SANS NewsBites

Phony Corona Virus Sites; Phony Certificate Alerts; Dangerous Browser Extensions

March 6, 2020  |  Volume XXII – Issue #19

Top of the News


2020-03-06

World Health Organization: Scammers are Exploiting Coronavirus Fears

The World Health Organization (WHO) is warning that scammers posing as WHO representatives are trying to trick people into sharing their account access credentials or opening malicious email attachments. Scammers have also been sending email that exploits concerns about COVID-19 to spread malware. Researchers note that more than 4,000 coronavirus-related domains have been registered since the beginning of the year; of those, three percent are considered malicious, and another five percent are suspicious.


2020-03-05

Phony Certificate Alerts Spreading Malware

Kaspersky researchers have found that attackers are using fake certificate update warnings to spread malware. When users visit previously infected sites, they see a notification about an expired security certificate. Users are urged to accept the "update," which downloads a file that, when installed, will deliver either the Mokes or Buerak malware.

Editor's Note

When the browsers start blocking sites running outdated SSL/TLS levels, we will see a similar round of phony alerts and attacks.

John Pescatore

With the Let's Encrypt story below and browsers such as Safari raising the bar on certificate security, users are likely to get fooled. They need to know that updates will only come through proper channels.

Lee Neely

2020-03-03

The Long Arm of Browser Extensions

When Blue Shield of California learned that its website had been flagged for serving malicious content, further investigation revealed that the malicious code was the result of an employee's browser extension. The employee had recently edited the website, and the Page Ruler extension for Chrome injected the code in question. The Page Ruler extension was sold several years ago and since then, has been reported for spreading malicious code. Brian Krebs reminds us "that browser extensions -- however useful or fun they may seem when you install them -- typically have a great deal of power and can effectively read and/or write all data in your browsing sessions."

Editor's Note

Avoid browser extensions where possible. They not only may have security risks but may also interfere with updates to security and functionality. Review selected extensions regularly to make sure they are needed, supported, and do what you think they do.

Lee Neely

As we said last week, the managers and the developers of applications are both responsible for the content of all software. So-called "extensions" and "plug-ins" have a bad track record and are difficult to evaluate.

William Hugh Murray


The Rest of the Week's News


2020-03-05

Intel Chip Flaw is Unfixable

Researchers have found another flaw affecting Intel chips. This one affects most Intel chips manufactured within the last five years. While the flaw is not trivial to exploit and Intel has released mitigations that can lessen the damage from exploits, the issue cannot be fixed without physically replacing the chip. The problem lies in the Converged Security and Management Engine (CSME).

Editor's Note

There are no active exploits and exploitation is difficult. Mitigate the risk by applying the updates provided. The flaw impacts the trusted platform module and allows for bypass of their Enhanced Privacy ID (EPID) digital rights management and on-chip encryption system.

Lee Neely

When you look at how easily all the levels of servers and PCs running above the CSME level are compromised, for most enterprises worrying about this is like worrying about a meteorite hitting your house when you don't lock your front doors. However, it does point out that it is always a bad decision to make security an option to turn on after booting up, vs. starting up securely and making it optional to take more risks.

John Pescatore

2020-03-05

Breach Exposed T-Mobile Data

T-Mobile has disclosed a data breach that exposed customers' and employees' personal information. An attack launched against T-Mobile's email vendor gave the attackers access to T-Mobile employee email accounts. Some of those accounts contained customer and employee data.

Editor's Note

Email system compromise is a recurring theme. Implementing multi-factor authentication, strong passwords where used, and disabling legacy protocols that don't support strong authentication are key aids to prevention.

Lee Neely

2020-03-05

EMCOR Discloses Ransomware Attack

Connecticut-based engineering and industrial construction company EMCOR Group has acknowledged that its systems became infected with ransomware on February 15, 2020. EMCOR says it is restoring services but has not disclosed whether or not it paid the ransom demand.


2020-03-04

Browsers to Start Blocking Sites That Use Old TLS Protocols

By the end of this month, most major browsers will be blocking websites that are using TLS 1.0 and TLS 1.1, which date back to 1996 and 2006, respectively. An estimated 850,000 sites still use the outdated protocols. TLS 1.3 was released in 2018. Shortly thereafter, Mozilla, Google, Apple, and Microsoft announced that they would end support for the older versions of TLS in 2020.

Editor's Note

Make sure your sites and your business partner sites support TLS 1.2 so these changes will be transparent. Leverage services like SSLReports to check and give you a report on your public facing sites.

Lee Neely
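An added readiness check for the TLS 1.0/1.1 deprecation described above (example code written for this issue, not from SANS, the editors, or any of the browser vendors): it pins a client connection to one protocol version at a time and records whether the server completes the handshake. Host names passed to `probe()` are assumptions; run it against your own public-facing hosts.

```python
import socket
import ssl

# Versions to probe, oldest first; TLS 1.0 and 1.1 are the ones being blocked.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)
DEPRECATED = PROBE_VERSIONS[:2]
MODERN = PROBE_VERSIONS[2:]


def build_context(version):
    """Client context pinned to exactly one TLS version (cert checks stay on)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def handshake_ok(host, version, port=443, timeout=5.0):
    """True/False if the server accepts/rejects `version`; None when the local
    OpenSSL build or policy will not offer that version, so it is unknown."""
    try:
        ctx = build_context(version)
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # Client-side error: the local security level refused to offer it.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:
        return False


def probe(host, port=443):
    """Map each TLS version to the handshake outcome for host:port."""
    return {v: handshake_ok(host, v, port) for v in PROBE_VERSIONS}


def assess(results):
    """ready = at least TLS 1.2 works; legacy_enabled = 1.0/1.1 still accepted."""
    return {
        "ready": any(results.get(v) for v in MODERN),
        "legacy_enabled": [v.name for v in DEPRECATED if results.get(v)],
    }
```

Call `assess(probe("your-host.example"))` per host; a site is transparent to the browser change when `ready` is true, and anything listed in `legacy_enabled` should be switched off server-side.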

2020-03-04

UK's ICO Fines Cathay Pacific Over Data Leak

The UK's Information Commissioner's Office (ICO) has fined Cathay Pacific Airways £500,000 (US $647,000) for a data leak that went undetected for four years. The issue exposed personal data of 9.4 million Cathay Pacific customers between 2014 and 2018. The ICO says that during that time, Cathay Pacific systems were inadequately protected.


2020-02-29

"Let's Encrypt" Removes Deadline for Revoking Certificates Over CAA Code Problem

Last week, certificate authority (CA) Let's Encrypt discovered a bug in its Certification Authority Authorization (CAA) code. The organization initially set a deadline of March 4 for administrators to replace affected certificates before it would begin revoking those that had not been replaced. On Wednesday, March 4, Let's Encrypt said it would revoke the 1.7 million certificates it knows have been replaced as well as 445 certificates it has deemed high priority. Let's Encrypt has not set a revocation deadline for the remaining certificates, noting that it will "revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users."

Editor's Note

Let's Encrypt is also concerned that the balance of the bad certificates will not be replaced. As the certificates are issued for only 90 days, non-updated certificates will expire. You can check the status of your certificates here. https://checkhost.unboundtest.com/

Lee Neely

2020-03-04

Netgear Releases Firmware Updates to Fix Router Vulnerabilities

Netgear has made firmware updates available to address a critical remote code execution vulnerability affecting its Wireless AC Router Nighthawk (R7800). Netgear has also warned of 24 additional security issues affecting Nighthawk devices; two of those are rated high severity. Those flaws are both post-authentication command injection issues. One affects the same Nighthawk model R7800, and the other affects "five router models within the R6400, R6700, R6900 and R7900 SKUs and that are running specific vulnerable firmware."

Editor's Note

In a world of cheap hardware and scarce knowledge, skills, abilities, and experience, simply replacing flawed wireless access points is often more efficient than trying to fix them.

William Hugh Murray

2020-03-02

Epiq Ransomware Attack

Computer systems at Epiq Global, a legal services and e-discovery company, became infected with ransomware on February 29, 2020. The company made the decision to take its systems offline to prevent the malware from spreading further. Clients have been unable to access e-discovery documents. TechCrunch reported that an unnamed source said the infection affected all of Epiq's 80 offices. It appears that in December 2019, Epiq's systems became infected with TrickBot malware, which was used as a means for the Ryuk ransomware to infiltrate the systems.


2020-03-03

West Virginia Will No Longer Use Voatz Mobile Voting App

West Virginia's Office of the Secretary of State has announced that it will no longer use the Voatz mobile voting app. West Virginia piloted the app in the 2018 general election, allowing voters living overseas to cast their ballots with the help of their mobile devices. The decision comes in the wake of reports that found "fundamental flaws" in the Voatz app. West Virginia has not ruled out using Voatz in the future if the security concerns are addressed.

Editor's Note

Good decision by West Virginia and other states should follow their lead. Not because we know the Voatz app is not secure, but because Voatz hasn't provided the level of transparency needed to make that critical decision.

John Pescatore

2020-03-05

Cisco Issues Fixes for Webex Flaws

Cisco has released updates to address multiple remote code execution vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. The issues "are due to insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF)."

Editor's Note

These flaws are specific to their recordings player on Windows; the update is bundled with the Webex meetings client software. Current supported versions have the fix.

Lee Neely

Internet Storm Center Tech Corner

Introduction to EvtxEcmd (Evtx Explorer)

https://isc.sans.edu/forums/diary/Introduction+to+EvtxEcmd+Evtx+Explorer/25858/


Survey Phish

https://isc.sans.edu/forums/diary/Will+You+Put+Your+Password+in+a+Survey/25866/


SANS Coronavirus Training Guarantee

https://www.sans.org/training-guarantee


Let's Encrypt Revoking Certificates

https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864


Let's Encrypt Revises Revocation Plan

https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591/2


MSFT Subdomain Takeover

https://vullnerability.com/blog/microsoft-subdomain-account-takeover


Homoglyph Attacks in the News Again

https://www.soluble.ai/blog/public-disclosure-emoji-to-zero-day


Coronavirus Phish

https://twitter.com/JCyberSec_/status/1234806881195044865


Healthcare.gov Sending E-Mail Looking Like Phishing

https://twitter.com/johullrich/status/1235740586717720577


Using Smart Devices in the Home Securely (NCSC Version)

https://www.ncsc.gov.uk/guidance/smart-devices-in-the-home


Intel x86 Root of Trust: Loss of Trust

https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html


Ransomware and Cloud Backups

https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/


Trust Me, I'm Certified Podcast

https://www.giac.org/podcasts