IE under fire, Triton goes under the microscope, and Norsk Hydro reeling from ransomware attack
Plus, Minnesota and North Carolina cities hit by hackers
These things also happened.
Need another reason to quit using Internet Explorer? How about this XXE zero-day?
Microsoft has all but killed off Internet Explorer, but more than a few PC owners continue to hold out. Hopefully a bug unveiled this week will help to change a few minds.
A vulnerability discovered by researcher John "hyp3rlinx" Page would allow an attacker to potentially spy on a victim's machine by exploiting an XML External Entity (XXE) flaw. To do this, the victim would have to open a specially crafted MHT file.
While information disclosure flaws that require user interaction are hardly critical vulnerabilities, the report should serve as motivation for anyone still using IE to make the switch to Edge (or consider a non-Microsoft browser). Only one version of Internet Explorer, IE11, is still even supported, and Microsoft has already moved Edge to a new engine. Now is the time to finally migrate.
Tenable blows hole in Verizon routers
If you were wondering why your Verizon FiOS router was updating this week, it turns out there was a serious security vulnerability in the nearly ubiquitous home gateway.
Tenable took credit for sussing out a handful of vulnerabilities in the Quantum Gateway routers Verizon supplies customers (unless you opt to buy and use your own unit).
The bugs include login replay, command injection and the disclosure of salted passwords. There is some mitigation, as the bugs would all require the attacker to already be on the network to exploit, but if targeted, they could allow a bad guy to get admin access.
Tenable is recommending all Verizon FiOS customers check their firmware and make sure they have the latest version, 02.02.00.13. Verizon should have already pushed the fix out.
Triton malware rides again with another industrial system hack
Back in 2017, an attack on an oil and gas plant in the Middle East was attributed to a piece of industrial control system malware known as Triton. Since then, the targeted attack crew had been pretty silent. Until this week.
APT specialists FireEye say they are responding to another attack from Triton at a "critical infrastructure facility." This latest attack has let the security house get a closer look at the malware and the methods its controllers use to get into their targeted facilities.
Now, FireEye is issuing its first set of guidelines on how to spot the attack and the ways admins and managers can protect vital industrial sites.
"Using the methodologies described in this post, FireEye Mandiant incident responders have uncovered additional intrusion activity from this threat actor – including new custom tool sets – at a second critical infrastructure facility," FireEye says.
"As such, we strongly encourage industrial control system asset owners to leverage the indicators, TTPs, and detections included in this post to improve their defenses and hunt for related activity in their networks."
Oh geez! Hacker hits Minnesota DHS, don't you know
An attack on a single employee of the Minnesota state government may have led to thousands of people's data being exposed.
A targeted attack from spring of last year is said to have led to an employee at the state's Department of Human Services having their email account breached. At some point in the last year, the attacker then took over that account, which had access to the personal details of 11,000 citizens.
Fortunately, it does not look like identity theft was the primary aim of the attacker. The compromised account sent two emails to other employees in an attempt to get a wire transfer sent out. Still, because the compromised account had access to files containing the personal details, the department has had to issue an alert to the state.
"State and local governments are highly susceptible to phishing attacks, as we see from the rolling spate of SamSam ransomware attacks," noted Colin Bastable, CEO of Lucy Security. "This looks like a business email compromise (BEC) attack, which takes more planning than a standard phishing attack but can be very profitable."
Greenville, NC locked up by ransomware
Another week, another city government crippled by a ransomware infection.
This time, it's the town of Greenville, North Carolina that is reporting much of its IT system has had to shut down after an unspecified ransomware attack locked down one or more machines.
"The city has shut down the majority of its servers for the foreseeable future," the local Daily Reflector reports. "There was no word on Thursday about when the system would be up and running again."
So now it's time for the obligatory warnings on ransomware: don't pay the demands (there's a good chance you will not be getting your data back either way) and opt instead to completely wipe and restore any infected system. To that end, you should be making regular backups of your systems so that a restore is actually possible.
Princeton pushes home IoT scanner
Eggheads at Princeton University have developed a tool they say can help even non-technical users get a grip on what devices are transmitting data in their homes.
The self-explanatory IoT Inspector is a simple app (currently only for macOS) that allows homeowners to run a full scan of their networks and get a report on what devices are using it, and where they are sending their data.
The idea is to allow people to see exactly what their IoT devices are up to, and perhaps even spot potential IoT botnet infections before they can do serious damage. More importantly, it is being aimed at other researchers and security devs who want to see how devices are behaving in the field.
"We have also built IoT Inspector to help academic researchers. In particular, it is difficult to produce generalizable results in the study of IoT security and privacy," the Ivy-leaguers said.
"Although a researcher can purchase a few devices and conduct penetration tests on them in lab settings, the conclusion may not apply to diverse devices that are actually being used in consumer homes or enterprise networks."
Norsk says malware menace is pushing back its financials
Last month, Norwegian metal and power specialist Norsk Hydro was hit by a nasty ransomware attack that caused it to shut down much of its industrial operations. While that infection has since been corralled, the fallout continues to the point where Norsk Hydro says it can't post its quarterly numbers on time.
"The delayed Q1 2019 reporting date is a result of the previously communicated cyber attack, impacting the availability of certain systems and data to produce the quarterly report," the Norwegian biz says. "The revised date is conditional upon the planned timeline for restoring operational and reporting systems." ®