SANS NewsBites

Two Big Cyber Takedowns and the New NSA

October 16, 2020  |  Volume XXII - Issue #82

Top of the News


2020-10-14

Cyber Command's TrickBot Disruption Efforts are "Precedent-Setting"

US Cyber Command's efforts to disrupt the TrickBot botnet mark "the first public, obvious operation to stop someone's cyber capability before it could be used against us to cause even greater harm," according to Columbia University cyber conflict researcher Jason Healey. Cyber Command severed communication between infected machines and the botnet's command-and-control servers, and it injected nonsense data into the information TrickBot stole. While the efforts did not cause serious damage to the botnet, the action Cyber Command took "shows the growing reach of US military hackers."

Editor's Note

This is a "tip of the iceberg" story. Paul Nakasone, and the extraordinarily capable leadership team he assembled, created a new NSA that is making a quiet but powerful difference on both the defensive and offensive side of cybersecurity. Both directly and through partnerships with DHS and other organizations, this is the NSA and Cyber Command we always hoped would emerge. Garrett Graff published an insightful review of Gen. Nakasone and his accomplishments in Wired on Monday: https://www.wired.com/story/general-paul-nakasone-cyber-command-nsa/: The Man Who Speaks Softly--and Commands a Big Cyber Army

Alan Paller

Beyond demonstrating the capability of US Cyber Command, this also reveals the recovery capabilities of the TrickBot botnet which will help with the eventual takedown. TrickBot uses Tor to obfuscate C&C servers as well as EmerDNS to register backup servers for fail-over. While it's not clear if a military response was appropriate, statements by Microsoft (www.nytimes.com/2020/10/12/us/politics/election-hacking-microsoft.html: Microsoft Takes Down a Risk to the Election, and Finds the U.S. Doing the Same) and Cyber Command (https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html: Cyber Command has sought to disrupt the world's largest botnet, hoping to reduce its potential impact on the election) support the actions to include election security concerns.

Lee Neely

2020-10-13

Microsoft's TrickBot Legal Maneuver Could Help with Botnet Takedowns in the Future

Microsoft, along with several security firms and the Financial Services Information Sharing and Analysis Center (FS-ISAC), also took steps to disrupt TrickBot's activity. While the efforts only temporarily hindered the botnet's operations, the court case in which Microsoft was granted control of TrickBot servers did set a new legal precedent that could help take action against botnets more quickly in the future.

Editor's Note

In the legal filing, Microsoft argued that Trickbot irreparably harms the company "by damaging its reputation, brands, and customer goodwill." In essence, the TrickBot behavior leads users to believe they are seeing intended actions in the Microsoft product. Brian Krebs provides detailed analysis of the case. https://krebsonsecurity.com/2020/10/microsoft-uses-copyright-law-to-disrupt-trickbot-botnet/: Microsoft Uses Trademark Law to Disrupt Trickbot Botnet

Lee Neely

The legal basis for this takedown is arguable; the bad guys are unlikely to come into court to argue their case. Enterprise applications should be as resilient as this botnet.

William Hugh Murray

The Rest of the Week's News


2020-10-15

New York Dept. of Financial Services Calls for Regulation of Social Media Companies After Twitter Hack

In an investigative report into the July 2020 Twitter cybersecurity incident, the New York Department of Financial Services calls for "public oversight of social media," to help improve their cybersecurity practices. The report notes that the "Twitter hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies."

Editor's Note

While the authority of the NY DFS is limited to enterprises that are licensed or chartered by the state of New York, all enterprises can and should operate consistent with their reasonable and useful requirements. The large states are playing a useful role in defining standards of care. In some cases, the states have asserted their authority beyond enterprises that they "license or charter" to those that "operate or offer services in."

William Hugh Murray

2020-10-15

Zoom Will Release Preview of End-to-End Encryption Next Week

Zoom plans to release a technical preview of its end-to-end encryption (E2EE) next week. The company will be "proactively soliciting feedback from users for the first 30 days." When Zoom's E2EE is rolled out, the feature will be available to all users.

Editor's Note

Kudos to Zoom for delivering the solution so rapidly. The primary difference here is where encryption keys are generated and who can decrypt the content. In short, with E2EE, the meeting host generates the keys and uses PKI to transmit them to participants, while previously the Zoom server generated and transmitted those keys, which meant that Zoom could share them with supporting services such as meeting transcription and live streaming which need decrypted content. Several features are disabled with E2EE such as join before host, breakout rooms, cloud recording and transcription. Read Zoom's FAQs on their blog below to see all the impacts.

Lee Neely

2020-10-13

Updates Address Vulnerabilities in PhantomPDF

Updates are available to address four high-severity security flaws in Foxit's PhantomPDF. Users are urged to upgrade to PhantomPDF version 10.1 for Windows and PhantomPDF version 4.1 for Mac. The US Cybersecurity and Infrastructure Security Agency (CISA) warned of the flaws in a vulnerability summary earlier this month.

Editor's Note

The exploit leverages a use-after-free condition to cause malicious code to be executed. The updates address CVE-2020-26534, CVE-2020-26535, CVE-2020-26537 and CVE-2020-26539. The Windows update was released September 28th, Mac version October 9th. The CVSS 3.x scores are 9.8, indicating rapid update is prudent.

Lee Neely

2020-10-15

Barnes and Noble Hit by Cyberattack

US bookseller Barnes & Noble has disclosed a security breach that may have compromised customer data. The company issued a statement, saying, "We have a serious network issue and are in the process of restoring our server backups." The attack reportedly occurred on October 10. Since then, users of Barnes & Noble's Nook Digital eBook and eReader platform have said they are unable to access their libraries of eBooks and periodical subscriptions.

Editor's Note

Barnes & Noble believes the attack was due to an intrusion, rather than ransomware, possibly leveraging a previously identified flaw in their VPN servers (CVE-2019-11510). Be sure to not only monitor for inappropriate system access, but also mitigate or remediate flaws in boundary protection devices expeditiously.

Lee Neely

2020-10-15

German Authorities Conduct Raids in Connection with FinFisher Spyware

Earlier this month, German authorities searched 15 homes and businesses in connection with FinFisher, a company that develops and sells surveillance software. The company is being investigated over suspicions that it exported its FinSpy surveillance software to countries without an export license. If this is true, the company could be charged with violating the Foreign Trade and Payments Act.


2020-10-14

Microsoft's October 2020 Patch Tuesday

On Tuesday, October 13, Microsoft released updates to address nearly 90 security issues in Windows and Windows-related products. Eleven of the vulnerabilities are rated critical. One of the most concerning flaws, CVE-2020-16898, is a Windows TCP/IP remote code execution vulnerability that has been dubbed "Bad Neighbor." The vulnerability can be exploited by sending maliciously crafted packets.

Editor's Note

A lot has been written about the ICMPv6 "Bad Neighbor" vulnerability. While the flaw is pretty straight-forward, exploitation isn't quite as easy, and calling the vulnerability "wormable", while technically correct, is a bit of a stretch. In order to exploit the vulnerability, an attacker has to be on the same network segment as the victim. A worm would only spread in one network segment as the packets are not routable. Remote code execution will also require an information disclosure vulnerability in addition to this code execution vulnerability. If an attacker has a foothold in your network, there are probably a dozen easier to exploit vulnerabilities. https://isc.sans.edu/forums/diary/CVE202016898+Windows+ICMPv6+Router+Advertisement+RRDNS+Option+Remote+Code+Execution+Vulnerability/26684/: CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability

Johannes Ullrich
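The "same segment" argument above rests on two properties of Router Advertisements that a defender can check directly: RFC 4861 requires an RA to arrive with hop limit 255 from a link-local source (so it cannot have been routed in from elsewhere), and the RDNSS option (RFC 8106) is always 8 header bytes plus 16 bytes per address, so its Length field (in 8-octet units) is always odd. Public analyses of CVE-2020-16898 identify an even RDNSS Length, which leaves a truncated trailing address, as the trigger; that detail is not stated in the newsletter or the ISC diary linked above. The following is an added example, not code from SANS, ISC or Microsoft: a small stand-alone parser that builds constructed RA packets (no real capture) and flags both the out-of-scope RA and the malformed option.

```python
"""Flag ICMPv6 Router Advertisements that violate RFC 4861 scope rules or carry a
malformed RDNSS option (the CVE-2020-16898 "Bad Neighbor" trigger). Added example;
the sample packets are constructed, not captured."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ND_ROUTER_ADVERTISEMENT = 134
ND_OPT_RDNSS = 25          # RFC 8106 Recursive DNS Server option
RA_FIXED_HEADER_LEN = 16   # type, code, checksum, cur hop limit, flags, lifetime, reachable, retrans


def build_ipv6(src, dst, hop_limit, payload):
    """Minimal IPv6 header (no extension headers) in front of an ICMPv6 payload."""
    return struct.pack(
        "!IHBB16s16s",
        0x60000000, len(payload), ICMPV6_NEXT_HEADER, hop_limit,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    ) + payload


def build_ra(*options):
    """ICMPv6 Router Advertisement; checksum left zero because the analyzer does not verify it."""
    fixed = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return fixed + b"".join(options)


def build_rdnss(length, lifetime, addresses):
    """RDNSS option whose Length field (8-octet units) is chosen by the caller.

    A well-formed option is 8 header bytes plus 16 bytes per address, so Length is
    always odd (3, 5, 7, ...). An even Length yields a truncated trailing address,
    the layout that tcpip.sys mishandled."""
    header = struct.pack("!BBHI", ND_OPT_RDNSS, length, 0, lifetime)
    body = header + b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    # Make the bytes on the wire agree with the declared Length field.
    return body[: length * 8].ljust(length * 8, b"\x00")


def analyze_ra(packet):
    """Return a list of findings for one IPv6 packet; an empty list means nothing suspicious."""
    if len(packet) < 40:
        return ["truncated IPv6 header"]
    ver_tc_flow, payload_len, next_header, hop_limit, src, _dst = struct.unpack(
        "!IHBB16s16s", packet[:40])
    if ver_tc_flow >> 28 != 6 or next_header != ICMPV6_NEXT_HEADER:
        return []  # not plain ICMPv6-over-IPv6; out of scope for this checker
    payload = packet[40:40 + payload_len]
    if len(payload) < RA_FIXED_HEADER_LEN or payload[0] != ND_ROUTER_ADVERTISEMENT:
        return []
    findings = []
    # RFC 4861 validity rules: RAs are never forwarded, so a host should only ever see
    # hop limit 255 from a link-local source. Anything else did not originate on this link.
    if hop_limit != 255:
        findings.append(f"hop limit {hop_limit} != 255 (RA did not originate on this link)")
    if not ipaddress.IPv6Address(src).is_link_local:
        findings.append("RA source address is not link-local")
    # Walk the TLV options: each Length is in 8-octet units and must be non-zero.
    off = RA_FIXED_HEADER_LEN
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            findings.append("ND option with Length 0 (RFC 4861 says drop the packet)")
            break
        if opt_type == ND_OPT_RDNSS and (opt_len < 3 or opt_len % 2 == 0):
            findings.append(
                f"RDNSS option with invalid Length {opt_len}: possible CVE-2020-16898 trigger")
        off += opt_len * 8
    return findings


# Constructed sample traffic (not captured from a real attack).
BENIGN_RA = build_ipv6("fe80::1", "ff02::1", 255,
                       build_ra(build_rdnss(3, 3600, ["2001:db8::53"])))
BAD_NEIGHBOR_RA = build_ipv6("fe80::1", "ff02::1", 255,
                             build_ra(build_rdnss(4, 3600, ["2001:db8::53", "2001:db8::54"])))
ROUTED_RA = build_ipv6("2001:db8::1", "ff02::1", 64,
                       build_ra(build_rdnss(3, 3600, ["2001:db8::53"])))

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_RA), ("bad-neighbor", BAD_NEIGHBOR_RA), ("routed", ROUTED_RA)]:
        print(name, analyze_ra(pkt) or "ok")
```

The routed sample shows why the "wormable" label is a stretch: a packet that crosses a router arrives with a decremented hop limit and a non-link-local source, and a conforming host discards it before any option is parsed. On the local segment, the even-Length RDNSS check is the same condition that published IDS signatures for this bug key on.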

2020-10-13

Adobe Issues Fixes for Another Critical Flash Flaw

Adobe has released updates to fix a critical flaw in Flash Player that could be exploited to crash vulnerable installations and allow remote code execution. The NULL pointer dereference vulnerability is fixed in version 32.0.0.445 of Flash Player products.

Editor's Note

Adobe Flash support will be ending this year. As part of this latest update, Adobe will also suggest uninstalling Flash. Please follow Adobe's advice.

Johannes Ullrich

Fixes to Chrome and Microsoft Edge are included in their latest updates. Verify Flash update status via chrome://components and edge://components functions. Better still, disable Flash where not needed.

Lee Neely

2020-10-15

Adobe Releases Updates to Fix Nine Flaws in Magento

A pair of critical vulnerabilities in Adobe's Magento ecommerce platform could be exploited to gain read/write access to the database or to execute arbitrary code. These flaws, along with seven other less severe issues, affect both Magento Commerce, which has a licensing fee, and Magento Open Source, which does not. Adobe has released updates to address the vulnerabilities.

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+October+2020+Patch+Tuesday/26672/

MSFT Patch Tuesday Followup

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16951

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952

Obfuscated Python RAT

https://isc.sans.edu/forums/diary/Nicely+Obfuscated+Python+RAT/26680/

BadNeighbor ICMPv6 Router Advertisement Update

https://isc.sans.edu/forums/diary/CVE202016898+Windows+ICMPv6+Router+Advertisement+RRDNS+Option+Remote+Code+Execution+Vulnerability/26684/

TA551/Shathak Word Docs Push IcedID and Bokbot

https://isc.sans.edu/forums/diary/More+TA551+Shathak+Word+docs+push+IcedID+Bokbot/26674/

Adobe Updates

https://helpx.adobe.com/security/products/flash-player/apsb20-58.html

Apple T2 Chip Vulnerability Confirmed

https://9to5mac.com/2020/10/13/t2-exploit-team/

SAP Updates

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196

BlueZ Vulnerability

https://www.youtube.com/watch?v=qPYrLRausSw

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html

Zoom Rolling Out End-to-End Encryption

https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-offering/