Pupuweb

Sabotage Reportedly Shut Down Iran’s Natanz Uranium Enrichment Site

In what appears to be an act of sabotage, Iran’s Natanz uranium enrichment facility was shut down on Sunday, April 11. An explosion at the facility reportedly caused a power failure. US and Israeli intelligence officials said that Israel played a role in the incident. The Natanz facility was shut down a decade ago by the Stuxnet worm.

Note:

• Not a lot of details out on this one yet, but an important reminder on two fronts. The obvious one is for power system and other critical infrastructure operators to take immediate action to reduce exposure to similar attacks. But, a broader reminder that back in 2010 the Stuxnet malware attack caused spillover that impacted financial systems and many other networks – good reason for an accelerated push to make sure essential security hygiene deficiencies are addressed rapidly.
• The take-away is to make sure that critical infrastructure is properly protected from cyber-attack. Control systems need to be properly isolated and never directly accessible from the Internet. Further, not only restrict access to known trusted systems, but also monitor that access for anomalous behavior. Make sure that supporting systems, such as power and cooling are similarly protected and monitored. Lastly, practice good OPSEC. One of the take-aways from the Stuxnet incident was that PR photos in front of the control systems were used to reveal the technology used allowing that attack to be very accurately developed and targeted.

Read more in:

• Blackout Hits Iran Nuclear Site in What Appears to Be Israeli Sabotage
• Iranian Nuclear Site Shut Down by Apparent Cyberattack
• Stuxnet sibling theory surges after Iran says nuke facility shut down by electrical fault

Name:Wreck DNS Vulnerabilities

Researchers at Forescout and JSOF have disclosed nine vulnerabilities affecting four widely-used TCP/IP stacks. The flaws can be exploited to cause denial-of-service conditions and take devices offline or gain remote control of vulnerable devices. The issues affect an estimated 100 million devices.

Note:

• While these are issues that need to be “patched now”, the end user may not have the option if vendor firmware is not updated. A better fix is likely an architecture that forces all internal devices to use an internal recursive resolver. While it may not mitigate all the vulnerabilities, it will at least provide visibility into DNS traffic which is crucial for devices that are often only offering limited logging.
• The vulnerable versions of Nucleus NET, FreeBSD, and NetX have been updated, but the trick is waiting on vendor updates to devices with these as an embedded OS. Mitigations include identification and segmentation of devices with the vulnerable TCP/IP stacks, configuring devices to use known good internal DNS servers and monitoring and blocking of malicious or malformed DNS traffic.

Read more in:

• Forescout and JSOF Disclose New DNS Vulnerabilities, Impacting Millions of Enterprise and Consumer Devices
• 100 Million More IoT Devices Are Exposed—and They Won’t Be the Last

Critical Zoom Flaw Allows Remote Code Executions with No User Interaction

Two security researchers from the Netherlands demonstrated an exploit of flaws in the Zoom desktop client that allowed them to take control of a user’s computer. The exploit chains together three vulnerabilities in Zoom to allow remote code execution with no user interaction. The exploit works on the Zoom desktop client for PCs and for Mac.

Note:

• The browser version of Zoom in not affected – a good work around until the patch is available. Good to see that Zoom was one of the sponsors of the Pwn2Own competition that found this one.
• This flaw was revealed and demonstrated during the Pwn2Own event. The vulnerabilities have been reported to Zoom, and no details were made public. The Pwn2Own events have been a great way for researchers to demonstrate their skills responsibly. While depressing to see pretty much every single target fall year after year, this event has been a great source of responsibly disclosed vulnerability details.
• The exploit leverages a weakness in the Zoom Chat product, not the in-session chat which is part of Zoom Meetings or Zoom Video Webinars. The attacker has to either be an accepted external contact or another organizational user. The best mitigation is to use the web client until a fix is released. Also make sure that you’re following best practices to secure online meetings and accept external contact requests only from people you know and trust.
• A rare exception to the rule that one should prefer purpose-built applications to browsers.

Read more in:

• Critical Zoom vulnerability triggers remote code execution without user input
• Huge Zoom flaw lets hackers completely take over your Mac or PC [updated]

NCSC Recommends Actions to Address Fortinet SSL VPN Vulnerability

Britain’s National Cyber Security Centre (NCSC) is urging users to take steps to protect Fortinet SSL VPNs from active exploits. NCSC recommends checking to see if the FortiOS updates have been applied. If they have not, “the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured and then returned to service.”

Note:

• As the flaws are being exploited, assume unpatched devices have been compromised. The strategy recommended by NCSC, effectively a factory wipe and reset, (and patched) is a good way to make sure that your device is operating from a known good configuration. Make sure that all your internet facing and boundary protection devices including VPNs, firewalls, load balancers, WAFs are at the top of both the patch priority and security posture review lists. Ensure they are both properly configured and updated.
• Updating your remote access equipment, while most people still work from home, may be scary. But dealing with an incident involving your remote access equipment while working from home is worse. An upgrade can be scheduled.

Read more in:

• Alert: Critical risk to unpatched Fortinet VPN devices
• Critical security alert: If you haven’t patched this old VPN vulnerability, assume your network is compromised
• APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks (PDF)

Unit 42 Researchers Find Cryptojackers Targeting Washington State Educational Organizations

Researchers at Palo Alto Networks’ Unit 42 global threat intelligence team recently detected cryptojacking attacks targeting three educational organizations in Washington state. The incidents were detected on February 16, March 10, and March 15. The Unit 42 report includes a list of indicators of compromise.

Read more in:

• Attackers Conducting Cryptojacking Operation Against U.S. Education Organizations
• Washington State educational organizations targeted in cryptojacking spree

Ransomware Affects Cheese Delivery in the Netherlands

A ransomware attack that targeted Bakker Logistiek, a warehousing and transportation provider, has resulted in a cheese shortage in stores in the Netherlands. Bakker’s director said that due to the attack, they did not know where in their warehouses products were, and that it also prevented the company from receiving orders. The company is using backups to restore operations. They did not indicate if they paid the ransom.

Read more in:

• Dutch supermarkets run out of cheese after ransomware attack
• ‘Cheese hack’ resolved involved ransomware (Dutch)

Expired Certificate Prevents Pulse Secure VPN Logins

An expired code-signing certificate prevented Pulse Secure VPN users from accessing their devices. The problem affects users working from home when they try to connect to company networks through their browsers. The issue is the expired certificate combined with a software bug that fails to verify that timestamped executables are signed.

Note:

• This denial of service/access problem that keeps popping up shows the need for certificate discovery and management tools. There are some commercial products and a number of open source tools (like OpenCA and gnoMint) that provide support at scale for certificate management.
• Certificate use has become pervasive, and certificate lifetimes are shrinking, necessitating active monitoring and automated processes to update them automatically where possible. If nothing else, generate a support ticket with sufficient priority and warning to take action without interruption. When using certificates to sign code, be sure to not only use a timestamp server which captures the certificate validity at the time of signing, but also verify the behavior after the code signing certificate has expired.

Read more in:

• KB44781 – Multiple functionalities/features fail for End-Users with a Certificate error.
• Pulse Secure VPN users can’t login due to expired certificate

US Dept. of Health and Human Services OIG Finds Infosec Program is Not Effective

An audit of the US Department of Health and Human Services (HHS) information security program found it to be not effective. The audit, which was conducted by Ernst & Young LLP on behalf of the HHS Office of Inspector General (OIG), evaluated HHS’s information security program against Federal Information Security Management Act (FISMA) metrics. HHS’s information security program was also found not effective in audits conducted for FY 2018 and FY 2019.

Note: Repeat findings on an audit are not something you want. While HHS does have overall strategy for implementing needed processes and controls, OIG found the specific roadmaps and KPIs were lacking, which would drive completing the implementation of those strategies. Make sure that your enterprise strategy has the information needed for success to the lowest layers, including measurable objectives, defined timelines and funded resources. If you are not going to implement a regulatory requirement, such as the Continuous Diagnostics and Mitigation (CDM) program, work that at the highest levels with the regulator, and document the outcome and update your enterprise roadmap accordingly.

Read more in:

• HHS Information Security Program Still ‘Not Effective’
• Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (Report in Brief)
• Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (PDF)

IcedID Banking Trojan Spreading Through Contact Forms

Researchers from the Microsoft 365 Defender Threat Intelligence Team have detected attackers abusing contact forms on company websites to generate emails that include malicious links that can ultimately lead to machines becoming infected with the IcedID banking Trojan.

Read more in:

• Investigating a unique “form” of email delivery for IcedID malware
• Microsoft Warns of Malware Delivery via Google URLs
• Criminals spread malware using website contact forms with Google URLs
• IcedID Circulates Via Web Forms, Google URLs
• Attackers deliver legal threats, IcedID malware via contact forms
• IcedID Trojan Finding New Ways to Slip Past Defenses

Accellion: University of Colorado

The University of Colorado (CU) has provided additional information about a data breach related to a vulnerability in Accellion’s File Transfer Appliance (FTA). CU says that more than 300,000 unique records containing personally identifiable information were compromised. CU says the compromised data are being held for ransom and that they do not intent to pay the demand.

Read more in:

• Cyberattack Update April 9, 2021
• Accellion breach exposed 300,000 records, University of Colorado says

Kentucky Unemployment Insurance Office Offline to Reset PINs After Attempted Fraud

A cyberattack forced the Kentucky Office of Unemployment Insurance to take account operations offline for several days. Attackers used automated tools to access users’ accounts; in some cases, they changed bank information so that funds were diverted to a different account. The Office of Unemployment Insurance is resetting more than 300,000 PINs to ensure that thieves would not steal payments. Once the operations go back online, users will be assigned a new, 8 digit PIN and will be required to create a new 12 character password.

Note:

• Previously used 4-digit PINs, while encrypted, were trivial to guess, as users often chose predictable values. Having users choose longer passwords, sending account PINs out-of-band, and an emailed multi-factor access code are excellent steps in the right direction.
• While resistant to the rare brute force attacks, it sounds as though this system will continue to be vulnerable to the more prevalent fraudulent credential replay attacks. Strong authentication requires that at least one form of evidence be resistant to replay.

Read more in:

• Kentucky Unemployment Insurance Site Shuttered After Attack
• Important Security Notice About Unemployment Insurance PINs

Biden Nominates Former NSA Officials to Top Cybersec Positions at DHS and White House

The Biden administration has nominated former National Security Agency (NSA) official Jen Easterly to become director of the Cybersecurity and Infrastructure Security Agency (CISA). Biden is also expected to nominated former NSA official Chris Inglis to fill the new position of National Cybersecurity Director.

Note: These nominees have not only cybersecurity expertise, but also track records of partnership with private industry. CISA has used those relationships to increase the relevance, effectiveness and value of their services and guidance to both the public and private sector. Extending this partnership model to other cybersecurity roles is necessary to have comprehensive, relevant and effective security leadership.

Read more in:

• Biden Nominates Former NSA Officials for Top Cybersecurity Roles
• Biden scores praise for nominations of White House, DHS cyber leaders
• Biden to Nominate Former NSA Official Easterly to Head CISA
• White House to nominate NSA veterans Chris Inglis, Jen Easterly as national cyber director, CISA chief

DC Care First BC/BS Health Insurer Loses Clinical and Other Patient PII To Attackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) has disclosed that a January 2021 cyberattack compromised data belonging to current and former enrollees and employees. The compromised data include names, Social Security numbers, claims information, and in some cases, clinical information.

Note: This is a good example of transparency and a proactive response. CHPDC has not only published a notice, but also a FAQ, offered 2 years of free credit monitoring as well as engaged expert help for response, containment and remediation to prevent recurrence. While it’s nice to have full attribution in a cyber-attack, these steps taken represent concrete measurable actions which will help maintain and strengthen business relationships with customers, peers, and providers.

Read more in:

• Major DC insurance provider hacked by ‘foreign cybercriminals’
• Recent Cyberattack: A message from our President & CEO, George Aloth

Threat Actors are Exploiting Unpatched SAP Applications

Threat actors are exploiting known vulnerabilities in SAP applications. In a joint report, SAP and Onapsis noted that “critical SAP vulnerabilities [are] being weaponized in less than 72 hours of a patch release.” Attackers are exploiting the flaws to steal data, conduct fraud, deliver malware, and disrupt operations. Users are urged to update SAP applications.

Note:

• Attackers are now actively targeting unsecured SAP applications. CVE-2020-6287 and CVE-2020-6207 are rated as high-risk due to the potential to gain remote unauthorized system access. While patching your ERP system requires prioritization and adequate regression testing, these aggressive attacks warrant enlisting outside services to expedite the process. Consider immediately restricting access to unpatched SAP systems that are currently Internet-accessible.
• Patching faster continues to be easier to do with ease of spinning up AWS/Azure based full sized test environments, and is critical to do with high impact applications like SAP. The Solar Winds compromise points out that those high impact apps should also be tested for flaws or hidden capabilities, and the production instances monitored for unusual behavior – also a lot easier to do with manageable levels of false positives with modern tools.
• Historically, it has been more important to patch thoroughly than to patch urgently. Recent events suggest that that may be changing. In any case, the time to widespread exploitation seems to be shrinking.

Read more in:

• Active Cyberattacks on Mission-Critical SAP Applications
• SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications
• SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers
• Hackers actively targeting unsecured SAP installs, DHS, SAP and Onapsis warn
• Attackers Actively Seeking, Exploiting Vulnerable SAP Applications
• SAP Bugs Under Active Cyberattack, Causing Widespread Compromise
• Malicious Cyber Activity Targeting Critical SAP Applications

Threat Actors are Using Collaboration Apps to Spread Malware

Threat actors have been targeting collaboration apps, like Slack and Discord, to spread malware. The increased number of people working remotely has expanded the use of these apps; attackers have been using the platforms to deliver malware and exfiltrate data. The activity does not exploit vulnerabilities in the collaboration apps; instead, the threat actors are exploiting existing features and the level of trust that the platforms offer.

Note: These platforms are excellent for sharing and distributing files, and links to them are easily embedded in email. As the use of these services has become commonplace, those links no longer stand out as unusual. Some of the attack vectors, such as token stealing to access Discord, can’t be easily mitigated. If you’re not actively using these collaboration apps for business purposes, consider blocking their domains and adding the client software to your application deny list. If you are using them, make sure that your implementation is following best security practices and is sufficient for protecting the data stored and exchanged there.

Read more in:

• Sowing Discord: Reaping the benefits of collaboration app abuse
• Hackers Are Exploiting Discord and Slack Links to Serve Up Malware
• Threat actors targeted Slack and Discord as the pandemic raged on
• Attackers Blowing Up Discord, Slack with Malware

Critical Flaw in VMware Carbon Black

A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and gain elevated privileges. The issue is due to incorrect URL handling. Users are urged to upgrade to VMware Carbon Black Workload appliance version 1.0.2.

Read more in:

• Critical Cloud Bug in VMWare Carbon Black Allows Takeover
• VMware Carbon Black Cloud Workload appliance update addresses incorrect URL handling vulnerability (CVE-2021-21982)
• VMware Carbon Black Cloud Workload 1.0.2 Release Notes

Gigaset Android Phone Affected by Supply Chain Attack

Some Gigaset Android smartphones are being infected with malware through a “poisoned” update. The malware can open browser windows, download other malware, and send text messages in an effort to spread. Gigaset says the issue affects “older devices” and that they “expect to be able to provide further information” soon.

Note:

• The troubling detail is that the update came from the Gigaset update servers. Gigaset published a technical solution to remove the malware; there is some disagreement about the completeness of the fix. The better plan may be to power of affected devices, and remove both the battery and SIM. While Gigaset hopes to have better remediation information shortly, as this is impacting older devices, the more expedient and complete resolution may be to replace your device if affected.
• We cannot deal with the supply chain by placing all the responsibility on the end user. We must hold those who distribute malicious code responsible.

Read more in:

• Another supply-chain attack? Android maker Gigaset injects malware into victims’ phones via poisoned update
• Gigaset: malware attacks on the manufacturer’s Android devices are puzzling (German)

Lazarus Group’s Vyveva Backdoor Malware

An advanced persistent threat (APT) group with ties to North Korea reportedly used backdoor malware known as Vyveva in an attack against networks at a South African freight company. The Lazarus APT group appears to have been using Vyveva since late 2018. Vyveva’s “capabilities [include] file exfiltration, ‘timestomping,’ gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators.”

Read more in:

• (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
• Vyveva: Lazarus hacking group’s latest weapon strikes South African freight
• North Korean hackers use new Vyveva malware to attack freighters

Singapore Job Matching Organization Discloses Third-Party Data Breach

Singapore’s Employment and Employability Institute (e2i) has disclosed a data breach affecting 30,000 individuals. The company learned of the breach on March 12 from a third-party vendor whose systems were breached. The incident affects individuals who used e2i services or participated in e2i events between November 2018 and March 2021.

Note: Third-party liability needs to be understood. Make sure that your contracts not only flow down cyber security and data protection requirements but also legal and indemnification clauses. These clauses should be standardized for your supply chain management group and reviewed/updated annually by your cyber and legal staff. The review may drive the need to update existing contracts. Document your decision to update now or wait until renewal.

Read more in: Third-party security breach compromises data of Singapore job-matching service

Malicious Document Builder EtterSilent

Threat actors are using a malicious document builder known as EtterSilent in their campaigns. One version of EtterSilent mimics electronic signature app DocuSign but asks users to enable macros; a second version of EtterSilent has been used to drop the Trickbot banking trojan.

Note: EtterSilent includes features that allow it to bypass Microsoft Defender, Windows Antimalware Scan Interface (AMSI), and popular email services, including Gmail. EtterCell documents, created by the EtterSilent builder, are downloader payloads that use Excel 4.0 macro functions to download and execute malicious payloads.

Read more in:

• Emerging hacking tool ‘EtterSilent’ mimics DocuSign, researchers find
• EtterSilent maldoc builder used by top cybercriminal gangs
• EtterSilent Builder Gains Momentum in Malware Campaigns

Android Malware Hides in App Pretending to be Netflix

Check Point Research (CPR) discovered a wormable malware in a phony app on the Google Play Store. Dubbed “FlixOnline” it disguises itself as a legitimate Netflix client offering unlimited entertainment and a free 60-day premium Netflix subscription due to COVID-19. The malware targets WhatsApp, “listening in” on conversations and auto-responding to messages with malicious content. The application requests overlay and Battery Optimization Ignore and notification permissions to keep the device from shutting down as well as provide access to the WhatsApp communications.

Note:

• Beware of over-permissioned applications bearing false promises. The application is using the permissions granted to access the WhatsApp and dismiss and reply to messages. Overlay permissions are often seen in a credential stealing application. The Netflix link provided is also a credential stealing site. The application has been removed from the Play Store and Play Protect will remove any installed copies. No action is needed for the WhatsApp.
• With each Android release, Google has been reducing the scope of app behavior that is allowed. Taking advantage of that requires carriers/operators to be pushing out updates, users to allow them to happen and sometimes requires newer phones to be used. Google had been improving Play Store security/privacy vetting across 2019 but did not publicly announce significant advances in 2020 or so far in 2021. The Play Store and Apple App Store still represent significant obstacles in preventing malware compared to what PC and server operating systems.

Read more in:

• New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp
• New wormable Android malware poses as Netflix to hijack WhatsApp sessions
• Fake Netflix app on Play Store caught hijacking WhatsApp sessions
• New wormable Android spyware and adware positions since Netflix in order to hijack WhatsApp sessions
• Fake Netflix App on Google Play Spreads Malware Via WhatsApp

Belden Says More Information Was Compromised in 2020 Breach

Belden, a network connectivity device manufacturer based in the US, has disclosed additional information about a 2020 cyberattack. When the company first acknowledged the incident in November, it said that current and former employee data and some business data had been compromised. Now it appears that the compromised data include information about some employee’s family members, and health-related information.

Note: Consider whether your enterprise holds data sensitive for others that you do not really need, use, or adequately protect. The most effective way to ensure that one does not leak sensitive data is not to keep it.

Read more in:

• Belden says health benefits data stolen in 2020 cyberattack
• Belden Issues Supplemental Notification of Data Incident

Previous Data Theft May Have Contributed to Exchange Server Attacks

US government officials and Microsoft are puzzling over how the threat actors behind the Microsoft Exchange Server attacks were able to carry out attacks so broadly and so quickly. One emerging theory is that the threat actors, who have been linked to China, have vast troves of stolen and/or mined information that they used to determine which accounts to target. Anne Neuberger, deputy national security adviser for cyber and emerging technology said, “We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks. Their potential ability to operationalize that information at scale is a significant concern.” (Please note that the WSJ story is behind a paywall.)

Read more in:

• Suspected China Hack of Microsoft Shows Signs of Prior Reconnaissance (paywall)
• The Cybersecurity 202: This House Democrat is pushing for more funding for state and local cybersecurity

Aviary Dashboard Analyzes Data Output from Sparrow Detection Tool

The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners have released a dashboard to help “visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise.”

Note: As DHS/CISA continue to refine and require added scans relating to the SolarWinds compromise, this dashboard represents a way to track and monitor the results from scans made using their Sparrow detection tool, which should aid reporting requirements associated with this activity. Even if you’re not bound by these directives, consider this approach to tracking the status and health of SolarWinds environments.

Read more in:

• CISA releases tool to review Microsoft 365 post-compromise activity
• cisagov / Sparrow | Aviary
• Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments

FBI and CISA Joint Advisory: APT Actors Actively Exploiting Flaws in Fortinet FortiOS

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert about advanced persistent threat (APT) actors scanning on ports 4443, 8443 and 10443 for known vulnerabilities in Fortinet FortiOS SSL VPNs. The threat actors could exploit the vulnerabilities “to gain access to multiple government, commercial, and technology services networks.” Users are urged to apply updates.

Note:

• These are older vulnerabilities, and likely exploited by more than APT actors. Patching a remote access device while everybody is working from home has its risk. But if it is too risky to patch, it would be even worse if the device gets compromised. Patch!
• The vulnerability exploited in CVE-2018-13379 was not only resolved in the May 2019 patch, but also allows attackers to bypass 2FA. Make sure that your Fortinet devices are up-to-date to ensure that your 2FA implementation is not rendered ineffective. Review the IC3 guidance below for important mitigations, beyond updating your devices and enabling multi-factor authentication, important steps include requiring administrative privileges to install software, using network segmentation, auditing the use of administrator accounts, and configuring systems with the principle of least privilege in mind.

Read more in:

• APTs targeting Fortinet, CISA and FBI warn
• Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities
• CISA, FBI warn of hacking threat against Fortinet product
• FBI and CISA: APT Groups Targeting Government Agencies
• FBI: APTs Actively Exploiting Fortinet VPN Security Holes
• Advanced hackers use Fortinet flaws in likely attempt to breach government networks, feds warn
• APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks (PDF)

Malware Disrupts Automobile Inspections

A malware attack affecting automobile emissions testing company Applus Technologies is preventing vehicle inspections in eight US states. The March 30 attack prompted Applus technologies to disconnect their network from the Internet. As it is uncertain when inspections will resume, officials in affected states are notifying law enforcement authorities of the situation, asking them not to issue citations for expired emissions. Applus Technologies is also working with customers to ensure the vehicle owners do not incur fines and penalties.

Read more in:

• Malware attack is preventing car inspections in eight US states
• Cyberattack disables CT DMV emissions testing. When will services return?
• Applus Provides Update

Spear Phishing Campaign Targets Job Seekers on LinkedIn

Threat actors are targeting LinkedIn users with phony job offers. The spear phishing campaign tries to manipulate LinkedIn users into clicking on a malicious ZIP file that installs a fileless backdoor Trojan known as more_eggs. That malware has the capacity to download additional malware, giving threat actors access to the user’s computer.

Note: This attack is targeting out-of-work professionals with a personalized compelling campaign, which means user education has to come through non-work channels such as professional organizations, or reaching out to friends who you know to be job hunting. Make sure they are both aware of the campaign and have current endpoint protection on their system. The motivation appears to be access-for-hire – where access to compromised systems is sold to others for use in subsequent campaigns.

Read more in:

• LinkedIn Spear-Phishing Campaign Targets Job Hunters
• LinkedIn Phishing Ramps Up With More-Targeted Attacks
• Hackers Spearphish Professionals on LinkedIn with Fake Job Offers, Infecting them with Malware, Warns eSentire

Microsoft Outage Caused by Bug

An outage that affected Microsoft’s cloud services on Thursday, April 1 was due to a code defect that overwhelmed the Azure DNS service, which “led to decreased availability of … DNS service.” The issue was resolved by Thursday evening.

Note:

• A good reminder that DNS is still a critical service. Doesn’t matter how big your cloud is if nobody can find it.
• Microsoft services detected the issue and recovered themselves after 39 minutes, which is impressive on its own and Microsoft has made changes to their volumetric spike detection system to reduce that window further. As we put more reliance on cloud service providers, it becomes important to fully understand what their service level objectives are and compare them with your maximum tolerable downtime. Understand and document what recourse is available during a service outage. If you implement monitoring to discover interruptions in service, make sure that it is configured in a way that your CSP will accept your findings as genuine. That may require monitoring from more locations and more sophisticated service checks than initially considered.

Read more in:

• Azure status history
• Microsoft says investigating issues with Microsoft 365 services and features
• Microsoft Cloud services were down for some users
• Microsoft outage caused by overloaded Azure DNS servers

CISA Now Overseeing .GOV Top Level Domain

An appropriations bill that passed US Congress late last year includes the DOTGOV Online Trust in Government Act, which moves oversight of the .gov top level domain from the General Services Administration (GSA) to the Cybersecurity and Infrastructure Security Agency (CISA) as of April 2021. Currently, just 10 percent of local governments have a .GOV domain.

Note:

• Now we just need to get state and local governments to actually use .gov domains. For example here in Florida, one of these three domains is not run by the state. Guess which one: sunbiz.org, myflorida.com, stateofflorida.com. Consistent use of the .gov TLD will make it easier to spot imposters.
• Working with small agencies in the past, the barrier to entry for .GOV domains was just too high as compared to getting a free, or nearly free .US or .ORG domain. Not only does CISA need to get .GOV domains funded, the ROI and time to deliver must outweigh the ease of getting alternate domains. Agency leadership also has to be enrolled in supporting their use as well as informed of options such as grants for technical and non-technical items needed to support transitioning to the new domains.

Read more in: The DOTGOV Act: Local Cybersecurity a National Imperative

Ransomware: Broward County Schools

Ransomware operators recently demanded a $40 million payment after infecting the Broward County Public Schools network. The Florida school district said it does not intend to pay the demanded ransom.

Read more in:

• Conti ransomware gang hits Broward County Schools with $40M demand
• Ransomware gang wanted $40 million in Florida schools cyberattack

Ransomware: CNA Website Operational, Email Functionality Restored

US insurance company CNA has acknowledged that a cyber incident that occurred in late March was a ransomware attack. As of Monday, April 5, the company’s website is operational, and CNA says it “has reestablished email functionality which is protected by multi-factor authentication and a security platform to help detect and block email threats.“ The company has also employed additional security measures.

Note:

• Ben Wright and I are doing a talk at the RSA Conference in May: “How Risky is Cyberinsurance?” One issue we won’t have time to address is concentration of risk – if an insurer suffers a major incident (such as widespread exploitation of Solar Winds or Microsoft Exchange vulnerabilities) will the insurer be able to meet their financial obligations? In this case, S&P and other credit rating firms say they are not changing CNA’s credit rating. But, since many large enterprises do require supply chain/third-party partners to carry insurance, good to check for too large a percentage with a single cyberinsurance carrier.
• Implementing multi-factor authentication on email has to be a foundational setting we all use. Hosted email providers make this easy to implement. Avoid the temptation to allow VIPs and system administrators to opt-out. In short, they have more access and are more targeted than other users, making them more risky.

Read more in:

• CNA website back online after ‘sophisticated cybersecurity attack’
• CNA shares details about ransomware attack, recovery effort
• Security Incident Update (PDF)

Facebook Data Leak

Data belonging to more than 530 million Facebook users data been leaked on the darknet. Compromised data include names, phone numbers, birthdates, email addresses and other identifiers. The leak affects users from more than 100 countries.

Note:

• This appears to be data stolen in a 2019 breach. Even so, much of this data is still accurate. At that time the Facebook and Instagram function to search by phone number was removed. What has happen is the data has been released, for free, and could be used for social engineering or SIM swapping campaigns. Make sure that your mobile number is protected from unauthorized swapping, your spam filters are configured and working; and review your identity/credit monitoring to make sure you are alerted upon use of your personal information.
• As Facebook’s European Head Quarters is based in Ireland, the Irish Data Protection Commission has released a statement in which the line “The DPC attempted over the weekend to establish the full facts and is continuing to do so. It received no proactive communication from Facebook” stood out for me. If Facebook are serious about the personal data of its users I would expect it to be actively informing the Data Protection Commission of its investigations into this issue. www.dataprotection.ie: DPC statement, re: Dataset appearing online

Read more in:

• 533 million Facebook users’ personal data leaked online
• Facebook data on 533 million users posted online
• 533 million Facebook users’ phone numbers leaked on hacker forum
• 533 Million Facebook Account Records Posted to Forum
• Facebook data for over 500M users reportedly leaks online

Kaspersky Researchers Discover a Cyberespionage Campaign Targeting Vietnam

Researchers from Kaspersky have found evidence of a cyberespionage campaign that employs sophisticated tactics to “make it significantly more difficult for researchers to reverse engineer the malware for analysis.” The campaign appears to be the work of Chinese state-sponsored threat actors; it targets Vietnamese government and military organizations.

Read more in:

• Spy Operations Target Vietnam with Sophisticated RAT
• The leap of a Cycldek-related threat actor
• Kaspersky Uncovers New APAC Cyberespionage Campaign
• Advanced threat actors up their game in new APAC cyberespionage campaign

Stanford University Medical School Discloses Accellion-Related Data Breach

In a message to the Stanford community, Stanford University Medical School said that it experienced a data breach that involved Accellion’s File Transfer Appliance file-sharing service. Threat actors have posted data taken from Stanford University Medical School on a leak site. The compromised information includes names, addresses, Social Security numbers, and financial data.

Note:

• A recurring theme with Accellion FTA users is not if they have been breached, but when. The FTA appliance was secure mechanism for transferring sensitive data between service providers and business partners. Universities used them for student, faculty and staff data transfers so the impact of exfiltrated data is very broad. If you still have an FTA appliance, it needs to be decommissioned and replaced. You will want to forensically analyze them to establish what data may have been accessed. If you don’t have in-house expertise, engage security services with direct experience with the FTA breaches to work with you through this process.
• One might conclude that open-source intelligence has failed to communicate this vulnerability. What does this say about the effectiveness of open-source intelligence? SANS is doing its part.

Read more in:

• Hackers leak Social Security numbers, student data in massive data breach
• Message to Stanford community on cybersecurity incident
• Statement on the School of Medicine Cybersecurity Incident
• Stolen Stanford data leaked after Accellion breach

Exchange Server: CISA Requires Agencies to Run Microsoft Safety Scanner

The US Cybersecurity and Infrastructure Security (CISA) has directed federal agencies to “download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode” and “download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity.” Agencies must perform these actions by noon EDT on Monday, April 5. There are also hardening requirements that must be implemented by June 28, 2021. The new requirements were released as Supplemental Direction to CISA’s March 3 Emergency Directive 21-02.

Note:

• Everybody should run the Microsoft Safety Scanner for Exchange. Even if you patched as soon as the patch was released by Microsoft. The scanner isn’t perfect, but it is easy to run and you should assume that the system was compromised the day before the patch was released.
• The MSERT script is being updated frequently, so be sure to download the latest before performing these scans. The new requirements are not just to harden the OS of the servers, but also verify that you’re employing principle of least privilege for accounts on your exchange server. Also note the requirement to not only be on support OS and Exchange versions but also apply patches within 48 hours of release which leaves little time for regression testing and necessitates verified roll-back procedures.

Read more in:

• Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies
• CISA gives federal agencies 5 days to find hacked Exchange servers
• Emergency Directive 21-02 Supplemental Direction (March 31, 2021)
• Microsoft Safety Scanner

North Korean State-Sponsored Threat Actors Created Fake Security Company

North Korean state-backed hackers are once again targeting security researchers. This time, the threat actors have set up a phony offensive security company, replete with a website and associated social media accounts. The fake company, SecuriElite, says it is based in Turkey and that it offers penetration testing, software security assessments, and exploits. The same group of threat actors launched a campaign earlier this year involving phone social media accounts, from which they asked targeted researchers if they wanted to collaborate on a project.

Note: Just as you would for services used at home, you need to check references carefully when hiring a security firm. Use known good sources for references. If your industry peers haven’t heard of or don’t have direct experience with a firm, use caution or select again.

Read more in:

• Google: North Korean hackers are targeting researchers through fake offensive security firm
• North Korean hackers return, target infosec researchers in new operation
• Google: North Korean APT Gearing Up to Target Security Researchers Again
• Update on campaign targeting security researchers

Whistleblower: Ubiquiti Breach “Catastrophically Worse Than Reported”

In a letter to the European Data Protection Supervisor, a whistleblower wrote that a breach disclosed by Ubiquiti in January 2021 “was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers.” In a March 31 Update to January 2021 Account Notification, Ubiquiti disclosed that it was targeted by an unsuccessful extortion attempt in January.

Note:

• Unlike similar products, the “controller” function for Ubiquiti’s network and video products is run on premise. But authentication usually happens via Ubiquiti’s cloud authentication service. In addition, the web-based controller software in some cases retrieves components from Ubiquiti’s site. I reviewed the controller web interface, and for example, Ubiquiti is including JavaScript from delighted.com for “optional user surveys”. An attacker, who appears to have had full access to Ubiquiti’s source code and cloud infrastructure, may have been able to swap out that code for something malicious. If you are using Ubiquiti products, make sure you disable remote access to the controller.
• Transparency is key in a breach situation. Be clear about the scope and relevance of affected systems, as well as recovery efforts. Update your disclosure as new information becomes available to maintain the relationship with your customers and users. For third-party contracts, make sure that your security requirements flow down to sub-contractors and that your indemnification and liability clauses are sufficient to protect your business. If you’re using the Ubiquiti cloud management services and you have not changed your password since January 11th, both change it and implement MFA.

Read more in:

• Whistleblower: Ubiquiti Breach “Catastrophic”
• Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’
• Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges
• Ubiquiti breach puts countless cloud-based devices at risk of takeover
• Ubiquiti confirms extortion attempt following security breach
• Update to January 2021 Account Notification

Ransomware: University of Maryland Data Leaked

Ransomware operators are leaking data that appears to have been stolen from systems at the University of Maryland, Baltimore, and the University of California, Merced. The compromised data include tax documents, passport numbers, Social Security numbers (SSNs) and health savings plan enrollment forms.

Note: The Clop group has been harvesting data via Accellion FTA exploits. This dataset includes both employee and student data. While the universities have taken steps to prevent recurrence, employees and students need to make sure they are also taking steps to prevent identity theft for themselves and any family members also included on benefit, tuition, or grant application forms.

Read more in: Ransomware group targets universities in Maryland, California in new data leaks

Medical Researchers Targeted in Phishing Campaign

A report from Proofpoint says that state sponsored threat actors have targeted medical researchers in the US and Israel with credential phishing attacks. The campaign began in December 2020. Proofpoint says “the tactics and techniques observed in BadBlood (Proofpoint’s name for the campaign) continue to mirror those used in historic TA453 (aka Charming Kitten) campaigns.”

Note:

• Capturing reusable credentials continues to be the “easy button” for getting access to systems and information. In this campaign they are using look-alike sites to harvest credentials, and while users may notice that the 1drv[.]casa is not a legitimate Microsoft login site, many will miss that clue. The more complete solution is ubiquitous multi-factor authentication. Don’t allow any users to opt-out, reducing the effectiveness of captured credentials. If possible, integrate your password processes with breach data checks to identify and trigger updates for passwords which have been breached.
• Almost every time I read a long report about a complex state-sponsored attack, in the first paragraph I’ll see “phishing” and “harvested login-credential.” After that will be catchy names for the threat actor or malware, and descriptions of what the attackers did after easily “harvesting credentials” – i.e., taking advantage of the use of reusable passwords by obvious targets, like sys admins, medical researchers during a pandemic, security researchers, CFOs, etc. There has been a lot of hype recently about “Zero Trust” architectures, which can’t exist when those targets are still using easily compromised credentials.

Read more in:

• BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
• Iranian credential thieves targeting medical researchers
• APT Charming Kitten Pounces on Medical Researchers
• Attackers Target Medical Research Staff with Credential Phishing Attacks

US Justice Dept. Warns of Vaccine Survey Phishing Campaigns

The US Justice Department says it has received reports of fraudulent COVID-19 surveys that are being sent to consumers in email and in text messages. The message says the recipient is eligible to receive a prize for answering the questions and asks them to provide a credit card number to pay shipping and handling.

Note: This takes its cues from the old Nigerian scam, where you are tricked into providing a small fee in exchange for a huge reward. And as in that scenario, the temptation to participate is heightened by the campaign message. As then, the task is to train users, friends and family to click only on links from known senders. The DOJ site below has links for not only reporting suspected phishing campaigns, but also references for users who may have provided information to fraudsters as well as protection measures for future use. As we are in tax season, consider an IRS Identity protection PIN to prevent fraudulent filing of a tax return on your SSN. www.irs.gov: Get An Identity Protection PIN (IP PIN)

Read more in:

• US DOJ: Phishing attacks use vaccine surveys to steal personal info
• Justice Department Warns About Fake Post-Vaccine Survey Scams

SolarWinds: US Malware Analysis Report

The US Department of Homeland Security (DGS) and US Cyber Command are planning to release a malware analysis report that details malicious code allegedly used by the threat actors behind the SolarWinds supply chain attack. The report was initially scheduled to be released on March 31, but has since been delayed.

Read more in:

• US to publish details on suspected Russian hacking tools used in SolarWinds espionage
• USA to publish detailed analysis of SolarWinds hacking tools

Indictment in Kansas Water Utility Breach

US federal authorities have indicted Wyatt A. Travnichek for allegedly tampering with a public water system in Kansas. The incident occurred in late March 2019. Travnichek allegedly gained access to the Post Rock Rural Water District’s computer system and shut down cleaning and disinfection procedures. Travnichek has been charged with tampering with a public water system and reckless damage to a protected computer wit unauthorized access.

Read more in:

• Feds Indict Kansas Man for Allegedly Hacking Into Water Supply
• Kansas man indicted in connection with 2019 hack at water utility
• Feds say man broke into public water system and shut down safety processes
• Indictment: Kansas Man Indicted for Tampering With a Public Water System

RSA: DHS Secretary Describes Planned 60-Day Cybersecurity Sprints

Speaking to a virtual audience at the RSA conference, US Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said that DHS and the Cybersecurity and Infrastructure Security Agency (CISA) are planning a series of 60-day sprints to address cybersecurity goals. There are six areas of focus, including ransomware, resiliency of industrial control systems at water and sewage treatment facilities, and election security. Mayorkas also noted the forthcoming executive order, which will aim to “advance the federal government’s ability to prevent and respond to cyber incidents.”

Read more in: DHS Secretary Outlines 60-Day Cybersecurity Recovery Plan

Executive Order to Address Breach Disclosure

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Biden administration is working closely with the private sector on a forthcoming executive order, which is expected to make “fundamental improvements to national cybersecurity.” Among other elements, the draft executive order would require organizations that do business with the federal government to disclose network breaches with a matter of days.

Note:

• Breach disclosure, encryption at rest, and 2FA for companies working with the Federal Government appear to be the core themes of the pending order. When implementing encryption, have a clear understanding of where and when data is, and is not, encrypted. Contracts with the Federal Government already include incident response and disclosure requirements, with pre-identified contacts and defined timelines. Additionally, a clear understanding of how that information needs to be protected, where and when it is reported, and by whom, are key to maintaining trust in the business relationship. If you don’t have similar provisions in contracts with service providers, you need to add them.
• The first federal US breach notification law was proposed in 2003. Sad to see that 18 years later US legislators still have been unable to act in this area. Since several states have joined California in passing state level laws, most companies would prefer a federal standard requirement. So, action is badly needed on this and perhaps the FCC will tackle cell phone number spoofing, too.

Read more in: Companies Must Quickly Report Hacks to U.S. Under Proposed Order

Brown University Data Center Shut Down Following Cyber Incident

Brown University’s CIO and chief digital officer said they shut down the school’s data center after detecting “a cybersecurity threat to the University’s Microsoft Windows-based technology infrastructure” on March 30. The Computing and Information Services team has begun restoring systems.

Note: Many services are back online, or are being restored shortly. Brown University is using their Computing and Information Services Alerts page to provide status updates on impacted services. it.brown.edu: Computing & Information Services Alerts

Read more in:

• Brown U. cuts off data center after detecting ‘cybersecurity threat’
• IT Security Threat and Temporary Systems Outage

Harris Federation Ransomware Attack Affects 50 UK Schools

The UK’s non-profit Harris Federation, which operates 50 primary and secondary schools in London and Essex, has disclosed that it suffered a ransomware attack in late March. The incident occurred the same day the National Cyber Security Centre warned that ransomware operators are targeting the education sector. The attack affected servers, telephone systems, and email systems. Devices that the schools issued to students have also been disabled.

Read more in:

• And that’s yet another UK education body under attack from ransomware: Servers, email, phones yanked offline
• A highly sophisticated ransomware attack leaves 36,000 students without email
• A Message to Parents and Pupils