This posting is here to collect cyber security news in February 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
310 Comments
Tomi Engdahl says:
Six arrested after changing Hollywood sign to “HOLLYBOOB”
https://www.latimes.com/california/story/2021-02-01/hollywood-sign-hollyboob-six-arrested
Six people were arrested Monday after scaling steep terrain around the iconic Hollywood sign and strategically changing it to convey what they said was a breast cancer awareness message, according to police.
All six will be cited with misdemeanor trespassing and released, Lurie said. “There’s no vandalism, because the sign wasn’t damaged,” he said.
The sign has been changed before. On New Year’s Day 2017, it was changed to read “HOLLYWeeD.”
“It’s probably just a gag,”
Tomi Engdahl says:
Facebook deletes Robin Hood Stock Traders group with over 150,000 members
https://reclaimthenet.org/facebook-deletes-robin-hood-stock-traders-group-with-over-150000-members/
Tomi Engdahl says:
Robinhood Is Down To 1 Star On Google’s Mobile App Store Again, This Time Google Won’t Intervene
https://www.forbes.com/sites/siladityaray/2021/02/02/robinhood-is-down-to-1-star-on-googles-mobile-app-store-again-this-time-google-wont-intervene/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie
Online stock trading platform Robinhood has seen its review score on Google’s mobile app store plummet to a one-star rating out of five for the second time in less than a week, as irate users flooded the app with negative reviews in retaliation to its decision to curb the trading of several popular but volatile meme stocks like GameStop and AMC last week, highlighting how anger over the incident still persists among online traders.
Tomi Engdahl says:
CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds
https://www.securityweek.com/cisa-says-many-victims-solarwinds-hackers-had-no-direct-link-solarwinds
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says many of the victims of the threat group that targeted Texas-based IT management firm SolarWinds were not directly linked to SolarWinds.
“While the supply chain compromise of SolarWinds first highlighted the significance of this cyber incident, our response has identified the use of multiple additional initial infection vectors. We have found that significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds,” a CISA spokesperson told SecurityWeek.
“This is an ongoing response, and we are still working with our government and private sector partners to fully understand this campaign, and to develop and share timely information to mitigate the threat posed by this adversary,” the agency said.
CISA’s acting director, Brandon Wales, told The Wall Street Journal last week that roughly 30% of the victims identified by the agency did not have a direct connection to SolarWinds. Wales also said some victims were compromised before SolarWinds started delivering malicious product updates to customers.
Tomi Engdahl says:
Russian Hack Brings Changes, Uncertainty to US Court System
https://www.securityweek.com/russian-hack-brings-changes-uncertainty-us-court-system
Trial lawyer Robert Fisher is handling one of America’s most prominent counterintelligence cases, defending an MIT scientist charged with secretly helping China. But how he’ll handle the logistics of the case could feel old school: Under new court rules, he’ll have to print out any highly sensitive documents and hand-deliver them to the courthouse.
Until recently, even the most secretive material — about wiretaps, witnesses and national security concerns – could be filed electronically. But that changed after the massive Russian hacking campaign that breached the U.S. court system’s electronic case files and those of scores of other federal agencies and private companies.
The new rules for filing sensitive documents are one of the clearest ways the hack has affected the court system. But the full impact remains unknown. Hackers probably gained access to the vast trove of confidential information hidden in sealed documents, including trade secrets, espionage targets, whistleblower reports and arrest warrants. It could take years to learn what information was obtained and what hackers are doing with it.
It’s also not clear that the intrusion has been stopped, prompting the rules on paper filings. Those documents are now uploaded to a stand-alone computer at the courthouse — one not connected to the network or Internet. That means lawyers cannot access the documents from outside the courthouse.
Tomi Engdahl says:
Lawmakers Ask NSA About Its Role in Juniper Backdoor Discovered in 2015
https://www.securityweek.com/lawmakers-ask-nsa-about-its-role-juniper-backdoor-discovered-2015
Tomi Engdahl says:
Cyberspies Delivered Malware to Gamers via Supply Chain Attack
https://www.securityweek.com/cyberspies-delivered-malware-gamers-supply-chain-attack
Researchers at cybersecurity firm ESET say they have uncovered an espionage campaign that has targeted online gamers in Asia through a compromised software company.
Called Operation NightScout, the campaign apparently involved a breach at BigNox, the company behind NoxPlayer, an Android emulator that allows users to run mobile apps on PCs or Macs, and which claims to have more than 150 million users worldwide, most of them located in Asia.
After compromising the update mechanism for NoxPlayer, the threat actor behind the attack pushed a series of tailored malicious updates that resulted in three different malware families being installed on the devices of a handful of selected victims.
The highly targeted nature of the attack, ESET’s security researchers say, suggests that the purpose of this campaign is surveillance, and not financial gain: only five out of 100,000 ESET users running NoxPlayer on their machines received a malicious update.
Tomi Engdahl says:
SonicWall zero-day exploited in the wild
https://www.zdnet.com/article/sonicwall-zero-day-exploited-in-the-wild/
Cyber-security firm the NCC Group said on Sunday that it detected
active exploitation attempts against a zero-day vulnerability in
SonicWall networking devices. Details about the nature of the
vulnerability have not been made public to prevent other threat actors
from studying it and launching their own attacks.
Tomi Engdahl says:
New Trickbot module uses Masscan for local network reconnaissance
https://www.zdnet.com/article/new-trickbot-module-uses-masscan-for-local-network-reconnaissance/
Cyber-security experts say they spotted a new component of the
Trickbot malware that performs local network reconnaissance. Named
masrv, the component incorporates a copy of the Masscan open-source
utility in order to scan local networks for other systems with open
ports that can be attacked at a later stage. The idea behind masrv is
to drop the component on newly infected devices, send a series of
Masscan commands, let the component scan the local network, and upload
the scan results to a Trickbot command and control server. also:
https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/
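The masrv component described above is, from a defender's point of view, a newly infected host suddenly touching many neighbours on many ports. Below is an added detection example (not code from the ZDNet or Kryptos Logic write-ups, and nothing to do with the module itself): it reads constructed firewall log lines in an assumed iptables-like format (SRC=, DST=, DPT= fields), keeps a sliding time window per source, and flags any source that reaches a threshold of distinct host:port targets within that window. The format, thresholds and addresses are all assumptions chosen for the example.

```python
"""Flag hosts that probe many distinct host:port targets in a short window.

Added example for scan detection. The log format below is an assumed
iptables-style layout (timestamp ... SRC=a DST=b ... DPT=n); adapt the regex
to whatever your firewall or flow collector actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Assumed log line layout: ISO timestamp, free text, then SRC=, DST= and DPT= fields.
LINE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def parse(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_scanners(lines: List[str], window_s: int = 60, min_targets: int = 20) -> Dict[str, int]:
    """Map each source that hit >= min_targets distinct (dst, port) pairs inside
    any window_s-second window to the largest number of targets it reached.

    Distinct (dst, port) pairs are counted so that both horizontal sweeps
    (one port, many hosts) and vertical sweeps (one host, many ports) register.
    """
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, Deque[Tuple[datetime, Tuple[str, int]]]] = defaultdict(deque)
    alerts: Dict[str, int] = {}
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], (e["dst"], e["dpt"])))
        # Drop entries that fell out of the sliding window.
        while (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= min_targets:
            alerts[e["src"]] = max(alerts.get(e["src"], 0), len(targets))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one sweeping host and one host with ordinary traffic."""
    base = datetime(2021, 2, 2, 10, 0, 0)
    lines = []
    # Constructed: 10.0.0.5 probes TCP/445 on thirty neighbours within thirty seconds.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.{10 + i} PROTO=TCP DPT=445")
    # Constructed: 10.0.0.7 talks to a single file server, which is normal.
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.50 PROTO=TCP DPT=445")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, count in detect_scanners(SAMPLE_LOG).items():
        print(f"possible internal scan from {src}: {count} distinct host:port targets")
```

Tune `window_s` and `min_targets` to the segment: a jump host or vulnerability scanner will trip this rule legitimately, so pair it with an allow-list of known scanners rather than lowering the threshold.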
Tomi Engdahl says:
Here’s how hackers can compromise your network via routers that aren’t
protected with IoT device security
https://blog.checkpoint.com/2021/02/01/iot-firmware-security-zero-day-exploitation-prevention/
Security for the “Internet of Things” (or IoT) is still relatively new
to a majority of organizations. Understanding IoT firmware security
will help protect against device attacks that target weak networked
devices like IP cameras, routers, smart meters, medical equipment, and
more.
Tomi Engdahl says:
Russian hack brings changes, uncertainty to US court system
https://apnews.com/article/coronavirus-pandemic-courts-russia-375942a439bee4f4b25f393224d3d778
Until recently, even the most secretive material – about wiretaps,
witnesses and national security concerns – could be filed
electronically. But that changed after the massive Russian hacking
campaign that breached the U.S. court system’s electronic case files
and those of scores of other federal agencies and private companies.
Tomi Engdahl says:
Finnish Information Security Cluster – Kyberala ry to become a sector
association of Teknologiateollisuus (Technology Industries of Finland)
https://www.epressi.com/tiedotteet/turvallisuus/finnish-information-security-cluster-kyberala-ry-teknologiateollisuuden-toimialayhdistykseksi.html
Finnish Information Security Cluster Kyberala ry joins Teknologiateollisuus
as a sector association from 1 February 2021. Cyber security technology
plays an increasingly significant role both in digitalising industry and
in society as a whole.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Network security provider SonicWall says hackers are exploiting a critical zero-day vulnerability in its SMA 100 networking devices, and a patch is due Tuesday
Hackers are exploiting a critical zeroday in devices from SonicWall
“Highly sophisticated threat actors” exploit flaws in coordinated attack on SonicWall.
https://arstechnica.com/information-technology/2021/02/hackers-are-exploiting-a-critical-zeroday-in-firewalls-from-sonicwall/
Tomi Engdahl says:
Ransomware: A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again
https://www.zdnet.com/article/ransomware-this-is-the-first-thing-you-should-think-about-if-you-fall-victim-to-an-attack/
A cautionary tale shows how organisations that fall foul of ransomware should concentrate on finding how it happened before anything else – or they could fall victim again.
A company that fell victim to a ransomware attack and paid cyber criminals millions for the decryption key to restore their network fell victim to the exact same ransomware gang under two weeks later after failing to examine why the attack was able to happen in the first place.
The unnamed company fell victim to a ransomware attack and paid millions in bitcoin in order to restore the network and retrieve the files.
However, the company just left it at that, failing to analyse how cyber criminals infiltrated the network – something that came back to haunt them when the same ransomware gang infected the network with the same ransomware less than two weeks later. The company ended up paying a ransom a second time.
“We’ve heard of one organisation that paid a ransom (a little under £6.5million with today’s exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again,” the NCSC blog said.
The NCSC has detailed the incident as a lesson for other organisations – and the lesson is that if you fall victim to a ransomware attack, find out how it was possible for cyber criminals to embed themselves on the network undetected before the ransomware payload was unleashed.
“For most victims that reach out to the NCSC, their first priority is – understandably – getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer,” said the blog post by an NCSC technical lead for incident management.
The best way to avoid any of this is to ensure your network is secure against cyberattacks in the first place by doing things like making sure operating systems and security patches are up to date and applying multi-factor authentication across the network.
It’s also recommended that organisations regularly backup their networks – and store those backups offline – so in the event of a successful ransomware attack, the network can be restored with the least disruption possible.
Tomi Engdahl says:
Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources
https://mobile.reuters.com/article/amp/idUSKBN2A22K8?__twitter_impression=true
Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency.
Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.
Tomi Engdahl says:
North Korea-Backed Hackers Targeting Security Researchers
https://spectrum.ieee.org/tech-talk/computing/networks/northkorea-security
According to Google, North Korean-backed hackers are pretending to be security researchers, complete with a fake research blog and bogus Twitter profiles. These actions are supposedly part of spying efforts against actual security experts.
Tomi Engdahl says:
Kobalos – A complex Linux threat to high performance computing infrastructure
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
ESET researchers have analyzed malware that has been targeting high performance computing (HPC) clusters, among other high-profile targets. We reverse engineered this small, yet complex, malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows. We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a Kobalos is a small, mischievous creature. Today we publish a paper titled “A wild Kobalos appears: Tricksy Linux malware goes after HPCs” describing the inner workings of this threat.
Tomi Engdahl says:
‘Severe’ SolarWinds Vulnerabilities Allow Hackers To Take Over Servers—Update Now
https://www.forbes.com/sites/thomasbrewster/2021/02/03/severe-solarwinds-vulnerabilities-allow-hackers-to-take-over-servers-update-now/
A handful of “severe” vulnerabilities have been discovered in SolarWinds Orion, the same IT management software that was hijacked by alleged Russian hackers to steal data from multiple government agencies, cybersecurity companies and other tech companies.
Tomi Engdahl says:
A Second SolarWinds Hack Deepens Third-Party Software Fears
It appears that not only Russia but also China targeted the company, a reminder of the many ways interconnectedness can go wrong.
https://www.wired.com/story/solarwinds-hack-china-usda/
Tomi Engdahl says:
Robinhood’s Cautionary Tale Of Piling Into ‘Meme Stocks’ Results In Big Losses, Customer Complaints And Lawsuits
http://on.forbes.com/6183HeBAh
Robinhood, the stock trading app marketed to novice investors as the democratization of Wall Street and leveling the playing field, is now the subject of dozens of lawsuits.
Tomi Engdahl says:
Practical Insider Threat Penetration Testing Cases with Scapy (Shell Code and Protocol Evasion)
https://pentestmag.com/practical-insider-threat…/
#pentest #magazine #pentestmag #pentestblog #PTblog #insider #threat #penetration #testing #cases #Scapy #shell #code #protocol #evasion #cybersecurity #infosecurity #infosec
Tomi Engdahl says:
Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks
Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992, reported as abused in the wild.
https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/
Tomi Engdahl says:
Robert McMillan / Wall Street Journal:
SolarWinds CEO says hackers had breached the company’s Office 365 email system for at least nine months starting December 2019 — Investigators still don’t know how the company was breached in attack that will cost millions — The newly appointed chief executive of SolarWinds Corp …
Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says
Investigators still don’t know how the company was breached in attack that will cost millions
https://www.wsj.com/articles/hackers-lurked-in-solarwinds-email-system-for-at-least-9-months-ceo-says-11612317963?mod=djemalertNEWS
The newly appointed chief executive of SolarWinds Corp. is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year, but said evidence is emerging that they were lurking in the company’s Office 365 email system for months.
The hackers had accessed at least one of the company’s Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, Sudhakar Ramakrishna said in an interview Tuesday. “Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised,” he said.
It is the latest development in the eight-week investigation into one of the worst breaches in U.S. history. SolarWinds, previously a little-known but critical maker of network-management software, is still trying to understand how the hackers first got into the company’s network and when exactly that happened.
Tomi Engdahl says:
Privilege Escalation Flaw Discovered in Microsoft’s Azure Functions
https://www.toolbox.com/security/cloud-security/news/privilege-escalation-flaw-discovered-in-microsofts-azure-functions/
Tomi Engdahl says:
Malicious script steals credit card info stolen by other hackers > https://www.bleepingcomputer.com/news/security/malicious-script-steals-credit-card-info-stolen-by-other-hackers/
Tomi Engdahl says:
Barstool founder Dave Portnoy sells GameStop, AMC shares at $700K loss
https://trib.al/lIUOzop
Outspoken social media personality Dave Portnoy tweeted Tuesday that he has sold his shares in companies GameStop and AMC at a major loss, blaming trading app Robinhood for killing the so-called “Reddit Rally” that he joined and helped promote in recent weeks.
“I have officially sold all my meme stocks. I lost 700k ish,” Portnoy tweeted before taking a personal shot at the CEO of Robinhood. “Vlad and company stole it from me and should be in jail.”
Portnoy’s selling comes as the manic trading blitz that sent cheap stocks to outrageous new heights — fueled by retail traders using Reddit and Robinhood — hits shaky ground. GameStop shares are down more than 50 percent Tuesday. The price of silver has also retreated Tuesday and theater chain AMC’s shares are down more than 40 percent.
Portnoy — the founder of Barstool Sports who became a stock-trading folk hero during the pandemic — has been unrelenting in his criticism of the no-fee trading app after it made the controversial decision last week to limit the amount of GameStop and other “meme stocks” that users could buy on Thursday.
“When [Robinhood] shut it down, then cut it back, lets put aside why, they cut of the greatest source of demand,” he posted in response to a question about why GameStop stock was plunging. “They created a RobinHood Dive.”
Robinhood has been easing its buying restrictions since Friday, including by raising billions of dollars to support trading volatility.
But that hasn’t stopped day traders like Portnoy from lashing out at the app for preventing Regular Joes from keeping up the pressure on Wall Street shorts. Portnoy has also accused the company of conspiring with billionaire investors to protect the fat cats from the little guys.
Tomi Engdahl says:
Robinhood CEO confronted by Elon Musk over GameStop stock market ‘conspiracy’ controversy
https://www.independent.co.uk/life-style/gadgets-and-tech/robinhood-elon-musk-gamestop-conspiracy-b1795770.html?utm_content=Echobox&utm_medium=Social&utm_source=Facebook#Echobox=1612197530
“If you had no choice, that’s understandable, but then … who are these people who said you have no choice?”, Mr Musk asked
Vlad Tenev, the CEO of stock-trading app Robinhood, rejects “conspiracy theories” about the purchase and selling of GameStop stock which has skyrocketed in recent days.
While the details are complex, over the past few days a Reddit forum called “WallStreetBets” decided to buy into GameStop shares, increasing the cost and making hedge fund managers face up to huge losses, The Independent’s Ben Chapman explains.
Since some hedge funds had borrowed and sold millions of GameStop’s shares, they were facing huge losses and had to buy the shares back to stop those losses rising further.
When questioned whether something “shady [went] down” by Mr Musk, who pointed out that it was “weird” to get a “$3 billion demand, you know, at 3:30 a.m. in the morning, just suddenly out of nowhere”, Tenev denied the notion.
“The fact of the matter is, people get really pissed off if they’re holding stocks and they want to sell and they can’t. So that’s categorically worse.
Tomi Engdahl says:
More than three billion emails and passwords were just leaked online
By Anthony Spadafora a day ago
https://www.techradar.com/news/more-than-three-billion-emails-and-passwords-were-just-leaked-online
Compilation of Many Breaches contains credentials and data from past leaks
Normally when a data breach occurs, the cybercriminals responsible may leak the usernames and passwords stolen from one organization or company. However, a new compilation recently posted on an online hacking forum contains more than 3.2bn unique pairs of cleartext emails and passwords gathered from past leaks.
Tomi Engdahl says:
Plex Media servers actively abused to amplify DDoS attacks
https://www.bleepingcomputer.com/news/security/plex-media-servers-actively-abused-to-amplify-ddos-attacks/
Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.
Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more.
https://support.plex.tv/articles/200380843-overview/
Tomi Engdahl says:
Free coffee! Belgian researcher hacks prepaid vending machines
https://nakedsecurity.sophos.com/2021/02/04/free-coffee-dutch-researcher-hacks-prepaid-vending-machines/
Belgian cybersecurity researcher Polle Vanhoof just published a fascinating and well-written paper about an exploitable hole he found in the payment system used in some Nespresso prepaid coffee machines.
That’s actually much better news than it sounds.
Vanhoof disclosed the flaw back in September 2020; has publicly praised Nespresso in his writeup for its responsiveness in handling the issue; and waited until now to publish his article with Nespresso’s blessing:
https://pollevanhoof.be/nuggets/smart_cards/nespresso
Tomi Engdahl says:
Vote machine biz Smartmatic sues Fox News and Trump chums for $2.7bn over bogus claims of rigged 2020 election
Turns out words have consequences
https://www.theregister.com/2021/02/05/smartmatic_election_lawsuit/
Electronic voting machine maker Smartmatic has sued Fox News, three of its hosts, and two of Donald Trump’s loyalists – Rudy Giuliani and Sidney Powell – for an eye-popping $2.7bn in defamation damages over the false claims it stole the 2020 presidential election for Joe Biden.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Google has patched an actively exploited zero-day vulnerability in its Chrome 88 update — Google Chrome 88.0.4324.150 released with a fix. Users advised to update. — Google has released today version 88.0.4324.150 of the Chrome browser for Windows, Mac, and Linux.
Google patches an actively exploited Chrome zero-day
Google Chrome 88.0.4324.150 released with a fix. Users advised to update.
https://www.zdnet.com/article/google-patches-an-actively-exploited-chrome-zero-day/
Tomi Engdahl says:
Kyle Bradshaw / 9to5Google:
Google delists the popular Chrome extension The Great Suspender for containing malware and is disabling the extension for those who installed it — This afternoon, Google has delisted the popular extension The Great Suspender for containing malware and is proactively disabling the extension for those who have it.
The Great Suspender extension has been removed from Chrome Web Store for containing malware
https://9to5google.com/2021/02/04/the-great-suspender-extension-has-been-removed-from-chrome-web-store-for-containing-malware/
Tomi Engdahl says:
Lucy Fisher / Telegraph:
Source: in the past year, the UK has expelled three Chinese spies posing as journalists who purported to work for three different Chinese media agencies — The revelation comes amid concerns in Government about Chinese economic espionage and intellectual property theft from UK institutions
Exclusive: Three Chinese spies posing as journalists expelled from the UK
https://www.telegraph.co.uk/politics/2021/02/04/three-chinese-spies-posing-journalists-expelled-uk/
The revelation comes amid concerns in Government about Chinese economic espionage and intellectual property theft from UK institutions
Tomi Engdahl says:
Very convincing scam sites in circulation: do not go to your online bank
via a Google search
https://www.finanssiala.fi/uutismajakka/Sivut/Liikkeella-uskottavia-huijaussivuja-ala-mene-verkkopankkiin-Google-haun-kautta.aspx
Scammers are currently trying very actively to get into online banks
using the familiar email links. In addition, banks have detected a new
scam campaign in which criminals have, one way or another, managed to
slip their scam sites into Google's search results. Banks advise that,
at least for now, you should not go to your online bank by searching
for your bank's name on Google, but by typing the address into the
browser's address bar. also:
https://yle.fi/uutiset/3-11768716
Tomi Engdahl says:
Speaker Vehviläinen: Because of the cyber attack, members of parliament
will receive information security training; threats against members are
also being investigated
https://yle.fi/uutiset/3-11767479
Parliament was the target of a cyber attack just before Christmas. The
National Bureau of Investigation is investigating the attack as an
aggravated computer break-in and espionage. – We cannot downplay this
attack, which has been directed against our democracy. Members of
parliament will be given information security training by the National
Cyber Security Centre, Vehviläinen says.
Tomi Engdahl says:
Kobalos A complex Linux threat to high performance computing
infrastructure
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
ESET researchers have analyzed malware that has been targeting high
performance computing (HPC) clusters, among other high-profile
targets. We reverse engineered this small, yet complex, malware that
is portable to many operating systems including Linux, BSD, Solaris,
and possibly AIX and Windows. PDF report:
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf
Tomi Engdahl says:
Interview With a Russian Cybercriminal
https://www.darkreading.com/endpoint/interview-with-a-russian-cybercriminal/d/d-id/1340029
To better understand the attacker’s perspective, Cisco Talos
researchers interviewed a LockBit ransomware operator. Their
interaction, as with many in the security world, began on Twitter.
This operator, who would not share his name but is referred to as
“Aleks,” tagged a member of the Talos team in a tweet promoting his
compromise of a Latin American financial institution. also:
https://blog.talosintelligence.com/2021/02/interview-with-lockbit-ransomware.html.
PDF:
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf
Tomi Engdahl says:
Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual
hard disks
https://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/
Two VMWare ESXi vulnerabilities, CVE-2019-5544 and CVE-2020-3992,
reported as abused in the wild. System administrators at companies
that rely on VMWare ESXi to manage the storage space used by their
virtual machines are advised to either apply the necessary ESXi
patches or disable SLP support to prevent attacks if the protocol
isn’t needed.
Tomi Engdahl says:
Credit card skimmer piggybacks on Magento 1 hacking spree
https://blog.malwarebytes.com/cybercrime/2021/02/credit-card-skimmer-piggybacks-on-magento-1-hacking-spree/
Back in the fall of 2020 threat actors started to massively exploit a
vulnerability in the no-longer maintained Magento 1 software branch.
As a result, thousands of e-commerce shops were compromised and many
of them injected with credit card skimming code. In the incident we
describe in this post, the threat actors also took into account that
an e-commerce site may get cleaned up from a Magento 1 hack. When that
happens, an alternate version of their skimmer injects its own fields
that mimic a legitimate payments platform.
Tomi Engdahl says:
Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on
U.S. payroll agency sources
https://www.reuters.com/article/us-cyber-solarwinds-china/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8
Suspected Chinese hackers exploited a flaw in software made by
SolarWinds Corp to help break into U.S. government computers last
year, five people familiar with the matter told Reuters, marking a new
twist in a sprawling cybersecurity breach that U.S. lawmakers have
labeled a national security emergency. While the alleged Russian
hackers penetrated deep into SolarWinds network and hid a “back door”
in Orion software updates which were then sent to customers, the
suspected Chinese group exploited a separate bug in Orion’s code to
help spread across networks they had already compromised, the sources
said. SolarWinds said it was aware of a single customer that was
compromised by the second set of hackers but that it had “not found
anything conclusive” to show who was responsible. also:
https://www.wired.com/story/solarwinds-hack-china-usda/
Tomi Engdahl says:
Full System Control with New SolarWinds Orion-based and Serv-U FTP
Vulnerabilities
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/
In this blog, I will be discussing three new security issues that I
recently found in several SolarWinds products. All three are severe
bugs with the most critical one allowing remote code execution with
high privileges. To the best of Trustwave’s knowledge, none of the
vulnerabilities were exploited during the recent SolarWinds attacks or
in any “in the wild” attacks. However, given the criticality of these
issues, we recommend that affected users patch as soon as possible. We
have purposely left out specific Proof of Concept (PoC) code in this
post in order to give SolarWinds users a longer margin to patch but we
will post an update to this blog that includes the PoC code on Feb. 9.
Tomi Engdahl says:
Whitespace Steganography Conceals Web Shell in PHP Malware
https://blog.sucuri.net/2021/02/whitespace-steganography-conceals-web-shell-in-php-malware.html
Last November, we wrote about how attackers are using JavaScript
injections to load malicious code from legitimate CSS files. At first
glance, these injections didn’t appear to contain anything except for
some benign CSS rules. A more thorough analysis of the .CSS file
revealed 56,964 seemingly empty lines containing combinations of
invisible tab (0x09), space (0x20), and line feed (0x0A) characters,
which were converted to binary representation of characters and then
to the text of an executable JavaScript code. It didn’t take long
before we found the same approach used in PHP malware. Here’s what our
malware analyst Liam Smith discovered while recently working on a site
containing multiple backdoors and webshells uploaded by hackers.
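As an added illustration of the whitespace steganography described in the comment above (this is example code, not the Sucuri analysis or the malware it describes): a small encoder, a detection heuristic and a decoder for hidden content carried in lines made only of tab and space characters. The bit mapping (tab = 0, space = 1, eight characters per line, line feed as separator), the file name and the sample CSS are assumptions for illustration; real samples may use a different mapping.

```python
"""
Added example, not code from the Sucuri post or from the analysed malware.

Assumptions for illustration: each hidden byte is one line of eight
characters, tab (0x09) = 0 and space (0x20) = 1, lines separated by
line feed (0x0A). Real samples may use a different mapping.
"""

TAB, SPACE, LF = "\x09", "\x20", "\x0a"

# Constructed sample of "benign" CSS rules the payload is hidden behind.
BENIGN_CSS = "body { margin: 0; }\n.hidden { display: none; }\n"


def encode_whitespace(payload: bytes) -> str:
    """Encode each payload byte as one line of 8 tab/space characters."""
    lines = []
    for byte in payload:
        bits = format(byte, "08b")
        lines.append("".join(SPACE if bit == "1" else TAB for bit in bits))
    return LF.join(lines) + LF


def whitespace_only_lines(text: str):
    """Return the lines that consist solely of tab and space characters."""
    return [line for line in text.split(LF) if line and set(line) <= {TAB, SPACE}]


def looks_suspicious(text: str, threshold: int = 20) -> bool:
    """Triage heuristic: many lines of nothing but tabs/spaces is a red flag.

    Legitimate CSS or PHP rarely has more than a handful of such lines;
    the sample in the post had tens of thousands.
    """
    return len(whitespace_only_lines(text)) >= threshold


def decode_whitespace(text: str) -> bytes:
    """Recover the hidden bytes; lines that are not pure tab/space are skipped.

    Trailing characters that do not fill a whole byte are ignored.
    """
    out = bytearray()
    for line in whitespace_only_lines(text):
        usable = len(line) - len(line) % 8
        for i in range(0, usable, 8):
            chunk = line[i:i + 8]
            out.append(int("".join("1" if c == SPACE else "0" for c in chunk), 2))
    return bytes(out)


def build_sample(payload: bytes) -> str:
    """Construct a CSS file with the payload smuggled in after real rules."""
    return BENIGN_CSS + encode_whitespace(payload)


if __name__ == "__main__":
    hidden = b"alert('stego payload');"
    sample = build_sample(hidden)
    print("whitespace-only lines:", len(whitespace_only_lines(sample)))
    print("suspicious:", looks_suspicious(sample))
    print("decoded:", decode_whitespace(sample))
```

When triaging a site, the useful part is `looks_suspicious`: a count of whitespace-only lines is cheap to run over every .css, .js and .php file and does not depend on guessing the exact bit mapping, which can only be confirmed once the decoder output turns into readable code.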
Tomi Engdahl says:
1,381,569 Finnish phone numbers in the wrong hands; this is what an
expert advises
https://www.is.fi/digitoday/tietoturva/art-2000007770210.html
A vulnerability that Facebook patched years ago was exploited to scrape
the data of 533 million users. This week it became public that the
data has been sold through an automated program operating on the
Telegram messaging service. A total of 1,381,569 Finnish phone numbers
are reported to be on sale. “Yes, it can be described as an
exceptionally large number. At least no personal data leaks of this
size concerning Finns have been reported to us,” special adviser Juha
Tretjakov emphasizes.
Tomi Engdahl says:
A network of Twitter bots has attacked the Belgian government’s Huawei
5G ban
https://www.zdnet.com/article/a-network-of-twitter-bots-has-attacked-the-belgian-governments-huawei-5g-ban/
Social media research group Graphika has published a report today
exposing a small network of 14 Twitter accounts that engaged in a
coordinated campaign to criticize the Belgian government’s plan to ban
Huawei from supplying 5G equipment to local telecommunications
providers. The accounts used fake names and posed as Belgium-based
tech and 5G experts. They also used profile images generated using
machine learning GAN algorithms, a technique that is gaining traction
with more and more social media influence networks. Graphika report
(PDF):
https://public-assets.graphika.com/reports/graphika_report_fake_cluster_boosts_huawei.pdf
Tomi Engdahl says:
Suspected Russian Hack Extends Far Beyond SolarWinds Software,
Investigators Say
https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601
Approximately 30% of both the private-sector and government victims
linked to the campaign had no direct connection to SolarWinds, Brandon
Wales, acting director of the Cybersecurity and Infrastructure
Security Agency, said in an interview. Last week, computer security
company Malwarebytes Inc. said that a number of its Microsoft cloud
email accounts were compromised by the same attackers who targeted
SolarWinds, using what Malwarebytes called “another intrusion vector.”
SolarWinds attack is not an outlier, but a moment of reckoning for
security industry, says Microsoft exec
https://www.zdnet.com/article/solarwinds-attack-is-not-an-outlier-but-a-moment-of-reckoning-for-security-industry-says-microsoft-exec/
“What SolarWinds has taught us is that this landscape is more complex
and more sophisticated. Is this a different attack? It is a really
sophisticated attack,” Vasu Jakkal, Microsoft’s corporate vice
president of security, compliance and identity told ZDNet in an
interview. “These attacks are going to continue to get more
sophisticated. So we should expect that. This is not the first and not
the last. This is not an outlier. This is going to be the norm. This
is why what we do is more important than ever,” she said. “I believe
that SolarWinds is a moment of reckoning in the industry. This is not
going to change and we have to do better as a defender community and
we have to be unified in our responses. We have been out there,
leading in this response.”
After SolarWinds breach, lawmakers ask NSA for help in cracking
Juniper cold case
https://www.cyberscoop.com/nsa-juniper-backdoor-wyden-espionage/
As the U.S. investigation into the SolarWinds hacking campaign grinds
on, lawmakers are demanding answers from the National Security Agency
about another troubling supply chain breach that was disclosed five
years ago. Juniper revealed its incident in December 2015, saying that
hackers had slipped unauthorized code into the firm’s software that
could allow access to firewalls and the ability to decrypt virtual
private network connections. Despite repeated inquiries from Capitol
Hill and concern in the Pentagon about the potential exposure of its
contractors to the hack, there has been no public U.S. government
assessment of who carried out the hack and what data was accessed.
Tomi Engdahl says:
Regulator Blasts NZ’s Stock Exchange Over DDoS Meltdown
https://www.databreachtoday.co.uk/regulator-blasts-nzs-stock-exchange-over-ddos-meltdown-a-15881
New Zealand’s financial regulator has issued a searing report about IT
security failures at NZX, the country’s stock exchange, that
contributed to a disruptive DDoS attack.
Tomi Engdahl says:
Cybersecurity firm Stormshield hacked. Data (including source code)
stolen
https://grahamcluley.com/cybersecurity-firm-stormshield-hacked-data-including-source-code-stolen/
French cybersecurity firm Stormshield has revealed that it has
suffered a security breach, and hackers have accessed sensitive
information. The company, which is a major provider to the French
government, says that a hacker managed to steal data after gaining
access to a portal used by customers and partners, potentially
accessing support tickets and communications with staff. While
investigating the security breach, Stormshield also discovered that
some of the source code for the Stormshield Network Security (SNS)
firewall was also stolen. This raises the spectre of a malicious
attacker either uncovering security holes in the firewall that might
be exploited in later attacks, or the creation of malicious updates.
also: https://www.stormshield.com/security-incident-stormshield/
Tomi Engdahl says:
https://www.tenable.com/blog/cve-2021-20016-zero-day-vulnerability-in-sonicwall-secure-mobile-access-sma-exploited
SonicWall releases a patch after researchers confirm exploitation of a
zero-day vulnerability in SonicWall Secure Mobile Access. Customers
that deploy any of the affected SMA devices are strongly encouraged to
upgrade as soon as possible. In addition to upgrading, SonicWall
recommends customers reset passwords for those users who have logged
into the device through the web interface as well as enabling
multi-factor authentication as an additional safeguard. SonicWall
notification:
https://www.sonicwall.com/support/product-notification/urgent-patch-available-for-sma-100-series-10-x-firmware-zero-day-vulnerability-updated-feb-3-2-p-m-cst/210122173415410/
Tomi Engdahl says:
Abusing Google Chrome extension syncing for data exfiltration and C&C
https://isc.sans.edu/forums/diary/Abusing+Google+Chrome+extension+syncing+for+data+exfiltration+and+CC/27066/
I had a pleasure (or not) of working on another incident where, among
other things, attackers were using a pretty novel way of exfiltrating
data and using that channel for C&C communication. Some of the methods
observed in analyzed code were pretty scary from a defender’s point of
view, as you will see further below in this diary.