Information and Cyber Security News Headline Updated on 29 Feb 2020

The headline on 29 Feb 2020

RSA Keynote: ICS Cybersecurity Year in Review: Major Concerns. In an extraordinary keynote address at RSA 2020 yesterday, Rob Lee provided an authoritative review of the attacks and status of defenses in ICS security. His full (50 minute) keynote is on YouTube (see url below). The data are fascinating and provocative. One interesting insight: the vendors of ICS systems (OEMs) are failing to make basic security fixes, resulting in 91% of ICS systems having “common hardware issues beyond the asset owners’ purview.”

GAO: Critical Infrastructure Must Adopt NIST Cyber Framework. According to a report from the Government Accountability Office (GAO), federal agencies that have the lead in protecting critical infrastructure sectors (sector specific agencies, or SSAs) have for the most part not taken adequate steps to ensure that the sectors they oversee have adopted the National Institute of Standards and Security’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity. There are nine SSAs overseeing 16 critical infrastructure sectors. Two SSAs have developed strategies for determining framework adoption in their designated sectors; two others have taken steps toward developing methods. Most of the SSAs have encouraged their sectors to adopt the framework. GAO recommends that NIST develop time frames for completing initiatives, and that the SSAs gather and report on improvements made from framework adoption.

Note: This is urgent. While the SANS Top Twenty are more applicable to the scale of many enterprises, the NIST Cyber Framework is essential for large enterprises that are part of the economic or national security infrastructures.

Hackers Actively Scanning for Microsoft Exchange Server Vulnerability. Attackers are scanning for systems that have not been patched against the Microsoft Exchange Server remote code execution vulnerability that was fixed in Microsoft’s February Patch Tuesday release.

US Collegiate CTF Competition with Large Scholarships and Direct Connection To Jobs Announced at RSA. College students who hope to qualify for internships and jobs in cybersecurity are now eligible for the Cyber FastTrack Capture the Flag (CTF) leading to $2.2 million in scholarships (including several SANS classes and GIAC certifications) and direct internships and jobs with employers seeking top talent. Open to all college students in the U.S. Deadline to register March 22. Actual competition March 26-27. More information: cyber-fasttrack.org

Note: As of this morning, 2,035 students from 464 US colleges have signed up for the first 2020 CTF. Cyber FastTrack is the only way for college students to discover how their skills stack up. Three Cyber FastTrack CTFs are scheduled for 2020 so students can keep moving up the leaderboard.

Fixes Available for Kr00k Vulnerability in Cypress and Broadcom Chips. A flaw in Wi-Fi chips from Cypress Semiconductor and Broadcom could be exploited to decrypt data sent over Wi-Fi networks. The affected chips are used in a range of devices, including iPhones, iPads, Amazon Echos and Kindles, Android devices, and certain Wi-Fi routers. The vulnerability, dubbed Kr00k, lies in the way the chips manage network interruptions: devices could be forced to use encryption keys that are simply a string of zeroes. Most manufacturers have developed fixes for the issue, but it is not known how widely they have been applied.

Criminal Cases Dropped After Evidence Lost in Ransomware Attack. US federal prosecutors dropped 11 narcotics cases after crucial evidence was lost in a ransomware attack on a Florida police department’s network. The Stuart police department experienced a ransomware attack in April 2019. Some data were recovered, but evidence in the cases was lost. Other jurisdictions around the country have also reported losing evidence in ransomware attacks.

Note: Forensic evidence needs to be stored in a read-only fashion, with accompanying digital signatures to indicate tampering, or better still, keep the master copy off-line.

Read more in: Six suspected drug dealers went free after police lost evidence in ransomware attack

New Mexico School District Hit with Ransomware Again. The Gadsden Independent School District in Las Cruces, New Mexico has been hit with ransomware for the second time in seven months. The district reported that its internet and communications systems were offline. It is not clear if the most recent infection is new or a recurrence of the July attack.

Note: The conversation has focused on paying the ransom or not, and in this case the school district has the ability to recover without paying the ransom. The daunting issue of preventing recurrence remains for everyone impacted by ransomware. Technical countermeasures, exercises to reinforce user training, build the foundation.

Read more in: Ryuk ransomware shuts down New Mexico school district a second time

Bretagne Télécom Ransomware Attack. French cloud services provider Bretagne Télécom was hit with a ransomware attack in early January 2020. The company did not pay a ransom and was able to restore its systems from backups. Bretagne Télécom’s CEO said the attackers exploited a Citrix vulnerability for which a patch was not yet available. The attackers did steal some data from Bretagne Télécom, which they uploaded to a website.

Read more in: DoppelPaymer Hacked Bretagne Télécom Using the Citrix ADC Flaw

Chrome Update Addresses 0-day and Other Vulnerabilities. Google’s latest update for the Chrome browser includes fixes for three security issues, one of which is already being actively exploited. All three flaws have been rated high severity. Chrome 80.0.3987.122 is available for Windows, macOS, and Linux.

Note: These flaws are being actively exploited; rapid updates are prudent. I was pleased to find my IT department was already pushing this update when I returned from travel this week.

Zyxel Flaw Affects Firewall Products. A recently disclosed flaw in some Zyxel Network Attached Storage (NAS) products has been found to also affect certain Zyxel firewall products. Zyxel became aware of the vulnerability several weeks ago after a security expert discovered that an exploit for the vulnerability was being sold on a cybercrime forum.

Australian Telcos Will Need to Employ Multi-Factor Authentication Before Porting Mobile Phone Numbers. Telecommunications companies in Australia will have to actively obtain approval from customers before porting a mobile phone number to a new provider. The Australian Communications and Media Authority (ACMA) said the process will require multi-factor authentication, but did not provide additional details. The Australian Communications Consumer Action Network (ACCAN) wants the ACMA to require “highly secure” methods of authentication.

Note: In the US, all mobile carriers give an option to add a PIN onto the phone porting process, which is better than the default security questions used. This should be a minimum recommendation on all executive mobile phones; going to 2FA is even better.

Read more in: ACMA mandates stronger identity checks when porting Australian mobile numbers

Firefox Begins Rolling Out DNS Over HTTPS by Default in US. On Tuesday, February 25, Mozilla announced that “Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users.” Firefox users outside the US can enable DoH by choice in their Network Settings. While Cloudflare is the default encrypted-DNS service in Firefox, users can manually switch to NextDNS or another service of their choice.

Clearview AI Client List Stolen. Facial recognition software company Clearview AI has disclosed that someone gained unauthorized access to its client list, which includes law enforcement agencies. Clearview did not share details of the breach, although the company did say that its servers were not breached. Clearview has made headlines recently for scraping billions of images from social media.

The headline on 27 Feb 2020

Recent news of Linus Torvalds’ disavowal of ZFS, and the loss of support for Docker, cause some to worry about unity in the open source community. Source: TechRadar > Security in the financial industry

More drama over open source licensing: OSI (Open Source Initiative) co-founder Bruce Perens resigned due to his concern that the OSI is “headed toward accepting a license that isn’t freedom respecting”. What really happened? Source: The Register > Bruce Perens quits Open Source Initiative amid row over new data-sharing crypto license: ‘We’ve gone the wrong way with licensing’

How can businesses in the financial industry ensure security with open source components? Source: TechRepublic > Open source: A matter of license and lock-in

The headline on 26 Feb 2020

Coronavirus: More Companies Backing Out of Conferences. AT&T Cybersecurity and Verizon have decided not to attend the RSA Conference in San Francisco this week, citing concerns about the coronavirus. IBM announced its decision not to attend RSA on February 15. The conference is taking place this week as scheduled. Sony and Facebook’s Oculus have pulled out of the Game Developer Conference scheduled for March 16-20 in San Francisco. Coronavirus worries have already caused the cancellation of the World Mobile Congress that was to have taken place in Barcelona February 24-27. Black Hat Asia 2020 has been postponed to fall 2020, and Cisco has cancelled its Cisco Live! Conference that was scheduled to be held in Melbourne, Australia early next month.

Note:

  • The best advice comes from the WHO and CDC regarding the Coronavirus and should be incorporated in making a decision relating to attending or hosting an event.
  • The increasing spread of the Coronavirus is a great opportunity for companies to revise their Business Continuity Plans (BCPs). Too often BCPs focus on the IT aspect of an interruption to business and not on the human element. Getting senior management to understand the impact of large numbers of staff being quarantined or out of work sick can help get the buy-in required for the non-IT element of BCPs. The Irish government has published an excellent guide for companies to deal with an influenza outbreak which can be adapted for use with the Coronavirus www.gov.ie: Business Continuity Planning – Checklist of Preparatory Actions in Responding to an Influenza Outbreak

Median Dwell Time for Breaches is Falling Worldwide. According to the M-Trends 2020 Report, the global median “dwell time” – the time from initial intrusion to detection – fell from 78 days to 56 days in just one year. The report also found that while intrusions are being detected more quickly, they are more often discovered by third parties rather than internally.

Note:

  • More rapid discovery of breaches is moving the bar in the right direction. That external parties are discovering them first is an indication that partnering with an external service can help cover gaps in internal services and could be used with an accompanying build or buy decision for the long-term strategy.
  • It is good to see a downward trend in this statistic, however it is still way too high. The fact that breaches are being discovered by third parties rather than the victims is still a worrisome trend. Preventive controls are essential in cybersecurity, but equally important is having appropriate detection controls in place and effective incident response.

U.S. Department of Defense DISA Breach Exposed PII of 200,000 People. The US Department of Defense’s (DoD’s) Defense Information Systems Agency (DISA) has acknowledged a network breach that compromised the personal information of at least 200,000 individuals. On February 11, 2020, DISA sent letters to the people whose data were compromised, telling them that the breach occurred between May and June 2019. DISA secures and manages White House communications.

Wyden Pushing for Release of ShiftState Voatz Audit Results. US Senator Ron Wyden (D-Oregon) is asking a company that conducted an audit on the Voatz mobile voting app to disclose the results. While ShiftState’s audit gave Voatz “high marks,” researchers at MIT recently published a paper enumerating security concerns present in Voatz. Specifically, Wyden wants to know how many “ShiftState personnel that audited Voatz [have] experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security;” whether ShiftState detected the same flaws the MIT researchers found; and whether the company agrees or disagrees with the MIT findings and why.

Note:

  • Something as critical as voting software should have more public security testing references than just a small company that has been in existence for under two years. Voatz has started up a managed bug bounty program, talking about many of the right things security-wise but anything connected to elections needs to have the talk verified to see if the right actions match the talk.
  • The challenge will be finding a repeatable methodology that adequately tests the security of voting apps irrespective of who performs that assessment. Given the stakes, reconciliation of assessments from multiple sources is appropriate to ensure election integrity.

Read more in: Sen. Wyden Questions ShiftState on Voatz Audit

Car Thieves Disabling OnStar, Replacing Vehicle Computers. In “a recent string of stolen Chevrolet Silverado pickups,” thieves disabled the OnStar anti-theft technology almost immediately, reducing the likelihood of the vehicles’ recovery. Surveillance video has shown how fast the thieves operate – pop the lock, open the hood, change the computer, and disable OnStar tracking.

Man Arrested in Connection with Political Website DDoS Attacks. The FBI has arrested a California man for allegedly launching distributed denial-of-service (DDoS) attacks against the website of a political candidate. The suspect’s wife worked as a campaign staffer for one of the victim’s political opponents.

ISS World Recovering from Malware Attack. Copenhagen-based ISS World says it is recovering from a malware attack that hit its network last week. The facilities management company has more than half a million employees around the world. ISS says it has determined the “root cause” of the problem, but has not said if the malware is ransomware.

Read more in: Facilities Maintenance Firm Recovering from Malware Attack

NRC Health Ransomware Attack. NRC Health, a company that administers patient satisfaction surveys for hospitals across the US, has acknowledged that its systems were hit with a ransomware attack on February 11. The company shut down its “entire environment” to limit the damage. Hospitals have expressed concern about the security of patient data.

Toll Group Working to Recover from Ransomware Attack. Australian freight delivery provider Toll Group is still recovering from a ransomware attack that hit its network in late January. The company has not and does not plan to pay the ransom demand. Toll customers have expressed frustration with delays that resulted from network downtime.

Read more in: Toll Faces Customer Fallout After Cyberattack

The Most Important Open Source Components and Associated Security Issues. The Census Program II “identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities.” The report is the work of the Linux Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH).

Note:

  • The security of software components continues to be a problem. This report focuses in particular on JavaScript Node Package Manager (npm) packages. Over the last year, a number of npm packages have been compromised. If you are using npm (and at this point, there are hardly any organizations that do not), you need to come up with a way to inventory and audit the packages you use. This isn’t easy, and will take time, but is essential just like your hardware inventory.
  • The challenge of open source is determination of how well it has been assessed. A report like this provides an extra data point to accompany your own assessment and validation processes.

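The note above asks for a way to inventory the npm packages an application actually pulls in. The following is an added example, not code from the Census II report, the Linux Foundation or npm: it flattens a package-lock.json into a sorted inventory and flags two things an audit cares about, several versions of the same package and entries with no integrity hash. Both lockfile layouts are handled (lockfileVersion 1 with nested "dependencies", and version 2/3 with a flat "packages" map keyed by node_modules path); the two sample lockfiles are constructed.

```python
"""Flat inventory of npm packages from package-lock.json (added example)."""
import json
from collections import defaultdict

# Constructed sample lockfiles describing the same dependency tree in both layouts.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "app", "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {"version": "1.3.0", "integrity": "sha512-AAA", "dev": False},
        "eslint": {"version": "6.8.0", "dev": True,
                   "dependencies": {"debug": {"version": "4.1.1"}}},
        "debug": {"version": "2.6.9", "integrity": "sha512-BBB"},
    },
})

SAMPLE_LOCK_V2 = json.dumps({
    "name": "app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAA"},
        "node_modules/eslint": {"version": "6.8.0", "dev": True},
        "node_modules/eslint/node_modules/debug": {"version": "4.1.1"},
        "node_modules/debug": {"version": "2.6.9", "integrity": "sha512-BBB"},
    },
})


def inventory(lock_text):
    """Return a sorted list of (name, version, is_dev, has_integrity) tuples."""
    lock = json.loads(lock_text)
    items = set()
    if "packages" in lock:  # lockfileVersion >= 2: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # the root project itself, not a dependency
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = path.split("node_modules/")[-1]
            items.add((name, meta.get("version", "?"),
                       bool(meta.get("dev")), "integrity" in meta))
    else:  # lockfileVersion 1: nested tree under "dependencies"
        def walk(deps):
            for name, meta in deps.items():
                items.add((name, meta.get("version", "?"),
                           bool(meta.get("dev")), "integrity" in meta))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(items)


def findings(inv):
    """Audit signals: one name resolved to several versions (each needs review),
    and entries without an integrity hash (nothing pins the artifact's contents)."""
    versions = defaultdict(set)
    for name, ver, _, _ in inv:
        versions[name].add(ver)
    multi = {n: sorted(v) for n, v in versions.items() if len(v) > 1}
    no_integrity = sorted(f"{n}@{v}" for n, v, _, has in inv if not has)
    return {"multiple_versions": multi, "missing_integrity": no_integrity}


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOCK_V2)
    for name, ver, dev, has_integrity in inv:
        print(f"{name}@{ver}  dev={dev}  integrity={has_integrity}")
    print(findings(inv))
```

Pointed at a real lockfile (`inventory(open("package-lock.json").read())`) the same functions give a starting list that can be diffed between builds and checked against advisories; the inventory is the prerequisite the note describes, not the audit itself.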
Samsung Discloses Data Security Incident. Samsung said that a data security incident last week allowed some users to view other users’ information. The company says the incident was not related to the mysterious “1/1” push notifications some users reported receiving. Those notifications came from the Find My Mobile app even if the users had it disabled.

FBI Touts Passphrases Over Passwords. A Tech Report from the FBI’s Portland, Oregon Field Office encourages people to use passphrases of at least 15 characters rather than passwords, because the longer passphrases are more difficult to crack. The passphrases do not need to contain numbers, special characters, or a combination of upper- and lower-case letters.

Note: NIST 800-63-3 provides guidance which supports this choice. In addition to length, and lack of special characters, password systems need to prevent the use of single dictionary words and words related to the service or person creating the passphrase. Lastly, the ability to manage a banned-words list built from prior incidents and breaches should be considered.

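The FBI advice and the NIST 800-63-3 note above translate into a small set of acceptance rules: a length floor, no composition rules, no single dictionary words, no words tied to the service or the person, and a banned list built from breaches. The function below is an added example of such a check, not the FBI's or NIST's code; the dictionary and banned list are constructed stand-ins for the real corpora an organization would load.

```python
"""Passphrase acceptance check in the spirit of NIST SP 800-63 (added example)."""
import re

MIN_LENGTH = 15  # the FBI's floor; length is the only composition rule

# Constructed stand-ins: a real deployment loads a dictionary and a breach corpus.
DICTIONARY = {"correct", "horse", "battery", "staple", "password",
              "welcome", "unconstitutional"}
BANNED_FROM_BREACHES = {"password123456789", "welcome to the jungle"}


def normalise(s):
    """Lower-case and drop punctuation/spaces so trivial variants compare equal."""
    return re.sub(r"[^a-z0-9]+", "", s.lower())


def check_passphrase(passphrase, username="", service=""):
    """Return the list of reasons the passphrase is rejected (empty = accepted)."""
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    norm = normalise(passphrase)

    # Banned list from prior incidents and breaches, compared after normalisation.
    if norm in {normalise(w) for w in BANNED_FROM_BREACHES}:
        reasons.append("appears in breach-derived banned list")

    # A single dictionary word, even a long one or with digits tacked on, is still
    # a dictionary attack away from being guessed.
    if re.sub(r"\d+$", "", norm) in DICTIONARY:
        reasons.append("single dictionary word")

    # Words related to the service or the person choosing the passphrase.
    for label, token in (("username", username), ("service", service)):
        t = normalise(token)
        if len(t) >= 4 and t in norm:
            reasons.append(f"contains the {label} '{token}'")

    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3",
                      "welcome to the jungle!", "Unconstitutional2020"):
        verdict = check_passphrase(candidate, username="alice", service="ExampleBank")
        print(f"{candidate!r}: {'accepted' if not verdict else verdict}")
```

The deliberate omission is any rule about digits, symbols or case: a 28-character four-word phrase passes while an 11-character "complex" one fails on length alone, which is the point both the FBI report and 800-63 make.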
Zyxel Provides Fix for Zero-day Vulnerability in NAS Devices. Zyxel, which makes networking devices, has released a fix for a remote code execution vulnerability affecting some of its Network Attached Storage (NAS) products. Zyxel learned of the issue nearly two weeks ago, when KrebsOnSecurity notified the company that directions for exploiting the flaw were being offered for sale online. Some of the products affected by the vulnerability are no longer supported.

The headline on 22 Feb 2020

US Natural Gas Pipeline Operator Hit with Ransomware. According to an advisory from the US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), networks at a natural gas compression facility were infected with ransomware. The incident is believed to be the same one reported by the US Coast Guard in December 2019. The initial vector of attack was a phishing email; the malware then made its way from an office computer through the IT network to the operational technology (OT) network.

Note:

  • Network isolation often includes the need to interact with and transfer data to other non-isolated systems. Using a trusted gateway or one-way link reduces the risks, and data transfer processes still need active anti-malware protections.
  • One should not pass up an opportunity to remind management that e-mail (and browsing) should be isolated from mission-critical applications. We cannot tolerate a situation where the cost of compromise of the enterprise is equal to that of social engineering any one of many users. Consider a combination of strong authentication, restrictive (as opposed to promiscuous or permissive) access control policy, and end-to-end application-layer encryption.

Citrix Says Hackers Had Access to its Networks for Five Months. Hackers maintained an “intermittent” presence inside Citrix networks for five months, according to a February 10, 2020, letter the company sent to users affected by the breach. Between October 13, 2018 and March 8, 2019, the hackers stole data belonging to employees, contractors, interns, and job candidates. Citrix first learned of the breach in March 2019, when the FBI notified the company that hackers had likely accessed the company’s internal network. The FBI told Citrix that the intruders may have used “password spraying” attacks to gain access.

Note:

  • As Citrix is often deployed at the perimeter to provide a virtual desktop on the corporate network, like VPN servers, it is a prime target of attack, and warrants similar monitoring and security oversight. Be sure to apply Citrix’s recently released patch for CVE-2019-19781.
  • I guess whoever wrote the Citrix letter has never tried to sell a house where the real estate listing said “Termites had intermittent access to the structure…

Read more in: Hackers Were Inside Citrix for Five Months
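The FBI's "password spraying" description above has a recognisable shape in authentication logs: one source tries many different usernames a few times each, which is the opposite of classic brute force (one account, many tries) and slips under per-account lockout. The detector below is an added example, not Citrix's or the FBI's code; the log format (timestamp, source IP, username, result) and the log lines are constructed, and the thresholds are starting points to tune.

```python
"""Password-spraying detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spraying source, one brute-force source, one normal login.
SAMPLE_LOG = """\
2019-01-14T02:00:01Z 203.0.113.7 alice FAIL
2019-01-14T02:00:03Z 203.0.113.7 bob FAIL
2019-01-14T02:00:05Z 203.0.113.7 carol FAIL
2019-01-14T02:00:07Z 203.0.113.7 dave FAIL
2019-01-14T02:00:09Z 203.0.113.7 erin FAIL
2019-01-14T02:00:11Z 203.0.113.7 frank OK
2019-01-14T02:00:15Z 198.51.100.9 alice FAIL
2019-01-14T02:00:16Z 198.51.100.9 alice FAIL
2019-01-14T02:00:17Z 198.51.100.9 alice FAIL
2019-01-14T02:00:18Z 198.51.100.9 alice FAIL
2019-01-14T02:00:19Z 198.51.100.9 alice FAIL
2019-01-14T02:00:20Z 198.51.100.9 alice FAIL
2019-01-14T03:30:00Z 192.0.2.5 grace OK
"""


def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "OK"


def detect_spraying(log_text, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {source: finding}. A 'spray' is many distinct users with few failures
    each inside the window; 'brute_force' is any user failing more than max_per_user.
    Successful logins from the same source during the window are listed because a
    success in the middle of a spray is the event that needs a human to look at it."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):  # sliding window over this source
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for _, user, ok in in_window:
                if not ok:
                    per_user[user] += 1
            if not per_user:
                continue
            users, peak = len(per_user), max(per_user.values())
            if users >= min_users and peak <= max_per_user:
                kind = "spray"
            elif peak > max_per_user:
                kind = "brute_force"
            else:
                continue
            findings[src] = {
                "kind": kind,
                "distinct_users": users,
                "max_attempts_per_user": peak,
                "successes": sorted({u for _, u, ok in in_window if ok}),
            }
            break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for src, f in detect_spraying(SAMPLE_LOG).items():
        print(src, f)
```

Because each account sees only one failure, a per-account lockout never fires here; correlating by source (or, behind NAT or a VPN concentrator, by source plus user-agent) is what makes the pattern visible, and the "successes" list is what turns the alert into a response ticket.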

Ring Now Requires 2FA. Ring now requires all users of its camera doorbell products to use two-factor authentication (2FA) when signing into their accounts. Previously, 2FA was optional. The decision follows reports of serious security issues, including not alerting users of failed login attempts and not limiting the number of login attempts.

Note:

  • Good move by Ring (and maybe a bit overdue). It looks like the public pressure caused by several news items about compromised accounts got to them. Google recently implemented similar measures for its Nest devices.
  • All movement away from reliance on reusable passwords is good movement, though not security nirvana. But, millions of consumers are being nudged towards increased use of multi-factor authentication – a good reason to try to make the same progress on enterprise user logins as a key element in fighting phishing attacks.
  • Enable 2FA on all services which offer it. Make it a habit to check periodically on services that didn’t offer it previously to see if offered, and enable it. Also review trusted devices allowed to access the service without 2FA. Set up login alerts, if supported, for visibility into account accesses.
  • Consumers are not nearly as resistant to strong authentication as enterprises are, and as enterprise management seems to believe everyone is. The use of reusable passwords must be restricted to trivial applications (or applications where fraudulent use will be immediately obvious.) “Convenience” is no longer sufficient justification. (In many applications and environments, one-time passwords are more convenient than mandated periodic changes.)

Cisco Security Updates Include Fix for Smart Software Manager Static Password Issue. Cisco has released patches to address 17 security issues in several products, including a critical static password flaw in Cisco Smart Software Manager On-Prem. The release also includes fixes for six high-severity vulnerabilities.

Note: This may not be the result of mere error. History suggests that programmers are reluctant to give total control of their product to users and may use static passwords as long-term back doors.

MGM Resorts Acknowledges 2019 Data Breach. MGM Resorts has disclosed that personal information belonging to more than 10.76 million people who stayed at MGM hotels has been posted to an online hacking forum. Attackers gained unauthorized access to a cloud server last summer.

Swiss Government Says Ransomware Poses Threat to Small and Medium Enterprises. The Swiss Government’s Reporting and Analysis Centre for Information Assurance (MELANI) says that “ransomware continues to pose a significant security risk to small and medium enterprises.” MELANI “has dealt with more than a dozen ransomware cases” in the past few weeks alone. MELANI’s analysis of the incidents concluded that most affected organizations did not have adequate IT security and did not adhere to best practices. The alert lists weaknesses that were used as “gateways” for attack: lack of anti-virus software or ignoring or not taking seriously anti-virus warnings; poorly protected remote access procedures; ignoring or not taking seriously notifications from authorities; not maintaining offline backups; ineffective patch and lifecycle management; lack of network segmentation; and excessive user privileges.

Note: I think this report pretty much sums up the current ransomware issue: Ransomware is an indicator of poor security controls and not implementing “best practices”. Just like with other “commodity” malware like crypto coin miners, you should always be watching out for what else took advantage of these missing controls.

US, UK, and Others Blame Russia’s GRU for Republic of Georgia Cyberattacks. The US, the UK, Australia, and a number of EU countries have formally blamed Russia’s military intelligence (GRU) for launching cyberattacks against targets in the Republic of Georgia in October 2019. Thousands of websites were defaced or taken down, and two television stations’ broadcasts were disrupted.

Adobe Issues Out-of-Cycle Fixes for Critical Flaws. Adobe has released two out-of-cycle fixes that could be exploited to allow remote code execution. The affected products are Adobe After Effects and Adobe Media Encoder. Both flaws are out-of-bounds write vulnerabilities.

Note: According to Adobe, these flaws are unlikely to be exploited, but they can lead to arbitrary remote code execution. I don’t think these are “emergency” patches, but they were not released on Adobe’s normal patch Tuesday.

ISS World Suffers Ransomware Attack. Copenhagen-based ISS World has acknowledged that its internal network was hit with ransomware on Monday, February 17. A company spokesperson said ISS World “immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.” ISS World provides facilities management services, such as cleaning and catering; it has 500,000 employees worldwide.

2,000 UK Government Mobile Devices Reported Missing in Span of One Year. Over the past year, more than 2,000 UK government mobile devices, including smartphones, laptops, and external storage devices, have been reported missing. More than 1,800 of the devices are believed to be encrypted, but even one unencrypted device in the hands of the wrong individual could expose sensitive data. At least eight UK government departments say they have never been audited by the Information Commissioner’s Office (ICO); others reported that their last audit was several years ago.

Note:

  • There are about 3M UK central government employees; let’s just assume an average of 1 phone/laptop/storage device per employee, which is probably low. 2,000 lost out of 3M is under 0.1% – a very low number. I think typical average rates for mobile phone losses per year are in the 4% range. 90% of the lost devices having encryption turned on is strong progress from previous years where this same type of report came out in the UK. Enterprises: how do your loss rates and encrypted device percentages compare to the UK government?
  • Current guidance for protecting mobile devices: Both iOS and Android (version 6+) support encryption of the device and can be managed by your MDM (mobile device management software). That will require a passcode to access the device; otherwise it is transparent to the user. Make sure the device passcode strength/option is commensurate with the data protected. Additionally, options exist to sandbox applications with further encryption, but investigate the trade-off between security and usability before rolling them out. Include sending a device wipe in your lost-device reporting processes, along with a good definition of what lost means, including duration.

Read more in: Over 2000 UK Government Devices Go Missing in a Year

Swatting Arrest. A 19-year-old has been arrested in connection with multiple swatting, cyberstalking, and hacking incidents. Tristan Rowe has been charged with cyberstalking and unauthorized access to a computer. Each charge carries a maximum penalty of five years in prison.

Android Linux Kernel Code Changes Introduce New Vulnerabilities. A Google Project Zero researcher says that some smartphone makers are modifying the Android Linux kernel to protect devices from attacks, which can actually introduce new exploitable weaknesses. Jann Horn writes, “I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won’t complicate updates to newer kernel releases.”

Note: While this flaw is specific to Samsung kernel extensions that support their Galaxy A50 devices, and relies on a race condition to exploit, device manufacturers often need to extend Android OS to support their specific hardware. As such, when purchasing a non-Google-provided device, make sure the vendor has a proven track record with security. Samsung has a record of providing security features back to the community, such as their FIPS certified encryption library, and will address this flaw rapidly.

Apple Will Shorten Duration of Certificate Trust in Safari. After September 1, 2020, Apple’s Safari browser will no longer trust HTTPS certificates that have expiration dates more than 13 months, or 398 days, after they were created. Certificates issued before September 1 will be trusted for 27 months, or 825 days, from their creation dates. Apple announced the change at a Certification Authority Browser Forum meeting earlier this week.

Note:

  • No issue if you are using automatic certificate renewals via Let’s Encrypt. However, this is going to get messy for people who are using internal certificate authorities and if you have a lot of certificates to renew for devices that cannot use a simple scripted system to renew certificates. Now may be a good time to look into a good certificate management solution if you haven’t done so.
  • Apple has not yet updated their guidance on certificate trust requirements (support.apple.com: Requirements for trusted certificates in iOS 13 and macOS 10.15). These changes are intended to raise the bar on trustworthiness of sites claiming to be secure. When issuing shorter-lived certificates, support that with automated processes to alert, if not auto renew, to avoid lapses in coverage.

Read more in: Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months
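The two notes above amount to a concrete check any certificate inventory should run: for each certificate, is its validity period within Apple's limit (398 days if issued on or after September 1, 2020, 825 days before that), and is renewal due soon enough to alert on? The script below is an added example, not Apple's or Let's Encrypt's code. Its records use the `notBefore`/`notAfter` string format that `ssl.SSLSocket.getpeercert()` returns, so the same functions can be fed certificates pulled from live endpoints; the four sample certificates are constructed, and one of them sits exactly on the 398-day boundary.

```python
"""Safari certificate-lifetime check and renewal alerting (added example)."""
import ssl
from datetime import datetime, timedelta, timezone

# Apple's rule as reported: issuance on/after this date means a 398-day cap.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_DAYS_NEW = 398
MAX_DAYS_OLD = 825

# Constructed sample inventory in getpeercert() date format ("%b %d %H:%M:%S %Y GMT").
SAMPLE_CERTS = {
    "legacy.example.test": {"notBefore": "Aug 15 00:00:00 2020 GMT",
                            "notAfter": "Aug 15 00:00:00 2022 GMT"},  # 2 years, pre-cutoff
    "long.example.test": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                          "notAfter": "Oct  1 00:00:00 2022 GMT"},    # 2 years, post-cutoff
    "short.example.test": {"notBefore": "Mar  1 00:00:00 2021 GMT",
                           "notAfter": "Mar  1 00:00:00 2022 GMT"},   # 1 year
    "edge.example.test": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                          "notAfter": "Oct  4 00:00:00 2021 GMT"},    # exactly 398 days
}


def _parse(cert_time):
    """getpeercert() date string -> aware UTC datetime (stdlib parser)."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_days(cert):
    return (_parse(cert["notAfter"]) - _parse(cert["notBefore"])).total_seconds() / 86400


def safari_trust_status(cert):
    """Apply the issuance-date-dependent cap and report whether the cert is within it."""
    issued = _parse(cert["notBefore"])
    days = validity_days(cert)
    limit = MAX_DAYS_NEW if issued >= CUTOFF else MAX_DAYS_OLD
    return {"limit_days": limit, "validity_days": round(days, 2), "ok": days <= limit}


def renewals_due(certs, now_iso, lead_days=30):
    """Names whose certificate expires within lead_days of now_iso (YYYY-MM-DD),
    including already-expired ones; this is the list an alerting job would send."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    lead = timedelta(days=lead_days)
    return sorted(name for name, c in certs.items() if _parse(c["notAfter"]) - now <= lead)


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, safari_trust_status(cert))
    print("renew soon:", renewals_due(SAMPLE_CERTS, "2021-09-10"))
```

Feeding live endpoints is a matter of replacing the sample dict with `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()` per host; the shorter the lifetimes get, the more the `renewals_due` list, rather than the trust check, becomes the control that prevents an outage.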

The headline on 15 Feb 2020

GAO Report Enumerates Census Bureau Security Concerns. A Government Accountability Office (GAO) report on the Census Bureau’s preparedness found that the bureau is lagging on some of its goals, including IT system implementation and cybersecurity issues. The report says that the bureau has not met its goal of ensuring that its self-response site can support up to 600,000 users at a time. GAO also notes that the bureau needs to fix cybersecurity issues “in a timely manner,” implement DHS recommendations, and ensure that the privacy of those responding is protected.

Microsoft’s February Updates Include Fix for Zero-day Flaw in Internet Explorer. Microsoft’s monthly security updates include fixes for 99 vulnerabilities in multiple products. Twelve of the flaws are rated critical; of those, one, a remote code execution vulnerability in Internet Explorer, is being actively exploited. Microsoft disclosed the IE vulnerability in January but a patch had not been available until earlier this week.

Adobe February Updates. Adobe’s security updates for February include fixes for 42 vulnerabilities in multiple products. The updates address 21 critical issues in Framemaker and 12 critical flaws in Reader and Acrobat. The updates also fix critical flaws in Flash Player and Experience Manager.

Note:

  • Hey, Adobe and McAfee – it has been at least 8 years since Adobe patches started trying to trick users into installing McAfee software. That practice continues to make both companies look cheap and sleazy – imagine if Ford said, “Every time a Ford car has a defect that requires a recall, we will try to trick you into turning on a satellite radio service.” Is whatever revenue flows on this deal really worth it???
  • Remember the Flash Player EOL date is 12/31/20, so we’re not yet done patching it. The Adobe Creative Cloud application keeps that suite of applications updated, augmenting the enterprise capabilities. Even so, scanning to make sure they are applied is prudent.
  • Tens last month, tens this month, likely tens next month. How deep must the reservoirs be?

Read more in:

US and German Intel Agencies Owned Controlling Stake in Swiss Encryption Device Maker. According to reports in the US, German, and Swiss press, between 1970 and 1993, the US and West German intelligence agencies were secret majority owners of Crypto AG, a Swiss company that made encryption devices. The reports say that the agencies were able to control aspects of Crypto AG’s business, including manipulating algorithms used in the company’s devices so that the agencies could easily decrypt foreign adversaries’ communications. Crypto AG customers included more than 130 national governments. Germany withdrew from the arrangement in 1993; US intelligence bought its stake and remained in control until it sold off Crypto AG’s assets in 2018. The controlling partnership was shielded behind a trust company in Liechtenstein. Bruce Schneier points out that while the story itself is not news, “what is new is the formerly classified documents describing the details” of how the agencies were able to exploit their access to supposedly encrypted information.

Note: As the article points out, this was no longer a secret by the early 1990s, but Crypto AG products were still used by many who weren’t paying attention to relatively low visibility reports. Today, every piece of software used by businesses (especially mobile applications) is a potential “Crypto AG” scenario. Supply chain security has to focus on risk assessment and testing of products and services in use, not just country of origin.

Read more in:

US Justice Department Charges Huawei with Racketeering and Conspiracy. The US Department of Justice (DoJ) has returned a superseding indictment, charging China’s Huawei Technologies with racketeering and conspiracy to steal trade secrets. The defendants named in the indictment include Huawei and four subsidiaries. The indictment includes examples of Huawei’s alleged theft of intellectual property from US companies.

Note:

  • Like the Crypto AG item, this is also another “old news” item. Back in 2003 Cisco went public with intellectual property theft claims against Huawei and later settled a lawsuit. Trade wars between countries raise the press visibility of these issues, but the supply chain risk doesn’t change – accurate assessments and monitoring are needed.
  • In his recent book, Hamilton, the author Ron Chernow noted that the US became an industrial power, in part, by stealing intellectual property and suborning talent from England. While free trade is the preferred way to redress inequities among nations, theft of IP is to be preferred to armed conflict.

Read more in:

Mozilla Updates. Mozilla has released updated versions of Firefox, Firefox ESR, and Thunderbird. Firefox 73 includes fixes for six vulnerabilities; Firefox ESR 68.5 includes fixes for five vulnerabilities; and Thunderbird 68.5 includes fixes for four vulnerabilities.

Note: Your enterprise may already be pushing out these updates. If not, leverage slipstreaming them in with the February Microsoft and Adobe updates you’re already deploying.

Read more in:

Fix Available for Critical Flaw in GDPR Cookie Consent WordPress Plugin. The developers of the GDPR Cookie Consent plugin for WordPress have released an updated version to address a critical flaw. The vulnerability could be exploited to alter website content or to inject malicious JavaScript code. As its name suggests, the plugin is designed to help websites comply with the EU’s General Data Protection Regulation (GDPR); the plugin is estimated to be in use on more than 700,000 websites.

Note: While your WordPress site will detect out-of-date plugins, updating them automatically requires additional software or a plugin. If you’re manually checking and updating, put a reminder on your calendar; don’t wait to find out you have a problem the hard way.

Read more in:

Malicious Extensions Pulled from Google Chrome Store. Google has pulled more than 500 malicious extensions from its Web Store. The extensions redirected users to potentially malicious sites and harvested users’ personal information.

Note: If you have one of these extensions installed, it will automatically be disabled and marked as malicious. Extensions so marked should be uninstalled.

Read more in:

MIT Researchers Detail Mobile Voting App’s Flaws. In a paper released earlier this week, researchers from the Massachusetts Institute of Technology (MIT) say that the Voatz mobile voting app, which has been used in several US states to allow voters overseas to cast their ballots, contains worrisome security shortcomings. The flaws could be exploited to see data being transmitted from the app, alter users’ votes, and impersonate a user’s mobile phone. In addition, Voatz does not use blockchain to secure votes in the way its makers say it does. Voatz responded to the paper’s findings, noting in a blog post that the researchers based their conclusions on an outdated version of the app and that the researchers did not connect to the Voatz servers.

Read more in:

xHelper Android Malware is Vexingly Persistent. Android malware known as xHelper reinfects devices even after factory resets. The malware dropper Trojan was first noticed last spring. Theories that the reinfections came from pre-installed malware or from the Google Play store were disproven. Researchers at Malwarebytes, along with a savvy Android user, discovered that the reinfection came from folders that were not removed even after a factory reset. Malwarebytes has instructions for removing the folders.

Note:

  • In short, the malware dropper hangs out in hidden directories that are not removed during a factory wipe and leverages Google Play to reinstall itself. The Malwarebytes article has steps for finding and removing the files. As the dropper uninstalls itself after setting up the processes for installing the malware, your MDM is unlikely to detect it.
  • It seems unlikely that most, or even many, Android users will even know about xHelper, much less do anything about it. One accepts that geeks can manage the security of Android devices. One should not give them to children, the elderly, or the otherwise naive.

Read more in:

Car Mobile Apps Not Always Reset After Vehicles Are Rented or Resold. A man who leased a car from Ford between 2013 and 2016 discovered that he still had access to the vehicle’s controls through the mobile app more than three years later. Another man has twice rented cars and found that he could still access the controls for the vehicles months after he had returned them.

Note:

  • The same is true for many of those smart TVs in hotels, but especially in Airbnbs and other consumer grade lodging that employees and executives might be using on travel. Good to use this item as an updated warning in awareness campaigns.
  • When selling or turning in your personal vehicle, it is prudent to factory reset the mobile apps, including any phonebook information which has been downloaded. When purchasing a vehicle, make sure you are the only one with access to the online management features, which may require dealer support to verify. Current rental car agreements also advise consumers to reset the information prior to turning in the vehicle. In any case, it’s prudent to make sure the vehicle doesn’t contain prior data before connecting your devices.

Read more in:

Mobile World Congress Tech Show Cancelled Over Coronavirus Worries. The Mobile World Congress tech show, which was scheduled to be held February 24-27 in Barcelona, Spain, has been cancelled due to concerns about the coronavirus. The decision to cancel the conference was made after a number of high-profile vendors announced they would not attend.

Read more in:

Ransomware Targets Texas City and School District. A city and school district in Texas have been hit with ransomware. Computers belonging to the city of Garrison became infected on February 10; Garrison’s mayor says the city has recovered from the attack and is operating as usual as of February 13. Computers at the Nacogdoches Independent School District became infected on February 11; the district is still working to recover access to its data. The city and the school district are about 20 miles apart and do not share a computer system. Officials are investigating whether the two attacks are related.

Read more in: Texas attack: Garrison, Nacogdoches schools hit with ransomware

Florida County Election System Infected with Ransomware in 2016. Palm Beach County (Florida) election supervisor Wendy Sartory Link said that computers at the county’s election office became infected with ransomware shortly before the 2016 US general election. Link, who became election supervisor in January 2019, learned of the incident during a conversation with the office’s acting IT director.

Read more in:

North Miami Beach Police Systems Hit with Ransomware. Hackers have targeted computers belonging to the North Miami Beach (Florida) Police Department with ransomware. The police department’s IT staff shut down affected machines to curtail the malware’s spread and have alerted the FBI and the Secret Service.

Note: Remember that, while the decision as to how to deal with a “ransomware” attack is a business decision, ensuring that the decision is made prior to the attack is a responsibility of security staff.

Read more in:

The headline on 11 Feb 2020

GAO Report Finds CISA’s Election Security Strategy Has Not Been Finalized. In January 2017, the US Department of Homeland Security (DHS) designated state and local election infrastructure used in federal elections as a component of the country’s overall critical infrastructure. The designation allows DHS to provide state and local election officials with help to protect assets, which include voter registration databases and voting equipment. A report from the Government Accountability Office (GAO) found that DHS’s Cybersecurity and Infrastructure Security Agency (CISA) “has not yet completed its strategic and operations plans to help state and local officials safeguard the 2020 elections or documented how it will address prior challenges.” The report urges CISA to finalize its strategic plan.

Note:

  • While not the end of the world, there is no time for local agencies to implement strategic measures prior to the election. CISA needs to quickly publish prioritized tactical guidance that can be implemented through the rest of this election year.
  • This is not that damning a report, but with the primaries underway and the Presidential election less than 9 months away, I’d say no more time for strategic plans: the focus should be on prioritizing which fires to put out first.

Read more in:

State Election Officials More Accepting of Federal Help. US state election officials are more willing to accept help from the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) than they were in the past. Officials were initially resistant to having their election systems designated as critical infrastructure, but have come to see that information and support provided by CISA can help them proactively secure their election infrastructure. CISA director Christopher Krebs said that two conference calls in January regarding potential cyberthreats from Iranian hackers had 1,700 and 5,900 dial-ins, respectively.

Read more in: Once wary of feds, state election leaders now welcome help

Maryland Jurisdictions Will Not Use Problematic Reporting Network in Upcoming Elections. During a special district primary in Maryland last week, a network designed to send voter information to state officials was shut down because it was causing delays at polling places. Elections officials say they will not require jurisdictions to use the network in the upcoming primary election in April or in the November general election.

Read more in:

Iowa Caucus Reporting App Security Examined. Pro Publica asked security firm Veracode to review code in the caucus tally reporting app used in Iowa last week. The company found security issues it deemed “elementary.” The flaws could be exploited to intercept and alter data, including passwords and vote tallies.

Note: The app vendor’s CEO says the reporting app “…underwent multiple, rigorous tests by a third party” but Veracode says the flaws they found were “elementary.” The standard advice for mission-sensitive software requires the vendor to show evidence of third-party testing of the software – important to have full transparency about the qualifications of who did the testing.

Read more in: The Iowa Caucuses App Had Another Problem: It Could Have Been Hacked

Chrome Will Block Unsecure Downloads. Over the course of 2020, Google’s Chrome browser will block all HTTP downloads started on HTTPS pages, also known as mixed content. Chrome 81, scheduled for release in March 2020, will print console warnings about mixed content. Over the following months, in Chrome 82 through Chrome 85, the browser will warn about and then block mixed content downloads of executables, archives, disk images, images, audio, video, and text. Chrome 86, scheduled for release in October 2020, will block all mixed content downloads.

Note:

  • When we first started using HTTPS, the overhead was such that we limited it to secure operations only. Now current software and hardware make the overhead negligible and all content should be delivered over secure connections.
  • Google has a lot of resources, and applying them to make the Chrome browser more restrictive on unsecure downloads is a good thing. However, I’d really like to see more Google posts about improvements in pre-release security and privacy testing of apps in Google Play. Google’s Vulnerability Reward Program bug bounty payouts almost doubled from 2018 to 2019, which is kind of like a restaurant saying, “Our volunteer food testers removed twice as many glass shards from our food!” Google’s Play Protect was ranked at or the near the bottom of malware detection by AV-TEST in 2019 – it would be good to see many fewer glass shards in published apps.

Read more in:
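An added audit script (not Chrome’s code) that lists the anchors on an HTTPS page that would start an HTTP download under the policy described above; the extension table, the page URL and the sample HTML are constructed here, and downloads started by script or by redirects are out of its scope.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed mapping of file extensions to the content classes named in the
# Chrome rollout (executables, archives, disk images, images, audio, video, text).
CATEGORIES = {
    "executable": {".exe", ".msi", ".apk", ".bat", ".ps1"},
    "archive": {".zip", ".7z", ".tar", ".gz", ".rar"},
    "disk image": {".iso", ".dmg", ".img"},
    "image": {".png", ".jpg", ".jpeg", ".gif"},
    "audio": {".mp3", ".wav"},
    "video": {".mp4", ".mkv"},
    "text": {".txt", ".csv"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in CATEGORIES.items() for ext in exts}


class LinkCollector(HTMLParser):
    """Collect (href, has_download_attribute) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if href:
            self.links.append((href, "download" in attrs))


def download_category(url):
    """Category for a URL by file extension, or None when it looks like navigation."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    return EXT_TO_CATEGORY.get(ext)


def find_mixed_downloads(page_url, html):
    """Return the links on an HTTPS page that would start an HTTP download.

    Relative and protocol-relative hrefs inherit https from the page and are
    therefore fine; only absolute http:// links that look like downloads (by
    extension, or because of an explicit download attribute) are reported.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on a secure page
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, forced in collector.links:
        resolved = urljoin(page_url, href)
        if urlsplit(resolved).scheme != "http":
            continue
        category = download_category(resolved)
        if category or forced:
            findings.append({"href": href, "url": resolved,
                             "category": category or "unknown (download attribute)"})
    return findings


# Constructed sample page, hypothetically served from https://www.example.test/downloads
SAMPLE_PAGE_URL = "https://www.example.test/downloads"
SAMPLE_HTML = """
<a href="http://cdn.example.test/tool-1.0.exe">Installer</a>
<a href="//cdn.example.test/tool-1.0.zip">Archive (protocol-relative, stays https)</a>
<a href="files/report.csv">Report (relative, stays https)</a>
<a href="http://cdn.example.test/setup" download>Setup (forced download)</a>
<a href="http://www.example.test/about.html">About (navigation, not a download)</a>
"""

if __name__ == "__main__":
    for finding in find_mixed_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['category']:<30} {finding['url']}")
```

Only the two absolute http:// links are reported for the sample page: the installer by extension and the forced download by its attribute.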

Firefox Will Take Step Toward Blocking TLS 1.0 and 1.1. Starting in March 2020, Firefox users will need to intentionally allow connections to websites using TLS 1.0 or 1.1. When users attempt to connect to websites that support only lower versions of TLS, they will see a “Secure Connection Failed” message that offers an option to override and continue to the site.

Note: Browsers negotiate to the highest common denominator, which can mask the presence of less secure connection options. Make sure you’re regularly scanning the encryption settings on your web servers to ensure older, less secure connections are disabled, or monitored and documented where enabled. Monitoring may show that the need to support older, less secure operating systems and browsers is not as significant as thought, or not worth the risk.

Read more in:

Google’s February Android Updates Include Fix for Critical Bluetooth Vulnerability. Google has published its February security updates for Android. In all, the updates address 25 security issues. One of the flaws addressed in the updates is a critical vulnerability affecting Bluetooth in Android Oreo (8.0 and 8.1) and Pie (9.0) that could be exploited to allow remote code execution with no user interaction. The issue is also present in Android 10, but the effects are somewhat less severe: exploitation could crash vulnerable devices, but would not allow code execution.

Note: One trusts geeks to be able to operate Android safely, even with late availability of patches. It is important to keep Android out of the hands of children, the elderly, and the otherwise naive.

Read more in:

New Emotet Variant Can Spread Through Wi-Fi Networks. A recently-detected variant of Emotet malware has the ability to spread from infected devices to nearby unsecured Wi-Fi networks. From there, it can attempt to infect connected devices. When Emotet first appeared more than five years ago, it was a banking Trojan. Over the years, it has gained the ability to install a variety of malware on infected devices.

Note: The Japanese CERT, JP-CERT, has a great write up on this malware at www.jpcert.or.jp: [Updated] Alert Regarding Emotet Malware Infection, and they have also released a tool to check for Emotet called EmoCheck; it can be downloaded from the JP-CERT GIT Repository: github.com: JPCERTCC / EmoCheck

Read more in:

US DOJ Announces Charges Against Alleged Chinese Hackers in Equifax Case. A US federal grand jury has returned an indictment charging four members of China’s People’s Liberation Army (PLA) with breaking into Equifax computer systems and stealing data. The breach occurred in 2017 and compromised personal data belonging to nearly 150 million US citizens.

Read more in:

Minebridge Backdoor Used in Attacks Against Financial Sector Firms. A report from FireEye says that since the beginning of 2020, phishing campaigns attempting to spread the Minebridge backdoor have been targeting organizations in the financial sector. The messages contain malicious attachments; if they are opened, macros attempt to install Minebridge. If it is successfully installed on a system, Minebridge can be used to deliver additional malware.

Read more in:

Abandoned Driver Code Lets Hackers Disarm Security Software. Ransomware actors are exploiting a known but unpatched vulnerability in an old and no longer supported Gigabyte motherboard driver to take control of Windows computers and disable security software. The attackers load a driver of their own that kills processes and files related to security products and allows the ransomware to encrypt data without being detected or thwarted.

Read more in:

Rockdale County, GA Ransomware Attack Affects Water Department. Rockdale County, Georgia, is recovering from a ransomware attack that hit its municipal computer systems. County officials have shut down nine servers to contain the infection. The attack has affected the county’s water department and water billing services. Rockdale County was also the target of a ransomware attack in 2017; the county was able to decrypt infected servers at that time.

Read more in: Metro county shuts down 9 servers after ransomware attack on water department

Having Backups May Not Be Sufficient for Ransomware Recovery. While victims of ransomware attacks have successfully restored systems from backups, the ransomware threat landscape is changing. Some attackers now steal data before files are encrypted and publish them if the victims refuse to pay the ransom.

Note:

  • Good isolated differential backups remain necessary for recovery. The tactics have changed to add exfiltration to the attack, as has been seen with Maze, Sodinokibi and Chimera. Some mitigation can come through the use of DLP solutions. The consequences of publishing need to be added to the ransom payment decision process, along with an assessment of the likelihood of future payment demands.
  • If your system is compromised, it is compromised. “Ransomware” is only a way to exploit that. These attacks will continue until the cost of attack exceeds the value of success and the risk of punishment goes up. Only the cost of attack and value of success are in our hands. We must increase the cost of attack roughly ten fold in 2020. Strong authentication, least privilege access control, restrictive policy, end-to-end application layer encryption, and mean time to detection of breaches in hours to days. We must ensure the survivability of our data and its timely recovery. Get on with what we can do.

Read more in: Why you can’t bank on backups to fight ransomware anymore

The headline on 07 Feb 2020

Coronavirus Cybersecurity Preparedness. The recent Coronavirus (2019-nCoV) outbreak has brought the topic of an epidemic or pandemic impacting businesses from the hypothetical to the possible. With 25,000 infections and counting, it would be a good time to consider the business and cyber impacts of an illness such as this. The primary risks fall into two categories: (1) fraud and other ways criminals take advantage of situations like this, such as fake donation sites, malware and fake news, and (2) business continuity preparedness measures such as remote access capacity review, understanding limitations of biometric authentication, supply chain considerations, emergency communication plan, and plans for business shutdown if appropriate.
Read more in the SANS ISC diary: isc.sans.edu: Network Security Perspective on Coronavirus Preparedness

Note:

  • Fraud and malware related to the Coronavirus are currently seen in Asia. Catastrophic events tend to be used for fraud as news focuses on them, and in the US, impeachment and primaries have dominated the news. Expect more virus-related fraud as news media pay more attention to it. And please let us know if you see anything via our contact form: isc.sans.edu/contact.html
  • The Coronavirus introduces an illness which does not yet have a cure, and is resulting in, sometimes unexpected, quarantine and other restrictions which can have a direct business impact. Johannes Ullrich does an excellent job of summarizing things to consider and revisit in your DR plans in the ISC diary entry.

Additional Resources:
Business Pandemic Influenza Planning Checklist (PDF)
Public Health England Response Plan: Pandemic Influenza Response Plan (PDF)

Iowa Caucus Reporting App Problems. A buggy mobile app that was created for Iowa’s Democratic presidential caucuses did not work as hoped. Some precinct leaders had trouble downloading and installing the app, which was designed to let Iowa’s precincts report caucus tallies. The app appears to have recorded the data correctly, but reported only partial counts due to a coding problem in the reporting function. The Nevada State Democratic Party says it will not use the app in its upcoming caucuses. (Please note that the WSJ story is behind a paywall.)

Note:

  • Think of the Iowa caucus primary as that troublesome business unit in your company that is considered a key performer by management and is allowed to do everything just a little bit differently than all the other business units. The security approach here was “rather than make sure this new app is thoroughly tested, we will only release it to the users at the last minute – that way hackers won’t have time to hack it if there are vulnerabilities.” Not only is that always a bad approach to security, it is absolutely the worst approach to take with that business unit that never follows all the policies and procedures everyone else does. This one will make a very good Harvard Business Review case study – next time a business unit is pressuring to subvert the time required to thoroughly test new stuff, just tell management “We will be at risk of an Iowa caucus implosion….”
  • The issues underscore the need for usability and load testing before a wide scale deployment. The plan for the caucus included backup measures, including a number to call as a backup; unfortunately, the number was released widely and was overwhelmed, creating an intentional denial of service.
  • Testing the app was necessary but not sufficient. The deployment of applications must be end-to-end and must include the training and participation of the end users.
  • Another connection between cybersecurity and the Iowa Caucus App is that many Americans, including very senior government policy makers and politicians, perceive the Iowa App debacle as a cybersecurity-related problem or at least something that cybersecurity people should have anticipated and solved. At the same time many software development organizations consider 5 to 15 minute cybersecurity awareness training as sufficient for their software development people.

Read more in:
Election tech was supposed to clean up the Iowa caucus — instead, it may have killed it
The Iowa Caucus Tech Meltdown Is a Warning
Iowa’s Tally-by-App Experiment Fails (paywall)

Fixes Available for Five Flaws in Cisco Discovery Protocol. Cisco has released fixes for five flaws in the Cisco Discovery Protocol (CDP) that could be exploited to execute code remotely or cause denial-of-service conditions. CDP is enabled by default in most Cisco products, which means there are millions of vulnerable devices that need patching.

Note:

  • This is not the first CDP vulnerability; as such, the best mitigation is to disable it explicitly. A notable concern is that the flaws can be used to access other VLANs, possibly allowing access to sensitive traffic such as VoIP or ICS.
  • Cisco has joined Adobe and Microsoft among the infrastructure software providers with routine patches.

Read more in:
Cisco Flaws Put Millions of Workplace Devices at Risk
Critical Cisco ‘CDPwn’ Protocol Flaws Explained: Podcast
Cisco Patches Critical CDP Flaws Affecting Millions of Devices
Cisco Fixes CDP Flaws in Routers, Switches
Five high-level flaws patched in Cisco Discovery Protocol

FBI: DDoS Attack Targeted Voter Registration Website. The FBI issued a Private Industry Notification warning of “a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack.” The website was not adversely affected by the attack because it had established rate-limiting on its DNS servers.

Note: Some attention has been paid to the security of voting equipment, but very little paid to the complex “supply chain,” from registration to voting to tallying to announcing results, etc. The business equivalent is the ordering app being very secure and having DDoS protection but the user sign-up app being vulnerable.

Read more in:
FBI warns of DDoS attack on state-level voter registration website
FBI Warns of DDoS Attack on State Voter Registration Site
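The PRSD pattern the notification describes, and the per-client rate limiting that absorbed it, as an added example that is not from the FBI notification or any DNS server product: the log format, thresholds and every sample line are constructed here, and the two-label `zone_of` rule stands in for the public suffix logic a real tool would use.

```python
# Constructed log format: "<epoch-seconds> <client-ip> <qname> <qtype>"
import math
import random
import re
import string
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def label_entropy(label):
    """Shannon entropy in bits/char: www -> 0.0, register -> 2.5, and a 14-char
    label with no repeated characters -> log2(14) = 3.81."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return int(ts), client, qname.rstrip(".").lower(), qtype

def zone_of(qname, depth=2):
    # Constructed simplification: the last `depth` labels are the zone we serve.
    return ".".join(qname.split(".")[-depth:])

def detect_prsd(lines, window=60, min_unique=20, min_entropy=3.0):
    """Flag zones asked for many distinct, random-looking subdomains inside one
    window: such names were never seen before, so caches cannot answer them and
    the authoritative server works for every query, whereas normal traffic
    repeats a handful of readable names."""
    per_zone = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _ = rec
        zone = zone_of(qname)
        if qname == zone:
            continue  # apex query, no subdomain label to inspect
        leftmost = qname[: -len(zone) - 1].split(".")[0]
        per_zone[zone].append((ts, client, leftmost))
    findings = {}
    for zone, recs in per_zone.items():
        recs.sort()
        in_window = [r for r in recs if r[0] - recs[0][0] < window]
        random_recs = [r for r in in_window if label_entropy(r[2]) >= min_entropy]
        random_labels = {r[2] for r in random_recs}
        if len(random_labels) < min_unique:
            continue
        findings[zone] = {"queries": len(in_window),
                          "random_labels": len(random_labels),
                          "clients": sorted({r[1] for r in random_recs})}
    return findings

class ClientRateLimiter:
    """Token bucket per source: `rate` queries/s sustained, `burst` at once.
    Over-limit queries are dropped here (a real server would answer REFUSED or
    truncate); ordinary clients rarely hit the limit, a flood hits it at once."""

    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # client -> [tokens, last_seen]

    def allow(self, client, ts):
        tokens, last = self.buckets.get(client, [self.burst, ts])
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client] = [tokens - 1 if allowed else tokens, ts]
        return allowed

def answered_count(lines, limiter):
    """How many of the logged queries the limiter would have answered."""
    return sum(1 for ln in lines
               if (rec := parse_line(ln)) and limiter.allow(rec[1], rec[0]))

def sample_log():
    """Constructed sample: 30 random subdomains of the registration zone in 3 s
    from two sources, mixed with repeated lookups of three real hostnames."""
    rng = random.Random(2020)
    alphabet = string.ascii_lowercase + string.digits
    lines = []
    for i in range(30):
        label = "".join(rng.sample(alphabet, 14))  # 14 distinct chars, no words
        src = "203.0.113.7" if i % 2 else "198.51.100.9"
        lines.append(f"{1581000000 + i // 10} {src} {label}.register.example A")
    for i in range(25):
        host = ("www", "register", "lookup")[i % 3]
        lines.append(f"{1581000000 + i * 2} 192.0.2.{i % 5} {host}.register.example A")
    return lines
```

On the sample, `detect_prsd(sample_log())` reports 30 random labels from the two flood sources in a zone that saw 55 queries, and a 1 query/s, burst-3 limiter answers 35 of the 55 (all 25 legitimate lookups and 10 of the 30 flood queries).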

Critical RCE Flaw in OpenSMTPD Patched. A critical flaw in OpenSMTPD version 6.6 could be exploited to allow remote code execution. The vulnerability is due to improperly sanitized user input that could allow local attackers to gain elevated privileges. Users are being urged to upgrade to OpenSMTPD version 6.6.2p1.

Note:

  • This is a “must patch now” vulnerability (emergency priority) for anybody using OpenBSD with OpenSMTPD. OpenSMTPD is not very popular and, as far as I can tell, used only on OpenBSD systems. But OpenBSD, due to its reputation as a secure operating system, is often used for critical systems like security devices and firewalls. The vulnerability is trivial to exploit, and likely already exploited.
  • Exploitation of this flaw harkens back to the Morris Worm. A properly crafted message can be sent which causes the message body to be executed with the privileges of the SMTP daemon. Vulnerable daemons can be detected by vulnerability scanners; the best mitigation is to apply the update.
  • The modern “stack” makes it difficult to fully vet input at the application layer. It is essential that every layer also parse its input.

Read more in:
Critical flaw in OpenSMTPD found, patched
OpenSMTPD 6.6.2p1 portable release
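The principle in the last note, that each layer parses its own input, as an added illustration rather than OpenSMTPD code: a delivery-side check of an envelope address using a deliberately narrower grammar than RFC 5321 permits, with the parser and the hypothetical `local-delivery-agent` command line constructed here.

```python
import re

# Accepted subset of RFC 5321. The local part is restricted to a dot-atom over
# letters, digits, "_", "+" and "-"; this is narrower than atext on purpose, so
# quoted-string local parts and characters with a meaning to a shell or an exec
# wrapper are refused at this layer regardless of what the SMTP front end did.
LOCAL_RE = re.compile(r"^[A-Za-z0-9_+-]+(?:\.[A-Za-z0-9_+-]+)*$")
# Hostname labels: 1-63 characters, alphanumeric, hyphens only in the middle.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_envelope_path(path):
    """Parse a MAIL FROM / RCPT TO path '<local@domain>' into (local, domain).

    Returns ("", "") for the null reverse-path '<>' used by bounces and raises
    ValueError for anything outside the accepted subset.
    """
    if not (path.startswith("<") and path.endswith(">")):
        raise ValueError("path must be enclosed in angle brackets")
    addr = path[1:-1]
    if addr == "":
        return "", ""
    if addr.count("@") != 1:
        raise ValueError("exactly one @ is required")
    local, domain = addr.split("@")
    if not 1 <= len(local) <= 64 or not LOCAL_RE.match(local):
        raise ValueError("local part is outside the accepted subset")
    labels = domain.split(".")
    if len(domain) > 253 or not all(LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError("domain is not a valid hostname")
    return local, domain.lower()


def rejects(path):
    """True when the parser refuses the path (handy for demonstrating the checks)."""
    try:
        parse_envelope_path(path)
    except ValueError:
        return True
    return False


def deliver_locally(rcpt_local, rcpt_domain, run):
    """Delivery layer: re-parse the recipient before handing it to a program.

    `run` receives an argv list for the hypothetical local-delivery-agent; no
    shell is involved, and the address is validated again here rather than
    trusted because an earlier layer accepted it.
    """
    local, domain = parse_envelope_path(f"<{rcpt_local}@{rcpt_domain}>")
    return run(["local-delivery-agent", "-f", f"{local}@{domain}"])
```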

Health Share of Oregon Medicaid Data Compromised. A laptop stolen from a third-party vendor has exposed data belonging to patients of Health Share of Oregon, a Medicaid coordinated care organization. The compromised information includes names, dates of birth, Social Security numbers (SSNs) and Medicaid ID numbers.

Note: It has always been dangerous to store sensitive data on portable devices. The speed and ubiquity of the modern “cloud” (storage, connectivity, and software) makes it not only unnecessary but reckless to do so.

Read more in:
Health Share of Oregon discloses data breach, theft of member PII
Health Share Oregon Announces Security Incident and Data Leak

Cryptomining Malware Found on DOD Network. A researcher participating in a US Department of Defense (DOD) bug bounty program found that a DOD-related server was being used as part of a cryptocurrency mining botnet. The initial bug report was made regarding a misconfigured Jenkins automation server that could be accessed without credentials. DOD fixed that problem, but when the researcher who made the report looked at his findings more closely, he determined that the server had been compromised before he detected the misconfiguration issue.

Note: It is easy to focus on a single issue and miss other indications of compromise, particularly with pressure to return services to operational status rapidly. Regular scanning and monitoring for indicators can provide a backup for when this happens.

Read more in: Bug hunter finds cryptocurrency-mining botnet on DOD network

NHS Missed Windows 10 Migration Target. The UK’s National Health Service (NHS) has about half a million computers that are still running Windows 7, despite the organization’s plan to migrate all computers to Windows 10 by January 14, 2020. Microsoft ended support for Windows 7 last month.

Read more in: Windows 10 migration struggles: 500,000 NHS computers are still running Windows 7

Coronavirus Concerns Prompt Companies to Pull Out of Tech Shows, Revise Sales Forecasts. LG has decided not to attend the Mobile World Congress (MWC) technology show in Barcelona due to concerns about coronavirus. ZTE has cancelled a planned press conference at the show, which opens on February 24, but still plans to host a booth. A Chinese company that manufactures iPhones has cut its sales forecast due to the coronavirus outbreak.

Read more in: Coronavirus: LG pulls out of Mobile World Congress

Fondren Orthopedic Patient Data Compromised. A Texas orthopedic practice has started notifying its patients that a malware infection compromised their healthcare information. Fondren Orthopedic Group experienced a cybersecurity incident in November 2019. In a letter to its patients, Fondren said that the incident damaged medical records belonging to more than 34,000 patients; some of the records are beyond recovery.

Read more in:
Malware Destroys Data of 30,000 Fondren Orthopedic Patients
Malware attacks destroy Fondren Orthopedic Group patient records
Notice of Data Incident

University of Maastricht Paid Ransom. The University of Maastricht in the Netherlands says that it paid a 30-bitcoin (US $292,000) ransom to regain access to its computer systems following a December 24, 2019 ransomware attack.

Read more in:
University of Maastricht Paid 30 Bitcoins to Ransomware Attackers
University of Maastricht says it paid hackers 200,000-euro ransom

Baton Rouge Vocational School Ransomware Attack. The computer system at ITI Technical College in Baton Rouge, Louisiana was hit with a ransomware attack in late January. The college’s vice president said that the school did not plan to pay the ransom. IT staff have isolated affected systems and are bringing cleared elements back online gradually.

Read more in:
ITI Technical College latest victim of ransomware attacks
Cyberattack Disrupts Baton Rouge, La., College Ahead of Finals

NIST Draft Ransomware Guidelines. The US National Institute of Standards and Technology (NIST) has published two draft practice guidelines regarding ransomware. NIST is accepting public comments on Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events through February 26, 2020.

Note: The time allowed for public comment on NIST publications seems to be disproportionate to their size and importance. Few of us are sitting around with time on our hands just waiting to work full time for a month on their latest effort. We should admit that we are only giving lip-service to the idea of “public comment.”

Read more in:
NIST Drafts Guidelines for Coping With Ransomware
Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

The headline on 04 Feb 2020

Hackers are Hijacking Vulnerable Smart Building Access Systems to Launch DDoS Attacks. Attackers are hijacking vulnerable smart building access systems and using them to launch distributed denial-of-service (DDoS) attacks. There has been increased scanning for Nortek Security & Control (NSC) Linear eMerge E3 systems that are vulnerable to a known critical command injection flaw.

Note: Back in late 2013, SANS held an Internet of Things Security Summit where we pointed out smart building systems as the most likely future attack path for real business damage, vs. other attacks. The growth of commercial real estate being developed with wired and wireless networks built-in, and with elevator, HVAC systems on the network with remote access to all those systems means many companies are putting their internal systems onto building networks that are being run quite often at very low levels of security hygiene.

Read more in:
Linear eMerge E3 Access Controller Actively Being Exploited
Attackers Actively Targeting Flaw in Door-Access Controllers
Attackers Exploit Security Flaws in Smart Building Systems
Hackers are hijacking smart building access systems to launch DDoS attacks

Pentagon Releases Cybersecurity Maturity Model Certification Standard. The US Defense Department (DoD) has released the Cybersecurity Maturity Model Certification version 1.0. The framework describes the cybersecurity standards that DoD contractors must meet if they want to win contracts. CMMC will be applied to some contracts starting later this year; by 2026, all DoD contracts are expected to include CMMC.

Read more in:
Pentagon finalizes CMMC standard for contractors
DoD to Require Cybersecurity Certification From Defense Contractors
Pentagon issues long-awaited cyber framework for the Defense industry
Pentagon finalizes first set of cyber standards for contractors
Cybersecurity Maturity Model Certification (CMMC) (PDF)

EKANS Ransomware Also Kills ICS Processes. The ransomware known as EKANS not only encrypts data on infected systems, it also interrupts Industrial Control Systems (ICS) applications. Before encrypting data, EKANS kills 64 different ICS processes named in a static list. Some versions of MegaCortex ransomware target the same list of ICS processes.

Note: Given the frequency and success of “Ransomware” attacks, we must increase the cost of attack and improve our resilience in the face of such attacks. It is a myth that the advantage is always to the attacker. We can get a ten-fold increase in the cost of attack for a relatively small increase in one’s cost of security. Keep in mind that most of these victims are targets of opportunity. One does not have to “outrun the bear.”

Read more in:
EKANS Ransomware and ICS Operations
Mysterious New Ransomware Targets Industrial Control Systems
New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure
EKANS Ransomware Raises Industrial-Control Worries

Maze Ransomware Hits French Construction Company. A French construction company was hit with Maze ransomware on January 30. Bouygues Construction has shut down its network to prevent the ransomware from encrypting additional data. The operators of Maze ransomware have gained a reputation for stealing data from targeted organizations and publishing it if the victims do not pay the ransom.

Read more in:
Bouygues Construction Shuts Down Network to Thwart Maze Ransomware
Maze Ransomware Hits Law Firms and French Giant Bouygues

Tillamook County Will Negotiate with Hackers for Decryption Key. Tillamook (Oregon) County Commissioners have voted unanimously to negotiate with hackers for the decryption key to regain access to the county’s computer systems. Tillamook County systems were infected with ransomware on January 22, 2020.

Note:

  • This case illustrates the factors that have to be balanced: (1) the need for both public and private meetings to keep the public informed, including the appointment of communication officers and selection of communication means; (2) the complexity of a transition from old to new update information systems; (3) getting professional help where needed; and (4) keeping as much business as usual operating smoothly while (5) informing the public of alternate mechanisms for offline components. The complexity shows why a verified, thorough disaster recovery plan is so important.
  • It appears to be the consensus among the NewsBites editors that the decision to pay the ransom is a business, not security, decision. However, the failure to make this decision in advance of an attack is a security decision. There should be accountability.

Read more in:
Cyberattack: County to negotiate for ransomware key
US County’s Computers Still Down Nine Days After Ransomware Attack

City of Racine, Wisconsin, Hit with Ransomware. Computer systems belonging to the city of Racine, Wisconsin were infected with ransomware on January 31. As of February 3, the city’s website, email, and online payment systems were still down. The attack did not affect 911 and public safety systems. Tax collection systems are also operating as usual.

Read more in: Ransomware knocks city of Racine offline

TVEyes Target of Ransomware Attack. Broadcast media monitoring company TVEyes was hit with ransomware early on Thursday, January 30. The company’s CEO said on Friday, January 31 that they had restored servers from backups.

Note:

  • At last, a good news story relating to ransomware and evidence that reliable backups are an effective measure against ransomware.
  • Note that this may only be successful to the extent that one has addressed the vulnerabilities that led to the breach in the first place. We have seen reinfections.

Read more in:
Ransomware hits TV & radio news monitoring service TVEyes
Ransomware hits TV search engine popular among political campaigns

Prosecutors Drop Burglary Charges Against Coalfire Pentesters. Prosecutors in Iowa have dropped burglary charges against two people who broke into a county courthouse after hours as part of a penetration test. The two are employees of Coalfire Labs, which had been hired by Iowa’s State Court Administration to test the security of its IT systems and its buildings. Gary DeMercurio and Justin Wynn were arrested in September 2019 and held for hours before being released on bail. The case illustrates the need for establishing pen-testing best practices.

Note:

  • This is awesome news. An important lesson from this case is that security contractors, and especially penetration testers, have the responsibility to educate their customers on all aspects of authorized permission including specific actions and timing and to ensure a common understanding so that they have the pen tester’s back when something goes awry.
  • The case illustrates the need for well documented and agreed terms of service.

Read more in:
KrebsOnSecurity: Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security
Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped
Charges dropped against Coalfire security team who broke into the courthouse during the pen test
Exonerated: Charges dropped against pen-testers paid to break into Iowa courthouse

Australian Freight Company Suffers Cyberattack. Australian freight and logistics company Toll Group has shut down several of its IT systems to contain the damage from a cybersecurity incident. Toll customers have experienced problems tracking shipments. The company has not released details about the nature of the cyberattack.

Read more in:
Toll stops services after the security breach
‘Cybersecurity incident’ takes its Toll on the Aussie delivery giant as box-tracking boxen yanked offline
Cybersecurity Incident Mars Australian Freight Giant’s Operations

Six Arrested in Connection with Maltese Bank Cyberattack. The UK’s National Crime Agency (NCA) has arrested six people in connection with a cyberattack against Malta’s Bank of Valletta. The suspects allegedly gained access to the bank’s IT systems in February 2019 and made several large transfers totaling €13 million (US $14.4 million). The Bank of Valletta said in May 2019 that it had recovered €10 million (US $11.1 million) of the stolen funds.

Note: Prevention is easier than recovery. That said, early (within hours) reporting of fraudulent transfers to the FBI will greatly improve the chances of recovery. Do you know who to call?

Read more in:
UK Arrests Cyber-Thieves Who Stole Millions from Maltese Bank
A year after Bank of Valletta ‘cyber heist’, cuffs applied as the cash-cleansing case continues
Three suspects arrested in Maltese bank cyber-heist

Raytheon Engineer Arrested for Taking Laptop with Missile Data to China. US federal law enforcement agents have arrested a Raytheon engineer after he took a work laptop containing missile defense systems information to China. Wei Sun has worked at Raytheon since December 2008. In December 2018, Sun traveled abroad with his work laptop in defiance of Raytheon’s exhortations not to bring it on his travels. In January 2019, Sun emailed Raytheon and informed them he was resigning from his position so he could study and work abroad. Sun returned to the US later that month. He initially told Raytheon security officials that he had traveled to Singapore and the Philippines, but eventually admitted that he had traveled to China, Cambodia, and Hong Kong.

Note: Mechanisms to limit sensitive data exposure include specific laptops configured for foreign travel, DLP solutions that limit data storage and access, and location-aware device management which could be used to remotely wipe a device. Even so, the employee is the critical most challenging link in the security chain. In support of the human factor, appropriate consequences with visible actions may act as a deterrent.

Read more in:
Raytheon engineer arrested for taking US missile defense data to China
Missile Engineer Arrested After Taking Secret Info to China
First Superseding Indictment (PDF)

Hackers Insert Themselves in eMail Conversation, Steal Payment in Fine Art Sale. The ownership of a 200-year-old painting by British artist John Constable is in question after hackers infiltrated email conversations regarding payment for the artwork. A museum in the Netherlands had agreed to purchase the painting from a British art dealer for £2.4 million ($3.1 million). Hackers sent a spoofed message directing the museum to transfer the payment into a bank account they controlled. Each party blames the other: the museum maintains that the dealer should have known that spoofed messages were sent, while the dealer maintains that the museum should have verified the details of the bank transfer.

Note:

  • Non-routine payments must be verified out of band before paying: “Pick up the telephone.” This is the responsibility of the payer. Transfers should be confirmed out of band; this is the responsibility of the paying agent (usually the bank). The role of reconciling confirmations should be separate from that of authorizing payments in the first place.
  • This is a classic invoice/payment redirection scam, also known as Business Email Compromise. Technical controls such as DMARC, DKIM, and SPF, and also using effective email filtering solutions, can help minimize the risk of this type of attack. However, as demonstrated by the blame game in this example, the human factor plays a significant part. Basic manual verification processes can often be the most effective prevention measures. Europol provides some excellent guides on how to protect against scams targeting employees (www.europol.europa.eu: Infographic: Fraud Scams Targeting Employees).
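The DMARC control named in the note above, as an added example that is not from the article or its editors: it parses constructed `_dmarc` TXT records and reports whether a message spoofing a given From: domain would be quarantined or rejected every time, showing that `p=none`, a sampled `pct`, or a missing record leaves a redirected-invoice message deliverable. The domain names and records are constructed, and the organizational-domain lookup is a simplified assumption.

```python
from typing import Dict

# Constructed sample TXT records for _dmarc.<domain> (not real DNS data).
SAMPLE_DNS: Dict[str, str] = {
    "weak-dealer.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak-dealer.example",
    "strong-dealer.example": "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=s",
    "partial.example": "v=DMARC1; p=quarantine; pct=30",
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def _policy_from(record: str, subdomain: bool) -> Dict[str, object]:
    """Disposition requested by one record; {} if the record is unusable."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}  # malformed or non-DMARC TXT record: receivers ignore it
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return {"policy": policy.lower(), "pct": int(tags.get("pct", "100"))}

def dmarc_policy_for(sender: str, dns: Dict[str, str] = SAMPLE_DNS) -> Dict[str, object]:
    """Policy a receiver applies to mail whose From: domain is `sender`.
    Assumption (not from the article): the organizational domain is the last
    two labels; a real implementation consults the Public Suffix List."""
    if sender in dns:
        found = _policy_from(dns[sender], subdomain=False)
        if found:
            return {**found, "source": sender}
    org = ".".join(sender.split(".")[-2:])  # subdomain inherits sp= (or p=) of org domain
    if org != sender and org in dns:
        found = _policy_from(dns[org], subdomain=True)
        if found:
            return {**found, "source": org}
    return {"policy": "none", "pct": 0, "source": "no record"}

def spoof_is_blocked(sender: str, dns: Dict[str, str] = SAMPLE_DNS) -> bool:
    """True only when every DMARC-failing spoof of `sender` is quarantined or
    rejected. With pct below 100 the unsampled share gets the next weaker
    action (RFC 7489), so a sampled policy still lets some spoofs through."""
    found = dmarc_policy_for(sender, dns)
    return found["policy"] in ("quarantine", "reject") and found["pct"] == 100
```

In practice the receiver's disposition still depends on the mail also failing SPF and DKIM alignment; a DMARC policy does nothing against a message sent from a look-alike domain the fraudster legitimately owns, which is why the out-of-band verification above remains the decisive control.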

Read more in:
Hacker snoops on art sale and walks away with $3.1m, victims fight each other in court
Fraudsters Posing as Art Dealer Got Gallery to Pay Millions

NEC Acknowledges December 2016 Breach. Japan’s NEC Corp. has disclosed that its systems were breached in December 2016. The company did not detect the breach until June 2017, when it noticed encrypted traffic being sent from a company server. NEC decrypted the traffic in July 2018 and found that the attackers had exfiltrated data from the company’s defense business division.

Note: Mean time to detection (MTTD) of a breach needs to go from months in 2017 to days in 2020. Many companies that take cybersecurity seriously have or have nearly accomplished that goal. For others, it will never happen because they have not yet established MTTD as a key cybersecurity objective and thus they are not measuring it.

Read more in: Japanese company NEC confirms 2016 security breach

APT34 Targeting US Company Through Spear Phishing eMail. A hacker group with ties to Iran has been sending spear-phishing emails to customers and employees of a company that works with US federal, state, and local governments. The phony messages sent to Westat employees contain malicious Excel spreadsheet attachments. The spreadsheets appear to be blank; if recipients enable macros, the content – a phony job satisfaction survey – appears and malware that installs the TONEDEAF backdoor is downloaded in the background.

Read more in: Iranian Hackers Target U.S. Gov. Vendor With Malware

Some US Emergency Alert Systems Remain Unpatched Years After Fix Released. A vulnerability in certain emergency alert systems (EAS) that was disclosed in 2013 remains unpatched on at least 50 systems across the US. The issue lies in the web interfaces for Monroe/Digital Alert Systems EAS hardware.

Note: These systems are effective appliances that are configured to accept and forward emergency messages. The challenge with appliance-type systems is not only monitoring them for security vulnerabilities but also having appropriate processes in place, with accountability, to keep them updated and secure.

Read more in: Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.