Daily Archives: November 14, 2020

Feds investigate Zoom-bombings attack against Gonzaga University Black Student Union

The FBI and Spokane police are investigating an incident in which a Zoom meeting of the Gonzaga University Black Student Union was hijacked by intruders.

The FBI and Spokane police are investigating the Zoom-bombing of the Gonzaga University Black Student Union (BSU). Intruders joined a Zoom meeting and bombarded participants with racial and homophobic slurs.

The attackers disrupted a virtual meeting of BSU members: they joined the call under offensive screen names, insulted participants and shared pornography on their screens.

“On Sunday, students of the BSU held a Zoom call to talk about the election, when several people joined the call with offensive screen names and began yelling racial and homophobic slurs and sharing pornography on their screens.” reads the article published by KXLY.

The media outlet revealed that the university has recently hired a therapist from the Black, Indigenous and People of Color (BIPOC) community to help BSU students.

A letter from Gonzaga's leadership announced that the university's IT department was able to capture data on the Zoom-bombing, including the IP addresses used by the attackers. According to the letter, those addresses were both domestic and international.

Unfortunately, the number of Zoom-bombing attacks has surged since the beginning of the COVID-19 pandemic, especially against schools and universities that use the platform for remote learning and meetings.

Both the Spokane Police Department’s criminal investigation unit and the FBI are investigating the attack.

“We are deeply disheartened that we must identify ways to maintain safety and security in virtual meeting experiences, but that is a clear reality,” reads the letter from university leadership. “Students, clubs and organizations, and employees have been alerted to the safety features available through Zoom, as well as guidance on how to make meetings private.”

Pierluigi Paganini

(SecurityAffairs – hacking, Zoom-bombing)

The post Feds investigate Zoom-bombings attack against Gonzaga University Black Student Union appeared first on Security Affairs.

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

The list is maintained on this page.

Schneider Electric published a security advisory on Drovorub Linux Malware

Schneider Electric is warning customers of the Drovorub Linux malware that was also analyzed recently by the NSA and the FBI.

Schneider Electric published a security bulletin to warn customers about the Drovorub Linux malware, which was analyzed in a joint alert published in August by the NSA and the FBI.

According to the US agencies, the Linux malware was allegedly employed in attacks carried out by the Russia-linked cyber espionage group APT28.

The name comes from drovo [дрово], which translates to “firewood”, or “wood” and rub [руб], which translates to “to fell”, or “to chop.”

The FBI and NSA attribute the Drovorub malware to APT28 due to the reuse of the C2 infrastructure in different operations, including a past campaign targeting IoT devices in 2019.

Drovorub is a modular malware that includes the implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.

“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.” reads the joint report. “A number of complementary detection techniques effectively identify Drovorub malware activity. However, the Drovorub-kernel module poses a challenge to large-scale detection on the host because it hides Drovorub artifacts from tools commonly used for live-response at scale.”

Drovorub could allow state-sponsored hackers to carry out a broad range of activities, such as stealing files, establishing backdoor access and remotely controlling the target's machine. The malware also implements a sophisticated evasion technique: its kernel-module rootkit hides Drovorub's artifacts on the host from the tools commonly used for live response at scale.

The agencies recommend that US organizations update Linux systems to kernel version 3.7 or later, which introduced kernel module signature verification, and configure them to load only modules carrying a valid digital signature, so that Drovorub's unsigned kernel module cannot be loaded.

The rootkit therefore works on systems running Linux kernels earlier than 3.7, or later kernels that do not enforce module signatures; the agencies also pointed out that the malicious code cannot achieve persistence on systems with UEFI Secure Boot enabled in Full or Thorough mode, since the unsigned kernel module will not load.
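As an added example (not code from the NSA/FBI advisory or from Schneider Electric), the shell script below audits a Linux host against the mitigations just described: a kernel of 3.7 or later, module signature enforcement, and UEFI Secure Boot. It adds two related checks the advisory does not mention, the kernel.modules_disabled sysctl and the kernel's unsigned-module taint bit. It reads only standard /sys and /proc paths; each function accepts an optional path so it can also be pointed at files copied off a host.

```shell
#!/bin/sh
# Added example, not from the NSA/FBI advisory or Schneider Electric: audit a
# Linux host against the Drovorub mitigations (kernel 3.7+, module signature
# enforcement, UEFI Secure Boot) plus two related tripwires. Only standard
# /sys and /proc paths are read; every function takes an optional path so it
# can also be run against files copied off a host or test fixtures.

# 0 if a kernel release string such as "5.4.0-42-generic" is 3.7 or later,
# the first kernel able to verify module signatures (CONFIG_MODULE_SIG).
kernel_supports_modsig() {
    rel="${1%%-*}"                  # drop the distro suffix after '-'
    major="${rel%%.*}"
    rest="${rel#*.}"
    minor="${rest%%.*}"
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]
}

# 0 if signature enforcement is active: the sysfs parameter reads "Y" when the
# kernel was built with CONFIG_MODULE_SIG_FORCE or booted with
# module.sig_enforce=1. A missing file means the kernel cannot check
# signatures at all, which is reported as a failure too.
modsig_enforced() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# 0 if module loading is locked for the rest of this boot
# (sysctl kernel.modules_disabled=1), which refuses any later insmod.
modules_locked() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# 0 if UEFI Secure Boot is on. The SecureBoot variable under efivars is four
# attribute bytes followed by one data byte; a data byte of 1 means enabled.
secure_boot_enabled() {
    d="${1:-/sys/firmware/efi/efivars}"
    set -- "$d"/SecureBoot-*
    [ -r "$1" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# 0 if the kernel taint mask has bit 13 ('E') set, which a signature-aware
# kernel raises when an unsigned module is loaded. On a host running with
# sig_enforce=N this is a cheap tripwire worth alerting on.
unsigned_module_loaded() {
    f="${1:-/proc/sys/kernel/tainted}"
    [ -r "$f" ] || return 1
    t=$(cat "$f")
    case "$t" in *[!0-9]*|'') return 1 ;; esac
    [ $(( (t >> 13) & 1 )) -eq 1 ]
}

# One verdict line per check for the running host.
audit_host() {
    rel=$(uname -r)
    if kernel_supports_modsig "$rel"; then
        echo "ok    kernel $rel can verify module signatures (3.7 or later)"
    else
        echo "FAIL  kernel $rel predates module signing; an unsigned module loads freely"
    fi
    if modsig_enforced; then echo "ok    module.sig_enforce=Y"
    else echo "FAIL  unsigned modules are accepted (module.sig_enforce is not Y)"; fi
    if modules_locked; then echo "ok    kernel.modules_disabled=1"
    else echo "warn  module loading still open (kernel.modules_disabled is not 1)"; fi
    if secure_boot_enabled; then echo "ok    UEFI Secure Boot enabled"
    else echo "FAIL  UEFI Secure Boot off, or not a UEFI boot"; fi
    if unsigned_module_loaded; then echo "ALERT an unsigned kernel module has been loaded (taint bit E)"
    else echo "ok    no unsigned-module taint"; fi
}

audit_host
```

Run it on the host itself; a kernel built without CONFIG_MODULE_SIG has no sig_enforce parameter and is reported as a failure, and the taint check only fires on kernels that actually verify signatures, so it complements rather than replaces the enforcement check. The rootkit hides its own files and processes once loaded, so these checks tell you whether the host can refuse the module, not whether it is already present; that still needs the network-side and memory-based detection the advisory describes.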

Schneider Electric is urging customers to implement defense-in-depth recommendations to protect Trio Q Data Radio and Trio J Data Radio devices against Drovorub attacks.

The affected products are Ethernet and serial data radios that provide long-range wireless data communications for SCADA and remote telemetry applications.

“Schneider Electric is aware of the recently published Drovorub malware. To further mitigate the effects of this malware, Schneider Electric recommends applying a defense in depth approach to protect their Q Data Radio and J Data Radio devices from malware being installed.” reads the security bulletin published by the vendor. “In addition, Schneider Electric recommends customers make use of the available features to reduce the risk of malware installation such as user access controls and the available secure protocols HTTPS and SSH.”

The company's advisory states that once a device is infected, the malware allows attackers to communicate with C2 infrastructure, download and upload files, execute arbitrary commands, forward network traffic to other hosts on the network, and hide its artifacts to evade detection.

“Schneider Electric is establishing a remediation plan for all future versions of Trio J-Series Data Radios and Trio Q-Series Data Radios that will include a fix for the Drovorub vulnerability.” concludes the advisory. “We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit. Enable Role-Based Access Control (RBAC).”

The good news is that the company is not aware of attacks in the wild against its products involving the Drovorub malware.

Pierluigi Paganini

(SecurityAffairs – hacking, Drovorub Linux Malware)

The post Schneider Electric published a security advisory on Drovorub Linux Malware appeared first on Security Affairs.

Cyber Security Today Week In Review for Nov. 13, 2020

In addition to looking at news highlights, I talk to Dinah Davis of Arctic Wolf about ways consumers and businesses can avoid being scammed during the holiday shopping period.

The post Cyber Security Today Week In Review for Nov. 13, 2020 first appeared on IT World Canada.

CISA Chief Chris Krebs expects to be fired by the White House

Chris Krebs, the director of the DHS Cybersecurity and Infrastructure Security Agency (CISA), expects to be fired as White House frustrations hit the agency protecting the elections.

Chris Krebs, the director of the DHS Cybersecurity and Infrastructure Security Agency (CISA), expects the White House to fire him, as the Trump administration continues a purge of officials considered disloyal to President Trump.

Krebs worked hard to protect the election process; as a consequence, the Trump administration has been unable to prove fraud or interference.

Krebs and his staff did great work ensuring that the 2020 election was not tampered with by nation-state actors; CISA called this election "the most secure in American history."

“The November 3rd election was the most secure in American history. Right now, across the country, election officials are reviewing and double checking the entire election process prior to finalizing the result.” reads the statement published by CISA.

“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”

President Trump, after losing the election, claimed that widespread voter fraud had taken place and filed lawsuits in several US states contesting the result, without producing evidence to support his allegations.

Because of CISA's support of a fair election process, the White House is expected to call for Krebs' resignation, according to a Reuters report citing sources close to the CISA chief.

CISA set up a website dubbed "Rumor Control" to debunk misinformation about the election, a move that aroused the ire of the White House.

“White House officials have asked for content to be edited or removed which pushed back against numerous false claims about the election, including that Democrats are behind a mass election fraud scheme. CISA officials have chosen not to delete accurate information.” reported the Reuters agency in exclusive.

“In particular, one person said, the White House was angry about a CISA post rejecting a conspiracy theory that falsely claims an intelligence agency supercomputer and program, purportedly named Hammer and Scorecard, could have flipped votes nationally. No such system exists, according to Krebs, election security experts and former U.S. officials.”

Bryan Ware, assistant director for cybersecurity at CISA, also told Reuters that he had handed in his resignation on Thursday; a U.S. official familiar with the matter said the White House had asked for Ware's resignation earlier this week.

Lawmakers and other observers condemned the decision that the administration has taken.

“Chris Krebs has done a great job protecting our elections,” tweeted Sen. Mark Warner (D-Va.).

“Krebs has been one of the top and most visible election security officials and has aggressively debunked misinformation in the aftermath,” said Patrick Howell O’Neill, a cyber reporter at MIT Technology Review.

It is my opinion that CISA, under Krebs's leadership, demonstrated great efficiency, providing detailed and regular security advisories about cyber threats, threat actors and key vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – hacking, Chris Krebs)

The post CISA Chief Chris Krebs expects to be fired by the White House appeared first on Security Affairs.

Biotech research firm Miltenyi Biotec hit by Mount Locker ransomware

Biotech research firm Miltenyi Biotec disclosed a ransomware attack that took place in October and affected its IT infrastructure worldwide.

Biotech research firm Miltenyi Biotec was hit with a ransomware attack that took place in October and affected its IT infrastructure worldwide.

The company announced that it has fully restored its systems after the attack, although in some countries local employees are still experiencing problems with email and telephone systems.

Miltenyi Biotec is a global biotechnology company headquartered in Cologne, Germany, that provides products and services that support scientists, clinical researchers, and physicians across basic research, translational research, and clinical applications. The company offers solutions covering techniques of sample preparation, cell separation, cell sorting, flow cytometry, cell culture, molecular analysis, clinical applications and small animal imaging. Miltenyi Biotec has more than 3,000 employees in 28 countries and more than 17,000 products.

Miltenyi Biotec is providing the above products, including SARS-CoV-2 antigens, to clinicians and researchers who are working on COVID-19 vaccines and treatments.

“During the last two weeks, there have been isolated cases where order processing was impaired by malware in parts of our global IT infrastructure. Rest assured, all necessary measures have now been taken to contain the issue and recover all affected systems. Based on our current knowledge, we have no indication that the malware has been inadvertently distributed to customers or partners.” reads the announcement published by Miltenyi Biotec.

“As of this time, our operational processes have been fully restored. Should you have experienced any delays with your orders, we ask you to be patient for just a little longer, and to get in contact with us in urgent cases. Please accept our apologies for any inconvenience this may have caused you.”

The company is not aware of any data leak resulting from the malware infection. Customers may have experienced order delays over the last two weeks because of the incident.

Customers experiencing difficulties can contact the company using a list of contact numbers available here.  

Miltenyi Biotec did not disclose the family of malware that infected its systems, but Bleeping Computer reports that the Mount Locker ransomware gang has claimed the attack.

“Even though Miltenyi Biotec has not disclosed the nature of the malware that caused the operational downtime during the last two weeks, the Mount Locker ransomware gang has claimed the attack earlier this month.” reported Bleeping Computer.

On November 4, 2020, the Mount Locker operators published on their data leak site ('Mount Locker News & Leaks') 5% of the 150 GB of data they claim to have stolen from the company.

Mount Locker ransomware operators have been active since July 2020 and targeted multiple organizations demanding multi-million dollar ransoms.

To put pressure on victims, Mount Locker operators also threaten to contact the media, TV channels and newspapers if the ransom is not paid.

Pierluigi Paganini

(SecurityAffairs – hacking, Mount Locker)

The post Biotech research firm Miltenyi Biotec hit by Mount Locker ransomware appeared first on Security Affairs.