Forescout Cyber Weekly Roundup
October 7, 2019

David Wolf | October 7, 2019

Public Sector

Attacks on enterprise VPN clients receive international alert: NCSC, the UK cyber-intelligence division of GCHQ, sounded the alert on attacks targeting enterprise Virtual Private Network (VPN) clients. The alert highlighted known vulnerabilities in products from vendors Pulse Secure, Palo Alto and Fortinet. VPNs are commonly used across the public sector for remote access and vendor support – will today’s weak VPN clients lead to tomorrow’s supply chain victims?

https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities

A bad time for Real-Time Operating Systems: The United States Computer Emergency Readiness Team (US CERT) issued an advisory that expanded the industrial impact of the Urgent/11 flaws identified in the Interpeak IPnet TCP/IP Stack. Additional real-time operating systems (RTOS) are impacted by this component’s vulnerabilities, including RTOS products by ENEA, Green Hills Software, ITRON and IP Infusion. The issue shows how the fragmented long tail of operating systems is beginning to fray under increased researcher attention, and with affected products stretching all the way back to 2003-era devices, we’ve only just begun to see how far back such component risk will take us in time.

https://www.us-cert.gov/ics/advisories/icsa-19-274-01

Healthcare

Alabama Hospitals Cough Up Crypto in Ransomware Attack: Three hospitals in the DCH Health System have agreed to pay up for decryption keys. The decision, by no accounts taken lightly, illustrates an uncomfortable playbook in an ethics-bound world: How should we, as healthcare privacy and security practitioners, restore system functionality and core business services even while new patients are being turned away due to system downtime?

https://threatpost.com/alabama-hospitals-pay-up-ransomware-attack/148937/

Ransomware attack shutters California healthcare provider: “Another healthcare provider has announced it will be permanently closing its doors as a direct result of a ransomware attack. The devastating attack occurred at Wood Ranch Medical in Simi Valley, CA, which recently announced that the practice will permanently close on December 17, 2019… Earlier this year, Brookside ENT and Hearing Center in Battle Creek, MI similarly experienced a ransomware attack that permanently encrypted patient records.”

https://www.hipaajournal.com/wood-ranch-medical-announces-permanent-closure-due-to-ransomware-attack/

Financial Services

We forgot to protect you: In the age of IoT, many institutions are not properly protected against new threats simply because they either don’t understand them or aren’t yet aware of them. This can, as you might guess, expose users and their data to substantial risk.

https://thefintechtimes.com/iot-devices-cybersecurity/

For Financial Services, Cisco Firepower takes a hit: Cisco issued a series of high-severity patches for its Firepower and ASA products, both of which are popular in financial services settings. The releases, which came just one week after Cisco’s official semiannual patch day, demonstrate that even the fortified perimeter and network management systems will be periodically vulnerable to major issues like RCE (remote code execution) and SQLi (SQL injection)—and on the critical FinServ devices used to defend from external forces and govern internal networks.

https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72541

Operational Technology / Industrial Control Systems

MITRE Corporation and the FDA team up on medical device security: Thanks to FDA sponsorship, MITRE Corp. has delivered an entirely fresh take on Medical Device Cybersecurity Incident Preparedness and Response. Healthcare Delivery Organizations (HDOs) are the primary intended audience for the playbook, which does not re-invent the wheel. At one point, the playbook references device controls via the NIST Cybersecurity Framework (CSF), which “provides additional detail regarding asset inventory (e.g., hardware, software) within the CSF ‘Identify’ function’s asset management category. Each subcategory within asset management maps to an appropriate security control(s) to provide additional implementation best practices.”

https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

Danish manufacturer Demant expects to lose $95M from September ransomware attack: As Catalin Cimpanu neatly summarized: “Demant is not the only major company to suffer a major cyber-security infection in the past year. Past incidents mostly include ransomware incidents, such as those at defence contractor Rheinmetall, airplane parts manufacturer Asco, aluminum provider Norsk Hydro, cyber-security firm Verint, the UK Police Federation, utility vehicles manufacturer Aebi Schmidt, Arizona Beverages, engineering firm Altran, the Cleveland international airport, and chemicals producers Hexion and Momentive.”

https://www.zdnet.com/article/ransomware-incident-to-cost-danish-company-a-whopping-95-million/

Retail

Tyler Durden’s Film Masterclass: An Asics store on a busy shopping street in Auckland displayed hardcore pornography on its storefront screen after being hacked. The attack was discovered after 9 hours when the employees came in the morning to open the store. Asics did not mention any other effects of the attack in their comment, and described the hacker’s motivation as: “Some men just want to watch the world burn.”

https://www.theguardian.com/world/2019/sep/30/asics-shop-broadcasts-porn-to-passersby-for-nine-hours-after-hack

How dark can Black Friday get: After last year’s outages and attacks on online stores during their golden peak season, Black Friday, e-retailers are looking for cybersecurity and network backup solutions to stay afloat on their busiest day of the year. In this article, retail experts are tackling hard questions and offering some of their own solutions.

https://www.retaildive.com/news/are-retailers-doomed-for-more-outages-this-holiday-season/564239/

State, Local & Education

Ryuk ransomware ringing the bell for school districts: In the first three quarters of 2019, ransomware infections have hit over 500 US schools. With attacks ramping up at the start of the new school year, Ryuk has left traces in a third of the attacks seen in the last two weeks. To get the full picture of how state and local institutions are impacted, explore the interactive Google Map entitled The Ransomware War by PC Matic.

https://www.zdnet.com/article/over-500-us-schools-were-hit-by-ransomware-in-2019/

Revolution will not be livestreamed (we promise): After recorded audio of Mark Zuckerberg’s Q&A with Facebook employees leaked to journalists, questions arose whether the social giant holds any animosity towards presidential hopeful Elizabeth Warren, and whether that animosity could translate into swaying the election one way or the other, given the massive control Facebook has over what information its user base receives on a daily basis. While Zuckerberg says this is not the case, the question remains as Facebook’s political influence grows and the 2020 election draws near.

https://www.theverge.com/interface/2019/10/4/20897180/mark-zuckerberg-employee-q-a-public-elizabeth-warren

Editor’s Choice

Another day, another zero-day: Google’s Project Zero team has discovered a fresh batch of unpatched vulnerabilities that could help attackers gain deep, root-level access to the OS on many Android phones. Is your device on the list? Read more, and in the meantime, check your phone for updates.

https://www.zdnet.com/article/google-finds-android-zero-day-impacting-pixel-samsung-huawei-xiaomi-devices/

Why AI could help in the industrial security space: “AI could have the most impact in critical infrastructure environments”, said Forescout CTO Rob McNutt. “But it’s not a technology that will get adopted overnight. Critical infrastructure environments bring unique hesitations with AI that other lines of business don’t necessarily have… The adoption of AI also demands a cultural shift inside of the critical infrastructure teams, where people will need to shift from operating equipment to operating software.”

https://www.cyberscoop.com/industrial-ai-rob-mcnutt-forescout-technologies/