News & Events

Cybersecurity New Bytes - Early April 2018

Data Breach Hits Major Retailers

A data breach resulting from a common chatbot platform hit Sears, Kmart, Best Buy, and Delta Airlines this week. The compromise of chatbot company [24]7.ai occurred several months earlier but affected companies were not alerted until the first week of April. Retail customers of the affected organizations didn’t need to communicate with the chatbot to have their data compromised. Delta believes that any customer who entered credit card or billing information between 26 September and 12 October, 2017, may have had their information compromised. All four companies cannot verify that information was stolen, only that there is a chance that occurred. Cnet and Naked Security

Energy Grid Cyber Intrusions Probably Enabled by Outdated Cisco Protocol

DHS issued an alert in March citing concerns that Russian actors had infiltrated the U.S. electric grid and other critical infrastructures. The alert stated that, DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS). (See https://www.us-cert.gov/ncas/alerts/TA18-074A).) Information has now emerged that the attacks were directed against the Cisco “Smart Install” (SMI) client, an outdated utility that allowed remote installation of Cisco switches. SMI has been replaced by Cisco’s Network Plug and Play protocol, but many switches still retain the older protocol which remains in background waiting for commands. Attackers have used SMI to modify the TFTP server setting to exfiltrate configuration files, modify the switch general configuration file, replace the IOS operating system image, and establish local accounts used by the attackers to log in and execute IOS commands. Bleeping Computer, 5 April 2018

IoT Botnet Targets Financial Sector

Recent attacks against the global financial sector have been conducted by a botnet based on compromised Internet of Things (IoT) devices such as home routers, TVs, DVRs, and IP cameras. The botnet, possibly related to the IoTroop or Reaper botnet, was first observed in October 2017. It is a variant of the Mirai botnet that took down the Dyn domain name service provider in 2016 causing outages in dozens of U.S. companies. The new botnet may have been launched by a Dutch teenager arrested by police for conducting DDoS attacks against several Dutch organizations. The botnet appears to mostly target MicroTek routers that are widely used in Russia, Brazil, and Ukraine, although the attack affected entities in more than 130 countries. Recorded Future, 5 April 2018

U.S. Pipeline Companies Suffer Cyber Attack

At least four gas pipeline companies across the U.S. experienced outages from 29 March to 4 April due to an apparent cyber attack. While not disrupting the flow of gas through the pipeline system, the outages did affect the network used by customers to communicate their orders to the pipeline operators. No attribution was provided for the attacks, which are under review by the Department of Homeland Security. Bloomberg, 4 April 2018

Google Bug Fixes for April

Google’s security update for April includes 28 fixes. Nine of these are rated “critical” and the remaining 19 are rated “high.” Seven of the critical vulnerabilities are related to the Android Operating System, two tied to Android’s media framework and a Qualcomm Wi-Fi component flaw that allowed an attacker to gain access and execute arbitrary code. Four remote code execution bugs in the Android OS were fixed with the April patches as were additional Qualcom bugs. ThreatPost.com, 3 April 2018

New, Lethal Cyber Weapons on the Horizon

Speakers at a military conference on 9 April painted a dire picture of the future cyber threat horizon, including Internet of Things (IoT) weapons designed to kill people. Author Peter Singer talked about the lack of attention being given to data breaches and power outages in other countries. This presents potential opportunities for adversaries who want to attack the U.S. Dragos CEO Robert Lee discussed a new type of malware called “Trisis” that can attack industrial control systems to cause leaks and explosions rather than simply outages. Singer pointed out additional problems that can be caused by altering video or audio files to confuse military operations at very low cost. Military Times, 9 April 2018

Return to our HOME PAGE