SANS NewsBites

Gmail Spoofing; FBI Warns of North Korean Attacks on Defense Contractors

August 21, 2020  |  Volume XXII - Issue #66

Top of the News


2020-08-20

Google Fixes Gmail Spoofing Vulnerability

Google has fixed a security issue affecting Gmail and G Suite that could have been exploited to spoof email messages and make them appear to be compliant with Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Google was notified of the issue on April 3, 2020.

Editor's Note

The first exploit takes advantage of an internal server which is trusted to relay email, which can potentially work on any email service. Make sure that your email relays are configured to relay email only from authorized services and verify which domains can send email on your behalf. Make sure you verify your SPF, DKIM, and DMARC settings are set and working as intended.

Lee Neely
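The editor's note above ends with "verify your SPF, DKIM, and DMARC settings are set and working as intended." As an added illustration, not code from the SANS item, from Google or from the researcher's write-up, the following Python script parses the SPF and DMARC TXT records a domain publishes and flags the settings that matter in a spoofing scenario: a permissive "all" qualifier, a monitoring-only DMARC policy, an unprotected subdomain policy, missing aggregate reporting, and more lookup-consuming terms than SPF allows. All four records are constructed examples on reserved example names. The script runs offline, so its lookup count covers only terms written directly in the record (includes pull in more lookups when resolved), and it does not assess the relay misconfiguration the note describes first, which no published record can reveal.

```python
"""Offline SPF/DMARC record audit.

Added illustration, not code from SANS, Google or the researcher's write-up.
It parses the two TXT records a domain publishes and flags settings that let
spoofed mail pass or go unreported.  All records below are constructed
examples (the domains are reserved example names, not real senders).
"""
from typing import Dict, List, Optional

# Constructed records: a weak pair beside a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mailer.example a mx ptr +all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")

# Mechanisms that each cost one of the ten DNS lookups SPF allows (RFC 7208 4.6.4).
_LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "ptr")


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and the qualifier on the final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[str] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term if term[0] in "+-~?" else "+" + term  # bare 'all' means pass
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def _costs_lookup(mechanism: str) -> bool:
    """True for terms that consume a DNS lookup when directly present in the record."""
    body = mechanism.lstrip("+-~?").lower()
    name = body.split(":", 1)[0].split("/", 1)[0]
    return body.startswith(_LOOKUP_PREFIXES) or name in ("a", "mx")


def spf_findings(record: str) -> List[str]:
    """Return human-readable weaknesses in an SPF record (empty list if none found)."""
    spf = parse_spf(record)
    findings: List[str] = []
    qualifier = spf["all"]
    if qualifier in (None, "+all"):
        findings.append("SPF: '+all' or no 'all' term, so any host passes SPF for this domain")
    elif qualifier == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    elif qualifier == "~all":
        findings.append("SPF: '~all' softfail; rely on DMARC p=quarantine/reject to enforce it")
    lookups = sum(1 for m in spf["mechanisms"] if _costs_lookup(m))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup-consuming terms; over 10 yields permerror")
    if any(m.lstrip("+-~?").lower().startswith("ptr") for m in spf["mechanisms"]):
        findings.append("SPF: 'ptr' is deprecated (RFC 7208 5.5) and slow to evaluate")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; ...' into a dict; keys are lower-cased."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Return human-readable weaknesses in a DMARC record (empty list if none found)."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required 'p' tag missing; receivers treat the record as invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; mail failing alignment is still delivered")
    if policy not in (None, "none") and tags.get("sp", policy) == "none":
        findings.append("DMARC: sp=none leaves subdomains open to spoofing")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so no aggregate reports of who sends as you")
    return findings


def audit(spf_record: str, dmarc_record: str) -> List[str]:
    """Combined findings for one domain's published records."""
    return spf_findings(spf_record) + dmarc_findings(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(label, audit(spf, dmarc) or ["no findings"])
```

Run it as a script to see the weak pair produce four findings and the corrected pair none. To check a real domain, feed in the TXT records from `dig TXT example.com` and `dig TXT _dmarc.example.com`; a record that audits clean still only proves what you publish, not that every relay in your path honours it.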

2020-08-20

CISA, FBI Warn of New North Korean Malware Used in Attacks on Defense Contractors

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint malware analysis report regarding malware they say North Korean hackers have been using in attacks against US defense contractors. The BLINDINGCAN trojan is capable of harvesting information about infected systems; reading, writing, and executing files; and deleting its tracks.

Editor's Note

The exploit is delivered via Microsoft Word XML documents and two DLLs which install the Hidden Cobra RAT. The CISA report includes information on suggested response actions and mitigation techniques along with information on the HIDDEN COBRA actors. The U.S. Army has also published a report (https://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html) that includes information used for response training that details military tactics, weapons arsenal, command structure, troop types, logistics, and electronic warfare capabilities used by the Korean People's Army (KPA).

Lee Neely

The Rest of the Week's News


2020-08-21

University of Utah Paid $457,000 to Ransomware Operators

The University of Utah has revealed that it paid ransomware operators more than $450,000 to prevent stolen data from being leaked. The university was able to restore computer systems from backups. The attack occurred in mid-July.


2020-08-19

WannaRen Ransomware Operators Offer Key

A ransomware group responsible for spreading WannaRen ransomware earlier this year has offered up the malware's decryption key. WannaRen infected tens of thousands of computers belonging to Chinese and Taiwanese companies and home users. WannaRen uses the EternalBlue exploit, which WannaCry operators used in May 2017. Within a week, the malware spread more widely than the operators had intended, so they contacted a cybersecurity company and offered the master decryption key.


2020-08-20

Upstate NY Medical Center Recovering From Cyberattack

Samaritan Medical Center in Watertown, New York, is recovering from an unspecified cyberattack that occurred in late July. The attack prevented medical care providers from accessing patients' electronic medical records. The payroll and accounting systems were affected as well. The facility has continued to care for patients.


2020-08-18

Hackers Used Canva Design Platform to Create Phishing eMails

Attackers have been abusing the Australian design platform Canva, creating graphics there that lend legitimacy to their phishing campaigns. More than 4,200 phishing emails built with Canva content have been observed since February 2020.


2020-08-20

Cisco Issues Fix for Critical Flaw in Virtual Wide Area Application Services

On Wednesday, August 19, Cisco released a fix for a critical vulnerability in its Virtual Wide Area Application Services (vWAAS). The flaw could be exploited to obtain administrator privileges without authentication. Cisco also released two high-severity advisories that address vulnerabilities in Cisco Video Surveillance 8000 Series IP cameras and Cisco Smart Software Manager On-Prem (SSM On-Prem), and 21 medium severity advisories.


2020-08-19

Microsoft Announces End-of-Support Dates for IE 11 and Edge Legacy

In a blog post on Monday, August 17, Microsoft announced that it is phasing out support for Internet Explorer 11 (IE 11). The Microsoft Teams web app will stop supporting IE 11 as of November 30, 2020; Microsoft 365 apps and services will end support for IE 11 as of August 17, 2021. Microsoft also announced that it will be ending support for Edge Legacy as of March 9, 2021.

Editor's Note

Microsoft is encouraging users to move to the new Microsoft Edge, aka Chromium Edge, which includes an IE emulation mode that will help some legacy apps work. IE 11 emulation mode will not be able to access Microsoft 365 apps and Teams after the dates above, because the user agent string identifies the browser as IE 11. Legacy plugins, such as Silverlight, won't work in the new Edge browser, so you may have to provide a sandboxed or virtual legacy browser for those apps which still require it.

Lee Neely

2020-08-20

Microsoft Releases Fixes for Flaws in Windows 8.1, Server 2012 R2

Microsoft has released an unscheduled security update to address two high-severity vulnerabilities in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. Both issues are elevation-of-privilege vulnerabilities in the Windows Remote Access service. The flaws were first disclosed on August 11 in Microsoft's scheduled Patch Tuesday release, but the updates published that day for Windows 8.1 and Server 2012 R2 did not include fixes for them.

Editor's Note

For now, there is neither a published exploit nor exploitation in the wild. There is no workaround other than applying the patch. Updates for these vulnerabilities were included in updates for other operating systems you're already deploying. While mainstream support for Windows 8.1 and Server 2008 ended in late 2018, and you can obtain extended support to 2023, it is time to upgrade or replace these systems with more current products such as Windows 10/Server 2019.

Lee Neely

2020-08-20

FritzFrog P2P Botnet

A peer-to-peer (P2P) botnet dubbed FritzFrog has launched attacks against more than 500 SSH servers at government agencies and private companies over the past eight months. FritzFrog installs backdoors and cryptominers on servers it infects.


2020-08-20

Diebold and NCR Release Fixes for ATM Vulnerabilities

Security flaws in ATMs made by Diebold Nixdorf and NCR could be exploited to modify the amount of currency being deposited to a payment card, in what are known as "deposit forgery" attacks. Vulnerability notes from Carnegie Mellon University's CERT Coordination Center say that the problem is due to the fact that the affected machines "do not encrypt, authenticate, or verify the integrity of messages between [Diebold's cash and check deposit module (CCDM) and NCR's bunch note accepter (BNA)] and the host computer."

Editor's Note

This attack requires physical access to succeed, but it's important to note that the Diebold Nixdorf and NCR products were built assuming they would be used on trusted networks and "do not encrypt, authenticate, or verify the integrity of messages". This is all too common a flaw in "operational technology" that was designed with the assumption that only good guys would have access to the network on which the OT device was deployed. Detailed code review by security experts will often point this out; simple external vulnerability scanning will usually not. There are very few scenarios anymore where sensitive traffic over any network should not at least have integrity controls, if not encryption.

John Pescatore

Operational Technology, such as ATMs, often depends on physical rather than logical security protections (the lock on the door coupled with segmented or isolated networks) and often does not include appropriate protections for traffic across the corporate backbone or the Internet. Even worse, the purpose-built systems may not have the capacity to add encryption or integrity checks, which means you need to implement external controls.

Lee Neely

It is ironic that the first public use of cryptography was for ATMs. The Data Encryption Standard (DES) was developed from the LUCIFER implementation used in early ATMs.

William Hugh Murray
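The CERT/CC wording quoted above, "do not encrypt, authenticate, or verify the integrity of messages", and the editors' point that integrity controls are the minimum for sensitive traffic on any link, can be shown in a few lines. The following Python is an added illustration and is not Diebold Nixdorf's or NCR's protocol or code: a toy deposit notice from an acceptor module to its host, first with no integrity protection, then with an HMAC-SHA256 tag and a sequence number. The message fields, the amounts and the shared key are all constructed for the example.

```python
"""Deposit-message integrity: the flawed pattern beside a hardened one.

Added illustration, not Diebold Nixdorf's or NCR's actual protocol or code.
A toy cash-acceptor module sends a deposit notice to its host over an
untrusted link.  The first version trusts the bytes as received, which is the
"do not encrypt, authenticate, or verify the integrity" pattern CERT/CC
describes; the second adds an HMAC-SHA256 tag and a sequence number so a
tampered or replayed notice is rejected.  Message fields, the key and the
amounts are all constructed for this example.
"""
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed shared secret.  A real device would hold a per-unit key in a
# secure element or HSM; it is a fixed value here only so the example runs.
DEVICE_KEY = bytes(range(32))


def _canonical(body: Dict[str, Any]) -> bytes:
    """Serialize deterministically so module and host MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


# --- Flawed pattern: no integrity check on the link ------------------------

def unauthenticated_notice(amount_cents: int) -> bytes:
    return json.dumps({"type": "deposit", "amount_cents": amount_cents}).encode()


def unauthenticated_host_credit(raw: bytes) -> int:
    """Credits whatever amount the bytes on the wire claim."""
    return json.loads(raw)["amount_cents"]


def tamper_amount(raw: bytes, new_amount_cents: int) -> bytes:
    """What an attacker with access to the link does: rewrite the amount field."""
    msg = json.loads(raw)
    target = msg.get("body", msg)   # works on both the plain and the tagged format
    target["amount_cents"] = new_amount_cents
    return json.dumps(msg).encode()


# --- Hardened pattern: HMAC tag plus monotonic sequence number --------------

class DepositModule:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seq = 0

    def notice(self, amount_cents: int) -> bytes:
        self._seq += 1
        body = {"type": "deposit", "amount_cents": amount_cents, "seq": self._seq}
        tag = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        return json.dumps({"body": body, "tag": tag}).encode()


class DepositHost:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = 0

    def credit(self, raw: bytes) -> int:
        env = json.loads(raw)
        body = env["body"]
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; verify the tag before trusting any field.
        if not hmac.compare_digest(expected, env.get("tag", "")):
            raise ValueError("integrity check failed: notice rejected")
        if body.get("seq", 0) <= self._last_seq:
            raise ValueError("replayed or out-of-order notice rejected")
        self._last_seq = body["seq"]
        return body["amount_cents"]


def demo() -> Dict[str, Any]:
    """Run both patterns against the same tampering and report what each host credited."""
    results: Dict[str, Any] = {}
    raw = unauthenticated_notice(2_000)
    results["flawed_credited"] = unauthenticated_host_credit(tamper_amount(raw, 999_999_00))

    module, host = DepositModule(DEVICE_KEY), DepositHost(DEVICE_KEY)
    genuine = module.notice(2_000)
    results["hardened_credited"] = host.credit(genuine)
    for label, attempt in (("tampered", tamper_amount(genuine, 999_999_00)), ("replayed", genuine)):
        try:
            host.credit(attempt)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MAC gives integrity and origin authenticity but no confidentiality, which matches the "at least integrity controls, if not encryption" bar set above; the sequence number is what stops a captured genuine notice from being replayed. Where the purpose-built module cannot be changed, the same tag-and-counter wrapping can be applied by an external gateway sitting between the device and the host, which is the "external controls" option the second note describes.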

Internet Storm Center Tech Corner

Using APIs to Track Attackers

https://isc.sans.edu/forums/diary/Using+APIs+to+Track+Attackers/26472/


Example of a Word Document Delivering Qakbot

https://isc.sans.edu/forums/diary/Example+of+Word+Document+Delivering+Qakbot/26482/


Office 365 Mail Forwarding Rules (and other Mail Rules too)

https://isc.sans.edu/forums/diary/Office+365+Mail+Forwarding+Rules+and+other+Mail+Rules+too/26484/


Jenkins Security Advisory

https://www.jenkins.io/security/advisory/2020-08-17/


Chrome Will Warn of Insecure Forms

https://blog.chromium.org/2020/08/protecting-google-chrome-users-from.html


Cryptojacking Worm Steals AWS Credentials

https://www.helpnetsecurity.com/2020/08/18/worm-steals-aws-credentials/


PGP/SMime Implementation Weaknesses (PDF)

https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf


Reminder: September 1st Certificate Expiration Change

https://www.ssl.com/blogs/398-day-browser-limit-for-ssl-tls-certificates-begins-september-1-2020/


Windows 8.1 / 2012 Special Patch

https://support.microsoft.com/en-us/help/4578013/security-update-for-windows-8-1-rt-8-1-and-server-2012-r2


Fileless Cryptomining Worm

https://www.helpnetsecurity.com/2020/08/19/fileless-worm-p2p-botnet/


Spoofing GMail/GSuite Customers

https://ezh.es/blog/2020/08/the-confused-mailman-sending-spf-and-dmarc-passing-mail-as-any-gmail-or-g-suite-customer/


Microsoft Updates DisableAntiSpyware Registry Key

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware


Acoustic Based Physical Key Inference (PDF)

https://www.comp.nus.edu.sg/~junhan/papers/SpiKey_HotMobile20_CamReady.pdf