The headline on 29 Feb 2020
RSA Keynote: ICS Cybersecurity Year in Review: Major Concerns. In an extraordinary keynote address at RSA 2020 yesterday, Rob Lee provided an authoritative review of the attacks and status of defenses in ICS security. His full (50 minute) keynote is on YouTube (see url below). The data are fascinating and provocative. One interesting insight: the vendors of ICS systems (OEMs) are failing to make basic security fixes, resulting in 91% of ICS systems having “common hardware issues beyond the asset owners’ purview.”
Read more in:
- The Industrial Cyberthreat Landscape: 2019 Year in Review
- Robert M. Lee of Dragos to Deliver Keynote at RSA Conference 2020
GAO: Critical Infrastructure Must Adopt NIST Cyber Framework. According to a report from the Government Accountability Office (GAO), the federal agencies that lead protection of critical infrastructure sectors (sector-specific agencies, or SSAs) have for the most part not taken adequate steps to ensure that the sectors they oversee have adopted the National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity. There are nine SSAs overseeing 16 critical infrastructure sectors. Two SSAs have developed strategies for determining framework adoption in their designated sectors; two others have taken steps toward developing such methods. Most of the SSAs have encouraged their sectors to adopt the framework. GAO recommends that NIST develop time frames for completing its initiatives, and that the SSAs gather and report on improvements resulting from framework adoption.
Note: This is urgent. While the SANS Top Twenty are more applicable to the scale of many enterprises, the NIST Cyber Framework is essential for large enterprises that are part of the economic or national security infrastructures.
Read more in:
- CRITICAL INFRASTRUCTURE PROTECTION | Additional Actions Needed to Identify Framework Adoption and Resulting Improvements (PDF)
- Critical Infrastructure Agencies Must Fully Adopt NIST Cyber Framework, GAO Says
Hackers Actively Scanning for Microsoft Exchange Server Vulnerability. Attackers are scanning for systems that have not been patched against the Microsoft Exchange Server remote code execution vulnerability that was fixed in Microsoft’s February Patch Tuesday release.
Read more in:
- Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
- Microsoft Exchange Server admins urged to treat crypto key flaw as ‘critical’
- CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
US Collegiate CTF Competition with Large Scholarships and Direct Connection To Jobs Announced at RSA. College students who hope to qualify for internships and jobs in cybersecurity are now eligible for the Cyber FastTrack Capture the Flag (CTF) leading to $2.2 million in scholarships (including several SANS classes and GIAC certifications) and direct internships and jobs with employers seeking top talent. Open to all college students in the U.S. Deadline to register March 22. Actual competition March 26-27. More information: cyber-fasttrack.org
Note: As of this morning, 2,035 students from 464 US colleges have signed up for the first 2020 CTF. Cyber FastTrack is the only way for college students to discover how their skills stack up. Three Cyber FastTrack CTFs are scheduled for 2020 so students can keep moving up the leaderboard.
Fixes Available for Kr00k Vulnerability in Cypress and Broadcom Chips. A flaw in Wi-Fi chips from Cypress Semiconductor and Broadcom could be exploited to decrypt data sent over Wi-Fi networks. The affected chips are used in a range of devices, including iPhones, iPads, Amazon Echos and Kindles, Android devices, and certain Wi-Fi routers. The vulnerability, dubbed Kr00k, lies in the way the chips handle a disconnection (disassociation) from the network: the chip clears the session key to all zeroes but still transmits any frames left in its buffer, now encrypted with that all-zero key, so anyone within radio range can decrypt them. Most manufacturers have developed fixes for the issue, but it is not known how widely they have been applied.
Read more in:
- Flaw in billions of Wi-Fi devices left communications open to eavesdropping
- Kr00k Wi-Fi Vulnerability Affected a Billion Devices
- New Kr00k vulnerability lets attackers decrypt WiFi packets
- Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
- Billions of Devices Open to Wi-Fi Eavesdropping Attacks
- Cisco Working on Patches for New Kr00k WiFi Vulnerability
- Cisco patches incoming to address Kr00k vulnerability impacting routers, firewall products
Criminal Cases Dropped After Evidence Lost in Ransomware Attack. US federal prosecutors dropped 11 narcotics cases after crucial evidence was lost in a ransomware attack on a Florida police department’s network. The Stuart Police Department experienced a ransomware attack in April 2019. Some data were recovered, but evidence in the cases was lost. Other jurisdictions around the US have also reported losing evidence in ransomware attacks.
Note: Forensic evidence needs to be stored in a read-only fashion, with accompanying digital signatures to indicate tampering, or better still, keep the master copy off-line.
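The note above asks for read-only storage plus a tamper-evident record of what was collected. The following is an added example, not code from the original item or from any of the departments mentioned: it builds a manifest of SHA-256 digests for every file in an evidence directory, authenticates the manifest, and re-verifies it later. HMAC is used here as a stand-in for the digital signature the note describes, only because the Python standard library has no asymmetric signing; the key, paths and file contents are constructed for the demonstration.

```python
"""Tamper-evident evidence manifest: hash every file, authenticate the manifest,
and re-verify later. Added example; keys, paths and file contents are constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images/videos need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _walk(evidence_dir):
    """Yield paths relative to evidence_dir for every file under it."""
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            yield os.path.relpath(os.path.join(root, name), evidence_dir)


def _canonical(entries):
    # Canonical JSON so the tag is computed over exactly one byte sequence
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_dir, key):
    """Record size and SHA-256 of every file, then authenticate the whole listing.
    HMAC stands in for a digital signature (stdlib has no asymmetric signing); with a
    real signature or an HSM/TPM-held key the verifier needs no shared secret."""
    entries = {}
    for rel in _walk(evidence_dir):
        path = os.path.join(evidence_dir, rel)
        entries[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac_sha256": tag}


def verify_manifest(evidence_dir, manifest, key):
    """Return a list of findings; an empty list means the evidence set is intact."""
    findings = []
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        findings.append("manifest: authentication tag mismatch (manifest itself altered?)")
    on_disk = set(_walk(evidence_dir))
    for rel in sorted(manifest["entries"]):
        meta = manifest["entries"][rel]
        if rel not in on_disk:
            findings.append(f"missing: {rel}")
        elif sha256_file(os.path.join(evidence_dir, rel)) != meta["sha256"]:
            findings.append(f"modified: {rel}")
    for rel in sorted(on_disk - set(manifest["entries"])):
        findings.append(f"unexpected: {rel}")
    return findings


def demo():
    """Seal two constructed files, then alter a file, then also forge the manifest."""
    key = b"constructed-demo-key; keep the real key offline or in an HSM"
    with tempfile.TemporaryDirectory() as case_dir:
        with open(os.path.join(case_dir, "bodycam-0412.bin"), "wb") as f:
            f.write(b"\x00\x01constructed video bytes")
        with open(os.path.join(case_dir, "lab-report.txt"), "w") as f:
            f.write("constructed lab report\n")
        manifest = build_manifest(case_dir, key)
        clean = verify_manifest(case_dir, manifest, key)

        with open(os.path.join(case_dir, "lab-report.txt"), "a") as f:
            f.write("altered after sealing\n")
        file_changed = verify_manifest(case_dir, manifest, key)

        # An attacker who also rewrites the hash inside the manifest is caught by the tag
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["lab-report.txt"]["sha256"] = sha256_file(
            os.path.join(case_dir, "lab-report.txt"))
        manifest_forged = verify_manifest(case_dir, forged, key)
    return clean, file_changed, manifest_forged


if __name__ == "__main__":
    for label, findings in zip(("sealed", "file altered", "manifest forged"), demo()):
        print(f"{label}: {findings or 'OK'}")
```

The manifest should be written to a separate, read-only or offline location from the evidence itself; verification is only as trustworthy as the key (or signing certificate) the verifier holds.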
New Mexico School District Hit with Ransomware Again. The Gadsden Independent School District in Las Cruces, New Mexico has been hit with ransomware for the second time in seven months. The district reported that its internet and communications systems were offline. It is not clear if the most recent infection is new or a recurrence of the July attack.
Note: The conversation has focused on paying the ransom or not, and in this case the school district has the ability to recover without paying the ransom. The daunting issue of preventing recurrence remains for everyone impacted by ransomware. Technical countermeasures and exercises that reinforce user training build the foundation.
Bretagne Télécom Ransomware Attack. French cloud services provider Bretagne Télécom was hit with a ransomware attack in early January 2020. The company did not pay a ransom and was able to restore its systems from backups. Bretagne Télécom’s CEO said the attackers exploited a Citrix vulnerability for which a patch was not yet available. The attackers did steal some data from Bretagne Télécom, which they uploaded to a website.
Chrome Update Addresses 0-day and Other Vulnerabilities. Google’s latest update for the Chrome browser includes fixes for three security issues, one of which is already being actively exploited. All three flaws have been rated high severity. Chrome 80.0.3987.122 is available for Windows, macOS, and Linux.
Note: These flaws are being actively exploited; rapid updates are prudent. I was pleased to find my IT department was already pushing this update when I returned from travel this week.
Read more in:
- Stable Channel Update for Desktop
- Mind the gap: Google patches holes in Chrome – exploit already out there for one of them after duo spot code fix
- Google issues Chrome update patching possible zero day
- Chrome 80 update cripples top cybercrime marketplace
- Google patches Chrome zero-day under active attacks
Zyxel Flaw Affects Firewall Products. A recently disclosed flaw in some Zyxel Network Attached Storage (NAS) products has been found to also affect certain Zyxel firewall products. Zyxel became aware of the vulnerability several weeks ago after a security expert discovered that an exploit for the vulnerability was being sold on a cybercrime forum.
Read more in:
- ZyXEL pre-authentication command injection in weblogin.cgi
- Zyxel 0day Affects its Firewall Products, Too
- Zyxel security advisory for the remote code execution vulnerability of NAS and firewall products (updated advisory)
Australian Telcos Will Need to Employ Multi-Factor Authentication Before Porting Mobile Phone Numbers. Telecommunications companies in Australia will have to actively obtain approval from customers before porting a mobile phone number to a new provider. The Australian Communications and Media Authority (ACMA) said the process will require multi-factor authentication, but did not provide additional details. The Australian Communications Consumer Action Network (ACCAN) wants the ACMA to require “highly secure” methods of authentication.
Note: In the US, all mobile carriers give an option to add a PIN onto the phone porting process, which is better than the default security questions used. This should be a minimum recommendation on all executive mobile phones; going to 2FA is even better.
Firefox Begins Rolling Out DNS Over HTTPS by Default in US. On Tuesday, February 25, Mozilla announced that “Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users.” Firefox users outside the US can enable DoH by choice in their Network Settings. While Cloudflare is the default encrypted-DNS service in Firefox, users can manually switch to NextDNS or another service of their choice.
Read more in:
- Firefox continues push to bring DNS over HTTPS by default for US users
- Firefox turns encrypted DNS on by default to thwart snooping ISPs
- Mozilla enables DOH by default for all Firefox users in the US
- Here’s how to enable DoH in each browser, ISPs be damned
Clearview AI Client List Stolen. Facial recognition software company Clearview AI has disclosed that someone gained unauthorized access to its client list, which includes law enforcement agencies. Clearview did not share details of the breach, although the company did say that its servers were not breached. Clearview has made headlines recently for scraping billions of images from social media.
Read more in:
- Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen
- Customer data stolen in data breach of facial recognition company Clearview AI
- Clearview AI Reports Breach of Customer List
The headline on 27 Feb 2020
Recent news of Linus Torvalds’ disavowal of ZFS and the loss of support for Docker causes some to worry about unity in the open source community. Source: TechRadar > Security in the financial industry
More drama over open source licensing: OSI (Open Source Initiative) co-founder Bruce Perens resigned due to his concern that the OSI is “headed toward accepting a license that isn’t freedom respecting”. What really happened? Source: The Register > Bruce Perens quits Open Source Initiative amid row over new data-sharing crypto license: ‘We’ve gone the wrong way with licensing’
How can businesses in the financial industry ensure security with open source components? Source: TechRepublic > Open source: A matter of license and lock-in
The headline on 26 Feb 2020
Coronavirus: More Companies Backing Out of Conferences. AT&T Cybersecurity and Verizon have decided not to attend the RSA Conference in San Francisco this week, citing concerns about the coronavirus. IBM announced its decision not to attend RSA on February 15. The conference is taking place this week as scheduled. Sony and Facebook’s Oculus have pulled out of the Game Developers Conference scheduled for March 16-20 in San Francisco. Coronavirus worries have already caused the cancellation of Mobile World Congress, which was to have taken place in Barcelona February 24-27. Black Hat Asia 2020 has been postponed to fall 2020, and Cisco has cancelled its Cisco Live! conference that was scheduled to be held in Melbourne, Australia early next month.
- The best advice comes from the WHO and CDC regarding the Coronavirus and should be incorporated in making a decision relating to attending or hosting an event.
- The increasing spread of the Coronavirus is a great opportunity for companies to revise their Business Continuity Plans (BCPs). Too often BCPs focus on the IT aspect of an interruption to business and not on the human element. Getting senior management to understand the impact of large numbers of staff being quarantined or out of work sick can help get the buy-in required for the non-IT element of BCPs. The Irish government has published an excellent guide for companies to deal with an influenza outbreak which can be adapted for use with the Coronavirus www.gov.ie: Business Continuity Planning – Checklist of Preparatory Actions in Responding to an Influenza Outbreak
Read more in:
- AT&T, Verizon join RSA exodus over Coronavirus fears
- Coronavirus prompts Verizon to pull out of RSA sponsorship
- Coronavirus forces more companies to skip tech conferences
Median Dwell Time for Breaches is Falling Worldwide. According to the M-Trends 2020 Report, the global median “dwell time” – the time from initial intrusion to detection – fell from 78 days to 56 days in just one year. The report also found that while intrusions are being detected more quickly, they are more often discovered by third parties rather than internally.
- More rapid discovery of breaches is moving the bar in the right direction. That external parties are discovering them first is an indication that partnering with an external service can help cover gaps in internal services and could be used with an accompanying build or buy decision for the long-term strategy.
- It is good to see a downward trend in this statistic, however it is still way too high. The fact that breaches are being discovered by third parties rather than the victims is still a worrisome trend. Preventive controls are essential in cybersecurity, but equally important is having appropriate detection controls in place and effective incident response.
Read more in:
- M-Trends 2020 (PDF)
- Cybersecurity: Hacking victims are uncovering cyberattacks faster – and GDPR is the reason why
- Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
US Department of Defense DISA Breach Exposed PII of 200,000 People. The US Department of Defense’s (DoD’s) Defense Information Systems Agency (DISA) has acknowledged a network breach that compromised the personal information of at least 200,000 individuals. On February 11, 2020, DISA sent letters to the people whose data were compromised, telling them that the breach occurred between May and June 2019. DISA secures and manages White House communications.
Read more in:
- Data Breach Occurs at Agency in Charge of Secure White House Communications
- DISA breach likely exposed personal data on at least 200K
- Pentagon’s tech agency reveals potential breach involving personal data
- DISA exposes personal data of 200,000 people
Wyden Pushing for Release of ShiftState Voatz Audit Results. US Senator Ron Wyden (D-Oregon) is asking a company that conducted an audit on the Voatz mobile voting app to disclose the results. While ShiftState’s audit gave Voatz “high marks,” researchers at MIT recently published a paper enumerating security concerns present in Voatz. Specifically, Wyden wants to know how many “ShiftState personnel that audited Voatz [have] experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security;” whether ShiftState detected the same flaws the MIT researchers found; and whether the company agrees or disagrees with the MIT findings and why.
- Something as critical as voting software should have more public security testing references than just a small company that has been in existence for under two years. Voatz has started up a managed bug bounty program, talking about many of the right things security-wise but anything connected to elections needs to have the talk verified to see if the right actions match the talk.
- The challenge will be finding a repeatable methodology that adequately tests the security of voting apps irrespective of who performs that assessment. Given the stakes, reconciliation of assessments from multiple sources is appropriate to ensure election integrity.
Read more in: Sen. Wyden Questions ShiftState on Voatz Audit
Car Thieves Disabling OnStar, Replacing Vehicle Computers. In “a recent string of stolen Chevrolet Silverado pickups,” thieves disabled the OnStar anti-theft technology almost immediately, reducing the likelihood of the vehicles’ recovery. Surveillance video has shown how fast the thieves operate – pop the lock, open the hood, change the computer, and disable OnStar tracking.
Read more in:
- Chevrolet Silverado Thieves Disable OnStar Tracking
- Thieves Target Chevrolet Silverados, Disable OnStar Tracking
Man Arrested in Connection with Political Website DDoS Attacks. The FBI has arrested a California man for allegedly launching distributed denial-of-service (DDoS) attacks against the website of a political candidate. The suspect’s wife worked as a campaign staffer for one of the victim’s political opponents.
Read more in:
- FBI Arrests Hacker Linked to Former Rep. Katie Hill’s Campaign
- California man arrested on charges his DDoSes took down candidate’s website
- Feds charge California man for 2018 DDoS attacks on congressional campaign
- FBI arrests man accused of launching cyberattacks against former Rep. Katie Hill’s rival
- Campaign staffer’s husband arrested for DDoSing former Rep. Katie Hill’s opponent
ISS World Recovering from Malware Attack. Copenhagen-based ISS World says it is recovering from a malware attack that hit its network last week. The facilities management company has more than half a million employees around the world. ISS says it has determined the “root cause” of the problem, but has not said if the malware is ransomware.
NRC Health Ransomware Attack. NRC Health, a company that administers patient satisfaction surveys for hospitals across the US, has acknowledged that its systems were hit with a ransomware attack on February 11. The company shut down its “entire environment” to limit the damage. Hospitals have expressed concern about the security of patient data.
Read more in:
- NRC Health recovering from ransomware attack
- Cyberattack on NRC Health sparks privacy concerns about private patient records stored by US hospitals
Toll Group Working to Recover from Ransomware Attack. Australian freight delivery provider Toll Group is still recovering from a ransomware attack that hit its network in late January. The company has not and does not plan to pay the ransom demand. Toll customers have expressed frustration with delays that resulted from network downtime.
Read more in: Toll Faces Customer Fallout After Cyberattack
The Most Important Open Source Components and Associated Security Issues. The Census Program II “identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities.” The report is the work of the Linux Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH).
- The challenge of open source is determination of how well it has been assessed. A report like this provides an extra data point to accompany your own assessment and validation processes.
Read more in:
- Census Program II – Download Preliminary Report
- The great big open-source census: Most-used libraries revealed – plus 10 things developers should be doing to keep their code secure
- The Linux Foundation identifies most important open-source software components and their problems
Samsung Discloses Data Security Incident. Samsung said that a data security incident last week allowed some users to view other users’ information. The company says the incident was not related to the mysterious “1/1” push notifications some users reported receiving. Those notifications came from the Find My Mobile app even if the users had it disabled.
Read more in:
- Samsung suffers data breach as coronavirus spreads through South Korea
- Samsung cops to data breach after unsolicited ‘1/1’ Find my Mobile push notification
FBI Touts Passphrases Over Passwords. A Tech Report from the FBI’s Portland, Oregon Field Office encourages people to use passphrases of at least 15 characters rather than passwords, because the longer passphrases are more difficult to crack. The passphrases do not need to contain numbers, special characters, or a combination of upper- and lower-case letters.
Note: NIST 800-63-3 provides guidance which supports this choice. In addition to length, and lack of special characters, password systems need to prevent the use of single dictionary words and words related to the service or person creating the passphrase. Lastly, the ability to manage a banned-words list built from prior incidents and breaches should be considered.
Read more in:
- Oregon FBI Tech Tuesday: Building a Digital Defense with Passwords
- FBI recommends passphrases over password complexity
- FBI Recommends Using Long Passphrases Over Strong Passwords
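The FBI item and the note above describe a policy (length over composition rules, no single dictionary words, no words tied to the service or the person, a banned list built from breaches) without showing what a verifier that enforces it looks like. What follows is an added example written for this page, not code from the FBI, NIST or any product. The breach corpus and dictionary are tiny constructed stand-ins for real lists, and the minimum length of 15 is the FBI's figure; NIST SP 800-63B's own floor for user-chosen secrets is 8.

```python
"""Passphrase acceptance check following the FBI note and NIST SP 800-63B:
length over composition rules, plus screening against breached, dictionary and
context-specific values. Added example; the word lists below are constructed stand-ins."""
import hashlib
import unicodedata

MIN_LENGTH = 15     # the FBI threshold; SP 800-63B's floor is 8 for user-chosen secrets
MAX_LENGTH = 128    # allow long passphrases; the verifier hashes them before storage anyway

# Constructed stand-in for a breach corpus. Kept as SHA-1 digests of the lowercased
# values so the banned list can be distributed to every login service without the plaintexts.
_BREACHED_PLAINTEXT = ["password123", "letmein", "correct horse battery staple"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _BREACHED_PLAINTEXT}

# Constructed stand-in for a full dictionary word list.
DICTIONARY = {"sunflower", "umbrella", "mountain", "electricity", "telephone"}

_TRAILING = "0123456789!@#$%^&*.?"


def normalize(secret):
    """NFKC so visually identical Unicode input compares (and hashes) the same way."""
    return unicodedata.normalize("NFKC", secret)


def evaluate(candidate, context_words=(), breached=BREACHED_SHA1, dictionary=DICTIONARY):
    """Return the list of reasons to reject; an empty list means accept.
    Deliberately no digit/symbol/upper-lower composition rule."""
    secret = normalize(candidate)
    low = secret.lower()
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(low.encode()).hexdigest() in breached:
        reasons.append("appears in breach corpus")
    # A single dictionary word with a trailing year or symbol ("sunflower2020!") is still one word
    if low.rstrip(_TRAILING) in dictionary:
        reasons.append("single dictionary word")
    for word in context_words:   # username, service name, employer, ...
        word = normalize(word).lower()
        if word and word in low:
            reasons.append(f"contains context word {word!r}")
    if len(set(low.replace(" ", ""))) <= 2:
        reasons.append("repetitive characters")
    return reasons


if __name__ == "__main__":
    for sample in ("sunflower2020!", "correct horse battery staple",
                   "the umbrella drips on my electricity bill"):
        print(f"{sample!r}: {evaluate(sample, context_words=('acme', 'jdoe')) or 'accepted'}")
```

In production the breach check would query a corpus of hundreds of millions of entries (or a range-query service) rather than a set in memory, and the rejection reasons would be shown to the user so they can pick something else rather than silently failing.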
Zyxel Provides Fix for Zero-day Vulnerability in NAS Devices. Zyxel, which makes networking devices, has released a fix for a remote code execution vulnerability affecting some of its Network Attached Storage (NAS) products. Zyxel learned of the issue nearly two weeks ago, when KrebsOnSecurity notified the company that directions for exploiting the flaw were being offered for sale online. Some of the products affected by the vulnerability are no longer supported.
Read more in:
- Zyxel security advisory for the remote code execution vulnerability of NAS products
- Zyxel Fixes 0day in Network Storage Devices
The headline on 22 Feb 2020
US Natural Gas Pipeline Operator Hit with Ransomware. According to an advisory from the US Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), networks at a natural gas compression facility were infected with ransomware. The incident is believed to be the same one reported by the US Coast Guard in December 2019. The initial vector of attack was a phishing email; the malware then made its way from an office computer through the IT network to the operational technology (OT) network.
- Network isolation often includes the need to interact with and transfer data to other non-isolated systems. Using a trusted gateway or one-way link reduces the risks, and data transfer processes still need active anti-malware protections.
- One should not pass up an opportunity to remind management that e-mail (and browsing) should be isolated from mission-critical applications. We cannot tolerate a situation where the cost of compromise of the enterprise is equal to that of social engineering any one of many users. Consider a combination of strong authentication, restrictive (as opposed to promiscuous or permissive) access control policy, and end-to-end application-layer encryption.
Read more in:
- Alert (AA20-049A) Ransomware Impacting Pipeline Operations
- A US gas pipeline operator was infected by malware—your questions answered
- When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops
- CISA issues warns critical infrastructure sectors after successful ransomware attack on pipeline operator
- DHS says ransomware hit US gas pipeline operator
- US natural gas operator shuts down for 2 days after being infected by ransomware
- Ransomware-hit US gas pipeline shut for two days
- U.S. Pipeline Disrupted by Ransomware Attack
- Could this attack signal the future of ransomware?
- DHS warns of cyber threats to critical systems after attack on pipeline operator
- CISA Shares Details About Ransomware that Shut Down Pipeline Operator
Citrix Says Hackers Had Access to its Networks for Five Months. Hackers maintained an “intermittent” presence inside Citrix networks for five months, according to a February 10, 2020, letter the company sent to users affected by the breach. Between October 13, 2018 and March 8, 2019, the hackers stole data belonging to employees, contractors, interns, and job candidates. Citrix first learned of the breach in March 2019, when the FBI notified the company that hackers had likely accessed the company’s internal network. The FBI told Citrix that the intruders may have used “password spraying” attacks to gain access.
- As Citrix is often deployed at the perimeter to provide a virtual desktop on the corporate network, like VPN servers, it is a prime target of attack, and warrants similar monitoring and security oversight. Be sure to apply Citrix’s recently released patch for CVE-2019-19781.
- I guess whoever wrote the Citrix letter has never tried to sell a house where the real estate listing said “Termites had intermittent access to the structure…”
Read more in: Hackers Were Inside Citrix for Five Months
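The FBI's suggestion that the Citrix intruders used password spraying is the kind of activity that per-account lockout thresholds are designed not to catch: one source tries one or two common passwords against many accounts. The following is an added example for this page, not code from Citrix or the FBI, showing the detection logic over a constructed authentication log; the log format, account names and RFC 5737 addresses are all invented for the demonstration.

```python
"""Password-spray detection over authentication logs: one source tries a few
guesses against many accounts, staying under per-account lockout thresholds.
Added example; the log format and the lines in SAMPLE_LOG are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO-8601 UTC timestamp, result, account, source address.
LINE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2020-02-10T03:01:12Z auth=fail user=alice src=203.0.113.5
2020-02-10T03:01:15Z auth=fail user=bob src=203.0.113.5
2020-02-10T03:01:19Z auth=fail user=carol src=203.0.113.5
2020-02-10T03:01:22Z auth=fail user=dave src=203.0.113.5
2020-02-10T03:01:26Z auth=fail user=eve src=203.0.113.5
2020-02-10T03:01:30Z auth=fail user=frank src=203.0.113.5
2020-02-10T03:09:44Z auth=fail user=bob src=198.51.100.7
2020-02-10T03:09:51Z auth=fail user=bob src=198.51.100.7
2020-02-10T03:10:03Z auth=ok user=bob src=198.51.100.7
2020-02-10T03:31:02Z auth=ok user=eve src=203.0.113.5
2020-02-10T08:15:40Z auth=ok user=alice src=198.51.100.23
"""


def parse(text):
    """Turn log lines into (time, result, user, src) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than fatal
        events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       m["result"], m["user"], m["src"]))
    events.sort()
    return events


def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Flag a source whose failures inside `window` touch at least `min_accounts`
    distinct accounts with no more than `max_per_account` tries each. The low
    per-account count is what separates spraying from brute force and from a
    user mistyping their own password (bob from 198.51.100.7 below)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "fail"]
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - first[0] <= window]
            per_account = Counter(e[2] for e in in_window)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # A later success from the same source on a sprayed account is the part to act on
                hits = sorted({e[2] for e in evs
                               if e[1] == "ok" and e[0] >= first[0] and e[2] in per_account})
                alerts.append({"src": src, "start": first[0].isoformat(),
                               "accounts": len(per_account), "successes": hits})
                break  # one alert per source is enough
    return alerts


def run_demo():
    return detect_spray(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The thresholds are assumptions to tune per environment; on a large perimeter (a Citrix gateway or VPN concentrator) sprays are often spread across many source addresses, so the same grouping is worth repeating keyed on the password hash attempted or on the user-agent string where the service logs them.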
Ring Now Requires 2FA. Ring now requires all users of its camera doorbell products to use two-factor authentication (2FA) when signing into their accounts. Previously, 2FA was optional. The decision follows reports of serious security issues, including not alerting users of failed login attempts and not limiting the number of login attempts.
- Good move by Ring (and maybe a bit overdue). It looks like the public pressure caused by several news items about compromised accounts got to them. Google recently implemented similar measures for its Nest devices.
- All movement away from reliance on reusable passwords is good movement, though not security nirvana. But, millions of consumers are being nudged towards increased use of multi-factor authentication – a good reason to try to make the same progress on enterprise user logins as a key element in fighting phishing attacks.
- Enable 2FA on all services which offer it. Make it a habit to check periodically on services that didn’t offer it previously to see if offered, and enable it. Also review trusted devices allowed to access the service without 2FA. Set up login alerts, if supported, for visibility into account accesses.
- Consumers are not nearly as resistant to strong authentication as enterprises are, and as enterprise management seems to believe everyone is. The use of reusable passwords must be restricted to trivial applications (or applications where fraudulent use will be immediately obvious.) “Convenience” is no longer sufficient justification. (In many applications and environments, one-time passwords are more convenient than mandated periodic changes.)
Read more in:
- Extra Layers of Security and Control
- Ring mandating 2FA logins, ceases some third-party activity
- Ring to enable 2FA for all user accounts after recent hacks
- Ring makes two-factor sign-in mandatory for its video doorbells, security cameras
- Ring Mandates 2FA After Rash of Hacks
Cisco Security Updates Include Fix for Smart Software Manager Static Password Issue. Cisco has released patches to address 17 security issues in several products, including a critical static password flaw in Cisco Smart Software Manager On-Prem. The release also includes fixes for six high-severity vulnerabilities.
Note: This may not be the result of mere error. History suggests that programmers are reluctant to give total control of their product to users and may use static passwords as long-term back doors.
Read more in:
- Oi, Cisco! Who left the ‘high privilege’ login for Smart Software Manager just sitting out in the open?
- Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco
- Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability
MGM Resorts Acknowledges 2019 Data Breach. MGM Resorts has disclosed that personal information belonging to more than 10.6 million people who stayed at MGM hotels has been posted to an online hacking forum. Attackers gained unauthorized access to a cloud server last summer.
Read more in:
- Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum
- MGM Grand Breach Leaked Details of 10.6 Million Guests Last Summer
- MGM admits to 2019 data breach affecting 10.6 million customers
Swiss Government Says Ransomware Poses Threat to Small and Medium Enterprises. The Swiss Government’s Reporting and Analysis Centre for Information Assurance (MELANI) says that “ransomware continues to pose a significant security risk to small and medium enterprises.” MELANI “has dealt with more than a dozen ransomware cases” in the past few weeks alone. MELANI’s analysis of the incidents concluded that most affected organizations did not have adequate IT security and did not adhere to best practices. The alert lists weaknesses that were used as “gateways” for attack: lack of anti-virus software or ignoring or not taking seriously anti-virus warnings; poorly protected remote access procedures; ignoring or not taking seriously notifications from authorities; not maintaining offline backups; ineffective patch and lifecycle management; lack of network segmentation; and excessive user privileges.
Note: I think this report pretty much sums up the current ransomware issue: Ransomware is an indicator of poor security controls and not implementing “best practices”. Just like with other “commodity” malware like crypto coin miners, you should always be watching out for what else took advantage of these missing controls.
Read more in:
- Beware: Ransomware continues to pose a significant security risk for SMEs
- Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security
- Ransomware Wreaks Havoc Across Europe
US, UK, and Others Blame Russia’s GRU for Republic of Georgia Cyberattacks. The US, the UK, Australia, and a number of EU countries have formally blamed Russia’s military intelligence (GRU) for launching cyberattacks against targets in the Republic of Georgia in October 2019. Thousands of websites were defaced or taken down, and two television stations’ broadcasts were disrupted.
Read more in:
- The US Blames Russia’s GRU for Sweeping Cyberattacks in Georgia
- US, UK formally blame Russia for mass-defacement of Georgian websites
- UK says Russia’s GRU behind massive Georgia cyber-attack
- In rare move, State Department calls out Russia for attacks on Georgia last year
- Pompeo, foreign partners condemn Russian cyberattack on country of Georgia
- U.S. and Allies Blame Russia for Cyberattack on Georgia
Adobe Issues Out-of-Cycle Fixes for Critical Flaws. Adobe has released two out-of-cycle updates for flaws that could be exploited to allow arbitrary code execution. The affected products are Adobe After Effects and Adobe Media Encoder. Both flaws are out-of-bounds write vulnerabilities.
Note: According to Adobe, these flaws are unlikely to be exploited, but they can lead to arbitrary remote code execution. I don’t think these are “emergency” patches, but they were not released on Adobe’s normal patch Tuesday.
Read more in:
- Critical Adobe Flaws Fixed in Out-of-Band Update
- Adobe releases out-of-band patch for critical code execution vulnerabilities
- Security Updates Available for Adobe After Effects | APSB20-09
- Security Updates Available for Adobe Media Encoder | APSB20-10
ISS World Suffers Ransomware Attack. Copenhagen-based ISS World has acknowledged that its internal network was hit with ransomware on Monday, February 17. A company spokesperson said ISS World “immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.” ISS World provides facilities management services, such as cleaning and catering; it has 500,000 employees worldwide.
Read more in:
- ISS World hack leaves thousands of employees offline
- Danish services company ISS hit by malware attack
- Facilities firm ISS World crippled by ransomware attack
2,000 UK Government Mobile Devices Reported Missing in Span of One Year. Over the past year, more than 2,000 UK government mobile devices, including smartphones, laptops, and external storage devices, have been reported missing. More than 1,800 of the devices are believed to be encrypted, but even one unencrypted device in the hands of the wrong individual could expose sensitive data. At least eight UK government departments say they have never been audited by the Information Commissioner’s Office (ICO); others reported that their last audit was several years ago.
- There are about 3M UK central government employees; let’s just assume an average of 1 phone/laptop/storage device per employee, which is probably low. 2,000 lost out of 3M is under .1% – a very low number. I think typical average rates for mobile phone losses per year are in the 4% range. 90% of the lost devices having encryption turned on is strong progress from previous years where this same type of report came out in the UK. Enterprises: how do your loss rates and encrypted device percentages compare to the UK government?
- Current guidance for protecting mobile devices: Both iOS and Android (version 6+) support encryption of the device and can be managed by your MDM (mobile device management software). That will require a passcode to access the device; otherwise it is transparent to the user. Make sure the device passcode strength/option is commensurate with the data protected. Additionally, options exist to sandbox applications with further encryption, but investigate the trade-off between security and usability before rolling them out. Include sending a device wipe in your lost-device reporting processes, along with a good definition of what lost means, including duration.
Read more in: Over 2000 UK Government Devices Go Missing in a Year
Swatting Arrest. A 19-year-old has been arrested in connection with multiple swatting, cyberstalking, and hacking incidents. Tristan Rowe has been charged with cyberstalking and unauthorized access to a computer. Each charge carries a maximum penalty of five years in prison.
Read more in:
- US Teen Arrested Over Alleged Swatting and Cyberstalking
- Tennessee Man Arrested For Engaging In Multi-Year Cyberstalking And Computer Hacking Campaign
Android Linux Kernel Code Changes Introduce New Vulnerabilities. A Google Project Zero researcher says that some smartphone makers are modifying the Android Linux kernel to protect devices from attacks, which can actually introduce new exploitable weaknesses. Jann Horn writes, “I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won’t complicate updates to newer kernel releases.”
Note: While this flaw is specific to the Samsung kernel extensions that support their Galaxy A50 devices, and relies on a race condition to exploit, device manufacturers often need to extend the Android OS to support their specific hardware. As such, when purchasing a non-Google-provided device, make sure the vendor has a proven track record with security. Samsung has a record of providing security features back to the community, such as their FIPS certified encryption library, and will address this flaw rapidly.
Read more in:
- Mitigations are attack surface, too
- Changes in Kernel Code Created New Security Bugs in Android Devices
- Google to Samsung: Stop messing with Linux kernel code. It’s hurting Android security
Apple Will Shorten Duration of Certificate Trust in Safari. After September 1, 2020, Apple’s Safari browser will no longer trust HTTPS certificates that have expiration dates more than 13 months, or 398 days, after they were created. Certificates issued before September 1 will be trusted for 27 months, or 825 days, from their creation dates. Apple announced the change at a Certification Authority Browser Forum meeting earlier this week.
- No issue if you are using automatic certificate renewals via Let’s Encrypt. However, this is going to get messy for people who are using internal certificate authorities and if you have a lot of certificates to renew for devices that cannot use a simple scripted system to renew certificates. Now may be a good time to look into a good certificate management solution if you haven’t done so.
- Apple has not yet updated their guidance on certificate trust requirements (support.apple.com: Requirements for trusted certificates in iOS 13 and macOS 10.15). These changes are intended to raise the bar on trustworthiness of sites claiming to be secure. When issuing shorter-lived certificates, support that with automated processes to alert, if not auto renew, to avoid lapses in coverage.
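The renewal-alerting advice above is easy to turn into a routine check. The following is an added example (not from the article, Apple, or any CA vendor) that applies the rule exactly as the article states it: a certificate whose notBefore date is on or after 1 September 2020 is only trusted if its validity period is at most 398 days, while earlier-issued certificates get 825 days. The certificate inventory, the subject names and the 30-day renewal threshold are constructed for illustration; a real deployment would read notBefore/notAfter from the internal CA's issuance records or from the certificates themselves.

```python
"""Certificate lifetime policy check against the 398-day rule described above.

Added example; not from the article or from Apple. Dates, subject names and
the renewal threshold below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

CUTOVER = date(2020, 9, 1)      # certificates issued on/after this date get the shorter ceiling
NEW_MAX_DAYS = 398              # 13 months, per the announcement
OLD_MAX_DAYS = 825              # 27 months, for certificates issued before the cutover
RENEW_WARNING_DAYS = 30         # assumed alerting threshold, not from the article


@dataclass(frozen=True)
class CertInfo:
    subject: str
    not_before: date
    not_after: date


def max_trusted_days(not_before: date) -> int:
    """Validity ceiling Safari will apply, keyed on the issuance date."""
    return NEW_MAX_DAYS if not_before >= CUTOVER else OLD_MAX_DAYS


def validity_days(cert: CertInfo) -> int:
    """Length of the certificate's validity period in days."""
    return (cert.not_after - cert.not_before).days


def evaluate(cert: CertInfo, today: date) -> dict:
    """Return a finding: is the lifetime within Safari's ceiling, and is renewal due?"""
    limit = max_trusted_days(cert.not_before)
    lifetime = validity_days(cert)
    days_left = (cert.not_after - today).days
    return {
        "subject": cert.subject,
        "lifetime_days": lifetime,
        "limit_days": limit,
        "trusted_lifetime": lifetime <= limit,
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_now": days_left <= RENEW_WARNING_DAYS,
    }


def report(certs, today: date):
    """Findings for every certificate that needs action: over the ceiling, expiring, or expired."""
    return [f for f in (evaluate(c, today) for c in certs)
            if not f["trusted_lifetime"] or f["renew_now"]]


# Constructed inventory, as an internal CA's issuance log might look.
SAMPLE_CERTS = [
    # Two-year certificate issued after the cutover: 730 days, over the 398-day ceiling.
    CertInfo("intranet.example.internal", date(2020, 10, 1), date(2022, 10, 1)),
    # Issued before the cutover, 822 days: still within the 825-day ceiling.
    CertInfo("vpn.example.internal", date(2020, 3, 1), date(2022, 6, 1)),
    # 396 days, within the ceiling, but expiring soon relative to AS_OF.
    CertInfo("mail.example.internal", date(2020, 10, 1), date(2021, 11, 1)),
]
AS_OF = date(2021, 10, 15)      # constructed "today" for the sample run

if __name__ == "__main__":
    for finding in report(SAMPLE_CERTS, AS_OF):
        print(finding)
```

Run on the sample inventory, the report flags the two-year intranet certificate (its lifetime exceeds the ceiling even though it is nowhere near expiry) and the mail certificate (17 days left), and is silent about the VPN certificate. Feeding the same function from a scheduled job is the "alert, if not auto renew" step the note describes.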
The headline on 15 Feb 2020
GAO Report Enumerates Census Bureau Security Concerns. A Government Accountability Office (GAO) report on the Census Bureau’s preparedness found that the bureau is lagging on some of its goals, including IT system implementation and cybersecurity issues. The report says that the bureau has not met its goal of ensuring that its self-response site can support up to 600,000 users at a time. GAO also notes that the bureau needs to fix cybersecurity issues “in a timely manner,” implement DHS recommendations, and ensure that the privacy of those responding is protected.
Read more in:
- House members fear Census IT ‘debacle’ similar to Iowa caucus fiasco
- Lawmakers grill Census Bureau officials after report on cybersecurity issues
- 2020 Census: Initial Enumeration Underway but Readiness for Upcoming Operations Is Mixed
Microsoft’s February Updates Include Fix for Zero-day Flaw in Internet Explorer. Microsoft’s monthly security updates include fixes for 99 vulnerabilities in multiple products. Twelve of the flaws are rated critical; of those, one, a remote code execution vulnerability in Internet Explorer, is being actively exploited. Microsoft disclosed the IE vulnerability in January but a patch had not been available until earlier this week.
Read more in:
- Microsoft Patch Tuesday, February 2020 Edition
- Microsoft’s February 2020 Patch Tuesday fixes 99 security bugs
- Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches
- CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability
- Security Update Summary
Adobe February Updates. Adobe’s security updates for February include fixes for 42 vulnerabilities in multiple products. The updates address 21 critical issues in Framemaker and 12 critical flaws in Reader and Acrobat. The updates also fix critical flaws in Flash Player and Experience Manager.
- Hey, Adobe and McAfee – it has been at least 8 years since Adobe patches started trying to trick users into installing McAfee software. That practice continues to make both companies look cheap and sleazy – imagine if Ford said, “Every time a Ford car has a defect that requires a recall, we will try to trick you into turning on a satellite radio service.” Is whatever revenue flows on this deal really worth it???
- Remember the Flash Player EOL date is 12/31/20, so we’re not yet done patching it. The Adobe Creative Cloud application keeps that suite of applications updated, augmenting the enterprise capabilities. Even so, scanning to make sure they are applied is prudent.
- Tens last month, tens this month, likely tens next month. How deep must the reservoirs be?
Read more in:
- Adobe Patch Tuesday: Critical vulnerabilities in Flash Player, Framemaker patched
- Adobe squashes 35 critical vulnerabilities in security patch update
- Adobe Addresses Critical Flash, Framemaker Flaws
- Adobe Releases the February 2020 Security Updates
- Security Updates Available for Adobe Framemaker | APSB20-04
- Security update available for Adobe Acrobat and Reader | APSB20-05
US and German Intel Agencies Owned Controlling Stake in Swiss Encryption Device Maker. According to reports in the US, German, and Swiss press, between 1970 and 1993, the US and West German intelligence agencies were secret majority owners of Crypto AG, a Swiss company that made encryption devices. The reports say that the agencies were able to control aspects of Crypto AG’s business, including manipulating algorithms used in the company’s devices so that the agencies could easily decrypt foreign adversaries’ communications. Crypto AG customers included more than 130 national governments. Germany withdrew from the arrangement in 1993; US intelligence bought its stake and remained in control until it sold off Crypto AG’s assets in 2018. The controlling partnership was shielded behind a trust company in Liechtenstein. Bruce Schneier points out that while the story itself is not news, “what is new is the formerly classified documents describing the details” of how the agencies were able to exploit their access to supposedly encrypted information.
Note: As the article points out, this was no longer a secret by the early 1990s, but Crypto AG products were still used by many who weren’t paying attention to relatively low visibility reports. Today, every piece of software used by businesses (especially mobile applications) is a potential “Crypto AG” scenario. Supply chain security has to focus on risk assessment and testing of products and services in use, not just country of origin.
Read more in:
- ‘The intelligence coup of the century’
- “Operation ‘Rubicon'” #Cryptoleaks: How BND and CIA Deceived Everyone (in German)
- worldwide espionage operation with Swiss company uncovered (in German)
- Crypto AG Was Owned by the CIA
- Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked
- CIA Secretly Owned Swiss Encryption Firm for Years: Reports
US Justice Department Charges Huawei with Racketeering and Conspiracy. The US Department of Justice (DoJ) has returned a superseding indictment, charging China’s Huawei Technologies with racketeering and conspiracy to steal trade secrets. The defendants named in the indictment include Huawei and four subsidiaries. The indictment includes examples of Huawei’s alleged theft of intellectual property from US companies.
- Like the Crypto AG item, this is also another “old news” item. Back in 2003 Cisco went public with intellectual property theft claims against Huawei and later settled a lawsuit. Trade wars between countries raise the press visibility of these issues, but the supply chain risk doesn’t change – accurate assessments and monitoring are needed.
- In his recent book, Hamilton, the author Ron Chernow noted that the US became an industrial power, in part, by stealing intellectual property and suborning talent from England. While free trade is the preferred way to redress inequities among nations, theft of IP is to be preferred to armed conflict.
Read more in:
- U.S. charges Huawei with conspiracy to steal trade secrets, racketeering
- US charges Huawei with racketeering and conspiracy to steal trade secrets
- U.S. charges China’s Huawei with racketeering and conspiracy to steal U.S. trade secrets in new indictment
- Chinese Telecommunications Conglomerate Huawei and Subsidiaries Charged in Racketeering Conspiracy and Conspiracy to Steal Trade Secrets
Mozilla Updates. Mozilla has released updated versions of Firefox, Firefox ESR, and Thunderbird. Firefox 73 includes fixes for six vulnerabilities; Firefox ESR 68.5 includes fixes for five vulnerabilities; and Thunderbird 68.5 includes fixes for four vulnerabilities.
Note: Your enterprise may already be pushing out these updates. If not, leverage slipstreaming them in with the February Microsoft and Adobe updates you’re already deploying.
Read more in:
- Mozilla Foundation Security Advisory 2020-05: Security Vulnerabilities fixed in Firefox 73
- Mozilla issues patches for Firefox 73, Firefox ESR 68.5 and Thunderbird 68.5
- Mozilla Firefox 73 Browser Update Fixes High-Severity RCE Bugs
Note: While your WordPress site will detect out-of-date plugins, updating them automatically requires additional software or a plugin. If you’re manually checking and updating, put a reminder on your calendar; don’t wait to find out you have a problem the hard way.
Read more in:
- Critical XSS vulnerability patched in WordPress plugin GDPR Cookie Consent
- WordPress Cookie Consent Plugin Fixes Critical Flaw for 700K Users
- Oh crumbs – Security flaw in WordPress GDPR cookie plugin left 700,000 sites open to abuse
- Critical WordPress Plugin Bug Afflicts 700K Sites
Malicious Extensions Pulled from Google Chrome Store. Google has pulled more than 500 malicious extensions from its Web Store. The extensions redirected users to potentially malicious sites and harvested users’ personal information.
Note: If you have one of these extensions installed, it will automatically be disabled and marked as malicious. Extensions so marked should be uninstalled.
Read more in:
- Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users
- Google removes 500+ malicious Chrome extensions from the Web Store
- Extensive Fraud Network Found Using Malicious Chrome Extensions
MIT Researchers Detail Mobile Voting App’s Flaws. In a paper released earlier this week, researchers from the Massachusetts Institute of Technology (MIT) say that the Voatz mobile voting app, which has been used in several US states to allow voters overseas to cast their ballots, contains worrisome security shortcomings. The flaws could be exploited to see data being transmitted from the app, alter users’ votes, and impersonate a user’s mobile phone. In addition, Voatz does not use blockchain to secure votes in the way its makers say it does. Voatz responded to the paper’s findings, noting in a blog post that the researchers based their conclusions on an outdated version of the app and that the researchers did not connect to the Voatz servers.
Read more in:
- The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections (PDF)
- Voatz Response to Researchers’ Flawed Report
- ‘Sloppy’ Mobile Voting App Used in Four States Has ‘Elementary’ Security Flaws
- MIT researchers disclose vulnerabilities in Voatz mobile voting election app
- Blockchain voting app is dangerously vulnerable, researchers say
- MIT researchers find vulnerabilities in Voatz mobile voting app
- Voting App Flaws Could Have Let Hackers Manipulate Results
xHelper Android Malware is Vexingly Persistent. Android malware known as xHelper reinfects devices even after factory resets. The malware dropper Trojan was first noticed last spring. Theories that the reinfections came from pre-installed malware or from the Google Play store were disproven. Researchers at Malwarebytes, along with a savvy Android user, discovered that the reinfection came from folders that were not removed even after a factory reset. Malwarebytes has instructions for removing the folders.
- In short, the malware dropper hangs out in hidden directories that are not removed during a factory wipe and leverages Google Play to reinstall itself. The Malwarebytes article has steps for finding and removing the files. As the dropper uninstalls itself after setting up the processes for installing the malware, your MDM is unlikely to detect it.
- It seems unlikely that most, or even many, Android users will even know about xHelper, much less do anything about it. One accepts that geeks can manage the security of Android devices. One should not give them to children, the elderly, or the otherwise naive.
Read more in:
- Nasty Android malware reinfects its targets, and no one knows how
- Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove
Car Mobile Apps Not Always Reset After Vehicles Are Rented or Resold. A man who leased a car from Ford between 2013 and 2016 discovered that he still had access to the vehicle’s controls through the mobile app more than three years later. Another man has twice rented cars and found that he could still access the controls for the vehicles months after he had returned them.
- The same is true for many of those smart TVs in hotels, but especially in Airbnbs and other consumer grade lodging that employees and executives might be using on travel. Good to use this item as an updated warning in awareness campaigns.
- When selling or turning in your personal vehicle, it is prudent to factory reset the mobile apps, including any phonebook information which has been downloaded. When purchasing a vehicle, make sure you are the only one with access to the online management features, which may require dealer support to verify. Current rental car agreements also advise consumers to reset the information prior to turning in the vehicle. In any case, it’s prudent to make sure the vehicle doesn’t contain prior data before connecting your devices.
Read more in:
- When Your Used Car is a Little Too ‘Mobile’
- Rental cars can be remotely started, tracked, and more after customers return them
Mobile World Congress Tech Show Cancelled Over Coronavirus Worries. The Mobile World Congress tech show, which was scheduled to be held February 24-27 in Barcelona, Spain, has been cancelled due to concerns about the coronavirus. The decision to cancel the conference was made after a number of high-profile vendors announced they would not attend.
Read more in:
- Mobile World Congress canceled due to coronavirus [Updated]
- MWC 2020: Smartphone showcase cancelled over coronavirus fears
- MWC phone show cancellation a ‘nightmare’ for firms
Ransomware Targets Texas City and School District. A city and school district in Texas have been hit with ransomware. Computers belonging to the city of Garrison became infected on February 10; Garrison’s mayor says the city has recovered from the attack and is operating as usual as of February 13. Computers at the Nacogdoches Independent School District became infected on February 11; the district is still working to recover access to its data. The city and the school district are about 20 miles apart and do not share a computer system. Officials are investigating whether the two attacks are related.
Florida County Election System Infected with Ransomware in 2016. Palm Beach County (Florida) election supervisor Wendy Sartory Link said that computers at the county’s election office became infected with ransomware shortly before the 2016 US general election. Link, who became election supervisor in January 2019, learned of the incident during a conversation with the office’s acting IT director.
Read more in:
- EXCLUSIVE: PBC elections office hit by ransomware before 2016 election
- Key Florida Elections Office Endured Cyberattack Ahead of 2016 Election
- Florida county election office hit by ransomware before 2016 presidential election
North Miami Beach Police Systems Hit with Ransomware. Hackers have targeted computers belonging to the North Miami Beach (Florida) Police Department with ransomware. The police department’s IT staff shut down affected machines to curtail the malware’s spread and have alerted the FBI and the Secret Service.
Note: Remember that, while the decision as to how to deal with a “ransomware” attack is a business decision, ensuring that the decision is made prior to the attack is a responsibility of security staff.
Read more in:
- Another city hit by ransomware attack. This time the police department is the target.
- Ransomware Actors Targets Police Department in Miami, Demand Millions in Ransom
The headline on 11 Feb 2020
GAO Report Finds CISA’s Election Security Strategy Has Not Been Finalized. In January 2017, the US Department of Homeland Security (DHS) designated state and local election infrastructure used in federal elections as a component of the country’s overall critical infrastructure. The designation allows DHS to provide state and local election officials with help to protect assets, which include voter registration databases and voting equipment. A report from the Government Accountability Office (GAO) found that DHS’s Cybersecurity and Infrastructure Security Agency (CISA) “has not yet completed its strategic and operations plans to help state and local officials safeguard the 2020 elections or documented how it will address prior challenges.” The report urges CISA to finalize its strategic plan.
- While not the end of the world, there is no time for local agencies to implement strategic measures prior to the election. CISA needs to quickly publish prioritized tactical guidance that can be implemented through the rest of this election year.
- This is not that damning a report, but with the primaries underway and the Presidential election less than 9 months away, I’d say no more time for strategic plans: the focus should be on prioritizing which fires to put out first.
Read more in:
- ELECTION SECURITY: DHS Plans Are Urgently Needed to Address Identified Challenges Before the 2020 Elections
- GAO: CISA’s ‘nationwide strategy’ on election security should be enacted as soon as possible
State Election Officials More Accepting of Federal Help. US State election officials are more willing to accept help from the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) than they were in the past. Officials were initially resistant to having their election systems designated as critical infrastructure, but have come to see that information and support provided by CISA can help them proactively secure their election infrastructure. CISA director Christopher Krebs said that two conference calls in January regarding potential cyberthreats from Iranian hackers had 1,700 and 5,900 dial-ins, respectively.
Maryland Jurisdictions Will Not Use Problematic Reporting Network in Upcoming Elections. During a special district primary in Maryland last week, a network designed to send voter information to state officials was shut down because it was causing delays at polling places. Elections officials say they will not require jurisdictions to use the network in the upcoming primary election in April or in the November general election.
Read more in:
- Maryland drops plan to make largest counties share data with state over wireless network on Election Day
- Maryland elections officials shut down network to transmit voter data during special primary because of delays
Iowa Caucus Reporting App Security Examined. Pro Publica asked security firm Veracode to review code in the caucus tally reporting app used in Iowa last week. The company found security issues it deemed “elementary.” The flaws could be exploited to intercept and alter data, including passwords and vote tallies.
Note: The app vendor’s CEO says the reporting app “…underwent multiple, rigorous tests by a third party” but Veracode says the flaws they found were “elementary.” The standard advice for mission-sensitive software requires the vendor to show evidence of third-party testing of the software – important to have full transparency about the qualifications of who did the testing.
Chrome Will Block Unsecure Downloads. Over the course of 2020, Google’s Chrome browser will block all HTTP downloads started on HTTPS pages, also known as mixed content. Chrome 81, scheduled for release in March 2020, will print console warnings about mixed content. Over the following months, in Chrome 82 through Chrome 85, the browser will warn about and then block mixed content downloads of executables, archives, disk images, images, audio, video, and text. Chrome 86, scheduled for release in October 2020, will block all mixed content downloads.
- When we first started using HTTPS, the overhead was such that we limited it to secure operations only. Now current software and hardware make the overhead negligible and all content should be delivered over secure connections.
- Google has a lot of resources, and applying them to make the Chrome browser more restrictive on unsecure downloads is a good thing. However, I’d really like to see more Google posts about improvements in pre-release security and privacy testing of apps in Google Play. Google’s Vulnerability Reward Program bug bounty payouts almost doubled from 2018 to 2019, which is kind of like a restaurant saying, “Our volunteer food testers removed twice as many glass shards from our food!” Google’s Play Protect was ranked at or near the bottom of malware detection by AV-TEST in 2019 – it would be good to see many fewer glass shards in published apps.
Read more in:
- Protecting users from insecure downloads in Google Chrome
- Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we’re OK with this
- Chrome to start blocking insecure HTTP file downloads on HTTPS sites
Firefox Will Take Step Toward Blocking TLS 1.0 and 1.1. Starting in March 2020, Firefox users will need to intentionally allow connections to websites using TLS 1.0 or 1.1. When users attempt to connect to websites that support only lower versions of TLS, they will see a “Secure Connection Failed” message that offers an option to override and continue to the site.
Note: Browsers negotiate to the highest common denominator, which can mask the presence of less secure connection options. Make sure you’re regularly scanning the encryption settings on your web servers to ensure older, less secure connections are disabled, or monitored and documented where enabled. Monitoring may show that the need to support older, less secure operating systems and browsers is not as significant as thought, or not worth the risk.
Read more in:
- It’s the Boot for TLS 1.0 and TLS 1.1
- These truly are the end times for TLS 1.0, 1.1: Firefox hopes to ‘eradicate’ weak HTTPS standard by blocking it
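The scanning the note recommends can be done with nothing more than Python’s standard `ssl` and `socket` modules. The following is an added example, not from the article or from Mozilla: it pins a client context to one protocol version at a time, so a completed handshake proves the server still offers that version regardless of what a normal browser would negotiate. The hostname in the `__main__` block is a placeholder for your own inventory, and `classify()` turns the per-version results into a finding so the logic can be exercised without a network. Note that on some systems the local OpenSSL build refuses to speak TLS 1.0/1.1 at all; the probe reports those versions as untestable rather than silently calling them disabled.

```python
"""Probe which TLS protocol versions a web server still accepts.

Added example, not part of the article. Uses only the standard library.
The host in __main__ is a placeholder; run this against servers you own.
"""
import socket
import ssl

# Oldest first, so findings read in the order an auditor expects.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = {"TLSv1.0", "TLSv1.1"}     # the versions Firefox will gate behind an override
MODERN = ("TLSv1.2", "TLSv1.3")


def _context_for(version):
    """Client context pinned to exactly one protocol version.

    Certificate verification is off because the goal is to learn what the
    server offers, not to trust it; never reuse this context for real
    traffic. Returns None when the local OpenSSL build refuses the version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    # Lower OpenSSL's security level so the answer comes from the server, not local policy.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version_name: True | False | None}; None means 'could not test from here'."""
    results = {}
    for name, version in VERSIONS:
        ctx = _context_for(version)
        if ctx is None:
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                # The context allows only this one version, so a completed
                # handshake means the server accepted it.
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def classify(results):
    """Summarise probe results: which legacy versions are on, and how bad that is."""
    legacy_on = sorted(v for v in LEGACY if results.get(v))
    modern_on = any(results.get(v) for v in MODERN)
    untestable = sorted(v for v, r in results.items() if r is None)
    if not legacy_on:
        severity = "none"
    elif modern_on:
        severity = "medium"     # legacy still enabled, but clients can negotiate 1.2/1.3
    else:
        severity = "high"       # legacy only: this server breaks once browsers block 1.0/1.1
    return {"legacy_enabled": legacy_on, "modern_available": modern_on,
            "untestable": untestable, "severity": severity}


if __name__ == "__main__":
    target = "tls-check.example.internal"   # placeholder, replace with a host you own
    found = probe(target)
    print(target, found, classify(found))
```

A "high" finding is the case the note warns about: a server whose only working protocols are the ones being switched off, which no browser negotiation will paper over after March. A "medium" finding is the more common one, a server that will keep working but is still documented as allowing the weaker versions, which is the data the note suggests collecting before deciding whether that support is worth keeping.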
Google’s February Android Updates Include Fix for Critical Bluetooth Vulnerability. Google has published its February security updates for Android. In all, the updates address 25 security issues. One of the flaws addressed in the updates is a critical vulnerability affecting Bluetooth in Android Oreo (8.0 and 8.1) and Pie (9.0) that could be exploited to allow remote code execution with no user interaction. The issue is also present in Android 10, but the effects are somewhat less severe: exploitation could crash vulnerable devices, but would not allow code execution.
Note: One trusts geeks to be able to operate Android safely, even with late availability of patches. It is important to keep Android out of the hands of children, the elderly, and the otherwise naive.
Read more in:
- Android Security Bulletin—February 2020
- Serious Bluetooth Flaw Fixed in Android Update
- Android owners – you’ll want to get these latest security patches, especially for this nasty Bluetooth hijack flaw
- Google patches Bluetooth vulnerability impacting most Android devices
New Emotet Variant Can Spread Through Wi-Fi Networks. A recently-detected variant of Emotet malware has the ability to spread from infected devices to nearby unsecured Wi-Fi networks. From there, it can attempt to infect connected devices. When Emotet first appeared more than five years ago, it was a banking Trojan. Over the years, it has gained the ability to install a variety of malware on infected devices.
Note: The Japanese CERT, JP-CERT, has a great write-up on this malware at www.jpcert.or.jp: [Updated] Alert Regarding Emotet Malware Infection, and they have also released a tool to check for Emotet called EmoCheck; it can be downloaded from the JP-CERT Git repository: github.com: JPCERTCC / EmoCheck
Read more in:
- Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm
- Emotet Hacks Nearby Wi-Fi Networks to Spread to New Victims
- Game over, LAN, game over! Windows software nasty Emotet spotted spreading via brute-forced Wi-Fi networks
US DOJ Announces Charges Against Alleged Chinese Hackers in Equifax Case. A US federal grand jury has returned an indictment charging four members of China’s People’s Liberation Army (PLA) with breaking into Equifax computer systems and stealing data. The breach occurred in 2017 and compromised personal data belonging to nearly 150 million US citizens.
Read more in:
- Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax
- U.S. charges four members of Chinese military in connection with 2017 Equifax hack
- How 4 Chinese Hackers Allegedly Took Down Equifax
- Equifax was hacked by Chinese military officers, federal prosecutors say
- Justice Department indicts 4 Chinese military members for Equifax breach
Minebridge Backdoor Used in Attacks Against Financial Sector Firms. A report from FireEye says that since the beginning of 2020, phishing campaigns attempting to spread the Minebridge backdoor have been targeting organizations in the financial sector. The messages contain malicious attachments; if they are opened, macros attempt to install Minebridge. If it is successfully installed on a system, Minebridge can be used to deliver additional malware.
Read more in:
- STOMP 2 DIS: Brilliance in the (Visual) Basics
- Financial Firms Targeted With New Type of Backdoor: Report
- U.S. Finance Sector Hit with Targeted Backdoor Campaign
Abandoned Driver Code Lets Hackers Disarm Security Software. Ransomware actors are exploiting a known but unpatched vulnerability in an old and no longer supported Gigabyte motherboard driver to take control of Windows computers and disable security software. The attackers load a driver of their own that kills processes and files related to security products and allows the ransomware to encrypt data without being detected or thwarted.
Read more in:
- Living off another land: Ransomware borrows vulnerable driver to remove security software
- Hackers Use Vulnerable Windows Driver to Turn Off the Antivirus
- Windows trust in abandoned code lets ransomware burrow deep into targeted machines
- Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks
- RobbinHood Kills Security Processes Before Dropping Ransomware
Rockdale County, GA Ransomware Attack Affects Water Department. Rockdale County, Georgia, is recovering from a ransomware attack that hit its municipal computer systems. County officials have shut down nine servers to contain the infection. The attack has affected the county’s water department and water billing services. Rockdale County was also the target of a ransomware attack in 2017; the county was able to decrypt infected servers at that time.
Having Backups May Not Be Sufficient for Ransomware Recovery. While victims of ransomware attacks have successfully restored systems from backups, the ransomware threat landscape is changing. Some attackers now steal data before files are encrypted and upload them if the victims refuse to pay the ransom.
- Good isolated differential backups remain necessary for recovery. The tactics have changed to add exfiltration to the attack, and this has been seen with Maze, Sodinokibi and Chimera. Some mitigation can come through the use of DLP solutions. The consequences of publishing need to be added to the ransom payment decision process, along with an assessment of the likelihood of future payment demands.
- If your system is compromised, it is compromised. “Ransomware” is only a way to exploit that. These attacks will continue until the cost of attack exceeds the value of success and the risk of punishment goes up. Only the cost of attack and value of success are in our hands. We must increase the cost of attack roughly ten fold in 2020. Strong authentication, least privilege access control, restrictive policy, end-to-end application layer encryption, and mean time to detection of breaches in hours to days. We must ensure the survivability of our data and its timely recovery. Get on with what we can do.
The headline on 07 Feb 2020
Coronavirus Cybersecurity Preparedness. The recent Coronavirus (2019-nCoV) outbreak has brought the topic of an epidemic or pandemic impacting businesses from the hypothetical to the possible. With 25,000 infections and counting, it would be a good time to consider the business and cyber impacts of an illness such as this. The primary risks fall into two categories: (1) fraud and other ways criminals take advantage of situations like this, such as fake donation sites, malware and fake news, and (2) business continuity preparedness measures such as remote access capacity review, understanding limitations of biometric authentication, supply chain considerations, emergency communication plan, and plans for business shutdown if appropriate.
Read more in the SANS ISC diary: isc.sans.edu: Network Security Perspective on Coronavirus Preparedness
- Fraud and malware related to the Coronavirus is currently seen in Asia. Catastrophic events tend to be used for fraud as news focuses on them and in the US, impeachment and primaries have dominated the news. Expect more virus-related fraud as news media pay more attention to it. And please let us know if you see anything via our contact form: isc.sans.edu/contact.html
- The Coronavirus introduces an illness which does not yet have a cure, and is resulting in, sometimes unexpected, quarantine and other restrictions which can have a direct business impact. Johannes Ullrich does an excellent job of summarizing things to consider and revisit in your DR plans in the ISC diary entry.
Iowa Caucus Reporting App Problems. A buggy mobile app that was created for Iowa’s Democratic presidential caucuses did not work as hoped. Some precinct leaders had trouble downloading and installing the app, which was designed to let Iowa’s precincts report caucus tallies. The app appears to have recorded the data correctly, but reported only partial counts due to a coding problem in the reporting function. The Nevada State Democratic Party says it will not use the app in its upcoming caucuses. (Please note that the WSJ story is behind a paywall.)
- Think of the Iowa caucus primary as that troublesome business unit in your company that is considered a key performer by management and is allowed to do everything just a little bit differently than all the other business units. The security approach here was “rather than make sure this new app is thoroughly tested, we will only release it to the users at the last minute – that way hackers won’t have time to hack it if there are vulnerabilities.” Not only is that always a bad approach to security, it is absolutely the worst approach to take with that business unit that never follows all the policies and procedures everyone else does. This one will make a very good Harvard Business Review case study – next time a business unit is pressuring to subvert the time required to thoroughly test new stuff, just tell management “We will be at risk of an Iowa caucus implosion….”
- The issues underscore the need for usability and load testing before a wide scale deployment. The plan for the caucus included backup measures, including a number to call as a backup; unfortunately, the number was released widely and was overwhelmed, creating an intentional denial of service.
- Testing the app was necessary but not sufficient. The deployment of applications must be end-to-end and must include the training and participation of the end users.
- Another connection between cybersecurity and the Iowa Caucus App is that many Americans, including very senior government policy makers and politicians, perceive the Iowa App debacle as a cybersecurity-related problem or at least something that cybersecurity people should have anticipated and solved. At the same time many software development organizations consider 5 to 15 minute cybersecurity awareness training as sufficient for their software development people.
Fixes Available for Five Flaws in Cisco Discovery Protocol. Cisco has released fixes for five flaws in the Cisco Discovery Protocol (CDP) that could be exploited to execute code remotely or cause denial-of-service conditions. CDP is enabled by default in most Cisco products, which means there are millions of vulnerable devices that need patching.
- This is not the first CDP vulnerability; as such, the best mitigation is to disable it explicitly. A notable concern is that the flaws can be used to access other VLANs, possibly allowing access to sensitive traffic such as VoIP or ICS.
- Cisco has joined Adobe and Microsoft among the infrastructure software providers with routine patches.
Read more in:
- Cisco Flaws Put Millions of Workplace Devices at Risk
- Critical Cisco ‘CDPwn’ Protocol Flaws Explained: Podcast
- Cisco Patches Critical CDP Flaws Affecting Millions of Devices
- Cisco Fixes CDP Flaws in Routers, Switches
- Five high-level flaws patched in Cisco Discovery Protocol
FBI: DDoS Attack Targeted Voter Registration Website. The FBI issued a Private Industry Notification warning that “a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack.” The website was not adversely affected by the attack because it had established rate-limiting on its DNS servers.
Note: Some attention has been paid to the security of voting equipment, but very little paid to the complex “supply chain,” from registration to voting to tallying to announcing results, etc. The business equivalent is the ordering app being very secure and having DDoS protection but the user sign-up app being vulnerable.
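A PRSD flood sends a stream of queries for random, never-repeated labels under the victim zone so the authoritative server has to answer NXDOMAIN for each one. The following is an added example, not code from the FBI notification or from this page: a detector that flags sources whose queries to a zone are almost all unique and almost all NXDOMAIN, plus the kind of per-source token-bucket rate limiter the item credits with keeping the site up. The log format, zone name, addresses and all log lines are constructed sample data.

```python
"""PRSD detection over DNS query logs, with a per-source rate limiter."""
from collections import defaultdict
import random
import string

ZONE = "voter-registration.example"  # placeholder zone, not a real site

def parse_line(line):
    """Parse 'ts src qname rcode' (constructed log format) into a tuple."""
    ts, src, qname, rcode = line.split()
    return ts, src, qname.rstrip(".").lower(), rcode

def detect_prsd(lines, zone=ZONE, min_queries=20, unique_ratio=0.9, nx_ratio=0.8):
    """Return {src: stats} for sources whose traffic looks like a PRSD flood.
    A source is flagged when it sent at least min_queries for the zone,
    nearly every label was unique, and nearly every answer was NXDOMAIN."""
    per_src = defaultdict(lambda: {"total": 0, "labels": set(), "nx": 0})
    for line in lines:
        _, src, qname, rcode = parse_line(line)
        if not qname.endswith("." + zone):
            continue
        st = per_src[src]
        st["total"] += 1
        st["labels"].add(qname[: -len(zone) - 1])  # strip the zone suffix
        if rcode == "NXDOMAIN":
            st["nx"] += 1
    flagged = {}
    for src, st in per_src.items():
        if st["total"] < min_queries:
            continue
        if (len(st["labels"]) / st["total"] >= unique_ratio
                and st["nx"] / st["total"] >= nx_ratio):
            flagged[src] = {"total": st["total"], "unique": len(st["labels"]),
                            "nxdomain": st["nx"]}
    return flagged

class RateLimiter:
    """Token bucket per source: each answered query spends one token,
    tokens refill at `rate` per second up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src -> (tokens, last_seen)

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)  # over budget: drop or truncate
        return False

def sample_log(seed=1):
    """Constructed log: one legitimate resolver repeating real names and one
    attacker sending random labels that all come back NXDOMAIN."""
    rnd = random.Random(seed)
    lines = []
    for i in range(30):
        name = rnd.choice(["www", "lookup", "mail"])
        lines.append(f"{1000 + i} 192.0.2.10 {name}.{ZONE}. NOERROR")
    for i in range(40):
        label = "".join(rnd.choices(string.ascii_lowercase + string.digits, k=10))
        lines.append(f"{1000 + i} 203.0.113.7 {label}.{ZONE}. NXDOMAIN")
    return lines

if __name__ == "__main__":
    print(detect_prsd(sample_log()))
```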
Critical RCE Flaw in OpenSMTPD Patched. A critical flaw in OpenSMTPD version 6.6 could be exploited to allow remote code execution. The vulnerability is due to improperly sanitized user input that could allow local attackers to gain elevated privileges. Users are being urged to upgrade to OpenSMTPD version 6.6.2p1.
- This is a “must patch now” vulnerability (emergency priority) for anybody using OpenBSD with OpenSMTPD. OpenSMTPD is not very popular, and as far as I can tell used only on OpenBSD systems. But OpenBSD, due to its reputation as a secure operating system, is often used for critical systems like security devices and firewalls. The vulnerability is trivial to exploit, and likely already exploited.
- Exploitation of this flaw harkens back to the Morris Worm. A properly crafted message can be sent which causes the message body to be executed with the privileges of the SMTP daemon. Vulnerable daemons can be detected by vulnerability scanners; the best mitigation is to apply the update.
- The modern “stack” makes it difficult to fully vet input at the application layer. It is essential that every layer also parse its input.
Health Share of Oregon Medicaid Data Compromised. A laptop stolen from a third-party vendor has exposed data belonging to patients of Health Share of Oregon, a Medicaid coordinated care organization. The compromised information includes names, dates of birth, Social Security numbers (SSNs) and Medicaid ID numbers.
Note: It has always been dangerous to store sensitive data on portable devices. The speed and ubiquity of the modern “cloud” (storage, connectivity, and software) makes it not only unnecessary but reckless to do so.
Cryptomining Malware Found on DOD Network. A researcher participating in a US Department of Defense (DOD) bug bounty program found that a DOD-related server was being used as part of a cryptocurrency mining botnet. The initial bug report was made regarding a misconfigured Jenkins automation server that could be accessed without credentials. DOD fixed that problem, but when the researcher who made the report looked at his findings more closely, he determined that the server had been compromised before he detected the misconfiguration issue.
Note: It is easy to focus on a single issue and miss other indications of compromise, particularly with pressure to return services to operational status rapidly. Regular scanning and monitoring for indicators can provide a backup for when this happens.
NHS Missed Windows 10 Migration Target. The UK’s National Health Service (NHS) has about half a million computers that are still running Windows 7, despite the organization’s plan to migrate all computers to Windows 10 by January 14, 2020. Microsoft ended support for Windows 7 last month.
Coronavirus Concerns Prompt Companies to Pull Out of Tech Shows, Revise Sales Forecasts. LG has decided not to attend the Mobile World Congress (MWC) technology show in Barcelona due to concerns about coronavirus. ZTE has cancelled a planned press conference at the show, which opens on February 24, but still plans to host a booth. A Chinese company that manufactures iPhones has cut its sales forecast due to the coronavirus outbreak.
Read more in: Coronavirus: LG pulls out of Mobile World Congress
Fondren Orthopedic Patient Data Compromised. A Texas orthopedic practice has started notifying its patients that a malware infection compromised their healthcare information. Fondren Orthopedic Group experienced a cybersecurity incident in November 2019. In a letter to its patients, Fondren said that the incident damaged medical records belonging to more than 34,000 patients; some of the records are beyond recovery.
University of Maastricht Paid Ransom. The University of Maastricht in the Netherlands says that it paid a 30-bitcoin (US $292,000) ransom to regain access to its computer systems following a December 24, 2019 ransomware attack.
Baton Rouge Vocational School Ransomware Attack. The computer system at ITI Technical College in Baton Rouge, Louisiana was hit with a ransomware attack in late January. The college’s vice president said that the school did not plan to pay the ransom. IT staff have isolated affected systems and are bringing cleared elements back online gradually.
NIST Draft Ransomware Guidelines. The US National Institute of Standards and Technology (NIST) has published two draft practice guidelines regarding ransomware. NIST is accepting public comments on Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events through February 26, 2020.
Note: The time allowed for public comment on NIST publications seems to be disproportionate to their size and importance. Few of us are sitting around with time on our hands just waiting to work full time for a month on their latest effort. We should admit that we are only giving lip-service to the idea of “public comment.”
Read more in:
- NIST Drafts Guidelines for Coping With Ransomware
- Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
- Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
The headline on 04 Feb 2020
Hackers are Hijacking Vulnerable Smart Building Access Systems to Launch DDoS Attacks. Attackers are hijacking vulnerable smart building access systems and using them to launch distributed denial-of-service (DDoS) attacks. There has been increased scanning for Nortek Security & Control (NSC) Linear eMerge E3 systems that are vulnerable to a known critical command injection flaw.
Note: Back in late 2013, SANS held an Internet of Things Security Summit where we pointed out smart building systems as the most likely future attack path for real business damage, vs. other attacks. The growth of commercial real estate being developed with wired and wireless networks built in, and with elevator and HVAC systems on the network with remote access to all those systems, means many companies are putting their internal systems onto building networks that are quite often run at very low levels of security hygiene.
Read more in:
- Linear eMerge E3 Access Controller Actively Being Exploited
- Attackers Actively Targeting Flaw in Door-Access Controllers
- Attackers Exploit Security Flaws in Smart Building Systems
- Hackers are hijacking smart building access systems to launch DDoS attacks
Pentagon Releases Cybersecurity Maturity Model Certification Standard. The US Defense Department (DoD) has released the Cybersecurity Maturity Model Certification version 1.0. The framework describes the cybersecurity standards that DoD contractors must meet if they want to win contracts. CMMC will be applied to some contracts starting later this year; by 2026, all DoD contracts are expected to include CMMC.
Read more in:
- Pentagon finalizes CMMC standard for contractors
- DoD to Require Cybersecurity Certification From Defense Contractors
- Pentagon issues long-awaited cyber framework for the Defense industry
- Pentagon finalizes first set of cyber standards for contractors
- Cybersecurity Maturity Model Certification (CMMC) (PDF)
EKANS Ransomware Also Kills ICS Processes. The ransomware known as EKANS not only encrypts data on infected systems, it also interrupts Industrial Control Systems (ICS) applications. Before encrypting data, EKANS kills 64 different ICS processes named in a static list. Some versions of MegaCortex ransomware target the same list of ICS processes.
Note: Given the frequency and success of “Ransomware” attacks, we must increase the cost of attack and improve our resilience in the face of such attacks. It is a myth that the advantage is always to the attacker. We can get a ten-fold increase in the cost of attack for a relatively small increase in one’s cost of security. Keep in mind that most of these victims are targets of opportunity. One does not have to “outrun the bear.”
Read more in:
- EKANS Ransomware and ICS Operations
- Mysterious New Ransomware Targets Industrial Control Systems
- New ransomware doesn’t just encrypt data. It also meddles with critical infrastructure
- EKANS Ransomware Raises Industrial-Control Worries
Maze Ransomware Hits French Construction Company. A French construction company was hit with Maze ransomware on January 30. Bouygues Construction has shut down its network to prevent the ransomware from encrypting additional data. The operators of Maze ransomware have gained a reputation for stealing data from targeted organizations and uploading it if the victims do not pay the ransom.
Tillamook County Will Negotiate with Hackers for Decryption Key. Tillamook (Oregon) County Commissioners have voted unanimously to negotiate with hackers for the decryption key to regain access to the county’s computer systems. Tillamook County systems were infected with ransomware on January 22, 2020.
- This case illustrates the factors that have to be balanced: (1) the need for both public and private meetings to keep the public informed, including the appointment of communication officers and selection of communication means; (2) the complexity of a transition from old to new update information systems; (3) getting professional help where needed; and (4) keeping as much business as usual operating smoothly while (5) informing the public of alternate mechanisms for offline components. The complexity shows why a verified, thorough disaster recovery plan is so important.
- It appears to be the consensus among the NewsBites editors that the decision to pay the ransom is a business, not security, decision. However, the failure to make this decision in advance of an attack is a security decision. There should be accountability.
City of Racine, Wisconsin Hit with Ransomware. Computer systems belonging to the city of Racine, Wisconsin were infected with ransomware on January 31. As of February 3, the city’s website, email, and online payment systems were still down. The attack did not affect 911 and public safety systems. Tax collection systems are also operating as usual.
Read more in: Ransomware knocks city of Racine offline
TVEyes Target of Ransomware Attack. Broadcast media monitoring company TVEyes was hit with ransomware early on Thursday, January 30. The company’s CEO said on Friday, January 31 that they had restored servers from backups.
- At last, a good news story relating to ransomware and evidence that reliable backups are an effective measure against ransomware.
- Note that this may only be successful to the extent that one has addressed the vulnerabilities that led to the breach in the first place. We have seen reinfections.
Prosecutors Drop Burglary Charges Against Coalfire Pentesters. Prosecutors in Iowa have dropped burglary charges against two people who broke into a county courthouse after hours as part of a penetration test. The two are employees of Coalfire Labs, which had been hired by Iowa’s State Court Administration to test the security of its IT systems and its buildings. Gary DeMercurio and Justin Wynn were arrested in September 2019 and held for hours before being released on bail. The case illustrates the need for establishing pen-testing best practices.
- This is awesome news. An important lesson from this case is that security contractors, and especially penetration testers, have the responsibility to educate their customers on all aspects of authorized permission including specific actions and timing and to ensure a common understanding so that they have the pen tester’s back when something goes awry.
- The case illustrates the need for well documented and agreed terms of service.
Read more in:
- KrebsOnSecurity: Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security
- Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped
- Charges dropped against Coalfire security team who broke into the courthouse during the pen test
- Exonerated: Charges dropped against pen-testers paid to break into Iowa courthouse
Australian Freight Company Suffers Cyberattack. Australian freight and logistics company Toll Group has shut down several of its IT systems to contain the damage from a cybersecurity incident. Toll customers have experienced problems tracking shipments. The company has not released details about the nature of the cyberattack.
Read more in:
- Toll stops services after the security breach
- ‘Cybersecurity incident’ takes its Toll on the Aussie delivery giant as box-tracking boxen yanked offline
- Cybersecurity Incident Mars Australian Freight Giant’s Operations
Six Arrested in Connection with Maltese Bank Cyberattack. The UK’s National Crime Agency (NCA) has arrested six people in connection with a cyberattack against Malta’s Bank of Valletta. The suspects allegedly gained access to the bank’s IT systems in February 2019 and made several large transfers totaling €13 million (US $14.4 million). The Bank of Valletta said in May 2019 that it had recovered €10 million (US $11.1 million) of the stolen funds.
Note: Prevention is easier than recovery. That said, early (within hours) reporting of fraudulent transfers to the FBI will greatly improve the chances of recovery. Do you know who to call?
Read more in:
- UK Arrests Cyber-Thieves Who Stole Millions from Maltese Bank
- A year after Bank of Valletta ‘cyber heist’, cuffs applied as the cash-cleansing case continues
- Three suspects arrested in Maltese bank cyber-heist
Raytheon Engineer Arrested for Taking Laptop with Missile Data to China. US federal law enforcement agents have arrested a Raytheon engineer after he took a work laptop containing missile defense systems information to China. Wei Sun has worked at Raytheon since December 2008. In December 2018, Sun traveled abroad with his work laptop in defiance of Raytheon’s exhortations not to bring it on his travels. In January 2019, Sun emailed Raytheon and informed them he was resigning from his position so he could study and work abroad. Sun returned to the US later that month. He initially told Raytheon security officials that he had traveled to Singapore and the Philippines, but eventually admitted that he had traveled to China, Cambodia, and Hong Kong.
Note: Mechanisms to limit sensitive data exposure include specific laptops configured for foreign travel, DLP solutions that limit data storage and access, and location-aware device management which could be used to remotely wipe a device. Even so, the employee is the most critical and challenging link in the security chain. In support of the human factor, appropriate consequences with visible actions may act as a deterrent.
Hackers Insert Themselves in eMail Conversation, Steal Payment in Fine Art Sale. The ownership of a 200-year-old painting by British artist John Constable is in question after hackers infiltrated email conversations regarding payment for the artwork. A museum in the Netherlands had agreed to purchase the painting from a British art dealer for £2.4 million ($3.1 million). Hackers sent a spoofed message directing the museum to transfer the payment into a bank account they controlled. Each party blames the other: the museum maintains that the dealer should have known that spoofed messages were sent, while the dealer maintains that the museum should have verified the details of the bank transfer.
- Non-routine payments must be verified out of band before paying: “Pick up the telephone.” This is the responsibility of the payer. Transfers should be confirmed out of band; this is the responsibility of the paying agent (usually the bank). The role of reconciling confirmations should be separate from that of authorizing payments in the first place.
- This is a classic invoice/payment redirection scam, also known as Business Email Compromise. Technical controls such as DMARC, DKIM, and SPF, and also using effective email filtering solutions, can help minimize the risk of this type of attack. However, as demonstrated by the blame game in this example, the human factor plays a significant part. Basic manual verification processes can often be the most effective prevention measures. Europol provides some excellent guides on how to protect against scams targeting employees: www.europol.europa.eu: Infographic: Fraud Scams Targeting Employees
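The two editor notes above describe two layers of defence against payment redirection: technical checks on the message itself and an out-of-band verification step whenever payment details change. The following is an added example, not code from this page or from Europol: a triage function that applies both, checking From/Reply-To/Return-Path alignment and the Authentication-Results header for SPF, DKIM and DMARC, then comparing any bank account number in the body against the vendor record on file. The message, vendor record, domains and IBAN-like account numbers are constructed sample data.

```python
"""Triage an incoming invoice mail for payment-redirection indicators."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed vendor record, as the payments team would hold it.
VENDOR_RECORD = {"domain": "dealer.example", "iban": "GB00EXAMPLE0000000001"}

def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'pass', 'dkim': ..., 'dmarc': ...}.
    A method the receiving MTA did not report is recorded as 'none'."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    results = {m: "none" for m in ("spf", "dkim", "dmarc")}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
        results[method] = verdict.lower()
    return results

def triage(raw_message, vendor=VENDOR_RECORD):
    """Return the reasons this message needs out-of-band verification.
    An empty list means nothing in the message itself looked redirected."""
    msg = message_from_string(raw_message)
    reasons = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    path_dom = _domain(msg["Return-Path"])
    if from_dom != vendor["domain"]:
        reasons.append(f"From domain {from_dom!r} is not the vendor's")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From")
    if path_dom and path_dom != from_dom:
        reasons.append(f"Return-Path domain {path_dom!r} differs from From")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            reasons.append(f"{method} result is {verdict}")
    # Process control: any account number that differs from the record is
    # treated as a redirection until confirmed by phone on a number already
    # on file, never on one taken from the message.
    body = msg.get_payload()
    for iban in re.findall(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b", body):
        if iban != vendor["iban"]:
            reasons.append(f"IBAN {iban} differs from vendor record")
    return reasons

# Constructed sample: lookalike Reply-To and Return-Path domains, DMARC
# failing on the vendor's real domain, and "new" bank details in the body.
SAMPLE_REDIRECT = """\
Return-Path: <billing@dealer-example.net>
Authentication-Results: mx.museum.example; spf=pass smtp.mailfrom=dealer-example.net; dkim=none; dmarc=fail header.from=dealer.example
From: "Accounts" <accounts@dealer.example>
Reply-To: <accounts@dealer-example.net>
To: <finance@museum.example>
Subject: Updated bank details for final payment

Please remit the balance to our new account GB00EXAMPLE0000000002.
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE_REDIRECT):
        print("VERIFY OUT OF BAND:", reason)
```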
NEC Acknowledges December 2016 Breach. Japan’s NEC Corp. has disclosed that its systems were breached in December 2016. The company did not detect the breach until June 2017, when it noticed encrypted traffic being sent from a company server. NEC decrypted the traffic in July 2018 and found that the attackers had exfiltrated data from the company’s defense business division.
Note: Mean time to detection (MTTD) of a breach needs to go from months in 2017 to days in 2020. Many companies that take cybersecurity seriously have or have nearly accomplished that goal. For others, it will never happen because they have not yet established MTTD as a key cybersecurity objective and thus they are not measuring it.
Read more in: Japanese company NEC confirms 2016 security breach
APT34 Targeting US Company Through Spear Phishing eMail. A hacker group with ties to Iran has been sending spear-phishing emails to customers and employees of a company that works with US federal, state, and local governments. The phony messages sent to Westat employees contain malicious Excel spreadsheet attachments. The spreadsheets appear to be blank; if recipients enable macros, the content – a phony job satisfaction survey – appears and malware that installs the TONEDEAF backdoor is downloaded in the background.
Read more in: Iranian Hackers Target U.S. Gov. Vendor With Malware
Some US Emergency Alert Systems Remain Unpatched Years After Fix Released. A vulnerability in certain emergency alert systems (EAS) that was disclosed in 2013 remains unpatched on at least 50 systems across the US. The issue lies in the web interfaces for Monroe/Digital Alert Systems EAS hardware.
Note: These systems are effectively appliances that are configured to accept and forward emergency messages. The challenge with appliance-type systems is not only monitoring them for security vulnerabilities but also having appropriate processes in place, with accountability, to keep them updated and secure.