
Forescout Cyber Weekly Roundup
September 30, 2019

David Wolf | September 30, 2019

Public Sector

Club 27: A statement called Advancing Responsible State Behavior in Cyberspace was signed by 27 nations dedicated to improving cybersecurity and responsibility in their actions online. In times of ongoing cyber-attacks between governments, this move could potentially change the game – teaming up may give the participants an upper hand.

https://www.scmagazineuk.com/27-nations-ink-cyber-security-pledge/article/1660686

The player makes the rules for the gamemaster: Amazon is writing its own draft legislation on facial recognition, hoping to present it to lawmakers so that they can fold its ideas into an actual bill. As Amazon has a lot to gain here, the future of facial recognition and the privacy issues surrounding it remain a huge question mark on the horizon.

https://www.vox.com/recode/2019/9/25/20884427/jeff-bezos-amazon-facial-recognition-draft-legislation-regulation-rekognition

Retail

Maybe it’s best to shop from home: Free WiFi is never fully safe, and some might have to learn it the hard way. Magecart hackers have injected large commercial-grade routers, of the kind used in airports and hotels, with software designed to steal credit card data from users performing online transactions with US and Chinese stores. The router attacks are a step up in target selection for the clever retail hacking group.

https://www.techrepublic.com/article/hackers-targeting-commercial-routers-to-inject-credit-card-stealing-code-in-shopping-sites/#ftag=RSS56d97e7

Nothing to see here… allegedly: FedEx shareholders are accusing the company of sweeping the extent of the NotPetya ransomware attack under the rug while insiders liquidated their shares before the price could fall. FedEx claims no wrongdoing, but it goes to show how complicated matters can get following a large-scale cyberattack.

https://www.cyberscoop.com/fedex-shareholder-suit-notpetya/

Healthcare

Infamous ransomware gang returns after ‘retirement’, drills into dental practices: Back in May, the presumably Russian hacker group GandCrab surprised many when it announced they were “retiring” after they “cashed out” their ransomware earnings of more than $2bn. Apparently, they’re back. Researchers at Secureworks have linked the group to a new malware called REvil or Sodinokibi, which has caused “major disruption” to hundreds of dental practices in the US. According to the director of the company’s Counter Threat Unit, the notorious hacker group might want to “reduce the overall attention that was focused on the GandCrab ‘brand’ and have relaunched with a new product”.

https://www.bbc.co.uk/news/technology-49817764

Make money from home / Should private medical data be for sale? This article investigates the rise of the healthcare data market and economy, the companies that are keen to monetize medical information, and the ethical concerns raised by civil liberties advocates. The issues go beyond public health at the macro level and hit closer to home.

https://www.fastcompany.com/90409942/would-you-sell-your-own-health-data-theres-a-market-for-it-but-ethical-concerns-remain

Financial Services

Russian JPMorgan Chase hacker pleads guilty: As we shared in last week’s roundup, 36-year-old Andrei Tyurin, the Russian hacker accused of stealing the financial data of over 80 million JPMorgan Chase & Co. clients in 2014, was expected to plead guilty to “computer intrusion, bank and wire fraud, and online gambling in connection with a sustained hacking campaign targeting US financial institutions”. He has now done so, and he is scheduled to receive his sentences (ranging from 5 to 30 years each) on February 13, 2020. The outcome may help set a precedent for future APT hacker cooperation.

http://go.theregister.com/feed/www.theregister.co.uk/2019/09/25/russian_finance_hacker/

Municipal ransomware attacks are in decline, but cybercriminal earnings increase: The amount that cybercriminals were able to extract from local municipalities increased from $5 billion in 2017 to $11.5 billion in 2019, despite the raw number of attacks declining, according to a RiskSense ransomware report published last week. Experts insist that small counties can and should fight back simply by removing legacy software, backing up data, and updating security products to harden their networks. If the numbers are accurate, they show that attackers are getting better at targeting legacy systems for financial gain.

https://www.techrepublic.com/article/financial-impact-of-ransomware-attacks-increasing-despite-overall-decrease-in-attacks/#ftag=RSS56d97e7

Operational Technology / Industrial Control Systems

Smart Factories—German manufacturer says malware has caused ‘significant disruption’ to plants in three countries: The sector is also saddled with legacy devices that aren’t properly secured, according to David Wolf, principal security researcher at cybersecurity company Forescout. Among the sectors Forescout tracks, Wolf said, “manufacturing has a significant ratio of unmanaged Windows devices, and the highest ratio of unknown, unclassified devices, partly because manufacturing firms use a lot of legacy, embedded technology that’s sensitive to active inspection.” Rheinmetall Group said it expects to lose 3-4 million euros per week.

https://www.cyberscoop.com/rheinmetall-malware-disruption-manufacturing/

Do we know what we’re gonna do?: One of the most popular talking points in politics concerning cybersecurity is the possibility of attacks on electric grids, but what is actually being done to prepare for the unknown? The Government Accountability Office, an agency providing auditing and evaluation services to the US Congress, reports that the Department of Energy has no plan for that, and the time to come up with a solution is now.

https://www.fifthdomain.com/critical-infrastructure/2019/09/25/is-there-a-plan-to-protect-the-electric-grid-from-cyberattacks/

State, Local & Education

Cyberattacks continue to cripple US schools: Wolcott, Connecticut. Mobile County, Alabama. And now Northshore, Washington: it’s the SeaTac area’s turn to respond to a ‘significant’ cyberattack. The attack took down the district’s phone and voice mail servers and its food service payment system. According to the K-12 Cybersecurity Resource Center, nearly 700 school districts have been the targets of cyberattacks since 2016, the majority of them financially motivated.

https://www.databreaches.net/northshore-school-district-hit-by-significant-cyber-attack/

Remaining OT and Public Sector ColdFusion users – update ASAP: Adobe released an emergency patch for three critical security flaws in ColdFusion; the vulnerabilities are rated as critical because they allow code execution and access control bypass. Adobe suggests that users update to ColdFusion 2018 Update 5 and ColdFusion 2016 Update 12.

https://portswigger.net/daily-swig/adobe-issues-emergency-patch-for-critical-coldfusion-vulnerabilities

Editor’s Choice

Microsoft issues emergency patch to address zero-day flaw: Both Internet Explorer and Windows Defender have recently been hit by critical vulnerabilities. The first one is a zero-day flaw that “could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user”, Microsoft stated. Microsoft has issued an urgent fix for both vulnerabilities and strongly recommends that users update their systems to the latest patched versions of the programs. The emergency, out-of-band update comes at a time of “Windows update fatigue”, but the zero-day is under active exploitation in the wild.

https://latesthackingnews.com/2019/09/25/microsoft-urgently-patched-two-vulnerabilities-including-a-zero-day/

New Cisco 9.9/10 ‘high-severity’ router flaws and L2 traceroute public exploit: Cisco Systems has disclosed 13 high-severity vulnerabilities affecting its 800 Series Industrial Integrated Services Routers and its 1000 Series Connected Grid Routers. The company’s security alert also warned users to disable an L2 traceroute feature in IOS for which public exploit code exists; this feature is enabled by default on Cisco Catalyst switches. Although none of the flaws has been rated as ‘critical’, the bug CVE-2019-12648 has a CVSS (Common Vulnerability Scoring System) score of 9.9/10, falling just short of the maximum only because of the impact-limiting effect of design concepts like virtualization, containers and sandboxes. Perhaps Cisco is right and CVSS needs another update.

https://www.zdnet.com/article/cisco-warning-these-routers-running-ios-have-9-910-severity-security-flaw/

Forescout’s Dr. Elisa Costante and VP Ellen Sundra nominated for SC Media’s 2019 Reboot Leadership Awards and FedScoop’s 50 Awards: We’re proud of you, Elisa and Ellen! And we’re proud to work with you. Keep up the noble effort, innovative threat-seeking, and world-class systems engineering.