Cyber security news March 2021

This posting is here to collect cyber security news in March 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

342 Comments

  1. Tomi Engdahl says:

    Judge rules Google has to face lawsuit that claims it tracks users even in Incognito mode
    The plaintiffs allege Google collects personal data even if users put privacy controls in place
    https://www.theverge.com/2021/3/13/22329240/judge-rules-google-5-billion-lawsuit-tracking-chrome-incognito-privacy

  2. Tomi Engdahl says:

    Exchange servers first compromised by Chinese hackers hit with ransomware
    As if Exchange users didn’t already have enough to worry about, they have this.
    https://arstechnica.com/gadgets/2021/03/ransomware-gangs-hijack-7000-exchange-servers-first-hit-by-chinese-hackers/?utm_social-type=owned&utm_source=facebook&utm_brand=ars&utm_medium=social

  3. Tomi Engdahl says:

    How Quickly Are We Patching Microsoft Exchange Servers?
    https://blog.paloaltonetworks.com/2021/03/patching-microsoft-exchange-servers/
    Fifteen years ago, if you accidentally exposed a device on the
    Internet, it might go unnoticed by attackers for months or even years.
    Things are different today – attackers scrutinize your attack surface
    daily. With open source software anyone can download, an attacker can
    communicate with every public-facing IP address in IPv4 space in
    hours. Any unpatched system, misconfiguration or accidental exposure
    is likely to be discovered very quickly. The internet is tiny.

    HAFNIUM, China Chopper and ASP.NET Runtime
    https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/
    The China Chopper server-side ASPX web shell is extremely small and
    typically, the entire thing is just one line. There are multiple
    versions of this web shell for executing code in different languages
    such as ASP, ASPX, PHP, JSP, and CFM. In this blog, we will cover the
    JScript version; however, they all are very similar aside from the
    language used.

  4. Tomi Engdahl says:

    Microsoft Exchange server exploitation: how to detect, mitigate, and
    stay calm
    https://redcanary.com/blog/microsoft-exchange-attacks/
    Red Canary Intel is tracking multiple activity clusters exploiting
    vulnerable Microsoft Exchange servers to drop web shells, including
    one we’ve dubbed “Sapphire Pigeon.”

    A silent catastrophe is under way online: “tens or hundreds of
    Vastaamo-type data breaches”
    https://www.is.fi/digitoday/tietoturva/art-2000007861992.html
    The data breach known as ProxyLogon, which targets Microsoft email
    servers, is extensive, and data is being stolen all the time. Finns’
    ability to respond to the threat varies.

  5. Tomi Engdahl says:

    Telia Inmics-Nebula shut down entrepreneurs’ email accounts; the outage
    has already lasted over 4 days
    https://www.tivi.fi/uutiset/tv/32465f1b-8d6d-47df-a01c-9d943517f284
    An email outage lasting for days can make life uncomfortable. Things
    are uncomfortable right now for some of Telia Inmics-Nebula’s business
    customers.

  6. Tomi Engdahl says:

    Phishing sites now detect virtual machines to bypass detection
    https://www.bleepingcomputer.com/news/security/phishing-sites-now-detect-virtual-machines-to-bypass-detection/
    Phishing sites are now using JavaScript to evade detection by checking
    whether a visitor is browsing the site from a virtual machine or
    headless device.

  7. Tomi Engdahl says:

    Want to improve your security easily? This is the easiest way to set up
    two-factor authentication
    https://www.kauppalehti.fi/uutiset/haluatko-lisata-tietoturvaa-helposti-nain-kaksivaiheinen-tunnistautuminen-tapahtuu-helpoimmin/c7e1ef81-e46a-422d-885b-8bf82f3a9c8b
    Do you know how to keep your data safe online? The security of a user
    account can easily be improved with two-factor authentication. [FOR SUBSCRIBERS]

  8. Tomi Engdahl says:

    Microsoft 365 outage knocks down Teams, Exchange Online
    https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-knocks-down-teams-exchange-online/
    A Microsoft 365 outage is preventing users from logging into Microsoft
    Teams, Exchange Online, Forms, Xbox Live, and Yammer. Based on
    reports from users, this appears to be a worldwide outage.

  9. Tomi Engdahl says:

    Joseph Cox / VICE:
    Hacker paid a company called Sakari $16 to reroute a reporter’s texts and used SMS 2FA to break into his accounts, showing the need for regulation of SMS tools — A gaping flaw in SMS lets hackers take over phone numbers in minutes, by simply paying a company to reroute text messages. — Joseph Cox

    A Hacker Got All My Texts for $16
    A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.
    https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber

  10. Tomi Engdahl says:

    Hackers stole NFTs from Nifty Gateway users
    ‘We have seen no indication of compromise of the Nifty Gateway platform’
    https://www.theverge.com/2021/3/15/22331818/nifty-gateway-hack-steal-nfts-credit-card

    Over the weekend, some users of NFT marketplace Nifty Gateway said hackers stole digital artwork worth thousands of dollars from their accounts. Some people who were hacked also said their credit cards on file were used to purchase additional NFTs, also costing thousands of dollars, which were then transferred away to a hacker’s account.

    Nifty Gateway confirmed in a statement to The Verge that some accounts without two-factor authentication had been hacked and that it has been in touch with those affected, but it said it has not seen evidence that its platform was breached. Nifty Gateway suggests the hackers may have successfully reused login credentials that leaked from other services.

    Over the past few weeks, many NFTs have suddenly become high-value assets; Grimes sold a series of 10 digital artworks for around $6 million, for example, and digital artist Beeple sold an NFT for $69 million at Christie’s. So it’s unfortunately not altogether surprising that NFT platforms have become targets for hackers looking to steal the digital artworks or take credit card information to buy more.

    WHAT’S AN NFT?
    NFTs allow you to buy and sell ownership of unique digital items and keep track of who owns them using the blockchain. NFT stands for “non-fungible token,” and it can technically contain anything digital, including drawings, animated GIFs, songs, or items in video games. An NFT can either be one-of-a-kind, like a real-life painting, or one copy of many, like trading cards, but the blockchain keeps track of who has ownership of the file.

    NFTs have been making headlines lately, some selling for millions of dollars, with high-profile memes like Nyan Cat and the “deal with it” sunglasses being put up for auction. There’s also a lot of discussion about the massive electricity use and environmental impacts of NFTs. If you (understandably) still have questions, you can read through our NFT FAQ.

  11. Tomi Engdahl says:

    One-Click Microsoft Exchange On-Premises Mitigation Tool March 2021
    https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/
    Microsoft has released a new, one-click mitigation tool, Microsoft
    Exchange On-Premises Mitigation Tool to help customers who do not have
    dedicated security or IT teams to apply these security updates. We
    have tested this tool across Exchange Server 2013, 2016, and 2019
    deployments. This new tool is designed as an interim mitigation for
    customers who are unfamiliar with the patch/update process or who have
    not yet applied the on-premises Exchange security update.

    The Microsoft Exchange hacks: How they started and where we are
    https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/
    With patches released and proof-of-concept (PoC) exploit code
    surfacing online, thousands of Microsoft Exchange servers worldwide
    continue to remain vulnerable and the number of attacks is still at a
    worrying level.

  12. Tomi Engdahl says:

    McAfee Defender’s Blog: Operation Dianxun
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-dianxun
    In a recent report the McAfee Advanced Threat Research (ATR) Strategic
    Intelligence team disclosed an espionage campaign, targeting
    telecommunication companies, named Operation Diànxùn. The tactics,
    techniques and procedures (TTPs) used in the attack are like those
    observed in earlier campaigns publicly attributed to the threat actors
    RedDelta and Mustang Panda. Most probably this threat is targeting
    people working in the telecommunications industry and has been used
    for espionage purposes to access sensitive data and to spy on
    companies related to 5G technology.

  13. Tomi Engdahl says:

    New Mirai Variant Targeting Network Security Devices
    https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
    The attacks are still ongoing at the time of this writing. Upon
    successful exploitation, the attackers try to download a malicious
    shell script, which contains further infection behaviors such as
    downloading and executing Mirai variants and brute-forcers.

  14. Tomi Engdahl says:

    Microsoft’s latest cloud authentication outage: What went wrong
    https://www.zdnet.com/article/microsofts-latest-cloud-authentication-outage-what-went-wrong/
    Microsoft is saying a ‘rotation of keys’ that handle authentication
    was to blame for a roughly 14-hour Azure outage that took down Office
    365, Dynamics 365, Xbox Live and other Microsoft services on March
    15. Also: https://status.azure.com/en-us/status/history/

  15. Tomi Engdahl says:

    Top 10 Cloud Malware Threats
    https://www.intezer.com/blog/cloud-security/top-10-cloud-malware-threats/
    For a long time Linux has not been seen as a serious target of threat
    actors. This operating system makes up such a small percentage of the
    desktop market share compared to Windows, it’s no surprise why threat
    actors would focus most of their attention on attacking Windows
    endpoints. Times are quickly changing though as the next major
    battleground moves from traditional on-premise Windows endpoints to
    Linux-based servers and containers in the cloud. For perspective 90%
    of the public cloud runs Linux. Attackers are taking note. Some have
    started to write new malware from scratch exclusively for Linux, while
    others are adapting their existing Windows malware to target Linux.

  16. Tomi Engdahl says:

    Magecart Attackers Save Stolen Credit-Card Data in .JPG File
    https://threatpost.com/magecart-attackers-stolen-data-jpg/164815/
    Magecart attackers have found a new way to hide their nefarious online
    activity by saving data they’ve skimmed from credit cards online in
    a .JPG file on a website they’ve injected with malicious code. “The
    creative use of the fake .JPG allows an attacker to conceal and store
    harvested credit card details for future use without gaining too much
    attention from the website owner,” he wrote.

  17. Tomi Engdahl says:

    Russia Threatens to Block Twitter in a Month
    https://www.securityweek.com/russia-threatens-block-twitter-month

    Russian authorities said Tuesday they would block Twitter in a month if it doesn’t take steps to remove banned content, a move that escalates the Russian government’s drawn-out standoff with social media platforms that have played a major role in amplifying dissent in Russia.

    Russia’s state communications watchdog, Roskomnadzor, last week announced it was slowing down the speed of uploading photos and videos to Twitter over its alleged failure to remove content encouraging suicide among children and information about drugs and child pornography.

    The agency said Twitter has failed to remove more than 3,000 posts with banned content, including more than 2,500 posts encouraging suicide among minors. The platform responded by emphasizing its policy of zero tolerance for child sexual exploitation, promotion of suicide and drug sales.

  18. Tomi Engdahl says:

    Danny Palmer / ZDNet:
    McAfee researchers detail a Chinese cyberespionage campaign targeting at least 23 telcos in the US, Europe, and SE Asia to steal data, including for 5G tech — Cybersecurity researchers at McAfee detail an ongoing cyber espionage campaign which is targeting telecoms companies around the world.

    Hackers are targeting telecoms companies to steal 5G secrets
    https://www.zdnet.com/article/hackers-are-targeting-telecoms-companies-to-steal-5g-secrets/

    Cybersecurity researchers at McAfee detail an ongoing cyber-espionage campaign that is targeting telecoms companies around the world.

  19. Tomi Engdahl says:

    Microsoft’s latest cloud authentication outage: What went wrong
    https://www.zdnet.com/article/microsofts-latest-cloud-authentication-outage-what-went-wrong/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    Microsoft is saying a ‘rotation of keys’ that handle authentication was to blame for a roughly 14-hour Azure outage that took down Office 365, Dynamics 365, Xbox Live and other Microsoft services on March 15.

    Microsoft’s preliminary analysis of the incident, published March 16, indicated that “an error occurred in the rotation of keys used to support Azure AD’s use of OpenID, and other, Identity standard protocols for cryptographic signing operations,” according to the findings published to its Azure Status History page.
    https://status.azure.com/en-us/status/history/

  20. Tomi Engdahl says:

    Microsoft Exchange Server: These quarterly updates include fixes for
    security flaws
    https://www.zdnet.com/article/microsoft-exchange-server-these-quarterly-updates-include-fixes-for-security-flaws/
    Microsoft has released its March 2021 quarterly cumulative updates for
    Exchange Server 2016 and Exchange Server 2019, which include the
    security updates to address critical flaws that are currently under
    attack. Also:
    https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-quarterly-exchange-updates/ba-p/2205283

  21. Tomi Engdahl says:

    PYSA Ransomware Pillages Education Sector, Feds Warn
    https://threatpost.com/pysa-ransomware-education-feds-warn/164832/
    A major spike of attacks against higher ed, K-12 and seminaries in
    March has prompted the FBI to issue a special alert. In a “Flash”
    alert to the cybersecurity community issued on Tuesday, the Feds said
    that PYSA has been seen in attacks on schools in 12 U.S. states and in
    the United Kingdom in March alone.

  22. Tomi Engdahl says:

    Mastermind of 2020’s top celebrity Twitter hack sentenced to 3 years
    https://www.hackread.com/twitter-hack-mastermind-jailed-2020-celebrity-hack/
    Graham Ivan Clark, the mastermind of the high-profile Twitter hack
    leading to the Bitcoin scam on July 15th, 2020 has been sentenced to 3
    years in prison. Clark was arrested on July 31st, 2020 from Tampa,
    Florida when he was 17 and charged with multiple counts of organized
    fraud, communications fraud, fraudulent use of personal information,
    and accessing computer or electronic device without authority.

    US Teen ‘Mastermind’ in Epic Twitter Hack Sentenced to Prison
    https://www.securityweek.com/florida-teen-sentenced-hack-celebrity-twitter-accounts

    A Florida teenager accused of masterminding a Twitter hack of celebrity accounts in a cryptocurrency scheme has been sentenced to three years in juvenile prison in a plea agreement, officials said.

    State prosecutors announced the deal Tuesday in the case of Graham Ivan Clark, 18, described as the mastermind of the July 2020 “Bit-Con” worldwide hack of Twitter accounts of Elon Musk, Bill Gates, Barack Obama, Joe Biden and others.

    Hillsborough County State Attorney Andrew Warren said Clark, who was 17 when he was charged, would serve three years in a juvenile prison followed by three years probation, the maximum allowed under Florida’s Youthful Offender Act.

    If Clark violates his probation, he will face a minimum 10-year sentence in adult prison.

  23. Tomi Engdahl says:

    Mimecast Says SolarWinds Hackers Stole Source Code
    https://www.securityweek.com/mimecast-says-solarwinds-hackers-stole-source-code

    Email security company Mimecast on Tuesday said it completed its forensic investigation into the impact of the SolarWinds supply chain attack, and revealed that the threat actor managed to steal some source code.

    Mimecast was one of the several cybersecurity companies to confirm being targeted by the hackers who breached the systems of IT management solutions provider SolarWinds.

  24. Tomi Engdahl says:

    New Mirai Variant Leverages 10 Vulnerabilities to Hijack IoT Devices
    https://www.securityweek.com/new-mirai-variant-leverages-10-vulnerabilities-hijack-iot-devices

    Over the past month, a variant of the Mirai botnet was observed targeting new security vulnerabilities within hours after they had been disclosed publicly, researchers with Palo Alto Networks reveal.

    Around since 2016, Mirai has had its source code leaked online, which resulted in tens of variants being released over the years, each with its own targeting capabilities.

    What makes the variant tracked by Palo Alto Networks stand out in the crowd is the fact that, within a four-week timeframe, it started exploiting several vulnerabilities that have been disclosed this year.

    On February 23, the Mirai variant was observed targeting CVE-2021-27561 and CVE-2021-27562, two vulnerabilities in the Yealink DM (Device Management) platform that had been disclosed the very same day.

    Impacting Yealink DM version 3.6.0.20 and older, the flaws (pre-auth SSRF and command injection, respectively) exist because user-provided data is not properly filtered and could be exploited to execute arbitrary commands as root, without authentication.

    On March 3, Palo Alto Networks’ security researchers noticed that the same samples were also using an exploit for CVE-2021-22502, a critical (CVSS score of 9.8) remote code execution vulnerability in Micro Focus Operations Bridge Reporter.

    Exploitable without authentication, the security bug exists because a user-supplied string isn’t properly validated when the Token parameter provided to the LogonResource endpoint is handled, allowing an attacker to execute code as root.

    Ten days later, on March 13, the samples also incorporated an exploit targeting CVE-2020-26919, a critical vulnerability (CVSS score 9.8) affecting NETGEAR JGS516PE business-grade gigabit switches. The bug is described as “lack of access control at the function level.”

    In September 2020, Netgear published an advisory for this vulnerability, advising customers to update the firmware on their devices.

    Other vulnerabilities being exploited in these attacks include a SonicWall SSL-VPN bug referred to as VisualDoor, CVE-2020-25506 (D-Link DNS-320 firewall), CVE-2020-26919 (Netgear ProSAFE Plus), and CVE-2019-19356 (Netis WF2419 wireless router). Three other security issues are also being exploited, but they haven’t been identified yet.

  25. Tomi Engdahl says:

    “End of the road. Nothing to do, and no hope of things getting better”?

    “Expert” hackers used 11 zerodays to infect Windows, iOS, and Android users
    The breadth and abundance of exploits for unknown vulnerabilities sets group apart.
    https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/

    A team of advanced hackers exploited no fewer than 11 zeroday vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.

    Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zerodays in February 2020. The hackers’ ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Project Zero and Threat Analysis Group to call the group “highly sophisticated.”

    Not over yet

  26. Tomi Engdahl says:

    Sean Coughlan / BBC:
    London police warn students about using Sci-Hub, calling the self-described “pirate” site for research papers “a threat to their personal information and data” — Police have warned students in the UK against using a website that they say lets users “illegally access” millions of scientific research papers.

    Police warn students to avoid science website
    https://www.bbc.com/news/education-56462390

    Police have warned students in the UK against using a website that they say lets users “illegally access” millions of scientific research papers.

    The City of London police’s Intellectual Property Crime Unit says using the Sci-Hub website could “pose a threat” to students’ personal data.

    The police are concerned that users of the “Russia-based website” could have information taken and misused online.

    The Sci-Hub website says it “removes all barriers” to science.

    It offers open access to more than 85 million scientific papers and claims that copyright laws should be abolished and that such material should be “knowledge to all”.

    It describes itself as “the first pirate website in the world to provide mass and public access to tens of millions of research papers”.

    University ‘threat’

    But Max Bruce, the City of London police’s cyber protection officer, has urged universities to block the website on their networks because of the “threat posed by Sci-Hub to both the university and its students”.

    “If you’re tricked into revealing your log-in credentials, whether it’s through the use of fake emails or malware, we know that Sci-Hub will then use those details to compromise your university’s computer network in order to steal research papers,” he said.

    The City of London Police, which is the national lead for fraud, has warned that students studying online at home might be vulnerable.

    ‘Access to research’

    The police warning says scientific papers could have been obtained by a “variety of malicious means, such as the use of phishing emails to trick university staff and students into divulging their login credentials”.

    But the Sci-Hub website has previously told the BBC that it provides students with access to research papers for which the subscriptions are “very expensive”.

  27. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    Verkada security camera hacker has been charged in the US for hacking into 100+ of the world’s biggest companies since 2019 and leaking proprietary data online
    More: U.S. Department of Justice, The Verge, Forbes, HackRead, Dark Reading, infosecurity-magazine.com, PCMag, Gizmodo, New York Post, San Francisco Business Journal, The Hacker News, and Silicon Republic

    Verkada hacker charged in the US for hacking more than 100 companies
    https://therecord.media/verkada-hacker-charged-in-the-us-for-hacking-more-than-100-companies/

    The US Department of Justice has charged today a Swiss national for hacking into more than 100 companies and leaking proprietary data online on their personal website.

    The hacker, Till (more commonly known as Tillie) Kottmann, 21, of Lucerne, Switzerland, is also the individual who breached cloud-based surveillance firm Verkada earlier this month and leaked security camera footage from some of its customers, including streams from companies like Tesla, Cloudflare, Okta, but also jails, schools, and hospitals.

    But according to court documents published by the DOJ today, the charges predate Kottmann’s Verkada hack and pertain to the Swiss hacktivist’s activity dating back to 2019, when they began scouring the internet for misconfigured source code repositories owned by major corporations and government organizations.

  28. Tomi Engdahl says:

    U.S. charges 21-year-old Swiss “hacktivist” for security-camera theft and leaks
    https://www.cbsnews.com/news/till-kottmann-verkada-hack-charged-identity-theft-computer-intrusion/

    The Justice Department has charged a Swiss hacker with computer intrusion and identity theft, just over a week after the hacker took credit for helping to break into the online systems of a U.S. security-camera startup. An indictment against 21-year-old Till Kottmann was brought Thursday by a grand jury in the Seattle-based Western District of Washington.

  29. Tomi Engdahl says:

    Catalin Cimpanu / The Record:
    REvil ransomware gang says it had breached Acer, sharing leaked images of internal docs on the dark web, and is demanding $50M; Acer says it is investigating — Taiwanese computer maker Acer has suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang …

    Ransomware gang demands $50 million from computer maker Acer
    https://therecord.media/ransomware-gang-demands-50-million-from-computer-maker-acer/

    Taiwanese computer maker Acer has suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang, which is now demanding a whopping $50 million ransom payment to decrypt the company’s computers and not leak its data on the dark web.

    The attack has not disrupted production systems but only hit the company’s back-office network. The security breach was not deemed disruptive enough to prevent or delay the computer maker from announcing its Q4 2020 financial results on Wednesday.

    Acer spokespersons have played down the incident when reached for comment and have avoided confirming it as a ransomware incident.

    Here the ransom demand was clearly visible, a whopping $50 million payment request, which represents the highest ransom demand ever requested by a ransomware group.

    Acer is the sixth-largest personal computer maker in the world, with a market share of roughly 6% of all global sales. The company reported a total revenue of roughly $3 billion in Q4 2020, hence the record-breaking ransom demand.

  30. Tomi Engdahl says:

    “Expert” hackers used 11 0-days to infect Windows, iOS, and Android
    users
    https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/
    A team of advanced hackers exploited no fewer than 11 zero-day
    vulnerabilities in a nine-month campaign that used compromised
    websites to infect fully patched devices running Windows, iOS, and
    Android, a Google researcher said. Also:
    https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html

  31. Tomi Engdahl says:

    REvil ransomware says they hit Acer, Acer reports “abnormal
    situations”
    https://www.bleepingcomputer.com/news/security/revil-ransomware-says-they-hit-acer-acer-reports-abnormal-situations/
    The REvil ransomware operation claims to have stolen unencrypted data
    after hacking electronics and computer giant Acer.

  32. Tomi Engdahl says:

    Russian pleads guilty to Tesla hacking and extortion attempt
    https://www.bleepingcomputer.com/news/security/russian-pleads-guilty-to-tesla-hacking-and-extortion-attempt/
    Russian national Egor Igorevich Kriuchkov has pleaded guilty to
    recruiting a Tesla employee to plant malware designed to steal data
    within the network of Tesla’s Nevada Gigafactory.

  33. Tomi Engdahl says:

    Mysterious bug is deleting Microsoft Teams, SharePoint files
    https://www.bleepingcomputer.com/news/microsoft/mysterious-bug-is-deleting-microsoft-teams-sharepoint-files/
    Microsoft SharePoint and Microsoft Teams users report files are
    missing or moved to the Recycle Bin after the recent Azure Active
    Directory outage this week.

  34. Tomi Engdahl says:

    CISA releases new SolarWinds malicious activity detection tool
    https://www.bleepingcomputer.com/news/security/cisa-releases-new-solarwinds-malicious-activity-detection-tool/
    The Cybersecurity and Infrastructure Security Agency (CISA) has
    released a new tool to detect post-compromise malicious activity
    associated with the SolarWinds hackers in on-premises enterprise
    environments. CISA Hunt and Incident Response Program (CHIRP), the new
    forensics collection tool, is a Python-based tool that helps detect
    SolarWinds malicious activity IOCs on Windows operating systems. Also:
    https://www.zdnet.com/article/burnt-by-solarwinds-attack-us-releases-tool-for-post-compromise-detection/
    Also:
    https://us-cert.cisa.gov/ncas/current-activity/2021/03/18/using-chirp-detect-post-compromise-threat-activity-premises

  35. Tomi Engdahl says:

    Statement on Microsoft Exchange vulnerabilities
    https://www.enisa.europa.eu/news/enisa-news/statement-on-microsoft-exchange-vulnerabilities
    The EU Agency for Cybersecurity (ENISA) has provided a statement with
    an assessment and advice on Microsoft Exchange vulnerabilities.

    Microsoft Defender Antivirus now automatically mitigates Exchange
    Server vulnerabilities
    https://www.zdnet.com/article/microsoft-defender-antivirus-now-patches-exchange-server-vulnerabilities/
    Mitigation fixes will be applied automatically in a renewed effort by
    Microsoft to contain security incidents caused by the bugs.

  36. Tomi Engdahl says:

    Bitcoin extortion messages continue
    https://poliisi.fi/-/bitcoin-kiristysviestit-jatkuvat
    The Häme Police Department has again received reports of dozens of
    extortion messages sent to private individuals, demanding that the
    recipient pay 1450 euros’ worth of Bitcoin into the extortionist’s
    wallet, or else sensitive information about them will be spread. Also:
    https://www.is.fi/digitoday/tietoturva/art-2000007869545.html

  37. Tomi Engdahl says:

    Microsoft Releases Exchange On-premises Mitigation Tool
    https://us-cert.cisa.gov/ncas/current-activity/2021/03/16/microsoft-releases-exchange-premises-mitigation-tool
    Microsoft has released the Exchange On-premises Mitigation Tool
    (EOMT.ps1) that can automate portions of both the detection and
    patching process. Microsoft stated the following along with the
    release: “[the tool is intended] to help customers who do not have
    dedicated security or IT teams to apply these security updates.”

  38. Tomi Engdahl says:

    Polish State Websites Hacked and Used to Spread False Info
    https://www.securityweek.com/polish-state-websites-hacked-and-used-spread-false-info
    Two Polish government websites were hacked Wednesday and used briefly
    to spread false information about a non-existent radioactive threat,
    in what a Polish government official said had the hallmarks of a
    Russian cyberattack.

  39. Tomi Engdahl says:

    ~4,300 publicly reachable servers are posing a new DDoS hazard to the
    Internet
    https://arstechnica.com/gadgets/2021/03/mainstream-ddosers-are-abusing-d-tls-servers-to-up-the-potency-of-attacks/
    DDoS-for-hire services adopt new technique that amplifies attacks 37
    fold. DDoS mitigation provider Netscout said on Wednesday that it has
    observed DDoS-for-hire services adopting a new amplification vector.
    The vector is the Datagram Transport Layer Security, or D/TLS, which
    (as its name suggests) is essentially the Transport Layer Security for
    UDP data packets. The biggest D/TLS-based attacks Netscout has
    observed delivered about 45Gbps of traffic. The people responsible for
    the attack combined it with other amplification vectors to achieve a
    combined size of about 207Gbps.

    Reply
  40. Tomi Engdahl says:

    Flaws in Two Popular WordPress Plugins Affect Over 7 Million Websites
    https://thehackernews.com/2021/03/flaws-in-two-popular-wordpress-plugins.html
    Researchers have disclosed vulnerabilities in multiple WordPress
    plugins that, if successfully exploited, could allow an attacker to
    run arbitrary code and take over a website in certain scenarios. The
    flaws were uncovered in Elementor, a website builder plugin used on
    more than seven million sites, and WP Super Cache, a tool used to
    serve cached pages of a WordPress site.

    Reply
  41. Tomi Engdahl says:

    Hackers are exploiting a server vulnerability with a severity of 9.8
    out of 10
    https://arstechnica.com/gadgets/2021/03/to-security-pros-dread-another-critical-server-vulnerability-is-under-exploit/
    As if the mass-exploitation of Exchange servers wasn’t enough, now
    there’s BIG-IP. Last week, F5 disclosed and patched critical BIG-IP
    vulnerabilities that allow hackers to gain complete control of a
    server. Despite a severity rating of 9.8 out of 10, the security flaws
    got overshadowed by a different set of critical vulnerabilities
    Microsoft disclosed and patched in Exchange server a week earlier.
    Also:
    https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html

    Reply
  42. Tomi Engdahl says:

    The Week in Ransomware – March 19th 2021 – Highest ransom ever!
    https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-19th-2021-highest-ransom-ever/
    While the beginning of this week was fairly quiet, it definitely ended
    with a bang as news came out of the largest ransom demand yet.

    Reply
  43. Tomi Engdahl says:

    Finland IDs Hackers Linked to Parliament Spying Attack
    https://www.securityweek.com/finland-ids-hackers-linked-parliament-spying-attack

    Finland’s domestic security agency said Thursday that the cybergroup APT31, which is generally linked to the Chinese government, was likely behind a cyberspying attack on the information systems of the Nordic country’s parliament.

    The Finnish Security and Intelligence Service, known by the abbreviation Supo, said it had “identified a cyber espionage operation targeted in 2020 against parliament with the aim of intruding into parliament’s IT systems.”

    The agency added that “according to Supo intelligence, APT31 was responsible for the attack”. It didn’t mention China by name or the group’s alleged links to the government in Beijing. The statement was also posted in English on the agency’s Twitter site.

    Finland’s National Bureau of Investigation, NBI, said late December that it had started an investigation into suspected gross hacking and espionage attacks on the information systems of Eduskunta, the Finnish legislature. Among other things, some lawmakers’ email accounts were compromised.

    Parliament has since upgraded the systems’ security features.

    Reply
  44. Tomi Engdahl says:

    DDoS booters now abuse DTLS servers to amplify attacks
    https://www.bleepingcomputer.com/news/security/ddos-booters-now-abuse-dtls-servers-to-amplify-attacks/
    DDoS-for-hire services are now actively abusing misconfigured or
    out-of-date Datagram Transport Layer Security (D/TLS) servers to
    amplify Distributed Denial of Service (DDoS) attacks.

    Reply
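    The two D/TLS items above (the Netscout report in comment 39 and the booter abuse in comment 44) both describe the same reflection pattern: small spoofed datagrams to UDP/443 DTLS servers, large replies to the victim. Below is an added, defender-side example of how a SOC could spot that pattern in flow records; it is not code from either article or from Netscout. The flow records, IP addresses, the choice of UDP/443 as the DTLS port and the thresholds are all constructed assumptions for the sample.

```python
"""Flag likely D/TLS reflection/amplification traffic in NetFlow-style records.

Added example, not from the linked articles. Aggregates UDP flows per
apparent client and reports clients that receive large DTLS responses
from several distinct servers ("reflectors") relative to what they sent.
Port, thresholds and sample data are assumptions for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

DTLS_PORT = 443           # assumed DTLS service port for this sample
MIN_REFLECTORS = 3        # distinct servers replying to one client before we care
MIN_AMPLIFICATION = 10.0  # response_bytes / request_bytes ratio to flag


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


# Constructed sample: one benign DTLS session and one reflected flood
# toward 203.0.113.10 bounced off three DTLS servers.
SAMPLE_FLOWS = [
    # benign client handshake and the server's reply
    Flow("198.51.100.5", 50123, "192.0.2.1", 443, "udp", 600, 3),
    Flow("192.0.2.1", 443, "198.51.100.5", 50123, "udp", 3200, 4),
    # reflected flood: tiny spoofed "requests" bearing the victim's address,
    # followed by much larger replies from each server to the victim
    Flow("203.0.113.10", 40000, "192.0.2.1", 443, "udp", 100, 1),
    Flow("192.0.2.1", 443, "203.0.113.10", 40000, "udp", 3700, 3),
    Flow("203.0.113.10", 40000, "192.0.2.2", 443, "udp", 100, 1),
    Flow("192.0.2.2", 443, "203.0.113.10", 40000, "udp", 3700, 3),
    Flow("203.0.113.10", 40000, "192.0.2.3", 443, "udp", 100, 1),
    Flow("192.0.2.3", 443, "203.0.113.10", 40000, "udp", 3700, 3),
]


def find_amplified_targets(flows, port=DTLS_PORT,
                           min_reflectors=MIN_REFLECTORS,
                           min_amp=MIN_AMPLIFICATION):
    """Return {client_ip: {reflectors, amplification, response_bytes}} for
    clients whose DTLS traffic looks reflected and amplified."""
    req = defaultdict(int)   # (client, server) -> bytes client sent to server
    resp = defaultdict(int)  # (client, server) -> bytes server sent to client
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port == port:
            req[(f.src_ip, f.dst_ip)] += f.nbytes
        elif f.src_port == port:
            resp[(f.dst_ip, f.src_ip)] += f.nbytes

    per_client = defaultdict(lambda: {"reflectors": set(),
                                      "request_bytes": 0,
                                      "response_bytes": 0})
    for (client, server), rbytes in resp.items():
        t = per_client[client]
        t["reflectors"].add(server)
        t["response_bytes"] += rbytes
        t["request_bytes"] += req.get((client, server), 0)

    findings = {}
    for client, t in per_client.items():
        # A collector at the victim's edge may never see the spoofed requests,
        # so zero request bytes is treated as unbounded amplification.
        amp = (t["response_bytes"] / t["request_bytes"]
               if t["request_bytes"] else float("inf"))
        if len(t["reflectors"]) >= min_reflectors and amp >= min_amp:
            findings[client] = {"reflectors": len(t["reflectors"]),
                                "amplification": round(amp, 1),
                                "response_bytes": t["response_bytes"]}
    return findings


if __name__ == "__main__":
    for victim, info in find_amplified_targets(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['reflectors']} reflectors, "
              f"{info['amplification']}x amplification, "
              f"{info['response_bytes']} response bytes")
```

    On the constructed sample the benign client is left alone (one server, roughly 5x) while 203.0.113.10 is reported with three reflectors at 37x, the figure the Netscout report quotes. In practice the same aggregation runs over a time window of real flow exports, and a hit is a cue to rate-limit UDP/443 toward the target and to notify the owners of the reflecting servers so they can update or restrict their DTLS endpoints.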
  45. Tomi Engdahl says:

    “Hack everybody you can”: What to know about the massive Microsoft Exchange breach
    https://www.cbsnews.com/news/microsoft-exchange-server-hack-what-to-know/

    Reply
  46. Tomi Engdahl says:

    Cybersecurity researchers on Sunday disclosed multiple critical
    vulnerabilities in remote student monitoring software Netop Vision Pro
    that a malicious attacker could abuse to execute arbitrary code and
    take over Windows computers.
    https://thehackernews.com/2021/03/popular-netops-remote-learning-software.html
    “These findings allow for elevation of privileges and ultimately
    remote code execution which could be used by a malicious attacker
    within the same network to gain full control over students’ computers,”
    the McAfee Labs Advanced Threat Research team said in an analysis.
    Also:
    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/netop-vision-pro-distance-learning-software-is-20-20-in-hindsight/

    Reply
  47. Tomi Engdahl says:

    Energy giant Shell discloses data breach after Accellion hack
    https://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/
    Energy giant Shell has disclosed a data breach after attackers
    compromised the company’s secure file-sharing system powered by
    Accellion’s File Transfer Appliance (FTA).

    Reply
