Information and Cyber Security News Headline Updated on 23 November 2019

The headline on 23 November 2019

Texas School District Pays Ransomware Demand. The Port Neches-Groves Independent School District in Texas has paid an undisclosed sum in Bitcoin to regain access to their files that were encrypted by ransomware. The district’s director of information services said that as of Monday, November 18, staff had regained access to nearly all files.

Read more in: The Beaumont Enterprise > PN-G pays ransom to regain access to district files

Veterinary Practices Hit with Ransomware. A ransomware attack affected computers at California-based National Veterinary Associates (NVA), causing problems at roughly 400 of the company’s veterinary practices and animal boarding facilities around the world. NVA discovered the attack on October 27 and hired two companies to help with the recovery. The attack affected patient records, payment systems, and office management software. The company did not say if it paid the ransom.

Read more in:
KrebsOnSecurity > Ransomware Bites 400 Veterinary Hospitals
threatpost > 400 Vet Locations Nipped by Ryuk Ransomware

French Hospital’s Computers Infected with Ransomware. A hospital in Rouen, France, was the victim of a ransomware attack that occurred on Friday, November 15. While the 6,000 computers were unavailable, healthcare providers at Centre Hospitalier Universitaire (CHU) resorted to pen and paper. CHU said that the incident has caused “very long delays in care.” According to Le Monde, France’s cybercrime agency ANSSI helped contain the effects of the attack and helped with the recovery.

Read more in:
BBC > Rouen hospital turns to pen and paper after cyber-attack
The Register > Bon sang! French hospital contracts 6,000 PC-locking ransomware infection
Infosecurity Group > French Hospital Crippled by Ransomware
Le Monde > Frappé par une cyberattaque massive, le CHU de Rouen forcé de tourner sans ordinateurs (in French)

DHS and VotingWorks Release Open Source Post Election Audit Tool. The US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) and VotingWorks have made an open source post election risk-limiting audit tool available on GitHub. Arlo, as the tool is named, “helps election officials complete a statistically valid audit of vote tabulation processes by comparing the votes marked on a random sample of original paper ballots with the electronically recorded votes for those same ballots.”

Read more in:
VotingWorks > Risk-Limiting Audits with Arlo
GitHub > votingworks/arlo
ZDNet > CISA and VotingWorks release open source post-election auditing tool

Critical Flaws in Oracle E-Business Suite. A pair of critical vulnerabilities in Oracle’s E-Business Suite (EBS) could be exploited to print checks and conduct electronic funds transfers. Oracle released fixes for the flaws in its April 2019 Critical Patch Update. The Onapsis researchers that found the flaws and reported them to Oracle in December 2018 estimate that about half of Oracle EBS customers have not yet applied the fixes.

Note:

  • Regression testing of changes to ERP systems is important, and it takes a lot of maturity to roll updates quickly. Due to the critical nature of the flaws, expedited testing is warranted; mitigate some of the risks by actively watching application logs for unauthorized transactions.

Read more in:
DARKReading > Patch ‘Easily Exploitable’ Oracle EBS Flaws ASAP: Onapsis
Bleeping Computer > Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws
Onapsis > Oracle PAYDAY Attacks Put Thousands of Global Organizations at Risk of Financial Fraud and Theft
Oracle > Oracle Critical Patch Update Advisory – April 2019

New Russian Law Requires Devices Sold Have Russian Software Pre-Installed. Russia’s parliament has passed a law that would prohibit the sale of certain electronic devices that do not have Russian software pre-installed. The law affects smartphones, computers, and smart TVs. Devices made in other countries may be sold with their own software, but the Russian software must be installed as well. While the law has been touted as promoting Russian software and making devices easier to use in that country, some are concerned that the law will increase surveillance.

Editor’s Note

  • This is a complex issue. Back in 1999, China started trying to mandate use of Chinese encryption software and standards in everything and largely backed off. It has now focused on a “Multi Level Procurement Standard” that only imposes domestic Intellectual Property requirements on use cases with higher levels of impact, similar to what the US calls Critical Infrastructure Systems. The US more recently has simply issued bans on software and hardware from Chinese and Russian suppliers for government use, regardless of criticality, while the UK has taken more of a required testing approach. There are no examples of positive outcomes when governments require software from their own countries get installed on commercial products.
  • As John says, this is complicated and will change over time. Expect trade restrictions and interplay with their ISP restrictions to come into play to force the issue.

Read more in:
BBC > Russia bans sale of gadgets without Russian-made software

Microsoft Patches Windows UAC Flaw. As part of its monthly security update for November, Microsoft last week released a fix for a vulnerability in the User Account Control (UAC) feature in Windows Secure Desktop. UAC is a security feature designed to help prevent unauthorized operating system changes. The flaw could be exploited to gain elevated privileges.

Read more in:
threatpost > High-Severity Windows UAC Flaw Enables Privilege Escalation
Zero Day Initiative > Thanksgiving Treat: Easy-as-Pie Windows 7 Secure Desktop Escalation of Privilege

Cleveland Federal Reserve President: Do a Better Job of Sharing Threat Information. Cleveland Federal Reserve President Loretta Mester said that financial organizations need to undergo tests to see how they handle cyberattacks, noting that “Such a test could help evaluate the financial system’s plans for data and core systems recovery and its reliance on third parties to implement that plan.” Mester also said that financial organizations, regulators, and government agencies need to do a better job of collaborating and sharing threat information. Mester spoke at a conference on financial stability hosted by the Cleveland Federal Reserve.

Read more in:
Reuters > Cleveland Fed’s Mester urges regulators to be more agile on cybersecurity risks

NeverQuest Banking Malware Developer Sentenced to Prison. A US District Count Judge has sentenced Stanislav Lisov to four years in prison for his role in creating NeverQuest, malware designed to steal funds from bank accounts. Lisov admitted that he stole more than $880,000 using NeverQuest.

Read more in:
cyberscoop > NeverQuest banking malware administrator sentenced to 4 years

The headline on 20 November 2019

Phishing Campaign Targets Office 365 Admins. A phishing campaign uses legitimate sender domains to target Office 365 administrators. The emails appear to come from Microsoft, but are actually coming from other compromised organizations. If a phish is successful, the attackers can then use that account to set up more email accounts that appear legitimate and can be used to send additional phishing messages.

Note:

  • The major cause for compromise of cloud services has been enterprise admins using reusable passwords. The business and user side wants to move to cloud; IT should be saying “OK, part of the transition cost is strong authentication by our admins.” This admin privilege management issue does not impact users at all!
  • Enable MFA for administrator accounts and monitor their use. Your admins may wish to keep a “break glass” account with a reusable password. If so, it should be audited, and password changed when used. To help minimize the number of Global Admins in O365, Microsoft is previewing a new role called Global Reader to enable visibility without update capabilities. Disable legacy protocols (IMAP/POP/SMTP) which use legacy or non-MFA authentication. Microsoft can be engaged to assess the security of your O365 environment.
  • In addition to strong authentication, privileged access management mechanisms are indicated here. It is beyond ironic that the place where we are least likely to find strong authentication and are most likely to have shared ID’s and passwords is among privileged users.

Read more in:
threatpost > Office 365 Admins Targeted in Ongoing Phishing Scam
Infosecurity > Office 365 Admins Singled Out in Phishing Campaign

Disney+ Accounts Compromised, Offered for Sale on Hacker Forums. Within hours after the launch of the Disney+ video streaming service, hackers began hijacking accounts and making them available on hacker forums.

Note:

  • The most likely source of compromised account information is credential reuse. While it is tempting to reuse passwords or select passwords that are easy to enter on your streaming device, use unique long passphrases on every account. Disney+ doesn’t support MFA.

Read more in:
ZDNet > Thousands of hacked Disney+ accounts are already for sale on hacking forums
Infosecurity > Hacked Disney+ Accounts on Sale for $1

Louisiana’s Office of Technology Services Takes Down Servers to Contain Ransomware Attack on State Government. State government IT systems and websites in Louisiana were unavailable on Monday. Governor John Bel Edwards said that the state’s cybersecurity team was activated “in response to an attempted ransomware attack.” The state’s Office of Technology Services (OTS) took agency servers offline as a precaution.

Read more in:
ZDNet > Ransomware hits Louisiana state government systems
REUTERS > Louisiana government computers knocked out after ransomware attack
TheHill.com > Louisiana activates cybersecurity team in response to attack on state agencies
BleepingComputer > Louisiana Government Suffers Outage Due to Ransomware Attack

Nunavut Government Recovering from Ransomware Attack. Computer systems belonging to the Nunavut (Canada) government are starting to be restored after a ransomware attack that hit its computers on November 2. The government did not pay the ransom demanded and has instead reverted to faxes, paper forms, and telephone calls to conduct business while government machines are being wiped and reformatted. The Nunavut government keeps monthly and annual backups of its systems and takes a nightly snapshot.

Read more in:
CBC > Nunavut government computer systems coming back online after cyber attack
Nunatsiaq News > Government of Nunavut slowly rebuilds computer network following ransomware attack

Intel to Pull Old Drivers and BIOS Updates from Website. Intel has announced that it will remove old drivers and BIOS updates from its website by Friday, November 22. Many of the drivers that will be purged are for versions of Windows operating systems that Microsoft no longer supports. This means that users running legacy systems need to download the drivers and BIOS updates they need as soon as possible. If they miss the November 22 deadline, there are mirrors of the Intel FTP site.

Read more in:
ZDNet > Intel to remove old drivers and BIOS updates from its site by the end of the week
BleepingComputer > Intel is Removing End of Life Drivers and BIOS Downloads

Google Fixes Gmail Cross-Site Scripting Flaw. Google has fixed a cross-site scripting flaw in the AMP4Email feature. AMP4Email, also known as dynamic email, makes it easier for email to display dynamic content. The feature was made generally available in July. The researcher who found the vulnerability said it “is an example of a real-world exploitation of well-known browser issue called DOM Clobbering.” He notified Google of the flaw in August, and a fix was made available before the issue was publicly disclosed.

Read more in:
research.securitum.com > XSS in GMail’s AMP4Email via DOM Clobbering
ZDNet > Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature

Sometimes Medical Device Security is at Vendors’ Discretion. In some cases, the security of Internet of Things (IoT) medical devices on health care organizations’ networks is managed by the vendors. Often, the vendors do not allow the organization to apply patches, change admin credentials, or add anti-malware protection; if the organizations make such changes, the devices’ warranty is voided. One way of managing this issue is to segment the devices.

Note:

  • Big sigh. At Gartner in 2006, I wrote a research note that pointed out “The Food and Drug Administration issued guidance that removed barriers to medical equipment vendors rapidly issuing patches for vulnerabilities in their products because of FDA certification issues. Enterprises should demand that vendors step up the timeliness of their patch processes.” The FDA reiterated that guidance in 2014 and in 2018 put out additional guidance. What has been lacking is health care enterprises mandating security requirements and evaluation criteria for all device procurements. If heath care organizations continue to buy junk, the device manufacturers will continue to sell junk.
  • Mitigations for these devices are similar to other unpatched/minimally secure devices on your network: segment them, monitor their actions, and restrict connectivity to only devices and services that are absolutely needed.

Read more in:
Darkreading > How Medical Device Vendors Hold Healthcare Security for Ransom

Some Macy’s Pages Infected with MageCart Malware. Macy’s, the US department store, has published a Notice of Breach document explaining that the “Checkout” and “My Wallet” pages on macys.com were infected with MageCart malware last month. The malware was added to the pages on October 7, 2019. Macy’s became aware of the situation and removed the malware on October 15. The incident compromised customers’ personal information, including names, addresses, email addresses, payment card numbers, expiration dates, and security codes.

Note:

  • Online merchants that accept credit cards at checkout put themselves and their customers at unnecessary risk of fraud. Merchants should provide, and consumers should prefer, the use of proxies such as PayPal, Apple Pay, and Click2Pay.

Read more in:
SC Magazine > Macys.com Magecart attack yields payment, personal info
BleepingComputer > Macy’s Customer Payment Info Stolen in MageCart Data Breach
DocumentCloud > Macy’s Notice of Data Breach, November 14, 2019

Bluetooth Scanning and Device Theft. An increase in the number of laptops and other devices from cars suggests that thieves may be using Bluetooth scanners to detect devices left inside vehicles. On some devices, if Bluetooth is turned on, the devices will put out a detectable beacon even when they are idle. Law enforcement officials in some jurisdictions say they are aware of thieves using scanners, but did not provide details.

Note:

  • Replacing sleep mode with hibernate turns off the laptop and stops detectable emissions. Also remember to turn off emissions from other mobile devices stored in the car. The simplest fix may be a policy of not leaving devices in vehicles at all.

Read more in:
WIRED > Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones

Facebook Fixes WhatsApp Remote Code Execution Flaw. Facebook has patched a vulnerability in WhatsApp that could be used to launch remote code execution attacks or cause denial-of-service conditions. The stack-based buffer overflow flaw could be exploited by sending a specially-crafted MP4 video file to a targeted user.

Note:

  • While there are no reports of active exploitation, it’s prudent to update your application now. If you’re no longer using the WhatsApp, uninstall it.

Read more in:
threatpost WhatsApp Remote Code Execution Triggered by Videos
Facebook > CVE-2019-11931

Prison Sentence for Man Operating DDoS-for-Hire Scheme. A US District Judge in North Carolina has sentenced an Illinois man to 13 months in prison for “owning, administering, and supporting illegal booter services” that were used to launch distributed denial-of-service (DDoS) attacks. Sergiy Usatyuk was also ordered to pay more than $500,000 in restitution.

Read more in:
U.S. Department of Justice > Former Operator of Illegal Booter Services Sentenced for Conspiracy to Commit Computer Damage and Abuse
The Register > Denial of service kingpin hit with 13 months denial of freedom and a massive bill to pay
regmedia.co.uk > USA v. Sergiy Petrovich Usatyuk (PDF)