Cyber security news February 2021

This posting is here to collect cyber security news in February 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

310 Comments

  1. Tomi Engdahl says:

    Microsoft now forces secure RPC to block Windows Zerologon attacks
    https://www.bleepingcomputer.com/news/security/microsoft-now-forces-secure-rpc-to-block-windows-zerologon-attacks/
    Microsoft has enabled enforcement mode for updates addressing the
    Windows Zerologon vulnerability on all devices that installed this
    month’s Patch Tuesday security updates.

    Reply
  2. Tomi Engdahl says:

    Threat Brief: Windows IPv4 and IPv6 Stack Vulnerabilities (CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094)
    https://unit42.paloaltonetworks.com/cve-2021-24074-patch-tuesday/

    Reply
  3. Tomi Engdahl says:

    North Korean Hackers Accused Of ‘Biggest Cryptocurrency Theft Of 2020’—Their Heists Are Now Worth $1.75 Billion
    https://www.forbes.com/sites/thomasbrewster/2021/02/09/north-korean-hackers-accused-of-biggest-cryptocurrency-theft-of-2020-their-heists-are-now-worth-175-billion/?sh=1f4bd3695b0b&utm_source=FBPAGE&utm_medium=social&utm_content=4482143151&utm_campaign=sprinklrForbesMainFB

    A North Korean hacker crew called Lazarus Group has been accused of carrying out a heist on cryptocurrency exchange KuCoin, dubbed the biggest cryptocurrency theft of last year at $275 million worth of virtual money. That figure represented half of all cryptocurrency stolen in 2020, according to cryptocurrency tracker and law enforcement contractor Chainalysis, which exclusively revealed its attribution of the huge attack to Forbes ahead of the release of its own research report on Tuesday.

    Reply
  4. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Europol, working with US, UK, and others, says 10 people have been arrested for allegedly stealing $100M in cryptocurrency from celebrities via SIM-swap attacks — Eight men were arrested in England and Scotland as part of an investigation into a series of SIM swapping attacks targeting US celebrities.

    Authorities arrest SIM swapping gang that targeted celebrities
    https://www.zdnet.com/article/authorities-arrest-sim-swapping-gang-that-targeted-celebrities/

    Eight men were arrested in England and Scotland as part of an investigation into a series of SIM swapping attacks targeting US celebrities.

    Reply
  5. Tomi Engdahl says:

    A hacker tried to poison the water supply of a town in Florida using TeamViewer. How common is the software in critical infrastructure and is it a good idea to use it?

    Why Cybersecurity Experts Hate TeamViewer, the Software Used to Tamper With Florida Water Supply
    https://www.vice.com/en/article/akdqxk/why-cybersecurity-experts-hate-teamviewer-the-software-used-to-tamper-with-florida-water-supply?utm_content=1612895404&utm_medium=social&utm_source=VICE_facebook

    A hacker tried to poison the water supply of a town in Florida using TeamViewer. How common is the software in critical infrastructure and is it a good idea to use it?

    Reply
  6. Tomi Engdahl says:

    “TeamViewer is almost ubiquitous in industrial environments, particularly since the pandemic started,” said Lesley Carhart, a principal threat analyst at industrial control system security firm Dragos. “It’s not my ideal choice by any means for secure access to ICS environments. But there are ways to make it more secure if it’s the only available option.”
    https://www.vice.com/en/article/akdqxk/why-cybersecurity-experts-hate-teamviewer-the-software-used-to-tamper-with-florida-water-supply?utm_content=1612895404&utm_medium=social&utm_source=VICE_facebook

    Reply
  7. Tomi Engdahl says:

    White House Announces Senior Official Is Leading Inquiry Into SolarWinds Hacking
    https://www.nytimes.com/2021/02/10/us/politics/biden-russia-solarwinds-hacking.html

    The announcement comes after the bipartisan leaders of the Senate Intelligence Committee criticized the administration for its disjointed response.

    WASHINGTON — The White House announced on Wednesday that it had put a senior national security official in charge of the response to the broad Russian breach of government computers, only hours after the Democratic chairman of the Senate Intelligence Committee criticized the “disjointed and disorganized response” in the opening weeks of the Biden administration

    Reply
  8. Tomi Engdahl says:

    North Korean hackers stole more than $300 million to pay for nuclear weapons, says confidential UN report
    https://www.cnn.com/2021/02/08/asia/north-korea-united-nations-report-intl-hnk/index.html

    North Korea’s army of hackers stole hundreds of millions of dollars throughout much of 2020 to fund the country’s nuclear and ballistic missile programs in violation of international law, according to a confidential United Nations report.

    Reply
  9. Tomi Engdahl says:

    The Great Firewall of…America? WTZ!
    https://m.youtube.com/watch?v=38za1LYj2XQ&feature=share

    This past week on Feb 2 – Feb 7, 2021 a massive attack was conducted on encrypted services, particular VPN’s. VPN traffic was throttled to near unusability.

    Basically in 2021, the Great Firewall of the USA was turned on. And then abrubtly turned off.

    Purpose of the action was unknown.

    Reply
  10. Tomi Engdahl says:

    New Video Shows Beverly Hills Cops Playing Beatles to Trigger Instagram Copyright Filter
    https://www.vice.com/en/article/bvxa7q/new-video-shows-beverly-hills-cops-playing-beatles-to-trigger-instagram-copyright-filter

    In at least three cases, Beverly Hills Cops have started playing music seemingly to prevent themselves from being filmed by an activist.

    Turns out that Beverly Hills PD isn’t just into Sublime—they also like the Beatles.

    In a new video that LA area activist Sennett Devermont says was taken on January 16th, we can see Devermont trying to ask Sergeant Billy Fair—now best known for blasting Sublime at BHPD HQ—a question. But suddenly, he is interrupted by the mournful voice of Paul McCartney:

    Yesterday… all my troubles seemed so far away…

    Reply
  11. Tomi Engdahl says:

    Slackista paljastui ikävä bugi Android-käyttäjiä kehotetaan vaihtamaan
    salasanansa
    https://www.tivi.fi/uutiset/tv/f3b922cf-481a-4437-9ed6-d9822ff5031b
    Slack on lähettänyt sähköpostia niille käyttäjille, joiden salasanat
    ovat mahdollisesti vaarantuneet. Viestisovellus Slackiin lipsahti
    vuodenvaihteessa bugi, jonka vuoksi joidenkin Android-käyttäjien
    salasanat varastoitiin kuukauden ajan (21.1221.1.) sovellukseen
    selkokielisinä. Teoriassa olisi siis mahdollista, että muut
    laitteeseen asennetut sovellukset olisivat voineet päästä käsiksi
    Slack-salasanoihin.

    Reply
  12. Tomi Engdahl says:

    VMware very strongly suggests TPM for all servers in tightened vSphere
    security guide
    https://www.theregister.com/2021/02/11/new_vsphere_7_security_guidance/
    Upgrades to version 7.0 are going to require your full attention,
    especially if you’re fond of VGA output

    Reply
  13. Tomi Engdahl says:

    Breached water plant employees used the same TeamViewer password and
    no firewall
    https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/
    Shortcomings illustrate the lack of security rigor in critical
    infrastructure environments.

    Reply
  14. Tomi Engdahl says:

    Military, Nuclear Entities Under Target By Novel Android Malware
    https://threatpost.com/military-nuclear-entities-under-target-by-novel-android-malware/163830/
    The two malware families have sophisticated capabilities to exfiltrate
    SMS messages, WhatsApp messaging content and geolocation.

    Lookout Discovers Novel Confucius APT Android Spyware Linked to
    India-Pakistan Conflict
    https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict
    The Lookout Threat Intelligence team has discovered two novel Android
    surveillanceware Hornbill and SunBird. We believe with high confidence
    that these surveillance tools are used by the advanced persistent
    threat group (APT) Confucius, which first appeared in 2013 as a
    state-sponsored, pro-India actor primarily pursuing Pakistani and
    other South Asian targets.

    Reply
  15. Tomi Engdahl says:

    Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover
    https://www.securityweek.com/vulnerabilities-nextgen-gallery-plugin-exposed-many-wordpress-sites-takeover

    Two severe vulnerabilities in the NextGEN Gallery WordPress plugin could have exposed more than 800,000 websites to complete takeover, WordPress security company Defiant reported on Monday.

    Reply
  16. Tomi Engdahl says:

    Näin toimii Suomessa nähty kiero verkkopankkihuijaus – tunnusluvulla suojautuminen ei auta, uhri hyväksyy itse rahasiirron
    https://www.is.fi/digitoday/tietoturva/art-2000007784669.html

    Mies välissä- eli väliintulohyökkäyksellä pankkitili voidaan tyhjentää, vaikka käytössä on tunnuslukulaite tai -sovellus.

    Reply
  17. Tomi Engdahl says:

    Google Meet now lets you check for embarrassing video problems before joining a call
    https://www.zdnet.com/article/google-meet-now-lets-you-check-for-embarrassing-video-problems-before-joining-a-call/

    Google gives Meet users more tools to test settings, peripherals and configurations before hopping on a video call.

    Reply
  18. Tomi Engdahl says:

    Report: Feds Investigating Meme Stock Frenzy For Market Manipulation
    https://www.forbes.com/sites/sarahhansen/2021/02/11/report-feds-investigating-meme-stock-frenzy-for-market-manipulation/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie

    Federal authorities are investigating whether massive gains in “meme stocks” like GameStop in January were caused by market manipulation or other illegal behavior, the Wall Street Journal reported Thursday. 

    Both the Justice Department and the San Francisco U.S. attorney’s office have requested information from online brokers like Robinhood and the social media companies involved in the saga, the Journal reported, citing people familiar with the situation. 

    The Journal reported that the Commodities Futures Trading Commission has opened an investigation into the trading of silver futures and a silver ETF, which also saw major gains as Reddit traders set their sights on the commodity.

    Reply
  19. Tomi Engdahl says:

    There’ll be no where to run and hide from authorities once smart tracking is applied to the feeds from ubiquitous cameras in cities and towns.

    Smart City Video Platform Finds Crimes and Suspects
    https://spectrum.ieee.org/tech-talk/computing/networks/smart-tracking-platform-anveshak-proves-effective-on-the-streets-of-bangalore

    In many cities, whenever a car is stolen or someone is abducted, there are video cameras on street corners and in public spaces that could help solve those crimes. However, investigators and police departments typically don’t have the time or resources required to sift through hundreds of video feeds and tease out the evidence they need.

    Aakash Khochare, a doctoral student at the Indian Institute of Science, in Bangalore, has been working for several years on a platform that could be useful. Khochare’s Anveshak, which means “Investigator” in Hindi, won an IEEE TCSC SCALE Challenge 2019 award in 2019. That annual competition is sponsored by the IEEE Technical Committee on Scalable Computing. Last month, Anveshak was described in detail in a study published in IEEE Transactions on Parallel and Distributed Systems.

    “Privacy is an important consideration,” he says. “We are working on incorporating privacy restrictions within the platform, for example by allowing analytics to track vehicles, but not people. Or, analytics that track adults but not children. Anonymization and masking of entities who are not of interest or should not be tracked can also be examined.”

    Reply
  20. Tomi Engdahl says:

    Singtel Suffers Zero-Day Cyberattack, Damage Unknown
    https://threatpost.com/singtel-zero-day-cyberattack/163938/

    The Tier 1 telecom giant was caught up in a coordinated, wide-ranging attack using unpatched security bugs in the Accellion legacy file-transfer platform.

    Singtel, Tier 1 telecom carrier throughout Asia and owner of Australian telco Optus, has been impacted by a software security hole in a third-party file transfer appliance targeted by attackers. Singtel is one of multiple organizations affected by the bug, including an Australian medical research institution.

    Singtel, one of the largest telecom companies in the world, announced Thursday that it was a victim of a cohesive set of cyberattacks

    Accellion’s Bug-Riddled File Transfer Software
    Accellion noted that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.

    “This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,”

    “The Accellion file transfer product used by Singtel is 20 years old, and continues to be used by many organizations in the financial, governmental and commercial sector to transfer large files, despite Accellion’s offering of newer and more secure file-sharing solutions,” Chloé Messdaghi, chief strategist, Point3 Security, said via email. “That’s problematic – it’s the kind of decision that puts companies at sharply increased risk. The fact is that breaches are going to happen, and possibly through a third party.”

    Singtel: Unpatched Security Bug Led to Attack

    Reply
  21. Tomi Engdahl says:

    A Windows Defender Vulnerability Lurked Undetected for 12 Years
    Microsoft has finally patched the bug in its antivirus program after researchers spotted it last fall.
    https://www.wired.com/story/windows-defender-vulnerability-twelve-years/

    Reply
  22. Tomi Engdahl says:

    Is This Beverly Hills Cop Playing Sublime’s ‘Santeria’ to Avoid Being Live-Streamed?
    Police officers in Beverly Hills have been playing music while being filmed, seemingly in an effort to trigger Instagram’s copyright filters
    https://www.vice.com/en/article/bvxb94/is-this-beverly-hills-cop-playing-sublimes-santeria-to-avoid-being-livestreamed

    Reply
  23. Tomi Engdahl says:

    Florida Water Plant Hack: Leaked Credentials Found in Breach Database
    https://threatpost.com/florida-water-plant-hack-credentials-breach/163919/

    Researchers discovered credentials for the Oldsmar water treatment facility in the massive compilation of data from breaches posted just days before the attack.

    Researchers say they found several stolen and leaked credentials for a Florida water-treatment plant, which was hacked last week.

    Researchers at CyberNews said they found 11 credential pairs linked to the Oldsmar water plant, in a 2017 compilation of stolen breach credentials. Meanwhile, they also found 13 credential pairs in the more recent “compilation of many breaches”– COMB for short — that occurred just days before the attack.

    This collection was leaked on the RaidForums English-language cybercrime community on Feb. 2 and contains a staggering 3.27 billion unique combinations of cleartext email addresses and passwords in an aggregate database.

    Of note, officials have not publicly drawn any connection between the credentials discovered in the leaked credential breach databases and the attack last week.

    Reply
  24. Tomi Engdahl says:

    EU states reach an agreement on ePrivacy reform. Here’s what worries privacy advocates
    https://cybernews.com/news/eu-states-reach-an-agreement-on-eprivacy-reform-heres-what-worries-privacy-advocates/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=eprivacy_agreement&fbclid=IwAR05_cGxnofHSnP7kPGTETUrWjQmhdtxOgqD7oTH1b-iZ57jL21upATCm88

    After four years of talks, EU member states agreed on the ePrivacy reform, and the Portuguese presidency can now start negotiating with the European Parliament on the final text of the bill. ePrivacy rules outline cases when private data can be processed without the user’s consent.

    On Wednesday, member states agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services.

    The updated ePrivacy rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices.

    An update to the existing ePrivacy directive of 2002 is needed to cater for new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behavior, The European Council stated in a press release.

    Reply
  25. Tomi Engdahl says:

    A Windows Defender vulnerability lurked undetected for 12 years
    Microsoft patched the bug in its A/V program after researchers spotted it last fall.
    https://www.wired.com/story/windows-defender-vulnerability-twelve-years/

    Reply
  26. Tomi Engdahl says:

    Almost seven months ago, we warned that critical US infrastructure was so easy to hack that industrial control systems (ICS) in the US, particularly in water and energy sectors, could be breached by anyone. Last Friday, it happened in Florida.
    That’s the bad news. The even worse news is that it can happen again, in many small cities across America.

    The Oldsmar water treatment facility hack was entirely avoidable – and it can happen again
    https://cybernews.com/editorial/oldsmar-water-treatment-facility-hack-was-avoidable-can-happen-again/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=oldsmar_water&fbclid=IwAR00hseAp-e-LtnAyLW9C-BnxfnODLWsjFYpG7fpKFIs2OPX2_yjo45vHdU

    Almost seven months ago, we warned that critical US infrastructure was so easy to hack that industrial control systems (ICS) in the US, particularly in water and energy sectors, could be breached by anyone. Last Friday, it happened in Florida.

    According to a report from Tampa Bay Times, an attacker compromised a water treatment facility in Oldsmar, Florida and tried to up chemical levels in the water supply to extremely dangerous levels. Bob Gualtieri, the Sheriff of Pinellas County where the city of Oldsmar is located, said the attacker tried to raise levels of sodium hydroxide, a chemical used to control the acidity of water, “by a factor of more than 100.”

    Reply
  27. Tomi Engdahl says:

    Yandex suffers data breach after sysadmin sold access to user emails
    https://www.bleepingcomputer.com/news/security/yandex-suffers-data-breach-after-sysadmin-sold-access-to-user-emails/
    Russian internet and search company Yandex announced today that one of
    its system administrators had enabled unauthorized access to thousands
    of user mailboxes.

    Reply
  28. Tomi Engdahl says:

    Sonatype Spots 150+ Malicious npm Packages Copying Recent Software
    Supply Chain Attacks that Hit 35 Organizations
    https://blog.sonatype.com/sonatype-spots-150-malicious-npm-packages-copying-recent-software-supply-chain-attacks
    Just three days ago on February 9th, Sonatype released our findings on
    Alex Birsans research in which he used the dependency or namespace
    confusion technique to push his malicious proof-of-concept (PoC) code
    to internal development builds of over 35 major tech organizations
    including Microsoft, Apple, Tesla, Uber and others.. With the news
    making headlines, it didn’t take long for other researchers to start
    imitating Birsans open source software supply chain attack research..
    see also
    https://www.bleepingcomputer.com/news/security/copycat-researchers-imitate-supply-chain-attack-that-hit-tech-giants/

    Reply
  29. Tomi Engdahl says:

    Alert (AA21-042A) Compromise of U.S. Water Treatment Facility
    https://us-cert.cisa.gov/ncas/alerts/aa21-042a
    On February 5, 2021, unidentified cyber actors obtained unauthorized
    access to the supervisory control and data acquisition (SCADA) system
    at a U.S. drinking water treatment facility. The unidentified actors
    used the SCADA systems software to increase the amount of sodium
    hydroxide, also known as lye, a caustic chemical, as part of the water
    treatment process.

    Reply
  30. Tomi Engdahl says:

    Singtel Suffers Zero-Day Cyberattack, Damage Unknown
    https://threatpost.com/singtel-zero-day-cyberattack/163938/
    The Tier 1 telecom giant was caught up in a coordinated, wide-ranging
    attack using unpatched security bugs in the Accellion legacy
    file-transfer platform.

    Military, Nuclear Entities Under Target By Novel Android Malware
    https://threatpost.com/military-nuclear-entities-under-target-by-novel-android-malware/163830/
    The two malware families have sophisticated capabilities to exfiltrate
    SMS messages, WhatsApp messaging content and geolocation.

    Reply
  31. Tomi Engdahl says:

    Microsoft is seeing a big spike in Web shell use
    https://arstechnica.com/information-technology/2021/02/microsoft-is-seeing-a-big-spike-in-web-shell-use/
    Spike shows just how useful and hard to detect these simple programs
    can be.

    Reply
  32. Tomi Engdahl says:

    Malvertising campaign on PornHub and other top adult brands exposes
    users to tech support scams
    https://blog.malwarebytes.com/cybercrime/2021/02/malvertising-campaign-on-top-adult-brands-exposes-users-to-tech-support-scams/
    Threat actors involved in tech support scams have been running a
    browser locker campaign from November 2020 until February 2021 on the
    worlds largest adult platforms including PornHub.

    Reply
  33. Tomi Engdahl says:

    Who is to blame for the malicious Barcode Scanner that got on the
    Google Play store?
    https://blog.malwarebytes.com/android/2021/02/who-is-to-blame-for-the-malicious-barcode-scanner-that-got-on-the-google-play-store/
    In our last blog, Barcode Scanner app on Google Play infects 10
    million users with one update, we wrote about a barcode scanner found
    on the Google Play store that was infected with
    Android/Trojan.HiddenAds.AdQR.. All initial signs led us to believe
    that LavaBird LTD was the developer of this malware, but since then, a
    representative from LavaBird reached out to us. They claimed it was
    not them who was responsible for uploading malicious versions of
    Barcode Scanner, package name com.qrcodescanner.barcodescanner, but an
    account named The space team.

    Reply
  34. Tomi Engdahl says:

    Supermicro spy chips, the sequel: It really, really happened, and with
    bad BIOS and more, insists Bloomberg
    https://www.theregister.com/2021/02/12/supermicro_bloomberg_spying/
    Server maker says latest article is ‘a mishmash of disparate
    allegations’

    Reply
  35. Tomi Engdahl says:

    A Windows Defender vulnerability lurked undetected for 12 years
    https://arstechnica.com/information-technology/2021/02/a-windows-defender-vulnerability-lurked-undetected-for-12-years/
    Microsoft patched the bug in its A/V program after researchers spotted
    it last fall.

    Reply
  36. Tomi Engdahl says:

    Sandworm intrusion set campaign targeting Centreon systems
    https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-005/
    ANSSI has been informed of an intrusion campaign targeting the
    monitoring software Centreon distributed by the French company
    CENTREON which resulted in the breach of several French entities.. see
    full report
    http://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf

    Reply
  37. Tomi Engdahl says:

    Microsoft: SolarWinds attack took more than 1,000 engineers to create
    https://www.zdnet.com/article/microsoft-solarwinds-attack-took-more-than-1000-engineers-to-create/
    The months-long hacking campaign that affected US government agencies
    and cybersecurity vendors was “the largest and most sophisticated
    attack the world has ever seen,” Microsoft president Brad Smith has
    said, and involved a vast number of developers.. Microsoft, which was
    also breached by the bad Orion update, assigned 500 engineers to
    investigate the attack said Smith, but the (most likely Russia-backed)
    team behind the attack had more than double the engineering resources.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*