SANS NewsBites

NSA Urges "Immediate Action" to OT and ICS; Chinese Citizens Indicted for Hacking; "Meow" Wiping Databases; Financial Services Company Charged for Data Leak

July 24, 2020  |  Volume XXII - Issue #58

Top of the News


2020-07-23

CISA and NSA Urge "Immediate Action" to Secure Critical Infrastructure Operations Technology and Control Systems

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that foreign hackers are targeting systems that support US critical infrastructure. The advisory urges critical infrastructure operators to secure their operational technology and control systems as soon as possible. The advisory lists several "recently observed tactics, techniques, and procedures," including spear phishing, ransomware, connecting to Internet-accessible PLCs that do not require authorization for initial access, and modifying control logic and parameters on PLCs.

Editor's Note

This is a critical time to re-focus on phishing prevention. By 2019, over 80% of businesses had at least turned on DMARC services to fight spoofed emails but only around 20% have moved to active prevent policies. Disruption for those that have turned active prevent on has been minimal, security gain enormous. Also, do a user education revisit - especially about all the new messaging/conferencing/collaboration channels that are in use with work from home operations. Finally, try to get at least IT admins moved to two factor authentication and plant the flag to fight for wider adoption after that.

John Pescatore
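As an added example (not part of this NewsBites item or the editor's note), the following Python reads DMARC TXT records and reports whether a domain is merely monitoring (p=none, the "turned on" state the note describes) or actively preventing spoofed mail (p=quarantine or p=reject applied to all messages). The domain names and records are constructed for illustration; the tag names (v, p, sp, pct, rua) are the ones defined by DMARC.

```python
"""
Added example: classify DMARC records by enforcement level.
The sample records and domains below are constructed, not real.
"""
from typing import Dict, Optional

# Constructed records, as they would appear in the _dmarc.<domain> TXT entry.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
    "missing-policy.example": "v=DMARC1; rua=mailto:dmarc@missing-policy.example",
    "not-dmarc.example": "v=spf1 include:_spf.example -all",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs.

    Raises ValueError when the record is malformed or does not carry the
    mandatory leading v=DMARC1 tag.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def effective_subdomain_policy(tags: Dict[str, str]) -> Optional[str]:
    """Subdomain policy: sp= if present, otherwise it inherits p=."""
    value = tags.get("sp") or tags.get("p")
    return value.lower() if value else None


def classify(record: str) -> str:
    """Return one of: 'monitor', 'partial', 'enforcing', 'invalid'.

    'partial' means an enforcing policy is applied to only pct% of mail,
    so spoofed messages still get through some of the time.
    """
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"
    policy = tags.get("p")
    if policy is None:
        return "invalid"  # p= is required by the DMARC specification
    policy = policy.lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitor"
    if policy in ("quarantine", "reject"):
        return "enforcing" if pct >= 100 else "partial"
    return "invalid"


def audit(records: Dict[str, str]) -> Dict[str, str]:
    """Map each domain to its enforcement class; handy for a fleet report."""
    return {domain: classify(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, state in audit(SAMPLE_RECORDS).items():
        print(f"{domain:28} {state}")
```

In a real check the record comes from a DNS TXT lookup of `_dmarc.<domain>`; the parsing and classification above are the same. A domain reported as "monitor" has DMARC "turned on" in the sense of receiving reports, but receivers are told to deliver spoofed mail anyway.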

I shuddered when I read "Internet accessible PLC". PLCs are not designed to be Internet accessible. Fundamentally separate OT from IT; further, separate experiment control systems from environmental health/safety systems. For example, keep the C&C machine separated from the oxygen safety monitor, neither of which should be directly accessible. Use a controlled interface, or air-gap. While remote access is desirable in the current work environment, controls must be maintained to prevent direct attack on these systems, including not providing some remote access. Additionally, have processes for verifying transfer of data and software to and from these systems to prevent introduction of malware.

Lee Neely

In addition to the recommendation that we made earlier in the week that strong authentication should be considered essential for infrastructure controls connected to the public networks, and in addition to implementing DMARC, strong consideration should be given to isolating e-mail and browsing from operational networks.

William Hugh Murray

2020-07-21

Alleged Chinese Hackers Indicted on Multiple Charges for Stealing Intellectual Property

The US Department of Justice (DoJ) has unsealed a July 7, 2020 indictment charging two Chinese citizens in connection with a decade of hacking. Li Xiaoyu and Dong Jiazhi allegedly hacked into networks at numerous companies around the world and stole intellectual property and other sensitive data. The defendants allegedly hacked both for personal gain and on behalf of various Chinese government agencies. They also allegedly attempted to extort cryptocurrency by threatening to post stolen source code online. Li and Dong are facing charges of conspiracy to commit computer fraud; conspiracy to commit theft of trade secrets; conspiracy to commit wire fraud; unauthorized access of a computer; and aggravated identity theft.

Editor's Note

Although there is little chance these people will see the inside of a jail - much less a courtroom, indictments like these limit travel flexibility, shine a bright light on the behavior, and thereby raise the cost of attacks.

Alan Paller

2020-07-23

Mysterious "Meow" Attacks Wiping Databases

A hacker has been wiping misconfigured databases for no apparent reason other than that they were accessible on the Internet. The attacker overwrites data with the word "Meow." At least 1,800 databases have been affected.

Editor's Note

These attacks don't leave a message or ransom note, they just wipe. There seems to be an uptick in unsecure cloud resource discovery, at least partly due to moving applications and services to better support working from home, to include changing access controls which restricted access to the corporate network. Security scanning and review processes must include verification that your cloud storage has appropriate ACLs implemented. Consider scanning for access from outside your corporate network to locate exposed services. Lastly, verify you have verified backups that you know how to restore for those services.

Lee Neely

I guess in some ways, these attacks are doing us all a favor by taking unprotected, probably already leaked, data out of its misery?

Johannes Ullrich

The default access control rule of "read/write" must be replaced with "read-only" and "execute-only," the rules that were written for large-scale "shared resource" computers. While computers are now so cheap that even children have their own, we share applications, networks, and data on a scale that could not even be imagined when those rules were first recommended.

William Hugh Murray

2020-07-23

NY Financial Regulators Charge First American Financial in Connection with Data Leak

The New York State Department of Financial Services (NYSDFS) has charged First American Financial Corp. with exposing millions of documents containing sensitive information between October 2014 and May 2019. The compromised data include driver's license, bank account, and Social Security numbers. This is the first cybersecurity enforcement action NYSDFS has taken.

Editor's Note

Fully verify your access controls are working and comprehensive, particularly for internet facing applications. The problem is the application that provided access to customer data didn't require access control once a valid ImageDocumentID number was provided. Additionally, predictable ID numbers were used, and were indexed by search engines.

Lee Neely
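As an added example (not code from the NewsBites item, the editor's note, or First American), the Python below shows the access pattern the note describes, a document endpoint that serves any record whose sequential identifier is supplied, next to a hardened version that requires an authenticated requester, checks that the requester owns the document, issues unguessable identifiers, and marks responses as not indexable. The class and function names, the sample documents, and the owner names are constructed for illustration.

```python
"""
Added example: insecure direct object reference (IDOR) on a document
endpoint, and the hardened equivalent.  All names and data are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    contents: str


class AccessDenied(Exception):
    """Raised when the requester may not see the document."""


# --- 'Before': sequential ids, and the id alone is treated as authorization ---
SEQUENTIAL_STORE: Dict[str, Document] = {
    "1001": Document("1001", "alice", "alice's closing file"),
    "1002": Document("1002", "bob", "bob's closing file"),
}


def fetch_document_unchecked(doc_id: str) -> str:
    """Weak pattern: no login, no ownership check, guessable neighbours."""
    return SEQUENTIAL_STORE[doc_id].contents


# --- 'After': unguessable ids plus an ownership check on every read ---
def new_document_id() -> str:
    """24 random bytes, URL-safe: adjacent ids cannot be enumerated."""
    return secrets.token_urlsafe(24)


class DocumentStore:
    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}

    def add(self, owner: str, contents: str) -> str:
        doc_id = new_document_id()
        self._docs[doc_id] = Document(doc_id, owner, contents)
        return doc_id

    def fetch(self, requester: Optional[str], doc_id: str) -> str:
        # Authentication first: an anonymous caller is never served.
        if requester is None:
            raise AccessDenied("authentication required")
        doc = self._docs.get(doc_id)
        # Same failure for 'missing' and 'not yours', so a probe cannot
        # learn which identifiers exist.
        if doc is None or doc.owner != requester:
            raise AccessDenied("not authorized for this document")
        return doc.contents


def response_headers() -> Dict[str, str]:
    """Headers to send with sensitive documents so crawlers do not index
    or cache them (X-Robots-Tag and Cache-Control are standard headers)."""
    return {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}


if __name__ == "__main__":
    # The weak endpoint hands out bob's file to anyone who tries the next id.
    print("unchecked:", fetch_document_unchecked("1002"))
    store = DocumentStore()
    doc_id = store.add("alice", "alice's closing file")
    print("owner read:", store.fetch("alice", doc_id))
    try:
        store.fetch("bob", doc_id)
    except AccessDenied as exc:
        print("other user:", exc)
```

The ownership check is the control that matters; random identifiers only reduce exposure if the check is absent or buggy, and the no-index headers keep a document URL that does leak from being picked up by search engines.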

The Rest of the Week's News


2020-07-22

NIST Enters Next Round of Review in Public Key Cryptographic Algorithm Selection

The US National Institute of Standards and Technology (NIST) has begun the third round of public review of submissions for the Post-Quantum Cryptography Standardization Process. The initial 65 submissions have been winnowed down through two rounds and now stand at 15. NIST mathematician Dustin Moody said, "At the end of this round, we will choose some algorithms and standardize them."

Editor's Note

Selecting and validating new cryptography standards takes time - it took about 4 years from when NIST first engaged the cryptographic community in 1997 before the Rijndael algorithm was announced for the Advanced Encryption Standard (AES). That open process paid off -- good to see it being followed again. So, not any immediate action around this news item but if you are part of strategic planning, you should include this in the 5 year window.

John Pescatore

This is exciting. Too often we hear of old algorithms which are no longer viable due to increases in computing capabilities. The candidates are grouped into a set that needs to mature more and candidates that could find wide adoption. Expect selected algorithms (two new encryption and two new signature) to be announced in 2022. Check the CRSC publication below for the list of algorithms moving forward.

Lee Neely

There will be no Quantum Apocalypse. Not all algorithms are vulnerable to quantum computing. Unfortunately for us, the RSA algorithm that is widely used for symmetric key exchange is one that is vulnerable and must be replaced. The sooner we address this, the less it will cost us. The later we address it, the greater the chance that we get it right. We must strike a balance. However, quantum computing is likely to be expensive for years to decades; we have time.

William Hugh Murray

2020-07-23

Additional Information Emerging About Twitter Hack

Twitter says that the hackers who hijacked high profile accounts last week accessed private messages from 36 accounts, including one that belongs to an elected official from the Netherlands.


2020-07-22

Adobe Releases Unscheduled Patches

On Tuesday, July 21, Adobe released four unscheduled security updates that address a total of 13 vulnerabilities in Adobe Reader Mobile, Prelude, Photoshop, and Bridge. Twelve of the vulnerabilities are rated critical.

Editor's Note

Tech sites should stop referring to these "random" patches Adobe releases as "emergency patches." These updates are not particularly important and should be treated like any other patch. See Adobe's "Priority" rating for more guidance on how to prioritize these patches. In this particular case, the priority is quite low. Adobe just stopped sticking with a particular "Patch Tuesday" pattern. The lineup with Microsoft's patch Tuesday is only important for Adobe Flash which is integrated in Microsoft's software.

Johannes Ullrich

Check the Adobe security bulletin site (link below) to be certain which products need updating. Creative Cloud users should already be getting prompts to update Prelude, Photoshop and Bridge. You will need to leverage your MDM to monitor Adobe Reader Mobile.

Lee Neely

2020-07-23

Prometei Cryptominer Botnet

The Prometei cryptocurrency mining botnet spreads in several ways, including through the Eternal Blue exploit for Windows Server Message Block. The malware campaign appears to have been active since March.


2020-07-21

Diebold Nixdorf Warns ATM's Own Software Stack Used in Jackpotting Attacks

Diebold Nixdorf has issued a warning that jackpotting attacks against some of their ATMs are being conducted with black boxes that contain part of the targeted machines' software stack. Diebold recommends that terminal operators make sure their software is up-to-date, that encryption is enabled on the terminal, and to implement hard-disk encryption and limit physical access to the machines.

Editor's Note

After a rocky start, when many ATMs were not online, they became an example of how to do security and Diebold was a leader. ATMs were on bank premises, operated by banks, using hardened hardware, purpose-built software, and proprietary networks and protocols. Then came the 90s. Every diner and convenience store advertised "ATM inside," ATMs became appliances, used Windows, used dial-up with modems, and IP with ethernet adapters. Cheap and convenient drove out trust and security.

William Hugh Murray

2020-07-24

Garmin Mobile App Unavailable Due to Apparent Ransomware Attack

Garmin's mobile application and related services are down due to a probable ransomware attack. The company has not acknowledged that it was hit with ransomware, but employees have talked about it on social media. Garmin has informed its staff that the company will be offline for planned maintenance on July 24 and 25.


2020-07-23

Blackbaud Ransomware Attack Affects Multiple Universities

A May 2020 ransomware attack against Blackbaud, a cloud-based education, administration, and fund-raising management software company, compromised personal information belonging to staff and students from at least 10 colleges and universities, as well as non-profits such as Human Rights Watch and Young Minds. Blackbaud disclosed the incident on July 16, noting that it had "paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."


2020-07-22

GEDmatch Breach Resulted in Data Exposure

DNA analysis website GEDmatch has acknowledged that following a breach earlier this month, users' permissions were reset, which allowed law enforcement agencies to access their information during searches. GEDmatch gained notoriety in 2018 when police used information in the company's database to catch a serial killer. Following that incident, GEDmatch allowed users to choose whether or not to allow their information to appear in law enforcement search results. The reset permissions were exposed for about three hours before the company became aware of the situation and took the site offline. As of the evening of Thursday, July 23, the site was still unavailable.

Internet Storm Center Tech Corner

Comparing Covid19 Remote Services in Different Countries

https://isc.sans.edu/forums/diary/Couple+of+interesting+Covid19+related+stats/26374/


A Few IoCs Related to the F5 Vulnerability CVE-2020-5092

https://isc.sans.edu/forums/diary/A+few+IoCs+related+to+CVE20205092/26378/


Simple Blocklisting with MISP and pfSense

https://isc.sans.edu/forums/diary/Simple+Blocklisting+with+MISP+pfSense/26380/


ISC Intel Feed (Beta. DO NOT USE AS BLOCKLIST)

https://isc.sans.edu/api/intelfeed?json

(also see isc.sans.edu/api)


Adobe Patches Photoshop

https://helpx.adobe.com/security/products/bridge/apsb20-44.html

https://helpx.adobe.com/security/products/photoshop/apsb20-45.html


Microsoft Publishes Sysinternals Procmon for Linux

https://github.com/microsoft/ProcMon-for-Linux


Citrix Workspace App Vulnerability

https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/


PDF Signature Weaknesses

https://pdf-insecurity.org/


Sharepoint Vulnerability PoC CVE-2020-1147

https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html


Twilio Compromise

https://www.theregister.com/2020/07/21/twilio_sdk_code_injection/


ASUS RT-AC1900P Router Vulnerability

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=27440


DLink Leaks Firmware Encryption Key

https://nstarke.github.io/0036-decrypting-dlink-proprietary-firmware-images.html


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86