SANS NewsBites

COVID-19 Tracking Map Hides Spyware; DDOS on German Food Delivery Service; Ransomware Window of Opportunity for Defenders

March 20, 2020  |  Volume XXII - Issue #23

Top of the News


2020-03-18

Hackers Use COVID-19 Tracking Map to Hide Spyware

Hackers have weaponized a legitimate COVID-19 tracking map to deliver spyware. Known as SpyMax, the malware can exfiltrate text message and phone call logs, and allows the attackers to activate microphones and cameras. The malware appears to be used to spy on people in Libya.

Editor's Note

With workers out of the office, the normal resources which protect them from malware are reduced or absent. Consider providing references to vetted sources of information, web sites or mobile apps, as part of your COVID-19 communication campaign.

Lee Neely

2020-03-19

Food Delivery Service in Germany Targeted with DDoS Attack

Hackers have launched a distributed denial-of-service (DDoS) attack against the website of a food delivery service in Germany. The hackers demanded a ransom of 2 bitcoins to stop the attack. Lieferando.de, the German branch of Takeaway.com, is back online; it is not clear if they paid the ransom.

Editor's Note

Ransomware still depends on social engineering, and the current situation is ripe for users making mistakes which could enable an attack. Encourage workers to focus on deliberate operations - taking an intentional, thoughtful and careful approach to ensure work is conducted safely and securely. A measured approach with regular management check-in, only performing tasks when sufficient staff are available to execute them securely and safely.

Lee Neely

2020-03-16

Mandiant Ransomware Research Shows Window of Opportunity For Defenders

According to researchers from Mandiant, most ransomware does not deploy until at least three days after attackers have gained their initial foothold in a system. In some cases, the dwell time was much longer. Mandiant looked at "dozens of ransomware incident response investigations from 2017 to 2019." The researchers also found that most ransomware infections occur at night or on weekends. The blog post notes that "there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection."

The Rest of the Week's News


2020-03-17

Social Media Turning to AI for Moderators

Earlier this week, Facebook users began noticing that their COVID-19-related posts were being taken down. They received notifications from Facebook which said the posts violated community standards. Facebook says the issue was due to a bug in its anti-spam filter. Facebook's content moderators had been sent home; they cannot work from home due to privacy agreements. Twitter and YouTube have also said they are sending home their content monitors. Some researchers are concerned that with content moderators absent, much of the decision-making regarding permissible posts will be left to automated systems.

Editor's Note

Increased reliance on automation is a natural side effect of orders sending employees home. Oversight of that automation, particularly if new, is critical to correct missteps. When regulations prohibit remote oversight of that automation, evaluation of criticality of those jobs needs to be re-evaluated.

Lee Neely

In the US, the Department of Health and Human Services put out a "Notification of Enforcement Discretion for telehealth remote communications" during the COVID-19 emergency - basically saying remote working using common sense security precautions that may not be fully compliant will not be penalized. Using public-facing social media is still prohibited. While companies should not race into remote working without taking precautions, security should be the issue - not compliance. SANS has released a free secure telework support package at https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit

John Pescatore

My FB post that was taken down just got put back 30 minutes ago with a blanket apology note that did mention SPAM. My post was related to COVID (many, but not all, of my FB friends' deleted posts were on the subject), and I notice FB now has their own COVID-19 page, so they may be trying filters to limit misinformation since they have been thoroughly bashed by Congress for that in the past.

Stephen Northcutt

2020-03-17

Four-Year Sentence for Role in Chinese Espionage Operation

A US federal district judge in California has sentenced Xuehua Edward Peng to 48 months in prison for acting as an agent of the People's Republic of China (PRC). Peng, who is a US citizen, participated in several "dead-drops," a scheme to exchange money for information in which the two parties involved do not meet. Peng hid money in designated places and returned later to retrieve Secure Digital (SD) cards containing classified US information. Peng brought the SD cards to China, where he delivered them to a PRC official.


2020-03-18

Adobe Patches 29 Critical Flaws

Adobe has issued fixes for more than 40 security issues in Acrobat, Reader, Photoshop, ColdFusion, Genuine Integrity Service, Experience Manager, and Bridge. Twenty-nine of the vulnerabilities are rated critical.

Editor's Note

In addition to pushing these updates to your traditional targets, verify that your systems that are now working remotely are both monitored and updated. In the past, it may have been an acceptable risk to wait for updates on remote systems until they reconnected to the corporate network. With the current crisis, that interval is undefined; you should look to patching them in place.

Lee Neely

2020-03-18

Cisco Releases Fixes for SD-WAN Vulnerabilities

Cisco has released updates to address three vulnerabilities in its Software-Defined WAN (SD-WAN) Solution software. All three flaws have been rated high severity. The issues affect a range of Cisco products running SD-WAN software older than the current version, Release 19.2.2.


2020-03-19

Mozilla Eliminating Support for FTP in Firefox

Mozilla says that it plans to eliminate support for the FTP protocol in Firefox by the start of 2021. Support for FTP will initially be disabled in Firefox 77, which is scheduled for release in June 2020; users who still need to view and download files over FTP will be able to re-enable it through the Firefox about:config page. After that, Mozilla plans to remove FTP support from Firefox entirely by the start of 2021.

Editor's Note

While there are extensions to secure FTP, it is fundamentally an insecure protocol. Delivery of files over HTTPS is a technically viable alternative. If you retain FTP capabilities, identify the specific use cases and regularly check for alternatives.

Lee Neely

While low profile and often "legacy" or "orphan," FTP servers continue to be a source of leakage of data. Enterprises should replace FTP servers in favor of SFTP and HTML.

William Hugh Murray

2020-03-18

Chrome and Chrome OS Releases Paused

Google has paused the upcoming releases of its Chrome browser and Chrome OS. Google says that the reason for the delay is adjusted work schedules due to the Coronavirus. Chrome 81 had been scheduled for release on Tuesday, March 17. In its blog statement, Google notes that it will "continue to prioritize any updates related to security, which will be included in Chrome 80."


2020-03-19

Rogers Communications Notifies Customers of Data Breach

Canadian telecom company Rogers Communications has begun notifying customers that their personal information was compromised. In late February, Rogers learned that an external service provider had exposed a customer database to the Internet.


2020-03-19

Local Governments in France are Being Hit With Pysa Ransomware

France's Computer Emergency Response Team (CERT) has issued an alert about ransomware targeting networks of local governments. The attackers are using a new variant of the Mespinoza ransomware, which is also known as Pysa. The alert describes how the attacks operate and indicators of infection; it also provides recommendations to help organizations minimize the effect of the ransomware.


2020-03-19

Information Sharing and Analysis Organization for Political Campaigns

The US now has a Political Campaign Information Sharing and Analysis Organization (PC-ISAO). Established earlier this month by US CyberDome, PC-ISAO "facilitate[s] fully anonymous cyber threat information sharing, ...provide[s] technical information in formats that are easy to read, ... [and] also facilitate[s] connections amongst members on cybersecurity challenges."

Internet Storm Center Tech Corner

A Quick Summary of Current Reflective DNS DDoS Attacks

https://isc.sans.edu/forums/diary/A+Quick+Summary+of+Current+Reflective+DNS+DDoS+Attacks/25916/


Trickbot gtag red5 distributed as DLL File

https://isc.sans.edu/forums/diary/Trickbot+gtag+red5+distributed+as+a+DLL+file/25918/


COVID-19 Themed Multistage Malware

https://isc.sans.edu/forums/diary/COVID19+Themed+Multistage+Malware/25922/


Is Cryptojacking Dead after Coinhive Shutdown?

https://arxiv.org/pdf/2001.02975.pdf


Adobe Patches

https://helpx.adobe.com/security/products/acrobat/apsb20-13.html


TrendMicro Update

https://success.trendmicro.com/solution/000245571


More VMWare Updates

https://www.vmware.com/security/advisories/VMSA-2020-0005.html


EnigmaSpark Malware

https://securityintelligence.com/posts/EnigmaSpark-Politically-Themed-Cyber-Activity-Highlights-Regional-Opposition-to-Middle-East-Peace-Plan/


Recent Ransomware Trends

https://www.fireeye.com/blog/threat-research/2020/03/they-come-in-the-night-ransomware-deployment-trends.html


Cisco SD-WAN Patches

https://tools.cisco.com/security/center/publicationListing.x


0Patch Selling Patches for Windows 7

https://twitter.com/0patch/status/1240602635205586945


LDAPFragger: Bypassing network restrictions using LDAP attributes

https://research.nccgroup.com/2020/03/19/ldapfragger-bypassing-network-restrictions-using-ldap-attributes/