Cyber Security Week in Review (March 22)

Top headlines this week

• Norwegian aluminum company Norsk Hydro was hit with a “severe” ransomware attack. The malware affected production operations in the U.S. and Europe. The company says they do not know the origin of the attack and are still working to contain the effects. 
• Cisco disclosed several vulnerabilities in some of its IP phones. The bugs could allow an attacker to carry out a cross-site request forgery attack or write arbitrary files to the filesystem. Cisco’s IP Phone 8800 series, a desk phone for businesses that includes HD video features, and the 7800 series, which are mainly used in conference rooms at businesses. Snort rules 49509 - 49511 protects users from these vulnerabilities. 
• A new variant of the Mirai botnet is in the wild targeting televisions hosting signage and presentation systems. The malware uses 27 different exploits to infect systems, 11 that are completely new to Mirai. Snort rules 49512 - 49520 protects users from this new variant. 

From Talos

• The new LockerGoga malware straddles the line between a wiper and ransomware. Earlier versions of LockerGoga leverage an encryption process to remove the victim's ability to access files and other data that may be stored on infected systems. A ransom note is then presented to the victim that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted.
• The latest episode of the Beers with Talos podcast covers point-of-sale malware. Additionally, the guys recap the RSA Conference from earlier this month and talk OpSec fails. 
• We recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account or by uploading and executing unsigned kernels on affected systems. Snort rules 47234, 47663, 47809, 47811, 47842, 48261 and 48262 provide coverage for these bugs.
• Our researchers discovered a new way to unmask IPv6 addresses using UPnP. This allows us to enumerate a particular subset of active IPv6 hosts which can then be scanned. We performed comparative scans of discovered hosts on both IPv4 and IPv6 and presented the results and analysis.

The rest of the news

• A health care vendor in Singapore mistakenly exposed the personal information of 800,000 blood donors. The vendor reportedly used an unsecured database on an internet-facing server without properly protecting it from authorized access. All affected donors have been notified by Singapore’s government. 
• Talos Take: "The data leak in Singapore is the latest in a string of these. Last summer (June/July) it was 1.5 million records, earlier this year it was 14,000 HIV patients and now this 800,000 blood donor info that you have," Nigel Houghton, director of Talos operations.
• Google patched a bug in its Photos app that could have allowed an attacker to track users. The vulnerability opened mobile devices to browser-based timing attacks that could produce information about when, where and with whom a user had taken a photo. 
• The European Union hit Google with another fine, this time worth roughly $1.7 billion. A recent report from the European Commission found that Google “shielded itself from competitive pressure” by blocking rivals from placing advertisements on third-party websites by adding certain clauses in AdSense contracts.
• Windows is ending support for Windows 7. The company says it will cease support for the operating system on Jan. 14, 2020. Users are being notified of the change via a recent update. 
• U.S. officials at the recent RSA Conference warned that China is the greatest cyber threat to America, not Russia. Rob Joyce, a cybersecurity adviser at the National Security Agency, compared Russia to a hurricane that can move quickly, while China is closer to the long-term problems that can come with climate change.