UNCLASSIFIED
Page 1
27 July 2020
Table of Contents
CISA Says Hackers Exploited BIG-IP Vulnerability in Attacks on U.S. Government
Garmin services returning after alleged cyber-attack
In Barely Three Months, Eight New Ransomware Surface
How hackers extorted $1.14m from University of California, San Francisco
This week of never-ending security updates continue. Now Apple emits dozens of fixes
Cisco releases security fixes for critical VPN, router vulnerabilities
DHS pushes toward data center consolidation
US Army begins experimenting with new network tools
Cloud provider stopped ransomware attack but had to pay ransom demand anyway
Pentagon explores what telework capabilities to make permanent
FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins
Cybercrime Jumped 23% Over Past Year, Says ONS
Zoom's Vanity URLs Could Have Been Abused for Phishing Attacks
Israeli Water Infrastructure Hit Again by Cyberattacks
Hacker behind Ripoff Report extortion attempt extradited to the US
CISA Says Hackers Exploited BIG-IP Vulnerability in Attacks on U.S. Government
Security Week, 27 Jul 2020:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Friday to warn organizations about the risk posed by a recently patched vulnerability affecting F5 Networks’ BIG-IP application delivery controller (ADC). The critical security hole, identified as CVE-2020-5902 [link], allows an attacker with access to the product’s Traffic Management User Interface (TMUI) configuration utility to obtain credentials and other sensitive data, intercept traffic, and execute arbitrary code or commands, resulting in the system getting completely compromised.
The issue was disclosed on July 1. A proof-of-concept (PoC) exploit was released a few days later and the first exploitation attempts were spotted on July 5 [link]. F5, which released a patch before disclosure, tells customers to assume that their systems have been compromised if they’ve failed to install the patch for CVE-2020-5902.
CISA says government departments and agencies have been seeing scanning and reconnaissance activity associated with this flaw since July 6 [link]. The agency has been investigating several potential breaches resulting from the exploitation of this vulnerability, including against U.S. government and commercial organizations, and it has so far confirmed two instances where systems have been compromised.
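F5's advice to assume compromise if the patch was not applied, and the scanning CISA observed from July 6, both come down to one defender question: which sources reached the TMUI configuration utility at all? The following Python snippet is an added example and is not code from the article, CISA or F5. It parses constructed web-server access-log lines (the log format, the sample addresses and the management network are all assumptions) and lists every source outside a management allowlist that requested a path under /tmui/, the prefix assumed here to be where the configuration utility is served.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in a common web-server format.
# Addresses are documentation ranges; nothing here is from a real device.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jul/2020:02:11:03 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jul/2020:02:11:04 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
198.51.100.9 - - [06/Jul/2020:02:12:40 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
10.0.5.20 - - [06/Jul/2020:08:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [06/Jul/2020:02:11:05 +0000] "GET /index.html HTTP/1.1" 200 812
"""

# Assumption: administrators only reach the configuration utility from this range.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumption: the TMUI configuration utility lives under this path prefix.
TMUI_PREFIX = "/tmui/"

# Minimal parser for the constructed log format above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_management(ip):
    """True when the source address falls inside an allowlisted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def tmui_exposure(log_text):
    """List (ip, request_count) for non-management sources that reached TMUI paths,
    most active source first. Any such hit on an unpatched device is a reason to
    follow F5's assume-compromise guidance rather than just patch and move on."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(TMUI_PREFIX):
            continue
        if is_management(rec["ip"]):
            continue
        hits[rec["ip"]] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in tmui_exposure(SAMPLE_LOG):
        print(f"{ip}: {n} TMUI request(s) from outside the management network")
```

Run it against the real access logs of a device that was exposed before the patch landed; the list it produces is the set of sources to carry into the incident review, and an empty list only means the management interface was not reached from outside the allowlist, not that the device is clean.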
Garmin services returning after alleged cyber-attack
BBC, 27 Jul 2020:
GPS and fitness-tracker firm Garmin appears to be slowly coming back online following a widespread outage affecting users worldwide. Users of the company's services were unable to access their data due to an alleged ransomware attack. Now customers are starting to report that the service appears to be "partially" working again. Reports claimed that the company had been asked to pay $10m to get its systems back online. Garmin has yet to comment on those claims, or say what was behind the outage.
The problem began on Thursday, and affected Garmin users around the world. Pilots who use flyGarmin were unable to download up-to-date aviation databases, which aviation regulators such as the FAA require pilots to have before they can fly. Customers were also unable to log into Garmin Connect to record and analyse their health and fitness data. In an email to its users on Sunday, Garmin said it would no longer be responding to user queries about delayed uploads to its servers because "most of the issues will resolve themselves".

Purpose
Educate recipients of cyber events to aid in protecting electronically stored DoD, corporate proprietary, and/or Personally Identifiable Information from unauthorized access, theft or espionage.

Source
This publication incorporates open source news articles to educate readers on cyber security matters IAW USC Title 17, section 107, Para a. All articles are truncated to avoid the appearance of copyright infringement.

Newsletter Team
* SA Sylvia Romero, Albuquerque FBI
* CI Agent Scott Daughtry, Purple Arrow Founder

Subscription/Questions
Click HERE to request that your employer-provided email address be added to this product’s distribution list.

Purple Arrow Overview
The Purple Arrow Working Group was founded in 2009 to address suspicious reporting originating from New Mexico (NM) cleared companies. Purple Arrow is a subset of the NM CI Working Group.

Purple Arrow Members
Our membership includes representatives from these New Mexico-focused agencies: 902nd MI, AFOSI, DOE, DCSA, DTRA, FBI, HSI and NCIS.

Disclaimer
Viewpoints, company names, or products within this document are not necessarily the opinion of, or an endorsement by, the FBI or any member of the Purple Arrow Working Group or NM CI Working Group.

Distribution
You may freely forward this product to U.S. person co-workers or other U.S. agency / U.S. company managed email accounts.

Personal Email/Foreigners
The FBI will not send Purple Arrow products to a non-United States employer-provided email account (e.g. Hotmail, Gmail).
In Barely Three Months, Eight New Ransomware Surface
CyWare, 19 Jul 2020:
Earlier this year, a report by the FBI’s Internet Crime Complaint Center (IC3) revealed that ransomware losses in 2019 were over $8.9 million, i.e. $5.3 million more than the losses in 2018 [link]. Moreover, the frequency of attacks and ransomware demands has drastically increased this year. In the past few weeks, more than half a dozen new ransomware families captured the attention of security researchers. Let’s understand how they operate and who they target in the following list.
1) Avaddon: Launched at the beginning of June, the actors behind Avaddon send emails containing subjects like "Your new photo?" or "Do you like my photo?" with a winking smiley face in the email body and an attached JavaScript downloader. It was reported as one of the largest email campaigns, as it distributed over one million messages, mainly targeting organizations in the U.S., in one week.
2) AgeLocker: AgeLocker reportedly utilizes the 'Age' encryption tool created by Google to encrypt a victim's files instead of common algorithms, such as AES+RSA. The attackers send the ransom note via email, asking 7 BTC or approximately $64,500 to decrypt the files.
3) Conti: Noting a similarity in the code used and the fact that it drops the same ransom note Ryuk used to, experts say the malware could be its successor. In a unique technique, the malware exploits Windows Restart Manager and attempts to alert the user to save their data if their file is open and unsaved, thereby maximizing the damage.
4) ThiefQuest: ThiefQuest is a new piece of ransomware which is distributed as a hidden threat inside pirated macOS software uploaded on torrent portals and online forums. ThiefQuest goes beyond just encrypting files. It installs a keylogger, a reverse shell, and attempts to wipe off cryptocurrency wallet-related files. Victims of the malware are asked for a $50 ransom in BTC within three days (72 hours). However, there’s no contact information for victims to get in touch with the attacker.
5) WastedLocker: Detected around May, the new ransomware variant is the product of the Evil Corp group, according to researchers. It was spotted exclusively targeting Fortune 500 U.S. companies and other organizations to demand nothing less than multimillion-dollar ransoms.
6) Try2Cry: This ransomware leverages infected USB flash drives and Windows shortcuts (LNK files) to spread through compromised systems. The decryptable malware was found to be related to the “Stupid” ransomware family (from GitHub) and uses Rijndael, the predecessor of AES, for encryption.
7) FileCry: Possibly named after WannaCry, the malware behaves a little amateurishly; its current encryption algorithm is very plain and the encryption operation is easy to stop. In the ransom note, actors demand 0.035 BTC to decrypt the files. However, FileCry’s decryption key is available for free.
8) Aris Locker: The ransomware uses an AES-256 encryption algorithm to lock all files and threatens the victims not to inform anyone or else their data will be deleted permanently. Aris Locker can infect systems via malicious email attachments and links, hidden code on websites, external hardware such as USBs, and others. Actors demand a $75 ransom in BTC to be cleared within a week, else they will increase the amount to $500.

Incident Reporting
- Cleared Company: notify your Defense Counterintelligence and Security Service representative. If the event compromised DoD information, you must also initiate the DIBNET process.
- Financial Scam/Fraud: submit a complaint to the FBI’s Internet Crime Complaint Center (IC3).
- Children: if a child has been targeted via the Internet, contact your state’s Attorney General via their web site. They likely have an Internet Crimes against Children task force that specializes in this crime category.
Cyber investigations are likely to require the original offending email (to obtain the email headers) and/or log files that are generated/maintained by an IDS, router or firewall. Ensure your IT office preserves this information should law enforcement request it for analysis.

Newsletter Archival
We do not maintain a formal archive of this newsletter. Your company/agency may archive Purple Arrow products on its internal network. This product may NOT be altered in any way.

Cybersecurity Training
All employees must understand cyber threats and think defensively every time they use automated systems. Many intrusions occur because a single employee failed basic cybersecurity practices and clicked on a hostile hyperlink or opened a malicious file attachment. The Defense Counterintelligence and Security Agency (formerly known as DSS) offers free cyber training via its Center for Development of Security Excellence (CDSE) website. Click HERE for info.
How hackers extorted $1.14m from University of California, San Francisco
BBC, 29 Jun 2020:
The Netwalker criminal gang attacked University of California San Francisco (UCSF) on 1 June. IT staff unplugged computers in a race to stop the malware spreading. And an anonymous tip-off enabled BBC News to follow the ransom negotiations in a live chat on the dark web. At first glance, its dark-web homepage looks like a standard customer-service website, with a frequently asked questions (FAQ) tab, an offer of a "free" sample of its software and a live-chat option. But there is also a countdown timer ticking down to a time when the hackers either double the price of their ransom, or delete the data they have scrambled with malware.
Instructed to log in - either by email or a ransom note left on hacked computer screens - UCSF was met with the following message, posted on 5 June. Six hours later, the university asked for more time and for details of the hack to be removed from Netwalker's public blog. But the UCSF representative, who may be an external specialist negotiator, explained the coronavirus pandemic had been "financially devastating" for the university and begged them to accept $780,000. After a day of back-and-forth negotiations, UCSF said it had pulled together all available money and could pay $1.02m - but the criminals refused to go below $1.5m. Hours later, the university came back with details of how it had procured more money and a final offer of $1,140,895. And the next day, 116.4 bitcoins were transferred to Netwalker's electronic wallets and the decryption software sent to UCSF.
UCSF is now assisting the FBI with its investigations, while working to restore all affected systems. It told BBC News: "The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. "We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."
Most ransomware attacks begin with a booby-trapped email and research suggests criminal gangs are increasingly using tools that can gain access to systems via a single download. In the first week of this month alone, Proofpoint's cyber-security analysts say they saw more than one million emails using a variety of phishing lures, including fake Covid-19 test results, sent to organisations in the US, France, Germany, Greece, and Italy.
This week of never-ending security updates continue. Now Apple emits dozens of fixes
TheRegister, 16 Jul 2020:
Apple has released a fresh batch of software security updates for its flagship devices. The July 15 security refresh from Cupertino includes fixes for bugs in iOS, macOS, tvOS, and WatchOS: basically every hardware product from the Cupertino giant. Given the massive patch overload this week, it's a good time to bury bad news. For iOS and iPadOS the 13.6 update includes fixes for 29 CVE-listed vulnerabilities, 10 involving arbitrary code execution. Four of those code execution flaws are exploited by playing corrupted audio files (CVE-2020-9888, CVE-2020-9889, CVE-2020-9890, CVE-2020-9891, all found by Ant-financial Light-Year Security Lab researchers JunDong Xie and XingWei Li.) Code execution was also possible by exploiting AVEVideoEncoder (CVE-2020-9907, from an anonymous researcher), iAP (CVE-2020-9914, found by Andy Davis, British director of security shop NCC Group), ImageIO (CVE-2020-9936, discovered by Mickey Jin of Trend Micro), iOS Kernel (CVE-2020-9923, reported by the alias "Proteas"), and Model I/O (CVE-2020-9878, found by Holger Fuhrmannek of Deutsche Telekom Security).
The WebKit browser engine was the subject of three code execution bugs: CVE-2020-9894 (credited to someone with the alias "0011" working with the Trend Micro Zero Day Initiative), CVE-2020-9893 (also credited to "0011"), and CVE-2020-9895 (credit to Wen Xu of GeorgiaTech's SSLab). In those cases, remote code execution was possible by way of a poisoned web page. These remote code execution bugs sometimes show up as jailbreak exploits, with hackers using the flaws as an inroad to lifting the App Store security restrictions. Many of the same issues were addressed in macOS, where the update is known as Catalina 10.15.6 or Security Update 2020-004 (for Mojave and High Sierra users).
Cisco releases security fixes for critical VPN, router vulnerabilities
ZD Net, 17 Jul 2020:
Cisco has issued a security update that tackles 34 vulnerabilities [link], five of which are deemed critical. It's been an interesting month for enterprise administrators and security staff with Microsoft's Patch Tuesday including fixes for 123 vulnerabilities across 13 products. In particular, warnings were issued over SigRed (CVE-2020-1350), a 17-year-old critical bug that can be used to hijack Microsoft Windows Server builds. Adobe, SAP, VMware, and Oracle have also released their own security updates.
Over this week, Cisco added its own contribution, with the networking giant releasing patches for 34 bugs, the most severe of which can be exploited to conduct remote code execution and privilege escalation attacks. In addition to the critical vulnerabilities, Cisco also issued a wide variety of fixes for products and services including Identity Services, email services, SD-Wan vManage and vEdge, and Webex meetings, among other software. Ranging from high to medium severity, these security issues include SQL injections, cross-site scripting (XSS) bugs, filter bypass, information leaks, and denial-of-service. It is recommended that Cisco customers accept automatic updates or manually apply the latest round of security fixes as soon as possible.
DHS pushes toward data center consolidation
FCW, 20 Jul 2020:
The Department of Homeland Security is inching closer to making good on a long-promised data center consolidation plan. On July 10, the agency issued a draft solicitation [link] for a Data Center and Cloud Optimization (DCCO) Support Services contract that will manage its enterprise data center, as well as cover implementation and hosting environments at the Stennis Space Center in Mississippi. The data center is owned by NASA and run by its contractor, but DHS uses about 35,000 square feet in the facility.
DHS had planned to consolidate data center operations at the Mississippi facility, known as DC 1, and shutter operations at a Virginia location (called DC 2) to save money and to make allowances for components that are pushing operations into commercial cloud. The plan as of last August was to consolidate operations in Mississippi by June 2020, but even then complications were emerging that made the closure of DC 2 by the expiration of a key contract unlikely. On June 10, DHS awarded Perspecta a no-bid extension to continue running operations at DC 2 as systems are transitioned out of the facility.
The draft solicitation looks to move from a location-based approach for support services capabilities to a service-based approach that will offer a hybrid IT hosting environment that will serve as a foundation to manage and integrate multi-cloud and co-located applications.
US Army begins experimenting with new network tools
C4ISRNET, 26 Jul 2020:
The U.S. Army’s combat capabilities development team kicked off a monthslong experiment last week to test emerging technologies that could be added into the service’s tactical network. The third annual Network Modernization Experiment at Joint Base McGuire-Dix-Lakehurst in New Jersey started July 20 and ends Oct. 2. NetModX provides an opportunity for the Combat Capabilities Development Command’s C5ISR Center — or Command, Control, Communication, Computers, Cyber, Intelligence, Surveillance, and Reconnaissance Center — to perform field tests with emerging capabilities that have largely been tested in the lab.
In this year’s test, the C5ISR Center is testing communications capabilities that allow for distributed mission command systems across the battlefield “and wider area,” said Michael Brownfield, chief of the future capabilities office at the C5ISR Center. “We’ve learned by watching our enemies fight, and we know that to survive on the battlefield, No. 1, they can’t be able to see us,” Brownfield told C4ISRNET in an interview. “And No. 2, we have to distribute our systems across the battlefield to give them multiple targets and multiple dilemmas in order to survive.”
NetModX is also testing network resiliency capabilities that could be delivered as part of Capability Set ’23. Preliminary design review for the capability set is scheduled for April next year. To test the effectiveness of the resiliency projects the center developed in the lab, the C5ISR Center created a “state-of-the-art red cell” that attacks the network using the enemy’s tactics, techniques and procedures, according to Brownfield. The goal is to make sure the technology can withstand electronic attacks and allow for continuous operations in contested environments when in the hands of deployed soldiers.
A modular radio frequency system of systems is undergoing tests, and Brownfield says it will “revolutionize” the fight on the battlefield. The system automatically switches between primary, alternate, contingency and emergency, or PACE, radios by sensing if radio frequencies are being jammed. The system then responds by automatically switching radio channels to allow for seamless communications in a contested environment. Currently, “it’s kind of hard to switch to alternate comms when the person you’re talking to is on their primary, not their alternative comms,” Brownfield said. “And the process is very slow. It’s human-driven.” Now, the automatic PACE system senses the environment in milliseconds, he said. At last year’s experiment, which focused on network transport capabilities to support precision fires for multidomain operations, the center experimented with radios that could flip to new channels on their own, while launching brute force and other more sophisticated attacks against the radios to see how much stress they could handle before passing data became impossible.
This year will be a little different. “This year, we’re pairing different radios together and see how they can work to actually change the type of modulation schemes that we use to maneuver in cyberspace around for continuous operations while under enemy attack and under contested electronic warfare conditions,” Brownfield said.
Cloud provider stopped ransomware attack but had to pay ransom demand anyway
ZD Net, 17 Jul 2020:
Blackbaud, a provider of software and cloud hosting solutions, said it stopped a ransomware attack from encrypting files earlier this year but still had to pay a ransom demand anyway after hackers stole data from the company's network and threatened to publish it online. The incident took place in May 2020, the company revealed in a press release on Thursday. Blackbaud said hackers breached its network and attempted to install ransomware in order to lock the company's customers out of their data and servers.
"After discovering the attack, our Cyber Security team-together with independent forensics experts and law enforcement-successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system," the company said. However, Blackbaud says that before being pushed out of their network, the hackers managed to steal a subset of data from its "self-hosted environment," where customers save their files. The ransomware gang then threatened to release the stolen data unless Blackbaud paid a ransom demand -- even if their initial file-encrypting attack was stopped. The cloud provider, which primarily works with non-profits, foundations, educational, and healthcare, said the incident impacted the data of only a small subset of its customers, which it has now notified.
In the vast majority of cases, ransomware groups have usually pursued one of the two ransom fees (for decrypting files or for not publishing the data), but one gang, in particular, is known for chasing both at the same time -- namely the Ako ransomware gang.
Pentagon explores what telework capabilities to make permanent
C4ISRNET, 24 Jul 2020:
The U.S. Defense Department’s IT shop is weighing what telework infrastructure and policies implemented in response to the coronavirus pandemic could remain in place when the crisis ends, a top IT official said July 22. “There’s programs in work now to try and make permanent some of what we authorized going forward,” Peter Ranks, deputy chief information officer for information enterprise, said on a webinar hosted by the Intelligence and National Security Alliance. INSA is a trade association dedicated to driving public-private partnerships to advance intelligence and national security priorities. Ranks also noted that productivity hasn’t suffered since employees began working from home en masse.
One capability that department leadership particularly likes is the ability to collaborate across the entirety of the department, regardless of organization, Ranks said. Leaders would also like to maintain the next layer of that capability, allowing employees to collaborate across the department from outside the Pentagon’s network perimeter — a decision that Ranks said “is really going to accelerate the conversation about zero-trust within the department.” A long-term goal, he added, was to add more personal devices for employees to access unclassified data. He added that providing the IT tools alone wouldn’t be enough to make the changes permanent, saying that department leaders will have to accept the “new normal” of an increasingly remote workforce.
Remote access to classified information has also been an issue during the pandemic. Last month, Army chief information officer/G-6 Lt. Gen. Bruce Crawford said the service is rolling out a platform for remote access to secret information for 2,000 users. La’Naia Jones, acting chief information officer of the intelligence community, said that for intel agencies, remote access is “not really a cut and dry question.” “We’re looking at it as, what can we do within that classified data and information, what makes it classified. And are there elements, parts, pieces or processes that we can do on a lower classified domain that can mitigate that?” Jones said.
FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins
ZDNet, 27 Jul 2020:
The Federal Bureau of Investigation sent an alert last week warning about the discovery of new network protocols that have been abused to launch large-scale distributed denial of service (DDoS) attacks. The alert lists three network protocols and a web application as newly discovered DDoS attack vectors. The list includes CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software. Three of the four (CoAP, WS-DD, ARMS) have already been abused in the real world to launch massive DDoS attacks, the FBI said based on ZDNet's previous reporting. FBI officials believe that these new DDoS threats will continue to be exploited further to cause downtime and damages for the foreseeable future.
The purpose of the alert is to warn US companies about the imminent danger, so they can invest in DDoS mitigation systems and create partnerships with their internet service providers to quickly respond to any attacks leveraging these new vectors. The FBI says that because these newly discovered DDoS vectors are network protocols that are essential to the devices they're being used in (IoT devices, smartphones, Macs), device makers are unlikely to remove or disable the protocols in their products, hence the threat of a new wave of DDoS attacks looms going forward. "In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks," the FBI said referring to the new DDoS vectors. As of now, these four new DDoS attack vectors have been used sporadically, but industry experts expect them to become widely abused by DDoS-for-hire services.
Cybercrime Jumped 23% Over Past Year, Says ONS
InfoSecurity, 20 Jul 2020:
Cybercrime offenses reported by individuals and businesses have risen 23% over the past year, according to the Office for National Statistics (ONS). The UK government body explained that 26,215 incidents were referred to the National Fraud Intelligence Bureau (NFIB) by Action Fraud in the year ending March 2020. The year-on-year increase was driven by a large uptick in the two highest-volume “computer misuse” types reported to Action Fraud. “Hacking – social media and email” saw a 55% increase from 12,894 offenses, and “computer viruses/malware” incidents soared by 61% to reach 6745 cases.
The double-digit increase in reported cybercrime came in spite of improvements to “internal case review processes” and an online reporting tool at Action Fraud in October 2018 which meant some offenses previously categorized as computer misuse are now being properly identified as fraud, ONS said. On that note, when fraud is added to computer misuse, there was an increase of just 12% in cases reported to the NFIB over the period. “In the year ending March 2020, CSEW-estimated computer misuse offences did not change from the previous year, remaining at around 900,000 offences,” it noted. Fraud reported to the survey also remained pretty static, at 3.7 million cases.
Zoom's Vanity URLs Could Have Been Abused for Phishing Attacks
SecurityWeek, 17 Jul 2020:
An issue related to the Zoom feature that allows for the customization of meeting URLs could have been exploited for phishing attacks, Check Point reveals. The recently identified security issue is related to the Zoom Vanity URL, a custom URL (e.g. companyname.zoom.us) that organizations are required to use when looking to enable single sign-on (SSO). The customizable vanity pages are rarely accessed by users, as they don’t normally need to type in the URL for the page to access a video meeting, but click on a provided link instead. According to Check Point, an attacker looking to exploit the discovered issue would have to pretend to be a legitimate employee within a company, then send invitations that appear to come from the company’s Vanity URL to individuals of interest. However, although the invitation would seem to be sent from the legitimate Vanity URL of the spoofed organization, the URL would actually point to a subdomain registered by the attacker with a name similar to that of the target. By manipulating the link, the attacker could lure the user to their own meeting and trick them into handing over credentials or other sensitive information by making them believe that they are actually in a meeting with someone from the targeted company. An attacker could also target the dedicated Zoom web interfaces that some organizations use for video conferencing to exploit the bug by redirecting the user to a malicious Vanity URL. “Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization,” Check Point notes [link]. Zoom has added safeguards to ensure the protection of its users, the security firm reported.
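The mechanism Check Point describes, an invitation whose host is an attacker-registered subdomain resembling the organization's Vanity URL, lends itself to a simple check at a mail gateway or in an awareness tool: does the meeting link's host match the one vanity host the organization actually owns? The Python below is an added example, not Check Point's or Zoom's code. It assumes vanity hosts take the form <org>.zoom.us, as in the article's example, and the lookalike heuristics (substring match, a small homoglyph fold, and a short edit distance) are constructed rules for illustration rather than anything the article specifies.

```python
from urllib.parse import urlsplit

# Assumption: vanity URLs have the shape <org>.zoom.us, following the article's example.
ZOOM_BASE = "zoom.us"


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(label):
    """Fold a few common look-alike substitutions before comparing labels.
    Constructed and deliberately small; a production list would be longer."""
    return label.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def classify_invite(url, expected_org):
    """Classify a meeting link relative to the organization's own vanity host.

    Returns one of:
      "trusted"    host is exactly <expected_org>.zoom.us
      "lookalike"  a different zoom.us subdomain that resembles expected_org
      "other-zoom" plain zoom.us or an unrelated vanity host
      "not-zoom"   host is not under zoom.us at all (includes zoom.us.<other-domain>)
    """
    host = (urlsplit(url).hostname or "").lower()
    expected_org = expected_org.lower()
    if host == f"{expected_org}.{ZOOM_BASE}":
        return "trusted"
    if host == ZOOM_BASE:
        return "other-zoom"
    if not host.endswith("." + ZOOM_BASE):
        return "not-zoom"
    label = host[: -len("." + ZOOM_BASE)]
    similar = (expected_org in label
               or edit_distance(normalize(label), normalize(expected_org)) <= 2)
    return "lookalike" if similar else "other-zoom"


if __name__ == "__main__":
    # Constructed invitation links; companyname is the organization's assumed vanity label.
    for link in ["https://companyname.zoom.us/j/123?pwd=x",
                 "https://companyname-meeting.zoom.us/j/123",
                 "https://cornpanyname.zoom.us/j/123",
                 "https://zoom.us/j/123",
                 "https://companyname.zoom.us.evil.example/j/1"]:
        print(f"{classify_invite(link, 'companyname'):10s} {link}")
```

The "not-zoom" branch matters as much as the lookalike one: a host such as companyname.zoom.us.evil.example contains the genuine vanity host as a prefix, which is exactly what a user scanning the link by eye would latch onto, so the check compares the registrable suffix rather than searching for the vanity name anywhere in the string.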
Israeli Water Infrastructure Hit Again by Cyberattacks
Hamodia, 17 Jul 2020:
The cyberattacks on Israeli infrastructure continue, with the Israeli Water Authority confirming on Thursday that another cyberattack targeted two Israeli water infrastructure facilities this week. According to officials, the attacks were aimed at agricultural water pumps in the Upper Galilee and infrastructure in the center of the country. The hacks did not cause any damage, the authorities said. The officials did not point at any possible suspects behind the attack.
In April, the Water Authority structures were hit by a cyberattack, with Fox News reporting that it was the work of Iranian hackers. Attacks had been launched on command and control systems of wastewater treatment plants, pumping stations and sewers. That attack also reportedly resulted in no damage but was said to have left the Israeli defense establishment outraged as it targeted civilian infrastructure.
Hacker behind Ripoff Report extortion attempt extradited to the US
ZD Net, 19 Jul 2020:
A Cypriot national has been extradited to the US to face charges of hacking into review portal Ripoff Report, extorting the company, and selling access to its backend to a third party. The man, named Joshua Polloso Epifaniou, 21 years old and a resident of Nicosia, Cyprus, arrived in the US on Friday and is scheduled to be arraigned in front of a US court on Monday, July 20, where he'll be formally charged. According to court documents obtained by ZDNet, US authorities believe Epifaniou used a brute-force attack to gain access to the credentials of a Ripoff Report employee in October 2016. The Cypriot then worked with an SEO (search engine optimization) company to remove bad reviews from the Ripoff Report website for the SEO firm's paying customers.
"Epifaniou and his co-conspirator removed at least 100 complaints from the ROR database, charging SEO Company's 'clients' approximately $3,000 to $5,000 for removal of each complaint," the US Department of Justice said in a press release on Saturday. Investigators said that when a local Cyprus bank blocked the co-conspirator's payments to the hacker, the two also arranged for the SEO company to issue bogus backdated invoices to justify the bank transfers for Epifaniou's hacking. The court documents did not identify Epifaniou's partner, but a Fox 11 investigation claims the Cypriot hacker worked with Pierre Zarokian, the founder of Submit Express, a reputation management company.
The scheme came undone after Epifaniou emailed the Ripoff Report CEO in November 2016 and tried to extort the company while also actively removing bad reviews from its database. According to investigators, the hacker requested a payment of $90,000 within 48 hours from the CEO, threatening otherwise to leak the Ripoff Report database online. When he did not receive a reply from the CEO, the hacker emailed again the second day with a video showing himself accessing the exec's account. The FBI started an investigation into the hacks in 2017, and the Submit Express CEO was arrested in 2018 and pleaded guilty earlier this year.