Forescout Cyber Weekly Roundup
September 13, 2019

David Wolf | September 13, 2019

Public Sector

A brave new, 5G world for Chinese cybersecurity: The roll-out of 5G—the “connective tissue” for the IoT, smart cities, revolutionary healthcare and driverless cars—will open up more opportunities for cybersecurity companies, the chairman and CEO of Chinese internet security provider Qihoo 360, Zhou Hongyi, said in a recent interview. As advanced technology gets more complex, its adoption will inevitably result in security flaws, Zhou stated. China has the world’s biggest internet user population at 854 million, and its cybersecurity market is forecast to pass $17B by 2023.

https://www.scmp.com/tech/tech-leaders-and-founders/article/3026108/chinas-5g-industrial-internet-roll-outs-fuel-more

A new spark from an old flame: Last June, Symantec exposed a new cyberespionage group from China, dubbing it “Thrip”. The group is believed to be responsible for attacks on at least 12 organizations across Southeast Asia – but now Symantec reports that it may actually be part of a bigger operation that has been around for a decade, and that with newer methods the group may become more capable.

https://www.cyberscoop.com/thrip-lotus-blossom-symantec-china/

Retail

You shop, we look: A Dutch supermarket chain, Albert Heijn, is testing a fully cashier-less store at its Zaandam headquarters. To enter the store, you must use your contactless debit card, and a complex system of cameras and sensors will automatically bill you. While this sounds revolutionary, the story still raises concerns over how much data the store can actually gather from a short grocery stop, and how vulnerable all those cameras and sensors might be to a potential security breach.

https://nltimes.nl/2019/09/05/albert-heijn-experiments-cash-register-less-store

Not as sweet as you thought it would be: After an earlier malware attack on point-of-sale terminals at Russell Stover stores and a subsequent data breach, the leaked information was posted for sale on the dark web. This data includes 74,000 records of full customer payment information, which in turn could lead to mass-scale unauthorized purchases and identity theft cases.

https://www.databreaches.net/credit-card-data-from-russell-stover-breach-shows-up-for-sale-on-the-dark-web/

Healthcare

An Apple a day: “Three unprecedented medical studies” sponsored by Apple Inc. will address issues of hearing, heart and movement, and women’s health, the company announced this week. The studies will harvest user data from the iPhone and Apple Watch and will be available through Apple’s new voluntary Research app. The sought-after technical outcomes will “democratize how medical research is conducted”. Public health data harvesting may never be the same.

https://arstechnica.com/gadgets/2019/09/apple-continues-health-push-with-three-new-medical-studies/

Careless shopper exposes patient data: A hospital in the Hague is under investigation after a comprehensive list of patients, including their personal data, medication doses, and complaints filed against the hospital staff, was found in a shopping cart at a local supermarket, with a shopping list scribbled on its back. This is not even the first time this hospital has been under pressure for its security breaches, as last year many employees gained unauthorized access to the medical records of a TV personality.

(NL) https://nos.nl/artikel/2300707-patientgegevens-haga-ziekenhuis-gevonden-in-winkelkarretje-supermarkt.html

Financial Services

Bot-smiths rejoice: “Web scraping doesn’t violate anti-hacking law, appeals court rules”: LinkedIn profile scraping continues to be fair game, despite the many forms of discrimination and spearphishing opportunities such activity may enable. The outcome ultimately impacts financial institutions, whose employees are still too often assigned guessable corporate email addresses that remain the everyday target of sophisticated social engineering attacks.

https://arstechnica.com/?p=1564309

Not your pal anymore: A scam pretending to be an official PayPal application is luring its victims with promises of high cash-back bonuses for transactions made over its system. Once downloaded, the app drops Nemty ransomware on unsuspecting victims; the ransomware can encrypt user files and demand a ransom for them in a matter of minutes.

https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/

Operational Technology / Industrial Control Systems

Over a million European IoT radio devices ready and waiting for remote hijack: Critical vulnerabilities were discovered in IoT radio devices manufactured by Telestar Digital GmbH, which shipped with an undocumented Telnet service and default credentials (and a clear lack of ProdSec review). Interesting attack scenarios include transmitting audio as commands both locally and remotely. The article notes that a compromised IoT radio “highlights a problem that impacts all of us – the enslavement of IoT devices to create greater threats”. Like all radio devices in Europe playing German ATC’s 2001 hit single Around the World simultaneously.

https://www.zdnet.com/article/critical-vulnerabilities-impact-over-a-million-iot-radio-devices/

Low energy – US power grid cyberattack linked to unpatched firewalls: Earlier this year, hackers hit US power utilities with a cyberattack that exploited known firewall vulnerabilities, the North American Electric Reliability Corporation (NERC) said in a “Lesson Learned” report last week. While the site was “low-impact” and there was no blackout, attackers were able to repeatedly reboot the devices and cause a denial-of-service condition for about 10 hours. In historical contrast, the New York City blackout of 1977 lasted 25 hours, resulting in citywide looting and arson.

https://www.eenews.net/stories/1061111289

State, Local & Education

Hackers nab $4.2M from Oklahoma state pension fund: The Oklahoma Law Enforcement Retirement System (OLERS) reported a $4.2 million cyber heist this week, and emphasized that “no pension benefits have been impacted or put at risk”. This is not the first time state pension and payroll systems have proven tempting targets for hackers, since “they contain large sums of money and sometimes use outdated technology”. When it comes to cyber, ageism pays off for the discriminating hacker.

https://www.publicradiotulsa.org/post/millions-missing-law-enforcement-pension-fund

School’s out – Ransomware disables Illinois school district internet and phones: Rockford Public Schools’ IT systems fell to a ransomware attack which could last “several days”, district officials forecast on Monday. Experts have yet to get a complete picture of the incident and are still trying to evaluate impact. In good news, all 28,000 students were still required to attend school – and some of them may have been more attentive than usual thanks to a lack of WiFi.

https://www.washingtontimes.com/news/2019/sep/9/ransomware-locks-rockford-public-schools-phones-in/

Editor’s Choice

Two zero-day attack paths closed during Microsoft Patch Tuesday: September’s Patch Tuesday update addressed 17 critical vulnerabilities and two elevation-of-privilege (EoP) vulnerabilities under active attack (zero days), namely CVE-2019-1214 and CVE-2019-1215. The underlying service targeted by the latter is not only actively being used against new operating systems, but has also “been targeted by malware in the past, with some references going back as far as 2007”.

https://threatpost.com/microsoft-addresses-two-zero-days-under-active-attack/148185/

Every Exim is an entry to somewhere else: All versions of Exim, the world’s most widely deployed mail transfer agent (MTA), have a critical bug that could allow a remote attacker to run malicious code with root privileges, i.e. access all of the mail processed by the server. Although no public exploit of the bug has been reported so far, the Exim team has released version 4.92.2 to fix the vulnerability, and strongly encourages users to upgrade ASAP. Forescout also offers a Security Policy Template to demonstrate detecting and controlling for Exim-related issues.

https://nakedsecurity.sophos.com/2019/09/10/critical-tls-flaw-opens-exim-servers-to-remote-compromise/
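As an added illustration for defenders (not Forescout’s policy template and not Exim project code), the check below parses SMTP greeting banners and flags any advertised Exim version older than the 4.92.2 fix named above. The hostnames and banners are constructed for the example; a banner that hides its version is reported as unknown rather than safe.

```python
import re
from typing import Dict, Optional, Tuple

# The fix release named in the article; any older advertised version is treated as affected.
FIXED_VERSION = (4, 92, 2)

# Constructed sample SMTP greeting banners keyed by hostname (not real hosts).
SAMPLE_BANNERS: Dict[str, str] = {
    "mx1.example.test": "220 mx1.example.test ESMTP Exim 4.92.1 Tue, 10 Sep 2019 09:00:00 +0000",
    "mx2.example.test": "220 mx2.example.test ESMTP Exim 4.92.2 Tue, 10 Sep 2019 09:00:00 +0000",
    "mx3.example.test": "220 mx3.example.test ESMTP Exim 4.91 Tue, 10 Sep 2019 09:00:00 +0000",
    "mx4.example.test": "220 mx4.example.test ESMTP Postfix",
    "mx5.example.test": "220 mx5.example.test ESMTP",  # operator suppressed the MTA version
}

_EXIM_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+)*)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the Exim version tuple advertised in an SMTP greeting, or None if absent."""
    m = _EXIM_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # "4.91" compares as (4, 91, 0) so two-part and three-part versions line up.
    return version + (0,) * (width - len(version))


def classify(banner: str) -> str:
    """Classify one banner as 'affected', 'patched' or 'unknown'."""
    version = parse_exim_version(banner)
    if version is None:
        # No advertised Exim version: could be another MTA or Exim with a custom banner.
        # Absence of a version string is not evidence that the host is safe.
        return "unknown"
    width = max(len(version), len(FIXED_VERSION))
    if _pad(version, width) < _pad(FIXED_VERSION, width):
        return "affected"
    return "patched"


def scan(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in an inventory of captured greeting banners."""
    return {host: classify(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in scan(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```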