Watchtower Weekly InfoSec Roundup: July 9 to July 15
Cyber Attacks & Breaches
(ArlNow) July 10th
Arlington County has revealed a cyberattack that penetrated the county’s payroll system. In a statement, the county says a number of employees were impacted by the intrusion, but did not specify the exact number of impacts. The intrusion appears to be the result of a “phishing” email targeting county employees and not a hack, the press release suggests.
(KCAL 9) July 10th
A phishing attack on a contractor to the Los Angeles County Department of Health Services exposed the personal information of nearly 14,600 patients. The phishing attack happened at the end of March, giving a hacker access to the Nemadji employee’s account for several hours. Officials say there’s no indication that any patient data has been misused, but records from several Nemadji clients – including names, addresses, phone numbers, and patient information – were exposed. The Social Security numbers of two patients were also identified.
(HIPAA Journal) July 10
Essentia Health, in addition to the LA County Department of Health Services, is sending notifications to more than 1,000 patients alerting them to the exposure of some of their protected health information (PHI). Like many healthcare providers, Essentia Health works with a third-party vendor that provides billing services to help recover lost revenue. Those services were provided by a Bruno, MN-based billing services firm called Nemadji Research Corporation.
(News from Finland Helsinki Times) July 10th
The National Bureau of Investigation (KRP) has made progress investigating a suspected data breach at the City of Lahti. KRP revealed that its pre-trial investigation shows that the unauthorized access detected in the city’s data systems earlier this summer was an organized attack rather than an error by an individual user.
(ZDNet) July 11th
(Dark Reading) July 11th
Monroe College, based in the Bronx, New York, has been hit by a ransomware attack demanding $2 million in Bitcoin to release its encrypted data. According to police sources, the attack has had an impact on Monroes College campuses and facilities in Manhattan, New Rochelle, NY, and Florida. The attack was reported to the police on June 10.
(New Hampshire Union Leader) July 13th
A virus that infected Strafford County computers last month has turned into a criminal investigation and moved a U.S. senator to demand more answers. Officials with the county sheriff’s office confirmed the U.S. Secret Service is assisting in a criminal probe into the June 28 virus that forced the county’s information technology team to shut down its network. County Administrator Ray Bower has said the county is about 95% recovered from this virus. Unlike ransomware, there were no demands for cash.
(infosecurity Group) July 15th
Japan-based cryptocurrency exchange Bitpoint has become the latest to lose tens of millions of dollars in a cyber-attack. The firm said it was forced on Friday to stop all services — including withdrawals, deposits, payments, and new account openings — while it investigated the incident. It has also notified the relevant authorities in Japan. Hackers managed to steal funds not only from the firm’s hot wallets, but also its offline cold wallets. After first detecting an error in Ripple remittances, Bitpoint said it realized it had been the victim of a cyber-attack.
(Health IT Security) July 15th
Penobscot Community Health Center in Maine recently began notifying about 13,000 patients that their data was potentially compromised in an eight-month long hack on its billing services vendor, American Medical Collection Agency. So far, up to 12 million Quest Diagnostics patients, 7.7 million LabCorp patients, and 422,000 BioReference patients were all included in the breach victim tally.
Vulnerabilities & Exploits
(TechCrunch) July 9th
Security researchers have found a vulnerability in a networking protocol used in popular hospital anesthesia and respiratory machines, which they say if exploited could be used to maliciously tamper with the devices. Researchers at healthcare security firm Cyber MDX said that the protocol used in the GE Aestiva and GE Aespire devices can be used to send commands if they are connected to a terminal server on the hospital network. Homeland Security released an advisory on Tuesday, saying the flaws required “low skill level” to exploit.
(ZDNet) July 9th
A security researcher has publicly disclosed new vulnerabilities in the USB dongles (receivers) used by Logitech wireless keyboards, mice, and presentation clickers. The vulnerabilities allow attackers to sniff on keyboard traffic, but also inject keystrokes (even into dongles not connected to a wireless keyboard) and take over the computer to which a dongle has been connected.
(Krebs on Security) July 9th
Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes.
(Security Boulevard) July 10th
Security researcher nao_sec discovered a malvertising campaign that was abusing the popcash ad network to redirect users to a landing page for the RIG exploit kit. The researcher told Bleeping Computer that this threat scanned the user’s computer for signs of a specific Shockwave (SWF) vulnerability. If that weakness was unpatched on the user’s computer, the RIG exploit kit ran its exploit code in order to download ERIS.
(Bank InfoSecurity) July 10th
Security researchers have uncovered a new vulnerability in a Siemens software platform that helps maintain industrial control systems for large critical infrastructure facilities, such as nuclear power plants. If exploited, an attacker could gain access to these systems for espionage or cause widespread physical damage.
(iMore) July 11th
Apple has turned off Walkie Talkie, a watchOS 5 feature that allowed two users to push-to-talk to each other using the FaceTime Audio protocol in a walkie-talkie-style fashion. The action is temporary and was taken to allow Apple time to fix a security vulnerability that could have let an attacker eavesdrop on the iPhone paired to the Apple Watch, though there's been no evidence to suggest the exploit had yet been used in the wild.
(SC Magazine) July 12th
The vulnerability, CVE-2019-11581, affects Jira Software, Jira Core, and Jira Service Desk, however, Jira Cloud customers are not affected. The server-side template injection vulnerability was introduced in version 4.4.0 of Jira Server and Data Center. The company said for the issue to be exploited either an SMTP server has been configured in Jira and the Contact Administrators Form be enabled, or an SMTP server has been configured in Jira and an attacker has “JIRA Administrators” access.
(The Hacker News) July 15th
Some vulnerabilities have recently been patched, some are still under the process of being fixed, and many others most likely do exist, but haven't been found just yet. Details of one such critical vulnerability in Instagram surfaced on the Internet that could have allowed a remote attacker to reset the password for any Instagram account and take complete control over it. Discovered and responsibly reported by Indian bug bounty hunter Laxman Muthiyah, the vulnerability resided in the password recovery mechanism implemented by the mobile version of Instagram.
Risks & Warnings
(The Hacker News) July 10th
A new ransomware family has been found targeting Linux-based Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' important data hostage until a ransom is paid, researchers told The Hacker News.
(The Hacker News) July 10th
One of the most powerful, infamous, and advanced piece of government-grade commercial surveillance spyware dubbed FinSpy—also known as FinFisher—has been discovered in the wild targeting users in Myanmar. The FinSpy implant is capable of stealing an extensive amount of personal information from targeted mobile devices, such as SMS/MMS messages, phone call recordings, emails, contacts, pictures, files, and GPS location data.
(The Hacker News) July 11th
Cybersecurity researchers revealed eye-opening details about a widespread Android malware campaign wherein attackers silently replaced installed legitimate apps with their malicious versions on nearly 25 million mobile phones. Dubbed Agent Smith, the malware takes advantage of multiple Android vulnerabilities, such as the Janus flaw and the Man-in-the-Disk flaw, and injects malicious code into the APK files of targeted apps installed on a compromised device and then automatically re-install/updates them without the victims' knowledge or interaction.