SANS NewsBites

Ransomware at US Military Contractor, NASA Contractor, and UCSF; Foreign Hackers Targeting US Presidential Campaigns

June 5, 2020  |  Volume XXII - Issue #45

Top of the News


2020-06-04

Maze Ransomware Hits US Military Subcontractor Westech

The operators of Maze ransomware have hit Westech, a US military subcontractor that provides maintenance support for the US Minuteman III nuclear missile program. The attackers appear to have stolen sensitive nuclear missile data from Westech and have begun leaking the files online.

Editor's Note

Maze operators continue to publish exfiltrated data in an attempt to get income irrespective of system recovery plans. Additionally, Maze operators maintain a web site of those who refuse to cooperate with their demands for payment, further complicating the recovery decision process.

Lee Neely

2020-06-03

DoppelPaymer Ransomware Operators Claim to Have Hit NASA Contractor

The operators behind the DoppelPaymer ransomware say they have infected the network of DMI, a managed IT and cybersecurity services firm. DMI customers include Fortune 100 companies and government agencies. The hackers appear to have obtained NASA-related files from DMI's network and posted some on a dark web portal.


2020-06-04

Netwalker Ransomware Operators Claim to Have Hit University of California, San Francisco Systems

Operators of the Netwalker ransomware have recently been targeting colleges and universities in the US and threatening to publish stolen data if the ransom is not paid. The group has launched attacks against Michigan State University, Columbia College of Chicago, and most recently, they say they have launched a successful attack against systems at the University of California, San Francisco (UCSF). Researchers at UCSF are running "antibody testing and clinical trials for possible coronavirus treatments," according to Bloomberg Law.


2020-06-04

Foreign Hackers Targeting US Presidential Campaigns


Google's Threat Analysis Group (TAG) says that hackers believed to be acting on behalf of China and Iran have targeted the US presidential campaigns of candidates in both major political parties. The attackers targeted campaign staff with spearphishing emails.

The Rest of the Week's News


2020-06-03

Large Scale WordPress Attack Campaign

Between May 29 and May 31, attackers tried to steal configuration files (wp-config.php, which holds the site's database credentials and authentication salts) from more than 1.3 million WordPress websites. The attackers exploited known vulnerabilities in unpatched WordPress plugins and themes, using their file-download functionality to read the file. Researchers at Wordfence detected and blocked more than 130 million attempted attacks targeting the sites.
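As an added example (not code from Wordfence or the original item), the following Python scans web server access logs for requests that reference wp-config.php, the pattern behind this campaign, and separates blocked attempts from ones the server most likely answered with the file. The log lines are constructed for illustration, and the plugin and theme paths in them are hypothetical rather than any specific vulnerable product; the detection only relies on the decoded request target naming wp-config.php.

```python
"""Flag attempts to pull wp-config.php through plugin/theme file-download
endpoints, given web server access logs in the common combined format."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Constructed sample log lines for illustration only. The plugin/theme paths
# are hypothetical; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-downloader/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:10:01:03 +0000] "GET /wp-content/themes/example-theme/lib/dl.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [30/May/2020:10:02:11 +0000] "GET /wp-content/plugins/example-downloader/download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3121 "-" "curl/7.68.0"
192.0.2.9 - - [30/May/2020:10:03:45 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.10 - - [30/May/2020:10:04:00 +0000] "GET /?p=123 HTTP/1.1" 200 15321 "-" "Mozilla/5.0"
192.0.2.11 - - [30/May/2020:10:04:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo nested URL-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_config_theft_attempt(target: str) -> bool:
    """True if the decoded path or query references wp-config.php, whether as a
    direct request for a backup copy or as a traversal fed to a download endpoint."""
    t = fully_decode(target).lower().replace("\\", "/")
    return "wp-config.php" in t


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyze(log_text: str) -> dict:
    """Return all matching attempts, the probable successes and a per-IP count."""
    attempts, successes = [], []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_config_theft_attempt(rec["target"]):
            continue
        attempts.append(rec)
        per_ip[rec["ip"]] += 1
        # A 200 with a non-empty body means the endpoint most likely served the file;
        # treat those hosts as compromised (rotate DB credentials and salts).
        if rec["status"] == 200 and rec["size"] > 0:
            successes.append(rec)
    return {"attempts": attempts, "successes": successes, "per_ip": per_ip}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{len(result['attempts'])} wp-config.php requests from {len(result['per_ip'])} IPs")
    for rec in result["successes"]:
        print("PROBABLE SUCCESS:", rec["ip"], rec["target"])
```

A 200 response with a body the size of a typical wp-config.php is the signal to act on: treat the database password and the AUTH_KEY/SALT values as exposed and rotate them, not just patch the plugin.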

Editor's Note

WordPress continues to be a popular target for exploitation. Mitigate the risks by ensuring that you've enabled WordPress core auto-updates. If you don't have a plugin that watches and updates plugins and themes automatically, you can enable those updates by adding a filter as per the WordPress Automatic Updates configuration page (Configuring Automatic Background Updates: https://wordpress.org/support/article/configuring-automatic-background-updates/). WordPress 5.5, when released, makes this easier to enable. Also, even with automatic updates, monitor your site to ensure it is updated and secure.

Lee Neely

2020-06-04

Zoom Explains Why End-to-End Encryption is for Paying Customers Only

Zoom says that its end-to-end encryption will be available to paying customers only because it will be easier for the company to comply with FBI requests for access to communications data. A Zoom spokesperson said "We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity."

Editor's Note

Zoom first has to get end-to-end encryption working before we spend much time on whether it should be part of a free offering. Other teleconferencing apps that do include end-to-end encryption on free services get revenue by collecting user information as part of offerings to advertisers - a major privacy issue. Others don't offer it for free either, or only upon submission of a request to support. Businesses evaluating competing offerings should make overall security management tools and security of the application software (especially the client-side agents) more highly weighted criteria than end-to-end encryption for this kind of application.

John Pescatore

When considering end-to-end encryption for video conferencing, understand both your data protection requirements and what the given solution provides. Know what and where content is not encrypted. For example, voice traffic over the PSTN is not encrypted until it reaches the entry point for the service. Also, understand who is managing the keys and who can access them. Lastly, look at any tradeoffs of using end-to-end encryption. The key exchange process may disable or impede functions you utilize, such as joining before the meeting host. Beyond encryption, make sure that you also have the other meeting security settings properly configured.

Lee Neely

2020-06-03

Zoom Addresses Two Remote Code Execution Flaws

Zoom has addressed two vulnerabilities that could be exploited to execute code remotely. Cisco Talos researchers detected the flaws earlier this year. They say that Zoom's mitigations fixed one of the flaws in May and partially addressed the other in a server-side update, but "Cisco Talos believes it still requires a fix on the client-side to completely resolve the security risk," according to a Talos Intelligence blog.

Editor's Note

These flaws only affect earlier 4.x versions of Zoom. Current 5.x versions are not affected. You should be using the most recent 5.x version. If you are holding back because of virtual camera support, Zoom added virtual camera support back in recent 5.x versions. It was removed in late 4.x and early 5.x versions. Virtual camera support will allow the use of tools like Manycam to pre-process video.

Johannes Ullrich

2020-06-03

Large Number of Exchange Servers Remain Unpatched Against Critical Flaw


According to Rapid7's 2020 Q1 Threat Report, as many as 350,000 Microsoft Exchange servers remain unpatched against a critical flaw (CVE-2020-0688) that lets an authenticated user escalate to code execution as SYSTEM on the server. Microsoft released a patch for the vulnerability in February 2020. The flaw exists in the Exchange Control Panel (ECP) component, whose ASP.NET machineKey (validationKey and decryptionKey) was a static value identical on every installation; anyone holding valid mailbox credentials can use the known key to forge a ViewState that the server deserializes.
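The hallmark of the vulnerable configuration is that every installation carries the same machineKey. As an added example (not from Rapid7 or Microsoft), the following Python compares the machineKey element across ECP web.config files collected from several Exchange servers and reports any key shared by more than one host. The config fragments and key values are constructed placeholders, not the real static key; on a real server the file is assumed to be <ExchangeInstallPath>\ClientAccess\ecp\web.config. The authoritative check is still the server's build against the February 2020 update; this only tells you whether keys are still shared.

```python
"""Report ASP.NET <machineKey> values shared across Exchange ECP web.config
files, the symptom behind CVE-2020-0688 (one static key on every install)."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed web.config fragments standing in for the ECP web.config
# (assumed path: <ExchangeInstallPath>\ClientAccess\ecp\web.config) gathered
# from three servers. Key values are placeholders, not the real Exchange key.
WEB_CONFIGS = {
    "mail01": """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="1111111111111111111111111111111111111111111111111111111111111111"
                decryptionKey="22222222222222222222222222222222"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
    "mail02": """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="1111111111111111111111111111111111111111111111111111111111111111"
                decryptionKey="22222222222222222222222222222222"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
    "mail03": """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="abcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcdefabcd"
                decryptionKey="0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>""",
}

KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")


def extract_machine_key(xml_text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the attributes of the first <machineKey> element, or None if absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("machineKey"):
        return {attr: elem.get(attr) for attr in KEY_ATTRS}
    return None


def is_static_key(mk: Optional[Dict[str, Optional[str]]]) -> bool:
    """ASP.NET's default is validationKey="AutoGenerate,IsolateApps"; any other
    value is a fixed key written into the config file."""
    if mk is None:
        return False
    return not (mk.get("validationKey") or "").startswith("AutoGenerate")


def find_shared_keys(configs: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """Group hosts by (validationKey, decryptionKey); keep groups with 2+ hosts."""
    by_key: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for host, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if not is_static_key(mk):
            continue
        by_key[(mk["validationKey"], mk["decryptionKey"])].append(host)
    return {key: hosts for key, hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    shared = find_shared_keys(WEB_CONFIGS)
    if not shared:
        print("No machineKey is shared between the collected servers.")
    for (vk, dk), hosts in shared.items():
        print(f"SHARED machineKey (validationKey {vk[:8]}..., decryptionKey {dk[:8]}...) on: {', '.join(hosts)}")
```

Because a patched server still has an explicit, per-installation key in its web.config, testing for "AutoGenerate" alone does not distinguish patched from unpatched; it is the duplication across hosts that gives the vulnerable state away, which is why the check works on a set of configs rather than a single file.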

Editor's Note

The patch has been out since February and the CISA CERT put out an alert in March about exploitation of CVE-2020-0688, but three months later 82% of Exchange servers are unpatched, according to Rapid7 scanning! This may indicate delayed server patching since Coronavirus shutdowns hit - an important warning sign to check all patch levels immediately.

John Pescatore

Several of today's reports involve "patches." Unfortunately, the cost of using these popular but porous products includes the hidden cost of routine patching or accepting the risk of not doing so. Only you know which is the efficient strategy for your enterprise but for most it will be patching.

William Hugh Murray

2020-06-04

Kaspersky: Chinese APT Group's USBCulprit Malware Targets Air-Gapped Systems


Malware dubbed USBCulprit targets air-gapped devices. USBCulprit is being used by a Chinese advanced persistent threat (APT) group, known as Cycldek, that has been attempting to steal government and state secrets from Southeast Asian countries since 2013. Kaspersky says that USBCulprit has been used in attacks on systems in Vietnam, Thailand, and Laos.

2020-06-04

Cisco Semi-Annual IOS and IOS XE Software Security Advisory Bundled Publication

Cisco has released updates to address four critical vulnerabilities affecting equipment that runs Cisco IOS and IOS XE software. The updates are part of Cisco's June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes a total of 23 advisories addressing 25 vulnerabilities in IOS and IOS XE software.

Editor's Note

This, and the Cisco Nexus vulnerability item, are another reminder that patch processes need to be extended to, and actually prioritized for, critical network security and operational appliances. The CVE-2020-0688 item indicates patching levels overall may have declined with the forced work at home status of employees.

John Pescatore

2020-06-02

Cisco Releases Fix for Nexus Switch Flaw


Cisco has released a fix for a high severity vulnerability in its Nexus switches running NX-OS software. The flaw lies in the network stack and could be exploited to bypass network access controls or cause denial-of-service conditions.

2020-06-03

Users Urged to Patch SAP Adaptive Server Enterprise Software


Researchers at Trustwave have found several vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software. Two of the vulnerabilities are rated critical; they could be exploited to remotely execute code and manipulate system data. They were addressed in SAP's May update; users who have not patched their systems are advised to apply the patches as soon as possible.

2020-06-04

Mozilla Updates Firefox to Version 77, then to 77.0.1

On Tuesday, June 2, Mozilla released Firefox 77, which includes fixes for eight security issues. Five of the vulnerabilities are designated high impact; of those, three could be exploited to allow remote code execution. On Wednesday, June 3, Mozilla updated Firefox to version 77.0.1 in which it "disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way."

Editor's Note

DNS over HTTPS remains a hot topic. The original DNS protocol was designed to be very low latency and require minimum resources. No surprise that servers are having a hard time keeping up with requests once TLS and HTTP overhead is added.

Johannes Ullrich

One of the concerns is not overloading the DNS over HTTPS (DoH) providers. DoH can be enabled and the provider selected in the Firefox preferences under network settings. For enterprises, the current version of ESR is 68.9.0, also released June 2.

Lee Neely

Internet Storm Center Tech Corner


Stackstrings, Type 2

https://isc.sans.edu/forums/diary/Stackstrings+type+2/26192/


Polish Malspam Pushes ZLoader Malware

https://isc.sans.edu/forums/diary/Polish+malspam+pushes+ZLoader+malware/26196/


Anti-Debugging Technique Based on Memory Protection

https://isc.sans.edu/forums/diary/AntiDebugging+Technique+based+on+Memory+Protection/26200/


Suspending Suspicious Domain Feed/Update to Researcher IP Feed

https://isc.sans.edu/forums/diary/Suspending+Suspicious+Domain+Feed+Update+to+Researcher+IP+Feed/26204/


Firefox Disables Automatic DNS over HTTPS Selection to Prevent DDoS

https://www.mozilla.org/en-US/firefox/77.0.1/releasenotes/


More Details About AddTrust External CA Root Expiration

https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration


VMware Cloud Director Vulnerability and Exploit

https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/


Cisco Patches IP-in-IP Flaw

https://securityaffairs.co/wordpress/104192/security/ip-in-ip-flaw-cisco.html


Zoom Fixes Two Critical Flaws

https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html


Android Security Bulletin

https://source.android.com/security/bulletin/2020-06-01


Android Wallpaper Crash

https://www.androidauthority.com/android-wallpaper-crash-1124577/


Bank Transaction Comments Used for Abusive Messages

https://www.theregister.com/2020/06/04/commonwealth_bank_bans_indecent_transaction_descriptions/


STI Research Paper: Janusz Pazgier; Efficacy of UNIX HIDS

https://www.sans.org/reading-room/whitepapers/detection/efficacy-unix-hids-39565