This posting is here to collect cyber security news in March 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
T-Mobile discloses data breach after SIM swapping attacks
https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/
The attackers used an internal T-Mobile application to target up to
400 customers in SIM swap attack attempts, BleepingComputer has
learned. The information accessed by the hackers might have included
customers’ full names, addresses, email addresses, account numbers,
social security numbers (SSNs), account personal identification
numbers (PIN), account security questions and answers, date of
birth, plan information, and the number of lines subscribed to their
accounts.
Tomi Engdahl says:
Chinese businessman charged with plotting with GE insider to steal
transistor tech secrets
https://www.theregister.com/2021/03/01/china_mosfet_theft/
The FBI alleges that between March 2017 and January 2018, Ng and at
least one co-conspirator, a GE engineer of more than seven years,
plotted to swipe the blueprints for the transistor, an electronic
component typically found in industrial equipment and vehicles that
regulates the flow of electricity. The duo planned to use the stolen
trade secrets to set up a competitor in China, it’s claimed.
Tomi Engdahl says:
Is Your Browser Extension a Botnet Backdoor?
https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/
A company that rents out access to more than 10 million Web browsers
so that clients can hide their true Internet addresses has built its
network by paying browser extension makers to quietly include its code
in their creations. This story examines the lopsided economics of
extension development, and why installing an extension can be such a
risky proposition. Infatica seeks out authors with extensions that
have at least 50,000 users. An extension maker who agrees to
incorporate Infatica’s computer code can earn anywhere from $15 to $45
each month for every 1,000 active users.
Tomi Engdahl says:
World’s leading dairy group Lactalis hit by cyberattack
https://www.bleepingcomputer.com/news/security/worlds-leading-dairy-group-lactalis-hit-by-cyberattack/
Lactalis (short for Lactalis Group) has 85,000 employees in 51
countries, and it exports dairy products to over 100 countries around
the world. In a press release published on Friday, Lactalis says that
only a limited number of computers on its network were compromised
during the attack.
Tomi Engdahl says:
Spectre exploits in the “wild”
https://dustri.org/b/spectre-exploits-in-the-wild.html
Someone was silly enough to upload a working Spectre (CVE-2017-5753)
exploit for Linux (there is also a Windows one with symbols that I
didn’t look at) on VirusTotal last month, so here is my quick Sunday
afternoon lazy analysis. In my lab, on a vulnerable Fedora, the
exploit is successfully dumping /etc/shadow in a couple of minutes.
Interestingly, there are checks to detect SMAP and abort if it’s
present. I didn’t manage to understand why the exploit was failing in
its presence. Also
https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/
“But while Voisin did not want to name the exploit author, several
people were not as shy. Security experts on both Twitter and news
aggregation service HackerNews were quick to spot that the new Spectre
exploit might be a module for CANVAS, a penetration testing tool
developed by Immunity Inc.”
Tomi Engdahl says:
China-linked Group RedEcho Targets the Indian Power Sector Amid
Heightened Border Tensions
https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
In this research, we outlined a series of suspected targeted
intrusions against India’s power sector that were observed beginning in
mid-2020. The intrusions were conducted by a China-linked activity
group we track as RedEcho. The group made heavy use of
AXIOMATICASYMPTOTE, a term we use to track infrastructure that
comprises ShadowPad C2s, which is shared between several Chinese
threat activity groups, including APT41/Barium, Tonto team, the
Icefog cluster, KeyBoy, and Tick. Report at
https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
Tomi Engdahl says:
Chinese hackers target Indian vaccine makers SII, Bharat Biotech, says
security firm
https://www.reuters.com/article/health-coronavirus-india-china-idUSL2N2KZ13L
A Chinese state-backed hacking group has in recent weeks targeted the
IT systems of two Indian vaccine makers whose coronavirus shots are
being used in the country’s immunisation campaign, cyber intelligence
firm Cyfirma told Reuters.
Tomi Engdahl says:
One of the biggest Android VPNs hacked? Data of 21 million users from
3 Android VPNs put for sale online
https://cybernews.com/security/one-of-the-biggest-android-vpns-hacked-data-of-21-million-users-from-3-android-vpns-put-for-sale-online/
A user on a popular hacker forum is selling three databases that
purportedly contain user credentials and device data stolen from three
different Android VPN services (SuperVPN, GeckoVPN, and ChatVPN), with
21 million user records being sold in total.
Tomi Engdahl says:
Asian Food Distribution Giant JFC International Hit by Ransomware
https://www.securityweek.com/asian-food-distribution-giant-jfc-international-hit-ransomware
JFC International, a major distributor and wholesaler of Asian food products, last week revealed that it was recently targeted in a ransomware attack that disrupted some of its IT systems.
The attack apparently only impacted JFC International’s Europe Group, which said it had notified authorities, employees and business partners about the incident.
Tomi Engdahl says:
https://hackaday.com/2021/02/26/this-week-in-security-mysterious-mac-malware-an-elegant-vmware-rce-and-a-json-mess/
Tomi Engdahl says:
A French security researcher has discovered what appears to be a first fully weaponized exploit for the Spectre bug — a Linux binary that dumps the contents of /etc/shadow
First Fully Weaponized Spectre Exploit Discovered Online
https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/
A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain.
The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018.
Tomi Engdahl says:
Malaysia Airlines discloses a nine-year-long data breach
https://www.bleepingcomputer.com/news/security/malaysia-airlines-discloses-a-nine-year-long-data-breach/
According to Malaysia Airlines, the breach occurred at a third-party
IT service provider who notified the airline that member data was
exposed between March 2010 and June 2019.
Tomi Engdahl says:
Last week a message arrived in the schools’ Wilma service that police
are now investigating; almost every case of misuse has the same
underlying problem, says the software company’s CEO
https://yle.fi/uutiset/3-11816741?origin=rss
Two-factor authentication could prevent misuse, but not all
municipalities have it in use yet. Police are investigating a bomb
threat sent through the service.
Tomi Engdahl says:
ObliqueRAT returns with new campaign using hijacked websites
https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html
The usage of compromised websites is another attempt at detection
evasion. The adversaries have also introduced steganography as a way
to hide the ObliqueRAT payloads in image files. This technique is
novel to ObliqueRAT’s distribution chain (not observed in the past).
Tomi Engdahl says:
Microsoft Teams Issues Major Blow To Zoom With Game-Changing New
Security Features
https://www.forbes.com/sites/kateoflahertyuk/2021/03/02/microsoft-teams-issues-major-blow-to-zoom-with-game-changing-new-security-features/
In the first release, customers will have the ability to enable
end-to-end encryption (which means no one can access video chats,
including Microsoft and law enforcement) for 1:1 Teams calls for
designated users. Microsoft says it is just the beginning of the E2EE
work to expand to online meetings soon.
Tomi Engdahl says:
Malicious NPM packages target Amazon, Slack with new dependency
attacks
https://www.bleepingcomputer.com/news/security/malicious-npm-packages-target-amazon-slack-with-new-dependency-attacks/
While we have seen numerous security researchers impersonate Birsan’s
work by creating harmless PoCs to earn bug bounties, we had not seen
any malicious activities. That is until today when open-source
security firm Sonatype discovered malicious packages targeting
applications related to Amazon, Zillow, Lyft, and Slack to steal
passwords and open remote shells.
Tomi Engdahl says:
The Hijacking of Perl.com
https://www.perl.com/article/the-hijacking-of-perl-com/
This part veers into some speculation, and Perl.com wasn’t the only
victim. We think that there was a social engineering attack on Network
Solutions, including phony documents and so on. There’s no reason for
Network Solutions to reveal anything to me (again, I’m not the injured
party), but I did talk to other domain owners involved and this is the
basic scheme they reported. John Berryhill provided some forensic
work in Twitter that showed the compromise actually happened in
September. The domain was transferred to the BizCN registrar in
December, but the nameservers were not changed. The domain was
transferred again in January to another registrar, Key Systems, GmbH.
This latency period avoids immediate detection, and bouncing the
domain through a couple of registrars makes the recovery much harder.
Tomi Engdahl says:
Python Package Index nukes 3,653 malicious libraries uploaded soon
after security shortcoming highlighted
https://www.theregister.com/2021/03/02/python_pypi_purges/
Last month, security researcher Alex Birsan demonstrated how easy it
is to take advantage of these systems through a form of typosquatting
that exploited the interplay between public and private package
registries. The deluge of malicious Python packages over the past
week included unauthorized versions of projects like CuPy, an
implementation of NumPy-compatible multi-dimensional array on CUDA,
Nvidia’s parallel computing platform.
Tomi Engdahl says:
Cyber Attack on the Ministry of Finance of Kosovo
https://exit.al/en/2021/03/01/cyber-attack-on-the-ministry-of-finance-of-kosovo/
The Ministry of Finance in Kosovo was a target of a cyber attack,
Kosovo media reported on Sunday. It was reported that the cyber
attack took place in the Tax Department.
Tomi Engdahl says:
Far-Right Platform Gab Has Been Hacked, Including Private Data
https://www.wired.com/story/gab-hack-data-breach-ddosecrets/
The transparency group DDoSecrets says it will make the 70 GB of
passwords, private posts, and more available to researchers,
journalists, and social scientists.
Tomi Engdahl says:
https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
To accomplish this phase of the attack, the operators of Gootloader
must maintain a network of servers hosting hacked, legitimate websites
(we estimate roughly 400 such servers are in operation at any given
time). The example shown above belongs to a legitimate business, a
neonatal medical practice based in Canada. … Google itself indicates
the result is not an ad, and they have known about the site for
nearly seven years. To the end user, the entire thing looks on the
up-and-up. In our experience, many of these hacked sites serving the
fake message board are running a well-known content management system,
to which the threat actors make modifications that subtly rewrite how
the contents of the website are presented to certain visitors, based
on characteristics of the individual visitors (including how they
arrive on the hacked site).
Tomi Engdahl says:
https://www.securityweek.com/us-right-wing-platform-gab-acknowledges-it-was-hacked
Tomi Engdahl says:
Universal Health Services Takes $67 Million Hit From Cyberattack
https://www.securityweek.com/universal-health-services-takes-67-million-hit-cyberattack
Healthcare services provider Universal Health Services (UHS) last week revealed that a cyberattack it fell victim to in September 2020 had an estimated financial impact of $67 million.
With more than 400 facilities in the United States, Puerto Rico, and the United Kingdom, UHS has roughly 90,000 employees and has reported close to $11.6 billion in net revenue for last year.
On September 29, the company announced that its operations in the United States were targeted in a cyberattack, which forced it to shut down its IT networks at multiple hospitals in the country.
Within one month after the incident, hospitals were able to resume normal operations, with technology applications restored at acute care and behavioral health hospitals, and re-established connections to all major systems, including electronic medical records, laboratory, and pharmacy systems.
Tomi Engdahl says:
https://www.securityweek.com/new-unc0ver-jailbreak-uses-vulnerability-apple-said-was-exploited
Tomi Engdahl says:
https://www.securityweek.com/microsoft-4-exchange-server-zero-days-under-attack-chinese-apt-group
Tomi Engdahl says:
Hackers Control Perl.com Domain Months Before Hijack
https://www.securityweek.com/hackers-control-perlcom-domain-months-hijack
Tomi Engdahl says:
Google Patches Critical Remote Code Execution Vulnerability in Android
https://www.securityweek.com/google-patches-critical-remote-code-execution-vulnerability-android
Google this week announced the release of patches for 37 vulnerabilities as part of the Android security updates for March 2021, including a fix for a critical flaw in the System component.
Tracked as CVE-2021-0397 and affecting Android 8.1, 9, 10, and 11 releases, the security issue could allow an attacker to execute code remotely on a vulnerable device.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” Google explains.
The bug was addressed as part of the 2021-03-01 security patch level, which also brings patches for nine other issues, including six more in the System component, one affecting Android runtime, and two impacting Framework.
All of these flaws were rated high severity, with their exploitation leading to remote code execution (three bugs), elevation of privilege (five issues), and information disclosure (one vulnerability).
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Review of Gab’s open source code shows that the critical vulnerability that led to its recent breach might have been introduced by a code change made by its CTO — Site executive introduces, then removes, insecure code, then hides the evidence. — Over the weekend, word emerged …
Rookie coding mistake prior to Gab hack came from site’s CTO
Site executive introduces, then removes, insecure code, then hides the evidence.
https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/
Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company’s chief technology officer.
The change, which in the parlance of software development is known as a “git commit,” was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website.
The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of “reject” and “filter,” which are API functions that implement a programming idiom that protects against SQL injection attacks.
Developers: Sanitize user input
This idiom allows programmers to compose an SQL query in a safe way that “sanitizes” the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails function that contains the “find_by_sql” method, which accepts unsanitized inputs directly in a query string. Rails is a widely used website development toolkit.
“Sadly Rails documentation doesn’t warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you’d have heard of SQL injection, and it’s not hard to come across warnings that find_by_sql method is not safe,” Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention wrote in an email. “It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline.”
Ironically, Fosco in 2012 warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities.
Revisionist history
Besides the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing the commits from its website. Critics say the move violates terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open source software package for hosting social networking platforms.
Critics say the removal violates terms that require forked source code be directly linked from the site. The requirements are intended to provide transparency and to allow other open source developers to benefit from the work of their peers at Gab.
Gab had long provided commits at https://code.gab.com/. Then, on Monday, the site suddenly removed all commits—including the ones that created and then fixed the critical SQL injection vulnerability. In their place, Gab provided source code in the form of a Zip archive file that was protected by the password “JesusChristIsKingTrumpWonTheElection” (minus the quotation marks).
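A worked illustration of the two query styles the article contrasts, added here and not taken from Gab’s or Rails’ code: Python’s bundled sqlite3 module stands in for the Rails database layer, with a constructed three-row accounts table, so the interpolated query (the find_by_sql-with-unsanitized-input pattern) can be run beside the placeholder-bound one that parameterized queries give you.

```python
import sqlite3

# Constructed sample rows (a made-up schema, not Gab's): username, email, password hash.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.invalid", "hash-a1"),
    ("bob", "bob@example.invalid", "hash-b2"),
    ("carol", "carol@example.invalid", "hash-c3"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def search_unsafe(conn, term):
    """The pattern the article describes: user text is spliced into the SQL string.

    This is the Python equivalent of find_by_sql("... WHERE username = '#{term}'")
    in Rails: the database cannot tell where the literal ends and user-supplied
    SQL begins.
    """
    sql = f"SELECT username, email FROM accounts WHERE username = '{term}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The parameterized form: the value is bound by the driver, never parsed as SQL.

    This is the equivalent of find_by_sql(["... WHERE username = ?", term]) in Rails.
    """
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (term,)).fetchall()


def compare(term):
    """Run both variants on the same input and report what each returned.

    'unsafe_error' records whether the interpolated query was rejected by the
    SQL parser, which is what happens to legitimate input containing an apostrophe.
    """
    conn = make_db()
    try:
        unsafe_rows = search_unsafe(conn, term)
        unsafe_error = False
    except sqlite3.OperationalError:
        unsafe_rows, unsafe_error = [], True
    safe_rows = search_safe(conn, term)
    conn.close()
    return {
        "unsafe_rows": len(unsafe_rows),
        "unsafe_error": unsafe_error,
        "safe_rows": len(safe_rows),
    }


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print("alice:", compare("alice"))
    # A tautology in the search term turns the interpolated query into
    # "WHERE username = 'x' OR '1'='1'" and returns every account; the bound
    # query looks for a user literally named "x' OR '1'='1" and finds none.
    print("tautology:", compare("x' OR '1'='1"))
    # A legitimate name with an apostrophe breaks the interpolated query
    # outright, while the bound query handles it as plain data.
    print("apostrophe:", compare("O'Brien"))
```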
Tomi Engdahl says:
SolarWinds security fiasco may have started with simple password blunders
https://www.zdnet.com/article/solarwinds-security-fiasco-may-have-started-with-simple-password-blunders/
UPDATED: Many things came together to crack SolarWinds, but it may all have started with that classic mistake of leaking a lousy password. A SolarWinds third-party, public relations spokesperson, however, claims that the password incident had nothing to do with the major security breach.
Tomi Engdahl says:
VPNs begin to lose their relevance, even as they remain difficult to shed
https://www.scmagazine.com/home/security-news/network-security/vpns-still-dominate-post-covid-but-businesses-are-sniffing-for-alternatives/
Virtual private networks have been around for decades, but the past year forced many organizations to expand their use to keep up with growing telework trends. In response, criminal and state-backed hacking groups stepped up their own exploitation of the technology as well.
A recent report from Zscaler found that VPNs are still overwhelmingly popular: 93% of companies surveyed reported that they have used them in some capacity. The flip side of that coin is a similarly broad recognition of the dangers and tradeoffs involved, with 94% saying they are also aware of the security risks associated with using VPNs and two-thirds (67%) acknowledging that they are considering alternative options for secure remote access.
That concern may be warranted, as Digital Shadows research released last month found that criminal hackers who specialize in gaining and selling initial access into victim networks exploited the technological changes brought on by the global pandemic.
Tomi Engdahl says:
Since most organizations still treat a host connecting from VPNs as a trusted source, it allows them the kind of broad network access that can be used to facilitate lateral movement, infect corporate hosts or encrypt data. The reality is that while they fulfill a desperately needed business function, few have the resources and knowhow to implement VPNs safely at scale across their employees.
https://www.scmagazine.com/home/security-news/network-security/vpns-still-dominate-post-covid-but-businesses-are-sniffing-for-alternatives/
Many of these risks can be mitigated through common security practices, such as multi-factor authentication, access control policies, checking the patching levels of hosts, keeping an eye out for agents or applications that may be piggybacking in, scanning for endpoint vulnerabilities, and segmenting corporate networks (although even this last approach can be circumvented by skilled hackers).
However, for some businesses the problem is largely about a lack of resources, said Moulin.
“Many lack the skilled cybersecurity workforce and tools required to properly implement VPNs and to continuously monitor activities for threats.”
Tomi Engdahl says:
China’s ‘Sharp Eyes’ Program Aims to Surveil 100% of Public Space
The program turns neighbors into agents of the surveillance state
https://onezero.medium.com/chinas-sharp-eyes-program-aims-to-surveil-100-of-public-space-ddc22d63e015
Tomi Engdahl says:
The Pentagon Fears That Deadly Microwave Weapons Are Undetectable
https://www.forbes.com/sites/michaelpeck/2021/03/02/the-pentagon-fears-that-deadly-microwave-weapons-are-undetectable/
When U.S. diplomats began mysteriously falling ill in Havana in 2016, scientists were perplexed by the cause. Until they realized that the cause was probably a microwave weapon that bathed the target in deadly radiation.
Yet because radio-frequency weapons are largely unknown and untested, soldiers may not even know they are under attack. “Without known patterns of RF injury to guide diagnosis, it will be difficult to differentiate RF injury from other common sources of illness and injury such as heat stroke,” according to the DHA research solicitation. “This ambiguous symptomology is aggravated by the transient nature of RF energy. Without a sensor it is possible that no residual evidence of RF attack will be available.”
Tomi Engdahl says:
What hacking attacks can teach us about defending networks
A hacker’s attack on a water treatment facility has lessons for every organisation
https://www.zdnet.com/article/what-hacking-attacks-can-teach-us-about-defending-networks/
Tomi Engdahl says:
Recovering from the SolarWinds hack could take 18 months
The head of the agency leading US efforts to fix a Russian hacking attack says rebuilding will take a very long time.
https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/
Tomi Engdahl says:
https://techcrunch.com/2021/03/02/microsoft-says-china-backed-hackers-are-exploiting-exchange-zero-days/
Tomi Engdahl says:
https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html?m=1
Tomi Engdahl says:
https://www.computerweekly.com/news/252472525/Huge-rise-in-rogue-banking-apps-driving-fraud-attacks
Tomi Engdahl says:
Scandic hotel chain hit by a data breach last week – ”I have to admit it is frightening”
Janiko Kemppi, 3.3.2021 07:02. Tags: Information security, Hackers, IT systems
Customer data of the Scandic hotel chain had leaked to an outside party due to a cyberattack.
https://www.tekniikkatalous.fi/uutiset/scandic-hotelliketjuun-tehtiin-tietomurto-viime-viikolla-taytyy-kylla-myontaa-etta-hirvittaa/84ab6eb2-4462-4d50-b66f-8120d6698865
Tomi Engdahl says:
Scandic hotel chain targeted by a data breach – customers’ data at risk
Thursday 25.2.2021 at 18:03
Customer data of the Scandic hotel chain has leaked to an outside party due to a cyberattack.
https://www.iltalehti.fi/digiuutiset/a/2708e15b-e9ee-460f-83ad-49518b85a290
Scandic has contacted its customers with messages stating that their data has leaked due to a cyberattack.
Iltalehti learned of the breach through a tip from a reader. The reader describes an email received from the hotel chain saying that data had leaked.
Scandic confirms to Iltalehti that a cyberattack has occurred.
– Scandic’s IT security department has detected a fraud attempt against the loyalty programme, which affected a small number of members. Finnish members have not been targeted by the fraud attempt. Our IT department detected the fraud attempt in mid-February, Scandic’s communications says, without specifying how many customers’ data has leaked.
In the fraud attempts, criminals have tried to obtain gift cards using the points earned by customers.
– The perpetrator of the fraud attempt has tried to buy gift cards from the points shop with members’ points. The perpetrator has not had access to sensitive data such as encrypted credit card details. The perpetrator may have learned the details of a few members, such as name and order history. We have been in contact with these members.
– The attacks on the loyalty programme came from several foreign IP addresses, where bots were used to guess passwords and log in to a limited number of member profiles.
Tomi Engdahl says:
A bug in the West Bengal government’s mass coronavirus testing website exposed the lab test results of residents who took COVID-19 tests. https://tcrn.ch/3bV4W4e
Tomi Engdahl says:
HAFNIUM targeting Exchange Servers with 0-day exploits
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Microsoft has detected multiple 0-day exploits being used to attack
on-premises versions of Microsoft Exchange Server in limited and
targeted attacks. In the attacks observed, the threat actor used these
vulnerabilities to access on-premises Exchange servers which enabled
access to email accounts, and allowed installation of additional
malware to facilitate long-term access to victim environments. Also
https://us-cert.cisa.gov/ncas/alerts/aa21-062a
Also
https://cyber.dhs.gov/ed/21-02/
Tomi Engdahl says:
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day
Microsoft Exchange Vulnerabilities
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
Following the discovery of CVE-2021-26855, Volexity continued to
monitor the threat actor and work with additional impacted
organizations. During the course of multiple incident response
efforts, Volexity identified that the attacker had managed to chain
the SSRF vulnerability with another that allows remote code execution
(RCE) on the targeted Exchange servers. In all cases of RCE, Volexity
has observed the attacker writing webshells (ASPX files) to disk and
conducting further operations to dump credentials, add user accounts,
steal copies of the Active Directory database (NTDS.DIT), and move
laterally to other systems and environments. Also
https://twitter.com/ESETresearch/status/1366862948057178115
Tomi Engdahl says:
Qualys hit with ransomware: Customer invoices leaked on extortionists’
Tor blog
https://www.theregister.com/2021/03/03/qualys_ransomware_clop_gang/
Infosec outfit Qualys, its cloud-based vuln detection tech, and its
SSL server test webpage, have seemingly fallen victim to a ransomware
attack.
Tomi Engdahl says:
It’s not easy being green: EV HTTPS cert seller Sectigo questions
Chrome’s logic in burying EV HTTPS cert info
https://www.theregister.com/2021/03/03/sectigo_google_certificates/
Google all but hid these extra details in a Chrome update a couple of
years ago, arguing that netizens couldn’t care less if a site is
protected by an EV or a vanilla HTTPS cert; it won’t stop them putting
in their credit card number or password. Others in the industry have
questioned the usefulness of EV certs.
Tomi Engdahl says:
Rookie coding mistake prior to Gab hack came from site’s CTO
https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/
Besides questions about secure coding and license compliance, the Gab
git commits also appear to show company developers struggling to fix
their vulnerable code. The image below shows someone using the
username developer trying unsuccessfully to fully fix the code
containing the SQL injection vulnerability.
Tomi Engdahl says:
Not all cybercriminals are sophisticated
https://www.welivesecurity.com/2021/03/03/not-all-cybercriminals-are-sophisticated/
Some perpetrators of online crime and fraud don’t use advanced methods
to profit at the expense of unsuspecting victims and to avoid getting
caught. … But surely no one would send a stolen laptop to the
High-Tech Crime Unit at a police station?! Sophisticated? I thought
this required more digging.
Tomi Engdahl says:
Eugene Kaspersky says cyber-crooks coined it during COVID and will
take a break to spend their loot
https://www.theregister.com/2021/03/03/eugene_kaspersky_post_covid_security_predictions/
Kaspersky Lab CEO Eugene Kaspersky has suggested that the end of the
COVID-19 pandemic will bring a slowdown in cyber-crime. Speaking
yesterday at the Kaspersky-sponsored Asia Pacific Online Policy Forum,
the CEO said: “If the pandemic goes away, criminals will go away and
on vacation.” He added that one reason for the slowdown would be taking
time to spend all the money they stole during the pandemic, and that a
return to robbery-as-usual can be expected a few months later. [A]
counter-argument asserted that as workers return to offices, risky
behaviour like falling for phishing emails will follow. He described
cyber-criminals as opportunists who will take advantage of changes in
group behavior and called for a renewed emphasis on security training
and education. At the onset of the forum, Kaspersky said COVID-19 has
seen new entrants to the online crime industry. “More junior criminals
are joining cyberspace,” said Kaspersky …
Tomi Engdahl says:
The Ursnif banking Trojan has hit over 100 Italian banks
https://blog.avast.com/ursnif-victim-data
On analyzing the information, our researchers found information that
could be used to help protect past and current victims of Ursnif.
Specifically we found usernames, passwords, credit card, banking and
payment information that appears to have been stolen from Ursnif
victims by the malware operators. We saw evidence of over 100 Italian
banks targeted in the information we obtained. We also saw over
1,700 stolen credentials for a single payment processor.
Tomi Engdahl says:
Oxfam Australia data incident: update
https://media.oxfam.org.au/2021/03/oxfam-australia-data-incident-update-2/
Following an independent IT forensic investigation, Oxfam Australia
announced today that it has found that supporters’ information on one
of its databases was unlawfully accessed by an external party on 20
January 2021. Given the nature of the information accessed, there may
be risks relating to scam communications via unsolicited emails, phone
calls or text messages.