SANS NewsBites

FBI Warning: eMail Forwarding Exploited; Phishing COVID Cold Chain; Oracle WebLogic Flaw Actively Exploited

December 4, 2020  |  Volume XXII - Issue #95

Top of the News


2020-12-01

FBI Warns of BEC Scammers Exploiting eMail Forwarding Rules

The FBI has released a Private Industry Notification warning that cyber threat actors are exploiting email forwarding rules to evade detection while conducting business email compromise (BEC) attacks. The thieves are setting email forwarding rules on web-based email clients. If the company admins have not synced email settings for web-based email accounts and desktop clients, the forwarding rule changes could go unnoticed.
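The detection the notification calls for is a review of mailbox audit records for forwarding changes. As an added example (not part of the FBI notification or this newsletter), the Python below scans audit entries for cmdlets that create or change forwarding and rates each one by whether the destination is outside the organization and whether the rule also deletes the original message. The record layout (Operation, UserId, a Parameters list of Name/Value pairs) follows the shape of Exchange Online mailbox audit entries as I understand them and should be treated as an assumption; the audit lines, internal domains and addresses are all constructed here.

```python
import json
import re
from dataclasses import dataclass

# Domains treated as internal to the organization (constructed for this example).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Cmdlets that create or modify forwarding. Names follow Exchange Online mailbox
# audit records as I understand them; treat the exact set as an assumption.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Parameters that carry a forwarding or redirect destination.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed audit entries in JSON-lines form (not real log data).
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2020-12-01T08:14:02","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"ForwardTo","Value":"[SMTP:finance-archive@mail-collector.example.net]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-12-01T09:02:41","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"bob@example.com","Parameters":[{"Name":"Identity","Value":"bob@example.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.backup@corp.example.com"}]}
{"CreationTime":"2020-12-01T09:30:00","Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2020-12-01T11:45:17","Operation":"Set-InboxRule","UserId":"dave@example.com","Parameters":[{"Name":"Identity","Value":"Invoices"},{"Name":"RedirectTo","Value":"[SMTP:dave.invoices@webmail-host.example.org]"}]}
{"CreationTime":"2020-12-01T12:00:00","Operation":"MailItemsAccessed","UserId":"erin@example.com","Parameters":[]}
"""


@dataclass
class Finding:
    actor: str              # account that made the change
    operation: str
    destinations: list
    external: bool          # any destination outside INTERNAL_DOMAINS
    deletes_original: bool  # rule also deletes the message, hiding the forward

    @property
    def severity(self) -> str:
        if self.external and self.deletes_original:
            return "high"
        if self.external:
            return "medium"
        return "info"


def _parameters(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyze_record(record):
    """Return a Finding if the record sets a forwarding destination, else None."""
    if record.get("Operation") not in FORWARDING_OPERATIONS:
        return None
    params = _parameters(record)
    destinations = []
    for name in sorted(FORWARDING_PARAMS):
        if name in params:
            destinations.extend(EMAIL_RE.findall(params[name]))
    if not destinations:
        return None  # rule change, but no forwarding involved
    return Finding(
        actor=record.get("UserId", "?"),
        operation=record["Operation"],
        destinations=destinations,
        external=any(is_external(d) for d in destinations),
        deletes_original=params.get("DeleteMessage", "").lower() == "true",
    )


def scan_audit_log(text):
    """Parse JSON-lines audit output and return all forwarding findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = analyze_record(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{f.severity:6}] {f.actor} {f.operation} -> {', '.join(f.destinations)}"
              f"{' (deletes original)' if f.deletes_original else ''}")
```

Internal forwarding is reported at "info" rather than dropped, because a baseline of who forwards to whom is what makes the external cases stand out; the same logic covers both web-client rules (New-InboxRule, Set-InboxRule) and mailbox-level forwarding set by an admin (Set-Mailbox), so a rule created in the web client but invisible in the desktop client, as the FBI describes, still appears in the audit trail.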

Editor's Note

Compromising credentials of internet-accessible email accounts continues to be a target, and in many cases, low-hanging fruit. Implement multi-factor authentication on all internet-accessible services. If you must enable password access, ensure passwords are sufficiently robust; review NIST SP 800-63-3 (https://pages.nist.gov/800-63-3/) for guidance. Make sure that account lock-out and misuse detection on those services are enabled and actively monitored to detect malicious activities.

Lee Neely
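The NIST guidance cited in the note above reduces to a handful of concrete checks on a candidate password. As an added example (not from the newsletter, the editor, or NIST), this Python function applies the SP 800-63B section 5.1.1.2 rules for user-chosen memorized secrets: a minimum of 8 characters, a generous maximum, comparison against a list of common or compromised passwords, rejection of context-specific words such as the username or service name, and rejection of repetitive or sequential runs, with no character-class composition rules. The blocklist is a constructed stand-in for a real breached-password corpus.

```python
import re
import unicodedata

# Small stand-in for the "commonly used, expected, or compromised" list that
# SP 800-63B says candidate secrets must be compared against (constructed).
BLOCKLIST = {"password", "password1", "123456", "12345678", "qwerty",
             "letmein", "welcome1", "summer2020", "iloveyou"}

MIN_LENGTH = 8   # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # verifiers should permit at least 64 characters

REPEATED_RUN = re.compile(r"(.)\1{3,}")  # same character 4+ times in a row


def _has_sequential_run(text, length=4):
    """True if `length` consecutive characters each step by exactly +1 (abcd, 1234)."""
    codes = [ord(c) for c in text.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        if all(window[j + 1] == window[j] + 1 for j in range(length - 1)):
            return True
    return False


def check_password(candidate, username="", service_name=""):
    """Return (accepted, reasons). No composition rules are applied on purpose."""
    # Normalize first so visually identical strings compare the same way.
    normalized = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(normalized) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = normalized.lower()
    if lowered in BLOCKLIST:
        reasons.append("on the common/compromised password list")
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    if service_name and service_name.lower() in lowered:
        reasons.append("contains the service name")
    if REPEATED_RUN.search(normalized):
        reasons.append("contains a run of repeated characters")
    if _has_sequential_run(normalized):
        reasons.append("contains a sequential run of characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Summer2020", "alice2020!!", "1234abcd"]:
        ok, why = check_password(pw, username="alice", service_name="example-corp")
        print(f"{pw!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

The check returns the reasons rather than just a boolean so the verifier can tell the user why a secret was rejected, which 800-63B also calls for; the blocklist lookup is the one piece that needs a real data source behind it in production.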

These types of attacks have been around for several years; many SIEM products have rules to detect and alarm on mail forwarding changes. Microsoft, SecureSky, and the Center for Internet Security have updated the Microsoft 365 Foundation Benchmark to v1.2 that also addresses mitigating the forwarding risk.

John Pescatore

This is an important warning from the FBI. We've been involved in several email hijacking cases where forwarding rules were set by the criminals at the server side, be that an on-premises or cloud-based solution. However, the criminals have made the changes noted by the FBI, which have been overlooked by the clients in their initial investigation. Also, be aware this vulnerability can be exploited on older installations of Microsoft Outlook, which we have seen in several cases. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide

Brian Honan

2020-12-03

Phishing Campaign Targets COVID Cold Chain

An IBM Security X-Force threat intelligence task force "recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain." British regulators have approved Pfizer's vaccine; US regulators are scheduled to evaluate Pfizer's and Moderna's vaccines next week. Once vaccines are approved, they must be transported at extremely low temperatures, hence the term cold chain for the companies that will provide the specialized refrigeration for vaccine storage and transportation. EU regulators are due to approve this vaccine over the coming weeks.

Editor's Note

As vaccines are approved and distribution begins, expect increased occurrence of attempts to redirect or otherwise disrupt the supply chain, particularly as the viability depends on proper refrigeration. Distributors need to be prepared for aggressive social engineering, including impersonation of officials, intended to redirect supplies.

Lee Neely

2020-12-01

Oracle WebLogic Flaw is Being Actively Exploited

Cyber threat actors are actively exploiting a critical vulnerability in Oracle WebLogic. Oracle released a fix for the flaw in its October 2020 Critical Patch Update. The remote code execution flaw is being exploited to drop several different payloads, including one that installs the DarkIRC bot. Users are urged to apply the available patch for CVE-2020-14882 as well as for CVE-2020-14750, a related vulnerability for which Oracle released an unscheduled fix in November.

Editor's Note

The DarkIRC bot is available for $75 through hacker forums; it ultimately installs itself as an auto-run version of chrome.exe leveraging PowerShell scripts and obfuscated downloads. Use the cost of obtaining an exploit as compared to the cost of the data included in your WebLogic instance when calculating the risk or ROI for this update.

Lee Neely

The Rest of the Week's News


2020-12-01

Alabama School District Hit with Ransomware

Huntsville (Alabama) City Schools have temporarily shut down in the wake of a ransomware attack. The school district has been providing both remote and in-person learning. The attack became apparent on Monday, November 30. The district has asked that all district-owned devices be shut down until further notice. Schools will remain closed for the rest of the week and possibly into next week.

Editor's Note

I am old enough to remember when schools closed for snow days, not ransomware days.

Brian Honan

2020-12-02

Online Curriculum Company K12 Pays Ransomware Demand

K12, a Virginia-based company that provides customized online learning curricula, paid threat actors to regain access to compromised systems following a November 2020 ransomware attack.

Editor's Note

This attack involved the Ryuk ransomware actors who not only encrypt systems but also exfiltrate data and demand payment for that as well, sometimes called "double-extortion." K12 did isolate the attack and restore those systems; the data exposure threat drove the decision to pay. Make sure your ransomware response process includes decision trees related to exfiltrated data exposure as well as identification of critical and sensitive data. If you are relying on cyber insurance to negotiate payment, make sure your expectations are aligned with the services contracted before needed.

Lee Neely

The decision as to whether or not to pay extortion should be made before the demand and should be documented, for example, in a business resumption plan.

William Hugh Murray

2020-12-02

Aerospace Company Embraer Discloses Cyberattack

Brazilian aerospace conglomerate Embraer has disclosed that one of its systems was hit with a cyberattack in November. The incident has been reported to Brazil's Securities and Exchange Commission.


2020-12-02

CISA Warns that Foreign Threat Actors are Targeting US Think Tanks

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that it has "observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks." The alert includes an attack profile and recommended mitigations.

Editor's Note

The think tanks are being targeted because they are often involved in shaping future policies for the new administration. Mitigations build on existing UAT for spear-phishing campaigns. Focus on unwanted and unexpected emails & attachments. Make sure users are operating with least privilege. Also make sure systems are properly secured, updated, and isolated to prevent lateral movement.

Lee Neely

The list of "mitigations" is long and daunting but is mostly things that should be done in any case. The list is ordered by role (who should do what) but errs on the side of completeness. Given the number of items, it would have been nice if, within role, the list had been ordered by efficiency or effectiveness. Strong authentication, by far our most necessary, effective, and efficient measure, is way down the list, as though it were peer with many less important measures.

William Hugh Murray

2020-12-03

TrickBot's Up to New Tricks

A new component in the TrickBot botnet/banking Trojan is capable of modifying the Unified Extensible Firmware Interface (UEFI) on targeted computers. This new feature "makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device," according to researchers at Eclypsium and Advanced Intelligence (AdvIntel).


2020-12-03

Allegations that DHS Agents Bought Phone Location Data from Brokers Prompt Lawsuit and Investigation

The American Civil Liberties Union (ACLU) is suing the US government for information about whether the US Department of Homeland Security (DHS) is circumventing warrant requirements and buying cell phone location information from commercial data brokers. According to a 2018 US Supreme Court ruling, law enforcement must obtain a valid search warrant prior to accessing mobile device information, including location. In a related story, the DHS inspector general is investigating similar allegations.

Editor's Note

This should be interesting to watch. Cell location data is sold to third-party data aggregators by carriers and "anonymized" for research processes. This case is about data from applications which use the on-device location services, on the premise that the user can disable location services, negating the need for a warrant. You can opt out by disabling location services, and the reality is that opting out is no longer trivial or viable for most users due to the number of applications and services which leverage location services.

Lee Neely

If anyone else can buy it, why not the government? The issue here may not be so much the role of the government as that of the data brokers. This measure results in a public record. It is not the kind of secret surveillance for which a warrant is required.

William Hugh Murray

Cases like this reinforce the recent Schrems II judgment by the Court of Justice of the European Union (CJEU) which invalidated Privacy Shield and now requires much more stringent controls for the transfer of personal data belonging to those resident in the EU to the US.

Brian Honan

2020-12-03

iOS Flaw Could Have Been Exploited to Take Control of Vulnerable Devices

A Google Project Zero researcher has found a bug that could have been exploited to take control of iOS devices without user interaction. Ian Beer found that a memory corruption bug affecting the iOS kernel could be exploited through Wi-Fi to remotely gain control of nearby iOS devices. Apple patched the flaw in May 2020 with iOS 12.4.7, iPadOS & iOS 13.5 and watchOS 5.3.7 & 6.2.5.

Editor's Note

The flaws were addressed in Apple's May updates for iOS, iPadOS, and watchOS, which included unexpected updates for older devices. Make sure they were applied; replace devices which cannot run the current OS releases. Ian Beer describes the flaw and research in a 30,000-word Project Zero article (https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html) which is worth reading. His key takeaway is not to conclude nobody would spend six months to hack your phone, but rather that one person, working alone, in isolation, was able to build a capability to seriously compromise devices in close proximity. His recommendations, while iOS focused, should be considered for any system where legacy code and compromises, often driven by time to market, exist.

Lee Neely

2020-12-03

Current Version of NDAA Gives CISA Subpoena Power to Identify Owners of Vulnerable Critical Infrastructure

The most recent version of the US National Defense Authorization Act (NDAA) gives the Cybersecurity and Infrastructure Security Agency (CISA) the authority to issue administrative subpoenas to help identify owners of unsecure and/or unpatched Internet-connected devices. The provision would grant CISA the authority to obtain the information from Internet service providers.

Editor's Note

This is another one of those safety vs. privacy issues that require finding a middle ground. I would rather see focus on the federal government requiring ISPs and all telecom providers to stop delivering known attack traffic to their customers. The pandemic has re-emphasized that internet connectivity is a necessary utility, just like drinking water and electricity. We do not allow water providers to deliver toxic water and the power companies aren't allowed to electrocute their customers. The common conduits of known dangerous content are much higher leverage points for legislative efforts.

John Pescatore

Internet Storm Center Tech Corner

Register For Cyberstart

https://www.cyberstartamerica.org


Traffic Analysis Quiz: Mr. Natural

https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+Mr+Natural/26844/


Xanthe Docker Aware Miner

https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html


Ocean Lotus Mac Backdoor

https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html


DarkIRC Bot Exploits Recent Oracle WebLogic Vulnerability

https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability


Prevalence of DNS Spoofing

https://arxiv.org/abs/2011.12978


New npm Malware Includes Bladabindi Trojan

https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware


OpenClinic vs OpenClinic GA

https://labs.bishopfox.com/advisories/openclinic-version-0.8.2

https://us-cert.cisa.gov/ics/advisories/icsma-20-184-01

https://sourceforge.net/p/open-clinic/discussion/1231980/thread/a2e8909fc5/


An iOS Zero-Click Radio Proximity Exploit Odyssey

https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html


Github "State of the Octoverse" Report (PDF)

https://octoverse.github.com/static/2020-security-report.pdf


Christopher Hurless: Open-Source Endpoint Detection and Response with CIS Benchmarks, OSQuery, Elastic Stack and The Hive

https://www.sans.org/reading-room/whitepapers/incident/open-source-endpoint-detection-response-cis-benchmarks-osquery-elastic-stack-thehive-39900