This posting is here to collect cyber security news in February 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Microsoft now forces secure RPC to block Windows Zerologon attacks
https://www.bleepingcomputer.com/news/security/microsoft-now-forces-secure-rpc-to-block-windows-zerologon-attacks/
Microsoft has enabled enforcement mode for updates addressing the
Windows Zerologon vulnerability on all devices that installed this
month’s Patch Tuesday security updates.
Tomi Engdahl says:
Threat Brief: Windows IPv4 and IPv6 Stack Vulnerabilities (CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094)
https://unit42.paloaltonetworks.com/cve-2021-24074-patch-tuesday/
Tomi Engdahl says:
North Korean Hackers Accused Of ‘Biggest Cryptocurrency Theft Of 2020’—Their Heists Are Now Worth $1.75 Billion
https://www.forbes.com/sites/thomasbrewster/2021/02/09/north-korean-hackers-accused-of-biggest-cryptocurrency-theft-of-2020-their-heists-are-now-worth-175-billion/?sh=1f4bd3695b0b&utm_source=FBPAGE&utm_medium=social&utm_content=4482143151&utm_campaign=sprinklrForbesMainFB
A North Korean hacker crew called Lazarus Group has been accused of carrying out a heist on cryptocurrency exchange KuCoin, dubbed the biggest cryptocurrency theft of last year at $275 million worth of virtual money. That figure represented half of all cryptocurrency stolen in 2020, according to cryptocurrency tracker and law enforcement contractor Chainalysis, which exclusively revealed its attribution of the huge attack to Forbes ahead of the release of its own research report on Tuesday.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Europol, working with US, UK, and others, says 10 people have been arrested for allegedly stealing $100M in cryptocurrency from celebrities via SIM-swap attacks — Eight men were arrested in England and Scotland as part of an investigation into a series of SIM swapping attacks targeting US celebrities.
Authorities arrest SIM swapping gang that targeted celebrities
https://www.zdnet.com/article/authorities-arrest-sim-swapping-gang-that-targeted-celebrities/
Eight men were arrested in England and Scotland as part of an investigation into a series of SIM swapping attacks targeting US celebrities.
Tomi Engdahl says:
A hacker tried to poison the water supply of a town in Florida using TeamViewer. How common is the software in critical infrastructure and is it a good idea to use it?
Why Cybersecurity Experts Hate TeamViewer, the Software Used to Tamper With Florida Water Supply
https://www.vice.com/en/article/akdqxk/why-cybersecurity-experts-hate-teamviewer-the-software-used-to-tamper-with-florida-water-supply?utm_content=1612895404&utm_medium=social&utm_source=VICE_facebook
Tomi Engdahl says:
“TeamViewer is almost ubiquitous in industrial environments, particularly since the pandemic started,” said Lesley Carhart, a principal threat analyst at industrial control system security firm Dragos. “It’s not my ideal choice by any means for secure access to ICS environments. But there are ways to make it more secure if it’s the only available option.”
https://www.vice.com/en/article/akdqxk/why-cybersecurity-experts-hate-teamviewer-the-software-used-to-tamper-with-florida-water-supply?utm_content=1612895404&utm_medium=social&utm_source=VICE_facebook
Tomi Engdahl says:
White House Announces Senior Official Is Leading Inquiry Into SolarWinds Hacking
https://www.nytimes.com/2021/02/10/us/politics/biden-russia-solarwinds-hacking.html
The announcement comes after the bipartisan leaders of the Senate Intelligence Committee criticized the administration for its disjointed response.
WASHINGTON — The White House announced on Wednesday that it had put a senior national security official in charge of the response to the broad Russian breach of government computers, only hours after the Democratic chairman of the Senate Intelligence Committee criticized the “disjointed and disorganized response” in the opening weeks of the Biden administration.
Tomi Engdahl says:
North Korean hackers stole more than $300 million to pay for nuclear weapons, says confidential UN report
https://www.cnn.com/2021/02/08/asia/north-korea-united-nations-report-intl-hnk/index.html
North Korea’s army of hackers stole hundreds of millions of dollars throughout much of 2020 to fund the country’s nuclear and ballistic missile programs in violation of international law, according to a confidential United Nations report.
Tomi Engdahl says:
The Great Firewall of…America? WTZ!
https://m.youtube.com/watch?v=38za1LYj2XQ&feature=share
This past week, Feb 2 – Feb 7, 2021, a massive attack was conducted on encrypted services, particularly VPNs. VPN traffic was throttled to near unusability.
Basically in 2021, the Great Firewall of the USA was turned on. And then abruptly turned off.
Purpose of the action was unknown.
Tomi Engdahl says:
New Video Shows Beverly Hills Cops Playing Beatles to Trigger Instagram Copyright Filter
https://www.vice.com/en/article/bvxa7q/new-video-shows-beverly-hills-cops-playing-beatles-to-trigger-instagram-copyright-filter
In at least three cases, Beverly Hills Cops have started playing music seemingly to prevent themselves from being filmed by an activist.
Turns out that Beverly Hills PD isn’t just into Sublime—they also like the Beatles.
In a new video that LA area activist Sennett Devermont says was taken on January 16th, we can see Devermont trying to ask Sergeant Billy Fair—now best known for blasting Sublime at BHPD HQ—a question. But suddenly, he is interrupted by the mournful voice of Paul McCartney:
Yesterday… all my troubles seemed so far away…
Tomi Engdahl says:
A nasty bug was revealed in Slack, and Android users are urged to change
their passwords
https://www.tivi.fi/uutiset/tv/f3b922cf-481a-4437-9ed6-d9822ff5031b
Slack has sent email to those users whose passwords may have been
compromised. At the turn of the year a bug slipped into the Slack
messaging app, because of which some Android users' passwords were
stored in the app in plain text for a month (21.12.–21.1.). In theory,
it would therefore have been possible for other apps installed on the
device to gain access to Slack passwords.
Tomi Engdahl says:
VMware very strongly suggests TPM for all servers in tightened vSphere
security guide
https://www.theregister.com/2021/02/11/new_vsphere_7_security_guidance/
Upgrades to version 7.0 are going to require your full attention,
especially if you’re fond of VGA output
Tomi Engdahl says:
Breached water plant employees used the same TeamViewer password and
no firewall
https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/
Shortcomings illustrate the lack of security rigor in critical
infrastructure environments.
Tomi Engdahl says:
Military, Nuclear Entities Under Target By Novel Android Malware
https://threatpost.com/military-nuclear-entities-under-target-by-novel-android-malware/163830/
The two malware families have sophisticated capabilities to exfiltrate
SMS messages, WhatsApp messaging content and geolocation.
Lookout Discovers Novel Confucius APT Android Spyware Linked to
India-Pakistan Conflict
https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict
The Lookout Threat Intelligence team has discovered two novel Android
surveillanceware Hornbill and SunBird. We believe with high confidence
that these surveillance tools are used by the advanced persistent
threat group (APT) Confucius, which first appeared in 2013 as a
state-sponsored, pro-India actor primarily pursuing Pakistani and
other South Asian targets.
Tomi Engdahl says:
https://www.securityweek.com/apple-patches-recent-sudo-vulnerability-macos
Tomi Engdahl says:
Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks
https://www.securityweek.com/software-dependencies-exposed-microsoft-apple-high-impact-attacks
Tomi Engdahl says:
Tougher EU Privacy Rules Loom for Messenger, Zoom
https://www.securityweek.com/tougher-eu-privacy-rules-loom-messenger-zoom
Tomi Engdahl says:
Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover
https://www.securityweek.com/vulnerabilities-nextgen-gallery-plugin-exposed-many-wordpress-sites-takeover
Two severe vulnerabilities in the NextGEN Gallery WordPress plugin could have exposed more than 800,000 websites to complete takeover, WordPress security company Defiant reported on Monday.
Tomi Engdahl says:
How a Start-Up Received a $75,000 Bill for 2 Hours of Google Cloud Services
https://www.electropages.com/blog/2021/01/how-start-received-75000-bill-2-hours-google-cloud-services
Tomi Engdahl says:
Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack
https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/
Tomi Engdahl says:
This is how the devious online banking scam seen in Finland works – protecting yourself with a one-time code does not help, the victim approves the money transfer themselves
https://www.is.fi/digitoday/tietoturva/art-2000007784669.html
With a man-in-the-middle attack, a bank account can be emptied even when a code device or code app is in use.
Tomi Engdahl says:
Google Meet now lets you check for embarrassing video problems before joining a call
https://www.zdnet.com/article/google-meet-now-lets-you-check-for-embarrassing-video-problems-before-joining-a-call/
Google gives Meet users more tools to test settings, peripherals and configurations before hopping on a video call.
Tomi Engdahl says:
https://www.securityweek.com/vulnerabilities-realtek-wi-fi-module-expose-many-devices-remote-attacks
Tomi Engdahl says:
https://www.securityweek.com/airbus-cybersecurity-subsidiary-stormshield-discloses-data-breach
Tomi Engdahl says:
https://www.securityweek.com/many-wordpress-sites-affected-vulnerabilities-popup-builder-plugin
Tomi Engdahl says:
https://www.securityweek.com/deep-analysis-more-60000-breach-reports-over-three-years
Tomi Engdahl says:
Report: Feds Investigating Meme Stock Frenzy For Market Manipulation
https://www.forbes.com/sites/sarahhansen/2021/02/11/report-feds-investigating-meme-stock-frenzy-for-market-manipulation/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie
Federal authorities are investigating whether massive gains in “meme stocks” like GameStop in January were caused by market manipulation or other illegal behavior, the Wall Street Journal reported Thursday.
Both the Justice Department and the San Francisco U.S. attorney’s office have requested information from online brokers like Robinhood and the social media companies involved in the saga, the Journal reported, citing people familiar with the situation.
The Journal reported that the Commodities Futures Trading Commission has opened an investigation into the trading of silver futures and a silver ETF, which also saw major gains as Reddit traders set their sights on the commodity.
Tomi Engdahl says:
There’ll be nowhere to run and hide from authorities once smart tracking is applied to the feeds from ubiquitous cameras in cities and towns.
Smart City Video Platform Finds Crimes and Suspects
https://spectrum.ieee.org/tech-talk/computing/networks/smart-tracking-platform-anveshak-proves-effective-on-the-streets-of-bangalore
In many cities, whenever a car is stolen or someone is abducted, there are video cameras on street corners and in public spaces that could help solve those crimes. However, investigators and police departments typically don’t have the time or resources required to sift through hundreds of video feeds and tease out the evidence they need.
Aakash Khochare, a doctoral student at the Indian Institute of Science, in Bangalore, has been working for several years on a platform that could be useful. Khochare’s Anveshak, which means “Investigator” in Hindi, won an IEEE TCSC SCALE Challenge 2019 award in 2019. That annual competition is sponsored by the IEEE Technical Committee on Scalable Computing. Last month, Anveshak was described in detail in a study published in IEEE Transactions on Parallel and Distributed Systems.
“Privacy is an important consideration,” he says. “We are working on incorporating privacy restrictions within the platform, for example by allowing analytics to track vehicles, but not people. Or, analytics that track adults but not children. Anonymization and masking of entities who are not of interest or should not be tracked can also be examined.”
Tomi Engdahl says:
https://hackaday.com/2021/02/12/this-week-in-security-morse-code-malware-literal-and-figurative-watering-holes-and-more/
Tomi Engdahl says:
Singtel Suffers Zero-Day Cyberattack, Damage Unknown
https://threatpost.com/singtel-zero-day-cyberattack/163938/
The Tier 1 telecom giant was caught up in a coordinated, wide-ranging attack using unpatched security bugs in the Accellion legacy file-transfer platform.
Singtel, Tier 1 telecom carrier throughout Asia and owner of Australian telco Optus, has been impacted by a software security hole in a third-party file transfer appliance targeted by attackers. Singtel is one of multiple organizations affected by the bug, including an Australian medical research institution.
Singtel, one of the largest telecom companies in the world, announced Thursday that it was a victim of a cohesive set of cyberattacks
Accellion’s Bug-Riddled File Transfer Software
Accellion noted that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.
“This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,”
“The Accellion file transfer product used by Singtel is 20 years old, and continues to be used by many organizations in the financial, governmental and commercial sector to transfer large files, despite Accellion’s offering of newer and more secure file-sharing solutions,” Chloé Messdaghi, chief strategist, Point3 Security, said via email. “That’s problematic – it’s the kind of decision that puts companies at sharply increased risk. The fact is that breaches are going to happen, and possibly through a third party.”
Singtel: Unpatched Security Bug Led to Attack
Tomi Engdahl says:
https://www.infosecurity-magazine.com/opinions/solarwinds-on-premises-active/
Tomi Engdahl says:
A Windows Defender Vulnerability Lurked Undetected for 12 Years
Microsoft has finally patched the bug in its antivirus program after researchers spotted it last fall.
https://www.wired.com/story/windows-defender-vulnerability-twelve-years/
Tomi Engdahl says:
Is This Beverly Hills Cop Playing Sublime’s ‘Santeria’ to Avoid Being Live-Streamed?
Police officers in Beverly Hills have been playing music while being filmed, seemingly in an effort to trigger Instagram’s copyright filters
https://www.vice.com/en/article/bvxb94/is-this-beverly-hills-cop-playing-sublimes-santeria-to-avoid-being-livestreamed
Tomi Engdahl says:
Florida Water Plant Hack: Leaked Credentials Found in Breach Database
https://threatpost.com/florida-water-plant-hack-credentials-breach/163919/
Researchers discovered credentials for the Oldsmar water treatment facility in the massive compilation of data from breaches posted just days before the attack.
Researchers say they found several stolen and leaked credentials for a Florida water-treatment plant, which was hacked last week.
Researchers at CyberNews said they found 11 credential pairs linked to the Oldsmar water plant, in a 2017 compilation of stolen breach credentials. Meanwhile, they also found 13 credential pairs in the more recent “compilation of many breaches”, or COMB for short, that occurred just days before the attack.
This collection was leaked on the RaidForums English-language cybercrime community on Feb. 2 and contains a staggering 3.27 billion unique combinations of cleartext email addresses and passwords in an aggregate database.
Of note, officials have not publicly drawn any connection between the credentials discovered in the leaked credential breach databases and the attack last week.
Tomi Engdahl says:
EU states reach an agreement on ePrivacy reform. Here’s what worries privacy advocates
https://cybernews.com/news/eu-states-reach-an-agreement-on-eprivacy-reform-heres-what-worries-privacy-advocates/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=eprivacy_agreement&fbclid=IwAR05_cGxnofHSnP7kPGTETUrWjQmhdtxOgqD7oTH1b-iZ57jL21upATCm88
After four years of talks, EU member states agreed on the ePrivacy reform, and the Portuguese presidency can now start negotiating with the European Parliament on the final text of the bill. ePrivacy rules outline cases when private data can be processed without the user’s consent.
On Wednesday, member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services.
The updated ePrivacy rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices.
An update to the existing ePrivacy directive of 2002 is needed to cater for new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behavior, The European Council stated in a press release.
Tomi Engdahl says:
A Windows Defender vulnerability lurked undetected for 12 years
Microsoft patched the bug in its A/V program after researchers spotted it last fall.
https://www.wired.com/story/windows-defender-vulnerability-twelve-years/
Tomi Engdahl says:
Almost seven months ago, we warned that critical US infrastructure was so easy to hack that industrial control systems (ICS) in the US, particularly in water and energy sectors, could be breached by anyone. Last Friday, it happened in Florida.
That’s the bad news. The even worse news is that it can happen again, in many small cities across America.
The Oldsmar water treatment facility hack was entirely avoidable – and it can happen again
https://cybernews.com/editorial/oldsmar-water-treatment-facility-hack-was-avoidable-can-happen-again/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=oldsmar_water&fbclid=IwAR00hseAp-e-LtnAyLW9C-BnxfnODLWsjFYpG7fpKFIs2OPX2_yjo45vHdU
According to a report from Tampa Bay Times, an attacker compromised a water treatment facility in Oldsmar, Florida and tried to up chemical levels in the water supply to extremely dangerous levels. Bob Gualtieri, the Sheriff of Pinellas County where the city of Oldsmar is located, said the attacker tried to raise levels of sodium hydroxide, a chemical used to control the acidity of water, “by a factor of more than 100.”
Tomi Engdahl says:
Yandex suffers data breach after sysadmin sold access to user emails
https://www.bleepingcomputer.com/news/security/yandex-suffers-data-breach-after-sysadmin-sold-access-to-user-emails/
Russian internet and search company Yandex announced today that one of
its system administrators had enabled unauthorized access to thousands
of user mailboxes.
Tomi Engdahl says:
Sonatype Spots 150+ Malicious npm Packages Copying Recent Software
Supply Chain Attacks that Hit 35 Organizations
https://blog.sonatype.com/sonatype-spots-150-malicious-npm-packages-copying-recent-software-supply-chain-attacks
Just three days ago on February 9th, Sonatype released our findings on
Alex Birsan's research in which he used the dependency or namespace
confusion technique to push his malicious proof-of-concept (PoC) code
to internal development builds of over 35 major tech organizations
including Microsoft, Apple, Tesla, Uber and others. With the news
making headlines, it didn’t take long for other researchers to start
imitating Birsan's open source software supply chain attack research.
see also
https://www.bleepingcomputer.com/news/security/copycat-researchers-imitate-supply-chain-attack-that-hit-tech-giants/
Tomi Engdahl says:
Alert (AA21-042A) Compromise of U.S. Water Treatment Facility
https://us-cert.cisa.gov/ncas/alerts/aa21-042a
On February 5, 2021, unidentified cyber actors obtained unauthorized
access to the supervisory control and data acquisition (SCADA) system
at a U.S. drinking water treatment facility. The unidentified actors
used the SCADA system's software to increase the amount of sodium
hydroxide, also known as lye, a caustic chemical, as part of the water
treatment process.
Tomi Engdahl says:
Singtel Suffers Zero-Day Cyberattack, Damage Unknown
https://threatpost.com/singtel-zero-day-cyberattack/163938/
The Tier 1 telecom giant was caught up in a coordinated, wide-ranging
attack using unpatched security bugs in the Accellion legacy
file-transfer platform.
Military, Nuclear Entities Under Target By Novel Android Malware
https://threatpost.com/military-nuclear-entities-under-target-by-novel-android-malware/163830/
The two malware families have sophisticated capabilities to exfiltrate
SMS messages, WhatsApp messaging content and geolocation.
Tomi Engdahl says:
Microsoft is seeing a big spike in Web shell use
https://arstechnica.com/information-technology/2021/02/microsoft-is-seeing-a-big-spike-in-web-shell-use/
Spike shows just how useful and hard to detect these simple programs
can be.
Tomi Engdahl says:
Malvertising campaign on PornHub and other top adult brands exposes
users to tech support scams
https://blog.malwarebytes.com/cybercrime/2021/02/malvertising-campaign-on-top-adult-brands-exposes-users-to-tech-support-scams/
Threat actors involved in tech support scams have been running a
browser locker campaign from November 2020 until February 2021 on the
world's largest adult platforms including PornHub.
Tomi Engdahl says:
Who is to blame for the malicious Barcode Scanner that got on the
Google Play store?
https://blog.malwarebytes.com/android/2021/02/who-is-to-blame-for-the-malicious-barcode-scanner-that-got-on-the-google-play-store/
In our last blog, Barcode Scanner app on Google Play infects 10
million users with one update, we wrote about a barcode scanner found
on the Google Play store that was infected with
Android/Trojan.HiddenAds.AdQR. All initial signs led us to believe
that LavaBird LTD was the developer of this malware, but since then, a
representative from LavaBird reached out to us. They claimed it was
not them who was responsible for uploading malicious versions of
Barcode Scanner, package name com.qrcodescanner.barcodescanner, but an
account named The space team.
Tomi Engdahl says:
Supermicro spy chips, the sequel: It really, really happened, and with
bad BIOS and more, insists Bloomberg
https://www.theregister.com/2021/02/12/supermicro_bloomberg_spying/
Server maker says latest article is ‘a mishmash of disparate
allegations’
Tomi Engdahl says:
A Windows Defender vulnerability lurked undetected for 12 years
https://arstechnica.com/information-technology/2021/02/a-windows-defender-vulnerability-lurked-undetected-for-12-years/
Microsoft patched the bug in its A/V program after researchers spotted
it last fall.
Tomi Engdahl says:
https://www.securityweek.com/industry-reactions-us-water-plant-hack-feedback-friday
Tomi Engdahl says:
https://www.theverge.com/2021/2/10/22277054/slack-android-psa-password-reset-email-plaintext
Tomi Engdahl says:
Sandworm intrusion set campaign targeting Centreon systems
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-005/
ANSSI has been informed of an intrusion campaign targeting the
monitoring software Centreon distributed by the French company
CENTREON, which resulted in the breach of several French entities. See
the full report:
http://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf
Tomi Engdahl says:
Microsoft: SolarWinds attack took more than 1,000 engineers to create
https://www.zdnet.com/article/microsoft-solarwinds-attack-took-more-than-1000-engineers-to-create/
The months-long hacking campaign that affected US government agencies
and cybersecurity vendors was “the largest and most sophisticated
attack the world has ever seen,” Microsoft president Brad Smith has
said, and involved a vast number of developers. Microsoft, which was
also breached by the bad Orion update, assigned 500 engineers to
investigate the attack, said Smith, but the (most likely Russia-backed)
team behind the attack had more than double the engineering resources.