Information and Cyber Security News Headline Updated on 18 Apr 2020

The headline on 18 Apr 2020

GAO Report: Department of Defense Needs to Renew Focus on Cyber Hygiene. A report from the US Government Accountability Office (GAO) says that the Department of Defense (DoD) has either abandoned or stopped keeping track of many of the cyber hygiene goals the agency set for itself in 2015. GAO makes seven recommendations for DoD, several of which focus on assigning responsibility for implementation of cyber hygiene tasks.

Note: One line in this 54-page report captures the glaring problem: “The department does not know the extent that cyber hygiene practices have been implemented to protect DOD networks from key cyberattack techniques.” Importantly, DoD CIOs stated they did not know they were responsible for implementing and monitoring the key Cybersecurity Culture and Compliance Initiatives (DC3I). One reason for this: the report notes that in December 2016, the DoD moved responsibility for DC3I implementation and oversight from the US Cyber Command to the DoD CIO office as part of implementing the November 2014 DOD Directive 5144.02 that said the DoD CIO office had overall cybersecurity responsibility. While I think there has been a lot of progress at the DoD working levels, it looks like over the transition of Presidential administrations, the transition of responsibility for DoD cybersecurity at the top didn’t happen.

Read more in:

The Pentagon Hasn’t Fixed Basic Cybersecurity Blind Spots

Watchdog finds the Pentagon is behind on several cybersecurity initiatives

GAO Rakes DoD Over Cyber Hygiene Implementation

DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (Highlights) (PDF)

DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (PDF)

Texas Judge Approves Mail-in Voting for Anyone Who Requests It. Despite the Texas Attorney General’s insistence that concerns about the COVID-19 pandemic would not qualify as a reason to request a mail-in ballot in that state, a Texas District Judge said he will issue a temporary injunction that will allow registered voters in that state to request mail-in ballots. In Texas, absentee ballots are limited to individuals with a disability that prevents them from voting in person.

Note: So called “computer scientists” (you know who you are) are projecting security requirements onto online voting that are very difficult to meet. They have made the perfect the enemy of the good. Some of these requirements will have to be relaxed to meet the emerging requirement for “travel and date free” voting. We cannot achieve risk free online voting but we can achieve “good enough,” perhaps equal to what we now do with mail, signatures, rubber stamps, and double envelopes. The good enough systems will be diverse and multi-step, to include registration, distribution of ballots, recording of votes, return of ballots, early tabulating and reporting, and late auditing and certifying of the results. It is time to stop carping and to begin designing and implementing.

Read more in:

Texas judge OKs expanded mail-in voting during COVID-19 pandemic

Texas AG: Fear of COVID-19 not a qualifying reason to receive absentee ballot

Air Force Bug Bounty Program Found More Than 460 Vulnerabilities. A US Air Force bug bounty program that ran last fall turned up more than 460 security issues in the Air Force Virtual Data Center. The remote challenge ran from October 23-November 20, 2019; there was a one-day live element on November 7, 2019.

Read more in:

Over 460 Vulnerabilities Resolved in Tenth Bug Bounty Challenge with U.S. Department of Defense Thanks to Hackers on HackerOne

Ethical hackers find hundreds of vulnerabilities during latest Air Force bug bounty

U.S. Air Force Successfully Hacked By ‘Battalion’ Of 60 Hackers

Linksys Forces Password Reset. Linksys locked all SmartWiFi user accounts on April 2, 2020, after discovering that hackers were breaking into Linksys and D-Link routers and changing their DNS settings to redirect them to malicious sites. The attackers accessed the routers using credential-stuffing attacks. Users need to reset their passwords to regain access to their accounts.

Note: When users reset their Linksys accounts, it triggers a check of all their associated Linksys devices and alerts the users if any of their DNS settings were compromised. Of note, there was some confusion about the account reset notification sent. The legitimate email comes from subscribermangement@linksys-email.com rather than a linksys.com email address.

Read more in:

Linksys forces password reset for Smart Wi-Fi accounts after router DNS hack pointed users at COVID-19 malware

Linksys asks users to reset passwords after hackers hijacked home routers last month

Google Removes Malicious Chrome Extensions From Web Store. Google has pulled nearly 50 malicious extensions from the Chrome Web Store. These bad apps were pretending to be legitimate cryptocurrency wallet apps, but actually stole cryptowallet keys and other sensitive information.

Note: A key element of the world recovering from the COVID-19 virus is testing, and a critical part of making widespread testing work will be cellphone apps used for demonstrating an individual’s testing status and tracing possible contacts if someone is found to be infected. Google and Apple need to really step up the security of apps and extensions that make it through their testing. Longer times for most apps and extensions to come out of the process are worth it now to significantly elevate the trust/safety level of phones for this coming critical use. Google and Apple are already working together on the tracing side of the problem. A joint effort on radically reducing “badware” that gets through their testing regimes should be a key part of that.

Read more in:

Another day, another Google cull: Chocolate Factory axes 49 malicious Chrome extensions from web store

Exclusive: Google removes 49 Chrome extensions caught stealing crypto-wallet keys

Malicious Google Web Extensions Harvest Cryptowallet Secrets

Patch Tuesday. On Tuesday, April 14, Microsoft released fixes for more than 100 security issues in Windows and related software. Nineteen of the flaws are rated critical, which means they can be remotely exploited to gain control of vulnerable machines with no user interaction. Three of the vulnerabilities addressed in the update are being actively exploited: two remote code execution flaws in Adobe Font Manager Library, and a remote code execution flaw in Internet Explorer. Adobe released fixes for vulnerabilities in ColdFusion, After Effects, and Digital Editions.

Read more in:

Microsoft April 2020 Patch Tuesday

Microsoft Patch Tuesday, April 2020 Edition

Don’t Panic, but do make this month’s Patch Tuesday a priority

April 2020 and – rest assured – your Windows PC can still be pwned by something so innocuous as an unruly font

Adobe Fixes ‘Important’ Flaws in ColdFusion, After Effects and Digital Editions

Security Bulletins Posted

Security Update Guide

Zoom Brings in Help to Address Security Issues. Zoom is calling in experts to help it address security and privacy concerns. With millions of people working at home during the COVID-19 epidemic, Zoom’s popularity has ballooned. It has also been subjected to greater scrutiny by both hackers and security experts, who have unearthed a number of security and privacy issues. The company has hired numerous security consultants, many of whom are former privacy and security experts from other high-profile tech companies. (Please note that the WSJ story is behind a paywall.)

Note:

  • Zoom’s CEO publicly apologized for “falling short” on security and privacy and Zoom has taken a lot of important steps to improve. But, they aren’t the only video conferencing approach in use and we know attackers are going after them all. SANS is doing a series of webinars on the key elements to making sure all remote work is done as securely as possible that you can access at www.sans.org/webcasts/.
  • There is a lot of FUD around Zoom, and rather than drop it like a hot potato, consideration needs to be given to implementing it securely and applying fixes as they come out. Before jumping to another solution, careful analysis of the security, user experience, and transition costs need to be performed.

Read more in:

Zoom Hires Security Heavyweights to Fix Flaws (paywall)

Amid Security Concerns: to Zoom or not to Zoom?

Czech Republic Cybersecurity Body Warns of Attacks in Healthcare Sector. The Czech Republic’s central government cybersecurity body has issued a warning that cyberattackers may be targeting healthcare organizations in that country. The Czech health ministry said it had detected and stopped cyberattacks against hospitals. In a separate story, an FBI official said that hackers who appear to be working with the backing of foreign governments are breaking into systems that belong to companies working on COVID-19 research.

Read more in:

Czechs on alert over hospital cyberattacks

FBI official says foreign hackers have targeted COVID-19 research

European Energy Company Faces Ransomware Demand. Systems at European energy company Energias de Portugal (EDP) were hit with ransomware on Monday, April 13, 2020. The Lisbon-based company says it is working with authorities regarding the attack. The operators of the Ragnar Locker ransomware are threatening to publish or sell data stolen from the company if it does not pay the 1,580 bitcoin (€10.3 million, US $11.2 million) demand.

Note: It is very late to be seeing so many successful extortions based on weak cyber security. Raise the cost of attack against your systems and improve your resilience. The bad news is that you need to raise the cost of attack about ten-fold to be effective. The good news is that you are on the flat part of the security cost curve where you can get a big bang for your bucks. Lack of budget is not an excuse; there is always money for that which must be done. Ask for it over and over until you get it. That is called “your job.”

Read more in:

Energy Giant EDP Hit With €10 Million Ransomware Threat

RagnarLocker ransomware hits EDP energy giant, asks for €10M

Ragnar Locker’s well-conceived ransomware attack on Energias de Portugal

Immunity Passports. Several countries have begun floating the idea of an “immunity passport,” which would certify that someone is immune to COVID-19. Not only does the idea raise a number of security and privacy issues, but there are still unknowns about immunity to this particular virus.

Note: I carry an immunization record with me when traveling internationally, typically a paper form, as well as a digital backup, to be surrendered for examination by border control based on the risk of your origin point, or verification that you meet local mandatory immunization requirements. While COVID-19 changes those factors, the bigger issue is having an internationally recognized indicator of immunity to COVID-19.

Read more in:

Post Pandemic, Technologists Pose Secure Certification for Immunity

Is it too soon for a “CoronaPass” immunity app?

PoetRAT Targeting Organizations in Azerbaijan. A new remote access Trojan (RAT) that is being called PoetRAT is targeting organizations in Azerbaijan. According to Cisco Talos, “the malware was distributed using URLs that mimic some Azerbaijan government domains.” Once they gained access to a system, PoetRAT operators used additional tools, including keystroke loggers, password stealers, and “a tool used to monitor the hard disk and exfiltrate data automatically.”

Read more in:

PoetRAT Uses Covid-19 Lures To Attack Azerbajian

New PoetRAT Hits Energy Sector With Data-Stealing Tools

Microsoft Will Extend Support for Windows 10 1809. Microsoft is extending support for Windows 10 1809 and Windows Server 1809. The original end-of-service date, May 12, 2020, has been pushed back to November 10, 2020. Microsoft has recently extended end-of-service dates for several other products, including Windows 10 1709, Configuration Manager 1810, SharePoint Server 2010, SharePoint Foundation 2010, and Project Server 2010. Microsoft made the decision to extend support “to help people and organizations focus their attention on retaining business continuity.”

Read more in:

Lifecycle changes to end of support and servicing dates

Microsoft Extends Windows 10 Support as #COVID19 Rages

Microsoft throws extended support lifeline for folk stuck on car-crash Windows 10 1809

The headline on 15 Apr 2020

CISA Releases Temporary Telework Security Guidance. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued temporary telework guidance “to help agencies leverage existing resources to secure their networks” as the number of federal employees working from home has increased. The Trusted Internet Connections 3.0 Interim Telework Guidance has five security objectives: manage traffic, protect traffic confidentiality, protect traffic integrity, ensure service resilience, and ensure effective response.

Note:

  • While this guidance is set to expire at the end of 2020, and is U.S. Government focused, it provides an approach to accessing cloud and on-premise services with sufficient visibility to ensure security and compliance requirements are met, irrespective of your industry or having a formal TIC.
  • The Trusted Internet Connect 3.0 update is still in draft but added a lot of much-needed flexibility to make it clear how agencies can do remote user access and use cloud services and still stay secure and stay compliant. Between the Managed Trusted Internet Protocol Services (MTIPS) offered by TIC ISPs on the government EIS and other contracts, and the numerous FedRAMP certified cloud-based Security as a Service offerings, government agencies have both guidance and options to make long lasting improvements in both security and productivity for remote work forces.

Oracle’s Quarterly Critical Patch Update – 405 Bugs. Oracle will release its quarterly Critical Patch Update on Tuesday, April 14. It addresses more than 400 vulnerabilities in a range of products. Of those, 286 are remotely exploitable.

Note: This update offers another chance to validate your ability to regression test and patch remotely, including teleworker systems. With the current enhanced remote-work state, regression testing is emphasized as in-person assistance for remediation is more complicated, if not impossible. Postponing updates is sub-optimal as we are seeing increases in malfeasance by those taking advantage of the current situation.

Criminal Ransomware Group Publishes Data Stolen from Industrial Contractor. Cybercriminals have posted data stolen from Visser Precision, a company that manufactures parts for the aerospace, automotive, industrial, and manufacturing industries. Visser’s systems were infected with ransomware earlier this year, but the company did not pay the ransom. The leaked data belong to a number of companies, including Tesla, Boeing, Lockheed Martin, and SpaceX.

Read more in: Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay

San Francisco Airport Website Compromised to Steal Device Credentials. Two San Francisco International Airport websites were infected with data-stealing malware last month. The hackers may have obtained the login credentials for devices belonging to some people who used the sites while they were infected. Users potentially affected by the malware are those who accessed the sites from outside the airport network using Internet Explorer on a Windows device or on a device not maintained by the airport. The malicious code has been removed from the sites, and the airport forced a reset for email and network passwords on March 23.

Note: Travelers should be aware that airports are targets of miscreants and vulnerabilities for the traveler. Airport (WiFi) networks, websites, and (USB 5v) power should be used with caution. Prefer cellular broadband and battery power.

Card Skimmers Target WooCommerce WordPress Plugin. Cybercriminals have been using JavaScript malware to skim payment card details from websites running a WordPress plugin called WooCommerce. In a separate story, the prevalence of online card skimming is rising, likely due to the increase in online shopping related to COVID-19. Data collected by Malwarebytes shows a 26 percent increase in online card skimming between February and March of this year.
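A skimmer of this kind works by changing JavaScript that the shop already serves, so one of the cheapest defensive checks is a file-integrity baseline of the site's script and PHP files. The script below is an added example written for this item, not code from Malwarebytes, WooCommerce or WordPress: it hashes a directory tree, compares the result against a stored baseline, and reports added, removed and modified files. The directory layout, file contents and the "tampering" it simulates are constructed inside a temporary directory so the example runs offline.

```python
"""File-integrity baseline check for a web root (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# File types worth baselining on a WordPress/WooCommerce install (assumption).
WATCHED_SUFFIXES = (".js", ".php", ".html")


def hash_tree(root, suffixes=WATCHED_SUFFIXES):
    """Return {relative_path: sha256_hex} for every watched file under root."""
    root = Path(root)
    digest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            digest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digest


def compare_baseline(baseline, current):
    """Diff two hash maps; any 'modified' or 'added' script deserves a look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(digest, path):
    Path(path).write_text(json.dumps(digest, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed mini site, baseline it, then simulate a script injection."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        js_dir = site / "wp-content/plugins/woocommerce/assets/js"
        js_dir.mkdir(parents=True)
        checkout = js_dir / "checkout.js"
        checkout.write_text("// constructed placeholder for the plugin's checkout script\n")

        # Take the baseline while the tree is known-good and store it out of the web root.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(site), baseline_file)

        # Constructed tampering: content appended to the checkout bundle, plus a new
        # script dropped into the uploads directory.
        checkout.write_text(checkout.read_text() + "// constructed: extra content appended\n")
        (site / "wp-content/uploads").mkdir()
        (site / "wp-content/uploads/stats.js").write_text("// constructed new file\n")

        return compare_baseline(load_baseline(baseline_file), hash_tree(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site the baseline is taken right after a clean install or plugin update and kept outside the web root, and the comparison runs on a schedule; every update legitimately changes hashes, so re-baseline as part of the update procedure rather than ignoring alerts.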

Note:

  • Judicious review of third-party applications, including plugins for your content management site, is prudent. Payment card processing plugins remain a popular target, particularly with the current world crisis. Beyond keeping plugins updated, make sure that your site and servers are also secured to prevent alternate avenues of attack. Remove unused administrative accounts, ensure strong authentication is used on active accounts, uninstall unused plugins.
  • This is only one more of many vulnerabilities in WordPress plugins. Most WordPress plugins come without any measure or warranty of quality and should be used only with risk assessment, scrutiny, and maintenance.
  • Because of the problems Murray and Neely point out, along with the fact that most WordPress users have no IT or cybersecurity expertise, WordPress and its content management system competitors have been the primary vector by which important organizations (including large numbers of city and state agencies and major non-profits) have been compromised.

Police in Netherlands Take Down DDoS-for-Hire Sites, Arrest Alleged Attacker. Police in the Netherlands have arrested a man in connection with distributed denial-of-service (DDoS) attacks against government websites there last month. Police also took down 15 DDoS-for-hire (also known as stresser or booter) websites over the course of one week.

Note: Good to see take-downs of malicious web sites and “attacks as a service” sites now, when everyone is much more dependent on online services. Even better to see ISPs turn on “cleaner pipe” services for free during these times.

VMware Releases Fix for Critical Vulnerability in vCenter Server. VMware has released a fix for a critical vulnerability in its VMware vCenter Server. The flaw has been given a CVSS rating of 10.0. The flaw, which lies in VMware’s Directory Service (vmdir), could be exploited to bypass authentication measures and gain access to sensitive information.

Note: Read the VMware security advisory for specifics on applicability of the vulnerability. The fix is to update affected 6.7 installations to 6.7u3f.

Zoom to Allow Paying Users to Choose Meeting Traffic Routing. Starting Saturday, April 18, users who pay for the Zoom videoconferencing platform will be able to choose which data center regions their meeting traffic travels through. Users will not be able to opt out of their default data center region, which is where their account is provisioned. Zoom’s current data center regions are the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.

Note:

  • There was once a myth that “cloud makes location obsolete.” It has never been true. For many reasons, location of data centers still matters. All the major enterprise-class Software as a Service and Infrastructure as a Service providers have offered data center location selection (not always for free). It is good to see Zoom listening to enterprise needs and following suit. Zoom also continues to release security improvements – important to keep up with them and ratchet up the safety of your use of Zoom.
  • Zoom is not the only video teleconference (VTC) service which routes through distributed data centers. While the primary focus for VTCs should be secure meeting configuration, if you are covering information with location or export controls, the region needs to be appropriate to avoid penalties.
  • The leakage of video conferencing traffic in the network is a potential risk, but for most applications and environments, this risk does not compare to the risk of improper settings and misuse.

Dell Releases BIOS Attack Detector Tool. Dell has debuted a tool that can detect attempts to modify a device’s BIOS component. The SafeBIOS Events & Indicators of Attack tool will allow admins to isolate computers that may have been compromised.

Google Temporarily Re-enabling FTP in Chrome. Google has decided to re-enable support for FTP in Chrome on the stable channel so users will not run into difficulties accessing information during the COVID-19 crisis. Google disabled support for FTP in Chrome 81, which was released to the stable channel less than a week ago.

Note: FTP has been broken and a vulnerability for a generation. It is an orphan. There is hardly anything legitimate that is not available via an alternate service. Its inclusion in already porous browsers is one more reason to prefer application-specific clients.

DESMI Acknowledges Cyber Attack. A Danish company that manufactures pumps for a variety of industries was hit with a cyberattack last week. All IT systems at DESMI were shut down and are now in the process of being restored with the help of third party experts. DESMI has reported the incident to authorities and police.

The headline on 11 Apr 2020

US and UK Issue Joint Advisory on COVID-19-Related Cyber Attacks. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) have issued a joint advisory warning of an increasing volume of cyberattacks exploiting the spread of COVID-19. Cybercriminals have been sending phishing emails that pretend to come from the World Health Organization or claim to be offering medical equipment.

Note:

  • The joint advisory covers 4 vectors of observed attacks taking advantage of the current coronavirus situation: (1) Phishing; (2) Targeted Malware; (3) Registration of phony domain names; and (4) Attacks against VPNs, RDP and remote access in general. There are individual news items in this issue of Newsbites on each area with more detailed comments, but the overall theme should be: crank security up a notch – now is the time to risk more false positives until your organization’s work and IT processes/temporary architectures have stabilized. SANS continues to add resources to the free Security Work-From-Home Awareness Deployment kit at www.sans.org and there are daily webcasts on the topic at www.sans.org: Webcasts
  • The CISA bulletin includes fairly comprehensive lists of attacks seen, IOCs, mitigations as well as resources to help mitigate the risks of COVID-19 related malfeasance.

Interpol Warning of Malware Threat to Organizations Involved in COVID-19 Response. Interpol is warning organizations that are helping with the response to COVID-19 that they are being targeted by ransomware. Interpol has also issued a Purple Notice to inform police in its 194 member countries about the increased threat of ransomware against hospitals and other organizations.

Note: Employees working at home are very unlikely to be rigorous about backing up any newly created information they might develop on their home PCs. Guidance on existing or temporary (such as using cloud storage capabilities of corporate Office365/Dropbox etc. services) should be pushed out.

More People Working From Home Has Increased Remote Desktop Protocol Internet Exposure. Hackers are taking advantage of the increased exposure of the remote desktop protocol (RDP) due to people working from home. In late March, Shodan noted an increase in exposed RDP services. If RDP is going to be exposed to the Internet, it should be carefully configured.
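"Carefully configured" includes watching the logs. As an added example for this item (not code from the page, Shodan or Microsoft), the Python script below reads constructed Windows Security log records for RDP logons, where event 4625 is a failed logon, 4624 a successful one and logon type 10 marks RemoteInteractive (RDP) sessions. It raises an alert when one source address accumulates a burst of failures inside a sliding window, and a higher-priority alert when that same address later logs on successfully. The line format, threshold, window and addresses are assumptions for the example.

```python
"""Detect password-guessing against an exposed RDP service from logon events
(added example; log lines below are constructed, not real captures)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed flat export format for Windows Security events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = 10  # RemoteInteractive
FAILED, SUCCESS = 4625, 4624

# Constructed sample: one address cycles through accounts until a logon succeeds;
# a second address is an ordinary user who mistyped once.
SAMPLE_LOG = [
    "2020-04-10T02:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "2020-04-10T02:00:05Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=203.0.113.7",
    "2020-04-10T02:00:09Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "2020-04-10T02:00:12Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.9",
    "2020-04-10T02:00:17Z EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7",
    "2020-04-10T02:00:25Z EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7",
    "2020-04-10T02:00:30Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.9",
    "2020-04-10T02:00:33Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2020-04-10T02:00:41Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "2020-04-10T02:00:50Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
]


def parse_event(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_attacks(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of RDP failures per source, plus success-after-failures."""
    failures = defaultdict(deque)  # ip -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # skip malformed lines and non-RDP logon types (SMB, service, ...)
        ip = ev["ip"]
        if ev["event_id"] == FAILED:
            recent = failures[ip]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent)))
        elif ev["event_id"] == SUCCESS and ip in flagged:
            # The most urgent signal: a guessing source eventually got in.
            alerts.append(("success-after-failures", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_LOG):
        print(alert)
```

The same logic ports directly to a SIEM rule; the point of the second alert type is that a successful logon from a source that was just guessing should be triaged ahead of the failure volume itself. Note that the logon-type filter is what keeps network (type 3) failures from the same address out of the RDP count.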

Note:

  • Last year Johannes Ulrich and the SANS Internet Storm Center posted a good writeup about RDP security – it was focused on the Bluekeep vulnerability but has good general-purpose advice for reducing the risk if you have to use RDP. isc.sans.edu: An Update on the Microsoft Windows RDP “Bluekeep” Vulnerability (CVE-2019-0708) [now with pcaps]
  • Having users connect to a VPN or other security gateway first, which they then use to access an RDP session, protects the RDP server from direct attacks. Exposing port 3389 to the Internet creates a highly attractive target. Additionally, ensure that strong (e.g. multi-factor) authentication is required before access is granted to prevent the use of discovered credentials. Follow security best practice guides. Implement monitoring and alerting for awareness of unexpected activities. Whether or not you can change your implementation, verify that your security monitoring and controls implemented are working.
  • Connect to applications, not “desktops.” Prefer end-to-end application-layer encryption. Prefer the production of work product on enterprise owned and managed systems; employee-owned computers should be used only for the remote operation of enterprise applications.

Suspected Malicious Domains Suspended. UK domain name registry Nominet has suspended the registration of about 600 websites due to concerns that they may be designed to spread COVID-19 misinformation or to sell phony products. Rather than waiting until a domain has been reported as malicious, Nominet is scrutinizing websites with names that contain COVID-19-related strings. Nominet does this with the help of its Domain Watch initiative, which uses both automated and manual checking for suspicious domains.
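The automated half of that kind of screening is a name classifier. The Python below is an added example written for this item, not Nominet's Domain Watch code: it normalizes a newly registered name (separators stripped, common digit-for-letter substitutions undone), flags names containing pandemic-related terms, and escalates to human review when product or donation lure words also appear. The term lists, allowlist and sample domains are constructed assumptions, and the example deliberately includes a benign name ("coronado") that substring matching catches, which is why the output is a queue for reviewers rather than an automatic suspension.

```python
"""Keyword screening of newly registered domain names (added example, constructed lists)."""
import re

# Constructed watch terms; not Nominet's list.
PANDEMIC_TERMS = ("covid", "coronavirus", "corona", "ncov", "pandemic", "quarantine")
# Words that, alongside a pandemic term, suggest a product, cure or donation lure.
LURE_TERMS = ("test", "kit", "cure", "free", "relief", "fund", "donate", "mask", "ppe", "vaccine")
# Constructed allowlist of registrable names a reviewer has already cleared.
ALLOWLIST = {"corona-brewing-co"}

# Undo digit/symbol-for-letter substitutions so "c0vid" compares as "covid".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a"})


def normalize(name):
    """Lower-case and drop separators so 'covid-19' and 'covid19' compare alike."""
    return re.sub(r"[-_.]", "", name.lower())


def classify_domain(fqdn):
    """Return the matched terms and a verdict: allowlisted, ignore, watch or review."""
    labels = fqdn.lower().rstrip(".").split(".")
    name = "-".join(labels[:-1])  # everything left of the TLD (assumes a single-label TLD)
    if name in ALLOWLIST:
        return {"domain": fqdn, "terms": [], "lures": [], "verdict": "allowlisted"}
    # Check both the plain and the de-leeted form of the name.
    forms = {normalize(name), normalize(name.translate(LEET))}
    terms = sorted({t for t in PANDEMIC_TERMS if any(t in f for f in forms)})
    if not terms:
        return {"domain": fqdn, "terms": [], "lures": [], "verdict": "ignore"}
    lures = sorted({t for t in LURE_TERMS if any(t in f for f in forms)})
    verdict = "review" if lures else "watch"
    return {"domain": fqdn, "terms": terms, "lures": lures, "verdict": verdict}


def classify_all(domains):
    return [classify_domain(d) for d in domains]


# Constructed sample of a day's registrations.
SAMPLE_DOMAINS = [
    "covid-19-test-kits.co.uk",
    "c0r0navirus-cure.example",
    "pandemic-recipes.example",
    "coronado-beach-rentals.example",   # benign; substring match on "corona"
    "corona-brewing-co.example",        # previously reviewed and allowlisted
    "weather-report.example",
]

if __name__ == "__main__":
    for result in classify_all(SAMPLE_DOMAINS):
        print(f"{result['verdict']:<12} {result['domain']}  terms={result['terms']} lures={result['lures']}")
```

Feeding this a registrar's daily zone-file delta gives a "review" list small enough for a person to open safely (ideally via screenshots, as the ISC classifier mentioned in the notes does) and a larger "watch" list to re-check once the sites have content.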

Note:

  • Help us at SANS Internet Storm Center find some of the scams and phishing sites trying to take advantage of COVID19. We improved our “domain classifier”. It now includes screenshots of the sites so you don’t have to visit them. To help, go to isc.sans.edu/covidclassifier.html. Several domains identified by volunteers have already been shut down.
  • All the registries should be more aggressive and proactive now – kudos to Nominet. Settings in web security gateways should be moved up in aggressiveness and frequency of updates. The OpenDNS (now part of Cisco) Family Shield or Home DNS-based web blocking services are still free, as are similar home-based capabilities from CleanBrowsing.org, Cloudflare and many major security vendors.
  • According to SpyCloud researchers, over 136,000 COVID-19 themed domains have popped up since December 2019. Many are merely placeholder domains for future uses. As few as 22% of these domains use HTTPS. spycloud.com: COVID-19 Themed Domain Dataset

Travelex Paid Ransomware Demand in January 2020. According to a report in the Wall Street Journal, London-based currency exchange Travelex paid a 285 bitcoin (the equivalent of $2.3 million at the time of the payment) ransom to regain access to its systems after a ransomware attack earlier this year. (Please note that the WSJ story is behind a paywall.)

Hammersmith Sending Breach Notifications in Wake of Ransomware Attack. UK-based Hammersmith Medicines Research has begun notifying individuals that their personal information was stolen/compromised in a ransomware attack. The hackers published the stolen data on their website, which has since been taken down. Hammersmith is slated to test potential COVID-19 vaccines.

Read more in: Drug testing firm sends data breach alerts after the ransomware attack

Microsoft Buys Corp.com Domain. Microsoft has agreed to buy the Corp.com domain to keep it out of the hands of potential criminals. The issue is namespace collision, a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Read more in: Microsoft Buys Corp.com So Bad Guys Can’t

Visa: Upgrade Magento. Visa is encouraging online retailers to migrate to the Magento 2.x e-commerce platform before Adobe ends support for Magento 1.x in June 2020. Visa warns that sites that have not migrated to Magento 2.x by the June cutoff date risk exposing payment card information to breaches and will no longer be PCI compliant.

Note: Adobe’s Magento has a history of multiple critical vulnerabilities that are exploited by attackers to steal credit card numbers. Magento 2 was released a few years ago, and support for Magento 1 will end in July. Adobe has given its Magento customers plenty of warning to switch over to Magento 2.

Read more in: Visa urges merchants to migrate e-commerce sites to Magento 2.x

Malicious Website Spoofs Malwarebytes, Spreads Malware. Malicious actors set up a phony Malwarebytes website that attempts to infect visitors’ computers with information-stealing malware known as Raccoon. Malwarebytes’s Threat Intelligence Team examined the phony site’s source code, noting “that someone stole the content from our original site but added something extra.”

xHelper Android Trojan is Persistent. Android malware known as xHelper is proving difficult to get rid of. It spreads by posing as smartphone clean-up and speed-enhancing apps in unofficial app stores, affecting Android 6 and 7 devices in Russia, Europe, and parts of Asia. xHelper stays on devices even after it has been deleted and the factory settings have been restored.

Note: The best protection is to only install apps from the official App Store. Do not enable third-party app stores or side-loading of applications. Keep device hardware and software updated to ensure current protections are in place on your device. You should be running Android 9 or higher. This application obtains root privileges and mounts the root file system read-write so it can be written to persistent storage outside the user area, thus surviving a device reset.

Firefox and Chrome Browser Updates. Mozilla and Google have released a second set of updates for their Firefox and Chrome browsers. The Firefox updates include fixes for six security issues, three high risk, and three moderate risk. Users are urged to update to Firefox 75 and Firefox ESR 68.7. Google’s update for Chrome addresses 32 security issues. Chrome 81 was originally scheduled to be released on March 17, but was delayed until April 7.

Note: The new ESR 68.7 introduces features to use the client certificate store on the Mac and exclude domains from the Trusted Recursive Resolver (TRR) using DNS over HTTPS. Using OS Certificate stores is a win over having to provision certificates to both the OS and the provisioned browser and avoids inconsistencies in trust.

Bisq Cryptocurrency Exchange Temporarily Halts Trading After Theft. The Bisq cryptocurrency exchange temporarily stopped trading after hackers exploited a critical vulnerability and stole $250,000 in Bitcoin and Monero from users. A network update had introduced a flaw that allowed the thieves to direct funds to wallets they controlled. The incident was detected on the evening of Tuesday, April 7; trading resumed the following day.

SEC Settles EDGAR Hack Complaint Against Two Traders. The US Securities and Exchange Commission has settled a complaint against two traders who accessed the SEC’s EDGAR electronic filing system and viewed corporate earnings information before it became public. David Kwon and Igor Sabodakha used that information to make trades. Kwon and Sabodakha have agreed to repay their profits and pre-judgment interest from the illegal trades. Sabodakha has also agreed to pay a civil penalty. (Please note that the WSJ story is behind a paywall.)

The headline on 10 Apr 2020

VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952). Under certain conditions vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0. To remediate CVE-2020-3952 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments. Source: VMware Security Advisories > VMSA-2020-0006

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.