Information and Cyber Security News Headline Updated on 28 Mar 2020

The headline on 28 Mar 2020

Hackers Launching DNS-Hijacking Attacks Against Routers. Hackers are launching DNS-hijacking attacks against D-Link and Linksys routers, redirecting users to malicious sites advertising phony Coronavirus apps. If users download the apps, their devices become infected with information-stealing malware. The hackers are using brute force attacks to obtain routers’ admin passwords.

Note:

  • The best mitigation is to use a strong device password and disable remote management so the router cannot be accessed remotely. Consider setting up a separate DNS server on your network, pointing to your selected authoritative DNS servers. Configuring all endpoints to point to root DNS servers will likely exhaust the NAT tables in your routers. Lastly, most home routers can be configured to forward logs for analysis or alerting; that necessitates monitoring that the average home user is not prepared for. It also enables automatic firmware updates.
  • Many of these routers are in SOHO applications where they are installed but not “managed.” As more of us work remotely, these devices become attractive targets. When installing them, it is important to change the default passwords. Since these devices do not implement strong authentication, this is an application where strong passwords are indicated.

US Senator Urges Vendors to Make Sure Network Connectivity Products Are Secure. US Senator Mark Warner (D-Virginia) wants tech vendors to bolster the security of their products. In letters to Google, Netgear, and others, Warner writes that he is seeking their “assistance to ensure that the wireless access points, routers, modems, mesh network systems, and related connectivity products that your firm manufactures remain secure as unprecedented numbers of Americans rely on remote access for work and education as part of COVID-19 social distancing efforts.”

Note:

  • The cynical side of me says most vendors have word processing template automated responses to these letters “urging” them to do something, especially when related legislation never sees the light of day. The glass half full side of me says that most vendors want to sell quality products and have seen that out-of-the-box security is a key part of security. The realistic side says if we buy junk, someone will sell us junk – for business systems, make sure security requirements are in all procurement evaluation criteria. For consumer products used by work-at-home employees, give them guidance on how to change defaults and take advantage of the free SANS resources for secure telework. www.sans.org: SANS Security Awareness Work-from-Home Deployment Kit
  • It is challenging to have users secure devices after the fact, so having devices that, out of the box, require the user to set a strong password, including automatic updates and disabled remote administration, raises the bar. Make sure that home router security best practice advice is included in your home/remote worker guidance.

Apple Updates. Apple has released updates for iOS, macOS, Safari, watchOS, tvOS, and other products. iOS 13.4 includes fixes for 30 security issues, and the macOS update includes fixes for 26 issues.

Note:

  • Make sure the automatic update option is configured on your Apple devices both for the OS and applications. Then, also periodically check for alerts, asking your permission to install updates. iPadOS 13.4 adds support for Apple’s Magic Mouse and Trackpad. iOS and iPadOS 13.4 Mail now always show the move/delete/reply/compose buttons.
  • While the default setting for iOS devices is Automatic Updates “Off,” the conservative setting is “On.” (Go to Settings, General, Software Update, Automatic Updates, On.)

Adobe Creative Cloud Flaw Patch. Adobe has released a patch for a critical flaw in its Creative Cloud Desktop Application for Windows PCs. The vulnerability, a time-of-check-to-time-of-use race condition, could be exploited to delete files from computers. Users should update to Creative Cloud for Windows version 5.1 or later.

Note: While the fact that the vulnerability is a TOCTOU may be interesting to some, and a caution to developers (to bind the conditions that they rely on), it is not relevant to the simple fix for this specific incident: update.
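
The pattern behind a file-deletion TOCTOU is a check made on a path string followed by an action on the same string, with nothing binding the two. The Python below is an added example, not Adobe's code, and it uses POSIX APIs (Linux or macOS) rather than the Windows internals of the Creative Cloud bug; it shows the vulnerable check-then-act shape beside a hardened version that pins the directory with a handle opened without following links and performs both the check and the unlink relative to that handle. The demo's symlink swap is a constructed stand-in for the window an attacker wins in the real race.

```python
import os
import stat
import tempfile


def unsafe_delete(base_dir, name):
    """Vulnerable pattern (the 'before'): check one path lookup, act on another.
    Between os.path.isfile() and os.remove() the path can be re-pointed, e.g. by
    replacing base_dir with a link, so the delete lands outside the sandbox."""
    path = os.path.join(base_dir, name)
    if not os.path.isfile(path):          # check ...
        raise FileNotFoundError(path)
    os.remove(path)                       # ... then use: a second, independent lookup
    return path


def safe_delete(base_dir, name):
    """Hardened pattern: bind the check and the action to one directory handle.
    The directory is opened once with O_NOFOLLOW (a link in its place fails with
    ELOOP), then the entry is inspected and unlinked relative to that handle, so a
    later swap of base_dir cannot redirect the unlink."""
    if os.sep in name or (os.altsep and os.altsep in name) or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{name} is not a regular file")
        os.unlink(name, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo():
    """Constructed scenario: 'secret.txt' lives outside the sandbox and the
    sandbox directory has been replaced by a symlink to that outside directory.
    Returns what each deletion routine did to the outside file."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")
        os.mkdir(outside)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("keep me\n")
        sandbox = os.path.join(root, "sandbox")
        os.symlink(outside, sandbox)       # the swapped-in link

        results = {}
        try:
            safe_delete(sandbox, "secret.txt")
            results["safe_refused"] = False
        except OSError:                    # ELOOP from O_NOFOLLOW
            results["safe_refused"] = True
        results["secret_after_safe"] = os.path.exists(secret)

        unsafe_delete(sandbox, "secret.txt")   # follows the link and deletes
        results["secret_after_unsafe"] = os.path.exists(secret)
        return results


if __name__ == "__main__":
    print(demo())
```

The same idea applies on Windows with a handle to the directory and relative operations against it; what matters is that the object the check validated is the object the action touches, not a path string that can be re-resolved in between.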

DEER.IO Platform Shut Down. The FBI has seized the DEER.IO website and shut down the hacker platform. Earlier this month, DEER.IO’s alleged administrator, Kirill Victorovich Firsov, was arrested and charged with unauthorized solicitation of access devices.

HPE Firmware Fix for Flaw That Could Brick Some Solid State Drives. Hewlett Packard Enterprise has released firmware updates for some of its Serial-Attached SCSI solid-state drives. The update addresses a flaw that causes the drives to fail after 40,000 hours (roughly four-and-a-half years) of operation. HPE addressed a similar issue in November 2019.

Note: The update in November addressed drives failing after 32,768 hours (3.78 years). HPE has also released detection scripts to determine if you have affected drives. The update can be performed online, without a reboot, but is suggested during low I/O intervals. Check the HPE alert for caveats.

Google Resumes Chrome Releases. Google is resuming Chrome and Chrome OS releases “with an adjusted schedule.” (Last week, Google announced it was pausing releases for the browser and operating system due to altered work schedules.) Chrome 81, which had been scheduled for release on March 1, will now be released on April 7. Google has canceled Chrome 82; Chrome 83 is scheduled to be released to the stable channel on May 19.

Chinese Hackers Targeting Wide Range of Industries. Researchers from FireEye say that APT41, a hacking group with ties to China’s government, has been launching cyberattacks against a range of industries, including health care organizations, the military, and oil and gas companies. Between January 20 and March 11 of this year, APT41 launched cyberattacks against more than 75 organizations around the world, exploiting flaws in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central.

Note: This is a good news item to show management to emphasize the need both for making sure remote work is being done securely, and that IT operations keep up with critical patches during these turbulent times.

Google Threat Analysis Group. In 2019, Google’s Threat Analysis Group warned nearly 40,000 users that their accounts were being targeted by state-backed hackers. The attackers focus mostly on accounts belonging to “geopolitical rivals, government officials, journalists, dissidents, and activists.”

Note: This is part of Google’s free advanced protection program, which requires two security keys, or an iPhone or Android, and forces two-factor authentication. Make sure that users recognize alerts from Google as legitimate.

Electronics Manufacturer Hit with Ransomware. Systems at a Connecticut-based electronics manufacturer were hit with ransomware earlier this month. Kimchuk, which makes products for medical equipment, telecommunications companies, the energy grid, and the military, did not pay the ransom. The attackers have published information stolen from the company. The practice of releasing stolen information is growing; the groups responsible for several different families of ransomware have created websites expressly to post stolen data.

Note: Both resistance to breaches and resilience are necessary, but the former addresses more risks. In security, measures that operate early usually trump those that operate late.

The headline on 25 Mar 2020

COVID-19 Related Malware. The FBI has issued a warning of an increase in COVID-19-related fraud schemes. The announcement urges people to be alert to phony messages from the Centers for Disease Control (CDC), phishing emails and offers of phony COVID-19 treatment. There have been reports of phony email messages that pretend to be from the head of the World Health Organization and place a keystroke logger on users’ computers, and of a fake COVID-19 vaccine website that tries to steal payment card and other personal data.

Note: Also warn users to be on the alert for phishing campaigns, particularly targeting the elderly, around the pending US financial relief package. These campaigns promise extra social security, investment schemes or COVID-19 relief payments in exchange for bank account information. Also, beware of pay-in-advance offers to help victims with services.

Windows 0-day is Being Actively Exploited. Microsoft warns of limited attacks that could leverage two as-yet unpatched vulnerabilities in the Adobe Type Manager Library resulting in remote code execution. For supported versions of Windows 10, this can result in code execution within an AppContainer with limited privileges and capabilities. Microsoft has not yet released a patch and offers a choice of three workarounds: disabling the Preview and Details panes in Windows Explorer, disabling the WebClient service, and renaming ATMFD.DLL. Enhanced Security Configuration, which is on by default in Windows Servers, does not mitigate the problem.

Note:

  • While the impact of the attack is lowest on supported versions of Windows 10, there is a chance the attackers are also capable of executing a sandbox escape. Be sure to read the caveats with each of the fixes before rolling one out. The second workaround, disabling the WebClient service, will block the attacks attackers are most likely to use, and impacts Web Distributed Authoring and Versioning (WebDAV), as well as stopping, and blocking the starting of, services based on WebClient.
  • There is no public exploit right now, but targeted attacks are taking advantage of this vulnerability. Microsoft’s initial advisory caused some confusion as the DLL mentioned is not present on newer versions of Windows 10, and Microsoft clarified this in the 1.1 version of the advisory released last night. isc.sans.edu: Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
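
Once a workaround has been rolled out, the next question is which hosts actually have it in effect. The Python below is an added example (not Microsoft's tooling) that reads the `STATE` and `START_TYPE` fields from `sc query` / `sc qc` output for the WebClient service and reports whether the "disable WebClient" workaround is in place, together with whether ATMFD.DLL is present. The `sc` output layout is an assumption about the real tool and the sample text is constructed; the `collect_live()` helper only runs on Windows and is included so the same assessment can be applied to a live host.

```python
import os
import re
import subprocess

# Constructed `sc` output in the layout the Windows tool prints (assumption);
# values are made up for the example and describe an unmitigated host.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: WebClient
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WebClient
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\\Windows\\system32\\svchost.exe -k LocalService
"""

# "STATE : 4  RUNNING" -> ("STATE", "RUNNING"); same for START_TYPE.
FIELD = re.compile(r"^\s*(STATE|START_TYPE)\s*:\s*\d+\s+(\S+)", re.M)


def parse_sc(text):
    """Map the STATE / START_TYPE fields of `sc query` or `sc qc` output to their names."""
    return {key: value for key, value in FIELD.findall(text)}


def assess(sc_query_out, sc_qc_out, atmfd_present):
    """Report which of the advisory's workarounds are in effect on this host.

    The WebClient workaround counts only when the service is both stopped now
    and disabled from starting again; a stopped-but-manual service comes back
    as soon as something triggers it.
    """
    fields = {**parse_sc(sc_query_out), **parse_sc(sc_qc_out)}
    state = fields.get("STATE", "UNKNOWN")
    start = fields.get("START_TYPE", "UNKNOWN")
    return {
        "webclient_state": state,
        "webclient_start_type": start,
        "webclient_workaround": state == "STOPPED" and start == "DISABLED",
        # ATMFD.DLL is absent on newer Windows 10 builds, so absence alone is not
        # proof that the rename workaround was applied; report it, don't conclude.
        "atmfd_present": atmfd_present,
    }


def collect_live():
    """Windows-only: gather the same inputs from the running host."""
    query = subprocess.run(["sc", "query", "WebClient"], capture_output=True, text=True).stdout
    config = subprocess.run(["sc", "qc", "WebClient"], capture_output=True, text=True).stdout
    dll = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "atmfd.dll")
    return assess(query, config, os.path.exists(dll))


if __name__ == "__main__":
    report = collect_live() if os.name == "nt" else assess(SAMPLE_SC_QUERY, SAMPLE_SC_QC, True)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run across a fleet, the `webclient_workaround` flag is the field to alert on; hosts where it is false after the rollout either missed the change or had the service re-enabled, which is exactly the caveat the note above asks you to read before choosing this workaround.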

Hackers Steal Data from Clinical Medical Research Organization. Earlier this month, a UK clinical medical research company detected and stopped a ransomware attack launched against its systems. Hammersmith Medicines Research (HMR) has conducted trials of various vaccines and drugs, and is planning to begin trials for a potential COVID-19 vaccine. The attackers stole data from Hammersmith, including sensitive information about people who participated in other clinical trials. The data include medical questionnaires, and passport and driver’s license numbers. The group responsible for the ransomware attack has begun posting the stolen information in an attempt to get Hammersmith to pay a ransom.

Note: When one’s networks, systems, applications, and data are compromised, there are many ways for the attackers to monetize the compromise.

South Carolina Fire Department Computers Infected with Ransomware. Computers belonging to the Bluffton Township (South Carolina) Fire Department became infected with ransomware in mid-March. The attack did not affect the department’s ability to respond to emergency calls.

Note: By this time, most large enterprises should be both resistant to and resilient in the face of “ransomware” attacks. However, many of the measures that they have put in place may be beyond the capabilities of many small and medium-sized enterprises (SME). That may be why SMEs are being targeted and successfully attacked. They must look to their vendors and contractors.

Read more in: South Carolina Fire Department Servers Disabled by Hacker

Finastra Systems Infected with Ransomware. UK financial technology company Finastra has disclosed that earlier this month, the company’s “IT security and risk teams actively detected… that a bad-actor was attempting to introduce malware into [their] network in what appears to have been a common ransomware attack.” Finastra took its servers offline to contain the infection.

Countries Are Using Geolocation and Facial Recognition to Track COVID-19. Governments in several countries are using technologies like geolocation and facial recognition to track the spread of COVID-19. In the UK, health officials plan to test a new app that will let people know if they have been in contact with someone who has tested positive for COVID-19. In China, the government has created a system called Health Code, which assigns each individual a color code that identifies them as infected, quarantined, or healthy. In Hong Kong, people who have tested positive for COVID-19 or who have been quarantined are given an electronic bracelet, the latest version of which includes a GPS. South Korea has been using CCTV images, payment card records, and mobile phone data to retrace the steps of people who test positive for the virus. Israel and the US are also considering surveillance methods. (Please note that the WSJ story is behind a paywall.)

Note: There seems to be a pretty clear agreement in the experienced medical community about the right steps to take, and investigating the contacts of newly discovered infections is pretty important. Doing that quickly and accurately, not just quickly, is key. Any untested technology use that generates high rates of false positives or false negatives will be counterproductive – just as we’ve seen in security.

Google and Microsoft Pausing Major Version Update for Chrome and Edge Browsers. Last week, Google announced that it was pausing major releases of its Chrome browser because of COVID-19-related adjusted work schedules. Google will release new versions of Chrome 80 (which is the current stable version) to address security issues. Microsoft has now announced that it, too, is pausing the release of major versions of its Edge browser, which is based on Chromium.

Note:

  • With most employees working from home, some companies have decided to delay patching to reduce the risks of home users getting “cut off”. That may not be sensible because software makers will focus on patching security flaws and not on new features that may increase tech support traffic. Firefox also reverted a change that would have disabled TLS 1.0/1.1 to avoid problems with some government sites that still require these older TLS versions (see next story).
  • We’re all learning the impacts of increased telework coupled with reduced availability of those that are caring for those impacted by the illness, such as having children home from school or being a caretaker for one who is ill. With the uncertainty, it may still be too soon to re-baseline projects; instead, take a flexible approach and focus on prioritizing deliverables.

Firefox Enables TLS 1.0 and 1.1 Again to Aid Access to COVID-19 Information. Mozilla has reverted to allowing TLS 1.0 and 1.1 to enable users to access COVID-19 information on government websites that have not yet made the switch to TLS 1.2 or 1.3. Earlier this month, Mozilla announced it was ending support for TLS 1.0 and 1.1 with the release of Firefox 74 on March 10.

Note: To make sure you have support for older TLS enabled, go to settings:config and check the value of security.tls.version.fallback-limit. 1 for TLS 1.0, 2 for TLS 1.1, 3 for TLS 1.2 and 4 for TLS 1.3. This setting applies to Firefox 74 and ESR 68.6.

NIST Draft Document on Cybersecurity and Enterprise Risk Management. The US National Institute of Standards and Technology (NIST) is seeking public comment on a draft report, NIST-Interagency Report 8286 | Integrating Cybersecurity and Enterprise Risk Management. NIST will accept comments through April 20, 2020.

Note: This document attempts to create a bridge between Enterprise Risk Management and Cybersecurity Risk Management. One of the challenges is a consistent message relating to cyber risks and how they translate into costs for the organization so that the resulting risk registers are appropriately factored into ERM.

Medical Device Maker Discloses Phishing Attack. Insulin pump manufacturer Tandem Diabetes has disclosed a phishing attack. On its website, Tandem noted that “a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020, and January 20, 2020.” The affected accounts contained customer information, including names, contact information, clinical data related to diabetes therapy, and in some cases, Social Security numbers.

The headline on 21 Mar 2020

Hackers Use COVID-19 Tracking Map to Hide Spyware. Hackers have weaponized a legitimate COVID-19 tracking map to deliver spyware. Known as SpyMax, the malware can exfiltrate logs for texts and phone calls, and allows the attackers to activate microphones and cameras. The malware appears to be being used to spy on people in Libya.

Note: With workers out of the office, the normal resources which protect them from malware are reduced or absent. Consider providing references to vetted sources of information, web sites or mobile apps, as part of your COVID-19 communication campaign.

Food Delivery Service in Germany Targeted with DDoS Attack. Hackers have launched a distributed denial-of-service (DDoS) attack against the website of a food delivery service in Germany. The hackers demanded a ransom of 2 bitcoins to stop the attack. Lieferando.de, the German branch of Takeaway.com, is back online; it is not clear if they paid the ransom.

Note: Ransomware still depends on social engineering, and the current situation is ripe for users making mistakes that could enable an attack. Encourage workers to focus on deliberate operations – taking an intentional, thoughtful and careful approach to ensure work is conducted safely and securely. Take a measured approach with regular management check-ins, performing tasks only when sufficient staff are available to execute them securely and safely.

Mandiant Ransomware Research Shows Window of Opportunity For Defenders. According to researchers from Mandiant, most ransomware does not deploy until at least three days after attackers have gained their initial foothold in a system. In some cases, the dwell time was much longer. Mandiant looked at “dozens of ransomware incident response investigations from 2017 to 2019.” The researchers also found that most ransomware infections occur at night or on weekends. The blog post notes that “there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.”
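
The "window of opportunity" in the Mandiant finding is measurable on your own incident timelines: the gap between the first malicious action and the ransomware deployment is the time a detection would have had to fire, and the deployment timestamp tells you whether your off-hours coverage would have caught it. The Python below is an added example, not Mandiant's tooling, that computes both from a constructed timeline; the event names, hosts and off-hours boundaries are assumptions for the example.

```python
from datetime import datetime

# Constructed incident timeline (not from the Mandiant data set). Each line is
# "<ISO timestamp> <event_kind> key=value ...", as a SIEM export might give it.
SAMPLE_EVENTS = [
    "2020-03-06T14:12:00 phish_opened user=jdoe host=WS-041",
    "2020-03-06T14:15:30 macro_executed host=WS-041 proc=powershell.exe",
    "2020-03-07T09:40:00 lateral_movement src=WS-041 dst=FS-01 method=smb",
    "2020-03-08T11:05:00 credential_dump host=FS-01 tool=unknown",
    "2020-03-14T02:30:00 ransomware_deployed host=FS-01 note=readme.txt",
]

# Assumed event vocabulary: what counts as the initial foothold and the payload.
INITIAL_ACTIONS = {"phish_opened", "macro_executed", "exploit"}
DEPLOYMENT = "ransomware_deployed"


def parse_event(line):
    """Split one timeline line into (timestamp, kind, {key: value})."""
    ts, kind, *fields = line.split()
    return datetime.fromisoformat(ts), kind, dict(f.split("=", 1) for f in fields)


def is_off_hours(ts, day_start=7, day_end=19):
    """Weekend, or outside the assumed staffed window [day_start, day_end)."""
    return ts.weekday() >= 5 or not (day_start <= ts.hour < day_end)


def analyze(lines):
    """Dwell time from first malicious action to deployment, plus what fired in between.

    Returns None when the timeline lacks either endpoint (no foothold event or
    no deployment yet), so a caller cannot mistake a partial timeline for a
    short dwell.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    first = next((ts for ts, kind, _ in events if kind in INITIAL_ACTIONS), None)
    deploy = next((ts for ts, kind, _ in events if kind == DEPLOYMENT), None)
    if first is None or deploy is None:
        return None
    dwell = deploy - first
    return {
        "first_malicious_action": first,
        "deployment": deploy,
        "dwell_days": dwell.total_seconds() / 86400,
        "deployed_off_hours": is_off_hours(deploy),
        # Every event in the gap is a point where detection and containment
        # would have pre-empted the encryption.
        "detection_opportunities": [kind for ts, kind, _ in events if first < ts < deploy],
    }


def had_window(report, min_days=3):
    """True when the dwell time met the 'at least three days' pattern from the research."""
    return report is not None and report["dwell_days"] >= min_days


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    print(f"dwell: {report['dwell_days']:.2f} days, off-hours deployment: {report['deployed_off_hours']}")
    print("missed opportunities:", ", ".join(report["detection_opportunities"]))
    print("window existed:", had_window(report))
```

Run over real post-incident timelines, the `detection_opportunities` list is the input to a gap review: each entry is an activity your telemetry recorded but nobody acted on before the payload ran, and `deployed_off_hours` tells you whether the alerting path needs to reach someone outside business hours.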

Social Media Turning to AI for Moderators. Earlier this week, Facebook users began noticing that their COVID-19-related posts were being taken down. They received notifications from Facebook which said the posts violated community standards. Facebook says the issue was due to a bug in its anti-spam filter. Facebook’s content moderators had been sent home; they cannot work from home due to privacy agreements. Twitter and YouTube have also said they are sending home their content monitors. Some researchers are concerned that with content moderators absent, much of the decision-making regarding permissible posts will be left to automated systems.

Note:

  • Increased reliance on automation is a natural side effect of orders sending employees home. Oversight of that automation, particularly if new, is critical to correct missteps. When regulations prohibit remote oversight of that automation, the criticality of those jobs needs to be re-evaluated.
  • In the US, the Department of Health and Human Services put out a “Notification of Enforcement Discretion for telehealth remote communications” during the COVID-19 emergency – basically saying remote working using common sense security precautions that may not be fully compliant will not be penalized. Using public-facing social media is still prohibited. While companies should not race into remote working without taking precautions, security should be the issue – not compliance. SANS has released a free secure telework support package at www.sans.org: SANS Security Awareness Work-from-Home Deployment Kit.
  • My FB post that was taken down just got put back 30 minutes ago with a blanket apology note that did mention SPAM. My post was related to COVID, (many, but not all of my FB friends’ deleted posts were on the subject), and I notice FB now has their COVID-19 page, so they may be trying filters to limit misinformation since they have been thoroughly bashed by Congress for that in the past.

Four-Year Sentence for Role in Chinese Espionage Operation. A US federal district judge in California has sentenced Xuehua Edward Peng to 48 months in prison for acting as an agent of the People’s Republic of China (PRC). Peng, who is a US citizen, participated in several “dead-drops,” a scheme to exchange money for information in which the two parties involved do not meet. Peng hid money in designated places and returned later to retrieve Secure Digital (SD) cards containing classified US information. Peng brought the SD cards to China, where he delivered them to a PRC official.

Adobe Patches 29 Critical Flaws. Adobe has issued fixes for more than 40 security issues in Acrobat, Reader, Photoshop, ColdFusion, Genuine Integrity Service, Experience Manager, and Bridge. Twenty-nine of the vulnerabilities are rated critical.

Note: In addition to pushing these updates to your traditional targets, verify that your systems that are now working remotely are both monitored and updated. In the past, it may have been an acceptable risk to wait for updates on remote systems until they reconnected to the corporate network. With the current crisis, that interval is undefined; you should look to patching them in place.

Cisco Releases Fixes for SD-WAN Vulnerabilities. Cisco has released updates to address three vulnerabilities in its software-defined networking for wide-area network (SD-WAN) Solutions software. All three flaws have been rated high severity. The issues affect a range of Cisco products that are running SD-WAN software that is older than the current version: Release 19.2.2.

Mozilla Eliminating Support for FTP in Firefox. Mozilla says that it plans to eliminate support for the FTP protocol in Firefox by the start of 2021. Support for FTP will initially be disabled in Firefox 77, which is scheduled for release in June 2020. Users who want to view and download files over FTP will be able to re-enable support through the Firefox about:config page until the support is removed entirely at the start of 2021.

Note:

  • While there are extensions to secure FTP, it is fundamentally an unsecure protocol. Delivery of files over HTTPS is a technically viable alternative. If you retain FTP capabilities, identify the specific use cases and regularly check for alternatives.
  • While low profile and often “legacy” or “orphan,” FTP servers continue to be a source of leakage of data. Enterprises should replace FTP servers in favor of SFTP and HTML.

Read more in: Firefox to remove support for the FTP protocol

Chrome and Chrome OS Releases Paused. Google has paused the upcoming releases of its Chrome browser and Chrome OS. Google says that the reason for the delay is adjusted work schedules due to the Coronavirus. Chrome 81 was scheduled to be released on Tuesday, March 17. In its blog statement, Google notes that it will “continue to prioritize any updates related to security, which will be included in Chrome 80.”

Rogers Communications Notifies Customers of Data Breach. Canadian telecom company Rogers Communications has begun notifying customers that their personal information was compromised. In late February, Rogers learned that an external service provider had exposed a customer database to the Internet.

Local Governments in France are Being Hit With Pysa Ransomware. France’s Computer Emergency Response Team (CERT) has issued an alert about ransomware targeting networks of local governments. The attackers are using a new variant of the Mespinoza ransomware, which is also known as Pysa. The alert describes how the attacks operate and indicators of infection; it also provides recommendations to help organizations minimize the effect of the ransomware.

Information Sharing and Analysis Organization for Political Campaigns. The US now has a Political Campaign Information Sharing and Analysis Organization (PC-ISAO). Established earlier this month by US CyberDome, PC-ISAO “facilitate[s] fully anonymous cyber threat information sharing, …provide[s] technical information in formats that are easy to read, … [and] also facilitate[s] connections amongst members on cybersecurity challenges.”

The headline on 18 Mar 2020

COVID-19 Spear Phishing eMails Used to Spread Malware. An APT group has been sending spear-phishing emails that claim to contain information about COVID-19. The messages, which target users in Mongolia, carry maliciously crafted Rich Text Format (RTF) document attachments that are used to infect computers with a remote access Trojan (RAT).

Read more in: Coronavirus-Themed APT Attack Spreads Malware

Malicious COVID-19 Android App is Ransomware. An Android app that purports to track confirmed cases of COVID-19 locks up the phone and demands $100 in bitcoin to unlock it. If victims do not pay within 48 hours, the malware says it will erase all the data on the phone. A password to unlock frozen devices has been obtained.

Note: This app will also set a lock on your device if one is not already configured. The DomainTools researchers have reverse engineered the decryption key for the “CovidLock” app and are preparing to release it. Note that financially motivated threat actors are leveraging the COVID-19 crisis for profit. Users need to be careful installing offered mobile applications, particularly from unofficial app stores, but expect some apps to make it into the legitimate app stores as well.

Czech Hospital Conducting COVID-19 Testing Hit With Cyberattack. A Czech hospital that is one of the centers for COVID-19 testing in that country was the target of a cyberattack on Friday, March 13. Details of the breach have not been disclosed, but the hospital’s entire IT system was shut down and all surgeries have been canceled. Two of the hospital’s branches were also affected.

US Dept. of Health and Human Services Fended Off Cyberattack. The US Department of Health and Human Services (HHS) noted increased network scanning over the weekend. While it appears to have been an attempt to launch a distributed denial-of-service attack (DDoS), the agency’s systems were not significantly affected.

Note: Expect increased attacks in the name of COVID-19, particularly against businesses involved in testing and treatment; it’s similar to other efforts to shortcut development by exfiltrating others’ intellectual property or research. Verify your defenses, including monitoring and alerting capabilities, with an eye to operational impacts of increased numbers of remote workers, possibly even your SOC. Be prepared to alter your definition of normal due to modified working arrangements.

ShadowServer is Losing its Funding. Cisco has withdrawn its funding from the all-volunteer non-profit organization Shadowserver.org. ShadowServer “help[s] Internet service providers (ISPs) identify and quarantine malware infections and botnets,” and serves Computer Emergency Response Teams (CERTs) around the world, providing daily network reports. The organization needs to migrate operations to a new data center by mid-May.

Note: FluTrackers.com started up around the same time ShadowServer did. FluTrackers enables infectious disease experts to share data about outbreaks and treatments, regardless of whether governments or for-profit companies wanted that information to get out. It put out one of the first early warnings that something was happening in China. I’m sure other security companies will help replace the lost Cisco funding – this kind of model is an important component of the mix of government, commercial and crowd-sourced tools to use against cybersecurity risks.

New Voatz Audit Finds Severe Flaws. A new audit of the Voatz mobile voting app conducted by Trail of Bits found 16 “severe” security issues. Unlike previous audits, this audit had access to the Voatz Core Server and backend software. Trail of Bits confirmed the vulnerabilities found by researchers at the Massachusetts Institute of Technology (MIT) and found additional flaws.

Note:

  • One of the hard parts of audits is moving through the process of acceptance to validation and remediation. While the Trail of Bits audit confirms vulnerabilities from the MIT researchers, the acceptance of and rapid response to their findings shows the advantage of a self-selected audit.
  • It is much easier to secure a purpose-built app running on a single user device than to secure a server running on a general-purpose operating system. As ever, election fraud is far more likely in the tabulating and reporting steps than in vote recording. While not all of the problems identified by Trail of Bits have yet been addressed, most appear to be implementation shortcomings rather than fundamental vulnerabilities.

WordPress Auto-Update Feature. WordPress developers plan to add an auto-update feature to plugins and themes. The WordPress core has had an auto-update mechanism for minor updates since October 2013, with the release of WordPress version 3.7. Users must still manually update between major versions of WordPress core.

Note: This is slated to release with WordPress core version 5.5 scheduled to be released in August. Version 5.4 was just released this March. The feature will include the ability to select which plugins are auto-updated and when updates will happen.

Read more in: WordPress to add auto-update feature for themes and plugins

Fixes Available for Popup Builder WordPress Vulnerabilities. Two flaws in the Popup Builder WordPress plugin have been fixed. One of the vulnerabilities is rated high severity; it could be exploited to inject JavaScript into a popup. Users are advised to upgrade to Popup Builder version 3.64.1.

Read more in: WordPress Plugin Bug in Popup Builder Threatens 100K Websites

Slack Flaw Fixed. Slack has fixed a vulnerability in its messaging platform that could have been exploited to take control of accounts. Slack learned of the flaw in November 2019 through its bug bounty program. Slack fixed the issue within 24 hours of being notified; the report was disclosed to the public last week.

Note: This fix was a server-side fix. Even so, make sure that users with the desktop or mobile app have updated to the current versions – 4.3.2 Linux, 4.3.3 Mac, 4.3.4 Win, 20.03.20 iOS and Android.

Europol and European Law Enforcement Arrest Alleged SIM-Swappers. Europol, along with law enforcement authorities in Spain, Romania, and Austria, has arrested a total of 26 people in connection with two SIM-swapping operations. A SIM-swapping group in Spain stole more than €3 million ($3.35 million), and a group in Austria and Romania stole €500,000 ($559,000).

Note: All security measures have limitations. It is important to recognize those limitations and compensate accordingly. If a subscriber loses service on their mobile, they should contact their service provider immediately. While service providers are anxious to respond courteously and promptly to provisioning requests from subscribers, it is essential to do so securely. Provisioning requests should be authenticated in-band and out-of-band before acting on them. Out-of-band confirmation is one of our most efficient fraud resistance tools.

Read more in:

ENTSO-E Breach: More Details. More details are emerging about the data breach at the European Network of Transmission System Operators for Electricity (ENTSO-E). Hackers appear to have had access to ENTSO-E’s IT network for several weeks. According to analysis from Recorded Future that was published in January, a remote access Trojan (RAT) “command and control (C2) server [was found to be] communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020.”

Read more in:

Crypto-Currency Scams. Nigerians have reportedly lost hundreds of millions of Naira after being targeted in crypto-currency Ponzi schemes by firms that claim to speculate on cryptocurrency price movements. The scammers are capitalizing on weak regulations for crypto-currency as well as the fast-moving technology that drives it. The Better Business Bureau started tracking cryptocurrency in 2018. The BBB now lists cryptocurrency as the second riskiest scam. 14% of crypto scam victims are in Nigeria, 11% in Indonesia, 9% in the U.S. and 8% in Vietnam.

Note: Beware of scams that offer a high return on investment, particularly cryptocurrency. Lack of regulation and oversight make cryptocurrency attractive for this purpose. The current economic turmoil increases users’ likelihood of falling for these scams.

Read more in:

The headline on 14 Mar 2020

Hackers Use Interactive COVID-19 Map to Spread Malware. Hackers have weaponized a live COVID-19 map to spread the AZORult malware, which steals passwords, payment card information, cookies, and other sensitive data. In a related story, state-sponsored hackers are using COVID-19 information as a lure in phishing attacks.

Note:

  • By now, your company should have warned employees of the inevitable flood of malware and phishing attacks around the COVID-19 pandemic. Good to remind them it will happen again when things start to return to normal.
  • Expect high-quality social engineering attempts due to the plethora of information about COVID-19, and users’ desire to keep up-to-date on the illness and its impacts.

Read more in:

Illinois Public Health District Website Suffers Ransomware Attack. The website of the Champaign-Urbana Public Health District (C-UPHD) in Illinois was hit with ransomware earlier this week. C-UPHD, which serves more than 200,000 people, including students at the University of Illinois’s largest campus, has set up an alternate website while it works to restore its primary site.

Read more in:

Cyberspace Solarium Commission Report. The US Cyberspace Solarium Commission’s report, mandated by the 2019 National Defense Authorization Act, “advocates a new strategic approach to cybersecurity: layered cyber deterrence.” The report makes more than 80 recommendations, which are organized under six pillars: reform the U.S. government’s structure and organization for cyberspace, strengthen norms and non-military tools, promote national resilience, reshape the cyber ecosystem, operationalize cybersecurity collaboration with the private sector, and preserve and employ the military instrument of national power.

Note: We need a revolution; what we are doing is not working. We need to raise the cost of attack tenfold in 2020, a hundredfold in the next five years. We know what to do; we lack the will.

Read more in:

IoT Threat Report: Medical Imaging Devices are Running Outdated OSes. A report from Palo Alto Networks found that 83 percent of medical imaging devices in the US are running outdated operating systems. This marks a 56 percent increase over two years, which can be attributed in part to Microsoft’s end of support for Windows 7 in January 2020. The report “analyzed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the United States.” The researchers also found that 98 percent of traffic sent by IoT devices is unencrypted.

Read more in:

Microsoft’s Patch Tuesday. Microsoft’s monthly security update for March 2020 addresses 115 security issues, 26 of which are rated critical. None of the vulnerabilities is currently being actively exploited.

Note:

  • A monthly patch day from Microsoft is beginning to sound very outdated, kinda like “telephone dial.” Imagine if the health care recommendation to prevent infection of open wounds was “on every second Tuesday of the month, apply protective covering…” Somehow businesses and IT managers live through faster patching for phones, tablets and browsers, cloud apps and just about everything else, but Windows still has Vulnerability Tuesday?
  • While patch Tuesday is familiar and convenient for scheduling, and more vendors scheduling releases to this cadence is welcomed, the volume of fixes of late warrants a shorter interval between patch releases; particularly for endpoints.

Read more in:

Microsoft Patches Wormable Vulnerability in SMBv3 Protocol. Microsoft has released a fix for a critical remote code execution flaw in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol. Details of the vulnerability were inadvertently released online earlier this week. The vulnerability could be exploited to execute code remotely and spread to other vulnerable machines with no user interaction. The issue affects 32- and 64-bit Windows 10 versions 1903 and 1909 and Windows Server 2019 versions 1903 and 1909.

Read more in:

Necurs Botnet Takedown. Working alongside partners in 35 countries, Microsoft has helped to take down the infrastructure that supported the Necurs botnet, which had been used to spread malware. Necurs comprises more than 9 million computers worldwide. On March 5, 2020, a federal judge in New York gave Microsoft the authority to take control of the computers in the US that are supporting Necurs. Microsoft then analyzed the Necurs algorithm for generating new domains, predicted six million of these potentially harmful domains, and reported them to the associated registry so they could be blocked and prevented from being used by the Necurs operators.

Read more in:

Hackers Spoofing HTTPS Domains to Skim Payment Card Data. Hackers inserted malicious code into a website belonging to a US meat delivery service. The code, which includes a malicious domain, allowed the hackers to intercept customers’ payment information. While the malicious domain has been removed from the company’s website, it has been detected on other companies’ sites.

Read more in: Crafty Web Skimming Domain Spoofs “https”

Deloitte: Ransomware Attacks Against Local Government Increasing in Frequency and Cost. According to a study from Deloitte, ransomware attacks targeting state and local government systems have grown more sophisticated and have become more frequent. The study says that in 2019, there were 163 reported ransomware attacks against local governments; at least $1.8 million in ransom was paid, and millions more spent on recovery efforts. In 2018, there were 55 reported attacks and less than $60,000 in ransom paid.

Note: Part of the issue is these organizations may not have the resources to implement the mitigations needed, particularly differential backups, to aid with recovery as well as mitigations to prevent re-infection. While cyber insurance helps with the ransom payment, the funding for mitigations must be separately obtained and is reliant on support during the already contested budget negotiation and funding cycle.

Read more in:

FBI Arrests Individual Suspected of Operating deer.io. US federal law enforcement agents have arrested Kirill Victorovitch Firsov for allegedly operating deer.io, an online forum where cybercriminals could buy and sell stolen account credentials. Firsov is scheduled to be arraigned later this week.

Read more in:

Avast Disables JavaScript Engine Over Security Concerns. Avast has disabled the JavaScript engine in its antivirus product after it was found to contain a remote code execution vulnerability. Researchers at Google Project Zero say that the emulator, which checks JavaScript code for malware before it is allowed to execute, “is unsandboxed and has poor mitigation coverage.”

Note: Timely disablement of the emulator was a good call on Avast’s part. Other endpoint protection will continue to provide protection; even so, consider enablement of JavaScript only for trusted sites.

Read more in:

The headline on 10 Mar 2020

DoJ Issues Guide for Cyber Research. The US Department of Justice (DoJ) has published a document, Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources, to guide “information security practitioners’ cyber threat intelligence gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold.”

Note: There will always be cases on the edges, where criminals claim to be researchers, researchers get accused of being criminals, or companies with deficient software try to use laws like the DMCA to stop researchers from pointing out how bad their software is. If you or your company are thinking about doing your cyber threat research, the DoJ paper is a good starting point for decreasing the odds that you become one of those edge cases and for defending your actions if you do.

Read more in:

ENTSO-E IT Security Breach. The European Network of Transmission System Operators for Electricity (ENTSO-E) has disclosed that its IT network was breached. In a brief statement, ENTSO-E notes that its network is not connected to those of operational Transmission System Operators (TSO). ENTSO-E’s website notes that its security mission is “Pursuing coordinated, reliable and secure operations of the interconnected electricity transmission network while anticipating the decision to cope with upcoming system evolutions.”

Note: That said, the industry culture is to connect the controls of the grid to the public networks to allow operators timely and convenient access to them in a crisis.

Read more in:

CPI Ransomware Attack. Electronics manufacturer Communications & Power Industries (CPI) suffered a ransomware attack in mid-January 2020. The infection spread quickly to all CPI offices as the company’s computers were on an unsegmented network. CPI paid a ransom of US $500,000 but is still working on recovering its systems. CPI customers include the US Department of Defense and the Defense Advanced Research Projects Agency (DARPA).

Note: The root cause appears to be a domain administrator clicking on the malicious link. Controlled use of administrative privileges, including running with the lowest level of privilege, is CIS Control 4. Network segmentation, particularly for older operating systems such as XP, is key to not only restrict lateral movement but also mitigate shortfalls in legacy system security.

Read more in: Defense contractor CPI knocked offline by the ransomware attack

Durham, NC Ransomware Attack. Computers belonging to the city of Durham, North Carolina, were infected with Ryuk ransomware over the weekend. The city decided to shut down certain systems, including its phone system. The decision rendered an information phone line unavailable, but emergency services “are operational and emergency calls are being handled.”

Read more in:

Lawmakers Ask Treasury Secretary if Cyber Sanctions Are Working. At a congressional hearing earlier this month, members of the US House Appropriations Committee asked Treasury Secretary Steven Mnuchin if the Treasury Department’s financial sanctions against countries that had launched cyberattacks against the organizations in the US have produced “any sizable positive impact on the reduction of breach attempts on U.S. companies.”

Read more in: Lawmakers grill Mnuchin on Treasury’s cyber sanctions

Siemens Cybersecurity Incident Response Handbook for Energy Sector. Siemens has published its energy sector cybersecurity incident response handbook. The handbook is based on an exercise involving a simulated attack against a fictional electrical utility. It notes that “the focus of cyberattacks against the energy industry has shifted from targeting information technologies (IT) toward operating technologies (OT),” and spells out incident response steps.

Read more in:

DoJ Charges Two Chinese Citizens With Cryptocurrency Money Laundering. The US Department of Justice (DoJ) has indicted two Chinese citizens, Tian Yinyin and Li Jiadong, on charges of helping North Korean cyber thieves launder more than US $100 million in funds stolen in a 2018 cryptocurrency heist. Also, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on the pair.

Read more in:

Unsupported Android Devices. UK consumer rights and advice organization Which? estimates that more than one billion Android devices worldwide are no longer receiving updates. Of particular concern are devices released in 2012 or earlier, because they do not have built-in protections that newer devices have. Any devices running versions before Android “will carry security risks.”

Note: Android devices, where updates are provided, are supported for only three years; and the last year is typically limited to security updates. As devices age, security updates may move from monthly to quarterly. If you’re an Android shop, plan for at most a three-year lifecycle for these devices. When qualifying devices for enterprise or personal use, verify the support lifecycle before purchase.

Read more in:

Google Releases March Android Updates. Google’s monthly batch of updates for Android includes fixes for 70 security issues. Seventeen of the vulnerabilities are critical remote code execution flaws, sixteen of which are in Qualcomm components. A high severity privilege elevation flaw that affects MediaTek chipsets is being actively exploited.

Note: Unlike computer operating systems, Android updates tend to be cumulative, so make sure that you’ve applied all the updates for your device. Also, check your device manufacturer’s web site to verify the update schedule for your particular devices.

Read more in:

Hackers Exploiting Known Vulnerability in Microsoft Exchange Servers. Attackers are exploiting a known remote code execution vulnerability in Microsoft Exchange servers. The issue lies in the Exchange Control Panel; all Microsoft Exchange email servers released over the past decade have the same backend cryptographic keys. The vulnerability is being exploited by multiple groups of hackers. Microsoft issued a fix for the flaw in its February Patch Tuesday updates.

Note: The patches were released on February 11th; attempted exploits began after the zero-day report went live on February 26. Proof-of-concept code was released to GitHub, and there is also a Metasploit module, but this is a difficult bug to exploit. Rolling out the patch quickly is still prudent, even if APT groups are not in your threat matrix.

Read more in:

FDA Warns of Cybersecurity Flaws That Could Affect Medical Devices. The US Food and Drug Administration (FDA) is warning about a group of cybersecurity vulnerabilities that could impact certain medical devices. The vulnerabilities, known collectively as SweynTooth, could be exploited to crash devices, cause denial-of-service or deadlock conditions, and to circumvent security protections to access sensitive functions without authorization. The FDA offers recommendations for patients, healthcare providers, and medical device manufacturers.

Read more in:

GSA Makes .Gov Domains Somewhat Harder to Obtain. As of March 10, 2020, the US General Services Administration (GSA) will require entities requesting .gov domains to include notarized signatures on their authorization letters. Previously, applicants needed to submit a completed authorization letter, listing admin, tech, and billing contacts, printed on official letterhead. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) would like to assume responsibility for granting .gov domains and to “ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders.”

Note:

  • Notaries seem like such a quaint idea in the digital age but a few years ago I didn’t notice that my driver’s license had expired, and in over 6 months of traveling, neither did any TSA inspectors at airport security. Then I had to get some form notarized at my local bank, and the Notary said “Nope, can’t do it – your license expired 6 months ago!” Moral of the story: there is still a benefit to a detailed manual inspection of credentials.
  • Validating the identity of the person authorizing the domain request, which is required for granting .GOV domains, is a good start. Strongly issued digital signatures, such as the HSPD-12 credentials, should be considered as an alternative to a Notary.
  • Enterprise identity and authentication are more important than the individual. At enrollment time, it is necessary to ensure that the agent of the enterprise establishing the identity is both authentic and authorized.

Read more in:

The headline on 07 Mar 2020

World Health Organization: Scammers are Exploiting Coronavirus Fears. The World Health Organization (WHO) is warning that scammers posing as WHO representatives are trying to trick people into sharing their account access credentials or opening malicious email attachments. Scammers have also been sending an email that exploits concerns about COVID-19 to spread malware. Researchers note that more than 4,000 coronavirus-related domains have been registered since the beginning of the year; of those, three percent are considered malicious, and another five percent are suspicious.

Read more in:

Phony Certificate Alerts Spreading Malware. Kaspersky researchers have found that attackers are using fake certificate update warnings to spread malware. When users visit previously infected sites, they see a notification about an expired security certificate. Users are urged to accept the “update,” which downloads a file that, when installed, will deliver either the Mokes or Buerak malware.

Note:

  • When the browsers start blocking sites running outdated SSL/TLS levels, we will see a similar round of phony alerts and attacks.
  • With the Let’s Encrypt story below and browsers such as Safari raising the bar on certificate security, users are likely to get fooled. They need to know that updates will only come through proper channels.

Read more in:

The Long Arm of Browser Extensions. When Blue Shield of California learned that its website had been flagged for serving malicious content, further investigation revealed that the malicious code was the result of an employee’s browser extension. The employee had recently edited the website, and the Page Ruler extension for Chrome injected the code in question. The Page Ruler extension was sold several years ago and since then, has been reported for spreading malicious code. Brian Krebs reminds us “that browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions.”

Note:

  • Avoid browser extensions where possible. They not only may have security risks but may also interfere with updates to security and functionality. Review selected extensions regularly to make sure they are needed, supported, and do what you think they do.
  • As we said last week, the managers and the developers of applications are both responsible for the content of all software. So-called “extensions” and “plug-ins” have a bad track record and are difficult to evaluate.

Read more in: The Case for Limiting Your Browser Extensions

Intel Chip Flaw is Unfixable. Researchers have found another flaw affecting Intel chips. This one affects most Intel chips manufactured within the last five years. While the flaw is not trivial to exploit and Intel has released mitigations that can lessen the damage from exploits, the issue cannot be fixed without physically replacing the chip. The problem lies in the Converged Security and Management Engine (CSME).

Note:

  • There are no active exploits and exploitation is difficult. Mitigate the risk by applying the updates provided. The flaw impacts the trusted platform module and allows for bypass of their Enhanced Privacy ID (EPID) digital rights management and on-chip encryption system.
  • When you look at how easily all the levels of servers and PCs running above the CSME level are compromised, for most enterprises worrying about this is like worrying about a meteorite hitting your house when you don’t lock your front doors. However, it does point out that it is always a bad decision to make security an option to turn on after booting up, vs. starting up securely and making it optional to take more risks.

Read more in:

Breach Exposed T-Mobile Data. T-Mobile has disclosed a data breach that exposed customers’ and employees’ personal information. An attack launched against T-Mobile’s email vendor gave the attackers access to T-Mobile employee email accounts. Some of those accounts contained customer and employee data.

Note: Email system compromise is a recurring theme. Implementing multi-factor authentication, using strong passwords, and disabling legacy protocols that don’t support strong authentication are key aids to prevention.

Read more in:

EMCOR Discloses Ransomware Attack. Connecticut-based engineering and industrial construction company EMCOR Group has acknowledged that its systems became infected with ransomware on February 15, 2020. EMCOR says it is restoring services but has not disclosed whether or not it paid the ransom demand.

Read more in:

Browsers to Start Blocking Sites That Use Old TLS Protocols. By the end of this month, most major browsers will be blocking websites that are using TLS 1.0 and TLS 1.1, which date back to 1996 and 2006, respectively. An estimated 850,000 sites still use the outdated protocols. TLS 1.3 was released in 2018. Shortly thereafter, Mozilla, Google, Apple, and Microsoft announced that they would end support for the older versions of TLS in 2020.

Note: Make sure your sites and your business partner sites support TLS 1.2 so these changes will be transparent. Leverage services like SSLReports to check and give you a report on your public-facing sites.

Read more in: Browsers to block access to HTTPS sites using TLS 1.0 and 1.1 starting this month

UK’s ICO Fines Cathay Pacific Over Data Leak. The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways £500,000 (US $647,000) for a data leak that went undetected for four years. The issue exposed personal data of 9.4 million Cathay Pacific customers between 2014 and 2018. The ICO says that during that time, Cathay Pacific systems were inadequately protected.

Read more in:

“Let’s Encrypt” Removes Deadline for Revoking Certificates Over CAA Code Problem. Last week, certificate authority (CA) Let’s Encrypt discovered a bug in its Certification Authority Authorization (CAA) code. The organization initially set a deadline of March 4 for administrators to replace affected certificates before it would begin revoking those that had not been replaced. On Wednesday, March 4, Let’s Encrypt said it would revoke the 1.7 million certificates it knows have been replaced as well as 445 certificates it has deemed high priority. They have not set a revocation deadline for the remaining certificates, noting that it will “revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users.”

Note: Let’s Encrypt is also concerned that the balance of the bad certificates will not be replaced. As the certificates are issued for only 90 days, non-updated certificates will expire. You can check the status of your certificates at checkhost.unboundtest.com: Check whether a host’s certificate needs replacement

Read more in:

Netgear Releases Firmware Updates to Fix Router Vulnerabilities. Netgear has made firmware updates available to address a critical remote code execution vulnerability affecting its Wireless AC Router Nighthawk (R7800). Netgear has also warned of 24 additional security issues affecting Nighthawk devices; two of those are rated high severity. Those flaws are both post-authentication command injection issues. One affects the same Nighthawk model R7800, and the other affects “five router models within the R6400, R6700, R6900 and R7900 SKUs and that are running specific vulnerable firmware.”

Note: In a world of cheap hardware and scarce knowledge, skills, abilities, and experience, simply replacing flawed wireless access points is often more efficient than trying to fix them.

Read more in:

Epiq Ransomware Attack. Computer systems at Epiq Global, a legal services and e-discovery company, became infected with ransomware on February 29, 2020. The company decided to take its systems offline to prevent the malware from spreading further. Clients have been unable to access e-discovery documents. Tech Crunch reported that an unnamed source said the infection affected all of Epiq’s 80 offices. It appears that in December 2019, Epiq’s systems became infected with TrickBot malware, which was used as a means for the Ryuk ransomware to infiltrate the systems.

Read more in:

West Virginia Will No Longer Use Voatz Mobile Voting App. West Virginia’s Office of the Secretary of State has announced that it will no longer use the Voatz mobile voting app. West Virginia piloted the app in the 2018 general election, allowing voters living overseas to cast their ballots with the help of their mobile devices. The decision comes in the wake of reports that found “fundamental flaws” in the Voatz app. West Virginia has not ruled out using Voatz in the future if the security concerns are addressed.

Note: Good decision by West Virginia, and other states should follow their lead. Not because we know the Voatz app is not secure, but because Voatz hasn’t provided the level of transparency needed to make that critical decision.

Read more in:

Cisco Issues Fixes for Webex Flaws. Cisco has released updates to address multiple remote code execution vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. The issues “are due to insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF).”

Note: These flaws are specific to their recordings player on Windows; the update is bundled with the Webex meetings client software. Current supported versions have the fix.

Read more in:

The headline on 03 Mar 2020

GhostCat Vulnerability Affects Apache Tomcat Servers (Important to Act Now). A vulnerability in the Tomcat AJP protocol can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because it has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.

Note:

  • This vulnerability got a bit “lost” between RSA and Coronavirus. It should have received much more attention as exploitation is underway. Multiple proof of concept exploits are available.
  • The exploit requires the AJP connector to be enabled and its port, often 8009, accessible. Apply updates where Tomcat was explicitly installed. Where Tomcat is bundled with applications, you’ll need to wait for the supplier to provide an update. Mitigations include disabling AJP if you’re not using the service, or restricting access to port 8009. If you are using it, enable the required Secret attribute to require authenticated connections.
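An added example, not from the original item or from the Tomcat project, of what the mitigations in the note above look like in Tomcat’s conf/server.xml: the pre-fix AJP connector beside the hardened forms. The address 10.0.0.5 and the secret value are constructed placeholders.

```xml
<!-- BEFORE (Tomcat older than 9.0.31 / 8.5.51 / 7.0.100): the AJP connector listens on
     every interface on port 8009 with no shared secret, so any host that can reach
     the port can talk AJP to Tomcat. This is the exposure the note describes. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Mitigation 1: AJP is not used at all. Delete (or comment out) the connector so
     nothing listens on 8009; there is then nothing to restrict. -->

<!-- Mitigation 2: AJP is used by a reverse proxy on the same host. After updating to
     9.0.31 / 8.5.51 / 7.0.100 or later, bind to loopback only and require the shared
     secret. In those releases secretRequired defaults to true, so a connector with no
     secret refuses to start; the value here is a placeholder, use a long random string. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />

<!-- Mitigation 3: the proxy runs on another host (constructed address 10.0.0.5). Keep the
     secret, bind only to the internal interface, and firewall 8009 to the proxy's address
     as well, so the secret is a second layer rather than the only one. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="10.0.0.5"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
```

The proxy must present the same secret; for Apache httpd this is the `secret=` worker parameter on the `ProxyPass` line for mod_proxy_ajp, which assumes httpd 2.4.42 or later.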

Read more in:

WordPress Plugin Flaws Are Being Actively Exploited. Hackers have been exploiting vulnerabilities in several WordPress plugins. Updates are available to address flaws in the Duplicator, Profile Builder, ThemeGrill Demo Importer, Flexible Checkout Fields for WooCommerce, Async JavaScript, 10Web Map Builder for Google Maps, and Modern Events Calendar Lite plugins. Attackers have also been exploiting a vulnerability in ThemeREX Addons; there is currently no update available to address this flaw, and users are urged to remove the plugin from their sites.

Note:

  • If you need to run WordPress: Let WordPress.com run it for you. It appears to be the WordPress business model to make the software impossible to run securely on your own unless you spend a lot of effort or run a very limited, stripped-down version.
  • Don’t just disable unused plugins, remove them so the vulnerable code is deleted from your server. Check your site for new admin accounts, and unexpected content, particularly .php and .zip files in /wp-content/uploads/. Also, make sure you have regular backups of both your site and its database so you can roll back if needed.
  • Application managers and developers are responsible for the quality of all included code, without regard to its source. “Plugins” rarely come with any representation or measure of quality.

Read more in:

RSA: FBI Special Agent Talks Ransomware. At the RSA Conference in San Francisco last week, Joel DeCapua, FBI special agent in the Global Operations and Targeting Unit, told an audience that victims of ransomware have paid more than $140 million over the past six-and-a-half years. That figure accounts only for ransom demands paid in bitcoin. DeCapua also said that the initial vector of intrusion for about three-quarters of ransomware attacks is Remote Desktop Protocol (RDP).

Note:

  • Only expose the RDP service to the Internet by exception on systems sufficiently configured for the service, including strong authentication, active monitoring, and patching. Better still, require a VPN before allowing RDP access.
  • Other speakers suggested the main source of ransomware is phishing. Strong authentication schemes are better than any kind of passwords in resisting either RDP or phishing.

Read more in: Ransomware victims are paying out millions a month. One particular version has cost them the most.

Redcar and Cleveland Council Still Recovering from Ransomware. A ransomware attack hit servers in the UK council of Redcar and Cleveland more than three weeks ago; residents are still unable to access online services. One councilor said they were told recovery would take several months and cost between £11 million and £18 million (US $14 million and $23 million).

Note:

  • Time to recover includes impacts of deciding to rebuild or repair impacted systems, as well as experience with recovery from DR media. When planning for ransomware, don’t forget to include active exercises rebuilding systems to assure those processes work in a timely fashion.
  • We need to accept that there is no guarantee our preventive controls will detect and prevent a ransomware attack. Having an effective BCP can minimize the impact of many ransomware attacks. This story reinforces that stance and the adage “Fail to prepare, prepare to fail.”

Read more in:

RailWorks Ransomware Attack. RailWorks Corp., a railroad track and transit system provider, suffered a ransomware attack in late January 2020. The breach may have compromised personally identifiable information of current and former employees as well as their beneficiaries and dependents; the company has begun notifying affected individuals.

Read more in:

Hackers Target Visser Precision with Ransomware and Steal Data. A “cybersecurity incident” at Visser Precision, a maker of custom parts for companies in the automotive, aerospace, and other industries, is believed to be a ransomware attack. The attackers also stole data belonging to its business partners, and have reportedly already posted some of the stolen documents.

Walgreens App Bug Exposed Users’ Personal Messages. A privacy issue in the secure messaging feature of the Walgreens mobile app (Android and iOS) exposed users’ information to other users. The bug allowed some users to view others’ messages, which included some health-related information, for several days last month. Walgreens became aware of the issue on January 15, 2020. It has since been fixed. Walgreens operates more than 9,000 drugstores across the US.

Network Rail/C3UK Data Leak. A database maintained by Internet service provider C3UK was found to be unprotected, exposing information belonging to roughly 10,000 people who used the company’s wi-fi service at railway stations. C3UK is a contractor for Network Rail, which owns and manages the infrastructure of most of the railway network in Great Britain.

Note: While this was a backup, not the full production database, it still included email addresses, gender, mobile device OS information, as well as travel reason, which was intended to be used for targeted advertising. Think twice about the amount of information requested to use free services.

Munson Healthcare Group Data Security Incident. Hackers gained access to email accounts of at least two employees at Munson Healthcare Group in Michigan between July 31 and October 22, 2019. The breach was not detected until January 16, 2020. The compromised accounts had access to patient data, including names, financial account information, Social Security numbers, and insurance, diagnostic, and treatment information. Munson Healthcare operates nine hospitals in Northern Michigan.

Note: It is this kind of continued fraudulent reuse of compromised credentials that strong authentication is designed to resist.

Pro Publica Examines Security of Election-Related Websites. Pro Publica found that at least 50 election-related websites in the US have serious security issues. Some of the sites are running on software that dates back to 2003, some have inadequate encryption, and some contain unnecessary software. The election-related sites provide voters with information about where to vote and how to register, and they publish election results. None of the sites Pro Publica examined had reported cyberattacks.

Note: “Unnecessary software,” including operating system code, is a significant source of vulnerability. Such software often increases the attack surface of systems and applications by more than ten times. This code is often included without any thought being given to its provenance or quality.

Read more in: Some Election-Related Websites Still Run on Vulnerable Software Older Than Many High Schoolers

Published by Thomas Apel, a dynamic and self-motivated information technology architect with a thorough knowledge of all facets of system and network infrastructure design, implementation and administration. I enjoy the technical writing process, including answering readers' comments.