This posting is here to collect cyber security news in February 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
White-hat hacker revealed the passwords favoured by Finns: never, under any circumstances, use anything from this list
https://www.is.fi/digitoday/tietoturva/art-2000007804375.html
Finns' passwords have taken on an international flavour in the past two years.
Tomi Engdahl says:
270 addresses are responsible for 55% of all cryptocurrency money laundering
https://www.zdnet.com/article/270-addresses-are-responsible-for-55-of-all-cryptocurrency-money-laundering/
Most cryptocurrency money laundering is concentrated in a few online services, opening the door for law enforcement actions.
Tomi Engdahl says:
Google Chrome, Microsoft Edge getting this Intel security feature
https://www.bleepingcomputer.com/news/security/google-chrome-microsoft-edge-getting-this-intel-security-feature/
Chromium-based browsers such as Microsoft Edge and Google Chrome will soon support the Intel CET security feature to prevent a wide range of vulnerabilities.
Tomi Engdahl says:
22-year-old got angry at the rules of his housing unit, ordered a network attack and jammed the system
https://www.is.fi/digitoday/tietoturva/art-2000007804798.html
In the defendant's view, the housing unit restricted friends' visits too much.
Tomi Engdahl says:
U.S. Gov Warning on Water Supply Hack: Get Rid of Windows 7
https://www.securityweek.com/us-gov-warning-water-supply-hack-get-rid-windows-7
On the heels of last week’s lye-poisoning attack against a small water plant in Florida, the U.S. government’s cybersecurity agency is pleading with critical infrastructure defenders to rip-and-replace Windows 7 from their networks as a matter of urgency.
The government’s latest appeal, issued via a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), comes amidst reports that the remote hack of the water plant near Tampa Bay was being blamed on poor password hygiene and attacks on systems running Microsoft’s out-of-service Windows 7 operating system. In addition to running Windows 7 on computers at the plant, all devices used the same password for remote access.
Tomi Engdahl says:
Many SolarWinds Customers Failed to Secure Systems Following Hack
https://www.securityweek.com/many-solarwinds-customers-failed-secure-systems-following-hack
Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach, according to RiskRecon, a Mastercard company that specializes in risk assessment.
Threat actors believed to be backed by Russia breached Texas-based IT management firm SolarWinds and used that access to deliver a piece of malware named Sunburst to roughly 18,000 customers who had been using the company’s Orion monitoring product. A few hundred victims that presented an interest to the hackers received other payloads that provided deeper access into their environments.
A second, apparently unrelated threat group believed to be operating out of China also targeted SolarWinds, delivering a piece of malware named Supernova. The delivery of Supernova required access to the targeted network and involved exploitation of a zero-day vulnerability in Orion, which SolarWinds patched shortly after its existence came to light.
Tomi Engdahl says:
Sandworm Hackers Hit French Monitoring Software Vendor Centreon
https://www.securityweek.com/sandworm-hackers-hit-french-monitoring-software-vendor-centreon
Russia-Linked Threat Group Caught Deploying Backdoors on Linux Servers in an Attack That Triggers New Conversations on Software Supply Chain Security
The French National Agency for the Security of Information Systems (ANSSI) is publicly blaming the notorious Sandworm APT group for a series of long-term hacking attacks against multiple IT and web hosting shops in Europe.
According to a technical advisory released by ANSSI, the data breaches date back to 2017 and include the eyebrow-raising compromise of Centreon, an IT monitoring software provider widely embedded throughout government organizations in France.
The agency did not say if the Centreon compromise was part of a supply-chain attack but the decision to publicly identify the Sandworm attackers triggers new conversations about the group’s previous software supply chain targeting in high-profile APT attacks.
Documented research has linked the Sandworm team to a government-backed Russian APT group linked to separate attacks against Ukraine targets in 2015 and 2017, and the 2018 cyberattack on the Winter Olympics opening ceremony.
Tomi Engdahl says:
https://hackaday.com/2021/02/09/cyberattack-on-florida-citys-water-supply/
Tomi Engdahl says:
https://www.zdnet.com/article/open-source-google-wants-new-rules-for-developers-working-on-critical-projects/
Tomi Engdahl says:
Google Moves Away From Diet of ‘Cookies’ to Track Users
https://www.securityweek.com/google-moves-away-diet-cookies-track-users
Tomi Engdahl says:
https://www.securityweek.com/solarwinds-product-vulnerabilities-allow-hackers-take-full-control-systems
Tomi Engdahl says:
https://www.securityweek.com/recent-sudo-vulnerability-affects-apple-cisco-products
Tomi Engdahl says:
https://www.securityweek.com/siemens-releases-patches-prevent-remote-takeover-simatic-hmi-panels
Tomi Engdahl says:
A Swiss Army Knife for Industrial Operations Protection
https://www.securityweek.com/swiss-army-knife-industrial-operations-protection
Tomi Engdahl says:
A sudo vulnerability enables privilege escalation on Unix systems
https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_5/21
Tomi Engdahl says:
Kia Motors America experiences massive IT outage across the US
https://www.bleepingcomputer.com/news/security/kia-motors-america-experiences-massive-it-outage-across-the-us/
Kia Motors USA is experiencing a nationwide outage affecting IT servers, self-payment phone services, dealer platforms, and phone support. One Twitter user shared that they could not pick up their car due to a ransomware attack taking down Kia’s systems.
Tomi Engdahl says:
Malvertisers exploited browser zero-day to redirect users to scams
https://www.bleepingcomputer.com/news/security/malvertisers-exploited-browser-zero-day-to-redirect-users-to-scams/
The ScamClub malvertising group used a zero-day vulnerability in the WebKit web browser engine to push payloads that redirected to gift card scams.
Tomi Engdahl says:
LähiTapiola let hackers loose in its office: a nasty vulnerability was found in a security camera
https://www.tivi.fi/uutiset/tv/e46db25d-4b6f-459b-96b5-065bc4fced8f
The 11th Hack Day in the series was carried out within the limits of the coronavirus restrictions.
Tomi Engdahl says:
Bluetooth Overlay Skimmer That Blocks Chip
https://krebsonsecurity.com/2021/02/bluetooth-overlay-skimmer-that-blocks-chip/
I was interested to hear from a reader working security for a retail chain in the United States who recently found Bluetooth-enabled skimming devices placed over top of payment card terminals at several stores. Interestingly, these skimmers interfered with the terminals’ ability to read chip-based cards, forcing customers to swipe the stripe instead.
Tomi Engdahl says:
Wall Street Journal:
A hacker claims to have stolen and posted files from global law firm Jones Day on the dark web; Jones Day says a file-sharing company it used was compromised — Firm disputes network breach, says its file-transfer company was compromised — A hacker claims to have stolen files belonging …
Hacker Claims to Have Stolen Files Belonging to Prominent Law Firm Jones Day
Firm disputes network breach, says its file-transfer company was compromised
https://www.wsj.com/articles/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532?mod=djemalertNEWS
Tomi Engdahl says:
Three New Vulnerabilities Patched in OpenSSL
https://www.securityweek.com/three-new-vulnerabilities-patched-openssl
The OpenSSL Project on Tuesday announced the availability of patches for three vulnerabilities, including two that can be exploited for denial-of-service (DoS) attacks and one related to incorrect SSLv2 rollback protection.
The most serious of the vulnerabilities, with a severity rating of moderate, is CVE-2021-23841, a NULL pointer dereference issue that can result in a crash and a DoS condition. The security hole is related to a function (X509_issuer_and_serial_hash) that is never called directly by OpenSSL itself, which means it only impacts applications that use the function directly with certificates obtained from untrusted sources.
The flaw was reported to OpenSSL developers by Google Project Zero researcher Tavis Ormandy and it has been patched with the release of OpenSSL 1.1.1j. Versions 1.1.1i and earlier are impacted.
OpenSSL 1.1.1j also fixes a low-severity integer overflow issue that can also lead to a crash. The bug, tracked as CVE-2021-23840, was identified by Paul Kehrer.
Tomi Engdahl says:
WebKit Zero-Day Vulnerability Exploited in Malvertising Operation
https://www.securityweek.com/webkit-zero-day-vulnerability-exploited-malvertising-operation
A malvertising operation observed last year by advertising cybersecurity company Confiant exploited what turned out to be a zero-day vulnerability in the WebKit browser engine.
Confiant researchers discovered the security hole while analyzing a campaign carried out by a threat actor they call ScamClub. The group has been around for several years, launching malvertising attacks designed to redirect users to a wide range of scam websites promising prizes.
ScamClub specializes in high-volume operations — even if most of their payloads are blocked, a large number still reach users.
Tomi Engdahl says:
Facebook Announces Payout Guidelines for Bug Bounty Program
https://www.securityweek.com/facebook-announces-payout-guidelines-bug-bounty-program
Facebook on Tuesday announced several new features for its bug bounty program, including an educational resource and payout guidelines.
The payout guidelines provide insight into the process used by the company to determine rewards for certain vulnerability categories. Specifically, it provides information on the maximum bounty for each category and describes the mitigating factors that can result in a lower reward.
Payment guidelines are currently available for page admin vulnerabilities, for which the top bounty is $5,000, server-side request forgery (SSRF), with a maximum reward of $40,000, and bugs in mobile apps, for which the bounty is capped at $45,000.
https://www.facebook.com/whitehat/payout_guidelines
Tomi Engdahl says:
WFH Security Tech Still Sucks for Some of Us
https://www.eetimes.com/wfh-security-tech-still-sucks-for-some-of-us/
Last summer I discovered just how bad work-from-home (WFH) tech can be for remote workers during our five-plus-weeks hotel stays. My husband and I were forced to evacuate, fleeing one of the devastating wildfires that hit California and destroyed tens of thousands of homes and millions of mostly forested acres.
You might think by now that’s all behind us, and we’re “back to normal.” It’s not and we aren’t. Since we’re still in a drought and hot, dry high winds picked up residual embers from the CZU fires, there were some local wildfires in January. In our area, the outages they produced in power, internet and water lasted “only” for several days.
Tomi Engdahl says:
Police warn of extremely harmful scam text messages: do not click the link
https://www.is.fi/digitoday/tietoturva/art-2000007808031.html
The police advise being careful with incoming text messages and especially with the links they contain. See also
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/saitko-tekstiviestin-postin-nimissa-varothan-viesti-voi-olla-huijaus
Tomi Engdahl says:
Alert (AA21-048A) – AppleJeus: Analysis of North Korea’s Cryptocurrency Malware
https://us-cert.cisa.gov/ncas/alerts/aa21-048a
This joint advisory is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber threat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and provide mitigation recommendations. Lazarus Group, which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors, is targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency. See also
https://us-cert.cisa.gov/ncas/current-activity/2021/02/17/north-korean-malicious-cyber-activity-applejeus.
See also
https://www.zdnet.com/article/us-charges-two-more-members-of-the-lazarus-north-korean-hacking-group/
Tomi Engdahl says:
Attacks targeting IT firms stir concern, controversy
https://www.welivesecurity.com/2021/02/17/attacks-targeting-it-firms-stir-concern-controversy/
The Exaramel backdoor, discovered by ESET in 2018, resurfaces in a campaign hitting companies that use an outdated version of a popular IT monitoring tool. See also
https://www.centreon.com/en/company/newsroom/press-releases/centreon-provides-clarification-following-the-publication-of-the-anssi-report/
Tomi Engdahl says:
Malware Is Now Targeting Apple’s New M1 Processor
https://www.wired.com/story/apple-m1-malware/
Two distinct strains of malware have already adjusted to the new silicon just months after its debut.
Tomi Engdahl says:
Kia Motors America suffers ransomware attack, $20 million ransom
https://www.bleepingcomputer.com/news/security/kia-motors-america-suffers-ransomware-attack-20-million-ransom/
Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang, demanding $20 million for a decryptor and not to leak stolen data.
Tomi Engdahl says:
Masslogger Swipes Microsoft Outlook, Google Chrome Credentials
https://threatpost.com/masslogger-microsoft-outlook-google-chrome/164011/
A new version of the Masslogger trojan has been targeting Windows users, now using a compiled HTML (CHM) file format to start the infection chain.
Tomi Engdahl says:
Hosting provider phishing
https://www.kaspersky.com/blog/hosting-provider-phishing-web-page/38783/
How, and why, cybercriminals attack accounts on hosting provider sites.
Tomi Engdahl says:
Dutch police post ‘friendly’ warnings on hacking forums
https://www.zdnet.com/article/dutch-police-post-friendly-warnings-on-hacking-forums/
Dutch police: “Hosting criminal infrastructure in The Netherlands is a lost cause.”
Tomi Engdahl says:
Beware of Steam scammers: never reply to messages like these
https://www.is.fi/digitoday/esports/art-2000007808398.html
On the Steam service, scammers are trying, among other things, to cheat users out of skins, i.e. virtual items.
Tomi Engdahl says:
Researchers Unmask Hackers Behind APOMacroSploit Malware Builder
https://thehackernews.com/2021/02/researchers-unmask-hackers-behind.html
Cybersecurity researchers have disclosed a new kind of Office malware distributed as part of a malicious email campaign that targeted more than 80 customers worldwide in an attempt to control victim machines and steal information remotely.
Tomi Engdahl says:
U.S. authorities are still working to unravel the full scope of the likely Russian hack that gave the “sophisticated” actor behind the breach complete access to files and email from at least nine government agencies and about 100 private companies, the top White House cybersecurity official said Wednesday.
https://www.securityweek.com/us-still-unraveling-%E2%80%98sophisticated%E2%80%99-hack-9-gov%E2%80%99t-agencies
Tomi Engdahl says:
Three New Vulnerabilities Patched in OpenSSL
https://www.securityweek.com/three-new-vulnerabilities-patched-openssl
Another low-severity issue, CVE-2021-23839, was reported to the OpenSSL Project by researchers at cybersecurity firm Trustwave, who discovered that servers using OpenSSL 1.0.2 are vulnerable to SSL version rollback attacks. However, an attack can only be launched against certain configurations and OpenSSL 1.1.1 is not impacted.
CVE-2021-23839 has been patched in version 1.0.2y. However, OpenSSL 1.0.2 is no longer supported so the update is only available to premium support customers.
Tomi Engdahl says:
Digital Warfare: Myanmar’s Cyber Crackdown Explained
https://www.securityweek.com/digital-warfare-myanmars-cyber-crackdown-explained
Tomi Engdahl says:
Cybercriminals Leak Files Allegedly Stolen From Law Firm Jones Day
https://www.securityweek.com/cybercriminals-leak-files-allegedly-stolen-law-firm-jones-day
A group of cybercriminals known for ransomware attacks has started leaking files allegedly stolen from Jones Day, a major U.S.-based law firm that has represented former president Donald Trump, including in his attempts to overturn the results of the recent election.
The cybercriminals behind the ransomware operation known as Clop (Cl0p) have been known to encrypt files on compromised systems, as well as stealing files from the victim and threatening to leak them unless a ransom is paid.
Tomi Engdahl says:
Information Posted Online After N Carolina Ransomware Attack
https://www.securityweek.com/information-posted-online-after-n-carolina-ransomware-attack
An investigation into a ransomware attack on a North Carolina county’s computer network showed personal information posted for sale on the “dark web,” the county said.
Tomi Engdahl says:
U.S. Charges North Korean Hackers Over $1.3 Billion Bank Heists
https://www.securityweek.com/us-charges-north-korean-hackers-over-13-billion-bank-heists
Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe
The U.S. Justice Department on Wednesday announced the indictment of three North Korean military intelligence officials linked to high-profile cyber-attacks that included the theft of $1.3 billion in money and crypto-currency from organizations around the world.
The indictment alleges the trio was part of a “wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks” against companies and crypto-currency exchanges around the world.
The DOJ described the scope of the North Korean hacking operation as “extensive and long-running”.
Tomi Engdahl says:
Florida Water Supply Attacked by a Hacker, and how Infrastructure is Vulnerable
https://www.electropages.com/blog/2021/02/florida-water-supply-attacked-hacker-and-how-infrastructure-vulnerable?utm_campaign=2021-02-17-Latest-Product-News&utm_source=newsletter&utm_medium=email&utm_term=article&utm_content=Florida+Water+Supply+Attacked+by+a+Hacker%2C+and+how+Infrastructure+is+Vulnerable
Recently, county police in Florida announced in a press statement of a hacking attack against the Oldsmar’s water treatment system. What happened in the incident, what other examples of infrastructure attacks exist, and should infrastructure be connected to networks?
Tomi Engdahl says:
Microsoft admits some Azure, Exchange, Intune source code snaffled in SolarWinds schemozzle
We’ll be fine, says Redmond security crew. No word on whether you will be too once crims analyse their haul
https://www.theregister.com/2021/02/19/microsoft_source_code/
Microsoft has admitted that as a result of installing backdoored SolarWinds tools in some parts of its corporate network, portions of its source code was obtained and exfiltrated by parties unknown.
In a final public update on Thursday detailing its internal investigation into “Solarigate,” Redmond’s security team said it detected the “viewing of a file in a source repository” in late November, and attempts to do so again “into early January 2021, when the attempts stopped.”
“There was no case where all repositories related to any single product or service was accessed,” the update advises, adding: “There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search.”
But some source code was accessed and downloaded. “For a small number of repositories, there was additional access, including in some cases, downloading component source code,” the update states.
Microsoft has described those repositories as follows:
A small subset of Azure components (subsets of service, security, identity)
A small subset of Intune components
A small subset of Exchange components
Tomi Engdahl says:
Microsoft: SolarWinds attack took more than 1,000 engineers to create
Microsoft reckons that the huge attack on security vendors and more took the combined power of at least 1,000 engineers to create.
https://www.zdnet.com/article/microsoft-solarwinds-attack-took-more-than-1000-engineers-to-create/#ftag=CAD-03-10abf5f
The months-long hacking campaign that affected US government agencies and cybersecurity vendors was “the largest and most sophisticated attack the world has ever seen,” Microsoft president Brad Smith has said, and involved a vast number of developers.
The attack, disclosed by security firm FireEye and Microsoft in December, may have impacted as many as 18,000 organizations as a result of the Sunburst (or Solorigate) malware planted inside SolarWinds’s Orion network management software.
“While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy,” Smith said after disclosing the attacks.
He said this was an attack “on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
Smith highlighted to 60 Minutes that the attackers re-wrote just 4,032 lines of code within Orion, which consists of millions of lines of code.
Kevin Mandia, CEO of FireEye, also discussed how the attackers set off an alarm but only after the attackers had successfully enrolled a second smartphone connected to a FireEye employee’s account for its two-factor authentication system. Employees need that two-factor code to remotely sign into the company’s VPN.
Tomi Engdahl says:
Want to keep Flash on your system? Tough luck! (It’s useless anyway)
Microsoft Starts Automatically Removing Flash From Windows
Adobe Flash is dead and Microsoft wants all traces of it deleted.
https://uk.pcmag.com/operating-systems/131798/microsoft-starts-automatically-removing-flash-from-windows
Tomi Engdahl says:
Microsoft Internal Solorigate Investigation Final Update
https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/
We have now completed our internal investigation into the activity of the actor and want to share our findings, which confirm that we found no evidence of access to production services or customer data. The investigation also found no indications that our systems at Microsoft were used to attack others. For a small number of repositories, there was additional access, including in some cases, downloading component source code. These repositories contained code for: a small subset of Azure components (subsets of service, security, identity); a small subset of Intune components; a small subset of Exchange components.
Tomi Engdahl says:
SolarWinds attack hit 100 companies and took months of planning, says White House
https://www.zdnet.com/article/solarwinds-attack-hit-100-companies-and-took-months-of-planning-says-white-house/
The White House warns the SolarWinds attack was more than espionage because the private sector targets could lead to follow-up attacks.
Tomi Engdahl says:
Exploit Details Emerge for Unpatched Microsoft Bug
https://threatpost.com/exploit-details-unpatched-microsoft-bug/164083/
A malicious website or malicious ad can trigger an exploit for the IE zero-day bug, opening the door for data theft and code execution, new analysis notes.
Tomi Engdahl says:
Windows and Linux servers targeted by new WatchDog botnet for almost two years
https://www.zdnet.com/article/windows-and-linux-servers-targeted-by-new-watchdog-botnet-for-almost-two-years/
WatchDog botnet uses exploits to take over servers and mine cryptocurrency.
Tomi Engdahl says:
Ninja Forms WordPress Plugin Bug Opens Websites to Hacks
https://threatpost.com/ninja-forms-wordpress-plugin-hacks/164042/
The popular plugin is installed on more than 1 million websites, and has four flaws that allow various kinds of serious attacks, including site takeover and email hijacking.