SANS NewsBites

Some security operations centers (SOCs) are missing the new attacks.

June 16, 2020  |  Volume XXII - Issue #48

Top of the News


2020-06-15

Australian Beverage Company Falls Prey to Ransomware


Australian beverage company Lion has acknowledged that a ransomware attack last week was responsible for "a partial IT system outage," and that the company "immediately shut down key systems as a precaution."

Editor's Note

Lion is attempting to rebuild rather than pay the ransom and believes no sensitive data were impacted or exfiltrated. Recovery has necessitated stopping beverage production, just as restrictions are being loosened and Australians are slowly returning to pubs, restaurants, and clubs.

Lee Neely

"Ransomware" attacks have become so routine that every enterprise must have a plan for resisting and mitigating such attacks. While "shutting down key systems" may be part of such a plan, it should be planned rather than ad hoc.

William Hugh Murray

2020-06-12

Knoxville Ransomware Attack: More Details


The city of Knoxville, Tennessee, was hit with a ransomware attack last week. The attack prevented police from responding to non-emergency car accidents and forced court sessions to be rescheduled. Knox County systems did not appear to be affected, but connectivity between the two networks has been cut off until the issue is resolved. Local news reports say that the attackers have contacted the city demanding that a ransom be paid. There is no word on whether or not the city intends to pay.

2020-06-11

Honda Resumes Production After Ransomware Attack


A Honda spokesperson said the company has resumed production at plants in the US, Turkey, India, Brazil and other countries. Some Honda call centers and certain online functions were still affected by the attack. Honda's computer network was infected with ransomware earlier this month.

The Rest of the Week's News


2020-06-15

Outages Across the US Blamed on Network Configuration Changes


Numerous service outages across the US on Monday, June 15, affected mobile providers, ISPs, streaming services, social media platforms and games. While there has been some speculation that the problems were the result of a massive distributed denial-of-service (DDoS) attack, a tweet from Cloudflare CEO Matthew Prince said the cascading failures were caused by "T-Mobile ... making some changes to their network configurations ... [that] went badly."

Editor's Note

Once again, I'll skew old here: just over 30 years ago, a botched AT&T switch upgrade took down around half of AT&T's network for almost 8 hours. That was 4 years before the first browser came out, but it was a serious interruption to a major path of "online" orders of the day. Good reminder about backup plans for employee connectivity during current and future work at home. Cellular data service is not immune to outages either, but most mobile phones can be used as hot spots for backup purposes. Lance Spitzner of SANS has blogged security guidelines for personal hotspots at https://www.sans.org/security-awareness-training/blog/security-awareness-iphone-personal-hotspot-feature

John Pescatore

Routing configuration mistakes have a much more dramatic impact and take longer to rectify than they once did. When I started telecommuting full time, a mentor and seasoned telecommuter wisely advised me to have both a backup computer and a backup network connection such as a cellular hotspot. He also advised me to keep both updated and operational as you never know when they'll be pressed into service. Today, I would add QoS, no data cap, and minimum bandwidth to that list.

Lee Neely

2020-06-15

South African Bank Must Reissue 12 Million Payment Cards After Breach


South Africa's Postbank will reissue more than 12 million payment cards to its customers following a December 2018 breach. The bank's 32-character master encryption key, which is used to generate keys for customers' payment cards, was stolen. Between March and December 2019, thieves accessed Postbank accounts and conducted more than $3.2 million in fraudulent transactions. The issue affects not only payment cards, but also cards issued to people for receiving government benefits.

Editor's Note

This is a good story of not only why we protect master encryption keys but also why separation of duties is paramount. Also, master keys and the people who can access them need to be updated periodically to prevent fraud. Lastly, store the keys on dedicated resources designed to protect them.

Lee Neely

Just replacing the cards will cost Postbank $60M; the total cost of the failures that enabled this insider attack will likely be twice that. The failure was in access control of high privilege administrators in what should also require two-person control under onerous change control, tracking, and auditing. That extraordinary level of control over encryption keys is key to the value of encryption and the cost of doing so is invariably a small fraction of the cost of compromise.

John Pescatore

Encryption keys are more likely to be compromised when they are used. Keys that are used routinely should be changed routinely.

William Hugh Murray

2020-06-12

June's Windows 10 Cumulative Update Causes Problems


Users have been reporting that Microsoft's latest cumulative update for Windows 10 has caused problems with their networked printers. Users have also been reporting that they have been unable to launch some applications after installing the update.

2020-06-15

Citizen Lab and Amnesty International: Spyware Campaign Targeted Indian Human Rights Activists


A joint report from Citizen Lab and Amnesty International describes a spyware scheme that targeted human rights defenders in India. The nine individuals, who are lawyers, activists, and journalists, were targeted with spear phishing emails crafted to install malware that tracked their communications. Three of the nine people are also believed to have been targeted by NSO's Pegasus spyware.

2020-06-12

D-Link Router Vulnerabilities

Researchers on Palo Alto Networks' Unit 42 global threat intelligence team have found six vulnerabilities in D-Link routers. The flaws affect the DIR-865L model, a router used for home networks. The researchers found the vulnerabilities in late February 2020. D-Link released a beta patch in late May but noted that support for the routers ended in February 2016. D-Link is urging users to replace the outdated devices.

Editor's Note

It is a sad truth of IoT security that, too often, the upgrade path to fix a security vulnerability involves a dumpster. These devices still function well and may have a few years of life left in them. There are reports of being able to install open source firmware on these devices, but doing so will involve opening the device and soldering a connector to the board. Maybe a good lesson to be learned from buying highly proprietary products.

Johannes Ullrich

The DIR-865L was D-Link's first router to support 802.11ac, released in June 2012. While D-Link provides instructions for installing the updated beta firmware, the better fix is to replace these devices with current routers which have active support and newer technology and security options.

Lee Neely

2020-06-15

Cybersecurity Bills Introduced in US Senate

US Senator Gary D. Peters (D-Michigan) has introduced two bills aimed at improving the country's cybersecurity defenses. The Continuity of Economy Act would direct the White House to "develop a plan to ensure essential functions of the economy are able to continue operating in the event of a cyberattack." The bill grew out of a recommendation made by the Cyberspace Solarium Commission. The National Guard Cybersecurity Interoperability Act of 2020 would help ensure that the National Guard could provide remote cybersecurity support in the event of a cyber incident.


2020-06-15

Data From Multiple Dating Apps Exposed


Researchers found 845 gigabytes of data from a number of dating apps in misconfigured AWS buckets. The researchers who found the unprotected data noticed similarities between the apps that suggested they had a common developer. They reached out to one of the apps, which "quickly replied, asking for additional details about the breach." The researchers sent a link to the unsecured AWS bucket for that particular app; that same day, buckets for all the affected apps were locked down. The exposed data include photos, audio recordings, and screenshots of private chats.

Editor's Note

It may seem like an odd comparison, but all online teleconferencing applications are similar to dating apps - lots of sensitive information needing to (or at least wanting to) be shared, much of it stored and almost all of it stored on cloud storage services that are often misconfigured. This item is a good reminder that we need to remind admins and employees of the security guidelines for online teleconferencing.

John Pescatore

Internet Storm Center Tech Corner

Fileless Excel Malware

https://isc.sans.edu/forums/diary/Malicious+Excel+Delivering+Fileless+Payload/26232/


HTML Based Phishing Run

https://isc.sans.edu/forums/diary/HTML+based+Phishing+Run/26242/


Windows Update Issues

https://support.microsoft.com/en-us/help/4566779/usb-printer-port-missing-after-disconnecting-printer-while-windows-10

https://answers.microsoft.com/en-us/windows/forum/all/cumulative-updates-june-9th-2020/45a8a7f3-cb89-459e-acf1-32d9de15c099


Privnote.com Phishing

https://krebsonsecurity.com/2020/06/privnotes-com-is-phishing-bitcoin-from-users-of-private-messaging-service-privnote-com/


Major T-Mobile Outage (may affect other carriers as well)

https://twitter.com/NevilleRay/status/1272650750665953280

https://status.duo.com/incidents/txv7kq6tr0h8


Vulnerabilities in LTE and 5G Networks

https://positive-tech.com/storage/articles/gtp-2020/threat-vector-gtp-2020-eng.pdf


SANSFIRE Handler Talks

Xavier Mertens: https://www.sans.org/webcasts/sansatmic-walk-logs-hell-115420

Bojan Zdrnja: https://www.sans.org/webcasts/sansatmic-arcane-web-mobile-application-vulnerabilities-115425