SANS NewsBites

British Research Supercomputer Offline; Patch Tuesday: Microsoft and Adobe

May 15, 2020  |  Volume XXII - Issue #39

Top of the News


2020-05-13

ARCHER Supercomputer Offline

The ARCHER supercomputer, used for academic research in the UK, has been offline since Monday, May 11. According to the ARCHER website, the "incident is part of a much broader issue involving many other sites in the UK and internationally." ARCHER is located at the University of Edinburgh.

Editor's Note

While unauthorized use of resources or unexpected jobs running on a supercomputer raise flags immediately, campus data center resources are a current target for crypto mining. Raising the bar on authentication is appropriate. Adding multi-factor authentication, and deliberate update of SSH keys, go a long way towards keeping this in check.

Lee Neely

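The two controls the note above recommends can be checked mechanically. What follows is an added example, not code from the newsletter, from SANS or from the ARCHER service: a Python audit of the global section of an OpenSSH sshd_config that flags password logins, root logins and the absence of a second authentication factor. The keywords and defaults are OpenSSH's own; the policy encoded in audit_sshd_config() and both sample configurations are assumptions of this example.

```python
"""Audit the global section of an OpenSSH sshd_config for the two controls
recommended above: no password logins and a second factor on top of keys.

Added example; not from the newsletter, SANS, or the ARCHER service. The
policy encoded in audit_sshd_config() and both sample configurations are
assumptions of this example. Keywords and defaults are OpenSSH's own.
"""
import re

# Constructed sample: defaults that invite password guessing and make a
# single stolen or stale key sufficient for access.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: passwords off, root off, and every login must present
# a public key AND complete keyboard-interactive (e.g. a PAM OTP module).
# Newer OpenSSH releases spell the keyword KbdInteractiveAuthentication.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd honours the first occurrence of a keyword and ignores later
    duplicates. Directives under a Match block apply conditionally, so
    parsing stops at the first 'Match' line (this audit covers defaults only).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()             # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)    # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)             # first occurrence wins
    return settings


def requires_second_factor(methods):
    """True when every alternative in AuthenticationMethods needs 2+ methods.

    The value is a space-separated list of alternatives; each alternative is
    a comma-separated list of methods that must all succeed, e.g.
    'publickey,keyboard-interactive publickey,password'. Absent or 'any'
    means a single method is enough.
    """
    if not methods or methods.lower() == "any":
        return False
    return all(len(alt.split(",")) >= 2 for alt in methods.split())


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the policy is met."""
    s = parse_sshd_config(text)
    findings = []
    # The fallback in each get() is OpenSSH's default when the keyword is absent.
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled (default is yes)")
    if s.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    methods = s.get("authenticationmethods", "")
    if not requires_second_factor(methods):
        findings.append("AuthenticationMethods does not require a second factor")
    # Every method named in AuthenticationMethods must also be enabled, or
    # logins fail outright. keyboard-interactive is governed by
    # ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer releases).
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if "keyboard-interactive" in methods and kbd != "yes":
        findings.append("keyboard-interactive is required but disabled; logins would fail")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_sshd_config(cfg)
        print(f"{name}: {'policy met' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

`sshd -T` prints the effective configuration in the same keyword/value form (with `any` for an unset AuthenticationMethods), so its output can be fed to audit_sshd_config() directly; that also catches settings pulled in through Include files that a read of /etc/ssh/sshd_config alone would miss. The last check matters in practice: requiring keyboard-interactive while it is disabled locks everyone out rather than adding a factor.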
2020-05-12

Patch Tuesday: Microsoft and Adobe

Microsoft's Patch Tuesday for May includes more than 110 fixes. Of those, Microsoft has rated 16 as critical; the rest are rated as important. Adobe's Patch Tuesday release includes fixes for 24 issues in Acrobat and Reader, as well as 12 in the Adobe DNG Software Development Kit.

Editor's Note

A couple of important points: (1) There have been reports of this Microsoft patch release causing more "application error code 0X..." errors than usual, often meaning the update either didn't take, or memory needs were exceeded or there were connectivity issues. The size of the updates and the number of business Windows laptops being updated over marginal home WiFi connectivity could be part of the problem - this is a good month to recheck that all business PCs actually did install the updates. (2) SAP issued a notice about many vulnerabilities in several of their SaaS cloud-based applications and Cisco issued a big list of patches for their ASA appliances and Firepower software, too.

John Pescatore

Adobe gives this update a priority rating of 2, which means there is an elevated risk but no known exploits, and none are expected imminently. Which means pushing the patch with your monthly patch cycle, versus an out-of-band patch is sufficient and should not distract you from applying the larger Microsoft update.

Lee Neely

The rate of published "fixes" suggests that there is a reservoir of known and unknown vulnerabilities in these popular products (e.g., operating systems, browsers, readers, content managers). They present an attack surface much larger than the applications for which they are used and cannot be relied upon to resist those attacks. They should not be exposed to the public networks. Hiding them behind firewalls and end-to-end application layer encryption moves from "good" practice to "essential."

William Hugh Murray

The Rest of the Week's News


2020-05-13

US Accuses China of Cyberattacks Aimed at Stealing COVID-19 Research

In a joint statement, the US Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) accused hackers working on behalf of the People's Republic of China (PRC) of launching cyberattacks against US organizations involved in COVID-19 research in an attempt to steal intellectual property.


2020-05-12

Toll Group Says Ransomware Hackers Downloaded Corporate Data

Australian shipping company Toll Group said that the hackers behind a recent ransomware attack "downloaded some data stored on [a] corporate server." Toll Group, which suffered a separate ransomware attack earlier this year, has said it will not pay the ransom.

Editor's Note

This appears to be the Nefilim ransomware, which often spreads through unsecured RDP services. It is not yet known if Nefilim operators will threaten to reveal exfiltrated data to ensure payment, as the Maze operators do. The Toll Group claims there was no operational data affected, indicating they are not only aware of what data was on that server, but also that they have taken the necessary steps to assess the risk of that data being exposed.

Lee Neely

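Exposed RDP is the entry vector the note above associates with this ransomware family, and it leaves a distinctive trail in the Windows Security log. The following is an added example, not code from the newsletter, from Toll Group or from any Nefilim report: detection logic that flags RDP password guessing, and a guess that lands, over a handful of constructed events. Event ID 4625 (failed logon), 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) carry their real Windows meanings; the five-failure, five-minute threshold and the sample addresses and accounts are assumptions of this example.

```python
"""Flag RDP password guessing, and a guess that succeeded, in Windows
Security events.

Added example; not from the newsletter, Toll Group, or any Nefilim report.
Event 4625 (failed logon), 4624 (successful logon) and LogonType 10
(RemoteInteractive, i.e. RDP) carry their real Windows meanings; the
threshold, window and sample events are assumptions of this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5                # assumption: 5 failures ...
WINDOW = timedelta(minutes=5)     # ... within 5 minutes is guessing, not typos

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip).
# Addresses are RFC 5737 documentation ranges plus one private address.
SAMPLE_EVENTS = [
    ("2020-05-01T02:00:01", 4625, 10, "administrator", "198.51.100.23"),
    ("2020-05-01T02:00:03", 4625, 10, "admin",         "198.51.100.23"),
    ("2020-05-01T02:00:05", 4625, 10, "backup",        "198.51.100.23"),
    ("2020-05-01T02:00:08", 4625, 10, "svc_sql",       "198.51.100.23"),
    ("2020-05-01T02:00:10", 4625, 10, "jsmith",        "198.51.100.23"),
    ("2020-05-01T02:00:14", 4624, 10, "jsmith",        "198.51.100.23"),  # guess landed
    ("2020-05-01T02:03:00", 4625, 10, "jdoe",          "10.0.0.15"),      # one typo
    ("2020-05-01T02:03:20", 4624, 10, "jdoe",          "10.0.0.15"),
    ("2020-05-01T02:10:00", 4625, 3,  "web",           "203.0.113.9"),    # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (kind, source_ip, detail) alerts.

    'brute_force' fires once a source accumulates `threshold` RDP logon
    failures inside `window`; 'brute_force_success' fires when that source
    then logs on over RDP while the alert is still inside the window.
    """
    failures = defaultdict(deque)   # source_ip -> failure times still inside the window
    flagged = {}                    # source_ip -> time the brute_force alert fired
    alerts = []
    for ts, event_id, logon_type, account, ip in sorted(events, key=lambda e: e[0]):
        if logon_type != RDP_LOGON_TYPE:
            continue                # console, network, service logons: out of scope here
        t = datetime.fromisoformat(ts)
        recent = failures[ip]
        while recent and t - recent[0] > window:
            recent.popleft()        # slide the window forward
        if event_id == 4625:
            recent.append(t)
            already = ip in flagged and t - flagged[ip] <= window
            if len(recent) >= threshold and not already:
                flagged[ip] = t
                alerts.append(("brute_force", ip,
                               f"{len(recent)} failed RDP logons since {recent[0].isoformat()}"))
        elif event_id == 4624:
            if ip in flagged and t - flagged[ip] <= window:
                alerts.append(("brute_force_success", ip,
                               f"RDP logon as {account!r} right after password guessing"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{kind:20s} {ip:15s} {detail}")
```

The tuple fields map onto the EventData of 4625/4624 (TimeCreated, LogonType, TargetUserName, IpAddress), so an export from Event Viewer or a SIEM can be fed in with a thin adapter. The "brute_force" alert is noise on any Internet-facing RDP host; the "brute_force_success" alert is the one that should page someone, because by then the attacker is on the box and the next step in this kind of intrusion is data staging and encryption.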
2020-05-12

Customer Data Exfiltrated in Ransomware Attack on Magellan Health

Arizona-based Magellan Health, Inc., has disclosed that it was the victim of a ransomware attack. The company's systems were initially breached on April 6, 2020, through a phishing email spoofed to appear to come from a client. Magellan detected the ransomware attack on April 11. Between the initial breach and the launch of the ransomware, the attackers exfiltrated data from a company server. The stolen data include customers' personally identifiable information, including names, Social Security numbers, and Taxpayer ID numbers.

Editor's Note

It is essential that healthcare institutions address their vulnerability to extortion attacks; their ability to perform their mission depends on making improvements. At a minimum, there must be a documented plan or risk acceptance that describes how the institution will respond to such attacks.

William Hugh Murray

2020-05-13

Scammers Steal Millions from Norwegian State Investment Fund

Fraudsters stole $10 million from Norfund, Norway's state-owned investment fund for developing countries. The scammers gained access to Norfund's network and spent several months laying the groundwork for the theft, monitoring the organization's operations and inserting themselves into communications between Norfund and a Cambodian microfinance organization that was to receive the $10 million investment. The money intended for that organization was instead transferred to an account in Mexico. The fraudulent transaction took place on March 16, 2020, but Norfund did not realize the funds had been stolen until April 30.


2020-05-12

CISA Lists Top 10 Most Exploited Vulnerabilities

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released a list of the 10 vulnerabilities most commonly exploited by foreign hackers between 2016 and 2019. CISA has also listed the vulnerabilities that are most frequently being exploited in 2020. The alert includes a listing of indicators of compromise and mitigations for each of the vulnerabilities. CISA notes that "a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."

Editor's Note

Pay particular attention to the ones listed for 2020 - the vulnerabilities in VPN (and other security) appliances being exploited is something Johannes Ullrich pointed out in the SANS Top New Attack Trends keynote at RSA (https://www.sans.org/reading-room/whitepapers/threats/paper/38908). The scanning for misconfigured cloud applications is an ongoing issue, but the rush to cloud-based teleconferencing and storage/collaboration apps to support Work From Home has made misconfigurations even more likely.

John Pescatore

Note that the vulnerabilities are listed by CVE, which are then summarized, such as vulnerabilities in Microsoft OLE. Mitigations start with basic cyber hygiene - timely application of patches and following security configuration guides. Leverage continuous monitoring, including scanning and testing, to verify products remain updated and secure.

Lee Neely

2020-05-13

Ramsay Cyberespionage Toolkit Targets Air-Gapped Networks

Researchers at ESET have found samples of malware that steals information from air-gapped networks. The cyber-espionage toolkit, dubbed Ramsay, appears to be under development; each of the three samples contains new features, and each was delivered through a different attack vector.

Editor's Note

The ESET research provides information about how the malware spreads, actions it can provide, and how it gathers and exfiltrates data, as well as IOCs to aid discovery and response. Ramsay appears to share roots with the PLANEPATCH and Retro Malware strains. There is no explicit information on how data from air-gapped computers is accessed; the assumption is that data would be intercepted when transferred to those systems over thumb drives or by an attacker with physical access to target systems. The use of a media kiosk, which prevents transfer of malware and direct insertion of media from one system to another, could prevent the transfer of the malware to the air-gapped system; this would not prevent the capture of data from media inserted into a connected compromised system.

Lee Neely

2020-05-13

Privilege Elevation Vulnerability in Google's Site Kit WordPress Plugin

A critical flaw in Google's Site Kit WordPress plugin could be exploited to access vulnerable sites' Google Search Console. The privilege elevation vulnerability could be exploited "to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns." Google was alerted to the problem on April 21, 2020, and a fix was released on May 7.

Editor's Note

WordPress plugin weaknesses remain a popular target of exploitation. As the plugins are run with privileges needed to modify the entire WordPress site and installation, any weakness, when exploited, can be significant. While there are ways to convert a site to read only, that requires new processes for updating content and software which may outweigh the benefits or the overhead of judicious monitoring and updating of your site.

Lee Neely

2020-05-12

CISA: Lazarus Hacking Group is Using New Malware

The Cybersecurity and Infrastructure Security Agency (CISA) has released three Malware Analysis Reports detailing new variants of malware that are being used by hackers acting on behalf of North Korea's government. The new malware variants are a remote access tool called Copperhedge and two Trojans, known as Taintedscribe and Pebbledash.


2020-05-14

US Supreme Court Hearing CFAA Case

The US Supreme Court is hearing a case that could affect the way the Computer Fraud and Abuse Act (CFAA) is enforced. The case involves a police officer who used his access to law enforcement databases to conduct a search in return for payment. Circuit courts are not in agreement about the scope of the CFAA. Some hold that a CFAA violation requires deliberate malicious hacking; others hold that merely violating terms of service is sufficient.

Editor's Note

It seems unlikely that the SCOTUS can "fix" the CFAA, written when most access to computers was by insiders. Congress must undertake the thankless job of crafting a law that will outlaw abuse and misuse of computer applications and the Internet while minimizing unintended consequences. Drafting such a law will be difficult but not impossible.

William Hugh Murray

2020-05-14

UK Power Grid Middleman Suffers Cyberattack

British power grid middleman Elexon has suffered a cyberattack that affected its internal IT systems. In a bulletin posted to its website, the company provided few details about the incident, but did note that it was "unable to send or receive any emails." The company said on Thursday that it had found the "root cause" of the problem.

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+May+2020+Patch+Tuesday/26114/


Adobe Security Updates

https://helpx.adobe.com/security.html


Top Exploited Vulnerabilities

https://www.us-cert.gov/ncas/alerts/aa20-133a


ISC Handler Series (SANSFIRE)

https://www.sans.org/event/sansfire-2020/bonus-sessions/


Rethinking Severity

https://isc.sans.edu/forums/diary/Patch+Tuesday+Revisited+CVE20201048+isnt+as+Medium+as+MS+Would+Have+You+Believe/26124/


Malspam with Links to ZIP Archives Pushes Dridex Malware

https://isc.sans.edu/forums/diary/Malspam+with+links+to+zip+archives+pushes+Dridex+malware/26116/


Android Applications Expose Firebase Databases

https://www.comparitech.com/blog/information-security/firebase-misconfiguration-report/


More Magecart Sighted

https://maxkersten.nl/2020/05/06/backtracking-magecart-infections/


Glitter vs. Thunderspy

https://www.youtube.com/watch?v=vlK5rrlc44g


Ramsay Cyber Espionage Toolkit

https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/


Windows DNS over HTTPS Preview

https://techcommunity.microsoft.com/t5/networking-blog/windows-insiders-can-now-test-dns-over-https/ba-p/1381282#


Zerodium Drops Payouts For iOS/Safari Exploits

https://twitter.com/Zerodium/status/1260541578747064326?s=20


BigIP Edge Client Vulnerability

https://support.f5.com/csp/article/K20346072