SANS NewsBites

Interior's Wireless Network Problems (An Audit Success); Four Major Criminal Charges

September 18, 2020  |  Volume XXII - Issue #74

Top of the News


2020-09-17

US Department of the Interior OIG Audit Report Details Wireless Network Security Problems

According to an audit report from the Department of the Interior Office of Inspector General (DOI OIG), "the Department did not deploy and operate a secure wireless network infrastructure, as required by the National Institute of Standards and Technology (NIST) guidance and industry best practices." Penetration testers were able to access DOI's internal wireless network with a smartphone and about $200 of equipment stashed in a backpack. They were able to intercept and decrypt traffic. The attacks the pen testers conducted were not detected by DOI employees.

Editor's Note

This story is in "The Top of the News" not so much because the results are remarkable, but rather because the organization is remarkable; this is one of only two audit groups in government that have developed the technical skills to perform hands-on audits that go beyond checklists and questionnaires.

Alan Paller

While there are always tradeoffs between security and usability, particularly with Wi-Fi, having an independent entity perform an active test is an important component to verifying the resulting security meets expectations for protecting services available from that network. Also make sure that you are able to detect these activities, which may necessitate the deployment and integration of a Wireless IPS, which can also help detect use of wireless in areas it is not permitted, rogue networks, and unauthorized devices.

Lee Neely

This is an example of the value of active testing by auditors/IGs that I mentioned in the Newsbites 73 item about the USPS audit results. In the DoI report, the authors point out doing active testing is NOT beyond the capabilities of audit team budgets, though it definitely requires investment on the technical skills side. Here's the quote from the report: "We conducted reconnaissance and penetration testing of wireless networks representing each bureau and office. To do this, we assembled portable test units for less than $200 that were easily concealed in a backpack or purse and operated these units with smartphones from publicly accessible areas and locations open to visitors. Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking."

John Pescatore

2020-09-16

DOJ Charges Seven in Connection with Multiple Cyberattacks

The US Department of Justice has charged seven individuals in connection with a series of cyberattacks against software, pharmaceutical and technology companies, non-profit organizations, and universities. Two of the individuals have been arrested in Malaysia; the other five remain at large in China. Some of those charged are allegedly part of the APT41 hacking group.


2020-09-16

US Charges Alleged Iranian Hackers

The US Department of Justice has filed charges against two Iranian men, Hooman Heidarian and Mehdi Farhadi, for allegedly launching numerous cyberattacks over the past seven years. The targeted organizations include universities, a defense contractor, a foreign policy organization, and government agencies. Prosecutors believe that Heidarian and Farhadi shared stolen data with Iranian government intelligence officials. Heidarian and Farhadi have not been arrested; they are on the FBI's wanted list.


2020-09-17

US Indicts Three for Alleged Theft of Intellectual Property and Other Information

The US Department of Justice has indicted three Iranian individuals, Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati, for allegedly hacking aerospace and satellite companies. Their campaign allegedly ran from July 2015 until at least February 2019 and targeted organizations in the US as well as in other countries. The campaign was allegedly orchestrated "to steal critical information related to United States aerospace and satellite technology and resources."


2020-09-17

Criminal Charges and Financial Sanctions in Cryptocurrency Phishing Case

The US Department of the Treasury's Office of Foreign Assets Control has officially sanctioned two Russian individuals, Danil Potekhin and Dmitrii Karasavidi, in connection with a phishing campaign "that targeted customers of two U.S.-based and one foreign-based virtual asset service providers." In addition, the Department of Justice has filed charges against Potekhin and Karasavidi for allegedly stealing millions of dollars' worth of cryptocurrency. They remain at large.

The Rest of the Week's News


2020-09-17

German Authorities Investigating Patient Death After Ransomware Attack on Hospital

In the wake of a ransomware attack on its network, Dusseldorf University Hospital determined that it would not be equipped to conduct scheduled and outpatient procedures or offer emergency care. A patient with a life-threatening condition was rerouted to a different hospital, which resulted in treatment being delayed by an hour; the patient did not survive. German authorities are investigating the incident as negligent manslaughter.

Editor's Note

While the result here is terrible, the take-away is to verify the viability of your contingency plans. Over the last six months we've been made painfully aware of our limitations in supporting a 100% remote workforce, and adapted accordingly. Now that we've got the mindset, apply that sort of thinking and review to DR plans and adjust where needed.

Lee Neely

Those organizations and Cyber Insurance companies who have made extortion payments to the criminals behind ransomware attacks have enabled these criminals to become better funded, more sophisticated, and more motivated. It's a sad reality that inevitably this evolution in criminals' capabilities would result in serious consequences. If your organization becomes a victim of ransomware, take a good look at the long-term consequences of what paying that ransom may have. You may get your data back, but others may pay a higher cost at a later stage.

Brian Honan

Not so much "negligent" as "reckless," that is unless one wants to charge the hospital with negligence. With the number of extortion attacks against the health care sector, it was only a matter of time until one would result in serious injury or death.

William Hugh Murray

2020-09-17

NCSC Warns of Ransomware Attacks Against Education Sector

The UK's National Cyber Security Centre (NCSC) has issued an alert warning of an increasing number of ransomware attacks targeting schools and universities. The alert describes common ransomware infection vectors (phishing emails, Remote Desktop Protocol, and unpatched hardware and software vulnerabilities) and provides a list of suggested mitigations.

Editor's Note

Increased distance learning and rapid adoption of technologies to support that has presented both a larger attack surface and increased opportunities for adversaries. This increased remote access heightens the need for diligent application of patches and verified security configurations for new and existing capabilities. Lastly, UAT activities, such as phishing exercises, must continue. Think twice before avoiding COVID-themed items as these are being actively used by adversaries.

Lee Neely

The NCSC has a great guide on combatting malware and ransomware which was recently updated and is available at https://www.ncsc.gov.uk/blog-post/rebooting-malware-and-ransomware-guidance. Europol also has excellent resources on dealing with ransomware at their NoMoreRansom website at https://www.nomoreransom.org.

Brian Honan

2020-09-17

Ransomware Attack Disrupts Online Learning for California School District

A ransomware attack affecting the network of the Newhall School District in Valencia, California, resulted in a temporary shutdown of remote learning. District servers remain shut down to allow a forensic investigation.

2020-09-16

Adobe Patches Flaws in Media Encoder

Adobe has released an unscheduled update for Media Encoder to address "out-of-bounds read vulnerabilities that could lead to information disclosure in the context of the current user." The flaws affect Adobe Media Encoder versions 14.3.2 and earlier.

Editor's Note

Adobe gives this update a priority of 3, meaning the product is historically not a target for attackers, and that updates can be applied at your discretion. While Creative Cloud users are likely already being prompted to update, make sure the update is added to your minimum baseline checks. Assess your install base when weighing the risks of patching now versus waiting for your October update cycle.

Lee Neely


2020-09-16

BLESA: Bluetooth Low Energy Spoofing Attacks Vulnerability

Researchers from Purdue University have uncovered "design weaknesses" in the Bluetooth Low Energy (BLE) protocol that could put devices at risk of spoofing attacks. The researchers note that "BLE requires limited or no user interaction to establish a connection between two devices." The weaknesses lie in the fact that "link-layer encryption/authentication is optional" and that authentication procedures can be circumvented.

Editor's Note

Previous research revealed weaknesses in the pairing activities, and impacted both BTLE and traditional Bluetooth. This weakness takes advantage of the specification's provision for things to "just work," which allowed the reconnection to continue without the authentication. Exploiting the weakness requires physical proximity and network access. The weakness is not being exploited in the wild. Some vendors, such as Apple, have released a vendor-specific fix for this vulnerability, but not all vendors are expected to follow suit.

Lee Neely

So called "researchers" continue to disclose problems instead of recommending solutions.

William Hugh Murray

2020-09-17

Apple iOS Security Updates

Apple has released updates for iOS and iPadOS. The newest versions - iOS 14 and iPadOS 14 - fix 11 security issues, including a privilege elevation vulnerability that can be exploited if users are manipulated into opening a maliciously-crafted file. Apple has also issued updates for Safari, tvOS, and watchOS.

Editor's Note

Unlike last week's release of iOS 13.7 (and 13.6 before that), which did not address any CVEs, iOS 14 does address 11 security issues, so you're going to want to require adoption of this version. Make sure that your MDM agent supports iOS 14; even so, you may need to push (or have users install) updated software on their devices prior to installing iOS 14. If you have been using the keychain to store passwords, the new password management functionality now includes breach notification and will alert you as to which of your account passwords have been compromised, as well as assist you in changing them.

Lee Neely

Internet Storm Center Tech Corner

Traffic Analysis Quiz: Oh No... Another Infection

https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+Oh+No+Another+Infection/26566/


Most Recent "Mirai" Bot Includes Code to Target Backups

https://isc.sans.edu/forums/diary/Do+Vulnerabilities+Ever+Get+Old+Recent+Mirai+Variant+Scanning+for+20+Year+Old+Amanda+Version/26572/


OSSEC Active Response

https://isc.sans.edu/forums/diary/Suspicious+Endpoint+Containment+with+OSSEC/26576/


Magento 1 Stores Targeted By Recent Attack

https://sansec.io/research/largest-magento-hack-to-date


Adobe Media Encoder Patch

https://helpx.adobe.com/security/products/media-encoder/apsb20-57.html


Zerologon Reminder

https://www.secura.com/pathtoimg.php?id=2055


Windows "Finger" Utility Abused

http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt


Apple Security Updates

https://support.apple.com/en-us/HT201222


Microsoft Patch for Office for Mac

https://docs.microsoft.com/en-us/officeupdates/release-notes-office-for-mac


VMware Fusion Vulnerability

https://www.vmware.com/security/advisories/VMSA-2020-0020.html


NSA Secure Boot Configuration Guide (PDF)

https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF


Microsoft Edge Warns Users of Adobe Flash End of Support

https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/