VLCM Cybersecurity Alerts - October, 2019

 

Aside from the normal parade of ghouls and goblins, there were reports of scarier variants in the realm of cybersecurity during the month of October, including active attacks against vulnerabilities found in multiple VPN solutions. The NSA and CISA provided guidance on mitigating those threats. There was a reminder of the looming end of support for Windows 7 and Server 2008 R2 on January 14, 2020, the usual update notifications from multiple vendors, and guidance covering everything from defending against phishing and social engineering attacks, charity fraud, stalking apps, and e-skimming, to tips from the FTC for warding off hackers. At the end of the month came reports of ghouls like Emotet, HIDDEN COBRA, and a freakish threat called HOPLIGHT. In all, nothing to joke about, and all trick/no treat if you find yourself unprepared. VLCM encourages customers to follow the guidance below and to stay alert, stay informed and stay vigilant!

 


AR19-304A: MAR-10135536-8 – North Korean Trojan: HOPLIGHT

October 31, 2019

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners, DHS, FBI, and DoD identified Trojan malware variants used by the North Korean government. This malware variant has been identified as HOPLIGHT. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https[:]//www[.]us-cert.gov/hiddencobra.

Full report: https://www.us-cert.gov/ncas/analysis-reports/ar19-304a

 

Google Releases Security Updates for Chrome

October 31, 2019

Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

 

North Korean Malicious Cyber Activity

October 31, 2019

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified a Trojan malware variant—referred to as HOPLIGHT—used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

CISA encourages users and administrators to review Malware Analysis Reports MAR-10135536-8 and the page on HIDDEN COBRA - North Korean Malicious Cyber Activity for more information.

 

Apple Releases Security Updates

October 30, 2019

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:

 

MS-ISAC Releases Advisory on PHP Vulnerabilities

October 30, 2019

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review MS-ISAC Advisory 2019-116 and the PHP Downloads page and apply the necessary updates.

 

Microsoft Reports Global Cyberattacks on Sporting and Anti-Doping Organizations from Russian Espionage Actors

October 29, 2019

Microsoft publicly released information revealing an uptick in cyberattacks globally targeting anti-doping authorities and sporting organizations. The Microsoft Threat Intelligence Center (MSTIC) routinely tracks malicious activity originating from the Russian advanced persistent threat (APT) group APT28, also known as Fancy Bear, STRONTIUM, Swallowtail, Sofacy, Sednit, and Zebrocy. According to Microsoft, APT28 is targeting sporting and anti-doping organizations using spearphishing, password spraying (a brute force technique), fake Microsoft internet domains, as well as open-source and custom malware to exploit internet-connected devices.

To protect against similar attacks, Microsoft recommends:

  • Enabling two-factor authentication on all business and personal email accounts,
  • Learning how to spot phishing schemes and protect yourself from them, and
  • Enabling security alerts about links and files from suspicious websites.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages network defenders to remain vigilant and review the Microsoft article, the World Anti-Doping Agency article, and the following resources for additional information:

 

ACSC Releases Advisory on Emotet Malware Campaign

October 25, 2019

The Australian Cyber Security Centre (ACSC) has released an advisory on an ongoing, widespread Emotet malware campaign. Emotet is a Trojan—commonly spread via malicious email attachments—that attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. ACSC provides indicators of compromise (IOCs) and recommendations to help organizations defend against Emotet malware.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ACSC advisory and CISA’s Alert on Emotet Malware for more information.

 

Samba Releases Security Updates

October 29, 2019

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcements for CVE-2019-10218, CVE-2019-14833, and CVE-2019-14847 and apply the necessary updates and workarounds.

 

FTC Provides Tips for Warding Off Hackers

October 29, 2019

The Federal Trade Commission (FTC) has released an article with tips on how to protect your personal information from being stolen by hackers. In support of National Cybersecurity Awareness Month (NCSAM), FTC provides recommendations on how to safeguard phones, computers, accounts, and personally identifiable information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the FTC article and the following additional resources for more information:

 

Mozilla Releases Security Update for Thunderbird

October 24, 2019

Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 68.2 and apply the necessary update.

 

NCSC Releases 2019 Annual Review

October 24, 2019

The United Kingdom's (UK) National Cyber Security Centre (NCSC) has released its Annual Review for 2019, which reports its work and key accomplishments from September 1, 2018, to August 31, 2019. NCSC provides enhanced services to protect the UK against cybersecurity threats.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review NCSC’s 2019 Annual Review for more information.

 

FBI Expands Election Security Resources

October 24, 2019

The Federal Bureau of Investigation (FBI) has released additional election security resources as part of the Protected Voices initiative. Created in partnership with FBI, the Department of Homeland Security, and the Office of the Director of National Intelligence, Protected Voices is an effort to share resources, information, and tools to help mitigate the risk of cyber influence operations targeting U.S. elections.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages political campaigns and the American public to review FBI’s article on Protecting Every Voice, the Protected Voices suite of resources, and CISA’s Tip on Best Practices for Securing Elections Systems.

 

Keep Children and Teens Safe Online

October 24, 2019

The Internal Revenue Service (IRS) has issued a news release urging parents and families to be wary of the risks posed when sharing home devices, shopping online, and using social media.

As part of National Cybersecurity Awareness Month (NCSAM), the Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following resources for more information about staying safe online.

 

FBI Releases Article on Defending Against E-Skimming

October 23, 2019

The Federal Bureau of Investigation (FBI) has released an article to raise awareness on e-skimming threats. E-skimming occurs when an attacker injects malicious code onto a website to capture credit or debit card data or personally identifiable information (PII).

The Cybersecurity and Infrastructure Security Agency (CISA) encourages businesses and agencies that take online payments to review the FBI article and consider the following tips to help protect against e-skimming:

Users can report suspected attacks to their local FBI office or to the FBI's Internet Crime Complaint Center at www.ic3.gov.

 

Beware of Stalking Apps

October 23, 2019

The Federal Trade Commission (FTC) has released an article warning consumers of “stalking apps”—spyware that secretly monitors smartphones. These apps can share information like call history, text messages, photos, GPS locations, and browser history without the user's knowledge. Although such monitoring software can be a useful tool, stalking apps can also be used maliciously.

Smartphone users who suspect an illegitimate stalking app on their device should consider the following steps:

  • Use a rootchecker app to see if the phone is “jailbroken” or modified to allow unrestricted access to the entire file system.
  • Get a new device or remove the stalking app by factory resetting the smartphone and reinstalling the manufacturer’s operating system.
  • Get help. Law enforcement can determine if spyware is on your phone.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages individuals to review FTC’s article and CISA’s Tip on Privacy and Mobile Device Apps for more information.

 

Google Releases Security Updates for Chrome

October 23, 2019

Google has released Chrome version 78.0.3904.70 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

 

Mozilla Releases Security Updates for Firefox and Firefox ESR

October 23, 2019

Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 70 and Firefox ESR 68.2.

 

Juniper Networks Releases Junos OS Security Advisory

October 23, 2019

Juniper Networks has released a security update to address a vulnerability in Junos OS. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisory and apply the necessary updates.

 

FTC Promotes International Charity Fraud Awareness Week

October 22, 2019

The Federal Trade Commission (FTC) has released an article promoting International Charity Fraud Awareness Week (ICFAW), which runs October 21–25. FTC, the National Association of State Charities Officials, and state and international partners coordinated this campaign to help both charities and donors avoid charity fraud.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages charities and donors to review FTC’s article and the following resources for more information:

 

NSA and NCSC Release Joint Advisory on Turla Group Activity

October 21, 2019

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:

  • NSA Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims
  • UK NCSC Advisory: Turla group exploits Iranian APT to expand coverage of victims
  • January 2018 UK NCSC Report: Turla Group Malware

 

AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2

October 17, 2019

Summary

On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems.[1] After this date, these products will no longer receive free technical support, or software and security updates.

Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.

Technical Details

All software products have a lifecycle. “End of support” refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance. [2]

For more information on end of support for Microsoft products see the Microsoft End of Support FAQ.

Systems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets.

Mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to:

  • Upgrade to a newer operating system.
  • Identify affected devices to determine the breadth of the problem and assess the risk of not upgrading.
  • Establish and execute a plan to systematically migrate to currently supported operating systems or employ a cloud-based service.
  • Contact the operating system vendor to explore opportunities for fee-for-service maintenance, if unable to upgrade.
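The second mitigation step, identifying affected devices, is the one most easily automated. The following is an added example (not part of the CISA alert) that classifies hosts from a constructed inventory export by the OS version number rather than the free-text caption, since Windows 7 and Windows Server 2008 R2 both report kernel version 6.1 while captions vary by edition and language. The inventory format, hostnames and captions are all assumed sample data.

```python
from dataclasses import dataclass
from datetime import date

# End of extended support for Windows 7 and Windows Server 2008 R2, as stated in the alert.
WIN7_2008R2_EOL = date(2020, 1, 14)

# Constructed sample inventory in the shape a management tool might export:
# hostname, OS caption, and the OS version string reported by the system.
SAMPLE_INVENTORY = """\
hostname,os_caption,os_version
ws-finance-01,Microsoft Windows 7 Professional,6.1.7601
srv-files-02,Microsoft Windows Server 2008 R2 Standard,6.1.7601
ws-hr-07,Microsoft Windows 10 Enterprise,10.0.18362
srv-dc-01,Microsoft Windows Server 2016 Standard,10.0.14393
ws-lab-03,Microsoft Windows 8.1 Pro,6.3.9600
"""


@dataclass
class Finding:
    hostname: str
    os_caption: str
    role: str           # "workstation" or "server"
    days_past_eol: int  # negative while extended support still remains


def parse_inventory(text):
    """Parse the simple comma-separated export into a list of row dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def is_win7_or_2008r2(os_version):
    """Both Windows 7 and Server 2008 R2 report major.minor version 6.1."""
    parts = os_version.split(".")
    return len(parts) >= 2 and parts[0] == "6" and parts[1] == "1"


def find_affected(text, today_iso):
    """Return the hosts still on Windows 7 / Server 2008 R2 as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in parse_inventory(text):
        if not is_win7_or_2008r2(row["os_version"]):
            continue
        role = "server" if "Server" in row["os_caption"] else "workstation"
        findings.append(Finding(row["hostname"], row["os_caption"], role,
                                (today - WIN7_2008R2_EOL).days))
    return findings


def summarize(findings):
    """Breadth of the problem: how many workstations and servers need a migration plan."""
    return {
        "total": len(findings),
        "workstations": sum(1 for f in findings if f.role == "workstation"),
        "servers": sum(1 for f in findings if f.role == "server"),
    }


if __name__ == "__main__":
    found = find_affected(SAMPLE_INVENTORY, "2019-10-17")
    for f in found:
        if f.days_past_eol >= 0:
            state = f"{f.days_past_eol} days past end of support"
        else:
            state = f"{-f.days_past_eol} days of extended support remaining"
        print(f"{f.hostname:15} {f.role:12} {state}")
    print(summarize(found))
```

Run against a real export, the same classification drives the risk assessment in the alert's second step and the migration plan in its third.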

 

ISC Releases Security Advisories for BIND

October 17, 2019

The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ISC advisories for CVE-2019-6475 and CVE-2019-6476 for more information and to apply the necessary updates and workarounds.

 

Cisco Releases Security Updates

October 17, 2019

Cisco has released security updates to address vulnerabilities in Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower-severity vulnerabilities, see the Cisco Security Advisories page.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:

 

Multiple Vulnerabilities in Pulse Secure VPN

October 16, 2019

The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities affecting Pulse Secure Virtual Private Network (VPN). An attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities have been targeted by advanced persistent threat (APT) actors.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information and to apply the necessary updates:

 

VMware Releases Security Update for Harbor Container Registry for PCF

October 16, 2019

VMware has released a security update to address a vulnerability affecting Harbor Container Registry for Pivotal Cloud Foundry (PCF). An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2019-0016 and apply the necessary update.

 

Oracle Releases October 2019 Security Bulletin

October 15, 2019

Oracle has released its Critical Patch Update for October 2019 to address 219 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Oracle October 2019 Critical Patch Update and apply the necessary updates.

 

Adobe Releases Security Updates for Multiple Products

October 15, 2019

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates:

 

Google Releases Security Updates for Chrome

October 11, 2019

Google has released Chrome version 77.0.3865.120 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

 

FBI Releases Article on Defending Against Phishing and Spearphishing Attacks

October 10, 2019

In recognition of National Cybersecurity Awareness Month (NCSAM), the Federal Bureau of Investigation (FBI) has released an article to raise awareness of phishing and spearphishing. The article provides guidance on recognizing and avoiding these types of attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the FBI article and CISA's Tip on Avoiding Social Engineering and Phishing Attacks. For more information on NCSAM, see the NCSAM 2019 webpage and the NCSAM 2019 Toolkit. Users can report suspected attacks to their local FBI office or to the FBI's Internet Crime Complaint Center at https://www.ic3.gov/.

 

ACSC Releases Small Business Cybersecurity Guide

October 10, 2019

The Australian Cyber Security Centre (ACSC) has released a cybersecurity guide for small businesses. The guide provides checklists to help small businesses protect themselves against common cybersecurity incidents.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages small business owners and administrators to review ACSC’s Small Business Cyber Security Guide and CISA’s Resources for Business page to learn how to defend against cyberattacks.

 
Juniper Networks Releases Security Updates

October 10, 2019

Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates.

 

Intel Releases Security Updates

October 9, 2019

Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to escalate privileges on a machine they have already compromised.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates:

 

iTerm2 Vulnerability

October 9, 2019

The CERT Coordination Center (CERT/CC) has released information on a vulnerability (CVE-2019-9535) affecting iTerm2, a macOS terminal emulator. An attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review CERT/CC’s Vulnerability Note VU#763073, Mozilla’s blog post, and iTerm2’s downloads page for patch information and additional details.

 

Microsoft Releases October 2019 Security Updates

October 8, 2019

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s October 2019 Security Update Summary and Deployment Information and apply the necessary updates.

 

Apple Releases Security Updates

October 8, 2019

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:

 

NSA Releases Advisory on Mitigating Recent VPN Vulnerabilities

October 7, 2019

The National Security Agency (NSA) has released an advisory on advanced persistent threat (APT) actors exploiting multiple vulnerabilities in Virtual Private Network (VPN) applications. A remote attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review NSA's Cybersecurity Advisory and CISA's Current Activity on Vulnerabilities in Multiple VPN Applications for more information and apply the necessary updates or mitigations.

 

Microsoft Reports Cyberattacks on Targeted Email Accounts

October 4, 2019

The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information and recommendations and CISA’s Tip on Supplementing Passwords.

 

Vulnerabilities Exploited in Multiple VPN Applications

October 4, 2019

The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an alert on advanced persistent threat (APT) actors exploiting vulnerabilities in Virtual Private Network (VPN) applications. A remote attacker could exploit these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Alert for more information and to review the following security advisories and apply the necessary updates:

 

IC3 Issues Alert on Ransomware

October 4, 2019

The Internet Crime Complaint Center (IC3) has released an alert on ransomware threats to U.S. businesses and organizations. Ransomware is a type of malware designed to deny access to a computer system or data until a ransom is paid. Cyber criminals often infect organizations with ransomware through email phishing campaigns or exploiting vulnerabilities in software or Remote Desktop Protocol (RDP).

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the IC3 Alert and CISA’s resource page on ransomware for more information on protecting against and responding to ransomware.

 

NCSC Releases Fact Sheet on DNS Monitoring

October 4, 2019

The Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. NCSC warns that although modernization of transport protocols is helpful, it also makes it more difficult to monitor or modify DNS requests. These changes could render an organization’s security controls ineffective.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators review the Dutch NCSC fact sheet on DNS monitoring for additional information and recommendations.

 

Microsoft Re-Releases Security Updates

October 3, 2019

Microsoft has re-released security updates to address a vulnerability in Microsoft software. A remote attacker could exploit this vulnerability to take control of an affected system. Updates are now available automatically via Windows Update or Windows Server Update Services.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft Security Advisory for CVE-2019-1367 and apply the necessary updates.

 

Cisco Releases Security Updates

October 3, 2019

Cisco has released security updates to address vulnerabilities affecting multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Event Response page and apply the necessary updates.

 

Exim Releases Security Update

October 1, 2019

Exim has released a security update to address a vulnerability affecting Exim versions 4.92 to 4.92.2. A remote attacker could exploit this vulnerability to take control of an affected email server.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Exim CVE-2019-16928 page and upgrade to Exim 4.92.3.