2019 Week 41 Security news summary


A couple of weeks ago three Alabama hospitals were hit with ransomware on the same day. Patients were diverted and surgeries were postponed or moved to other facilities. It was disclosed this week that they have decided to pay for decryption.
-          ThreatPost has this to say about the situation. It notes that cyber insurance plays a part in the decision to pay, without specifically saying that an insurance company made the choice in this case: https://threatpost.com/alabama-hospitals-pay-up-ransomware-attack/148937/

Cyware has an article on the new hacking techniques seen so far in 2019. Some highlights (https://cyware.com/news/new-hacking-techniques-discovered-in-2019-so-far-3fac14b5):
-          Ctrl-Alt-LED is a technique for exfiltrating data from air-gapped systems. Malware on the machine toggles the Caps Lock, Num Lock, and Scroll Lock LEDs on the keyboard to encode the target data, and a camera records the pulses.  https://cyware.com/news/new-ctrl-alt-led-technique-can-allow-threat-actors-to-exfiltrate-data-from-secure-air-gapped-systems-3d87e1cd
-          WIBattack is a variant of Simjacker that I alerted people to a few weeks ago. It uses a crafted SMS to trick the Wireless Internet Browser (WIB) application on unpatched SIM cards into executing SIM Toolkit commands on the SIM.  https://cyware.com/news/researchers-disclose-new-sim-card-attack-dubbed-wibattack-dc4dcbe7
-          The WSD attack is a new kind of DDoS reflection attack. It abuses WS-Discovery (WSD), a UDP discovery protocol built into many IoT devices, which answer a probe by replying to whatever IP address is in the packet's source address field. The attacker puts the victim's address in that field and sends probes to lists of internet-connected IoT devices, which then flood the victim with their replies.
-          Warshipping is a new take on an old idea. You mail a web-enabled smartphone to the target, and once it is inside the building the device's built-in Wi-Fi radio is used to connect to the firm's Wi-Fi. In other words, it is aimed at those who assume their physical barrier is too big for them to have to worry about strong Wi-Fi defenses.
-          Spearphone is a cool one. This attack uses the accelerometer on an unpatched Android device to pick up the vibrations produced by the phone's own loudspeaker. The sensor is sensitive enough to recover sound, including voices, from those vibrations.
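To make the Ctrl-Alt-LED channel concrete, here is an added simulation of how data can be framed onto the three lock LEDs and recovered from a recorded sequence of LED states. This is illustration code, not the researchers' tool: the framing (one bit per LED, three bits per camera frame, an all-on/all-off/all-on preamble and a two-byte length prefix) is my own assumption, and the actual paper uses its own modulation schemes.

```python
"""Simulated keyboard-LED covert channel in the style of Ctrl-Alt-LED.

Added illustration, not the researchers' code. The framing used here
(3 bits per frame, one per lock LED, a sync preamble and a 2-byte
length prefix) is an assumption chosen for clarity.
"""
from typing import List, Sequence, Tuple

Frame = Tuple[int, int, int]            # (Caps Lock, Num Lock, Scroll Lock)

# Assumed sync pattern the receiver looks for before the payload.
PREAMBLE: List[Frame] = [(1, 1, 1), (0, 0, 0), (1, 1, 1)]


def bytes_to_frames(data: bytes) -> List[Frame]:
    """Spread a byte string over 3-bit frames, zero-padding the tail."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * ((-len(bits)) % 3)
    return [tuple(int(c) for c in bits[i:i + 3])  # type: ignore[misc]
            for i in range(0, len(bits), 3)]


def encode(data: bytes) -> List[Frame]:
    """Sender side: preamble, then a 2-byte big-endian length, then payload."""
    if len(data) > 0xFFFF:
        raise ValueError("payload too large for 2-byte length prefix")
    return PREAMBLE + bytes_to_frames(len(data).to_bytes(2, "big") + data)


def decode(frames: Sequence[Sequence[int]]) -> bytes:
    """Receiver side: locate the preamble, then reassemble the bytes.

    Frames before the preamble (e.g. idle all-off frames while the
    camera was already recording) are ignored.
    """
    norm: List[Frame] = [tuple(int(v) for v in f) for f in frames]  # type: ignore[misc]
    for i in range(len(norm) - len(PREAMBLE) + 1):
        if norm[i:i + len(PREAMBLE)] == PREAMBLE:
            start = i + len(PREAMBLE)
            break
    else:
        raise ValueError("no preamble found in LED recording")
    bits = "".join(f"{a}{b}{c}" for a, b, c in norm[start:])
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    if len(raw) < 2:
        raise ValueError("recording too short for length prefix")
    length = int.from_bytes(raw[:2], "big")
    if len(raw) - 2 < length:
        raise ValueError("recording truncated before end of payload")
    return raw[2:2 + length]


def seconds_to_exfiltrate(nbytes: int, frames_per_second: float) -> float:
    """Time to leak nbytes at a given camera frame rate with this framing."""
    return len(encode(b"\x00" * nbytes)) / frames_per_second


if __name__ == "__main__":
    secret = b"db_password=hunter2"          # constructed sample payload
    recording = [(0, 0, 0)] * 4 + encode(secret)   # idle frames, then the burst
    print(decode(recording))
    print(f"{seconds_to_exfiltrate(1024, 30):.1f} s for 1 KiB at 30 fps")
```

The throughput helper makes the point a defender cares about: even at an ordinary 30 frames per second, three LEDs leak roughly 90 bits per second, so a kilobyte of key material walks out in well under two minutes. Covering or disabling the lock LEDs, or alerting on unusual keyboard LED toggling, is the corresponding control.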

It should surprise no one who follows the behind-the-scenes news in the hacking world that North Korea has raised an estimated 2 billion dollars for its nuclear weapons program by stealing from other countries' financial institutions. That is impressive for a country that has only TWO connections to the internet. Part of its success is that it appears to have given cyber warfare as much attention as nuclear and conventional warfare.
-          Read a detailed analysis at Yahoo News:  https://news.yahoo.com/cyber-attacks-north-koreas-weapon-174900885.html

Eleven security holes were discovered in Schneider Electric Modicon controllers. The affected models are Modicon M580, M340, BMENOC 0311, BMENOC 0321, Quantum, Premium, and Modicon BMxCRA and 140CRA. The flaws are in the Modbus, FTP, and TFTP protocol implementations and the REST API.

NIST is looking for help securing the energy sector's network. The specific segment it is focusing on is the flow of data from distributed energy resources (DERs). The main concern is that these small-site generation systems often use fairly standard IoT technologies for their communications.
Nextgov has more information about the call for solutions and the underlying issue here:  https://www.nextgov.com/cybersecurity/2019/10/nist-hunting-tech-secure-energy-sectors-network/160477/

140 local governments and hospitals have been hit by ransomware attacks. The number one attack vector is still phishing. Money is still the number one motive, but in some cases the ransomware is there to lock up systems as cover for another attack.

A researcher used a tool he created to link open source intelligence data to the physical addresses of critical infrastructure in the United States. There are a lot of weeds to get lost in, but one of the key takeaways is the exposure of open or poorly protected Industrial Control System (ICS) ports: 1911 and 4911 (Tridium Niagara Fox), 47808 (BACnet/IP), 502 (Modbus/TCP), and 44818 (EtherNet/IP). Modbus on port 502 is one of the protocols mentioned above in relation to the Schneider controllers.
SecurityWeek has an article that was meant as a teaser for a talk the researcher was to give at ICS next week, which he has had to cancel:  https://www.securityweek.com/researcher-shows-how-adversaries-can-gather-intel-us-critical-infrastructure
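The practical follow-up to that finding is to check whether any of your own ICS ports are reachable from the internet. The added example below, which is my own code and not the researcher's tool, runs that check over firewall logs. The log format is a constructed, simplified key=value one (not any real product's), the internal address ranges are an assumed RFC 1918 list, and the sample lines are made up; the port-to-protocol mapping is the set of ports named above.

```python
"""Flag internet-exposed ICS services in firewall logs.

Added example, not the researcher's tool. The log format, the sample
lines and the "internal" ranges below are all assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The ports named in the post and the protocol each normally carries.
ICS_PORTS: Dict[int, str] = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
    1911: "Tridium Niagara Fox",
    4911: "Tridium Niagara Fox (TLS)",
}

# Assumed internal ranges (RFC 1918). Anything else counts as external;
# an explicit list avoids surprises from library notions of "private".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified log format (not from any real firewall).
LOG_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary internet sources.
SAMPLE_LOG = """\
2019-10-09T03:12:01Z action=allow proto=tcp src=203.0.113.45 dst=10.20.1.7 dport=502
2019-10-09T03:12:02Z action=allow proto=tcp src=10.20.1.9 dst=10.20.1.7 dport=502
2019-10-09T03:12:05Z action=deny proto=udp src=198.51.100.8 dst=10.20.1.7 dport=47808
2019-10-09T03:12:09Z action=allow proto=tcp src=203.0.113.45 dst=10.20.1.8 dport=44818
2019-10-09T03:12:11Z action=allow proto=tcp src=203.0.113.45 dst=10.20.1.8 dport=443
this line is not in the expected format and is skipped
"""

Finding = Tuple[str, int, str]          # (destination host, port, protocol name)


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed(log_text: str) -> Dict[Finding, List[str]]:
    """Return allowed external -> ICS-port connections, grouped by target.

    Only 'allow' entries count: a denied probe proves scanning, not
    exposure. Each finding lists the distinct external sources seen.
    """
    hits: Dict[Finding, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # unparseable line, skip it
        port = int(m.group("dport"))
        if m.group("action") != "allow" or port not in ICS_PORTS:
            continue
        if not is_external(m.group("src")):
            continue
        hits[(m.group("dst"), port, ICS_PORTS[port])].add(m.group("src"))
    return {k: sorted(v) for k, v in hits.items()}


def report(findings: Dict[Finding, List[str]]) -> List[str]:
    """Human-readable lines, one per exposed service."""
    return [f"{dst}:{port} ({name}) reachable from {', '.join(srcs)}"
            for (dst, port, name), srcs in sorted(findings.items())]


if __name__ == "__main__":
    for line in report(find_exposed(SAMPLE_LOG)):
        print(line)
```

Two design points: the internal list is deliberately explicit rather than relying on a library's "is private" test, because the documentation ranges used in sample data (and some real carrier ranges) are classified as non-global by such tests and would silently disappear from the results; and denied traffic is excluded from the findings, though the same denied probes are exactly what you would want to count separately as evidence that someone is enumerating those ports.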
