Cybersecurity Digest #12: 05/10/2020 – 16/10/2020

Cybersecurity News

  • ENCS, the European Network for Cyber Security, and E.DSO, the European Distribution System Operators’ Association, announced the launch of security requirements for Distribution Automation (DA) Remote Terminal Units (RTUs). The requirements give European distribution system operators (DSOs) a defined set of practical considerations for procuring secure RTUs and are a significant step toward industry-wide requirements.
  • A team of five security researchers found 55 vulnerabilities in Apple’s online services during three months of testing, from July to September 2020. The flaws, 11 critical, 29 high, 13 medium and 2 low severity, could have allowed an attacker to take over a victim’s iCloud account and to hijack the sessions of Apple employees, gaining access to management tools and sensitive internal resources.
  • Microsoft described a new Android ransomware family, MalLocker.B, that locks the victim’s screen as part of a ransomware attack. The malware is hosted on arbitrary websites and distributed through online forums using various social engineering baits, including masquerading as popular apps, video players or cracked games.
  • MDSec researcher David Middlehurst discovered that the Windows Update client (wuauclt.exe) can be abused as a living-off-the-land binary: given specific command-line options it loads and executes code from an attacker-supplied DLL on Windows 10 systems, so malicious code runs under a signed, trusted Microsoft binary.
  • The LetsDefend.io project has opened public access to a service that simulates the working environment of a corporate Security Operations Center (SOC). The simulator offers a wide range of real-world events and will be useful for SOC analysts, cybersecurity experts and developers of SIEM systems.
  • Microsoft issued fixes for 87 security vulnerabilities as part of its October 2020 Patch Tuesday (13 October), including two critical remote code execution (RCE) flaws: one in the Windows TCP/IP stack, in the handling of ICMPv6 Router Advertisement packets (CVE-2020-16898, “Bad Neighbor”), and one in Microsoft Outlook.
  • Members of the intelligence-sharing alliance Five Eyes, along with government representatives for Japan and India, have published yet another statement calling on tech companies to agree to encryption backdoors.
  • The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint security alert stating that attackers have gained access to government networks by chaining VPN and Windows vulnerabilities, most notably the Fortinet FortiOS SSL VPN path traversal (CVE-2018-13379) with the Windows Netlogon elevation-of-privilege flaw Zerologon (CVE-2020-1472). Attacks have targeted federal and state, local, tribal, and territorial (SLTT) government networks; attacks against non-government networks have also been detected.
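The wuauclt.exe item above is worth turning into a hunting rule. The publicly documented invocation (LOLBAS) is `wuauclt.exe /UpdateDeploymentProvider <path to DLL> /RunHandlerComServer`; the example below, added here and not part of the original digest or of MDSec's research, classifies process-creation events by checking whether the DLL named after `/UpdateDeploymentProvider` is the expected `UpdateDeploymentProvider.dll` resolved from the system directory. The sample events are constructed in the shape of Sysmon Event ID 1 fields, and the legitimate baseline (bare DLL name, System32/SysWOW64 only) is an assumption to be tuned against your own telemetry.

```python
import shlex
from pathlib import PureWindowsPath

# Assumption for this example: legitimate Windows Update invocations load the
# handler DLL by bare name, which resolves to the system directory. Anything
# else is the LOLBin pattern. Tune this baseline against your own environment.
EXPECTED_DLL = "updatedeploymentprovider.dll"
ALLOWED_DIRS = {".", r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# They are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # normal Windows Update activity
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId {00000000-0000-0000-0000-000000000000} /RunHandlerComServer',
    },
    {   # attacker-supplied DLL dropped in a world-writable directory
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\update.dll /RunHandlerComServer",
    },
    {   # same DLL name, but loaded from a network share
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider \\fileshare\tools\UpdateDeploymentProvider.dll /RunHandlerComServer",
    },
    {   # unrelated wuauclt switch
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"wuauclt.exe /detectnow",
    },
    {   # not wuauclt at all
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
    },
]


def classify_wuauclt(event):
    """Return (verdict, reason) for a process-creation event, or None when the
    event is not a wuauclt.exe launch and therefore out of scope for this rule."""
    if PureWindowsPath(event["Image"]).name.lower() != "wuauclt.exe":
        return None

    # posix=False keeps backslashes literal, as Windows command lines require;
    # quotes are retained in that mode, so strip them from each token.
    tokens = [t.strip('"') for t in shlex.split(event["CommandLine"], posix=False)]
    lowered = [t.lower() for t in tokens]
    if "/updatedeploymentprovider" not in lowered:
        return ("benign", "no handler DLL requested")

    idx = lowered.index("/updatedeploymentprovider")
    if idx + 1 >= len(tokens) or tokens[idx + 1].startswith("/"):
        return ("suspicious", "/UpdateDeploymentProvider without a DLL argument")

    dll = PureWindowsPath(tokens[idx + 1])
    runs_handler = "/runhandlercomserver" in lowered
    if dll.name.lower() != EXPECTED_DLL:
        return ("suspicious", f"non-standard handler DLL {dll} (RunHandlerComServer={runs_handler})")
    # A bare file name has parent "."; anything else must be the system directory.
    if str(dll.parent).lower() not in ALLOWED_DIRS:
        return ("suspicious", f"handler DLL loaded from outside the system directory: {dll}")
    return ("benign", "standard handler DLL from the system directory")


def hunt(events):
    """Run the rule over a batch of events and return (command line, reason) for each hit."""
    hits = []
    for event in events:
        result = classify_wuauclt(event)
        if result and result[0] == "suspicious":
            hits.append((event["CommandLine"], result[1]))
    return hits


if __name__ == "__main__":
    for cmdline, reason in hunt(SAMPLE_EVENTS):
        print(f"[!] {reason}\n    {cmdline}")
```

The parent process is deliberately not part of the verdict: svchost.exe is the expected parent, but a rule that keys on the DLL argument catches the technique regardless of how the attacker launched it, and the parent can be added as a secondary score once you know your baseline.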

Cybersecurity Blog Posts

  • James Baxter shared the 10 best cybersecurity books for bridging the gap between what readers know and the current state of digital security. The list includes books such as “Ghost In The Wires” by Kevin Mitnick and “Hack-Proof Your Life Now! The New Cybersecurity Rules” by Devin Kropp and Sean Bailey.
  • Joshua Wright described a little-known Windows feature that lets a red team or an attacker hide a service from the usual service listings, creating an opportunity to evade common host-based threat hunting techniques.
  • Brian Carney writes about building persuasive forensic evidence. He emphasizes the importance of visualizing non-visual evidence and gives several techniques for producing a well-thought-out visualization of the entire investigation.
  • Vulnerability management is one of the most basic security hygiene practices an organization must have in place to avoid being hacked, yet many organizations are not doing it properly. Augusto Barros described techniques for improving its effectiveness: prioritizing findings and adding compensating controls where full remediation cannot be applied.
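A hunting counterpart to the hidden-service item above. As I understand Wright's post, the service is hidden by rewriting its security descriptor (`sc sdset`) so that ordinary callers are denied the rights a status query needs, which drops it from services.msc, `sc query` and `Get-Service` while its registry key under `HKLM\SYSTEM\CurrentControlSet\Services` remains. Two checks expose that: diff the Win32 services recorded in the registry against what the SCM enumerates, and look for deny ACEs in each service's SDDL, which default descriptors do not contain. The example below is added here and is not Wright's code; the registry snapshot, the visible-service list and the SDDL strings are constructed stand-ins for what `reg query`, `Get-Service` and `sc sdshow` return on a live host.

```python
import re

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services: name -> Type value.
# On a live host this comes from the registry; these entries are made up.
REGISTRY_SERVICES = {
    "Dhcp": 0x20,             # SERVICE_WIN32_SHARE_PROCESS
    "Spooler": 0x10,          # SERVICE_WIN32_OWN_PROCESS
    "disk": 0x01,             # SERVICE_KERNEL_DRIVER (drivers are never listed by Get-Service)
    "Ntfs": 0x02,             # SERVICE_FILE_SYSTEM_DRIVER
    "WinUpdateHelper": 0x10,  # planted service, made up for this example
}

# Constructed list of what Get-Service / sc query showed the analyst.
SCM_VISIBLE = {"Dhcp", "Spooler"}

# Constructed security descriptors in the form `sc sdshow <name>` prints them.
# The WinUpdateHelper descriptor carries deny ACEs of the kind used to hide a service.
SERVICE_SDDL = {
    "Spooler": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)",
    "WinUpdateHelper": "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
                       "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)",
}

SERVICE_WIN32 = 0x10 | 0x20   # own-process | share-process; excludes drivers
ACE_RE = re.compile(r"\(([^)]*)\)")
# In a service SDDL the generic abbreviation LC maps to SERVICE_QUERY_STATUS,
# the right a caller needs before enumeration will show the service at all.
ENUMERATION_RIGHT = "LC"


def win32_services_from_registry(registry):
    """Names of user-mode (Win32) services recorded in the registry."""
    return {name for name, svc_type in registry.items() if svc_type & SERVICE_WIN32}


def hidden_services(registry, visible):
    """Win32 services that exist in the registry but the SCM did not enumerate."""
    return sorted(win32_services_from_registry(registry) - set(visible))


def parse_dacl(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the D: part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")          # type;flags;rights;object;inherit;trustee
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            rights_list = [rights]        # numeric access mask, left as-is
        else:
            rights_list = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        yield ace_type, rights_list, trustee


def deny_aces(sddl):
    """Deny ACEs in a service DACL; default service descriptors contain none."""
    return [(rights, trustee) for ace_type, rights, trustee in parse_dacl(sddl) if ace_type == "D"]


def hunt_hidden_services(registry, visible, sddls):
    """Combine both checks into one report: service name -> list of findings."""
    findings = {}
    for name in hidden_services(registry, visible):
        findings.setdefault(name, []).append("present in registry but not enumerated by the SCM")
    for name, sddl in sddls.items():
        for rights, trustee in deny_aces(sddl):
            note = f"deny ACE for {trustee} on {''.join(rights)}"
            if ENUMERATION_RIGHT in rights:
                note += " (blocks status queries, so the service is hidden from listings)"
            findings.setdefault(name, []).append(note)
    return findings


if __name__ == "__main__":
    for name, notes in hunt_hidden_services(REGISTRY_SERVICES, SCM_VISIBLE, SERVICE_SDDL).items():
        for note in notes:
            print(f"[!] {name}: {note}")
```

Run the registry diff as SYSTEM or with a raw hive export rather than through the SCM, since the SCM is exactly the view the technique manipulates; the SDDL check is the stronger signal, because a legitimate service almost never carries a deny ACE.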

Research & Analytics

  • Check Point published the Global Threat Index for September 2020 which revealed that an updated version of Valak malware has entered the Index for the first time, ranking as the 9th most prevalent malware. The Emotet trojan remains in 1st place in the Index for the third month in succession, impacting 14% of organizations globally.
  • According to the 2020 Annual Arctic Wolf Security Operations Report, although the number of publicly disclosed data breaches is down year over year, the number of corporate credentials with plaintext passwords exposed on the dark web has increased by 429 percent since March. For a typical organization this means there are now on average 17 sets of corporate credentials available on the dark web for attackers to use in credential stuffing and brute-force attacks.
  • The World Economic Forum (WEF) released its annual report on global business leaders’ perception of Regional Risks for Doing Business (RRDB) in the form of interactive maps. Globally, cyber-attack ranks 4th, yet in North America it is considered the top risk by far. Perhaps more interesting is that neither Russia nor China lists cyber-attack among its top five risks at all.
  • According to Kroll’s Ransomware Attack Trends – 2020, ransomware was the most observed threat year to date, accounting for over one-third of all cases as of September 1, 2020. Ryuk, Sodinokibi and Maze are the top three ransomware variants so far in 2020.
  • Interisle published its Phishing Landscape 2020 report. The goal of the study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where, and to see whether the data suggests better ways to fight it.
  • BI.ZONE published Threat Zone 2020, a large-scale analytical study that highlights the key trends in cyberattacks and their impact on the global economy and business. The report covers infrastructure security issues, current vulnerabilities, threat trends and the situation in specific industries.
  • The 2020 Cybersecurity Perception Study by (ISC)2 surveys 2,500 people in the U.S. and U.K. from outside the cybersecurity profession about how they view the field and those who work in it. Attitudes toward cybersecurity roles are now overwhelmingly positive, although most people still don’t view the field as a career fit for themselves, even though nearly one-third (29%) of respondents say they are considering a career change.
  • The DFIR Report published a detailed description of every stage of a Ryuk ransomware intrusion; in the case they analyzed, 29 hours passed from the initial phishing email to domain-wide ransomware deployment. Ryuk has been one of the most prolific ransomware operations of the past few years, with the FBI estimating that $61 million USD had been paid to the group as of February 2020.
  • UEFI (Unified Extensible Firmware Interface) has become the standard firmware on modern computer systems, stored in a dedicated flash chip on the motherboard, and its position beneath the operating system makes it a target for exceptionally persistent attacks. Kaspersky researchers discovered an espionage campaign that used a malicious UEFI firmware image as part of a wider malicious framework dubbed MosaicRegressor.

Major Cyber Incidents