ISA is committed to keeping the security community up to date with the latest cybersecurity news.
York University Recovering From Serious Cyber Attack
On May 2, 2020, York University in Toronto suffered a serious cyber incident, according to the school’s community safety blog. The widespread attack affected a “large number of servers and workstations”, disrupting operations for internal staff and students. York’s University Information Technology (UIT) team activated a response plan and “took immediate measures to contain the situation and engaged external investigators to help with determining the scope and extent of the incident.”
The attack appears to have affected a wide array of systems, including the York main and faculty websites, on-campus Internet access, phone systems, Office 365 services and shared drives, Zoom teleconferencing, VPN facilities, internal CRM/financial systems, and even parking/door access systems. York provided daily updates through the first week of the incident as they investigated the nature of the outage and gradually brought services online. Despite the breadth of the attack, things reportedly could have been worse: the blog advised that the UIT’s “quick response significantly reduced the potential damage this cyber attack would have caused”.
The origin of the attack was not reported; however, “zip” attachments on emails remain blocked, and local cyber experts have speculated that ransomware was involved. In his May 6 blog post, Donald Ipperciel, CIO at York, advised that a “strong return to operational status” has been made, but cautioned users to remain vigilant as “until the remaining systems are investigated and restored, we still remain vulnerable to attack”.
10,000 Legal Documents Exposed in Unsecured Database
UK-based cybersecurity research firm TurgenSec has reported that they have identified a data breach affecting some 10,000 legal documents mentioning up to 193 law firms, including three British “magic circle” firms (a nickname for the five most high-profile London-based law firms). According to TurgenSec’s detailed breach report, unsecured databases containing information about a cache of scanned documents were discovered in February 2020, and they had been working behind the scenes to identify the owner of the data before making a public statement. TurgenSec’s first public comments about the incident were posted on April 28.
The “data controller” was determined to be Laserform Hub, a product acquired by Advanced Computer Software Group Limited in 2006 and launched as a software-as-a-service offering in late 2014. The exposed databases appeared to refer to property transaction forms from Companies House, the UK’s registrar of limited companies. According to the TurgenSec report, databases associated with the firms mentioned in the documents potentially contained staff information including names, email addresses, and hashed passwords (i.e., one-way digests rather than plain-text passwords). Other databases associated with the scanned documents themselves contained potentially sensitive field headers such as mother’s maiden name, passport number, and eye colour, as well as extensive information about transaction details.
In a formal statement, Justin Young, MSc, CISSP, the Director of Security and Compliance at Advanced advised, “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.” TurgenSec has confirmed that they no longer have access to the exposed data.
Oracle Issues Special Alert on Critical WebLogic Security Bug
Oracle issued an urgent reminder to users of their WebLogic products to install a high-severity software patch released in mid-April.
The bug was reported privately to Oracle earlier this year by at least six different individuals and cybersecurity firms, and a patch was released on April 14. Up to that point, there had been no reported attempts to exploit the vulnerability in production systems. However, within a day, a “proof-of-concept” exploit was written and posted on GitHub, an open source development platform widely used by software developers around the world. Almost immediately thereafter, actual reports of attacks on WebLogic installations began, heightening the severity of the situation. Oracle reacted with a blog post by Eric Maurice, Oracle’s Director of Security Assurance, underscoring the importance of patching immediately and giving detailed technical instructions on applying the patch.
The bug – tracked as CVE-2020-2883 – potentially allows an attacker to send a malicious payload to a WebLogic server through Oracle’s proprietary T3 protocol. When the server receives and “unpacks” (deserializes) the payload, hidden malicious code can then be run on the WebLogic server itself. Since the vulnerability is exploitable without authentication or user interaction, the bug could allow the attacker to take full control of an unpatched system, creating opportunities for data exfiltration or for using the server as a launching pad for botnet or website attacks.
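The failure mode described above, a server that “unpacks” serialized data from an unauthenticated client and thereby lets the client choose which code runs, is not specific to WebLogic. The snippet below is an added illustration written for this digest, not Oracle or WebLogic code: it uses Python’s pickle format as a stand-in for Java serialization and places the vulnerable “trust whatever arrived” loader beside a hardened loader that allow-lists the classes it will resolve. The `Order` type, the `ALLOWED_CLASSES` set and both payloads are constructed for the example.

```python
"""Added example: allow-listing classes during deserialization.

Constructed illustration, not WebLogic or Oracle code. The hypothetical
service expects an Order object from the client; anything else in the
stream must be refused before any constructor or callable from the
untrusted data can execute.
"""
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class Order:            # hypothetical application type the service expects
    item: str
    quantity: int


# Only these (module, class) pairs may be resolved while unpickling.
ALLOWED_CLASSES = {
    (Order.__module__, "Order"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside the allow-list.

    find_class is consulted for every GLOBAL / STACK_GLOBAL opcode in the
    stream, so refusing here stops the load before the referenced class or
    function can be instantiated or called.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load {module}.{name}: not on the allow-list")


def unsafe_load(data: bytes):
    """The vulnerable pattern: resolves whatever the client referenced."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """The hardened pattern: same stream, allow-listed class resolution."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Runs both loaders over a benign payload and a hostile-shaped one.

    Returns a dict describing what each loader did, so the caller can check
    the outcome rather than relying on printed output.
    """
    benign = pickle.dumps(Order("widget", 3))
    # Constructed hostile-shaped payload: a stream whose global reference
    # points at an OS-level function. Pickling a function stores only its
    # import path and executes nothing; the point is which loader resolves it.
    hostile = pickle.dumps(os.getcwd)

    result = {"benign_safe": safe_load(benign)}
    result["hostile_unsafe_resolved"] = unsafe_load(hostile) is os.getcwd
    try:
        safe_load(hostile)
        result["hostile_safe_blocked"] = False
    except pickle.UnpicklingError:
        result["hostile_safe_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The allow-list is the important part: the hardened loader does not try to recognise bad payloads, it simply refuses to resolve any class or function it was not told to expect, which is the same shape of defence (a serialization filter) that Java offers for `ObjectInputStream`. Patching remains the primary fix for CVE-2020-2883 itself; a filter like this limits the blast radius of the next deserialization bug.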
The fix was part of Oracle’s quarterly Critical Patch Update containing 52 new security patches for Oracle Fusion Middleware and WebLogic servers, many of which were rated 9.8 out of 10 on the vulnerability severity scale. Visit Oracle’s April 2020 Critical Patch Update Advisory for further details.