SANS NewsBites

Help Us Classify COVID-19 Related Domains; DNS-Hijacking Attacks Against Routers; US Senator Urges Vendors to Make Sure Network Connectivity Products Are Secure

March 27, 2020  |  Volume XXII - Issue #25

Top of the News


2020-03-23

Hackers Launching DNS-Hijacking Attacks Against Routers

Hackers are launching DNS-hijacking attacks against D-Link and Linksys routers, redirecting users to malicious sites advertising phony Coronavirus apps. If users download the apps, their devices become infected with information-stealing malware. The hackers are using brute force attacks to obtain routers' admin passwords.

Editor's Note

The best mitigation is to use a strong device password and disable remote management so the router cannot be accessed remotely. Consider setting up a separate DNS server on your network, pointing to your selected authoritative DNS servers. Configuring all endpoints to point to root DNS servers will likely exhaust the NAT tables in your routers. Lastly, most home routers can be configured to forward logs for analysis or alerting; that necessitates monitoring the average home user is not prepared for. Also enable automatic firmware updates.

Lee Neely

Many of these routers are in SOHO applications where they are installed but not "managed." As more of us work remotely, these devices become attractive targets. When installing them, it is important to change the default passwords. Since these devices do not implement strong authentication, this is an application where strong passwords are indicated.

William Hugh Murray

2020-03-25

US Senator Urges Vendors to Make Sure Network Connectivity Products Are Secure

US Senator Mark Warner (D-Virginia) wants tech vendors to bolster the security of their products. In letters to Google, Netgear, and others, Warner writes that he is seeking their "assistance to ensure that the wireless access points, routers, modems, mesh network systems, and related connectivity products that your firm manufactures remain secure as unprecedented numbers of Americans rely on remote access for work and education as part of COVID-19 social distancing efforts."

Editor's Note

The cynical side of me says most vendors have word processing template automated responses to these letters "urging" them to do something, especially when related legislation never sees the light of day. The glass half full side of me says that most vendors want to sell quality products and have seen that out-of-the-box security is a key part of security. The realistic side says if we buy junk, someone will sell us junk - for business systems, make sure security requirements are in all procurement evaluation criteria. For consumer products used by work-at-home employees, give them guidance on how to change defaults and take advantage of the free SANS resources for secure telework. https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit

John Pescatore

It is challenging to have users secure devices after the fact, so having devices that, out of the box, require the user to set a strong password, include automatic updates, and have remote administration disabled raises the bar. Make sure that home router security best practice advice is included in your home/remote worker guidance.

Lee Neely

The Rest of the Week's News


2020-03-25

Apple Updates

Apple has released updates for iOS, macOS, Safari, watchOS, tvOS, and other products. iOS 13.4 includes fixes for 30 security issues, and the macOS update includes fixes for 26 issues.

Editor's Note

While the default setting for iOS devices is Automatic Updates "Off," the conservative setting is "On." (Go to Settings, General, Software Update, Automatic Updates, On.)

William Hugh Murray

Make sure the automatic update option is configured on your Apple devices both for the OS and applications. Then, also periodically check for alerts, asking your permission to install updates. iPadOS 13.4 adds support for Apple's Magic Mouse and Trackpad. iOS and iPadOS 13.4 Mail now always show the move/delete/reply/compose buttons.

Lee Neely

2020-03-24

Adobe Creative Cloud Flaw Patch

Adobe has released a patch for a critical flaw in its Creative Cloud Desktop Application for Windows PCs. The vulnerability, a time-of-check-to-time-of-use race condition, could be exploited to delete files from computers. Users should update to Creative Cloud for Windows version 5.1 or later.

Editor's Note

While the fact that the vulnerability is a TOCTOU may be interesting to some, and a caution to developers (to bind the conditions that they rely on), it is not relevant to the simple fix for this specific incident. Update.

William Hugh Murray

2020-03-26

DEER.IO Platform Shut Down

The FBI has seized the DEER.IO website and shut down the hacker platform. Earlier this month, DEER.IO's alleged administrator, Kirill Victorovich Firsov, was arrested and charged with unauthorized solicitation of access devices.


2020-03-20

HPE Firmware Fix for Flaw That Could Brick Some Solid State Drives

Hewlett Packard Enterprise has released firmware updates for some of its Serial-Attached SCSI solid state drives. The update addresses a flaw that causes the drives to fail after 40,000 hours (roughly four-and-a-half years) of operation. HPE addressed a similar issue in November 2019.
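As an added illustration (not HPE's detection script and not part of the newsletter), the triage below ranks drives by how close their power-on hours are to the two failure thresholds the item reports; the smartctl-style "Accumulated power on time" line format and the sample drive readings are assumptions constructed for the example.

```python
"""Added example: triage SSD power-on hours against the 32,768 h threshold
(fixed by the November 2019 firmware) and the 40,000 h threshold (fixed by
the March 2020 firmware). Thresholds come from the newsletter item."""
import re

THRESHOLDS = (32768, 40000)   # hours, in the order a drive would reach them
HOURS_PER_DAY = 24

def next_threshold(hours):
    """First threshold the drive has not yet reached, or None if past both
    (a drive still running past 40,000 h already carries the fix or is not
    an affected model)."""
    for t in THRESHOLDS:
        if hours < t:
            return t
    return None

def triage(hours, warn_days=90):
    """Return (level, next_threshold, hours_left) for one drive."""
    t = next_threshold(hours)
    if t is None:
        return ("past-all-thresholds", None, 0)
    left = t - hours
    if left <= 7 * HOURS_PER_DAY:
        level = "urgent"          # less than a week of runtime left
    elif left <= warn_days * HOURS_PER_DAY:
        level = "warning"         # schedule the online firmware update
    else:
        level = "ok"
    return (level, t, left)

# Assumed line shape (smartctl SCSI output style): "... hours:minutes 39990:12"
LINE_RE = re.compile(r"Accumulated power on time, hours:minutes\s+(\d+):\d+")

def parse_power_on_hours(text):
    m = LINE_RE.search(text)
    return int(m.group(1)) if m else None

# Constructed sample readings for four hypothetical drives
SAMPLE_DRIVES = {
    "sda": "Accumulated power on time, hours:minutes 12000:05",
    "sdb": "Accumulated power on time, hours:minutes 32500:40",
    "sdc": "Accumulated power on time, hours:minutes 39990:12",
    "sdd": "Accumulated power on time, hours:minutes 41000:00",
}

def report(drives=SAMPLE_DRIVES, warn_days=90):
    """Map drive name -> (hours, level, next_threshold, hours_left)."""
    out = {}
    for name, text in drives.items():
        h = parse_power_on_hours(text)
        out[name] = (h,) + triage(h, warn_days) if h is not None else None
    return out

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```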

Editor's Note

The update in November addressed drives failing after 32,768 hours (3.78 years). HPE has also released detection scripts to determine if you have affected drives. The update can be performed online, without a reboot, but is suggested during low I/O intervals. Check the HPE alert for caveats.

Lee Neely

2020-03-26

Google Resumes Chrome Releases

Google is resuming Chrome and Chrome OS releases "with an adjusted schedule." (Last week, Google announced it was pausing releases for the browser and operating system due to altered work schedules.) Chrome 81, which had been scheduled for release on March 1, will now be released on April 7. Google has cancelled Chrome 82; Chrome 83 is scheduled to be released to the stable channel on May 19.


2020-03-25

Chinese Hackers Targeting Wide Range of Industries

Researchers from FireEye say that APT41, a hacking group with ties to China's government, has been launching cyberattacks against a range of industries, including health care organizations, the military, and oil and gas companies. Between January 20 and March 11 of this year, APT41 launched cyberattacks against more than 75 organizations around the world, exploiting flaws in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central.

Editor's Note

This is a good news item to show management to emphasize the need both for making sure remote work is being done securely, and that IT operations keeps up with critical patches during these turbulent times.

John Pescatore

2020-03-26

Google Threat Analysis Group

In 2019, Google's Threat Analysis Group warned nearly 40,000 users that their accounts were being targeted by state-backed hackers. The attackers focus mostly on accounts belonging to "geopolitical rivals, government officials, journalists, dissidents and activists."

Editor's Note

This is part of Google's free advanced protection program, which requires two security keys, or an iPhone or Android, and forces two-factor authentication. Make sure that users recognize alerts from Google as legitimate.

Lee Neely

2020-03-26

Electronics Manufacturer Hit with Ransomware

Systems at a Connecticut-based electronics manufacturer were hit with ransomware earlier this month. Kimchuk, which makes products for medical equipment, telecommunications companies, the energy grid, and the military, did not pay the ransom. The attackers have published information stolen from the company. The practice of releasing stolen information is growing; the groups responsible for several different families of ransomware have created websites expressly for the purpose of posting stolen data.

Editor's Note

Both resistance to breaches and resilience are necessary, but the former addresses more risks. In security, measures that operate early usually trump late.

William Hugh Murray

Internet Storm Center Tech Corner

Updated Microsoft Advisory 200006

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006


Very Large Sample as an Obfuscation Technique

https://isc.sans.edu/forums/diary/Very+Large+Sample+as+Evasion+Technique/25948/


Dridex Update

https://isc.sans.edu/forums/diary/Recent+Dridex+activity/25944/


COVID-19 Ransom

https://twitter.com/johullrich/status/1242983197555789824


Free COVID-19 Domain List

https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats


Memcached Denial of Service Vulnerability

https://github.com/memcached/memcached/issues/629


Adobe Creative Cloud Desktop Application Patches

https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html


Apple Security Patches

https://support.apple.com/en-us/HT201222


Microsoft Pausing Cumulative Updates Starting May

https://docs.microsoft.com/en-us/windows/release-information/windows-message-center#405


OpenWRT Vulnerability Fixed

https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html


HP Enterprise SSD Firmware Bug

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00097382en_us


Fake Google Chrome Update

https://news.drweb.com/show/?i=13746&lng=en


TrickBot Pushing a 2FA Bypass App in Germany

https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/


iOS VPN Bypass

https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/


Linux Rubber Ducky Protection

https://opensource.googleblog.com/2020/03/usb-keystroke-injection-protection.html