike detection system to reduce that window further. As we put more reliance on cloud service providers, it becomes important to fully understand what their service level objectives are and compare them with your maximum tolerable downtime. Understand and document what recourse is available during a service outage. If you implement monitoring to discover interruptions in service, make sure that it is configured in a way that your CSP will accept your findings as genuine. That may require monitoring from more locations and more sophisticated service checks than initially considered.

Read more in:

CISA Now Overseeing .GOV Top Level Domain

An appropriations bill that passed US Congress late last year includes the DOTGOV Online Trust in Government Act, which moves oversight of the .gov top level domain from the General Services Administration (GSA) to the Cybersecurity and Infrastructure Security Agency (CISA) as of April 2021. Currently, just 10 percent of local governments have a .GOV domain.

Note:

  • Now we just need to get state and local governments to actually use .gov domains. For example here in Florida, one of these three domains is not run by the state. Guess which one: sunbiz.org, myflorida.com, stateofflorida.com. Consistent use of the .gov TLD will make it easier to spot imposters.
  • Working with small agencies in the past, the barrier to entry for .GOV domains was just too high as compared to getting a free, or nearly free .US or .ORG domain. Not only does CISA need to get .GOV domains funded, the ROI and time to deliver must outweigh the ease of getting alternate domains. Agency leadership also has to be enrolled in supporting their use as well as informed of options such as grants for technical and non-technical items needed to support transitioning to the new domains.

Read more in: The DOTGOV Act: Local Cybersecurity a National Imperative

Ransomware: Broward County Schools

Ransomware operators recently demanded a $40 million payment after infecting the Broward County Public Schools network. The Florida school district said it does not intend to pay the demanded ransom.

Read more in:

Ransomware: CNA Website Operational, Email Functionality Restored

US insurance company CNA has acknowledged that a cyber incident that occurred in late March was a ransomware attack. As of Monday, April 5, the company’s website is operational, and CNA says it “has reestablished email functionality which is protected by multi-factor authentication and a security platform to help detect and block email threats.” The company has also employed additional security measures.

Note:

  • Ben Wright and I are doing a talk at the RSA Conference in May: “How Risky is Cyberinsurance?” One issue we won’t have time to address is concentration of risk – if an insurer suffers a major incident (such as widespread exploitation of Solar Winds or Microsoft Exchange vulnerabilities) will the insurer be able to meet their financial obligations? In this case, S&P and other credit rating firms say they are not changing CNA’s credit rating. But, since many large enterprises do require supply chain/third-party partners to carry insurance, good to check for too large a percentage with a single cyberinsurance carrier.
  • Implementing multi-factor authentication on email has to be a foundational setting we all use. Hosted email providers make this easy to implement. Avoid the temptation to allow VIPs and system administrators to opt-out. In short, they have more access and are more targeted than other users, making them more risky.

Read more in:

Facebook Data Leak

Data belonging to more than 530 million Facebook users has been leaked on the darknet. Compromised data include names, phone numbers, birthdates, email addresses and other identifiers. The leak affects users from more than 100 countries.

Note:

  • This appears to be data stolen in a 2019 breach. Even so, much of this data is still accurate. At that time the Facebook and Instagram function to search by phone number was removed. What has happened is the data has been released, for free, and could be used for social engineering or SIM swapping campaigns. Make sure that your mobile number is protected from unauthorized swapping, your spam filters are configured and working; and review your identity/credit monitoring to make sure you are alerted upon use of your personal information.
  • As Facebook’s European Headquarters is based in Ireland, the Irish Data Protection Commission has released a statement in which the line “The DPC attempted over the weekend to establish the full facts and is continuing to do so. It received no proactive communication from Facebook” stood out for me. If Facebook are serious about the personal data of its users I would expect it to be actively informing the Data Protection Commission of its investigations into this issue. www.dataprotection.ie: DPC statement, re: Dataset appearing online

Read more in:

Kaspersky Researchers Discover a Cyberespionage Campaign Targeting Vietnam

Researchers from Kaspersky have found evidence of a cyberespionage campaign that employs sophisticated tactics to “make it significantly more difficult for researchers to reverse engineer the malware for analysis.” The campaign appears to be the work of Chinese state-sponsored threat actors; it targets Vietnamese government and military organizations.

Read more in:

Stanford University Medical School Discloses Accellion-Related Data Breach

In a message to the Stanford community, Stanford University Medical School said that it experienced a data breach that involved Accellion’s File Transfer Appliance file-sharing service. Threat actors have posted data taken from Stanford University Medical School on a leak site. The compromised information includes names, addresses, Social Security numbers, and financial data.

Note:

  • A recurring theme with Accellion FTA users is not if they have been breached, but when. The FTA appliance was a secure mechanism for transferring sensitive data between service providers and business partners. Universities used them for student, faculty and staff data transfers so the impact of exfiltrated data is very broad. If you still have an FTA appliance, it needs to be decommissioned and replaced. You will want to forensically analyze them to establish what data may have been accessed. If you don’t have in-house expertise, engage security services with direct experience with the FTA breaches to work with you through this process.
  • One might conclude that open-source intelligence has failed to communicate this vulnerability. What does this say about the effectiveness of open-source intelligence? SANS is doing its part.

Read more in:

Exchange Server: CISA Requires Agencies to Run Microsoft Safety Scanner

The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to “download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode” and “download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity.” Agencies must perform these actions by noon EDT on Monday, April 5. There are also hardening requirements that must be implemented by June 28, 2021. The new requirements were released as Supplemental Direction to CISA’s March 3 Emergency Directive 21-02.

Note:

  • Everybody should run the Microsoft Safety Scanner for Exchange. Even if you patched as soon as the patch was released by Microsoft. The scanner isn’t perfect, but it is easy to run and you should assume that the system was compromised the day before the patch was released.
  • The MSERT script is being updated frequently, so be sure to download the latest before performing these scans. The new requirements are not just to harden the OS of the servers, but also to verify that you’re employing the principle of least privilege for accounts on your Exchange server. Also note the requirement to not only be on supported OS and Exchange versions but also apply patches within 48 hours of release, which leaves little time for regression testing and necessitates verified roll-back procedures.

Read more in:

North Korean State-Sponsored Threat Actors Created Fake Security Company

North Korean state-backed hackers are once again targeting security researchers. This time, the threat actors have set up a phony offensive security company, replete with a website and associated social media accounts. The fake company, SecuriElite, says it is based in Turkey and that it offers penetration testing, software security assessments, and exploits. The same group of threat actors launched a campaign earlier this year involving phony social media accounts, from which they asked targeted researchers if they wanted to collaborate on a project.

Note: Just as you would for services used at home, you need to check references carefully when hiring a security firm. Use known good sources for references. If your industry peers haven’t heard of or don’t have direct experience with a firm, use caution or select again.

Read more in:

Whistleblower: Ubiquiti Breach “Catastrophically Worse Than Reported”

In a letter to the European Data Protection Supervisor, a whistleblower wrote that a breach disclosed by Ubiquiti in January 2021 “was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers.” In a March 31 Update to January 2021 Account Notification, Ubiquiti disclosed that it was targeted by an unsuccessful extortion attempt in January.

Note:

  • Unlike similar products, the “controller” function for Ubiquiti’s network and video products is run on premise. But authentication usually happens via Ubiquiti’s cloud authentication service. In addition, the web-based controller software in some cases retrieves components from Ubiquiti’s site. I reviewed the controller web interface, and for example, Ubiquiti is including JavaScript from delighted.com for “optional user surveys”. An attacker, who appears to have had full access to Ubiquiti’s source code and cloud infrastructure, may have been able to swap out that code for something malicious. If you are using Ubiquiti products, make sure you disable remote access to the controller.
  • Transparency is key in a breach situation. Be clear about the scope and relevance of affected systems, as well as recovery efforts. Update your disclosure as new information becomes available to maintain the relationship with your customers and users. For third-party contracts, make sure that your security requirements flow down to sub-contractors and that your indemnification and liability clauses are sufficient to protect your business. If you’re using the Ubiquiti cloud management services and you have not changed your password since January 11th, both change it and implement MFA.

Read more in:

Ransomware: University of Maryland Data Leaked

Ransomware operators are leaking data that appears to have been stolen from systems at the University of Maryland, Baltimore, and the University of California, Merced. The compromised data include tax documents, passport numbers, Social Security numbers (SSNs) and health savings plan enrollment forms.

Note: The Clop group has been harvesting data via Accellion FTA exploits. This dataset includes both employee and student data. While the universities have taken steps to prevent recurrence, employees and students need to make sure they are also taking steps to prevent identity theft for themselves and any family members also included on benefit, tuition, or grant application forms.

Read more in: Ransomware group targets universities in Maryland, California in new data leaks

Medical Researchers Targeted in Phishing Campaign

A report from Proofpoint says that state sponsored threat actors have targeted medical researchers in the US and Israel with credential phishing attacks. The campaign began in December 2020. Proofpoint says “the tactics and techniques observed in BadBlood (Proofpoint’s name for the campaign) continue to mirror those used in historic TA453 (aka Charming Kitten) campaigns.”

Note:

  • Capturing reusable credentials continues to be the “easy button” for getting access to systems and information. In this campaign they are using look-alike sites to harvest credentials, and while users may notice that 1drv[.]casa is not a legitimate Microsoft login site, many will miss that clue. The more complete solution is ubiquitous multi-factor authentication. Don’t allow any users to opt-out, reducing the effectiveness of captured credentials. If possible, integrate your password processes with breach data checks to identify and trigger updates for passwords which have been breached.
  • Almost every time I read a long report about a complex state-sponsored attack, in the first paragraph I’ll see “phishing” and “harvested login-credential.” After that will be catchy names for the threat actor or malware, and descriptions of what the attackers did after easily “harvesting credentials” – i.e., taking advantage of the use of reusable passwords by obvious targets, like sys admins, medical researchers during a pandemic, security researchers, CFOs, etc. There has been a lot of hype recently about “Zero Trust” architectures, which can’t exist when those targets are still using easily compromised credentials.

Read more in:

US Justice Dept. Warns of Vaccine Survey Phishing Campaigns

The US Justice Department says it has received reports of fraudulent COVID-19 surveys that are being sent to consumers in email and in text messages. The message says the recipient is eligible to receive a prize for answering the questions and asks them to provide a credit card number to pay shipping and handling.

Note: This takes its cues from the old Nigerian scam, where you are tricked into providing a small fee in exchange for a huge reward. And as in that scenario, the temptation to participate is heightened by the campaign message. As with that scam, the task is to train users, friends and family to click only on links from known senders. The DOJ site below has links not only for reporting suspected phishing campaigns, but also references for users who may have provided information to fraudsters, as well as protection measures for future use. As we are in tax season, consider an IRS Identity Protection PIN to prevent fraudulent filing of a tax return on your SSN. www.irs.gov: Get An Identity Protection PIN (IP PIN)

Read more in:

SolarWinds: US Malware Analysis Report

The US Department of Homeland Security (DHS) and US Cyber Command are planning to release a malware analysis report that details malicious code allegedly used by the threat actors behind the SolarWinds supply chain attack. The report was initially scheduled to be released on March 31, but has since been delayed.

Read more in:

Indictment in Kansas Water Utility Breach

US federal authorities have indicted Wyatt A. Travnichek for allegedly tampering with a public water system in Kansas. The incident occurred in late March 2019. Travnichek allegedly gained access to the Post Rock Rural Water District’s computer system and shut down cleaning and disinfection procedures. Travnichek has been charged with tampering with a public water system and reckless damage to a protected computer during unauthorized access.

Read more in:

RSA: DHS Secretary Describes Planned 60-Day Cybersecurity Sprints

Speaking to a virtual audience at the RSA conference, US Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said that DHS and the Cybersecurity and Infrastructure Security Agency (CISA) are planning a series of 60-day sprints to address cybersecurity goals. There are six areas of focus, including ransomware, resiliency of industrial control systems at water and sewage treatment facilities, and election security. Mayorkas also noted the forthcoming executive order, which will aim to “advance the federal government’s ability to prevent and respond to cyber incidents.”

Read more in: DHS Secretary Outlines 60-Day Cybersecurity Recovery Plan

Executive Order to Address Breach Disclosure

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Biden administration is working closely with the private sector on a forthcoming executive order, which is expected to make “fundamental improvements to national cybersecurity.” Among other elements, the draft executive order would require organizations that do business with the federal government to disclose network breaches within a matter of days.

Note:

  • Breach disclosure, encryption at rest, and 2FA for companies working with the Federal Government appear to be the core themes of the pending order. When implementing encryption, have a clear understanding of where and when data is, and is not, encrypted. Contracts with the Federal Government already include incident response and disclosure requirements, with pre-identified contacts and defined timelines. Additionally, a clear understanding of how that information needs to be protected, where and when it is reported, and by whom, is key to maintaining trust in the business relationship. If you don’t have similar provisions in contracts with service providers, you need to add them.
  • The first federal US breach notification law was proposed in 2003. Sad to see that 18 years later US legislators still have been unable to act in this area. Since several states have joined California in passing state level laws, most companies would prefer a federal standard requirement. So, action is badly needed on this and perhaps the FCC will tackle cell phone number spoofing, too.

Read more in: Companies Must Quickly Report Hacks to U.S. Under Proposed Order

Brown University Data Center Shut Down Following Cyber Incident

Brown University’s CIO and chief digital officer said they shut down the school’s data center after detecting “a cybersecurity threat to the University’s Microsoft Windows-based technology infrastructure” on March 30. The Computing and Information Services team has begun restoring systems.

Note: Many services are back online or will be restored shortly. Brown University is using its Computing and Information Services Alerts page to provide status updates on impacted services. it.brown.edu: Computing & Information Services Alerts

Read more in:

Harris Federation Ransomware Attack Affects 50 UK Schools

The UK’s non-profit Harris Federation, which operates 50 primary and secondary schools in London and Essex, has disclosed that it suffered a ransomware attack in late March. The incident occurred the same day the National Cyber Security Centre warned that ransomware operators are targeting the education sector. The attack affected servers, telephone systems, and email systems. Devices that the schools issued to students have also been disabled.

Read more in: