Cyber security news December 2020

This posting is here to collect cyber security news December 2020.

I post links to security vulnerability news with short descriptions to the comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.


175 Comments

  1. Tomi Engdahl says:

    Zero-click iMessage zero-day used to hack the iPhones of 36 journalists
    https://arstechnica.com/information-technology/2020/12/zero-click-imessage-zeroday-used-to-hack-the-iphones-of-36-journalists/

    Three dozen journalists had their iPhones hacked in July and August using what at the time was an iMessage zero-day exploit that didn’t require the victims to take any action to be infected, researchers said.

    The exploit and the payload it installed were developed and sold by NSO Group, according to a report published Sunday by Citizen Lab, a group at the University of Toronto that researches and exposes hacks on dissidents and journalists. NSO is a maker of offensive hacking tools that has come under fire over the past few years for selling its products to groups and governments with poor human rights records.

    Reply
  2. Tomi Engdahl says:

    Tillis Targets Criminal Streaming Services with ‘Protecting Lawful Streaming Act’
    https://www.ipwatchdog.com/2020/12/15/tillis-targets-criminal-streaming-services-protecting-lawful-streaming-act/id=128284/

    Pirating Streamed Content to Become Felony
    By Michael Balderston 2 days ago
    Bill to be included in omnibus part of the COVID-19 relief bill

    https://www.tvtechnology.com/news/pirating-streaming-content-to-become-felony

    Reply
  3. Tomi Engdahl says:

    CVE-2020-35489: Unrestricted File Upload Vulnerability found in Contact Form 7 plugin affects 5M+ websites
    https://blog.wpsec.com/contact-form-7-vulnerability/

    Reply
  4. Tomi Engdahl says:

    SolarWinds is the tip of the iceberg
    The recent SolarWinds software supply chain breach is a clear indication that strong OT cybersecurity is a must-have in today’s threat environment.
    https://www.helpnetsecurity.com/2020/12/21/solarwinds-cybersecurity/

    Reply
  5. Tomi Engdahl says:

    Nuclear weapons agency breached amid massive cyber onslaught
    https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855

    Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.

    Reply
  6. Tomi Engdahl says:

    Wide-reaching hack has defense firms on their toes
    https://www.c4isrnet.com/2020/12/23/wide-reaching-hack-has-defense-firms-on-their-toes/

    WASHINGTON ― Some of the country’s leading defense firms are likely among the 18,000 SolarWinds customers that may have been swept up in one of the country’s worst cyber espionage failures, but investigations to determine the scope of the hackers’ reach will take significant time.

    Experts say there simply are not enough skilled threat-hunting teams to identify all the government and private-sector systems that may have been probed. FireEye, the cybersecurity company that discovered the intrusion into U.S. agencies and was among the victims, has already tallied dozens of casualties. It’s racing to identify more but already, Lockheed Martin, Microsoft, and Booz Allen Hamilton have acknowledged they use SolarWinds products.

    “We have a serious problem. We don’t know what networks they are in, how deep they are, what access they have, what tools they left,” said Bruce Schneier, a prominent security expert and Harvard fellow.

    A major part of the problem is that the SolarWinds’ network management platform at the center of the hack was “not the only initial infection vector,” as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency acknowledged last week. One fear is the attackers were able to migrate from SolarWinds into the supply chains of other programs.

    A malicious actor, widely suspected to be Russia, discovered a way to compromise SolarWinds’ software update service for the Orion IT management platform.

    The cyberattack operated undetected for months and reportedly hit multiple government agencies, including the State Department, the Treasury Department, the Department of Homeland Security, and the Pentagon ― though the Pentagon has not confirmed this. Leading defense contractors are among the firms searching for answers.

    “This is not just the government’s problem ― what agencies got penetrated and how much damage ― but I think it’s also clear that this went into a lot of companies. And when it’s a problem that’s more than the government, it needs a solution that’s bigger than just the government,” Berteau said, adding: “It really needs a national fix, not just a government fix.”

    SolarWinds provided services to Lockheed Martin, General Dynamics, Booz Allen Hamilton, Microsoft and more than 400 companies in the U.S. Fortune 500, according to the company’s client list. Lockheed is the country’s largest defense contractor and all of the companies have sizable defense portfolios.

    Microsoft, which provides much of the department’s office software and is set to become its cloud computing provider, disclosed in a Dec. 17 blog post that more than 40 of its customers were “targeted more precisely and compromised through additional and sophisticated measures.” Of those, 9 percent were government contractors that support defense and national security organizations.

    Security teams then have to assume that the patient is still sick with undetected so-called “secondary infections” and set up the cyber equivalent of closed-circuit monitoring to make sure the intruders are not still around, sneaking out internal emails and other sensitive data.

    While companies are still trying to uncover intrusions and their potential impacts, don’t expect them to be transparent to the public. Until they determine they have an obligation to shareholders to disclose the damage from any breaches, government contractors may want to keep quiet about potential impacts to protect their reputations with customers and the public ― and to avoid both potential legal liability and sharing information about that might benefit the attackers.

    “If I were in their position, it makes sense to give out the most vague and uninformative statement that sounds like you’re getting information,” Lin said. “There’s another question: Are they telling anybody, the FBI or Homeland Security for example? You would want them to share information with U.S. government cybersecurity authorities and law enforcement.”

    However unlikely, the worst case scenarios for the defense industry involve hackers finding their way into classified systems or even manipulating data to make weapons systems malfunction.

    Reply
  7. Tomi Engdahl says:

    SolarWinds Orion Breach, SunBurst, and what you can do about it.
    https://m.youtube.com/watch?v=IBGQb5wciNU

    Published 23.12.2020
    An overview of the SolarWinds Orion Breach with John Mancini, Ph.D. and Joe Malenfant. SolarWinds suffered a supply chain compromise that trojanized their update, infecting an estimated 18,000 organizations. Dr. Mancini breaks down the what and how it happened, and what organizations can do about it now and in the future.

    Reply
  8. Tomi Engdahl says:

    So, this is Xmas, NSW Health amongst other victims of the SolarWinds hack, that has leaked data since June, 2020. https://www.abc.net.au/news/science/2020-12-23/hack-russia-nsw-health-rio-tinto-serco-solarwinds-cybersecurity/13009348 But it’s ok, Gladys isn’t protecting any of the COVID Health Data !!!

    NSW Health, Rio Tinto, Serco named as victims of massive global SolarWinds hack attack
    https://www.abc.net.au/news/science/2020-12-23/hack-russia-nsw-health-rio-tinto-serco-solarwinds-cybersecurity/13009348

    NSW Health has been named in a growing list of victims of a major global cyber attack by Russian hackers — although it says patient information was not stolen.

    Reply
  9. Tomi Engdahl says:

    GoDaddy wins our 2020 award for most evil company email
    The domain registrar tricked employees into thinking they earned a bonus
    https://www.theverge.com/2020/12/24/22199406/godaddy-wins-2020-stupidity-award

    As The Copper Courier originally reported, GoDaddy sent an email phishing “test” to its employees promising much-needed money

    The employees who clicked the link then reportedly received an email two days later telling them they failed the test. Instead of receiving a holiday bonus, they’d instead be required to take a training course on social engineering.

    Phishing tests are normal, but promising employees fake money definitely falls into the “oh no they didn’t” category.

    Reply
  10. Tomi Engdahl says:

    Mitt Romney Slams Trump For Downplaying Hack: ‘President Has A Blind Spot When It Comes To Russia’
    https://www.forbes.com/sites/jemimamcevoy/2020/12/20/mitt-romney-slams-trump-for-downplaying-hack-president-has-a-blind-spot-when-it-comes-to-russia/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie

    After President Trump downplayed the severity of a major hack that’s breached at least half-a-dozen U.S. government agencies and potentially thousands of businesses, and sought to shift blame from Russia to China, Sen. Mitt Romney (R-Utah) during a Sunday interview with NBC accused the president of having a “blind spot” when it comes to Russia, pushing for a more forceful response from the White House. 

    The former Republican presidential candidate criticized Trump for his tweet Saturday claiming the hack was “greater in the Fake News Media than in actuality,” a characterization that contradicts his administration’s own cybersecurity agency and secretary of state. 

    “The reality here is that the experts, the people who really understand how our systems work … have determined this came from Russia,” said Romney, accusing Trump of long-sustaining a “blind spot” to Russia: “He doesn’t want to recognize Russia as the problem.” 

    “This demands a response,” said Romney. “This is an extraordinarily damaging invasion, and it went on for a long, long time.” 

    Cybersecurity firm FireEye was reportedly the first to see signs of the Russian hack, which U.S. officials have linked to Russia. Hackers may have been able to gain access to sensitive information from thousands of businesses, as well as critical U.S. agencies, including the Department of Defense, the Pentagon, the Department of Justice and the agency that oversees the country’s nuclear weapons stockpile. On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), whose director Trump fired last month after defending the security of the election, issued a warning about the “grave” threat posed by the hack, which the agency dates back to at least March 2020.

    Commenting publicly on the hack for the first time on Saturday, Trump wrote on Twitter that the media was exaggerating its severity and cast doubt on whether Russia was the perpetrator, despite Secretary of State Mike Pompeo telling a conservative radio show host hours earlier that it was “pretty clearly” done by the Russians.

    Trump has long been hesitant to confront Russia and President Vladimir V. Putin—with his handling of this hack reminiscent of his downplaying of Russia’s proven attempts to interfere in the 2016 election. 

    “The Cyber Hack is far greater in the Fake News Media than in actuality,” wrote Trump in a tweet.

    Reply
  11. Tomi Engdahl says:

    The fallout from the SolarWinds hack that infiltrated the US Treasury and Homeland Security will get worse before it gets better
    https://www.businessinsider.com/fallout-solarwinds-hack-get-worse-before-gets-better-2020-12

    Reply
  12. Tomi Engdahl says:

    Google hackers disclose exploit for an UNPATCHED Windows #vulnerability (CVE-2020-0986) that was exploited as 0-day in the wild, for which #Microsoft issued an incomplete patch and then failed to patch it again under the 90-day deadline.

    https://thehackernews.com/2020/12/google-discloses-poorly-patched-now.html?m=1

    Google’s Project Zero team has made public details of an improperly patched zero-day security vulnerability in Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code.

    Details of the unpatched flaw were revealed publicly after Microsoft failed to patch it within 90 days of responsible disclosure on September 24.

    Originally tracked as CVE-2020-0986, the flaw concerns an elevation of privilege exploit in the GDI Print / Print Spooler API (“splwow64.exe”) that was reported to Microsoft by an anonymous user working with Trend Micro’s Zero Day Initiative (ZDI) back in late December 2019.

    But with no patch in sight for about six months, ZDI ended up posting a public advisory as a zero-day on May 19 earlier this year, after which it was exploited in the wild in a campaign dubbed “Operation PowerFall” against an unnamed South Korean company.

    Although Microsoft eventually addressed the shortcoming as part of its June Patch Tuesday update, new findings from Google’s security team reveal that the flaw has not been fully remediated.

    “The vulnerability still exists, just the exploitation method had to change,”

    Reply
  13. Tomi Engdahl says:

    Second hacking team was targeting SolarWinds at time of big breach
    https://www.reuters.com/article/us-usa-cyber-solarwinds-idUSKBN28T0U1

    A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company’s products earlier this year, according to a security research blog by Microsoft.

    “The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the blog said.

    Reply
  14. Tomi Engdahl says:

    Nashville Flights Halted, Phone And Internet Service Hurt By Explosion That Damaged AT&T Building
    https://www.forbes.com/sites/andrewsolender/2020/12/25/nashville-flights-halted-phone-and-internet-service-hurt-by-explosion-that-damaged-att-building/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie

    Flights into and out of Nashville International Airport were halted on Friday after an explosion early Friday morning outside an AT&T transmission building in the city caused widespread internet and phone outages.

    Reply
  15. Tomi Engdahl says:

    Evil USB Cable Can Remotely Accept Commands From Hacker
    https://uk.pcmag.com/news/119592/evil-usb-cable-can-remotely-accept-commands-from-hacker

    The cable itself looks pretty generic, but the security researcher Mike Grover actually fitted a Wi-Fi chip inside one of the sockets, which can be used to remotely send commands to the connected PC.

    Reply
  16. Tomi Engdahl says:

    Apparently AT&T comms hub was taken out and has affected 911, cell, and internet as far away as Georgia.

    ‘Intentional’ explosion rocks buildings in downtown Nashville
    https://americanmilitarynews.com/2020/12/intentional-explosion-rocks-buildings-in-downtown-nashville/?utm_source=asmdss&utm_campaign=alt&utm_medium=facebook

    Aaron told reporters that authorities received calls of shots fired in the area before the explosion took place. Though officers did not see evidence of shots fired, they did find the suspicious vehicle outside the AT&T building and called in the bomb squad.

    The vehicle exploded while the bomb squad was responding, and it is not known whether anybody was inside at the time of the “significant explosion.”

    Reply
  17. Tomi Engdahl says:

    Russian crypto-exchange Livecoin hacked after it lost control of its servers
    https://www.zdnet.com/article/russian-crypto-exchange-livecoin-hacked-after-it-lost-control-of-its-servers/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    Hackers gained access to the Livecoin portal and modified exchange rates to 10-15 times their normal values.

    Russian cryptocurrency exchange Livecoin posted a message on its official website on Christmas Eve claiming it was hacked and lost control of some of its servers, warning customers to stop using its services.

    According to posts on social media, the attack seems to have happened on the night between December 23 and December 24.

    Hackers appear to have taken control of the Livecoin infrastructure and then proceeded to modify the exchange rates to gigantic and unrealistic values.

    Before Livecoin admins managed to gain back access to some of their systems during late December 24, the Bitcoin exchange rate had ballooned from the regular $23,000/BTC to more than $450,000/BTC, Ether grew from $600/ETH to $15,000, and Ripple price increased from $0.27/XRP to more than $17/XRP.

    Once the exchange rates were modified, the mysterious attackers began cashing out accounts, generating gigantic profits.

    Reply
  18. Tomi Engdahl says:

    CSE warns companies to check IT systems following SolarWinds hack
    https://www.cbc.ca/news/politics/cse-solarwinds-warning-1.5854614

    Government agencies, organizations in Canada and abroad believed to be affected, cybersecurity force says

    https://www.cbc.ca/news/politics/cse-solarwinds-warning-1.5854614

    Reply
  19. Tomi Engdahl says:

    Google: Here’s how our huge Gmail and YouTube outage was due to an errant ‘zero’
    Google reveals the most sophisticated systems can throw up unexpected problems
    https://www.zdnet.com/article/google-heres-how-our-huge-gmail-and-youtube-outage-was-due-to-an-errant-zero/

    Google has revealed that a simple ‘zero’ value was behind the failure of its global authentication system that blocked access to YouTube, Gmail, and Google Cloud Platform services.

    A day after the incident on Monday 14, Google said in a preliminary analysis that the root cause was an issue in its automated storage quota management system, which reduced the capacity of its central identity management system and in turn blocked everyone from accessing many Google services that require users to log in.

    Reply
  20. Tomi Engdahl says:

    The US has suffered a massive cyberbreach. It’s hard to overstate how bad it is
    Bruce Schneier
    https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols

    This is a security failure of enormous proportions – and a wake-up call. The US must rethink its cybersecurity protocols

    Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but that’s wrong on two accounts. It wasn’t a cyber-attack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.

    Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk – and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.

    Here’s what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR – previously known as the KGB – hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123” – something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.

    This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself – and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.

    Reply
  21. Tomi Engdahl says:

    Recovering from this attack isn’t easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isn’t compromised is to burn it to the ground and rebuild it, similar to reinstalling your computer’s operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they can’t be sure.
    https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols

    Reply
  22. Tomi Engdahl says:

    Experts who wrestled with SolarWinds hackers say cleanup could take months – or longer
    https://www.reuters.com/article/us-global-cyber-usa-solarwinds-idUSKBN28Y1K3

    Cybersecurity expert Steven Adair and his team were in the final stages of purging the hackers from a think tank’s network earlier this year when a suspicious pattern in the log data caught their eye.

    The spies had not only managed to break back in – a common enough occurrence in the world of cyber incident response – but they had sailed straight through to the client’s email system, waltzing past the recently refreshed password protections like they didn’t exist.

    “Wow,” Adair recalled thinking in a recent interview. “These guys are smarter than the average bear.”

    Adair – who spent about five years helping defend NASA from hacking threats before eventually founding Volexity – said he had mixed feelings about the episode. On the one hand, he was pleased that his team’s assumption about a SolarWinds connection was right. On the other, they had been at the outer edge of a much bigger story.

    A big chunk of the U.S. cybersecurity industry is now in the same place Volexity was earlier this year, trying to discover where the hackers have been and eliminate the various secret access points the hackers likely planted on their victims’ networks.

    In any case, he predicted a big price tag as caffeinated experts were brought in to pore over digital logs for traces of compromise.

    “There’s a lot of time, treasury, talent and Mountain Dew that’s involved,” he said.

    Reply
  23. Tomi Engdahl says:

    https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html?m=1

    An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries as zero-day to deploy the SUPERNOVA malware in target environments.

    According to an advisory published yesterday by the CERT Coordination Center, the SolarWinds Orion API that’s used to interface with all other Orion system monitoring and management products suffers from a security flaw (CVE-2020-10148) that could allow a remote attacker to execute unauthenticated API commands, thus resulting in a compromise of the SolarWinds instance.

    Reply
  24. Tomi Engdahl says:

    The suspected Russian hackers behind the worst U.S. cyber attack in years leveraged reseller access to Microsoft Corp services to penetrate targets that had no compromised network software from SolarWinds Corp, investigators said.

    While updates to SolarWinds’ Orion software were previously the only known point of entry, security company CrowdStrike Holdings Inc said Thursday hackers had won access to the vendor that sold it Office licenses and used that to try to read CrowdStrike’s email.

    https://uk.reuters.com/article/us-global-cyber-usa/suspected-russian-hackers-used-microsoft-vendors-to-breach-customers-idUKKBN28Y1BF

    Many Microsoft software licenses are sold through third parties, and those companies can have near-constant access to clients’ systems as the customers add products or employees.

    Microsoft said Thursday that those customers need to be vigilant.

    “Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms,”

    Reply
  25. Tomi Engdahl says:

    SOLARWINDS HACK INFECTED CRITICAL INFRASTRUCTURE, INCLUDING POWER INDUSTRY
    https://interc.pt/3mP8Tuy

    The companies involved used compromised software, but it’s not clear if hackers entered their networks. Finding out could be difficult

    The hacking campaign that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries who were also running the software, according to a security firm conducting investigations of some of the breaches.

    In addition to the critical infrastructure companies, the SolarWinds software also infected three firms that provide services for such companies, says Rob Lee, CEO of Dragos, Inc., which specializes in industrial control system security and discovered some of the infections.

    The service companies are known within the industry as original equipment manufacturers, or OEMs. They sometimes have remote access to critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breached the OEMs could potentially use their credentials to control critical customer processes.

    “If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”

    Reply
  26. Tomi Engdahl says:

    Hackers threaten to leak plastic surgery pictures
    https://www.bbc.com/news/technology-55439190

    Hackers have stolen the data of a large cosmetic surgery chain and are threatening to publish patients’ before and after photos, among other details.

    The Hospital Group, which has a long list of celebrity endorsements, has confirmed the ransomware attack.

    On its darknet webpage, the hacker group known as REvil said the “intimate photos of customers” were “not a completely pleasant sight”.

    It claimed to have obtained more than 900 gigabytes of patient photographs.

    The Hospital Group, which is also known as the Transform Hospital Group, claims to be the UK’s leading specialist weight loss and cosmetic surgery group.

    The Hospital Group said in a statement: “We can confirm that our IT systems have been subject to a data security breach. None of our patients’ payment card details have been compromised but at this stage, we understand that some of our patients’ personal data may have been accessed.”

    Reply
  27. Tomi Engdahl says:

    Anthony Quinn Warner, self-employed computer guru ID’d as lone Nashville bomber, killed in blast
    https://eu.tennessean.com/story/news/crime/2020/12/27/anthony-quinn-warner-confirmed-person-interest-nashville-explosion/4052711001/

    Federal authorities say a 63-year-old Antioch man was responsible for a Christmas morning bombing that left the suspect dead and captured the nation’s attention over the holiday weekend as officials worked to determine who parked an RV downtown to detonate.

    The RV was parked outside of an AT&T facility, though authorities have not said whether they believe the telecommunications company may have been a target.

    The blast caused extensive damage to phone and internet coverage throughout the region, causing communication blackouts for 911 centers in surrounding counties, leaving customers throughout the state without service and exposing vulnerabilities in infrastructure.

    Gov. Bill Lee on Saturday requested federal aid in an effort to help businesses affected by the explosion.

    FBI probing if 5G paranoia was behind Nashville Christmas bombing
    https://nypost.com/2020/12/27/fbi-probing-if-nashville-bomber-was-paranoid-about-5g-technology/

    FBI agents working the Nashville Christmas bombing are asking around about whether Anthony Quinn Warner — a local computer expert named as a “person of interest” — was paranoid about 5G technology, according to a report.

    Agents are probing if Warner, 63, feared that 5G technology was being used to spy on Americans, a source close to the investigation told the NBC News affiliate in Nashville.

    Reply
  28. Tomi Engdahl says:

    ‘Very difficult to defend’: What happens if hackers are inside the Pentagon’s networks?
    https://www.c4isrnet.com/battlefield-tech/it-networks/2020/12/27/very-difficult-to-defend-what-happens-if-hackers-are-inside-the-pentagons-networks/

    WASHINGTON — If Russian hackers suspected of a vast cybersecurity breach slipped into the Pentagon or military’s computer systems, the strength of protective network blockades is key to keeping them from burrowing in to try to access increasing amounts of information.

    “We certainly have a high degree of activity around that right now,” Navy CIO Aaron Weis told C4ISRNET. “We have teams who have acted upon the direct orders from Cyber Command and have executed those things. We continue to engage around that. There are internal meetings that are ongoing where we’re ensuring that we’ve put the right things in place. Absolutely it’s got our full attention.”

    According to cybersecurity company FireEye, which uncovered the breach, the access that hackers achieved has allowed the malicious actor to move further into computer networks.

    “If an adversary had gotten in and moved laterally, then all the network connection points — any place you have connections between networks and those trust relationships — that becomes very difficult to defend,” said retired Rear Adm. Danelle Barrett, former deputy Navy CIO and cybersecurity division director.

    First, cyber threat hunters must find out whether the intruder persists on the network. Job No. 1 for response teams is to cut off any existing access the trespassers might have, Tighe said. If the intrusion was an espionage campaign, DoD will have to do a damage assessment of what information was affected. If the agency can’t be sure what data and communications were accessed, leaders have to make assumptions about what the hackers may have reached, she said.

    The second, more troubling question is whether hackers altered data in any way, which Tighe said could be more problematic than destroying data.

    “You have data, but you don’t know if it’s really the right data in your network. Depending on what aspect of the DoD you’re in, that could be very damaging,” she explained.

    If the actor entered into a central network through the SolarWinds vulnerability and found lax security on connected systems, that could cause serious problems for the department.

    Communication is likely disrupted during a survey of potential network damage. Specifically, officials shouldn’t send and receive emails on the network if investigators are searching for potential compromises, Tighe said, noting that one of the first things the Cybersecurity and Infrastructure Security Agency did was tell agencies to have a different way of communicating as they coordinate the response.

    In another scenario, subtle, hard-to-detect data manipulations could be introduced into the software of a weapon system so that it malfunctions.

    However, Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University, cautioned that there is no evidence that the Russians have taken that step, and it is unlikely because of the strong reaction it would likely provoke. He also noted that if the Russians were to even threaten such action, that would raise concerns.

    Reply
  29. Tomi Engdahl says:

    Parliament has been the target of a cyber attack – MPs’ emails at risk
    https://www.tivi.fi/uutiset/tv/432bdeae-319c-4182-ab9a-6fceb1d894f1

    Parliament announced that it was the target of a cyber attack in the autumn. The attack was detected by Parliament’s internal technical monitoring.

    The press release reveals that the attack had serious consequences, as the security of some of Parliament’s email accounts was compromised as a result. Some of the owners of these email accounts are members of Parliament.

    “The cyber attack against Parliament is a serious attack on our democracy and on Finnish society. We cannot accept any kind of hostile cyber activity, whether carried out by a state or a non-state actor.”

    The National Bureau of Investigation’s press release states that the act was not random or an accident.

    Reply
  30. Tomi Engdahl says:

    One in ten shopping ads promoted on Google potentially lead to phishing sites
    https://cybernews.com/security/one-in-ten-shopping-ads-promoted-on-google-potentially-lead-to-phishing-sites/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=shopping_ads_phishing&fbclid=IwAR2Z04f3SijP2lSkp6xqs4ntjzVAVKi7FDjAyuSesk3GPIAMo5c-YVa9hpc

    With the holiday shopping season in full swing, millions of users are hunting for the best deals online. However, many don’t realize that the amazing deal they just found on Google is actually too good to be true.

    Unfortunately, not all Google ads are created by legitimate advertisers. Some are made by cybercriminals. Such ads will lead users to malicious phishing websites where they can be tricked into buying counterfeit or unsafe products, fall victim to financial scams, or worse.

    What we discovered was eye-opening: 10% of the Google ads we analyzed potentially lead to malicious phishing websites, where cybercriminals could lure users in order to steal their money and personal data.

    You’d think that every single ad you see on Google undergoes a proper security check to ensure it’s not promoting an unsafe website. Sadly, it seems that this isn’t necessarily the case.

    Reply
  31. Tomi Engdahl says:

    Hackers gained access to the Finnish Parliament’s IT system in recent months in an incident that allowed them to access some emails belonging to members of Parliament.
    The Speaker of Finland’s Parliament, Anu Vehviläinen, described the incident as an attack on Finland’s democracy.

    “We cannot accept any kind of hostile cyber activity, whether committed by a governmental or non-governmental entity,” Vehviläinen said in a statement.

    https://www.cyberscoop.com/finland-parliament-targeted-espionage-emails/

    Reply
  32. Tomi Engdahl says:

    This kind of information may have ended up in the wrong hands in the Parliament data breach – expert considers the matter serious https://www.is.fi/digitoday/tietoturva/art-2000007708557.html

    Former MP on the Parliament data breach: “Everything a person does is there” https://www.is.fi/digitoday/tietoturva/art-2000007708376.html

    Reply
  33. Tomi Engdahl says:

    GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic
    https://www.bleepingcomputer.com/news/security/github-hosted-malware-calculates-cobalt-strike-payload-from-imgur-pic/

    A new strand of malware uses Word files with macros to download a PowerShell script from GitHub.

    This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.

    Multiple researchers have potentially linked this strain to MuddyWater (aka SeedWorm and TEMP.Zagros), a government-backed advanced persistent threat (APT) group, first observed in 2017 while mainly targeting Middle Eastern entities.

    Reply
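    The process chain described in that report (an Office document spawning PowerShell, which then pulls content from GitHub and Imgur) is a pattern a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article or from any of the researchers it cites; it assumes Sysmon-style process-creation and network-connection events reduced to simple dictionaries, and the event data, PIDs and hostnames below are constructed for the illustration.

```python
"""Detection sketch: flag PowerShell launched by an Office application
that then connects to public code- or image-hosting services.

Added example; event shape and sample data are constructed, not real
telemetry from any incident."""
import re
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Hosting services frequently abused for staging. A connection to one of
# these is not malicious by itself; it only matters combined with an
# Office parent, which is why the rule keys on the full chain.
STAGING_DOMAINS = re.compile(
    r"(raw\.githubusercontent\.com|github\.com|i\.imgur\.com|imgur\.com)$",
    re.IGNORECASE,
)

# Constructed sample telemetry. "process" events carry pid/ppid/image/cmd,
# "network" events carry the pid that opened the connection.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe", "cmd": "WINWORD.EXE invoice.docm"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell -w hidden -enc AAAA"},
    {"type": "network", "pid": 300, "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"type": "network", "pid": 300, "dest_host": "i.imgur.com", "dest_port": 443},
    # Benign: an administrator runs PowerShell from a console and reaches GitHub.
    {"type": "process", "pid": 400, "ppid": 100, "image": "cmd.exe", "cmd": "cmd.exe"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "powershell.exe", "cmd": "powershell Get-Process"},
    {"type": "network", "pid": 500, "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    # Benign: Word itself talking to a Microsoft CDN.
    {"type": "network", "pid": 200, "dest_host": "officecdn.microsoft.com", "dest_port": 443},
]


def find_office_script_staging(events):
    """Return one finding per script host whose parent is an Office
    application and which contacted at least one staging domain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    conns = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            conns[e["pid"]].append(e["dest_host"])

    findings = []
    for pid, proc in procs.items():
        if proc["image"].lower() not in SCRIPT_HOSTS:
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or parent["image"].lower() not in OFFICE_PARENTS:
            continue
        hosts = [h for h in conns.get(pid, []) if STAGING_DOMAINS.search(h)]
        if hosts:
            findings.append({
                "pid": pid,
                "parent": parent["image"],
                "cmd": proc["cmd"],
                "staging_hosts": sorted(set(hosts)),
            })
    return findings


if __name__ == "__main__":
    for f in find_office_script_staging(SAMPLE_EVENTS):
        print(f"ALERT pid={f['pid']} parent={f['parent']} "
              f"hosts={','.join(f['staging_hosts'])} cmd={f['cmd']!r}")
```

    Only the Word-spawned PowerShell instance is flagged; the console-launched PowerShell that also reaches GitHub is not, which keeps the rule usable in environments where administrators legitimately fetch scripts from public repositories.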
  34. Tomi Engdahl says:

    Ticketmaster to pay $10 million in fines after admitting to illegally accessing competitor’s computers
    https://edition.cnn.com/2020/12/30/business/ticketmaster-plea-passwords-computers/index.html

    New York (CNN) Ticketmaster entered into a plea agreement with federal prosecutors in Brooklyn, New York and will pay $10 million in fines to resolve charges that it accessed the computer systems of a competitor without authorization.

    “Ticketmaster employees repeatedly — and illegally — accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” Acting U.S. Attorney Seth DuCharme said Wednesday in a press release.
    Ticketmaster is a subsidiary of LiveNation (LYV).

    According to the deferred prosecution agreement unsealed Wednesday, a former Ticketmaster employee named Zeeshan Zaidi went to work for Live Nation in 2013 as a consultant, and was hired full time to work for Ticketmaster in 2014 after leaving a competing company, which is unnamed in the court filing.
    Zaidi allegedly had access to usernames and passwords for the unnamed competitor, and used them without authorization to access that company’s systems while working for Ticketmaster between 2013 and 2015.

    The deferred prosecution agreement states that the information obtained from accessing the systems was used, for among other things, to prepare “strategy presentations for senior Live Nation and Ticketmaster executives that benchmarked competitor products and services,” including ones offered by the competitor company.

    According to the deferred prosecution agreement, a Ticketmaster executive described that the goal was to “choke off” the victim company and “steal back” one of its clients.
    Zaidi was terminated from Ticketmaster in 2017 and pleaded guilty in Brooklyn federal court in 2019 to one count of conspiring to access protected computers without authorization and to commit wire fraud, according to the deferred prosecution agreement.

    “When employees walk out of one company and into another, it’s illegal for them to take proprietary information with them,”

    Reply
  35. Tomi Engdahl says:

    TransLink warns staff hackers accessed personal banking information in cyberattack
    http://globalnews.ca/news/7548761/translink-cyberattack-personal-info/

    TransLink staff have been told that a cyberattack early this month accessed personal banking information and other files, and is advising employees to sign up for credit monitoring.

    In an internal email to employees at Coast Mountain Bus Company (CMBC) obtained by Global News Wednesday, staff were told the attackers “accessed and may have copied files from a restricted network drive” that contains payroll information for TransLink, CMBC and Metro Vancouver Transit Police employees, along with other network drives.

    “Those restricted network drives include files that contain banking information and some social insurance numbers,”

    Reply
