SANS NewsBites

Hospitals Under Ransomware Siege; SANS Launches CyberStart America: $2 million in Scholarships To Help Close Advanced Cyber Skills Gap

October 30, 2020  |  Volume XXII - Issue #86

Top of the News


2020-10-30

A National Cyber Challenge: CyberStart America Free for All U.S. High School Students; $2 Million in College Scholarships

"The US Starts Enders Hacking Game" is the title of today's story on CyberStart America in The Register. Free to every high school student in the country, CyberStart America has a fighting chance of eliminating the advanced cyber skills pipeline advantage that China and Russia have established. Designed both for students who have played with technology and students who had no idea they could be good at it (through the "novice level"), the game allows students to become virtual cyber protection agents who solve very real-world problems. Those who enjoy it can progress through hundreds of challenges, learning at every level through cryptography, Linux, and Python programming all the way to reverse engineering malware. Teachers report it is the best program for teaching creative problem-solving skills they have seen. Students who solve 20% of the challenges are eligible for the scholarship round, where $2,000,000 in college scholarships will be awarded for use at the college of their choice. The qualification round starts on October 30 and lasts until the end of February.

Editor's Note

As of noon today (Eastern), 830 students are engaged.

Alan Paller

2020-10-29

Hospitals Under Ransomware Siege (Ref: FBI, HHS and DHS)

On Wednesday, October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI issued a joint cybersecurity advisory saying they are in possession of "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." As of Thursday, networks at nearly two dozen hospitals in the US have been hit with ransomware. Mandiant has released a list of indicators of compromise.

Editor's Note

Hospital cybersecurity matters, as illustrated by last month's death of a German woman who was turned away from a hospital disabled by ransomware and died on the way to a second hospital. https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/

Alan Paller

In the 2019 SANS Top New Attacks and Threat Report, Ed Skoudis detailed the DNS tunneling threat and mitigation approaches that are key to the threats in this latest warning. The publicity around the government agency warnings should be used to get management support for immediate mitigation and enhanced monitoring.

John Pescatore

The Rest of the Week's News


2020-10-27

Ransomware Attack Shut Down Montreal Public Transit Website

A ransomware attack that hit the network of Société de transport de Montréal (STC) shut down both the transit agency's website and STC's reservation system for adapted transit. The bus and metro networks were not affected. People needing to make reservations for adapted transit rides were unable to do so, or to modify existing reservations, after 9:15 pm on Sunday, October 25.


2020-10-27

Zoom Begins Phase One of End-to-End Encryption Rollout

Zoom has begun rolling out end-to-end encryption (E2EE) for desktop and mobile devices. The initial phase of the rollout is a 30-day technical preview, during which Zoom will gather customer feedback. The current rollout does not offer E2EE for browsers.

Editor's Note

To get the E2EE feature, you need to update your desktop and Zoom mobile clients to the latest version (5.4.0+). Evaluate the scenarios where you need E2EE, including the impacts to existing device access to meetings; for example, the web client and room systems cannot participate in E2EE.

Lee Neely

2020-10-29

Vastaamo Fires CEO for Withholding Breach Information

Ville Tapio, CEO of Finnish psychotherapy center Vastaamo, has been fired after it was learned that details of data breaches had been kept from becoming public. Patients have reported that hackers have contacted them, demanding that they pay a ransom or have their personal information posted online. The Vastaamo patient database was initially breached in November 2018 and remained vulnerable to intrusion through March 2019.

Editor's Note

It is good news to see a CEO fired for suppressing internal knowledge of the second breach from the board and the general public. Vastaamo was acquired as this was happening; the acquiring company has begun legal proceedings because of the impact of this on the value of Vastaamo. This is similar to 2017, when Verizon acquired Yahoo before learning of the massive Yahoo breach - and ended up reducing the acquisition price by $350M, which in retrospect was not enough of a reduction.

John Pescatore

Personal data encrypted due to a ransomware attack means, under the EU General Data Protection Regulation (GDPR), the organisation has lost control of the personal data and the ransomware attack is deemed a data breach. Under the GDPR an organisation that suffers a personal data breach, in particular of sensitive data such as that held by Vastaamo, "shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority". It will be interesting to see what actions the Finnish supervisory authority will take in this case.

Brian Honan

2020-10-28

Hackers Leaked Swedish Security Company Customer Information

Hackers have posted data stolen from the Gunnebo Group, a Swedish company that provides physical security for organizations around the world. Gunnebo customers include banks, airports, government agencies, and nuclear power plants. In March, KrebsOnSecurity received a tip from Hold Security "about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware." Included in that transaction were credentials for a Remote Desktop Protocol (RDP) account set up by a Gunnebo employee. In August 2020, Gunnebo disclosed that its network was hit with a ransomware attack.

Editor's Note

Since Target, one should recognize the risk from third parties. It is bad enough that one must concern oneself with employee convenience that trumps one's security. One should not have to worry about the convenience of one's security vendors.

William Hugh Murray

2020-10-29

Critical Flaw in Oracle WebLogic Server is Being Actively Exploited

A critical remote code execution flaw in Oracle WebLogic server is being actively exploited. Hackers are searching for servers running vulnerable versions of Oracle WebLogic server. Oracle released a fix for the vulnerability last week as part of its quarterly Critical Patch Update.

Editor's Note

While you're still ingesting the 400 updates in the latest Oracle CPU, move the testing and deployment of the WebLogic update to the top of the list, particularly for Internet-facing services.

Lee Neely

2020-10-27

Optional Microsoft Update Removes Flash Player from Windows 10

Microsoft has released an optional update for Windows 10 and Windows Server that removes Adobe Flash Player and prevents it from being installed again. Once the update, KB4577586, has been installed, it cannot be uninstalled. The update currently removes only the version of Flash Player that is bundled with Windows 10. Standalone versions of Flash Player will not be removed, and the Flash Player component in Edge is not affected.

Editor's Note

After applying this update, users are no longer able to install Flash Player. Make sure you actually no longer need it before applying the update.

Johannes Ullrich

This update is available only through the Microsoft Catalog and doesn't comprehensively remove Flash. It is scheduled for general availability in early 2021. As the removal is not comprehensive, you may need to adopt a broader strategy to ensure that Flash is removed and disabled on endpoints. Now is a good time to start your validation process that systems reliant on Flash have been updated to other technology.

Lee Neely

One would like to think that, ten years after Steve Jobs published his analysis, most enterprises have already eliminated this porous product. However, "ten years" suggests just how sticky it is.

William Hugh Murray

2020-10-28

Steelcase SEC Filing Divulges Cyberattack

Office furniture manufacturer Steelcase has acknowledged that its network was the target of a cyberattack. The information was disclosed in an October 26 Form 8-K filing with the US Securities and Exchange Commission (SEC).

Editor's Note

In the SEC filing, Steelcase notes that it is not aware of any data loss and does not expect material impact from this incident, so technically the disclosure wasn't required. But, in 2018 the SEC issued additional guidance saying "...we also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents." Boards and CXOs have an incentive to err on the side of disclosure to avoid possible insider trading charges.

John Pescatore

Steelcase stated in its 8-K filing that it was not aware of any sensitive or customer data loss from its systems, or any other loss of assets as a result of this attack. They also immediately took action to contain and remediate. The top entry points for ransomware are still phishing email and vulnerable access services such as VDI and unpatched VPN servers. Make sure that you're keeping those Internet-exposed services updated and securely configured.

Lee Neely

2020-10-27

FBI: Hackers Targeting Vulnerable SonarQube Instances

In a TLP: White Flash, the FBI has warned that "unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses." The attacks have been occurring since April 2020. Recommended mitigations include changing SonarQube default settings, putting SonarQube instances behind a login screen, and checking for unauthorized access. "SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code."

Editor's Note

Be sure to change the defaults, including passwords, when installing services. As code security verification services such as SonarQube are tightly integrated into your CI/CD pipeline, they should not be exposed to the Internet, to ensure their security functions, such as vulnerability and bug detection, are not compromised.

Lee Neely
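A defender-side check for the last of the mitigations above (reviewing for unauthorized access), added here as an example and not part of the NewsBites item or the FBI flash: it parses SonarQube-style access log lines and flags successful anonymous requests for project or source-code data from addresses outside the build network. The log layout assumes SonarQube's default access-log pattern (`%h %l %u [%t] "%r" %s %b ...`), the sample lines and the 10.20.0.0/16 "CI network" are constructed, and an anonymous user is assumed to appear as `-` in the user field.

```python
import re
import ipaddress

# Regex for SonarQube's default access-log pattern (assumption: pattern left at default):
#   %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints whose responses expose repository structure or source text; an
# anonymous 200 on any of these means the instance served code without a login.
SENSITIVE_PREFIXES = ("/api/sources/", "/api/projects/", "/api/components/", "/api/measures/")

# Constructed assumption: the CI/CD network that legitimately talks to SonarQube.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """Anonymous (user '-'), successful request for project/source data from an untrusted address."""
    if rec is None or rec["user"] != "-" or rec["status"] != "200":
        return False
    if not rec["path"].startswith(SENSITIVE_PREFIXES):
        return False
    try:
        addr = ipaddress.ip_address(rec["host"])
    except ValueError:
        return True  # unparsable source address: surface it for review rather than drop it
    return not any(addr in net for net in TRUSTED_NETS)

def find_unauthorized_access(lines):
    """Return the parsed records that should be reviewed as possible unauthorized code access."""
    return [rec for rec in map(parse_line, lines) if is_suspicious(rec)]

# Constructed sample log lines (not real traffic): a CI scan, an anonymous project listing and
# source fetch from an external address, a harmless status probe, and a rejected (401) fetch.
SAMPLE_LOG = [
    '10.20.4.7 - jenkins [27/Oct/2020:09:12:01 +0000] "POST /api/ce/submit?projectKey=billing HTTP/1.1" 200 91 "-" "ScannerCLI/4.4" "AXVf1"',
    '203.0.113.9 - - [27/Oct/2020:09:13:44 +0000] "GET /api/projects/search?ps=500 HTTP/1.1" 200 8843 "-" "python-requests/2.24" "AXVf2"',
    '203.0.113.9 - - [27/Oct/2020:09:13:45 +0000] "GET /api/sources/raw?key=billing:src/db.py HTTP/1.1" 200 20311 "-" "python-requests/2.24" "AXVf3"',
    '10.20.4.7 - - [27/Oct/2020:09:14:02 +0000] "GET /api/system/status HTTP/1.1" 200 61 "-" "curl/7.68" "AXVf4"',
    '203.0.113.9 - - [27/Oct/2020:09:15:10 +0000] "GET /api/sources/raw?key=billing:src/auth.py HTTP/1.1" 401 0 "-" "python-requests/2.24" "AXVf5"',
]

if __name__ == "__main__":
    for rec in find_unauthorized_access(SAMPLE_LOG):
        print(f"{rec['host']} fetched {rec['path']} anonymously at {rec['time']}")
```

Once `sonar.forceAuthentication` is enabled and the instance is moved off the Internet, the same script should return nothing; any remaining hits point at the window before the fix.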

2020-10-28

Vulnerabilities in Hoermann Gateway Device

Researchers have found a number of vulnerabilities in the Hoermann BiSecur gateway device wireless access control system for garage doors, entrance gates, and other such smart systems. The flaws can be exploited both to open doors and to disable the door opening mechanisms. Some of the vulnerabilities require local network access to exploit; others can be exploited remotely.


2020-10-28

Documents Show ICE, IRS Considering Using Hacking Tools

Documents shared with Motherboard show that US Immigration and Customs Enforcement (ICE) and the Internal Revenue Service (IRS) have explored the possibility of using hacking tools in criminal investigations and may have actually used them. The documents were obtained through a Freedom of Information Act (FoIA) lawsuit brought by Privacy International, the ACLU, and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law.

Editor's Note

It is important to understand the tools and techniques used by our adversaries. The difference here is intent and permission.

Lee Neely

2020-10-29

Aetna Will Pay $1M USD for HIPAA Violations

The Aetna Life Insurance Company will pay the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The fine covers three separate breaches that occurred in 2017 within a six-month period.

Editor's Note

Between the April 2003 compliance date for HIPAA and September 30, 2020, the HHS OCR has settled or imposed a civil money penalty in 85 cases resulting in a total dollar amount of $128,155,082.00 - not an eye-catching amount per year, but since 2016 they have been stepping up the penalties. In 2020, Premera was fined $6.85M for a 10M record breach. These large fines are usually a small portion of the overall cost of the incidents, but they quickly catch the attention of boards and Chief Legal Officers because the fines have $$ directly attached.

John Pescatore

What is interesting here is the discovery of Aetna's lack of review of information protection validation. Regularly review and verify access to and handling of sensitive company information, including PII, and make sure users have training commensurate with the importance of the information they are accessing. In regulated environments, use internal audits to discover shortfalls before the regulator does.

Lee Neely

Internet Storm Center Tech Corner

PATCH NOW: CVE-2020-14882 WebLogic Actively Exploited

https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/

SMBGhost Remains Unpatched on 8% of Exposed SMB Servers

https://isc.sans.edu/forums/diary/SMBGhost+the+critical+vulnerability+many+seem+to+have+forgotten+to+patch/26732/


Mishka McCowan: Mitigating Risk with the CSA 12 Critical Risks for Serverless Applications

https://www.sans.org/reading-room/whitepapers/cloud/mitigating-risk-csa-12-critical-risks-serverless-applications-39845


Vulnerable SonarQube Configurations Used to Steal Code

https://beta.documentcloud.org/documents/20399900-fbi_flash_sonarqube_access_bc


Microsoft Defender ATP Cobalt Strike False Positive

https://twitter.com/ffforward/status/1321375690084810753?s=20


Microsoft Edge Security Updates (Chromium-Based)

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002


Microsoft Releases Flash Removal Tool

https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player

Bypassing MSFT Teams Policies

https://o365blog.com/post/teams-policies/


QNAP Security Advisory

https://www.qnap.com/en/security-advisory/QSA-20-09


New Linux Trickbot Version Sighted

https://www.netscout.com/blog/asert/dropping-anchor


Abuse.ch Needs Help

https://abuse.ch/blog/moving-forward/


Zonealarm Update

https://www.zonealarm.com/software/extreme-security/release-history


Ransomware Targeting Healthcare

https://us-cert.cisa.gov/ncas/alerts/aa20-302a


OpenEMR Vulnerabilities

https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability