Cyber security news March 2021

This posting is here to collect cyber security news in March 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

342 Comments

  1. Tomi Engdahl says:

    Supermicro, Pulse Secure Respond to Trickbot’s Ability to Target Firmware
    https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-ability-target-firmware

    Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware.

    Reply
  2. Tomi Engdahl says:

    Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers
    https://www.securityweek.com/thousands-mobile-apps-expose-data-misconfigured-cloud-containers

    Thousands of mobile applications expose user data through insecurely implemented cloud containers, according to a new report from security vendor Zimperium.

    The issue, the company notes, is rooted in the fact that many developers tend to overlook the security of cloud containers during the development process.

    Cloud services help resolve the issue of storage space on mobile devices, and developers have numerous such solutions to choose from, some of the most popular being Amazon Web Services, Microsoft’s Azure, Google Storage, and Firebase, among others.

    “All of these services allow you to easily store data and make it accessible to your apps. But, herein lies the risk, the ease of use of these services also makes it easy for the developer to misconfigure access policies – potentially allowing anyone to access and in some cases even alter data,” Zimperium notes.

    Unsecured Cloud Configurations Exposing Information in Thousands of Mobile Apps
    https://blog.zimperium.com/unsecured-cloud-configurations-exposing-information-in-thousands-of-mobile-apps/

    Reply
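
The access-policy misconfiguration Zimperium describes above is easy to check for mechanically. The following is an added example, not Zimperium's tooling or any code from the report: a small evaluator for AWS S3 bucket-policy JSON that flags Allow statements granting anonymous read or write, run against a constructed over-permissive policy and its scoped replacement. The bucket and role names are made up.

```python
"""Flag cloud-storage access policies that grant anonymous read or write.

Added example (not Zimperium's tooling): a minimal evaluator for AWS S3
bucket-policy JSON, the kind of misconfiguration the report describes.
The sample policies below are constructed for illustration.
"""
import json

# Actions that let an anonymous caller read objects, list the bucket or modify it.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True if the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_grants(policy_json):
    """Return a list of (Sid, kind) for each Allow statement that grants
    anonymous read or write without a Condition narrowing it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition (e.g. aws:SourceVpc) narrows the grant; not flagged
            # here, but still worth a manual look.
            continue
        actions = set(_as_list(stmt.get("Action")))
        sid = stmt.get("Sid", "<no Sid>")
        if actions & WRITE_ACTIONS:
            findings.append((sid, "anonymous-write"))
        elif actions & READ_ACTIONS:
            findings.append((sid, "anonymous-read"))
    return findings


# Constructed sample: the weak setting the report warns about ...
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppUploads",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-uploads/*",
    }],
})

# ... a read-only public bucket, which may or may not be intended ...
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "StaticSite",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-assets/*",
    },
})

# ... and the corrected one: only the app's IAM role may touch the objects.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppUploads",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-backend"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-uploads/*",
    }],
})

if __name__ == "__main__":
    print("public      :", find_public_grants(PUBLIC_POLICY))
    print("public-read :", find_public_grants(PUBLIC_READ_POLICY))
    print("scoped      :", find_public_grants(SCOPED_POLICY))
```

Anonymous write is the worse finding, since it lets an attacker alter the data the app serves to every user; anonymous read is reported separately because a static-asset bucket may legitimately be public, but a bucket of user uploads should not be.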
  3. Tomi Engdahl says:

    Casting a Wide Intrusion Net: Dozens Burned With Single Hack
    https://www.securityweek.com/casting-wide-intrusion-net-dozens-burned-single-hack

    The SolarWinds hacking campaign blamed on Russian spies and the “grave threat” it poses to U.S. national security are widely known. A very different — and no less alarming — coordinated series of intrusions also detected in December has gotten considerably less public attention.

    Nimble, highly skilled criminal hackers believed to operate out of Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used.

    The victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered U.S. law firm Jones Day — whose clients include former President Donald Trump — the rail freight company CSX and the Kroger supermarket and pharmacy chain. Also hit was Washington state’s auditor’s office, where the personal data of up to 1.3 million people gathered for an investigation into unemployment fraud was potentially exposed.

    Reply
  4. Tomi Engdahl says:

    F1 Team Williams Unveils New Car After Hackers Foil Launch
    https://www.securityweek.com/f1-team-williams-unveils-new-car-after-hackers-foil-launch

    The Williams team presented its new Formula One car on Friday — after hackers foiled plans for an “augmented reality” launch — revealing a livery inspired by its “all-conquering cars of the 1980s and 1990s.”

    The British team enters its first full season under the ownership of US-based investment firm Dorilton Capital.

    The FW43B car has “a dramatic new visual identity sporting a livery inspired by Williams’ all-conquering cars of the 1980s and 1990s, combining blue, white and yellow accents.”

    Williams had planned to reveal the car via an augmented reality app but scrapped it “because the app was hacked prior to launch.”

    Reply
  5. Tomi Engdahl says:

    Gab, a haven for pro-Trump conspiracy theories, has been hacked again
    A failure to purge authentication tokens taken in the first breach leads to a second one.
    https://arstechnica.com/information-technology/2021/03/gab-a-haven-for-pro-trump-conspiracy-theories-has-been-hacked-again/

    Reply
  6. Tomi Engdahl says:

    William Turton / Bloomberg:
    Hackers say they breached Verkada, accessing feeds and archives of 150K surveillance cameras inside clinics, police precincts, jails, schools, Tesla facilities — Hacker group says it wanted to show prevalence of surveillance — Video footage was captured from Sequoia-backed startup Verkada

    Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
    https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams

    Hacker group says it wanted to show prevalence of surveillance
    Video footage was captured from Sequoia-backed startup Verkada

    A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.

    Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.

    In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s public-facing website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”

    Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.

    The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.

    Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”

    “We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

    A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation.

    “This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.

    The hackers say they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects, all in the high-definition resolution known as 4K.

    Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.

    The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. After Bloomberg contacted Verkada, the hackers lost access to the video feeds and archives, Kottmann said.

    Reply
  7. Tomi Engdahl says:

    Kelly Sheridan / Dark Reading:
    Linux Foundation debuts the Sigstore initiative, which aims to improve open source software supply chain security, and includes members like Google and Red Hat

    https://www.darkreading.com/application-security/linux-foundation-debuts-sigstore-project-for-software-signing/d/d-id/1340360

    Reply
  8. Tomi Engdahl says:

    FireEye CEO: Reckless Microsoft Hack Unusual for China
    https://www.securityweek.com/fireeye-ceo-reckless-microsoft-hack-unusual-china

    Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running its Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.

    The second wave, which began Feb. 26, is highly uncharacteristic of Beijing’s elite cyber spies and far exceeds the norms of espionage, said Kevin Mandia of FireEye. In its massive scale it diverges radically from the highly targeted nature of the original hack, which was detected in January.

    “You never want to see a modern nation like China that has an offense capability — that they usually control with discipline — suddenly hit potentially a hundred thousand systems,” Mandia said Tuesday in an interview with The Associated Press.

    Reply
  9. Tomi Engdahl says:

    Microsoft Ships Massive Security Patch Bundle
    https://www.securityweek.com/microsoft-ships-massive-security-patch-bundle

    It’s raining patches in the Microsoft Windows ecosystem.

    The Redmond, Wash. software giant on Tuesday dropped a mega-batch of security updates with patches for a whopping 89 documented vulnerabilities, including one used in zero-day attacks against some in the white-hat hacker community.

    This month’s Patch Tuesday whopper comes just one week after Microsoft scrambled out emergency fixes to provide cover for in-the-wild nation-state attacks targeting Exchange Server installations.

    Microsoft has blamed those attacks on Chinese cyber-espionage actors operating from leased VPS (virtual private servers) in the United States. The APT group has hit tens of thousands of organizations around the world, including targeted sectors like defense contractors, policy think tanks, and NGOs.

    Reply
  10. Tomi Engdahl says:

    Third French Hospital Hit by Cyberattack
    https://www.securityweek.com/third-french-hospital-hit-cyberattack

    A hospital in southwest France has seen some of its IT systems paralysed by a “ransomware” cyberattack, its management said Tuesday, the third such incident in the last month.

    The 320-bed facility in Oloron-Sainte-Marie near the Pyrenees mountains was hit by the attack on Monday, with screens displaying a demand in English for $50,000 in Bitcoin.

    Hospital workers have had to revert to working with pens and paper, since digital patient records are not available.

    The management system, used to monitor medicine stocks and other supplies, has also been affected at a time when the hospital is taking part in vaccination efforts against Covid-19.

    “We might get our systems back in 48 hours or in three months,” hospital director Frederic Lecenne told local newspaper La Republique des Pyrenees.

    Reply
  11. Tomi Engdahl says:

    Apple Patches Remote Code Execution Bug in WebKit
    https://www.securityweek.com/apple-patches-remote-code-execution-bug-webkit

    Apple on Monday released patches for a vulnerability in WebKit that could allow attackers to execute code remotely on affected devices.

    Tracked as CVE-2021-1844 and co-reported by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research, the flaw was addressed with software updates for macOS, iOS, watchOS, and Safari.

    To exploit the vulnerability, an attacker would simply need to craft a webpage containing malicious code, and then lure the victim into accessing that webpage, which would trigger the execution of code onto the victim’s machine.

    Reply
  12. Tomi Engdahl says:

    Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild
    https://www.securityweek.com/vulnerability-allows-complete-wordpress-site-takeover-exploited-wild

    A critical vulnerability identified in The Plus Addons for Elementor WordPress plugin could be exploited to gain administrative privileges to a website. The zero-day has been exploited in the wild, the Wordfence team at WordPress security company Defiant warns.

    With more than 30,000 installations to date, The Plus Addons for Elementor is a premium plugin that has been designed to add several widgets to be used with the popular WordPress website builder Elementor.

    The identified issue, Wordfence explains, resides in one of the added widgets, which provides the ability to insert user login and registration forms to Elementor pages.

    Because the functionality is not properly configured, an attacker can create a new administrative user account on the vulnerable site, or even to log in as an existing administrative user, the researchers reveal.

    Reply
  13. Tomi Engdahl says:

    Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components
    https://www.securityweek.com/siemens-releases-several-advisories-vulnerabilities-third-party-components

    Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products.

    Half of the new advisories cover vulnerabilities in third-party components. One of these advisories is related to AMNESIA:33, a collection of vulnerabilities discovered recently in open source TCP/IP stacks. Siemens has been publishing advisories to describe the impact of these flaws on its products, and the latest advisory focuses on the impact of two AMNESIA:33 denial-of-service (DoS) flaws on SENTRON 3VA and PAC Meter products.

    Two advisories are related to NUMBER:JACK, a set of TCP/IP stack vulnerabilities that were discovered even more recently. The advisories describe the impact of some NUMBER:JACK issues, ones that allow session hijacking, on the SIMATIC MV400 optical readers and PLUSCONTROL products used in the energy sector.

    Siemens also informed customers that its SIMATIC NET CM 1542-1 and SCALANCE SC600 devices are affected by a DoS vulnerability that exists in libcurl, a multiprotocol file transfer library.

    Reply
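
The NUMBER:JACK class of bug above concerns how a TCP stack picks initial sequence numbers: if the ISN is predictable, an off-path attacker can forge segments that land in an existing connection's window or spoof a new connection. The following is an added example, not Siemens or Forescout code: it contrasts a weak incrementing generator with one built the RFC 6528 way, ISN = M + F(local IP, local port, remote IP, remote port, secret key) with F a keyed hash, and simulates an attacker who observes two ISNs and predicts the third. Addresses, ports and the key are constructed.

```python
"""Predictable vs. randomised TCP initial sequence numbers (ISNs).

Added example, not Siemens or Forescout code. A weak generator that merely
increments per connection is compared with an RFC 6528-style generator,
ISN = M + F(4-tuple, key). Hosts, ports and the key are constructed.
"""
import hashlib
import hmac
import secrets
import time

MASK32 = 0xFFFFFFFF


class WeakIsnGenerator:
    """ISN = last ISN + fixed step. Two observed values reveal the step."""

    def __init__(self, start=0x1000, step=64000):
        self._last = start
        self._step = step

    def isn(self, *_connection):
        # The 4-tuple is ignored: every connection gets the next value.
        self._last = (self._last + self._step) & MASK32
        return self._last


class Rfc6528IsnGenerator:
    """ISN = M + F(4-tuple, secret key). The per-connection offset cannot be
    predicted without the key, while M keeps each tuple's ISN monotonic."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)

    def _clock(self):
        # RFC 6528 suggests a 4-microsecond tick; modelled here from the
        # monotonic clock rather than a hardware timer.
        return int(time.monotonic() * 250_000) & MASK32

    def isn(self, local_ip, local_port, remote_ip, remote_port):
        tuple_bytes = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
        f = hmac.new(self._key, tuple_bytes, hashlib.sha256).digest()
        return (self._clock() + int.from_bytes(f[:4], "big")) & MASK32


def predict_next_isn(isn_a, isn_b):
    """Off-path attacker: given two consecutive ISNs from a linear generator,
    the next one is isn_b + (isn_b - isn_a), modulo 2^32."""
    step = (isn_b - isn_a) & MASK32
    return (isn_b + step) & MASK32


def attacker_hits(generator):
    """Simulate the attack: the attacker opens two connections of its own to
    learn two ISNs, then guesses the ISN the stack hands a victim's connection
    (e.g. a Modbus session on port 502)."""
    probe_a = ("10.0.0.2", 40000, "10.0.0.1", 502)
    probe_b = ("10.0.0.2", 40001, "10.0.0.1", 502)
    victim = ("10.0.0.9", 51000, "10.0.0.1", 502)
    a = generator.isn(*probe_a)
    b = generator.isn(*probe_b)
    guess = predict_next_isn(a, b)
    return guess == generator.isn(*victim)


if __name__ == "__main__":
    print("weak generator predicted :", attacker_hits(WeakIsnGenerator()))
    print("RFC 6528 generator predicted:", attacker_hits(Rfc6528IsnGenerator()))
```

A real hijack additionally needs the attacker to know or guess the victim's ports and to race the legitimate peer, but once the ISN is known the remaining search space is small, which is why the advisories rate these flaws as enabling session hijacking rather than just information disclosure.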
  14. Tomi Engdahl says:

    GitHub Informs Users of ‘Potentially Serious’ Authentication Bug
    https://www.securityweek.com/github-informs-users-potentially-serious-authentication-bug

    GitHub on Monday informed users that it had discovered what it described as an “extremely rare, but potentially serious” security bug related to how some authenticated sessions were handled.

    The Microsoft-owned software development platform said the issue was discovered on March 2 and an initial patch was rolled out on March 5. A second patch was released on March 8 and on the evening of the same day the company decided to invalidate all authenticated sessions to completely eliminate the possibility of exploitation.

    The vulnerability, which GitHub said existed at various times between February 8 and March 5, was caused by a race condition that in extremely rare circumstances resulted in a user’s session being routed to the browser of a different authenticated user, providing this second user with a valid and authenticated session cookie for the first user’s account.

    “It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” noted Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.”

    Reply
  15. Tomi Engdahl says:

    Flaws in Apple Location Tracking System Could Lead to User Identification
    https://www.securityweek.com/flaws-apple-location-tracking-system-could-lead-user-identification

    Vulnerabilities identified in offline finding (OF) — Apple’s proprietary crowd-sourced location tracking system — could be abused for user identification, researchers said in a report released this month.

    Reply
  16. Tomi Engdahl says:

    Dangerous Malware Dropper Found in 9 Utility Apps on Google's Play Store
    https://blog.checkpoint.com/2021/03/09/dangerous-malware-dropper-found-in-9-utility-apps-on-googles-play-store/
    Check Point Research (CPR) recently discovered a new dropper spreading via the Google Play store. The dropper, dubbed Clast82, has the ability to avoid detection by Google Play Protect, complete the evaluation period successfully, and change the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT. The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications.

    https://etn.fi/index.php/13-news/11861-google-playsta-loytyi-vakava-dropper-haittaohjelma

    Reply
  17. Tomi Engdahl says:

    Fortinet Addresses Latest Microsoft Exchange Server Exploits
    https://www.fortinet.com/blog/threat-research/fortinet-addresses-latest-microsoft-exchange-server-exploits
    As many as 30,000 businesses and government agencies across the US have been targeted by an aggressive hacking campaign that exploits vulnerabilities in versions of Microsoft Exchange Server, with some experts claiming that hundreds of thousands of Exchange Servers have been exploited worldwide. Microsoft is attributing these exploits to a cyber espionage organization known as HAFNIUM, operating out of mainland China. Microsoft Exchange Server is used by millions of organizations for email and calendar, as well as a collaboration solution.

    Serious Security: Webshells explained in the aftermath of HAFNIUM attacks
    https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks/
    The cybersecurity meganews of the week, of course, is anything to do with HAFNIUM. (To be clear, we're going to write it as Hafnium from now on, as Microsoft does in its top-level incident disclosure document, so that it doesn't look as though we're shouting all the time.) Strictly speaking, Hafnium is the name that Microsoft uses to denote a specific gang of cybercriminals, allegedly operating out of China via cloud services in the US.

    Reply
  18. Tomi Engdahl says:

    Threat Alert: z0Miner Is Spreading Quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities
    https://blog.netlab.360.com/threat-alert-z0miner-is-spreading-quickly-by-exploiting-elasticsearch-and-jenkins-vulnerabilities/
    In recent months, with the huge rise of Bitcoin and Monero, various mining botnets have kicked into high gear, and our BotMon system detects dozens of mining botnet attacks pretty much every day. Most of them are old families, some have just changed their wallets or propagation methods, and z0Miner is one of them. z0Miner is a malicious mining family that became active last year and has been publicly analyzed by the Tencent Security Team. z0Miner was initially active when it exploited the Weblogic unauthorized remote command execution vulnerability for propagation.

    Reply
  19. Tomi Engdahl says:

    Remediating Microsoft Exchange Vulnerabilities
    https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities
    On March 2, 2021, Microsoft released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server products. On March 3, after CISA and partners observed active exploitation of vulnerabilities, CISA issued Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities and Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.

    Reply
  20. Tomi Engdahl says:

    SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group
    https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group
    In late 2020, Secureworks® Counter Threat Unit (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.

    Reply
  21. Tomi Engdahl says:

    Chinese spies struck Finland – one common factor in the series of data breaches
    https://www.is.fi/digitoday/tietoturva/art-2000007849827.html
    The consequences in Finland of the worldwide attack on Microsoft Exchange email servers are gradually taking shape. The National Cyber Security Centre (Kyberturvallisuuskeskus), which operates under the Finnish Transport and Communications Agency Traficom, issued a rare red alert about the attack. In its alert, the Centre stressed very bluntly that if an organization has used or is using an Exchange server, the default assumption should be that a breach has very likely occurred.

    Reply
  22. Tomi Engdahl says:

    Teenagers are being courted to become white-hat hackers – campaign launched
    https://www.tivi.fi/uutiset/tv/35f162e5-b47e-41da-90e5-331a72d767e5
    In the Generation Z Hack challenge that has just started, young people are encouraged to join a white-hat challenge campaign in which they can develop hacking skills in a safe environment. The challenge is aimed at hackers aged 13 to 18. Registration does not, however, use strong authentication, so in principle anyone who wants to can take part. Older participants, however, should not hold out hope of receiving rewards.

    Reply
  23. Tomi Engdahl says:

    European Banking Authority restores email service in wake of Microsoft Exchange hack
    https://www.theregister.com/2021/03/09/eba_exchange_breach/
    The European Banking Authority (EBA) has confirmed it is another victim on the list of organisations affected by vulnerabilities in Microsoft Exchange. The EBA hurriedly pulled its email servers offline over the weekend as it realised that it was among the ranks of those hit by flaws in Microsoft Exchange being targeted by miscreants. While worries about personal data held in emails were a factor in the move, by Monday the authority was feeling confident that the data leaks stopped with its email servers and that no additional information extraction had occurred.

    Microsoft Exchange Server Attack Escalation Prompts Patching Panic
    https://www.darkreading.com/attacks-breaches/microsoft-exchange-server-attack-escalation-prompts-patching-panic/d/d-id/1340349
    US government officials weigh in on the attacks and malicious activity, which researchers believe may be the work of multiple groups. The critical Exchange Server vulnerabilities patched last week by Microsoft are being weaponized in widespread attacks against organizations worldwide. Attacks have escalated over the past two weeks, prompting responses from US government and the security community.

    Reply
  24. Tomi Engdahl says:

    A ‘Blockchain Bandit’ Is Guessing Private Keys and Scoring Millions
    The larger lesson of an ongoing Ethereum crime spree: Be careful about who’s generating your cryptocurrency keys.
    https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/

    “You have a thief here that amassed this fortune and then lost it all when the market crashed.”
    – Adrian Bednarek, Independent Security Evaluators

    Reply
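
The 'Blockchain Bandit' story above turns on private keys that were not uniformly random, so an attacker could enumerate them and sweep whatever those keys controlled. The following is an added example, not code from the Wired article or from ISE's research: it implements just enough secp256k1 to show the attacker's side, precomputing public keys for predictable private keys (tiny integers, SHA-256 of common passphrases) and matching them against a constructed set of 'funded' accounts. The Keccak-256 step from public key to Ethereum address is omitted, since the match already works at the public-key level; generate_private_key() shows the correct way to produce a key.

```python
"""Why a weakly generated Ethereum private key is found in minutes.

Added example, not code from the Wired article or ISE's research. A minimal
secp256k1 implementation is used to precompute public keys for predictable
private keys and match them against funded accounts. The "funded" key set
below is constructed; the Keccak-256 address step is left out.
"""
import hashlib
import secrets

# secp256k1 domain parameters (Bitcoin and Ethereum share this curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = identity
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def pubkey(priv):
    """Scalar multiplication priv*G by double-and-add."""
    if not 1 <= priv < N:
        raise ValueError("private key out of range")
    result, addend = None, G
    while priv:
        if priv & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        priv >>= 1
    return result


def weak_key_candidates(limit=256, passphrases=()):
    """The attacker's table: tiny integers and brain-wallet style keys
    (SHA-256 of a memorable string), each mapped from its public key."""
    table = {pubkey(k): ("small-int", k) for k in range(1, limit + 1)}
    for phrase in passphrases:
        k = int.from_bytes(hashlib.sha256(phrase.encode()).digest(), "big") % N
        table[pubkey(k)] = ("passphrase", phrase)
    return table


def find_weak_funded(funded_pubkeys, table):
    """Return the funded accounts whose key appears in the attacker's table."""
    return {pk: table[pk] for pk in funded_pubkeys if pk in table}


def generate_private_key():
    """The correct way: uniformly random in [1, N-1] from the OS CSPRNG."""
    return secrets.randbelow(N - 1) + 1


# Constructed victims: one key is the integer 1, one is sha256("password"),
# one was generated properly and should never appear in the attacker's table.
FUNDED = [
    pubkey(1),
    pubkey(int.from_bytes(hashlib.sha256(b"password").digest(), "big") % N),
    pubkey(generate_private_key()),
]

if __name__ == "__main__":
    table = weak_key_candidates(passphrases=["password", "correct horse battery staple"])
    for pk, how in find_weak_funded(FUNDED, table).items():
        print(f"weak key recovered via {how}: x={pk[0]:064x}")
```

The attacker's cost is one scalar multiplication per candidate, done once, after which every newly funded account is a single dictionary lookup; the defender's only countermeasure is to make sure the key came from a CSPRNG over the full range, which is the article's lesson about who generates your keys.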
  25. Tomi Engdahl says:

    Russia says it’s restricting use of Twitter over failure to remove banned content
    https://www.reuters.com/article/idUSR4N2KN028

    Reply
  26. Tomi Engdahl says:

    OVH Data Center Fire Darkens Popular Sites Worldwide
    Fire at an OVH Data Center in Europe takes down thousands of sites, including WP Rocket and Imagify
    https://www.searchenginejournal.com/ovh-data-center-fire-darkens-thousands-of-sites-worldwide/398485/

    OVH Datacenter in France was engulfed in flames, taking down thousands of sites and businesses including popular plugins WP Rocket and Imagify. A multitude of businesses are tweeting updates to their clients.

    OVH issued a status announcement on their cloud server support page:

    “We are currently facing a major incident in our DataCenter of Strasbourg with a fire declared in the building SBG2.
    Firefighters were immediately on the scene but could not control the fire in SBG2.

    The whole site has been isolated, which impacts all our services on SBG1, SBG2, SBG3 and SBG4. If your production is in Strasbourg, we recommend to activate your Disaster Recovery Plan.”

    Reply
  27. Tomi Engdahl says:

    “Fire is over. Firefighters continue to cool the buildings with the water.
    We don’t have the access to the site. That is why SBG1, SBG3, SBG4 won’t be restarted today.”
    https://www.searchenginejournal.com/ovh-data-center-fire-darkens-thousands-of-sites-worldwide/398485/

    Reply
  28. Tomi Engdahl says:

    Fire destroys OVHCloud’s SBG2 data center in Strasbourg
    SBG1 also badly damaged, SBG3 and SBG4 are safe but won’t restart today
    https://www.datacenterdynamics.com/en/news/fire-destroys-ovhclouds-sbg2-data-center-strasbourg/

    OVHcloud’s SBG2 data center in Strasbourg has been destroyed by a fire which also damaged SBG1. No one was hurt in the fire, but all four data centers on the site will be closed today.

    The fire broke out just after midnight, on Wednesday morning, and took six hours to bring under control, with more than 100 firefighters at the scene. The five-story, 500 sq m SBG2 data center was destroyed, while SBG1 was seriously damaged. SBG3 and SBG4 were protected by the firefighters. The site is currently off-limits on Wednesday morning, and none of the data centers on the site will restart today.

    The fire spread to two other buildings, damaging one other data center on the site. “A part of SBG1 is destroyed.”

    OVHcloud had three staff on site, all of whom are unharmed.

    A Franco-German pump boat, Europa 1, carrying a German crew, helped put out the fire, taking water directly from the Rhine.

    The fire came just two days after OVHcloud announced it is taking the first steps toward an IPO, floating on the Paris stock market according to Reuters.

    Reply
  29. Tomi Engdahl says:

    Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks
    Updated: SolarWinds servers are being exploited to deploy the malicious .NET web shell.
    https://www.zdnet.com/article/supernova-malware-clues-link-chinese-threat-group-spiral-to-solarwinds-hacks/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    Reply
  30. Tomi Engdahl says:

    Warning the World of a Ticking Time Bomb
    https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/
    On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups. Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as Stage 2, when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

    Reply
  31. Tomi Engdahl says:

    Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
    https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
    A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools. Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women's health clinics, psychiatric hospitals and the offices of Verkada itself.

    Reply
  32. Tomi Engdahl says:

    OVH cloud datacenter destroyed by fire
    https://blog.malwarebytes.com/malwarebytes-news/2021/03/ovh-cloud-datacenter-destroyed-by-fire/
    A fire in one of the OVH datacenters has destroyed one datacenter and knocked two others offline. It took 100 firefighters and 43 fire trucks to fight the fire in the five-story building. Even though the fire department was quick to respond, and the fire was brought under control relatively quickly, the impact has been big. In a press statement OVH promised to “communicate as transparently as possible on the progress of our analyses and the implementation of solutions.”
    Also:
    https://www.bleepingcomputer.com/news/technology/ovh-data-center-burns-down-knocking-major-sites-offline/
    https://www.datacenterdynamics.com/en/news/fire-destroys-ovhclouds-sbg2-data-center-strasbourg/

    Reply
  33. Tomi Engdahl says:

    Exchange servers under siege from at least 10 APT groups
    https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
    ESET Research has found LuckyMouse, Tick, Winnti Group, and Calypso, among others, are likely using the recent Microsoft Exchange vulnerabilities to compromise email servers all around the world. On 2021-03-02, Microsoft released out-of-band patches for Microsoft Exchange Server 2013, 2016 and 2019. These security updates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows an attacker to take over any reachable Exchange server, without even knowing any valid account credentials. We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organizations, such as the European Banking Authority, suffered from this attack.

    Reply
  34. Tomi Engdahl says:

    Ryuk ransomware hits 700 Spanish government labor agency offices
    https://www.bleepingcomputer.com/news/security/ryuk-ransomware-hits-700-spanish-government-labor-agency-offices/
    The systems of SEPE, the Spanish government agency for labor, were
    taken down following a ransomware attack that hit more than 700 agency
    offices across Spain. “Currently, work is being done with the
    objective of restoring priority services as soon as possible, among
    which is the portal of the State Public Employment Service and then
    gradually other services to citizens, companies, benefit and
    employment offices,” an announcement on the agency’s website reads.

    Reply
  35. Tomi Engdahl says:

    FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
    https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/fbi-cisa-joint-advisory-compromise-microsoft-exchange-server
    CISA and the Federal Bureau of Investigation (FBI) have released a
    Joint Cybersecurity Advisory (CSA) to address recently disclosed
    vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that
    adversaries could exploit these vulnerabilities to compromise
    networks, steal information, encrypt data for ransom, or even execute
    a destructive attack.

    Reply
  36. Tomi Engdahl says:

    Serious vulnerability in Windows' default browsers, update immediately
    https://www.tivi.fi/uutiset/tv/61267ef1-7e3d-4ec9-ba30-f37f32df14cb
    Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre)
    reports a vulnerability found in the Internet Explorer and Edge
    browsers that can lead to memory corruption. The browsers are the
    default browsers of the Windows operating system. The vulnerability
    allows attackers to execute arbitrary commands on the user's machine
    and obtain confidential information. In its March 2021 update rollup,
    Microsoft released fixes for the Edge and Internet Explorer browsers
    (versions 9 and 11) that correct the vulnerability. Also:
    https://arstechnica.com/gadgets/2021/03/microsoft-patches-critical-0day-that-north-korea-used-to-target-researchers/

    Reply
  37. Tomi Engdahl says:

    Guidance on Remediating Networks Affected by the SolarWinds and Active
    Directory/M365 Compromise
    https://us-cert.cisa.gov/ncas/current-activity/2021/03/09/guidance-remediating-networks-affected-solarwinds-and-active
    Since December 2020, CISA has been responding to a significant
    cybersecurity incident involving an advanced persistent threat (APT)
    actor targeting networks of multiple U.S. government agencies,
    critical infrastructure entities, and private sector organizations.
    The APT actor added malicious code to multiple versions of the
    SolarWinds Orion platform and leveraged it, as well as other
    techniques, for initial access to enterprise networks. After gaining
    persistent, invasive access to select organizations' enterprise
    networks, the APT actor targeted their federated identity solutions
    and their Active Directory/M365 environments.

    Reply
  38. Tomi Engdahl says:

    Cyberattackers Exploiting Critical WordPress Plugin Bug
    https://threatpost.com/cyberattackers-exploiting-critical-wordpress-plugin-bug/164663/
    The security hole in the Plus Addons for Elementor plugin was used in
    active zero-day attacks prior to a patch being issued. The Plus Addons
    for Elementor plugin for WordPress has a critical security
    vulnerability that attackers can exploit to quickly, easily and
    remotely take over a website. First reported as a zero-day bug,
    researchers said it's being actively attacked in the wild. The plugin,
    which has more than 30,000 active installations according to its
    developer, allows site owners to create various user-facing widgets
    for their websites, including user logins and registration forms that
    can be added to an Elementor page. Elementor is a site-building tool
    for WordPress.

    Reply
  39. Tomi Engdahl says:

    Analyzing Attacks Against Microsoft Exchange Server With China Chopper
    Webshells
    https://unit42.paloaltonetworks.com/china-chopper-webshell/
    Microsoft recently released patches for a number of zero-day Microsoft
    Exchange Server vulnerabilities that are actively being exploited in
    the wild by HAFNIUM, a suspected state-sponsored group operating out
    of China. We provide an overview of the China Chopper webshell, a
    backdoor which has been observed being dropped in these attacks. We
    also analyze incidental artifacts, such as metadata, created by the
    attacks themselves, which allow us to collect information and better
    understand the nature and methodology of the attackers.

    Reply
  40. Tomi Engdahl says:

    European Police Pounce After Cracking Crime Chat Network
    https://www.securityweek.com/european-police-pounce-after-cracking-crime-chat-network

    Police said Wednesday they had arrested at least 80 people and carried out hundreds of raids in two European countries after shutting down an encrypted phone network used by organised crime groups.

    Belgian, Dutch and French police said they hacked into the SKY ECC network, allowing them to look “over the shoulders” of suspects as they communicated with customised devices to plot drug deals and murders.

    “During an action day on Tuesday, large numbers as well as numerous house searches and seizures were made in Belgium and the Netherlands,” Europol and its judicial twin agency Eurojust, said in a statement.

    In France, law officials have identified some 2,000 users of SKY ECC “allowing for procedures to be opened relating to large-scale drug operations and attacks on people,” the Paris prosecutor said.

    “The network we are dealing with seems to be almost exclusively used by large-scale criminals.”

    Reply
  41. Tomi Engdahl says:

    Ax Sharma / BleepingComputer:
    Data center operator OVH says a fire destroyed some of its sites in France, affecting cyber threat intelligence company Bad Packets, game maker Rust, and others — In a major unprecedented incident, data centers of OVH located in Strasbourg, France have been destroyed by fire.

    OVH data center burns down knocking major sites offline
    https://www.bleepingcomputer.com/news/technology/ovh-data-center-burns-down-knocking-major-sites-offline/

    In a major unprecedented incident, data centers of OVH located in Strasbourg, France have been destroyed by fire.

    OVH is the largest hosting provider in Europe and the third-largest in the world. The cloud computing company provides VPS, dedicated servers, and other web services.

    Customers are being advised by the company to enact their disaster recovery plans after the fire has rendered multiple data centers unserviceable, impacting websites around the world.

    Fire destroys Strasbourg data centers

    OVH, the world’s third-largest and Europe’s largest hosting provider has been impacted by a disaster.

    Its French data centers, SBG1, SBG2, SBG3, and SBG4 located in Strasbourg were shut down to contain the damage from a fire that started in SBG2.

    Major sites knocked offline, more expected

    As a result of this incident major customers of OVH state their web services are inaccessible.

    The list of impacted clients includes cyber threat intelligence company Bad Packets, provider of free chess server Lichess.org, videogame maker Rust, cryptocurrency exchange Deribit’s blog and docs sites, telecom company AFR-IX, encryption utility VeraCrypt, news outlet eeNews Europe, the art building complex Centre Pompidou, and many others.

    Deribit has clarified to BleepingComputer that the outage only impacted their docs and blog sites and that the exchange was never down.

    Although according to the OVH founder and chairman Octave Klaba, the fire has been contained as of early hours of March 10th, 2021, services are expected to remain unavailable at least for today.

    “Fire is over. Firefighters continue to cool the buildings with the water.”

    “We don’t have the access to the site. That is why SBG1, SBG3, SBG4 won’t be restarted today,” said Klaba.

    Customers should immediately bring into effect their disaster recovery plans as OVH is working on restoring its services.

    Reply
  42. Tomi Engdahl says:

    Bloomberg:
    Three former employees say that 100+ employees at Verkada could view the camera feeds of its thousands of customers via widely used super admin accounts. Former employee said issue was raised with Verkada executives. Hackers gained access to 150,000 customer camera feeds.

    Verkada Workers Had Extensive Access to Private Customer Cameras
    https://www.bloomberg.com/news/articles/2021-03-11/verkada-workers-had-extensive-access-to-private-customer-cameras

    Former employee said issue was raised with Verkada executives
    Hackers gained access to 150,000 customer camera feeds

    More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees aware of the company’s security protocols.

    Verkada was breached on Monday, when hackers gained access to what’s known as a “Super Admin” account that allowed them to see all of the live feeds and archived videos of Verkada’s customers, Bloomberg reported. With access to 150,000 cameras, the hackers were able to see inside Tesla Inc., as well as watch police interviews and witness hospital employees tackling a patient.

    The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” said one former senior-level employee, who asked not to be identified discussing private information.

    Reply
