InfoSec News

CISA Statement on Iranian Cybersecurity Threats

By

By William Knowles @c4i
Senior Editor
InfoSec News
June 24, 2019

Release Date:
June 22, 2019

WASHINGTON – In response to reports of an increase in cybersecurity threats, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs issued the following statement:

“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.

“In times like these it’s important to make sure you’ve shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident – take it seriously and act quickly. You can find other tips and best practices for staying safe online here.

“Anyone who has relevant information or suspects a compromise should immediately contact us at [email protected]

Riviera Beach Florida City Council Agrees to Pay Cybercriminals Nearly $600K Malware Ransom

By

By William Knowles @c4i
Senior Editor
InfoSec News
June 20, 2019

Riviera Beach Florida just became the newest member of a club no city or local government hopes to join. Taking only a few minutes and by a unanimous vote of 5-0 on Monday night the board authorized Riviera Beach’s insurer to pay 65 bitcoins valued at approximately $592K USD. Paying off a malware ransom that has crippled all of the city’s information technology infrastructure since May 29th after someone in the police department clicked on a malicious email.

But unlike the 2000 action flick Proof of Life, there’s no guarantee paying the ransom will unlock the affected computer network and all the encrypted files, and while its 2019, Its not likely Cyber-Insurance companies have former 22nd SAS and 75th Ranger Battalion types running around the world with machine guns blazing for a successful hostage rescue of a malware-infected network.

The council held a special meeting earlier in June to authorize $941,000 for 310 new desktop and 90 laptop computers and other hardware. Much of the existing hardware was a half-dozen-years old and vulnerable to another malware attack, so it was time to replace it anyway, Riviera Beach Councilwoman Julie Botel said.

In a 2016 survey, CIO’s for local governments across the country said more than a third of them were using outdated technology, making them more vulnerable to attacks. Riviera Beach will also spend an additional $25,000 coming out of their budget, to cover its insurance policy deductible.

With rising deficits and pension obligations, its understandable how a city like Riviera Beach or Baltimore Maryland can be compromised so easily when there isn’t the budget to hire a full-time information security professional and institute security awareness training for topics like not clicking on shit or scanning random QR codes.

Chad Loder, Founder & CEO of security awareness training firm Habitu8 posted on Twitter recently.

I’m astounded that some companies still purchase the cheapest security awareness training content “to save money”, but will put 2,000 employees each through an hour of terrible training.

You’re not saving money – you’re wasting it.

Chad Loder (@chadloder) – 19 Jun 2019

Cities across the United States and around the world will now have to decide, what is cheaper? hiring a full-time security professional, a part-time person, a managed service provider, or just paying the ransom and hope the files recover completely. However, hope is not a strategy.

With additional reporting from The Palm Beach Post

NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Versions of Windows

By

FORT MEADE, Md., June 4, 2019 —

The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows. Microsoft has warned that this flaw is potentially “wormable,” meaning it could spread without user interaction across the internet. We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.

CVE-2019-0708, dubbed “BlueKeep,” is a vulnerability in the Remote Desktop (RDP) protocol. It is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable.

This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches. Please refer to our advisory for additional information. This is critical not just for NSA’s protection of National Security Systems but for all networks. In order to increase resilience against this threat while large networks patch and upgrade, there are additional measures that can be taken:

  • Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used in RDP protocol and will block attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials to perform remote code authentication.
  • Disable remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

The Weather Channel compromised by Malware Attack Trevor

By

By William Knowles @c4i
Senior Editor
InfoSec News
April 19, 2019

The Weather Channel’s normally quiet morning broadcast was suspended for a brief time on Thursday after what it said was a “malicious software attack on the network.”

America’s Morning Headquarters – “AMHQ” the Weather Channel’s morning show, was unable to air at 6 a.m. The Weather Channel showed “Heavy Rescue: 401” until 7:39 a.m. when “AMHQ” was back on the air.

“We experienced issues with this morning’s live broadcast following a malicious software attack on the network,” the Weather Channel said in a statement. “We were able to restore live programming quickly through backup mechanisms. Federal law enforcement is actively investigating the issue. We apologize for any inconvenience to viewers as we work to resolve the matter.”

pic.twitter.com/ovSgrgHxXY

— The Weather Channel (@weatherchannel) April 18, 2019

“The Weather Channel, sadly, has been the victim of a malicious software attack today,” said The Weather Channel anchor Jim Cantore. “Yes, and it has affected our ability to bring you your weather information,” added anchor Stephanie Abrams. “So we just wanted to say thank you again for your patience and we want to get right to today’s severe weather.”

The Weather Channel tweeted “We are experiencing technical difficulties with our live broadcast. We apologize for any inconvenience while we resolve this issue. We appreciate your patience.” — The Weather Channel (@weatherchannel) April 18, 2019

It’s too early to know if this was a targeted attack and what the vector was to upload malware to The Weather Channel. It could have been as simple as phishing the Weather Channel employees with a salacious email like “Reed Timmer and Ginger Zee vacation photos” but it was obvious The Weather Channel had learned inexpensive lessons about making regular backups and keeping copies offline to prevent future compromises like the $300 million ransomware attack on the Maersk Group.

Citrix compromised by international cybercriminals

By

By William Knowles @c4i
Senior Editor
InfoSec News
March 11, 2019

Late last week, Citrix announced in a statement by Chief Security and Information Officer, Stan Black that they were hit by hackers in attacks that potentially exposed terabytes of customer data and potentially internal Citrix corporate secrets.

“On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cybercriminals gained access to the internal Citrix network.”

“Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI.”

“Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly. In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information.”

“While our investigation is ongoing, based on what we know to date, it appears that the hackers may have accessed and downloaded business documents. The specific documents that may have been accessed, however, are currently unknown. At this time, there is no indication that the security of any Citrix product or service was compromised.”