SANS NewsBites

Malware Targets macOS; New Zealand's Privacy Law; Texas Governor Brings 1,150 Students in 235 High Schools To Discover Cybersecurity Talent

December 1, 2020  |  Volume XXII - Issue #94

Top of the News


2020-11-30

Malware Targets macOS

Researchers have detected a new malware variant that targets macOS systems. The malware has been linked to the OceanLotus advanced persistent threat (APT) group, which has ties to the Vietnamese government. The malware spreads through malicious files included in phishing emails.

Editor's Note

The attack depends on users opening a malicious zip file, which uses special characters to avoid detection. As zip files are often a vehicle to deliver malware, consider removing them from inbound messages as well as tagging external messages to raise awareness of their external origin. Additional mitigations include keeping the systems patched as well as reminding users to not open attachments from untrusted/unknown sources.

Lee Neely
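The note above points at two mail-gateway controls: stripping or quarantining inbound zip attachments, and tagging external messages. The following is an added example, not the newsletter's or the editor's own code, of how such a filter can avoid the trap the note hints at: an attachment whose displayed name hides the real file type behind special characters or a misleading extension. It identifies zip content by its signature bytes rather than by filename, flags names containing control or invisible characters, and tags mail from outside the organisation. The sample message, the sender domain and the set of internal domains are constructed for the example.

```python
import base64
import email
import email.policy
import email.utils

# Zip local-file-header, empty-archive and spanned-archive signatures. Matching on
# these bytes catches a zip archive no matter what the attachment is called.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Assumption for this example: the organisation's own sending domains.
INTERNAL_DOMAINS = {"example.org"}

# Zero-width and bidirectional-override characters: invisible in most mail clients,
# so a name can look like one thing and be another.
INVISIBLE_CHARS = set("\u200b\u200c\u200d\u2060\u202a\u202b\u202c\u202d\u202e\ufeff")

# Constructed sample message (not a real phishing sample). The attachment is a zip
# payload, but it is labelled application/octet-stream and named "Invoice<ZWSP>.doc",
# so a filter that only looks for a ".zip" extension would deliver it.
_ZIP_BODY = base64.b64encode(b"PK\x03\x04" + b"\x00" * 26).decode()
SAMPLE_RAW = f"""From: "Accounts" <accounts@partner-example.net>
To: user@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''Invoice%E2%80%8B.doc
Content-Transfer-Encoding: base64

{_ZIP_BODY}
--b1--
""".encode()


def is_zip_payload(data: bytes) -> bool:
    """True if the bytes start with a zip signature, whatever the filename says."""
    return data.startswith(ZIP_MAGIC)


def has_suspicious_name(filename: str) -> bool:
    """True if the name contains control characters or invisible Unicode characters."""
    return any(ord(c) < 32 or c in INVISIBLE_CHARS for c in filename)


def is_external(msg, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True if the From: address is not in one of the organisation's own domains."""
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    return sender.rpartition("@")[2].lower() not in internal_domains


def inspect(raw: bytes, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Inspect one raw RFC 5322 message; return findings and the (possibly tagged) message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_zip_payload(payload):
            findings.append(("zip-by-content", name))
        if has_suspicious_name(name):
            findings.append(("suspicious-filename", name))
    external = is_external(msg, internal_domains)
    if external:
        # Tag external mail both in a header (for downstream rules) and in the
        # subject (so the reader sees it).
        msg["X-External-Sender"] = "yes"
        subject = msg.get("Subject", "")
        if not subject.startswith("[EXTERNAL]"):
            if "Subject" in msg:
                msg.replace_header("Subject", "[EXTERNAL] " + subject)
            else:
                msg["Subject"] = "[EXTERNAL] " + subject
    return {
        "external": external,
        "findings": findings,
        "action": "quarantine" if findings else "deliver",
        "message": msg,
    }


if __name__ == "__main__":
    result = inspect(SAMPLE_RAW)
    print(result["action"], result["findings"], result["message"]["Subject"])
```

The check on content rather than name is the important design choice: renaming, double extensions and invisible characters all defeat an extension match, but none of them change the first bytes of the archive.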

2020-11-30

New Zealand's New Data Privacy Law Takes Effect December 1, 2020

New Zealand's Privacy Act 2020 takes effect on December 1. Under the new law, organizations are obligated to report data breaches that pose a "risk of harm." The law applies to New Zealand-based organizations that handle data as well as organizations that conduct business in New Zealand and/or collect data about New Zealand residents.

Editor's Note

The direct fines are pretty low, maximum of NZ $10K, but could rise to NZ $230K if the NZ Office of the Privacy Commissioner files and succeeds in an Official Complaint. NZ and many US states are moving closer to the EU GDPR which means security controls need to be updated. The demand of consumers is captured by the NZ slogan "Privacy is Precious."

Lee Neely

2020-12-01

Texas Governor's Support Leads to 1,150 Students in 235 High Schools Discovering Their Level of Cybersecurity Talent and Vying for $2 Million in Scholarships

Texas Governor Abbott's active support has enabled more than 1,000 high school students to use CyberStart America to discover their cyber aptitude in less than 30 days. Many participants are finding they are hooked on solving cybersecurity problems as "cyber protection agents," even those who never took a computer science, networking, or cybersecurity class. New Jersey's Governor Murphy also promoted the program to students, and New Jersey's students are cutting into Texas's lead. With 100 more days to go in CyberStart America and every high school student in every state eligible for the free program, at least 30,000 American high school students will be able to begin their professional journey toward a career in cybersecurity and/or computer science, with $2 million in college scholarships available to those who do well.

Read more in

Governor Abbott's Support

Governor Murphy's Support

Leaderboard to see how students in your state are doing.

Site to Learn More and Sign Up for CyberStart America.

The Rest of the Week's News


2020-11-30

Pennsylvania County Pays $500,000 After Ransomware Attack

The government of Delaware County (Pennsylvania) paid $500,000 to regain access to their systems following a ransomware attack. The county took some of its systems offline after discovering the incident.


2020-12-01

Baltimore (Maryland) County Schools Suffer Ransomware Attack

The Baltimore County Public School (BCPS) system was forced to cancel classes and shut its offices on Wednesday, November 25 after its network was hit with ransomware. BCPS exhorted students and staff not to use district-issued Windows computers. District-issued Chromebooks were not affected.

Editor's Note

An advantage of Chromebooks and tablets is that they are self-contained and can be easily reset to a known good state. Even so, they have a different attack surface and need to be securely configured and kept updated. Just as you would have mobile device management for phones and tablets, use Chrome device management to ensure devices are running appropriate security policies, students operate with minimum privilege, and only authorized apps are installed.

Lee Neely

While Chromebooks are used in schools for many reasons, such thin clients are resistant to contamination. They also protect the environment in which they run from security failures on the part of their users. While some enterprise users may require the capabilities of a "personal computer," including programmability, many do not. A preference for thin clients may dramatically reduce the attack surface of an enterprise.

William Hugh Murray

2020-11-30

University of Vermont Medical Health Network Still Recovering from October Ransomware Attack

More than a month after a ransomware attack hit systems at the University of Vermont Medical Health Network (UVMHN), the organization is still working on restoring services. UVMHN comprises seven facilities in Vermont and New York State.

2020-11-30

AspenPointe Discloses September Data Breach

Colorado-based healthcare company AspenPointe has disclosed a data breach that affected nearly 300,000 patients. The attackers compromised both personal health information (PHI) and personally identifiable information (PII). The attackers had access to the system for 10 days in mid-September 2020.


2020-11-30

Advantech Confirms Ransomware Attack

Advantech, a Taiwan-based company that manufactures chips used in Internet of Things (IoT) devices, has confirmed that its systems were hit with a ransomware attack. The threat actors have posted some Advantech documents online; they are reportedly demanding 750 Bitcoins for ransom.


2020-11-30

Microsoft Teams No Longer Supports Internet Explorer

As of Monday, November 30, Microsoft Teams no longer supports Internet Explorer 11. If users log into the web version of Microsoft Teams with IE 11, they will see a message reminding them that the browser is no longer supported and recommending that they use the desktop client instead. The withdrawal of support is one in a series of changes Microsoft is implementing to encourage users to move to their Edge browser.

Editor's Note

Plan to be off Edge Legacy by March 9th and IE 11 by August 17th. For business applications that must use IE 11 after those dates, provide a hosted browser with access only to approved applications. Deploy alternate browsers, e.g. Chromium Edge, Chrome, or Firefox now so users can get used to them before removing/blocking IE.

Lee Neely

2020-11-30

Spamhaus Says 50+ Dormant Domains Springing Back to Life is Suspicious

According to Spamhaus, more than 50 networks sprang back to life after being dormant for some time. The networks, all of which are in the North American region, were revived at the same time; each of the networks was announced by autonomous system numbers that had also been dormant. Spamhaus has placed most of the suspect networks on its DROP list "until their owners clarify the situation."

Editor's Note

Identification of anomalous behavior such as this is admirable, and a coordinated approach is needed to avoid DOSing legitimate networks, particularly with the criticality of the Internet to business and service delivery.

Lee Neely
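The DROP list mentioned in this item is published as a plain-text file (comment lines beginning with ";", then one CIDR range per line followed by its SBL reference) and is intended to be applied at the network edge. As an added example, not code from Spamhaus or from the newsletter, the block below parses that format, checks the source addresses in firewall log lines against it, and emits block rules for the listed ranges. The list excerpt uses documentation address ranges and invented SBL references, and the log lines are constructed; the log field layout (`src=...`) is an assumption.

```python
import ipaddress
import re

# Constructed excerpt in the DROP list's text format. The ranges are RFC 5737
# documentation networks and the SBL references are made up for this example.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed excerpt for this example)
; Last-Modified: Tue, 01 Dec 2020 00:00:00 GMT
203.0.113.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""

# Constructed firewall log lines; the "src=" field layout is assumed.
SAMPLE_LOG = """\
2020-12-01T10:00:01Z fw01 ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=443
2020-12-01T10:00:02Z fw01 ACCEPT src=192.168.1.20 dst=192.0.2.10 dport=443
2020-12-01T10:00:03Z fw01 ACCEPT src=198.51.100.7 dst=192.0.2.25 dport=25
2020-12-01T10:00:04Z fw01 ACCEPT src=8.8.8.8 dst=192.0.2.10 dport=53
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_drop(text: str) -> list:
    """Return [(ip_network, sbl_reference), ...] from DROP-list formatted text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment/header
        cidr, _, ref = line.partition(";")
        entries.append((ipaddress.ip_network(cidr.strip()), ref.strip()))
    return entries


def lookup(ip: str, entries: list):
    """Return the SBL reference covering ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return ref
    return None


def scan_log(log_text: str, entries: list) -> list:
    """Return [(source_ip, sbl_reference), ...] for log lines whose source is listed."""
    hits = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        ref = lookup(m.group(1), entries)
        if ref:
            hits.append((m.group(1), ref))
    return hits


def firewall_rules(entries: list) -> list:
    """Render one iptables DROP rule per listed range (comment carries the SBL reference)."""
    return [
        f"iptables -I INPUT -s {net} -m comment --comment {ref} -j DROP"
        for net, ref in entries
    ]


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for ip, ref in scan_log(SAMPLE_LOG, drop):
        print(f"listed source {ip} ({ref})")
    print("\n".join(firewall_rules(drop)))
```

Traffic that was accepted from a listed range is the finding to act on; the editor's point about coordination applies here too, since an entry withdrawn from the list should be withdrawn from the firewall on the next refresh rather than left in place indefinitely.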

2020-11-30

TrickBot Botnet Comes Creeping Back

The TrickBot botnet appears to be re-emerging after Microsoft and US Cyber Command efforts to disrupt it earlier this fall. Both organizations targeted the botnet's command-and-control servers. The newest iteration of TrickBot uses a clever obfuscation technique to sneak the payload past detection tools.


2020-11-30

US Supreme Court Hears Arguments in CFAA Case

The US Supreme Court is hearing appeal arguments in a case that is likely to determine how broadly or narrowly the Computer Fraud and Abuse Act (CFAA) is interpreted. The case seeks to overturn the conviction of a Georgia police officer who used his legitimate access to a license plate database to search for information at the request of an individual who turned out to be an undercover FBI agent.

Editor's Note

Between 1996 and 2008, the CFAA was amended 4 times, but in the 12 years since then not at all. It is long overdue for more precision in the language. Legislation will always lag technology and threat advances, but overly broad language not only impacts legitimate security activities but wastes scarce law enforcement and prosecutorial resources.

John Pescatore

2020-11-30

Microsoft Defender for Identity Can Detect Zerologon Exploits

Microsoft Defender for Identity, a cloud-based security product, is now capable of detecting attacks that exploit the Zerologon vulnerability. Microsoft says that customers "will be able to identify the device that attempted the impersonation, the domain controller, the targeted asset, [and] whether the impersonation attempts were successful."

Editor's Note

If you are a MS 365 Defender user, Defender for Identity can help detect network identity compromise attempts, successful or otherwise. Even so, make sure that internet-accessible services require multi-factor authentication to make account compromise far more difficult.

Lee Neely
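Organisations without Defender for Identity can still see Zerologon-style activity in the domain controllers' own System log: the August 2020 Netlogon update (Microsoft KB4557222) logs event 5827/5828 when the DC refuses a vulnerable secure-channel connection, 5829 when it allows one during the deployment phase, and 5830/5831 when it allows one because of an explicit group-policy exception. The block below is an added example, not Microsoft's or the newsletter's code, of triaging those events once exported as JSON lines: any allowed vulnerable connection is a high-priority finding (an unpatched device or an impersonation that got through), and a burst of denied connections from one client is worth a look. The hostnames, account names and addresses in the sample are constructed, and the JSON field names are an assumption about the export format.

```python
import json
from collections import defaultdict

# Netlogon event IDs from Microsoft KB4557222 (System log on domain controllers):
# outcome and the kind of account the connection was for.
NETLOGON_EVENTS = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed-deployment-phase", "machine account"),
    5830: ("allowed-policy-exception", "machine account"),
    5831: ("allowed-policy-exception", "trust account"),
}

# Constructed sample export (JSON lines). Field names are assumed; hosts, accounts and
# addresses are made up. The last line is an unrelated logon event and is ignored.
SAMPLE_EVENTS = """
{"EventID": 5827, "Computer": "DC01.corp.example", "Account": "WS-PRINT01$", "ClientIP": "10.10.4.27"}
{"EventID": 5827, "Computer": "DC01.corp.example", "Account": "WS-PRINT01$", "ClientIP": "10.10.4.27"}
{"EventID": 5827, "Computer": "DC01.corp.example", "Account": "WS-PRINT01$", "ClientIP": "10.10.4.27"}
{"EventID": 5829, "Computer": "DC02.corp.example", "Account": "NAS-OLD$", "ClientIP": "10.10.9.3"}
{"EventID": 5830, "Computer": "DC02.corp.example", "Account": "SCANNER$", "ClientIP": "10.10.9.40"}
{"EventID": 4624, "Computer": "DC01.corp.example", "Account": "jdoe", "ClientIP": "10.10.4.50"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: list, denied_threshold: int = 3) -> list:
    """Group Netlogon secure-channel events per (DC, account, client) and raise alerts."""
    groups = defaultdict(lambda: {"denied": 0, "allowed": 0, "ids": set()})
    for ev in events:
        info = NETLOGON_EVENTS.get(ev.get("EventID"))
        if info is None:
            continue  # not one of the Netlogon vulnerable-connection events
        outcome, _kind = info
        g = groups[(ev["Computer"], ev["Account"], ev["ClientIP"])]
        g["ids"].add(ev["EventID"])
        if outcome == "denied":
            g["denied"] += 1
        else:
            g["allowed"] += 1

    alerts = []
    for (dc, account, client), g in sorted(groups.items()):
        outcomes = ", ".join(
            f"{NETLOGON_EVENTS[i][0]} ({i})" for i in sorted(g["ids"])
        )
        if g["allowed"]:
            # A vulnerable connection was accepted: either a device still needing the
            # patch or an impersonation attempt that succeeded. Either way, act on it.
            alerts.append({"severity": "high", "dc": dc, "account": account,
                           "client": client, "count": g["allowed"], "reason": outcomes})
        elif g["denied"] >= denied_threshold:
            # Repeated refusals from one client: an unpatched device retrying, or
            # repeated impersonation attempts the DC blocked. Identify the device.
            alerts.append({"severity": "medium", "dc": dc, "account": account,
                           "client": client, "count": g["denied"], "reason": outcomes})
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold for denied events is deliberately a parameter: a single 5827 is routine on a network that still has unpatched devices, but the same client account generating many of them in a short window is what should reach an analyst.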

Internet Storm Center Tech Corner

Live Patching Windows API Calls Using PowerShell

https://isc.sans.edu/forums/diary/Live+Patching+Windows+API+Calls+Using+PowerShell/26826/


Decrypting PowerShell Payloads

https://isc.sans.edu/forums/diary/Decrypting+PowerShell+Payloads+video/26838/


Threat Hunting with JARM

https://isc.sans.edu/forums/diary/Threat+Hunting+with+JARM/26832/

https://isc.sans.edu/forums/diary/Quick+Tip+Using+JARM+With+a+SOCKS+Proxy/26834/


The Special Case of TCP Resets

https://isc.sans.edu/forums/diary/The+special+case+of+TCP+RST/26824/


Active Exploitation of MobileIron Vulnerabilities

https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability


Be Careful With IoT Gifts

https://cybernews.com/security/walmart-exclusive-routers-others-made-in-china-contain-backdoors-to-control-devices/

https://www.cyberscoop.com/smart-doorbells-amazon-ebay-ncc-vulnerabilities/


Trend Micro ServerProtect for Linux

https://success.trendmicro.com/solution/000281950


WebKit Vulnerabilities

https://blog.talosintelligence.com/2020/11/vuln-spotlight-webkit-use-after-free-nov-2020.html


New Skimmer JS

https://twitter.com/AffableKraut/status/1333258498910588928


VMWare Workspace Vulnerability

https://www.theregister.com/2020/11/24/vmware_urges_sysadmins_to_implement/