Cybersecurity News Headlines Update on 09 June, 2021

in #security (edited)


Australian Federal Police Arrest Hundreds Using Data Gathered Through Backdoored Chat App


The FBI was able to trick criminals into using an FBI-developed app, ANoM, to communicate with each other. The app was distributed on phones configured specifically to run it and, starting in 2018, sold on black markets. This week, several law enforcement agencies worldwide searched hundreds of locations in a coordinated effort using information collected from the ANoM app. The raids led to 224 arrests, the seizure of 3.7 tons of drugs, and the disruption of 20 “threats to kill.”

US Dept. of Justice Recovers Portion of Colonial Pipeline Ransom


The FBI has recovered $2.3 million of the $4.4 million in Bitcoin paid to the Colonial Pipeline ransomware operators. Colonial Pipeline had taken early steps to notify the FBI, which helped investigators track the payment to a specific cryptocurrency wallet. The FBI seized the bitcoin with the aid of court documents.

Threat Actors are Targeting Unpatched VMware vCenter and Cloud Foundation Software


Threat actors are actively scanning for unpatched versions of VMware vCenter Server and VMware Cloud Foundation software. VMware released fixes for the critical remote code execution vulnerability in late May, but systems remain unpatched.

Colonial Pipeline CEO to Testify Before House and Senate Committees This Week


Colonial Pipeline CEO Joseph Blount is scheduled to testify at the Senate and House Homeland Security Committee hearings on Tuesday, June 8 (Senate) and Wednesday, June 9 (House). According to written testimony, Blount paid the $4.4 million ransom to get the pipeline “back up and running” as quickly as possible. In the document, Blount also indicated that the company believes the attackers gained initial access to the organization’s network with a compromised VPN account password. Although the account was no longer being used, it was still able to access Colonial Pipeline’s network. The account has since been deactivated.

Another Pipeline-Related Attack: LineStar Integrity Services


LineStar Integrity Services, a company that provides pipeline compliance, technology, and integrity maintenance solutions, was hit with a ransomware attack around the same time as the Colonial Pipeline attack. While the company has not made any public statement about the attack, 70 GB of internal LineStar data was recently posted to a leak website.

Google’s Open Source Insights Project


Google’s Open Source Insights Project aims to help developers visualize their dependencies. The Open Source Insights site “provides an interactive view of the dependencies of open source projects.”

GitHub Policy Update


GitHub has updated its policies regarding malware and exploit code hosted on the site. In a blog post, GitHub CSO Mike Hanley writes that they “explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits.” The new policy includes clarification about when GitHub may disrupt attacks, noting that “We do not allow the use of GitHub in direct support of unlawful attacks that cause technical harm, which we've further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.”

WebExtensions Community Group


Major browser makers Microsoft, Google, and Mozilla have formed the WebExtensions Community Group (WECG) to examine ways “to advance a common browser extension platform.” The group will focus on browser extension security and performance. Other browser makers are invited to join WECG.

Microsoft’s ElectionGuard to be Piloted in Hart InterCivic Voting Machines


US voting machine vendor Hart InterCivic will pilot Microsoft’s ElectionGuard software in its Verity voting systems. ElectionGuard is open source software that makes ballots verifiable. The Verity machines will create paper backups, use encryption in a way that protects voter privacy while still allowing votes to be counted, and let voters check whether their vote has been counted.

Siloscape Malware Targets Windows Containers


A researcher at Palo Alto Networks Unit 42 has discovered the first known malware that targets Windows containers. “Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.”

CODESYS Vulnerabilities


Researchers from Positive Technologies have found 10 vulnerabilities in CODESYS automation software. The flaws could be exploited to remotely execute code on programmable logic controllers (PLCs). The vulnerabilities are due to insufficient verification of input data. CODESYS has released advisories (2021-06, 2021-07, and 2021-08) and updates.

University of Florida Health Hospitals Affected by Cyberattack


Two University of Florida (UF) Health hospitals were hit with a cyberattack that has them running under electronic health record (EHR) downtime. The incident has affected The Villages Regional Hospital and Leesburg Hospital. IT teams are investigating what is suspected to be a ransomware attack.

Threat Actors Exploited Pulse Secure Zero-Day to Break into MTA Systems


Cyberthreat actors believed to be operating with the support of China’s government exploited a Pulse Secure zero-day vulnerability to gain access to New York City’s Metropolitan Transportation Authority (MTA) computer systems earlier this spring. A forensic investigation revealed that the intruders attempted to remove evidence of their forays into the network, which raises the possibility that there have been system breaches that MTA has not discovered.

IBM Announces School Systems Chosen to Receive Cybersecurity Grants


IBM has selected six US school systems to receive grants to help strengthen their cybersecurity. The school systems are Brevard Public Schools (Florida), Denver Public Schools (Colorado), KIPP Metro Atlanta Schools (Georgia), Newhall Independent School District (California), Poughkeepsie Independent School District (New York), and Sheldon Independent School District (Texas). “The grants will sponsor IBM Service Corps teams to help six U.S. K-12 public school districts proactively prepare for and respond to cyber threats.”

NIST: Mobile Device Biometric Authentication for First Responders


A report from the US National Institute of Standards and Technology (NIST) “examines how first responders could use mobile device biometrics in authentication and what the unsolved challenges are.” The report is intended to help public safety organizations make choices about first responder authentication options. NIST is accepting comments through July 19, 2021.

White House Memo: Advice to Private Sector on Protection from Ransomware


Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, has released an open letter to corporate executives and business leaders urging them to take action to protect their networks from ransomware. The memo strongly recommends implementing the five best practices from the President’s Executive Order: back up data, system images, and configurations, and regularly test them, and keep the backups offline; update and patch systems promptly; test your incident response plan; check your security team’s work; and segment networks.

DoJ Will Treat Ransomware Investigations with High Priority


According to a senior official from the US Department of Justice, DoJ will give ransomware investigations a priority similar to that of terrorism investigations. Earlier this week, US Attorney’s offices across the country received guidance instructing them to share information about ransomware investigations with a Washington, DC-based task force.

FBI Says REvil Ransomware Group Responsible for JBS Attack; Company Says Facilities are Now Operational


The FBI has “attributed the JBS attack to REvil and Sodinokibi and [is] working diligently to bring the threat actors to justice.” JBS says that all its facilities are once again operational.

Massachusetts Steamship Authority Hit with Ransomware Attack


A ransomware attack on the Massachusetts Steamship Authority’s computer network has disrupted its operations. Customers were unable to make reservations or purchase tickets online or by phone. (Please note that the WSJ story is behind a paywall.)

Fujifilm Shuts Down Network in Wake of Ransomware Attack


Fujifilm has shut down parts of its network after becoming aware of a possible ransomware attack. The Tokyo-based company has also “disconnected from external correspondence.”

Massachusetts Hospital Discloses Ransomware Attack


Sturdy Memorial Hospital in Attleboro, Massachusetts, has disclosed that its network was hit with a ransomware attack in February 2021. Analysis revealed that patient medical and financial data were compromised. The hospital paid a ransom to prevent data from being leaked. The incident also affected healthcare providers that had partnered with Sturdy Memorial for the coordination of patient care. The hospital is now notifying affected patients.

US Supreme Court Ruling Reins in CFAA’s Reach


A ruling from the Supreme Court limits the scope of the Computer Fraud and Abuse Act (CFAA). The case, Van Buren v. United States, involves a former police officer who accepted money for using his access to a law enforcement database to look up license plate information. The written majority opinion notes that the court’s job was to “decide whether Van Buren… violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”

Amazon Sidewalk is Going Live Next Week


On June 8, 2021, Amazon smart devices, including Echo and Ring, will automatically be integrated into the Amazon Sidewalk wireless mesh service. Sidewalk will "share a small portion of your internet bandwidth" to "extend the low-bandwidth working range of devices." Users can opt out of participating through the Alexa and Ring apps.

Nobelium Spear Phishing Campaign Domains Seized


US authorities have seized two domains associated with a recent spear-phishing campaign. The attackers are believed to be Nobelium, the threat actor likely responsible for the SolarWinds Orion supply chain attack. The spear-phishing messages masqueraded as communications from the US Agency for International Development (USAID) and targeted government agencies, think tanks, and non-governmental organizations (NGOs) around the world.

Microsoft Acquires ReFirm Labs


Microsoft has acquired firmware analysis company ReFirm Labs. Microsoft says the acquisition will “enrich our firmware analysis and security capabilities across devices that form the intelligent edge, from servers to IoT.”

US Army Rescinds Workplace IoT Ban


The US Army appears to have rescinded a May 20, 2021, memo banning remote workers from using Internet of Things (IoT) devices in their workspaces. The ban was issued over concerns that IoT devices are constantly collecting data and listening.

Digital Flash Card Apps Exposed US Nuclear Weapons Secrets


Sensitive information about US nuclear missile bunkers in Europe was found online by searching for related terms, such as protective aircraft shelters (PAS) and Weapons Storage and Security Systems (WS3). The data were being used in digital flashcard apps. The compromised information includes camera positions, patrol frequency, unique identifiers on badges required for entry, and codewords guards use to indicate they are being actively threatened. The flashcards have been taken down.

Have I Been Pwned Open Sources CodeBase and Will Receive Data from FBI


Last week, Have I Been Pwned (HIBP) founder Troy Hunt announced that the HIBP codebase is now open source through the .NET Foundation. Hunt also announced that HIBP will provide the FBI with a means to share with HIBP lists of compromised passwords obtained in the course of investigations.

Fix Available for Critical Flaw in HPE SIM


Hewlett Packard Enterprise (HPE) has released an update to address a critical vulnerability in its Systems Insight Manager (SIM) software. The flaw was initially disclosed in December 2020; it arises from “a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page.” The flaw could be exploited to allow attackers with no privileges to execute code remotely. It affects HPE SIM versions 7.6.x for Windows only.

SonicWall Offers Fix for Flaw in On-Premises Version of NSM


SonicWall has released updates to address “a post-authentication vulnerability (SNWLID-2021-0014) within the on-premises version of Network Security Manager (NSM).” Users are urged to upgrade to the patched versions, NSM 2.2.1-R6 and NSM 2.2.1-R6 (Enhanced), as soon as possible. The issue does not affect software-as-a-service (SaaS) versions of NSM.

Siemens Offers Fix for Flaw in Programmable Logic Controllers


Siemens has released a firmware update to address a severe memory protection bypass vulnerability in its SIMATIC S7-1200 and S7-1500 Programmable Logic Controllers (PLCs). Researchers at Claroty detected the flaw and notified Siemens, who released updates on May 28.

The Apple M1 Chip Vulnerability and the Business of Bug Disclosure


Last week, Hector Martin disclosed a vulnerability in Apple’s M1 chip that “allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features.” The flaw is “baked in” to the chip, which means it cannot be fixed or patched. While the vulnerability is interesting, Martin notes that “nobody's going to actually find a nefarious use for this flaw in practical circumstances.” He also writes that the website he created for the flaw, which he dubbed M1RACLES, is meant to “poke fun at how ridiculous infosec clickbait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn't mean you need to care.”

Food Processing Giant JBS Hit with Cyberattack


São Paulo-based food processing company JBS has shut down production at several facilities around the world following a cyberattack. Computer networks in Australia, Canada, and the US were affected.

Swedish Infectious Diseases Database Temporarily Taken Down After Attempted Intrusions


Sweden’s Public Health Agency (Folkhälsomyndigheten) temporarily took its infectious diseases database offline after detecting several attempted intrusions. The database, which is known as SmiNet, is also used to store information about COVID-19 infections. The database is once again operational; Folkhälsomyndigheten writes that “to further increase security, some adjustments have been made, which means certain restrictions when it comes to reporting data.”

US Army Requires Remote Workers to Remove IoT Devices from Workspace


In a May 25 memo calling for “teleworkers [to] incorporate strong cyber hygiene practices in their daily telework routine,” the US Army wrote that it is requiring all remote workers to remove Internet of Things (IoT) devices (any device with a listening function) from their work areas. The requirement applies to military and civilian employees and contractors.

Visit PUPUWEB Blog for comment and reference link for each topic: https://pupuweb.com/cybersecurity-news-headline-updated-202106/
