Our weekly application security news roundup for March 21 to 25, 2016 features Badlock, the security of hospitals and federal agencies, and a new Android vulnerability. Read on for details on the following headlines:
Researchers have warned administrators and all those responsible for Windows and Samba servers to mark their calendars for April 12, 2016, when researchers plan to disclose a crucial security bug dubbed “Badlock Bug.” According to Badlock.org, they are “pretty sure” it will spawn “exploits soon after we publish all relevant information.”
Although no details have been released on the Badlock bug, there is some credibility behind it, as it was discovered by Stefan Metzmacher, who is a member of the Samba Core Team and currently works for German IT services firm SerNet.
PR-driven vulnerability disclosure is not new, wrote Steve Ragan of CSO. However, “I think that Badlock is likely one of the worst examples of marketing and hype for a vulnerability that we've seen to date,” Ragan said. “Even Heartbleed didn't have a teaser notification three weeks out.”
See our take on this news in Chris Wysopal’s recent blog post.
According to KrebsOnSecurity, more than 1.5 million Verizon Enterprise customers had their contact information leaked on an underground cybercrime forum, where it was offered for sale for $100,000. Ironically, Verizon Enterprise is the division of the telecom giant that helps Fortune 500 companies respond to data breaches. Verizon said that “no customer proprietary network information (CPNI) or other data was accessed,” and that consumer data was unaffected. The company has patched the flaw and is in the process of notifying customers.
The Office of Management and Budget has released its annual Federal Information Security Modernization Act (FISMA) report, which analyzed the government’s cybersecurity posture between October 2014 and September 2015. Federal agencies reported over 77,000 incidents for the fiscal year ending in September 2015, up from 69,800 the previous year and 60,700 in 2013. The incidents include unauthorized access, port scans and probes of agency networks, malware, suspicious activity, and unconfirmed third-party notifications.
Overall, agencies had an average score of 89 percent in their ability to detect and block unauthorized software from accessing their systems, and 72 percent in detecting unauthorized hardware and devices, the report said.
According to a new report from 451 Research, federal agencies are stuck in the past when it comes to cybersecurity. 451 Research analyst Garrett Bekker said that federal security professionals continue to over-rely on network and endpoint security technologies and fail in the face of multi-stage attacks.
“Only 37 percent are saying that they're increasing investment in protecting data-at-rest, which is where most of the breaches are happening,” said Sol Cates, CSO at Vormetric, which sponsored the report. In contrast, 45 percent of respondents from an average U.S. enterprise said they planned to increase spending on protecting data-at-rest.
Locky ransomware, the ransomware that hit the Hollywood hospital last month, is back and has targeted another hospital in Kentucky. According to Krebs on Security, Kentucky-based Methodist Hospital declared an "internal state of emergency" due to a Locky ransomware attack launched on Friday, March 18 that cut off web-based services and electronic communications for five days.
Locky ransomware works by encrypting important files on the infected host and deleting the originals. Victims can only regain access to the files by paying the ransom or by restoring them from a backup.
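As an added illustration of the defender's side of the behaviour just described (this is example code written for this roundup, not Locky's code or anything from the sources cited), the script below scans a directory tree for the two traces that an encrypt-and-delete ransomware leaves behind: files whose content has the near-maximal byte entropy of ciphertext, and originals replaced by files carrying an unfamiliar extension. The `.locky` extension, the entropy threshold and the sample files are assumptions constructed for the example; in practice the check would run as a scheduled job over file shares and backup targets, and a positive result is exactly the signal that the backup restore path, not the ransom, is the recovery plan.

```python
import math
import os
import tempfile
from collections import Counter

# Example code for this article, not from any cited source.
# ENCRYPTED_EXT is an assumed marker extension used for illustration only.
ENCRYPTED_EXT = ".locky"
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text usually scores well below 5
SAMPLE_BYTES = 4096       # only the first 4 KiB of each file is sampled


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte sample, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str) -> bool:
    """True when the leading bytes of the file are as random as ciphertext."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def scan_tree(root: str):
    """Return (suspect_paths, total_files) for every regular file under root."""
    suspects, total = [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            total += 1
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT) or looks_encrypted(path):
                suspects.append(path)
    return suspects, total


def ransomware_suspected(root: str, ratio: float = 0.5) -> bool:
    """Flag the tree when at least `ratio` of its files look encrypted."""
    suspects, total = scan_tree(root)
    return total > 0 and len(suspects) / total >= ratio


def build_demo_tree():
    """Construct two sample directories: one healthy, one post-infection.

    The content is made up for the example; no real files are touched.
    """
    healthy = tempfile.mkdtemp(prefix="healthy_")
    hit = tempfile.mkdtemp(prefix="hit_")
    for i in range(5):
        with open(os.path.join(healthy, "report%d.txt" % i), "w") as f:
            f.write(("Quarterly patient census summary, line %d\n" % i) * 50)
        # Simulated outcome: the original is gone and a random-looking
        # ciphertext file with the marker extension stands in its place.
        with open(os.path.join(hit, "report%d.txt" % i + ENCRYPTED_EXT), "wb") as f:
            f.write(os.urandom(SAMPLE_BYTES))
    return healthy, hit


if __name__ == "__main__":
    healthy_dir, hit_dir = build_demo_tree()
    for label, d in (("healthy", healthy_dir), ("infected", hit_dir)):
        print("%s: ransomware suspected = %s" % (label, ransomware_suspected(d)))
```

The entropy test is deliberately a coarse filter: compressed archives and media files also score near 8 bits per byte, so on a real share the check is paired with the extension and rename pattern and with a baseline of what the share normally holds, rather than used alone.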
In the case of Methodist Hospital, the ransomware tried to spread from the initial infection to the entire internal network and succeeded in compromising several other systems. The hackers demanded only four bitcoins—which is a little more than $1,600.
Due to the recent surge of healthcare ransomware attacks, a House Democrat is considering an update to federal health record breach notification laws that would require hospitals and healthcare organizations to notify their patients when they’ve been the victim of a ransomware attack.
“Right now under federal law, there's no requirement that a hospital has to report they've suffered a ransomware attack,” Rep. Ted Lieu said. “We're exploring legislation to fix that loophole.”
Currently, healthcare organizations only need to notify patients when their health records have been compromised or stolen, but ransomware doesn’t always exfiltrate data; it often only makes it inaccessible. Lieu said the proposed change would give patients better visibility into how their health information is being protected and would also give lawmakers more insight into how many hospitals are being targeted by cybercriminals.
This news was covered by Bloomberg BNA.
A new report by the Government Accountability Office (GAO) found that HealthCare.gov experienced 316 security incidents in just under 18 months. GAO said that none of the incidents leaked sensitive data such as names, addresses, birth dates and Social Security numbers, but rather involved electronic probing by hackers. However, GAO said it found shortcomings in the data hub, including insufficiently tight restrictions on admin privileges that allow broad user access throughout the system, inconsistent application of security fixes, and an admin network that was not properly secured.
This news was covered on AP.
Millions of Android phones, including Nexus models, are vulnerable to an attack that can execute malicious code and take control of basic functions almost permanently.
“The officials have already uncovered one unidentified Google Play app that attempted to exploit the vulnerability, although they said they didn't consider the app to be doing so for malicious purposes. They are in the process of releasing a fix, but at the moment any phone that hasn't received a security patch level of March 18 or later is vulnerable,” reports Ars Technica.
The flaw bypasses the entire Android security model and has its origins in an elevation-of-privilege vulnerability in the Linux kernel. Linux developers addressed the issue in April 2015 but never identified it as a security threat. For unknown reasons, Android developers failed to patch the flaw even after they were alerted to the issue in February 2015.
"An elevation of privilege vulnerability in the kernel could enable a local malicious application to execute arbitrary code in the kernel," an Android security advisory published Friday stated. "This issue is rated as a critical severity due to the possibility of a local permanent device compromise and the device would possibly need to be repaired by re-flashing the operating system."
Threatpost also covered the story.
A businessman in China, Su Bin, pleaded guilty to conspiring to hack the networks of major U.S. defense contractors, including Boeing. Su faces a maximum five-year sentence for allegedly conspiring with two other people in China to obtain sensitive military data and export it illegally.
According to U.S. government filings, Su began working in 2008 to target U.S. companies. In 2010, he emailed a file to an anonymous individual in China that contained information about one of Boeing’s military transport aircraft. Su also helped his co-conspirators decide what company employees to target and translated documents from English to Chinese.
The Chinese government has continued to deny any involvement in hacking.
A new Apple zero-day vulnerability has been discovered in both the OS X and iOS operating systems that allows hackers to bypass key protection features and steal sensitive data from devices. The flaw allows for local privilege escalation and bypasses System Integrity Protection (SIP), Apple’s newest protection feature.
The bug grants attackers the ability to bypass this feature without the need for a kernel exploit. The flaw is a non-memory corruption bug which “allows users to execute arbitrary code on any binary,” according to the researcher that discovered it.
In order to exploit the vulnerability, a hacker must first compromise the target system by some other means, such as a spear phishing attack or a browser exploit.