SANS NewsBites

US Federal Reserve and TD Bank Outages; Backdoor Targets Defense Contractors; Hackers Actively Exploiting Accellion’s FTA Flaws

February 26, 2021  |  Volume XXIII - Issue #16

Top of the News


2021-02-24

US Federal Reserve Outage

The US Federal Reserve Bank experienced an outage on Wednesday, February 24 that affected multiple services, including the Federal Reserve's Account Services, Central Bank, Check 21, Check Adjustments, FedACH, FedCash, FedLine Advantage, FedLine Command, FedLine Direct, FedLine Web, Fedwire Funds, Fedwire Securities and National Settlement Services. The issue was determined to be an operational error and was largely resolved on Wednesday afternoon.

Editor's Note

Typically, close to 60% of system downtime is caused by human error; less than 30% is caused by security-related events. Good to remind management of this - most of the investment for Continuity of Operations, Business Continuity/Disaster Recovery and the newest flavor of the month “Resiliency” should be routinely funded out of the IT budget – and will also provide benefit when ransomware or DDoS type incidents occur.

John Pescatore

This story and the TD Bank story below remind us it’s easy to forget we do get service interruptions for non-cyber security mechanisms and that even with regression testing, a change may still be impactful when deployed to production. Make sure that your roll-back capabilities are still within your MTD. While customer notification is important, having a customer-reachable status dashboard like the Federal Reserve’s allows responders and other staff to remain focused on recovery. If you’re a FI using these services, you should have verified all transactions completed as expected.

Lee Neely

2021-02-25

TD Bank Outage on Wednesday, February 24

On Wednesday, February 24, TD Bank experienced an outage that prevented customers from accessing bank accounts online, using ATMs, or checking balances by phone. Systems displayed a message saying that “due to planned maintenance activity, access is temporarily down.” Services were restored Wednesday evening, but deposits made that day had not yet been credited to accounts. TD Bank has not provided additional information about the outage.


2021-02-25

ThreatNeedle Backdoor Malware Targets Defense Contractors

Kaspersky security researchers have detailed how North Korean hackers use backdoor malware known as ThreatNeedle to steal sensitive information from defense contractors in 12 countries. The hackers from the Lazarus group gained access to targeted networks through spear phishing campaigns. Kaspersky notes that the hackers “overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server.”

Editor's Note

The Lazarus group is also known as Hidden Cobra in the US Intelligence Community, and the ThreatNeedle backdoor has been seen targeting security researchers. Make sure you can detect changes in router configurations, particularly boundary controls or other devices acting as a secure interface. Verify controls are not bypassed, not only via changes by configuration, but also by physical means such as a cable added “to make something work.”

Lee Neely

2021-02-25

Cybersecurity Authorities: Hackers are Exploiting Flaws in Accellion’s FTA

The US Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Australia, New Zealand, Singapore, and the UK have issued a joint alert warning that threat actors are exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA). The advisory includes indicators of compromise (IoC) and recommended mitigations. In related stories, two more organizations have acknowledged that they were victims of these attacks: Transport for New South Wales in Australia and Canadian aircraft manufacturer Bombardier.

Editor's Note

The CISA report includes technical details and things to watch for in log files. As active exploitation is attempted, waiting or otherwise assuming you’re not a target isn’t viable. Recommended mitigations include updating to FTA version FTA_9_12_432 or later, and evaluating solutions for migration to a supported file-sharing platform.

Lee Neely

The Rest of the Week's News


2021-02-25

NurseryCam Company Gets Security Help from NCSC

The UK’s National Cyber Security Centre (NCSC) is helping FootfallCam Ltd secure its NurseryCam service. Last week, NurseryCam was forced to temporarily suspend services after a data breach exposed account details of 12,000 users. Footfall operates the NurseryCam service, which allows parents to register accounts and watch their children at daycare centers.

Editor's Note

More lessons learned: look for administrative points with default passwords which are exposed to the Internet, and don’t store passwords in the clear or in an otherwise reversible format. FootfallCam had previously indicated they didn’t have the resources to respond to the incident; NCSC will help with that shortfall.

Lee Neely

2021-02-24

Firefox 86 Includes Total Cookie Protection

With the release of Firefox 86, Mozilla has introduced a feature that “confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site.” Known as Total Cookie Protection, the feature is part of the browser’s Enhanced Tracking Protection strict mode.

Editor's Note

Firefox ESR 78.8 corresponds to Firefox 86. This feature is set in the security and privacy settings, or click the shield on the left of the address bar and select protection settings near the bottom (https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_adjust-your-global-enhanced-tracking-protection-settings). While Total Cookie Protection is designed to permit cross-site cookies for authentication services, when toggling enhanced tracking protection (ETP) to strict mode, verify that sites are still functioning, particularly SSO. Note that by default ETP is set to standard.

Lee Neely

Mostly to comply with GDPR, we are now asked by every web site to accept "cookies" without any information about the origin of said cookies. First party cookies are necessary for preserving state in the client/server model. Third party cookies leak information that many of us would prefer not to share. This feature alone is enough to prefer the use of Firefox.

William Hugh Murray

2021-02-25

Senate Intelligence Committee Hearing on SolarWinds

At a US Senate Intelligence Committee Hearing regarding the SolarWinds supply chain attack, Microsoft President Brad Smith and FireEye CEO Kevin Mandia called for requiring private sector companies to disclose cyber incidents. SolarWinds CEO Sudhakar Ramakrishna said that communicating with a single government agency equipped to share incident information would streamline the process. The SolarWinds hackers used Amazon’s cloud computing services to disguise their activity; Amazon declined to send a representative to the hearing. The GovInfosecurity story notes that the hearing “raised four key issues: how Amazon Web Services may have been used to host malicious infrastructure; why the attackers conducted a "dry run"; what the true motives were for the attack, which apparently was waged by Russian hackers; how the incident could lead to better cyberthreat and intelligence information sharing.” (Please note that the WSJ story is behind a paywall.)

Editor's Note

Sharing of incident information is useful but operates (too) late. It is past time for software to come with representations of provenance and quality. "Engineers" sign their work. Those who distribute software must be accountable for what they ship. Any solution to the "supply chain" problem that does not include such a fundamental component cannot succeed.

William Hugh Murray

2021-02-23

China’s Version of Flash is Also Downloading Adware

Because so much of China’s IT ecosystem relies on Flash, Adobe has allowed a single Chinese company to distribute Flash in that country. (Flash reached its official end-of-life in January 2021.) A security company recently reported alerts associated with the version of Flash being distributed in China. Analysts found that when users downloaded Flash, it was installed along with another file that caused a new browser window to open and display sites with lots of ads.

Editor's Note

This is not the path to getting a running version of Flash on your system. While the version of Flash distributed from flash.cn will not execute outside of China, running the installer will install the bundled adware.

Lee Neely

2021-02-24

Canadian Aircraft Manufacturer Bombardier Discloses Data Breach

Canadian aircraft manufacturer Bombardier has disclosed a data breach after hackers posted stolen files on the dark web. The threat actors gained access to the information “by exploiting a vulnerability affecting a third-party file-transfer application,” according to a statement from the company. The files include “personal and other confidential information relating to employees, customers and suppliers.”


2021-02-24

Botnet Uses Blockchain to Maintain Persistence

Researchers at Akamai have discovered that a botnet being used to mine cryptocurrency is now using blockchain to facilitate infected machines' communications with the command-and-control server. In the event that the regular command-and-control server is sinkholed, the infected machines search for the IP address of a backup server that is encoded in the Bitcoin blockchain.


2021-02-23

Ransomware Attack Hits Finnish IT Company TietoEVRY

Finnish IT services provider TietoEVRY was forced to disconnect services to 25 clients after its network was hit with a ransomware attack. TietoEVRY has contacted authorities and is investigating the incident.


2021-02-25

China Used Malicious Firefox Extension to Spy on Tibetan Organizations

Using a malicious Firefox extension, state-sponsored Chinese hackers targeted Tibetan organizations. Researchers from Proofpoint say that the extension allows the hackers to take control of Gmail accounts, including receiving notifications, reading and deleting messages, and sending emails. It also gives hackers access to certain Firefox functions.

Internet Storm Center Tech Corner

Qakbot In a Response to Full Disclosure Post

https://isc.sans.edu/forums/diary/Qakbot+in+a+response+to+Full+Disclosure+post/27130/

Malspam Pushes GuLoader for Remcos RAT

https://isc.sans.edu/forums/diary/Malspam+pushes+GuLoader+for+Remcos+RAT/27132/

Forensicating Azure VMs

https://isc.sans.edu/forums/diary/Forensicating+Azure+VMs/27136/

Firefox Total Cookie Protection

https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/

VMWare ESXi / vCenter Server Update

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

FriarFox Browser Extension Targeting GMail Accounts

https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global

Replacing Content in Signed PDFs

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1B-4_24117_paper.pdf

vCenter Exploit / Vulnerability Details

https://swarm.ptsecurity.com/unauth-rce-vmware/#more-2477

DNS CNAME Tracking

https://blog.lukaszolejnik.com/large-scale-analysis-of-dns-based-tracking-evasion-broad-data-leaks-included/

Cisco MSO Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-mso-authbyp-bb5GmBQv

JSON Parser Inconsistencies

https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities

Apple MacOS Update

https://www.reddit.com/r/macbook/comments/kge24m/dead_m1_mac_with_usbc_multiport_adapters/