Information and Cyber Security News Headline Updated on 15 Feb 2020

Headlines for 15 Feb 2020

GAO Report Enumerates Census Bureau Security Concerns. A Government Accountability Office (GAO) report on the Census Bureau’s preparedness found that the bureau is lagging on some of its goals, including IT system implementation and cybersecurity issues. The report says that the bureau has not met its goal of ensuring that its self-response site can support up to 600,000 users at a time. GAO also notes that the bureau needs to fix cybersecurity issues “in a timely manner,” implement DHS recommendations, and ensure that the privacy of those responding is protected.

Microsoft’s February Updates Include Fix for Zero-day Flaw in Internet Explorer. Microsoft’s monthly security updates include fixes for 99 vulnerabilities in multiple products. Twelve of the flaws are rated critical; of those, one, a remote code execution vulnerability in Internet Explorer, is being actively exploited. Microsoft disclosed the IE vulnerability in January, but a patch was not available until earlier this week.

Adobe February Updates. Adobe’s security updates for February include fixes for 42 vulnerabilities in multiple products. The updates address 21 critical issues in Framemaker and 12 critical flaws in Reader and Acrobat. The updates also fix critical flaws in Flash Player and Experience Manager.

Note:

  • Hey, Adobe and McAfee – it has been at least 8 years since Adobe patches started trying to trick users into installing McAfee software. That practice continues to make both companies look cheap and sleazy – imagine if Ford said, “Every time a Ford car has a defect that requires a recall, we will try to trick you into turning on a satellite radio service.” Is whatever revenue flows on this deal really worth it???
  • Remember the Flash Player EOL date is 12/31/20, so we’re not yet done patching it. The Adobe Creative Cloud application keeps that suite of applications updated, augmenting the enterprise capabilities. Even so, scanning to make sure they are applied is prudent.
  • Tens last month, tens this month, likely tens next month. How deep must the reservoirs be?

US and German Intel Agencies Owned Controlling Stake in Swiss Encryption Device Maker. According to reports in the US, German, and Swiss press, between 1970 and 1993, the US and West German intelligence agencies were secret majority owners of Crypto AG, a Swiss company that made encryption devices. The reports say that the agencies were able to control aspects of Crypto AG’s business, including manipulating algorithms used in the company’s devices so that the agencies could easily decrypt foreign adversaries’ communications. Crypto AG customers included more than 130 national governments. Germany withdrew from the arrangement in 1993; US intelligence bought its stake and remained in control until it sold off Crypto AG’s assets in 2018. The controlling partnership was shielded behind a trust company in Liechtenstein. Bruce Schneier points out that while the story itself is not news, “what is new is the formerly classified documents describing the details” of how the agencies were able to exploit their access to supposedly encrypted information.

Note: As the article points out, this was no longer a secret by the early 1990s, but Crypto AG products were still used by many who weren’t paying attention to relatively low visibility reports. Today, every piece of software used by businesses (especially mobile applications) is a potential “Crypto AG” scenario. Supply chain security has to focus on risk assessment and testing of products and services in use, not just country of origin.

US Justice Department Charges Huawei with Racketeering and Conspiracy. The US Department of Justice (DoJ) has returned a superseding indictment charging China’s Huawei Technologies with racketeering and conspiracy to steal trade secrets. The defendants named in the indictment include Huawei and four subsidiaries. The indictment includes examples of Huawei’s alleged theft of intellectual property from US companies.

Note:

  • Like the Crypto AG item, this is also another “old news” item. Back in 2003 Cisco went public with intellectual property theft claims against Huawei and later settled a lawsuit. Trade wars between countries raise the press visibility of these issues, but the supply chain risk doesn’t change – accurate assessments and monitoring are needed.
  • In his recent book, Hamilton, the author Ron Chernow noted that the US became an industrial power, in part, by stealing intellectual property and suborning talent from England. While free trade is the preferred way to redress inequities among nations, theft of IP is to be preferred to armed conflict.

Mozilla Updates. Mozilla has released updated versions of Firefox, Firefox ESR, and Thunderbird. Firefox 73 includes fixes for six vulnerabilities; Firefox ESR 68.5 includes fixes for five vulnerabilities; and Thunderbird 68.5 includes fixes for four vulnerabilities.

Note: Your enterprise may already be pushing out these updates. If not, leverage slipstreaming them in with the February Microsoft and Adobe updates you’re already deploying.

Fix Available for Critical Flaw in GDPR Cookie Consent WordPress Plugin. The developers of the GDPR Cookie Consent plugin for WordPress have released an updated version to address a critical flaw. The vulnerability could be exploited to alter website content or to inject malicious JavaScript code. As its name suggests, the plugin is designed to help websites comply with the EU’s General Data Protection Regulation (GDPR); the plugin is estimated to be in use on more than 700,000 websites.

Note: While your WordPress site will detect out-of-date plugins, updating them automatically requires additional software or a plugin. If you’re manually checking and updating, put a reminder on your calendar; don’t wait to find out you have a problem the hard way.

Malicious Extensions Pulled from Google Chrome Store. Google has pulled more than 500 malicious extensions from its Web Store. The extensions redirected users to potentially malicious sites and harvested users’ personal information.

Note: If you have one of these extensions installed, it will automatically be disabled and marked as malicious. Extensions so marked should be uninstalled.

MIT Researchers Detail Mobile Voting App’s Flaws. In a paper released earlier this week, researchers from the Massachusetts Institute of Technology (MIT) say that the Voatz mobile voting app, which has been used in several US states to allow voters overseas to cast their ballots, contains worrisome security shortcomings. The flaws could be exploited to view data being transmitted from the app, to alter users’ votes, and to impersonate a user’s mobile phone. In addition, Voatz does not use blockchain to secure votes in the way its makers say it does. Voatz responded to the paper’s findings, noting in a blog post that the researchers based their conclusions on an outdated version of the app and that the researchers did not connect to the Voatz servers.

xHelper Android Malware is Vexingly Persistent. Android malware known as xHelper reinfects devices even after factory resets. The malware dropper Trojan was first noticed last spring. Theories that the reinfections came from pre-installed malware or from the Google Play store were disproven. Researchers at Malwarebytes, along with a savvy Android user, discovered that the reinfection came from folders that were not removed even after a factory reset. Malwarebytes has instructions for removing the folders.

Note:

  • In short, the malware dropper hangs out in hidden directories that are not removed during a factory wipe and leverages Google Play to reinstall itself. The Malwarebytes article has steps for finding and removing the files. As the dropper uninstalls itself after setting up the processes for installing the malware, your MDM is unlikely to detect it.
  • It seems unlikely that most, or even many, Android users will even know about xHelper, much less do anything about it. One accepts that geeks can manage the security of Android devices. One should not give them to children, the elderly, or the otherwise naive.

Car Mobile Apps Not Always Reset After Vehicles Are Rented or Resold. A man who leased a car from Ford between 2013 and 2016 discovered that he still had access to the vehicle’s controls through the mobile app more than three years later. Another man has twice rented cars and found that he could still access the controls for the vehicles months after he had returned them.

Note:

  • The same is true for many of those smart TVs in hotels, but especially in Airbnbs and other consumer grade lodging that employees and executives might be using on travel. Good to use this item as an updated warning in awareness campaigns.
  • When selling or turning in your personal vehicle, it is prudent to factory reset the mobile apps, including any phonebook information which has been downloaded. When purchasing a vehicle, make sure you are the only one with access to the online management features, which may require dealer support to verify. Current rental car agreements also advise consumers to reset the information prior to turning in the vehicle. In any case, it’s prudent to make sure the vehicle doesn’t contain prior data before connecting your devices.

Mobile World Congress Tech Show Cancelled Over Coronavirus Worries. The Mobile World Congress tech show, which was scheduled to be held February 24-27 in Barcelona, Spain, has been cancelled due to concerns about the coronavirus. The decision to cancel the conference was made after a number of high-profile vendors announced they would not attend.

Ransomware Targets Texas City and School District. A city and school district in Texas have been hit with ransomware. Computers belonging to the city of Garrison became infected on February 10; Garrison’s mayor says the city has recovered from the attack and is operating as usual as of February 13. Computers at the Nacogdoches Independent School District became infected on February 11; the district is still working to recover access to its data. The city and the school district are about 20 miles apart and do not share a computer system. Officials are investigating whether the two attacks are related.

Read more in: Texas attack: Garrison, Nacogdoches schools hit with ransomware

Florida County Election System Infected with Ransomware in 2016. Palm Beach County (Florida) election supervisor Wendy Sartory Link said that computers at the county’s election office became infected with ransomware shortly before the 2016 US general election. Link, who became election supervisor in January 2019, learned of the incident during a conversation with the office’s acting IT director.

North Miami Beach Police Systems Hit with Ransomware. Hackers have targeted computers belonging to the North Miami Beach (Florida) Police Department with ransomware. The police department’s IT staff shut down affected machines to curtail the malware’s spread and have alerted the FBI and the Secret Service.

Note: Remember that, while the decision as to how to deal with a “ransomware” attack is a business decision, ensuring that the decision is made prior to the attack is a responsibility of security staff.

Headlines for 11 Feb 2020

GAO Report Finds CISA’s Election Security Strategy Has Not Been Finalized. In January 2017, the US Department of Homeland Security (DHS) designated state and local election infrastructure used in federal elections as a component of the country’s overall critical infrastructure. The designation allows DHS to provide state and local election officials with help to protect assets, which include voter registration databases and voting equipment. A report from the Government Accountability Office (GAO) found that DHS’s Cybersecurity and Infrastructure Security Agency (CISA) “has not yet completed its strategic and operations plans to help state and local officials safeguard the 2020 elections or documented how it will address prior challenges.” The report urges CISA to finalize its strategic plan.

Note:

  • While not the end of the world, there is no time for local agencies to implement strategic measures prior to the election. CISA needs to quickly publish prioritized tactical guidance that can be implemented through the rest of this election year.
  • This is not that damning a report, but with the primaries underway and the Presidential election less than 9 months away, I’d say no more time for strategic plans: the focus should be on prioritizing which fires to put out first.

State Election Officials More Accepting of Federal Help. US State election officials are more willing to accept help from the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) than they were in the past. Officials were initially resistant to having their election systems designated as critical infrastructure, but have come to see that information and support provided by CISA can help them proactively secure their election infrastructure. CISA director Christopher Krebs said that two conference calls in January regarding potential cyberthreats from Iranian hackers had 1,700 and 5,900 dial-ins, respectively.

Read more in: Once wary of feds, state election leaders now welcome help

Maryland Jurisdictions Will Not Use Problematic Reporting Network in Upcoming Elections. During a special district primary in Maryland last week, a network designed to send voter information to state officials was shut down because it was causing delays at polling places. Elections officials say they will not require jurisdictions to use the network in the upcoming primary election in April or in the November general election.

Iowa Caucus Reporting App Security Examined. ProPublica asked security firm Veracode to review code in the caucus tally reporting app used in Iowa last week. The company found security issues it deemed “elementary.” The flaws could be exploited to intercept and alter data, including passwords and vote tallies.

Note: The app vendor’s CEO says the reporting app “…underwent multiple, rigorous tests by a third party” but Veracode says the flaws they found were “elementary.” The standard advice for mission-sensitive software requires the vendor to show evidence of third-party testing of the software – important to have full transparency about the qualifications of who did the testing.

Read more in: The Iowa Caucuses App Had Another Problem: It Could Have Been Hacked

Chrome Will Block Unsecure Downloads. Over the course of 2020, Google’s Chrome browser will block all HTTP downloads started on HTTPS pages, also known as mixed content. Chrome 81, scheduled for release in March 2020, will print console warnings about mixed content. Over the following months, in Chrome 82 through Chrome 85, the browser will warn about and then block mixed content downloads of executables, archives, disk images, images, audio, video, and text. Chrome 86, scheduled for release in October 2020, will block all mixed content downloads.

Note:

  • When we first started using HTTPS, the overhead was such that we limited it to secure operations only. Now current software and hardware make the overhead negligible and all content should be delivered over secure connections.
  • Google has a lot of resources, and applying them to make the Chrome browser more restrictive on unsecure downloads is a good thing. However, I’d really like to see more Google posts about improvements in pre-release security and privacy testing of apps in Google Play. Google’s Vulnerability Reward Program bug bounty payouts almost doubled from 2018 to 2019, which is kind of like a restaurant saying, “Our volunteer food testers removed twice as many glass shards from our food!” Google’s Play Protect was ranked at or the near the bottom of malware detection by AV-TEST in 2019 – it would be good to see many fewer glass shards in published apps.

Firefox Will Take Step Toward Blocking TLS 1.0 and 1.1. Starting in March 2020, Firefox users will need to intentionally allow connections to websites using TLS 1.0 or 1.1. When users attempt to connect to websites that support only lower versions of TLS, they will see a “Secure Connection Failed” message that offers an option to override and continue to the site.

Note: Browsers negotiate to the highest common denominator, which can mask the presence of less secure connection options. Make sure you’re regularly scanning the encryption settings on your web servers to ensure older, less secure connections are disabled, or monitored and documented where enabled. Monitoring may show that the need to support older, less secure operating systems and browsers is not as significant as thought, or not worth the risk.
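The scan the note above recommends can be done with nothing more than the Python standard library. The example below is added here and is not code from the original article or from Mozilla: for each TLS version it opens a client context pinned to exactly that version and records whether the server completes the handshake, then a separate verdict function separates the deprecated versions (1.0 and 1.1) from the current ones. The host and port are assumptions; the security-level override is needed because current OpenSSL builds refuse to offer TLS 1.0/1.1 at their default level, so without it a scan would report "disabled" for versions the server may still accept.

```python
"""Probe which TLS protocol versions a web server accepts (added example)."""
import socket
import ssl

DEPRECATED = ("TLSv1.0", "TLSv1.1")

# Name shown in the report -> (context pin, string SSLSocket.version() reports)
VERSIONS = {
    "TLSv1.0": (ssl.TLSVersion.TLSv1, "TLSv1"),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, "TLSv1.1"),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, "TLSv1.2"),
    "TLSv1.3": (ssl.TLSVersion.TLSv1_3, "TLSv1.3"),
}


def context_for(version):
    """Client context that offers exactly one protocol version, or None if the
    local OpenSSL cannot speak that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We test protocol support, not server identity, so skip verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level; lower it
        # so the probe genuinely offers the old version to the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: bool} telling which versions the server accepted."""
    results = {}
    for name, (version, reported) in VERSIONS.items():
        ctx = context_for(version)
        if ctx is None:
            results[name] = False
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == reported
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False
    return results


def assess(results):
    """Turn probe output into the finding a scan report needs."""
    accepted = [name for name, ok in results.items() if ok]
    deprecated = [name for name in accepted if name in DEPRECATED]
    return {
        "deprecated_enabled": deprecated,
        "modern_enabled": [name for name in accepted if name not in DEPRECATED],
        "needs_action": bool(deprecated),
    }


if __name__ == "__main__":
    # Hypothetical target; replace with your own server.
    target = "www.example.com"
    print(assess(probe(target)))
```

Run it on a schedule against every externally reachable HTTPS endpoint and treat any `deprecated_enabled` entry as a finding to fix or to document as a monitored exception, which is the distinction the note draws.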

Google’s February Android Updates Include Fix for Critical Bluetooth Vulnerability. Google has published its February security updates for Android. In all, the updates address 25 security issues. One of the flaws addressed in the updates is a critical vulnerability affecting Bluetooth in Android Oreo (8.0 and 8.1) and Pie (9.0) that could be exploited to allow remote code execution with no user interaction. The issue is also present in Android 10, but the effects are somewhat less severe: exploitation could crash vulnerable devices, but would not allow code execution.

Note: One trusts geeks to be able to operate Android safely, even with late availability of patches. It is important to keep Android out of the hands of children, the elderly, and the otherwise naive.

New Emotet Variant Can Spread Through Wi-Fi Networks. A recently-detected variant of Emotet malware has the ability to spread from infected devices to nearby unsecured Wi-Fi networks. From there, it can attempt to infect connected devices. When Emotet first appeared more than five years ago, it was a banking Trojan. Over the years, it has gained the ability to install a variety of malware on infected devices.

Note: The Japanese CERT, JP-CERT, has a great write-up on this malware at www.jpcert.or.jp: [Updated] Alert Regarding Emotet Malware Infection, and they have also released a tool to check for Emotet called EmoCheck; it can be downloaded from the JP-CERT GitHub repository: github.com: JPCERTCC / EmoCheck

US DOJ Announces Charges Against Alleged Chinese Hackers in Equifax Case. A US federal grand jury has returned an indictment charging four members of China’s People’s Liberation Army (PLA) with breaking into Equifax computer systems and stealing data. The breach occurred in 2017 and compromised personal data belonging to nearly 150 million US citizens.

Minebridge Backdoor Used in Attacks Against Financial Sector Firms. A report from FireEye says that since the beginning of 2020, phishing campaigns attempting to spread the Minebridge backdoor have been targeting organizations in the financial sector. The messages contain malicious attachments; if they are opened, macros attempt to install Minebridge. If it is successfully installed on a system, Minebridge can be used to deliver additional malware.

Abandoned Driver Code Lets Hackers Disarm Security Software. Ransomware actors are exploiting a known but unpatched vulnerability in an old and no longer supported Gigabyte motherboard driver to take control of Windows computers and disable security software. The attackers load a driver of their own that kills processes and files related to security products and allows the ransomware to encrypt data without being detected or thwarted.

Rockdale County, GA Ransomware Attack Affects Water Department. Rockdale County, Georgia, is recovering from a ransomware attack that hit its municipal computer systems. County officials have shut down nine servers to contain the infection. The attack has affected the county’s water department and water billing services. Rockdale County was also the target of a ransomware attack in 2017; the county was able to decrypt infected servers at that time.

Read more in: Metro county shuts down 9 servers after ransomware attack on water department

Having Backups May Not Be Sufficient for Ransomware Recovery. While victims of ransomware attacks have successfully restored systems from backups, the ransomware threat landscape is changing. Some attackers now steal data before encrypting files and publish it if the victims refuse to pay the ransom.

Note:

  • Good isolated differential backups remain necessary for recovery. The tactics have changed to add exfiltration to the attack, and this has been seen with Maze, Sodinokibi and Chimera. Some mitigation can come through the use of DLP solutions. The consequences of publishing need to be added to the ransom payment decision process, along with an assessment of the likelihood of future payment demands.
  • If your system is compromised, it is compromised. “Ransomware” is only a way to exploit that. These attacks will continue until the cost of attack exceeds the value of success and the risk of punishment goes up. Only the cost of attack and value of success are in our hands. We must increase the cost of attack roughly ten fold in 2020. Strong authentication, least privilege access control, restrictive policy, end-to-end application layer encryption, and mean time to detection of breaches in hours to days. We must ensure the survivability of our data and its timely recovery. Get on with what we can do.

Read more in: Why you can’t bank on backups to fight ransomware anymore

Headlines for 07 Feb 2020

Coronavirus Cybersecurity Preparedness. The recent Coronavirus (2019-nCoV) outbreak has brought the topic of an epidemic or pandemic impacting businesses from the hypothetical to the possible. With 25,000 infections and counting, it would be a good time to consider the business and cyber impacts of an illness such as this. The primary risks fall into two categories: (1) fraud and other ways criminals take advantage of situations like this, such as fake donation sites, malware and fake news, and (2) business continuity preparedness measures such as remote access capacity review, understanding limitations of biometric authentication, supply chain considerations, emergency communication plan, and plans for business shutdown if appropriate.
Read more in the SANS ISC diary: isc.sans.edu: Network Security Perspective on Coronavirus Preparedness

Note:

  • Fraud and malware related to the Coronavirus is currently seen in Asia. Catastrophic events tend to be used for fraud as news focuses on them and in the US, impeachment and primaries have dominated the news. Expect more virus-related fraud as news media pay more attention to it. And please let us know if you see anything via our contact form: isc.sans.edu/contact.html
  • The Coronavirus introduces an illness which does not yet have a cure, and is resulting in, sometimes unexpected, quarantine and other restrictions which can have a direct business impact. Johannes Ullrich does an excellent job of summarizing things to consider and revisit in your DR plans in the ISC diary entry.

Additional Resources:
Business Pandemic Influenza Planning Checklist (PDF)
Public Health England Response Plan: Pandemic Influenza Response Plan (PDF)

Iowa Caucus Reporting App Problems. A buggy mobile app that was created for Iowa’s Democratic presidential caucuses did not work as hoped. Some precinct leaders had trouble downloading and installing the app, which was designed to let Iowa’s precincts report caucus tallies. The app appears to have recorded the data correctly, but reported only partial counts due to a coding problem in the reporting function. The Nevada State Democratic Party says it will not use the app in its upcoming caucuses. (Please note that the WSJ story is behind a paywall.)

Note:

  • Think of the Iowa caucus primary as that troublesome business unit in your company that is considered a key performer by management and is allowed to do everything just a little bit differently than all the other business units. The security approach here was “rather than make sure this new app is thoroughly tested, we will only release it to the users at the last minute – that way hackers won’t have time to hack it if there are vulnerabilities.” Not only is that always a bad approach to security, it is absolutely the worst approach to take with that business unit that never follows all the policies and procedures everyone else does. This one will make a very good Harvard Business Review case study – next time a business unit is pressuring to subvert the time required to thoroughly test new stuff, just tell management “We will be at risk of an Iowa caucus implosion….”
  • The issues underscore the need for usability and load testing before a wide scale deployment. The plan for the caucus included backup measures, including a number to call as a backup; unfortunately, the number was released widely and was overwhelmed, creating an intentional denial of service.
  • Testing the app was necessary but not sufficient. The deployment of applications must be end-to-end and must include the training and participation of the end users.
  • Another connection between cybersecurity and the Iowa Caucus App is that many Americans, including very senior government policy makers and politicians, perceive the Iowa App debacle as a cybersecurity-related problem or at least something that cybersecurity people should have anticipated and solved. At the same time many software development organizations consider 5 to 15 minute cybersecurity awareness training as sufficient for their software development people.

Read more in:
Election tech was supposed to clean up the Iowa caucus — instead, it may have killed it
The Iowa Caucus Tech Meltdown Is a Warning
Iowa’s Tally-by-App Experiment Fails (paywall)

Fixes Available for Five Flaws in Cisco Discovery Protocol. Cisco has released fixes for five flaws in the Cisco Discovery Protocol (CDP) that could be exploited to execute code remotely or cause denial-of-service conditions. CDP is enabled by default in most Cisco products, which means there are millions of vulnerable devices that need patching.

Note:

  • This is not the first CDP vulnerability; as such, the best mitigation is to disable it explicitly. A notable concern is that the flaws can be used to access other VLANs, possibly allowing access to sensitive traffic such as VoIP or ICS.
  • Cisco has joined Adobe and Microsoft among the infrastructure software providers with routine patches.

Read more in:
Cisco Flaws Put Millions of Workplace Devices at Risk
Critical Cisco ‘CDPwn’ Protocol Flaws Explained: Podcast
Cisco Patches Critical CDP Flaws Affecting Millions of Devices
Cisco Fixes CDP Flaws in Routers, Switches
Five high-level flaws patched in Cisco Discovery Protocol

FBI: DDoS Attack Targeted Voter Registration Website. The FBI issued a Private Industry Notification warning that “a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack.” The website was not adversely affected by the attack because it had established rate-limiting on its DNS servers.

Note: Some attention has been paid to the security of voting equipment, but very little paid to the complex “supply chain,” from registration to voting to tallying to announcing results, etc. The business equivalent is the ordering app being very secure and having DDoS protection but the user sign-up app being vulnerable.
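A PRSD flood looks like many queries for never-before-seen random labels under one zone: every one is a cache miss, so every one reaches the authoritative server, and that is what exhausts it. The example below is added here and is not code from the original article or the FBI notification: it runs detection logic over a constructed, simplified DNS query log ("<epoch> <client_ip> <qname>", a format assumed for illustration), flagging a zone when one time window contains mostly unique names whose leftmost labels have high character entropy, and then replays the same log through a per-client token bucket to show how the rate-limiting that protected the site in the story turns a flood into dropped queries. The thresholds and rate-limit parameters are assumptions.

```python
"""Detecting and rate-limiting a Pseudo Random Subdomain (PRSD) flood (added example)."""
import math
from collections import defaultdict

# Constructed sample log: a normal client (203.0.113.5), two flood clients
# (198.51.100.7 / .8) asking for random labels under vote.example, and one
# unrelated query. All timestamps fall inside one 10-second window.
SAMPLE_LOG = """\
1581724800 203.0.113.5 www.vote.example
1581724801 203.0.113.5 www.vote.example
1581724802 203.0.113.5 api.vote.example
1581724800 198.51.100.7 k3j9x2q1.vote.example
1581724800 198.51.100.7 z8p0mw4r.vote.example
1581724801 198.51.100.7 qa7t1v9c.vote.example
1581724801 198.51.100.7 m2n5b8ry.vote.example
1581724802 198.51.100.7 x0c4l7hd.vote.example
1581724802 198.51.100.7 v6w3s1gk.vote.example
1581724803 198.51.100.7 p9e2f5jt.vote.example
1581724803 198.51.100.7 r4y8u0na.vote.example
1581724804 198.51.100.8 b7h1d6zo.vote.example
1581724804 198.51.100.8 t5k9a3we.vote.example
1581724805 203.0.113.9 mail.other.example
"""


def parse_log(text):
    """Return (timestamp, client, qname) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            records.append((int(ts), client, qname.lower().rstrip(".")))
    return sorted(records)


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label (0 for 'www')."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_prsd(text, window=10, min_queries=8, min_unique_ratio=0.8, min_entropy=2.0):
    """Return {zone: stats} for zones whose traffic in one window looks like PRSD.

    Three signals together: enough queries, nearly all for distinct names
    (cache misses), and leftmost labels that look random rather than like
    www/api/mail. Zones are assumed to be the last two labels.
    """
    buckets = defaultdict(lambda: {"total": 0, "names": set(), "clients": set(), "ent": 0.0})
    for ts, client, qname in parse_log(text):
        labels = qname.split(".")
        zone = ".".join(labels[-2:])
        leftmost = labels[0] if len(labels) > 2 else ""
        b = buckets[(zone, ts - ts % window)]
        b["total"] += 1
        b["names"].add(qname)
        b["clients"].add(client)
        b["ent"] += label_entropy(leftmost)
    alerts = {}
    for (zone, start), b in buckets.items():
        unique_ratio = len(b["names"]) / b["total"]
        mean_entropy = b["ent"] / b["total"]
        if b["total"] >= min_queries and unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            alerts[zone] = {"window_start": start, "total": b["total"],
                            "unique_names": len(b["names"]),
                            "clients": sorted(b["clients"]),
                            "mean_entropy": round(mean_entropy, 2)}
    return alerts


class TokenBucket:
    """Per-client limiter: up to `burst` queries at once, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # client -> (tokens, last_timestamp)

    def allow(self, client, ts):
        tokens, last = self.state.get(client, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1:
            self.state[client] = (tokens - 1, ts)
            return True
        self.state[client] = (tokens, ts)
        return False


def rate_limit(text, rate=0.5, burst=4):
    """Replay the log through the limiter; return (allowed, dropped) counts."""
    limiter = TokenBucket(rate, burst)
    allowed = dropped = 0
    for ts, client, _ in parse_log(text):
        if limiter.allow(client, ts):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped
```

On the sample, `detect_prsd` flags only vote.example (13 queries, 12 distinct names, mean label entropy about 2.43 bits), and `rate_limit` drops three of the flood client's queries while every normal client is untouched. Real resolvers spread the flood across many source addresses, which is why production rate limiting is usually applied per zone or per query pattern as well as per client; the detector here keys on the zone for that reason.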

Read more in:
FBI warns of DDoS attack on state-level voter registration website
FBI Warns of DDoS Attack on State Voter Registration Site

Critical RCE Flaw in OpenSMTPD Patched. A critical flaw in OpenSMTPD version 6.6 could be exploited to allow remote code execution. The vulnerability is due to improperly sanitized user input that could allow local attackers to gain elevated privileges. Users are being urged to upgrade to OpenSMTPD version 6.6.2p1.

Note:

  • This is a “must patch now” vulnerability (emergency priority) for anybody using OpenBSD with OpenSMTPD. OpenSMTPD is not very popular, and as far as I can tell used only on OpenBSD systems. But OpenBSD, due to its reputation as a secure operating system, is often used for critical systems like security devices and firewalls. The vulnerability is trivial to exploit, and likely already exploited.
  • Exploitation of this flaw harkens back to the Morris Worm. A properly crafted message can be sent which causes the message body to be executed with the privileges of the SMTP daemon. Vulnerable daemons can be detected by vulnerability scanners; the best mitigation is to apply the update.
  • The modern “stack” makes it difficult to fully vet input at the application layer. It is essential that every layer also parse its input.

Read more in:
Critical flaw in OpenSMTPD found, patched
OpenSMTPD 6.6.2p1 portable release

Health Share of Oregon Medicaid Data Compromised. A laptop stolen from a third-party vendor has exposed data belonging to patients of Health Share of Oregon, a Medicaid coordinated care organization. The compromised information includes names, dates of birth, Social Security numbers (SSNs) and Medicaid ID numbers.

Note: It has always been dangerous to store sensitive data on portable devices. The speed and ubiquity of the modern “cloud” (storage, connectivity, and software) makes it not only unnecessary but reckless to do so.

Read more in:
Health Share of Oregon discloses data breach, theft of member PII
Health Share Oregon Announces Security Incident and Data Leak

Cryptomining Malware Found on DOD Network. A researcher participating in a US Department of Defense (DOD) bug bounty program found cryptocurrency mining malware on a DOD-related server, which was being used as part of a cryptocurrency mining botnet. The initial bug report was made regarding a misconfigured Jenkins automation server that could be accessed without credentials. DOD fixed that problem, but when the researcher who made the report looked at his findings more closely, he determined that the server had been compromised before he detected the misconfiguration issue.

Note: It is easy to focus on a single issue and miss other indications of compromise, particularly with pressure to return services to operational status rapidly. Regular scanning and monitoring for indicators can provide a backup for when this happens.

Read more in: Bug hunter finds cryptocurrency-mining botnet on DOD network

NHS Missed Windows 10 Migration Target. The UK’s National Health Service (NHS) has about half a million computers that are still running Windows 7, despite the organization’s plan to migrate all computers to Windows 10 by January 14, 2020. Microsoft ended support for Windows 7 last month.

Read more in: Windows 10 migration struggles: 500,000 NHS computers are still running Windows 7

Coronavirus Concerns Prompt Companies to Pull Out of Tech Shows, Revise Sales Forecasts. LG has decided not to attend the Mobile World Congress (MWC) technology show in Barcelona due to concerns about coronavirus. ZTE has cancelled a planned press conference at the show, which opens on February 24, but still plans to host a booth. A Chinese company that manufactures iPhones has cut its sales forecast due to the coronavirus outbreak.

Read more in: Coronavirus: LG pulls out of Mobile World Congress

Fondren Orthopedic Patient Data Compromised. A Texas orthopedic practice has started notifying its patients that a malware infection compromised their healthcare information. Fondren Orthopedic Group experienced a cybersecurity incident in November 2019. In a letter to its patients, Fondren said that the incident damaged medical records belonging to more than 34,000 patients; some of the records are beyond recovery.

Read more in:
Malware Destroys Data of 30,000 Fondren Orthopedic Patients
Malware attacks destroy Fondren Orthopedic Group patient records
Notice of Data Incident

University of Maastricht Paid Ransom. The University of Maastricht in the Netherlands says that it paid a 30-bitcoin (US $292,000) ransom to regain access to its computer systems following a December 24, 2019 ransomware attack.

Read more in:
University of Maastricht Paid 30 Bitcoins to Ransomware Attackers
University of Maastricht says it paid hackers 200,000-euro ransom

Baton Rouge Vocational School Ransomware Attack. The computer system at ITI Technical College in Baton Rouge, Louisiana was hit with a ransomware attack in late January. The college’s vice president said that the school did not plan to pay the ransom. IT staff have isolated affected systems and are bringing cleared elements back online gradually.

Read more in:
ITI Technical College latest victim of ransomware attacks
Cyberattack Disrupts Baton Rouge, La., College Ahead of Finals

NIST Draft Ransomware Guidelines. The US National Institute of Standards and Technology (NIST) has published two draft practice guidelines regarding ransomware. NIST is accepting public comments on Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events through February 26, 2020.

Note: The time allowed for public comment on NIST publications seems to be disproportionate to their size and importance. Few of us are sitting around with time on our hands just waiting to work full time for a month on their latest effort. We should admit that we are only giving lip-service to the idea of “public comment.”

Read more in:
NIST Drafts Guidelines for Coping With Ransomware
Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

The headline on 04 Feb 2020

Hackers are Hijacking Vulnerable Smart Building Access Systems to Launch DDoS Attacks. Attackers are hijacking vulnerable smart building access systems and using them to launch distributed denial-of-service (DDoS) attacks. There has been increased scanning for Nortek Security & Control (NSC) Linear eMerge E3 systems that are vulnerable to a known critical command injection flaw.

Note: Back in late 2013, SANS held an Internet of Things Security Summit where we pointed out smart building systems as the most likely future attack path for real business damage, vs. other attacks. The growth of commercial real estate being developed with wired and wireless networks built-in, and with elevator and HVAC systems on the network with remote access to all those systems, means many companies are putting their internal systems onto building networks that are quite often run at very low levels of security hygiene.

Read more in:
Linear eMerge E3 Access Controller Actively Being Exploited
Attackers Actively Targeting Flaw in Door-Access Controllers
Attackers Exploit Security Flaws in Smart Building Systems
Hackers are hijacking smart building access systems to launch DDoS attacks

Pentagon Releases Cybersecurity Maturity Model Certification Standard. The US Defense Department (DoD) has released the Cybersecurity Maturity Model Certification version 1.0. The framework describes the cybersecurity standards that DoD contractors must meet if they want to win contracts. CMMC will be applied to some contracts starting later this year; by 2026, all DoD contracts are expected to include CMMC.

Read more in:
Pentagon finalizes CMMC standard for contractors
DoD to Require Cybersecurity Certification From Defense Contractors
Pentagon issues long-awaited cyber framework for the Defense industry
Pentagon finalizes first set of cyber standards for contractors
Cybersecurity Maturity Model Certification (CMMC) (PDF)

EKANS Ransomware Also Kills ICS Processes. The ransomware known as EKANS not only encrypts data on infected systems, it also interrupts Industrial Control Systems (ICS) applications. Before encrypting data, EKANS kills 64 different ICS processes named in a static list. Some versions of MegaCortex ransomware target the same list of ICS processes.

Note: Given the frequency and success of “Ransomware” attacks, we must increase the cost of attack and improve our resilience in the face of such attacks. It is a myth that the advantage is always to the attacker. We can get a ten-fold increase in the cost of attack for a relatively small increase in one’s cost of security. Keep in mind that most of these victims are targets of opportunity. One does not have to “outrun the bear.”

Read more in:
EKANS Ransomware and ICS Operations
Mysterious New Ransomware Targets Industrial Control Systems
New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure
EKANS Ransomware Raises Industrial-Control Worries
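The defining behaviour described above is a static list of ICS process names that EKANS terminates before encrypting. A detection that keys on that behaviour rather than on the binary is to alert when one process terminates several watchlisted processes within a short window. The script below is an added example, not code from the page or from any of the linked reports; the watchlist names, the event format and the sample events are all placeholders constructed for the example (the real EKANS list has 64 entries and is not reproduced here), and the process-termination telemetry is assumed to come from an EDR that records which process killed which.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder watchlist of process names the operator wants protected. Illustrative
# names for this example, not EKANS's actual kill list; populate it from the vendor
# documentation for your own HMI, historian and OPC software.
ICS_WATCHLIST = {
    "historian.exe", "hmi_runtime.exe", "opcserver.exe",
    "plc_gateway.exe", "scada_svc.exe", "backup_agent.exe",
}
WINDOW = timedelta(seconds=60)   # how quickly the kills must occur
THRESHOLD = 3                    # distinct watchlisted targets before alerting


def parse_event(line):
    """Constructed EDR-style record: ISO8601 time,actor_pid,actor_image,target_image."""
    ts, pid, actor, target = (field.strip() for field in line.split(","))
    return datetime.fromisoformat(ts), int(pid), actor.lower(), target.lower()


def detect_mass_kill(lines, watchlist=ICS_WATCHLIST, window=WINDOW, threshold=THRESHOLD):
    """Alert on any actor that terminates `threshold` distinct watchlisted processes within `window`."""
    by_actor = defaultdict(list)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, pid, actor, target = parse_event(line)
        if target in watchlist:
            by_actor[(pid, actor)].append((ts, target))

    alerts = []
    for (pid, actor), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {t for ts, t in events[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts.append({"pid": pid, "image": actor, "first_kill": start,
                               "targets": sorted(in_window)})
                break   # one alert per actor is enough
    return alerts


# Constructed termination events: routine admin activity, then an unknown binary
# sweeping through the watchlist within seconds, then an unrelated single stop.
SAMPLE_EVENTS = """\
# time,actor_pid,actor_image,target_image
2020-02-01T03:10:00,1200,taskmgr.exe,notepad.exe
2020-02-01T03:10:05,4404,update.exe,historian.exe
2020-02-01T03:10:06,4404,update.exe,hmi_runtime.exe
2020-02-01T03:10:06,4404,update.exe,opcserver.exe
2020-02-01T03:10:07,4404,update.exe,backup_agent.exe
2020-02-01T03:40:00,2100,services.exe,scada_svc.exe
"""

if __name__ == "__main__":
    for a in detect_mass_kill(SAMPLE_EVENTS.splitlines()):
        print(f"{a['first_kill']} pid {a['pid']} {a['image']} killed "
              f"{len(a['targets'])} watchlisted processes: {', '.join(a['targets'])}")
```

The threshold keeps a legitimate service restart (one or two stops) below the alert line while a kill-list sweep trips it in seconds; because EKANS and the MegaCortex variants share the same target list, the same rule covers both.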

Maze Ransomware Hits French Construction Company. A French construction company was hit with Maze ransomware on January 30. Bouygues Construction has shut down its network to prevent the ransomware from encrypting additional data. The operators of Maze ransomware have gained a reputation for stealing data from targeted organizations and uploading it if the victims do not pay the ransom.

Read more in:
Bouygues Construction Shuts Down Network to Thwart Maze Ransomware
Maze Ransomware Hits Law Firms and French Giant Bouygues

Tillamook County Will Negotiate with Hackers for Decryption Key. Tillamook (Oregon) County Commissioners have voted unanimously to negotiate with hackers for the decryption key to regain access to the county’s computer systems. Tillamook County systems were infected with ransomware on January 22, 2020.

Note:

  • This case illustrates the factors that have to be balanced: (1) The need for both public and private meetings to keep the public informed, including the appointment of communication officers and selection of communication means; (2) the complexity of a transition from old to new update information systems; (3) getting professional help where needed; and (4) keeping as much business as usual operating smoothly while (5) informing the public of alternate mechanisms for offline components. The complexity shows why a verified, thorough disaster recovery plan is so important.
  • It appears to be the consensus among the NewsBites editors that the decision to pay the ransom is a business, not security, decision. However, the failure to make this decision in advance of an attack is a security decision. There should be accountability.

Read more in:
Cyberattack: County to negotiate for ransomware key
US County’s Computers Still Down Nine Days After Ransomware Attack

City of Racine, Wisconsin, Hit with Ransomware. Computer systems belonging to the city of Racine, Wisconsin were infected with ransomware on January 31. As of February 3, the city’s website, email, and online payment systems were still down. The attack did not affect 911 and public safety systems. Tax collection systems are also operating as usual.

Read more in: Ransomware knocks city of Racine offline

TVEyes Target of Ransomware Attack. Broadcast media monitoring company TVEyes was hit with ransomware early on Thursday, January 30. The company’s CEO said on Friday, January 31 that they had restored servers from backups.

Note:

  • At last, a good news story relating to ransomware and evidence that reliable backups are an effective measure against ransomware.
  • Note that this may only be successful to the extent that one has addressed the vulnerabilities that led to the breach in the first place. We have seen reinfections.

Read more in:
Ransomware hits TV & radio news monitoring service TVEyes
Ransomware hits TV search engine popular among political campaigns

Prosecutors Drop Burglary Charges Against Coalfire Pentesters. Prosecutors in Iowa have dropped burglary charges against two people who broke into a county courthouse after hours as part of a penetration test. The two are employees of Coalfire Labs, which had been hired by Iowa’s State Court Administration to test the security of its IT systems and its buildings. Gary DeMercurio and Justin Wynn were arrested in September 2019 and held for hours before being released on bail. The case illustrates the need for establishing pen-testing best practices.

Note:

  • This is awesome news. An important lesson from this case is that security contractors, and especially penetration testers, have the responsibility to educate their customers on all aspects of authorized permission including specific actions and timing and to ensure a common understanding so that they have the pen tester’s back when something goes awry.
  • The case illustrates the need for well documented and agreed terms of service.

Read more in:
KrebsOnSecurity: Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security
Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped
Charges dropped against Coalfire security team who broke into the courthouse during the pen test
Exonerated: Charges dropped against pen-testers paid to break into Iowa courthouse

Australian Freight Company Suffers Cyberattack. Australian freight and logistics company Toll Group has shut down several of its IT systems to contain the damage from a cybersecurity incident. Toll customers have experienced problems tracking shipments. The company has not released details about the nature of the cyberattack.

Read more in:
Toll stops services after the security breach
‘Cybersecurity incident’ takes its Toll on the Aussie delivery giant as box-tracking boxen yanked offline
Cybersecurity Incident Mars Australian Freight Giant’s Operations

Six Arrested in Connection with Maltese Bank Cyberattack. The UK’s National Crime Agency (NCA) has arrested six people in connection with a cyberattack against Malta’s Bank of Valletta. The suspects allegedly gained access to the bank’s IT systems in February 2019 and made several large transfers totaling €13 million (US $14.4 million). The Bank of Valletta said in May 2019 that it had recovered €10 million (US $11.1 million) of the stolen funds.

Note: Prevention is easier than recovery. That said, early (within hours) reporting of fraudulent transfers to the FBI will greatly improve the chances of recovery. Do you know who to call?

Read more in:
UK Arrests Cyber-Thieves Who Stole Millions from Maltese Bank
A year after Bank of Valletta ‘cyber heist’, cuffs applied as the cash-cleansing case continues
Three suspects arrested in Maltese bank cyber-heist

Raytheon Engineer Arrested for Taking Laptop with Missile Data to China. US federal law enforcement agents have arrested a Raytheon engineer after he took a work laptop containing missile defense systems information to China. Wei Sun has worked at Raytheon since December 2008. In December 2018, Sun traveled abroad with his work laptop in defiance of Raytheon’s exhortations not to bring it on his travels. In January 2019, Sun emailed Raytheon and informed them he was resigning from his position so he could study and work abroad. Sun returned to the US later that month. He initially told Raytheon security officials that he had traveled to Singapore and the Philippines, but eventually admitted that he had traveled to China, Cambodia, and Hong Kong.

Note: Mechanisms to limit sensitive data exposure include specific laptops configured for foreign travel, DLP solutions that limit data storage and access, and location-aware device management which could be used to remotely wipe a device. Even so, the employee is the most critical and most challenging link in the security chain. In support of the human factor, appropriate consequences with visible actions may act as a deterrent.

Read more in:
Raytheon engineer arrested for taking US missile defense data to China
Missile Engineer Arrested After Taking Secret Info to China
First Superseding Indictment (PDF)

Hackers Insert Themselves in eMail Conversation, Steal Payment in Fine Art Sale. The ownership of a 200-year-old painting by British artist John Constable is in question after hackers infiltrated email conversations regarding payment for the artwork. A museum in the Netherlands had agreed to purchase the painting from a British art dealer for £2.4 million ($3.1 million). Hackers sent a spoofed message directing the museum to transfer the payment into a bank account they controlled. Each party blames the other: the museum maintains that the dealer should have known that spoofed messages were sent, while the dealer maintains that the museum should have verified the details of the bank transfer.

Note:

  • Non-routine payments must be verified out of band before paying: “Pick up the telephone.” This is the responsibility of the payer. Transfers should be confirmed out of band; this is the responsibility of the paying agent (usually the bank). The role of reconciling confirmations should be separate from that of authorizing payments in the first place.
  • This is a classic invoice/payment redirection scam, also known as Business Email Compromise. Technical controls such as DMARC, DKIM, and SPF, and also using effective email filtering solutions can help minimize the risk of this type of attack. However, as demonstrated by the blame game in this example, the human factor plays a significant part. Basic manual verification processes can often be the most effective prevention measures. Europol provides some excellent guides on how to protect against scams targeting employees www.europol.europa.eu: Infographic: Fraud Scams Targeting Employees

Read more in:
Hacker snoops on art sale and walks away with $3.1m, victims fight each other in court
Fraudsters Posing as Art Dealer Got Gallery to Pay Millions
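The second note above lists DMARC, DKIM and SPF as the technical controls against this kind of payment-redirection spoof. As an added example, not code from the page, from Europol or from either party in the dispute, the script below shows what a mail gateway or a finance-team mailbox rule can actually check on one message: whether a passing DKIM `d=` or SPF `mailfrom` identifier strictly aligns with the visible From domain (the DMARC alignment test), whether Reply-To points somewhere else, and whether the body announces changed bank details. It reads the receiving MTA's Authentication-Results header rather than re-verifying signatures, so it assumes that header is trustworthy; both messages and every domain in them are constructed for the example. Relaxed (organizational-domain) alignment needs the Public Suffix List and is deliberately left out.

```python
import re
from email import message_from_string, policy, utils


def addr_domain(header_value):
    """Domain of the first address in a header value ('' if none)."""
    _, addr = utils.parseaddr(str(header_value) if header_value else "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_message(raw):
    """Strict DMARC-style alignment check plus two BEC heuristics for one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])

    # Identifiers that passed authentication, as recorded by the receiving MTA (RFC 8601 header).
    auth = str(msg["Authentication-Results"] or "")
    dkim = re.search(r"dkim=pass[^;]*?header\.d=([\w.-]+)", auth)
    spf = re.search(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth)
    dkim_aligned = bool(dkim) and dkim.group(1).lower() == from_dom
    spf_aligned = bool(spf) and spf.group(1).lower() == from_dom

    flags = []
    if not (dkim_aligned or spf_aligned):
        flags.append("no passing DKIM or SPF identifier aligns with the From domain")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if re.search(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|wire)\b", text, re.I | re.S):
        flags.append("body announces changed payment details: confirm by telephone before paying")
    return {"from_domain": from_dom, "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned, "flags": flags}


# Constructed messages; all domains are invented for this example.
SPOOFED_MSG = """\
Authentication-Results: mx.example-museum.nl; spf=pass smtp.mailfrom=bounce@bulk-mailer.example; dkim=pass header.d=bulk-mailer.example; dmarc=none
From: "Example Art Dealer" <accounts@example-dealer.com>
Reply-To: accounts@example-dealer-invoices.com
To: finance@example-museum.nl
Subject: Updated payment instructions
Content-Type: text/plain; charset=utf-8

Please note our new bank account for the invoice; wire the full amount to the details below.
"""

LEGIT_MSG = """\
Authentication-Results: mx.example-museum.nl; spf=pass smtp.mailfrom=accounts@example-dealer.com; dkim=pass header.d=example-dealer.com; dmarc=pass
From: "Example Art Dealer" <accounts@example-dealer.com>
To: finance@example-museum.nl
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Invoice attached; payment terms as previously agreed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGIT_MSG)):
        print(label, assess_message(raw))
```

The spoofed message passes SPF and DKIM, which is why "it authenticated" is not a defence: the passing identifiers belong to the sender's bulk-mail provider, not to the dealer's domain, and that is exactly what alignment catches. Note that a compromised mailbox at the dealer (as opposed to a spoof) would align cleanly, which is why the first note's out-of-band confirmation remains the control that matters.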

NEC Acknowledges December 2016 Breach. Japan’s NEC Corp. has disclosed that its systems were breached in December 2016. The company did not detect the breach until June 2017, when it noticed encrypted traffic being sent from a company server. NEC decrypted the traffic in July 2018 and found that the attackers had exfiltrated data from the company’s defense business division.

Note: Mean time to detection (MTTD) of a breach needs to go from months in 2017 to days in 2020. Many companies that take cybersecurity seriously have or have nearly accomplished that goal. For others, it will never happen because they have not yet established MTTD as a key cybersecurity objective and thus they are not measuring it.

Read more in: Japanese company NEC confirms 2016 security breach

APT34 Targeting US Company Through Spear Phishing eMail. A hacker group with ties to Iran has been sending spear-phishing emails to customers and employees of a company that works with US federal, state, and local governments. The phony messages sent to Westat employees contain malicious Excel spreadsheet attachments. The spreadsheets appear to be blank; if recipients enable macros, the content – a phony job satisfaction survey – appears and malware that installs the TONEDEAF backdoor is downloaded in the background.

Read more in: Iranian Hackers Target U.S. Gov. Vendor With Malware

Some US Emergency Alert Systems Remain Unpatched Years After Fix Released. A vulnerability in certain emergency alert systems (EAS) that was disclosed in 2013 remains unpatched on at least 50 systems across the US. The issue lies in the web interfaces for Monroe/Digital Alert Systems EAS hardware.

Note: These systems are effectively appliances that are configured to accept and forward emergency messages. The challenge with appliance-type systems is not only monitoring them for security vulnerabilities but also having appropriate processes in place, with accountability, to keep them updated and secure.

Read more in: Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable