Cyber security news March 2021

This posting is here to collect cyber security news in March 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

342 Comments

  1. Tomi Engdahl says:

    T-Mobile discloses data breach after SIM swapping attacks
    https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/
    The attackers used an internal T-Mobile application to target up to
    400 customers in SIM swap attack attempts, BleepingComputer has
    learned. The information accessed by the hackers might have included
    customers’ full names, addresses, email addresses, account numbers,
    social security numbers (SSNs), account personal identification
    numbers (PIN), account security questions and answers, date of
    birth, plan information, and the number of lines subscribed to their
    accounts.

    Reply
  2. Tomi Engdahl says:

    Chinese businessman charged with plotting with GE insider to steal
    transistor tech secrets
    https://www.theregister.com/2021/03/01/china_mosfet_theft/
    The FBI alleges that between March 2017 and January 2018, Ng and at
    least one co-conspirator, a GE engineer of more than seven years,
    plotted to swipe the blueprints for the transistor, which are
    electronic components typically found in industrial equipment and
    vehicles that regulate the flow of electricity. The duo planned to use
    the stolen trade secrets to set up a competitor in China, it’s
    claimed.

    Reply
  3. Tomi Engdahl says:

    Is Your Browser Extension a Botnet Backdoor?
    https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/
    A company that rents out access to more than 10 million Web browsers
    so that clients can hide their true Internet addresses has built its
    network by paying browser extension makers to quietly include its code
    in their creations. This story examines the lopsided economics of
    extension development, and why installing an extension can be such a
    risky proposition. Infatica seeks out authors with extensions that
    have at least 50,000 users. An extension maker who agrees to
    incorporate Infatica’s computer code can earn anywhere from $15 to $45
    each month for every 1,000 active users.

    Reply
  4. Tomi Engdahl says:

    World’s leading dairy group Lactalis hit by cyberattack
    https://www.bleepingcomputer.com/news/security/worlds-leading-dairy-group-lactalis-hit-by-cyberattack/
    Lactalis (short for Lactalis Group) has 85,000 employees in 51
    countries, and it exports dairy products to over 100 countries around
    the world. In a press release published on Friday, Lactalis says that
    only a limited number of computers on its network were compromised
    during the attack

    Reply
  5. Tomi Engdahl says:

    Spectre exploits in the “wild”
    https://dustri.org/b/spectre-exploits-in-the-wild.html
    Someone was silly enough to upload a working spectre (CVE-2017-5753)
    exploit for Linux (there is also a Windows one with symbols that I
    didn’t look at.) on VirusTotal last month, so here is my quick Sunday
    afternoon lazy analysis. In my lab, on a vulnerable Fedora, the
    exploit is successfully dumping /etc/shadow in a couple of minutes.
    Interestingly, there are checks to detect SMAP and abort if it’s
    present. I didn’t manage to understand why the exploit was failing in
    its presence. Also
    https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/
    “But while Voisin did not want to name the exploit author, several
    people were not as shy. Security experts on both Twitter and news
    aggregation service HackerNews were quick to spot that the new Spectre
    exploit might be a module for CANVAS, a penetration testing tool
    developed by Immunity Inc.

    Reply
  6. Tomi Engdahl says:

    China-linked Group RedEcho Targets the Indian Power Sector Amid
    Heightened Border Tensions
    https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
    In this research, we outlined a series of suspected targeted
    intrusions against India’s power sector that were observed beginning in
    mid-2020. The intrusions were conducted by a China-linked activity
    group we track as RedEcho. The group made heavy use of
    AXIOMATICASYMPTOTE, a term we use to track infrastructure that
    comprises ShadowPad C2s, which is shared between several Chinese
    threat activity groups, including APT41/Barium, Tonto team, the
    Icefog cluster, KeyBoy, and Tick. Report at
    https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf

    Reply
  7. Tomi Engdahl says:

    Chinese hackers target Indian vaccine makers SII, Bharat Biotech, says
    security firm
    https://www.reuters.com/article/health-coronavirus-india-china-idUSL2N2KZ13L
    A Chinese state-backed hacking group has in recent weeks targeted the
    IT systems of two Indian vaccine makers whose coronavirus shots are
    being used in the country’s immunisation campaign, cyber intelligence
    firm Cyfirma told Reuters.

    Reply
  8. Tomi Engdahl says:

    One of the biggest Android VPNs hacked? Data of 21 million users from
    3 Android VPNs put for sale online
    https://cybernews.com/security/one-of-the-biggest-android-vpns-hacked-data-of-21-million-users-from-3-android-vpns-put-for-sale-online/
    A user on a popular hacker forum is selling three databases that
    purportedly contain user credentials and device data stolen from three
    different Android VPN services (SuperVPN, GeckoVPN, and ChatVPN), with
    21 million user records being sold in total.

    Reply
  9. Tomi Engdahl says:

    Asian Food Distribution Giant JFC International Hit by Ransomware
    https://www.securityweek.com/asian-food-distribution-giant-jfc-international-hit-ransomware

    JFC International, a major distributor and wholesaler of Asian food products, last week revealed that it was recently targeted in a ransomware attack that disrupted some of its IT systems.

    The attack apparently only impacted JFC International’s Europe Group, which said it had notified authorities, employees and business partners about the incident.

    Reply
  10. Tomi Engdahl says:

    A French security researcher has discovered what appears to be a first fully weaponized exploit for the Spectre bug — a Linux binary that dumps the contents of /etc/shadow

    First Fully Weaponized Spectre Exploit Discovered Online
    https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/

    A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain.

    The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018.

    Reply
  11. Tomi Engdahl says:

    Malaysia Airlines discloses a nine-year-long data breach
    https://www.bleepingcomputer.com/news/security/malaysia-airlines-discloses-a-nine-year-long-data-breach/
    According to Malaysia Airlines, the breach occurred at a third-party
    IT service provider who notified the airline that member data was
    exposed between March 2010 and June 2019.

    Reply
  12. Tomi Engdahl says:

    A message that the police are now investigating arrived in the schools’
    Wilma service last week; the same problem lies behind almost every
    misuse, says the software company’s CEO
    https://yle.fi/uutiset/3-11816741?origin=rss
    Two-factor authentication could prevent misuse, but it is not yet in
    use in all municipalities. The police are investigating a bomb threat
    sent through the service.

    Reply
  13. Tomi Engdahl says:

    ObliqueRAT returns with new campaign using hijacked websites
    https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html
    The usage of compromised websites is another attempt at detection
    evasion. The adversaries have also introduced steganography as a way
    to hide the ObliqueRAT payloads in image files. This technique is
    novel to ObliqueRAT’s distribution chain (not observed in the past).

    Reply
  14. Tomi Engdahl says:

    Microsoft Teams Issues Major Blow To Zoom With Game-Changing New
    Security Features
    https://www.forbes.com/sites/kateoflahertyuk/2021/03/02/microsoft-teams-issues-major-blow-to-zoom-with-game-changing-new-security-features/
    In the first release, customers will have the ability to enable
    end-to-end encryption (which means no one can access video chats,
    including Microsoft and law enforcement) for 1:1 Teams calls for
    designated users. Microsoft says it is just the beginning of the E2EE
    work to expand to online meetings soon.

    Reply
  15. Tomi Engdahl says:

    Malicious NPM packages target Amazon, Slack with new dependency
    attacks
    https://www.bleepingcomputer.com/news/security/malicious-npm-packages-target-amazon-slack-with-new-dependency-attacks/
    While we have seen numerous security researchers impersonate Birsan’s
    work by creating harmless PoCs to earn bug bounties, we had not seen
    any malicious activities. That is until today when open-source security
    firm Sonatype discovered malicious packages targeting applications
    related to Amazon, Zillow, Lyft, and Slack to steal passwords and open
    remote shells.

    Reply
  16. Tomi Engdahl says:

    The Hijacking of Perl.com
    https://www.perl.com/article/the-hijacking-of-perl-com/
    This part veers into some speculation, and Perl.com wasn’t the only
    victim. We think that there was a social engineering attack on Network
    Solutions, including phony documents and so on. There’s no reason for
    Network Solutions to reveal anything to me (again, I’m not the injured
    party), but I did talk to other domain owners involved and this is the
    basic scheme they reported. John Berryhill provided some forensic
    work in Twitter that showed the compromise actually happened in
    September. The domain was transferred to the BizCN registrar in
    December, but the nameservers were not changed. The domain was
    transferred again in January to another registrar, Key Systems, GmbH.
    This latency period avoids immediate detection, and bouncing the
    domain through a couple registrars makes the recovery much harder.

    Reply
  17. Tomi Engdahl says:

    Python Package Index nukes 3,653 malicious libraries uploaded soon
    after security shortcoming highlighted
    https://www.theregister.com/2021/03/02/python_pypi_purges/
    Last month, security researcher Alex Birsan demonstrated how easy it
    is to take advantage of these systems through a form of typosquatting
    that exploited the interplay between public and private package
    registries. The deluge of malicious Python packages over the past
    week included unauthorized versions of projects like CuPy, an
    implementation of NumPy-compatible multi-dimensional array on CUDA,
    Nvidia’s parallel computing platform.

    Reply
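The two comments above describe the dependency-confusion trick Birsan demonstrated: a resolver that consults a public and a private index as one pool installs whichever copy of a name carries the higher version. The following is an added example, not code from the article, from Sonatype or from Birsan: it applies the name normalization pip uses (PEP 503) to spot internal names that collide with public ones, predicts which copy a merged resolver would pick, and emits the pinned, single-index requirements file that closes the hole. Both indexes and every package name below are constructed placeholders.

```python
"""Added example (not from the article or from Sonatype/Birsan): flag internal
package names that a merged public+private resolver could confuse, using the
name normalization pip applies (PEP 503). All data below is constructed."""
import re


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, and any run of '-', '_' or '.'
    becomes a single '-'. 'Acme.Auth' and 'acme_auth' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Simplified version key (assumption: plain dotted integers, no
    pre-release or local tags). Enough to show why a public '99.0.0' wins."""
    return tuple(int(part) for part in version.split("."))


def resolver_choice(private_versions, public_versions):
    """Which (index, version) a resolver that merges both indexes would pick.
    pip with --extra-index-url treats both as one pool and takes the highest
    version, so the attacker only has to publish a higher number."""
    pool = [(parse_version(v), "private", v) for v in private_versions]
    pool += [(parse_version(v), "public", v) for v in public_versions]
    if not pool:
        return None
    _, index, version = max(pool)
    return index, version


def find_confusable(internal, public_index):
    """internal / public_index: {project name: [versions]} as each index lists them.
    Returns {internal name: (index that would win, version)} for every internal
    project whose normalized name also exists on the public index."""
    public = {}
    for name, versions in public_index.items():
        public.setdefault(normalize(name), []).extend(versions)
    hits = {}
    for name, versions in internal.items():
        key = normalize(name)
        if key in public:
            hits[name] = resolver_choice(versions, public[key])
    return hits


def pinned_requirements(internal, index_url):
    """Mitigation: a requirements file that names only the private index
    (--index-url replaces the default index instead of adding to it) and pins
    every internal package to an exact version."""
    lines = [f"--index-url {index_url}"]
    for name in sorted(internal):
        latest = max(internal[name], key=parse_version)
        lines.append(f"{name}=={latest}")
    return lines


# Constructed sample indexes; the names are placeholders, not real projects.
INTERNAL = {
    "acme_billing": ["1.4.0", "1.3.2"],
    "acme-auth": ["2.0.1"],
    "acme.reports": ["0.9.3"],
}
PUBLIC = {
    "acme-billing": ["99.0.0"],   # squatted with an inflated version
    "Acme.Auth": ["1.0.0"],       # same project name after normalization
}

if __name__ == "__main__":
    for name, (index, version) in find_confusable(INTERNAL, PUBLIC).items():
        print(f"{name}: resolver would install {version} from the {index} index")
    print("\n".join(pinned_requirements(INTERNAL, "https://pypi.internal.example/simple")))
```

The pin alone is not enough if the build still passes `--extra-index-url`; the point of `--index-url` in the generated file is that the public index is never consulted for these names at all, so a higher public version has nothing to beat.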
  18. Tomi Engdahl says:

    Cyber Attack on the Ministry of Finance of Kosovo
    https://exit.al/en/2021/03/01/cyber-attack-on-the-ministry-of-finance-of-kosovo/
    The Ministry of Finance in Kosovo was a target of a cyber attack,
    Kosovo media reported on Sunday. It was reported that the cyber
    attack took place in the Tax Department.

    Reply
  19. Tomi Engdahl says:

    Far-Right Platform Gab Has Been Hacked, Including Private Data
    https://www.wired.com/story/gab-hack-data-breach-ddosecrets/
    The transparency group DDoSecrets says it will make the 70 GB of
    passwords, private posts, and more available to researchers,
    journalists, and social scientists.

    Reply
  20. Tomi Engdahl says:

    https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
    To accomplish this phase of the attack, the operators of Gootloader
    must maintain a network of servers hosting hacked, legitimate websites
    (we estimate roughly 400 such servers are in operation at any given
    time). The example shown above belongs to a legitimate business, a
    neonatal medical practice based in Canada. … Google itself indicates
    the result is not an ad, and they have known about the site for
    nearly seven years. To the end user, the entire thing looks on the
    up-and-up. In our experience, many of these hacked sites serving the
    fake message board are running a well-known content management system,
    to which the threat actors make modifications that subtly rewrite how
    the contents of the website are presented to certain visitors, based
    on characteristics of the individual visitors (including how they
    arrive on the hacked site).

    Reply
  21. Tomi Engdahl says:

    Universal Health Services Takes $67 Million Hit From Cyberattack
    https://www.securityweek.com/universal-health-services-takes-67-million-hit-cyberattack

    Healthcare services provider Universal Health Services (UHS) last week revealed that a cyberattack it fell victim to in September 2020 had an estimated financial impact of $67 million.

    With more than 400 facilities in the United States, Puerto Rico, and the United Kingdom, UHS has roughly 90,000 employees and has reported close to $11.6 billion in net revenue for last year.

    On September 29, the company announced that its operations in the United States were targeted in a cyberattack, which forced it to shut down its IT networks at multiple hospitals in the country.

    Within one month after the incident, hospitals were able to resume normal operations, with technology applications restored at acute care and behavioral health hospitals, and re-established connections to all major systems, including electronic medical records, laboratory, and pharmacy systems.

    Reply
  22. Tomi Engdahl says:

    Google Patches Critical Remote Code Execution Vulnerability in Android
    https://www.securityweek.com/google-patches-critical-remote-code-execution-vulnerability-android

    Google this week announced the release of patches for 37 vulnerabilities as part of the Android security updates for March 2021, including a fix for a critical flaw in the System component.

    Tracked as CVE-2021-0397 and affecting Android 8.1, 9, 10, and 11 releases, the security issue could allow an attacker to execute code remotely on a vulnerable device.

    “The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” Google explains.

    The bug was addressed as part of the 2021-03-01 security patch level, which also brings patches for nine other issues, including six more in the System component, one affecting Android runtime, and two impacting Framework.

    All of these flaws were rated high severity, with their exploitation leading to remote code execution (three bugs), elevation of privilege (five issues), and information disclosure (one vulnerability).

    Reply
  23. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Review of Gab’s open source code shows that the critical vulnerability that led to its recent breach might have been introduced by a code change made by its CTO — Site executive introduces, then removes, insecure code, then hides the evidence. — Over the weekend, word emerged …

    Rookie coding mistake prior to Gab hack came from site’s CTO
    Site executive introduces, then removes, insecure code, then hides the evidence.
    https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/

    Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company’s chief technology officer.

    The change, which in the parlance of software development is known as a “git commit,” was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website.

    The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of “reject” and “filter,” which are API functions that implement a programming idiom that protects against SQL injection attacks.

    Developers: Sanitize user input

    This idiom allows programmers to compose an SQL query in a safe way that “sanitizes” the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails function that contains the “find_by_sql” method, which accepts unsanitized inputs directly in a query string. Rails is a widely used website development toolkit.

    “Sadly Rails documentation doesn’t warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you’d have heard of SQL injection, and it’s not hard to come across warnings that find_by_sql method is not safe,” Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention wrote in an email. “It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline.”

    Ironically, Fosco in 2012 warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities.

    Revisionist history

    Besides the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing the commits from its website. Critics say the move violates terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open source software package for hosting social networking platforms.

    Critics say the removal violates terms that require forked source code be directly linked from the site. The requirements are intended to provide transparency and to allow other open source developers to benefit from the work of their peers at Gab.

    Gab had long provided commits at https://code.gab.com/. Then, on Monday, the site suddenly removed all commits—including the ones that created and then fixed the critical SQL injection vulnerability. In their place, Gab provided source code in the form of a Zip archive file that was protected by the password “JesusChristIsKingTrumpWonTheElection” (minus the quotation marks).

    Reply
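The comment above turns on one idiom difference: a query whose text is built from what the visitor typed versus a query whose text is fixed and receives the value as a bound parameter. The block below is an added example, not Gab's code and not Rails code; it reproduces that difference with Python's bundled sqlite3 module so it runs offline. The table, its two rows and the payload are constructed; the Rails form named in the comment is given only for comparison.

```python
"""Added example, not Gab's or Rails' code: the same idiom difference the
article describes (a query string built from user text versus bound
parameters), shown with Python's bundled sqlite3 so it runs offline.
Table contents are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory accounts table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def search_vulnerable(conn, term: str) -> list:
    """Search box handler that splices user text into the statement.
    Whatever the user typed is parsed as SQL, so quotes and UNION are live."""
    sql = f"SELECT username FROM accounts WHERE username LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term: str) -> list:
    """Same search with a bound parameter: the statement text is fixed and
    the driver passes the value separately, so it can only ever be data.
    Rails comparison: find_by_sql(["... WHERE username LIKE ?", "%#{term}%"])
    takes the same array-with-bind-values form."""
    sql = "SELECT username FROM accounts WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Constructed payload: closes the LIKE literal, appends a UNION that pulls
# another column, and comments out the rest of the original statement.
PAYLOAD = "' UNION SELECT email FROM accounts --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))  # usernames plus emails
    print("safe:      ", search_safe(db, PAYLOAD))        # nothing matches the literal
```

Against the vulnerable handler the payload returns the email column alongside the usernames; against the parameterized one the same text is just an odd search string that matches nothing. Escaping quotes by hand is the weaker alternative because it has to be repeated correctly at every call site, which is exactly where the commit described above went wrong.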
  24. Tomi Engdahl says:

    SolarWinds security fiasco may have started with simple password blunders
    https://www.zdnet.com/article/solarwinds-security-fiasco-may-have-started-with-simple-password-blunders/

    UPDATED: Many things came together to crack SolarWinds, but it may all have started with that classic mistake of leaking a lousy password. A SolarWinds third-party, public relations spokesperson, however, claims that the password incident had nothing to do with the major security breach.

    Reply
  25. Tomi Engdahl says:

    VPNs begin to lose their relevance, even as they remain difficult to shed
    https://www.scmagazine.com/home/security-news/network-security/vpns-still-dominate-post-covid-but-businesses-are-sniffing-for-alternatives/

    Virtual private networks have been around for decades, but the past year forced many organizations to expand their use to keep up with growing telework trends. In response, criminal and state-backed hacking groups stepped up their own exploitation of the technology as well.

    A recent report from Zscaler found that VPNs are still overwhelmingly popular: 93% of companies surveyed reported that they have used them in some capacity. The flip side of that coin is a similarly broad recognition of the dangers and tradeoffs involved, with 94% saying they are also aware of the security risks associated with using VPNs and two-thirds (67%) acknowledging that they are considering alternative options for secure remote access.

    That concern may be warranted, as Digital Shadows research released last month found that criminal hackers who specialize in gaining and selling initial access into victim networks exploited the technological changes brought on by the global pandemic.

    Reply
  26. Tomi Engdahl says:

    Since most organizations still treat a host connecting from VPNs as a trusted source, it allows them the kind of broad network access that can be used to facilitate lateral movement, infect corporate hosts or encrypt data. The reality is that while they fulfill a desperately needed business function, few have the resources and knowhow to implement VPNs safely at scale across their employees.
    https://www.scmagazine.com/home/security-news/network-security/vpns-still-dominate-post-covid-but-businesses-are-sniffing-for-alternatives/

    Many of these risks can be mitigated through common security practices, such as multi-factor authentication, access control policies, checking the patching levels of hosts, keeping an eye out for agents or applications that may be piggybacking in, scanning for endpoint vulnerabilities, and segmenting corporate networks (although even this last approach can be circumvented by skilled hackers).

    However, for some businesses the problem is largely about a lack of resources, said Moulin.

    “Many lack the skilled cybersecurity workforce and tools required to properly implement VPNs and to continuously monitor activities for threats.”

    Reply
  27. Tomi Engdahl says:

    China’s ‘Sharp Eyes’ Program Aims to Surveil 100% of Public Space
    The program turns neighbors into agents of the surveillance state
    https://onezero.medium.com/chinas-sharp-eyes-program-aims-to-surveil-100-of-public-space-ddc22d63e015

    Reply
  28. Tomi Engdahl says:

    The Pentagon Fears That Deadly Microwave Weapons Are Undetectable
    https://www.forbes.com/sites/michaelpeck/2021/03/02/the-pentagon-fears-that-deadly-microwave-weapons-are-undetectable/

    When U.S. diplomats began mysteriously falling ill in Havana in 2016, scientists were perplexed by the cause. Until they realized that the cause was probably a microwave weapon that bathed the target in deadly radiation.

    Yet because radio-frequency weapons are largely unknown and untested, soldiers may not even know they are under attack. “Without known patterns of RF injury to guide diagnosis, it will be difficult to differentiate RF injury from other common sources of illness and injury such as heat stroke,” according to the DHA research solicitation. “This ambiguous symptomology is aggravated by the transient nature of RF energy. Without a sensor it is possible that no residual evidence of RF attack will be available.”

    Reply
  29. Tomi Engdahl says:

    What hacking attacks can teach us about defending networks
    A hacker’s attack on a water treatment facility has lessons for every organisation
    https://www.zdnet.com/article/what-hacking-attacks-can-teach-us-about-defending-networks/

    Reply
  30. Tomi Engdahl says:

    Recovering from the SolarWinds hack could take 18 months
    The head of the agency leading US efforts to fix a Russian hacking attack says rebuilding will take a very long time.
    https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/

    Reply
  31. Tomi Engdahl says:

    Scandic hotel chain hit by a data breach last week – ”I must admit it is frightening”
    Janiko Kemppi, 3.3.2021 07:02, Information security, Hackers, IT systems
    Customer data of the Scandic hotel chain had leaked to an outside party as a result of a network attack.
    https://www.tekniikkatalous.fi/uutiset/scandic-hotelliketjuun-tehtiin-tietomurto-viime-viikolla-taytyy-kylla-myontaa-etta-hirvittaa/84ab6eb2-4462-4d50-b66f-8120d6698865

    Reply
  32. Tomi Engdahl says:

    Scandic hotel chain targeted by a data breach – customers’ data at risk
    Thursday 25.2.2021 at 18:03
    Customer data of the Scandic hotel chain has leaked to an outside party as a result of a network attack.
    https://www.iltalehti.fi/digiuutiset/a/2708e15b-e9ee-460f-83ad-49518b85a290

    Scandic has approached its customers with messages stating that their data has leaked as a result of a network attack.

    Iltalehti learned of the breach through a reader contact. The reader describes an email message in which the hotel chain says data has leaked.

    Scandic confirms to Iltalehti that the network attack has taken place.

    – Scandic’s IT security department has detected a fraud attempt against the loyalty program that affected a small number of members. Finnish members have not been targeted by the fraud attempt. Our IT department detected the fraud attempt in mid-February, Scandic’s communications say, without specifying the number of customers whose data has leaked.

    In the fraud attempts, criminals have tried to obtain gift cards with the points customers have earned.

    – The perpetrator of the fraud attempt has tried to buy gift cards from the points shop with members’ points. The perpetrator has not had access to sensitive data such as encrypted credit card details. The perpetrator may have learned the details of a few members, such as name and booking history. We have been in contact with these members.

    – The attacks on the loyalty program have come from several foreign IP addresses, where bots were used to guess passwords and log in to a limited number of member profiles.

    Reply
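The Scandic statement above describes the classic credential-stuffing shape: bots on several foreign IP addresses guessing passwords and occasionally getting into a member profile. What follows is an added example, not anything Scandic or Iltalehti published: a first-pass detector over constructed login records that flags source IPs touching many distinct accounts with mostly failures, lists the accounts those sources did get into (the ones to force a reset on), and adds the per-account view needed when the attacker spreads attempts across IPs to stay under a per-IP threshold. The log format and every line are constructed; the addresses are RFC 5737 documentation ranges.

```python
"""Added example (not Scandic's or Iltalehti's material): a first-pass
credential-stuffing detector for the pattern described above. The log
format, every line and the thresholds are constructed."""
import re
from collections import defaultdict

# Constructed format: one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays nine member accounts and gets one
# right; 198.51.100.9 is one member mistyping once; 192.0.2.5/.6/.7 spread
# attempts on member3001 so that no single IP crosses the per-IP threshold.
SAMPLE_LOG = """\
2021-02-14T03:12:01Z ip=203.0.113.7 user=member1001 result=FAIL
2021-02-14T03:12:02Z ip=203.0.113.7 user=member1002 result=FAIL
2021-02-14T03:12:03Z ip=203.0.113.7 user=member1003 result=FAIL
2021-02-14T03:12:04Z ip=203.0.113.7 user=member1004 result=FAIL
2021-02-14T03:12:05Z ip=203.0.113.7 user=member1005 result=FAIL
2021-02-14T03:12:06Z ip=203.0.113.7 user=member1006 result=FAIL
2021-02-14T03:12:07Z ip=203.0.113.7 user=member1007 result=FAIL
2021-02-14T03:12:08Z ip=203.0.113.7 user=member1008 result=OK
2021-02-14T03:12:09Z ip=203.0.113.7 user=member1009 result=FAIL
2021-02-14T03:15:00Z ip=198.51.100.9 user=member2200 result=FAIL
2021-02-14T03:15:20Z ip=198.51.100.9 user=member2200 result=OK
2021-02-14T03:16:00Z ip=192.0.2.5 user=member3001 result=FAIL
2021-02-14T03:16:05Z ip=192.0.2.5 user=member3002 result=FAIL
2021-02-14T03:16:09Z ip=192.0.2.5 user=member3003 result=FAIL
2021-02-14T03:16:30Z ip=192.0.2.6 user=member3001 result=FAIL
2021-02-14T03:16:55Z ip=192.0.2.7 user=member3001 result=FAIL
"""


def parse_log(text: str) -> list:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events, min_accounts=5, min_fail_ratio=0.8) -> dict:
    """Per-source signal: many distinct accounts, mostly failures.
    Returns {ip: summary}; 'logged_in' holds the accounts that source
    eventually authenticated to, the likely takeovers."""
    per_ip = defaultdict(lambda: {"accounts": set(), "fail": 0, "total": 0, "ok": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["accounts"].add(e["user"])
        s["total"] += 1
        if e["result"] == "FAIL":
            s["fail"] += 1
        else:
            s["ok"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fail"] / s["total"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["total"],
                "distinct_accounts": len(s["accounts"]),
                "fail_ratio": round(ratio, 2),
                "logged_in": sorted(s["ok"]),
            }
    return flagged


def accounts_from_many_ips(events, min_ips=3) -> list:
    """Per-account signal for distributed attempts: accounts with failed
    logins from at least min_ips distinct sources."""
    failing_ips = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failing_ips[e["user"]].add(e["ip"])
    return sorted(u for u, ips in failing_ips.items() if len(ips) >= min_ips)


def accounts_to_reset(flagged: dict) -> list:
    """Union of accounts any flagged source logged in to."""
    return sorted({u for s in flagged.values() for u in s["logged_in"]})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = detect_stuffing(events)
    print("flagged sources:", flagged)
    print("force reset:", accounts_to_reset(flagged))
    print("spread across IPs:", accounts_from_many_ips(events))
```

The per-IP view catches the noisy source and names the one profile it got into; the per-account view is what surfaces member3001, which no single address hit often enough to trip the first rule. Both thresholds are starting points to tune against the site's normal failure rate, and neither replaces the two-factor authentication and lockout controls that stop the guessing in the first place.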
  33. Tomi Engdahl says:

    A bug in the West Bengal government’s mass coronavirus testing website exposed the lab test results of residents who took COVID-19 tests. https://tcrn.ch/3bV4W4e

    Reply
  34. Tomi Engdahl says:

    HAFNIUM targeting Exchange Servers with 0-day exploits
    https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    Microsoft has detected multiple 0-day exploits being used to attack
    on-premises versions of Microsoft Exchange Server in limited and
    targeted attacks. In the attacks observed, the threat actor used these
    vulnerabilities to access on-premises Exchange servers which enabled
    access to email accounts, and allowed installation of additional
    malware to facilitate long-term access to victim environments. Also
    https://us-cert.cisa.gov/ncas/alerts/aa21-062a. Also
    https://cyber.dhs.gov/ed/21-02/

    Reply
  35. Tomi Engdahl says:

    Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day
    Microsoft Exchange Vulnerabilities
    https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
    Following the discovery of CVE-2021-26855, Volexity continued to
    monitor the threat actor and work with additional impacted
    organizations. During the course of multiple incident response
    efforts, Volexity identified that the attacker had managed to chain
    the SSRF vulnerability with another that allows remote code execution
    (RCE) on the targeted Exchange servers. In all cases of RCE, Volexity
    has observed the attacker writing webshells (ASPX files) to disk and
    conducting further operations to dump credentials, add user accounts,
    steal copies of the Active Directory database (NTDS.DIT), and move
    laterally to other systems and environments. Also
    https://twitter.com/ESETresearch/status/1366862948057178115

    Reply
  36. Tomi Engdahl says:

    Qualys hit with ransomware: Customer invoices leaked on extortionists’
    Tor blog
    https://www.theregister.com/2021/03/03/qualys_ransomware_clop_gang/
    Infosec outfit Qualys, its cloud-based vuln detection tech, and its
    SSL server test webpage, have seemingly fallen victim to a ransomware
    attack.

    Reply
  37. Tomi Engdahl says:

    It’s not easy being green: EV HTTPS cert seller Sectigo questions
    Chrome’s logic in burying EV HTTPS cert info
    https://www.theregister.com/2021/03/03/sectigo_google_certificates/
    Google all but hid these extra details in a Chrome update a couple of
    years ago, arguing that netizens couldn’t care less if a site is
    protected by an EV or a vanilla HTTPS cert it won’t stop them putting
    in their credit card number or password. Others in the industry have
    questioned the usefulness of EV certs.

    Reply
  38. Tomi Engdahl says:

    Rookie coding mistake prior to Gab hack came from site’s CTO
    https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/
    Besides questions about secure coding and license compliance, the Gab
    git commits also appear to show company developers struggling to fix
    their vulnerable code. The image below shows someone using the
    username developer trying unsuccessfully to fully fix the code
    containing the SQL injection vulnerability.

    Reply
  39. Tomi Engdahl says:

    Not all cybercriminals are sophisticated
    https://www.welivesecurity.com/2021/03/03/not-all-cybercriminals-are-sophisticated/
    Some perpetrators of online crime and fraud don’t use advanced methods
    to profit at the expense of unsuspecting victims and to avoid getting
    caught. … But surely no one would send a stolen laptop to the
    High-Tech Crime Unit at a police station?! Sophisticated? I thought
    this required more digging.

    Reply
  40. Tomi Engdahl says:

    Eugene Kaspersky says cyber-crooks coined it during COVID and will
    take a break to spend their loot
    https://www.theregister.com/2021/03/03/eugene_kaspersky_post_covid_security_predictions/
    Kaspersky Lab CEO Eugene Kaspersky has suggested that the end of the
    COVID-19 pandemic will bring a slowdown in cyber-crime. Speaking
    yesterday at the Kaspersky-sponsored Asia Pacific Online Policy Forum,
    the CEO said: “If the pandemic goes away, criminals will go away and
    on vacation.” He added that one reason for the slowdown would be taking
    time to spend all the money they stole during the pandemic, and that a
    return to robbery-as-usual can be expected a few months later. [A]
    counter-argument asserted that as workers return to offices, risky
    behaviour like falling for phishing emails will follow. He described
    cyber-criminals as opportunists who will take advantage of changes in
    group behavior and called for a renewed emphasis on security training
    and education. At the onset of the forum, Kaspersky said COVID-19 has
    seen new entrants to the online crime industry. More junior criminals
    are joining cyberspace, said Kaspersky …

    Reply
  41. Tomi Engdahl says:

    The Ursnif banking Trojan has hit over 100 Italian banks
    https://blog.avast.com/ursnif-victim-data
    On analyzing the information, our researchers found information that
    could be used to help protect past and current victims of Ursnif.
    Specifically we found usernames, passwords, credit card, banking and
    payment information that appears to have been stolen from Ursnif
    victims by the malware operators. We saw evidence of over 100 Italian
    banks targeted in the information we obtained. We also saw over
    1,700 stolen credentials for a single payment processor.

    Reply
  42. Tomi Engdahl says:

    Oxfam Australia data incident: update
    https://media.oxfam.org.au/2021/03/oxfam-australia-data-incident-update-2/
    Following an independent IT forensic investigation, Oxfam Australia
    announced today that it has found that supporters’ information on one
    of its databases was unlawfully accessed by an external party on 20
    January 2021. Given the nature of the information accessed, there may
    be risks relating to scam communications via unsolicited emails, phone
    calls or text messages.

    Reply
