Cyber security news April 2021

This posting is here to collect cyber security news in April 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

260 Comments

  1. Tomi Engdahl says:

    Katie Canales / Insider:
    Report: hackers scraped data of 500M LinkedIn users and posted it for sale online; LinkedIn confirms the dataset includes publicly viewable info from its site — – Personal data from 500 million LinkedIn users has been scraped and is reportedly for sale on a hacking forum.

    Hackers scraped data from 500 million LinkedIn users — about two-thirds of the platform’s userbase — and have posted it for sale online
    https://www.businessinsider.com/linkedin-data-scraped-500-million-users-for-sale-online-2021-4?op=1&scrolla=5eb6d68b7fedc32c19ef33b4&r=US&IR=T

    Reply
  2. Tomi Engdahl says:

    There’s Another Facebook Phone Number Database Online
    https://www.vice.com/en/article/qj8dj5/facebook-phone-number-data-breach-telegram-bot

    Analysis by Motherboard and a security researcher indicate the database is separate from the recently reported cache of 500 million accounts.

    An online tool lets customers pay to unmask the phone numbers of Facebook users that liked a specific Page, and the underlying dataset appears to be separate from the 500 million account database that made headlines this week, signifying another data breach or large scale scraping of Facebook users’ data, Motherboard has found.

    Reply
  3. Tomi Engdahl says:

    In #LinkedIn’s case, the data is way more personal and sensitive than it was in #Facebook’s case last week.

    2 scraped LinkedIn databases with 500m and 827m records sold online
    https://www.hackread.com/linkedin-scraped-databases-sold-online/

    Although, none of the databases contain LinkedIn users’ passwords; the data in the records is enough for cybercriminals to carry out a number of attacks including SIM Swapping, identity scams, phishing, and SMSishing, etc.

    Just last week, a hacker leaked over 533 million Facebook users’ data that was collected from the social media giant using the web data scraping technique. Now, two different threat actors are selling LinkedIn data compiled as a result of data scraping as well.

    It is worth noting that both databases are being sold on the same hacker forum. One of the sellers is offering 7 LinkedIn databases which, when merged together, makes 827 million users’ records. The price for all databases together is

    the database with 827 million records includes the following:

    Job title
    Full names
    Company name
    Company website
    Email addresses
    LinkedIn profile links
    Job start date
    City
    State
    Country
    Zipcode
    Addresses
    Fax numbers
    Phone numbers
    Number of connections

    Second LinkedIn database
    According to a sample dataset shared by CyberNews, the LinkedIn profile owners’ data leaked in this data breach includes:

    Usernames
    Full names
    Account IDs
    Email addresses
    Gender details
    Phone numbers
    Workplace information
    Social media account links.

    Reply
  4. Tomi Engdahl says:

    Texas Man Tried to Blow Up the Internet
    Federal Investigators allege that a Texas man wanted to use C-4 to blow up around 70% of the internet.
    https://www.vice.com/en/article/93y9q3/texas-man-tried-to-blow-up-the-internet?utm_source=vicenewsfacebook

    FBI agents in Texas have arrested Seth Aaron Pendley for an alleged plot to blow up an Amazon data center in Virginia with the goal of taking down the internet.

    “Mr. Pendley allegedly told the undercover he planned to attack web servers that he believed provided services to the FBI, CIA, and other federal agencies,” the DOJ said in a press release. “He said he hoped to bring down ‘the oligarchy’ currently in power in the United States.”

    Pendley’s plan, if it had worked, would not have knocked out around 70% of the internet. “The AWS data places are almost all centrally located,” he said, according to the criminal complaint against him. “They are fucking MASSIVE. I haven’t got all the details worked out.”

    An Illustrated Field Guide To Urban Internet Infrastructure, told VICE in 2019. “Whether it actually destroyed or erased any information seems pretty unlikely because there are enough data centers—and data is distributed enough and backed up enough—that in theory that probably would not be a major concern.”

    Reply
  5. Tomi Engdahl says:

    There’s Another Facebook Phone Number Database Online
    Analysis by Motherboard and a security researcher indicate the database is separate from the recently reported cache of 500 million accounts.
    https://www.vice.com/en/article/qj8dj5/facebook-phone-number-data-breach-telegram-bot

    Reply
  6. Tomi Engdahl says:

    Cisco has stated that it does not plan to patch three different small business router models and one VPN firewall device, despite critical vulnerabilities found in each. The SOHO router models contain a bug that is rated 9.8/10 in severity, and could allow unauthenticated remote users to attack targeted equipment and gain elevated privileges. The three Cisco router models have allegedly reached end of life and will not be fixed, according to a recent statement made by Cisco.
    https://www.oodaloop.com/briefs/2021/04/09/zero-day-bug-impacts-problem-plagued-cisco-soho-routers/

    Reply
  7. Tomi Engdahl says:

    2 scraped LinkedIn databases with 500m and 827m records sold online
    https://www.hackread.com/linkedin-scraped-databases-sold-online/

    Reply
  8. Tomi Engdahl says:

    Here’s how to tell if your Facebook account was one of the half billion that were breached
    https://6abc.com/facebook-breach-2021-check-data-leak-have-i-been-pwned/10495474/

    Reply
  9. Tomi Engdahl says:

    Texas Man Tried to Blow Up the Internet
    Federal Investigators allege that a Texas man wanted to use C-4 to blow up around 70% of the internet.
    https://www.vice.com/en/article/93y9q3/texas-man-tried-to-blow-up-the-internet

    Reply
  10. Tomi Engdahl says:

    Clubhouse data leak: 1.3 million user records leaked online for free
    https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free-online/

    So far, it seems like it’s been the worst week of the year for social media platforms in terms of data leaks, with Clubhouse seemingly joining the fray.

    Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million Clubhouse user records leaked for free on a popular hacker forum.

    https://cybernews.com/personal-data-leak-check/

    Reply
  11. Tomi Engdahl says:

    A nuclear facility in Iran was hit by a “terrorist act” a day after it unveiled new advanced uranium centrifuges, a top nuclear official says. He did not say who was to blame but urged the international community to deal with nuclear terrorism. Israeli media suggest the incident was a result of an Israeli cyber attack. Last year, a fire broke out at the Natanz underground facility, which the authorities alleged was the result of cyber sabotage.

    The latest incident comes as diplomatic efforts to revive a 2015 nuclear deal – abandoned by the US under the Trump administration in 2018 – have resumed.

    On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site, which is key to the country’s uranium enrichment programme, in a ceremony broadcast live on television.

    Iran nuclear: ‘Terrorist act’ at underground Natanz facility
    https://www.bbc.com/news/world-middle-east-56708778

    A nuclear facility in Iran was hit by a “terrorist act” a day after it unveiled new advanced uranium centrifuges, a top nuclear official says.

    Israeli media suggest the incident was a result of an Israeli cyber attack.

    Last year, a fire broke out at the Natanz underground facility, which the authorities alleged was the result of cyber sabotage.

    Mr Kamalvandi did not provide further details but told Iran’s Fars news agency there there had been “no casualties or leaks”.

    Later state TV read out a statement by AEOI head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism”.

    Reply
  12. Tomi Engdahl says:

    Ellen Nakashima / Washington Post:
    Sources: Biden admin to announce the nominations of ex-NSA deputy director Chris Inglis as first national cyber director and Jen Easterly as CISA head on Monday — The Biden administration plans on Monday to name a former senior National Security Agency official as the first national cyber director …
    Biden administration plans to name former senior NSA officials to White House cyber position and head of CISA
    https://www.washingtonpost.com/national-security/former-senior-nsa-officials-named-to-white-house-cyber-position-and-head-of-dhs-cyber-agency/2021/04/11/b9d408cc-9b2d-11eb-8005-bffc3a39f6d3_story.html

    The Biden administration plans on Monday to name a former senior National Security Agency official as the first national cyber director and another former NSA official to head the Department of Homeland Security’s cybersecurity agency.

    The nomination of former NSA deputy director John C. “Chris” Inglis ends months of speculation about whom the Biden administration would appoint to the White House position, and comes after bipartisan pressure from lawmakers to fill the job they created in legislation that passed in December.

    The administration also plans to nominate Jen Easterly, a former NSA intelligence officer who helped stand up U.S. Cyber Command more than a decade ago, to head the Cybersecurity and Infrastructure Security Agency

    Both nominees, who are highly regarded in cyber policy circles, are expected to face smooth confirmations.

    The moves come as the administration is grappling with the response to two major cyber events — one a Russian cyberespionage campaign known as SolarWinds that compromised nine federal agencies and about 100 private companies, and the other a Chinese hack of Microsoft Exchange servers that hit the private sector.

    Reply
  13. Tomi Engdahl says:

    CISA Releases Tool to Detect Microsoft 365 Compromise
    https://www.securityweek.com/cisa-releases-tool-detect-microsoft-365-compromise

    The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments.

    Dubbed Aviary, the new tool is a dashboard that makes it easy to visualize and analyze output from Sparrow, the compromise detection tool that was released in December 2020.

    Built by CISA to help with the detection of malicious activity related to SolarWinds compromise, Sparrow can be used by network defenders to hunt for potential malicious activity within Microsoft Azure Active Directory (AD), Microsoft 365 (M365), and Office 365 (O365) environments.

    Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments.
    https://github.com/cisagov/sparrow/releases

    Reply
  14. Tomi Engdahl says:

    Iran Calls Natanz Atomic Site Blackout ‘Nuclear Terrorism’
    https://www.securityweek.com/iran-calls-natanz-atomic-site-blackout-nuclear-terrorism

    Iran on Sunday described a blackout at its underground Natanz atomic facility an act of “nuclear terrorism,” raising regional tensions as world powers and Tehran continue to negotiate over its tattered nuclear deal.

    While there was no immediate claim of responsibility, suspicion fell immediately on Israel, where its media nearly uniformly reported a devastating cyberattack orchestrated by the country caused the blackout.

    If Israel was responsible, it further heightens tensions between the two nations, already engaged in a shadow conflict across the wider Middle East.

    Details remained few about what happened early Sunday morning at the facility, which initially was described as a blackout caused by the electrical grid feeding its above-ground workshops and underground enrichment halls.

    Ali Akbar Salehi, the American-educated head of the Atomic Energy Organization of Iran, who once served as the country’s foreign minister, offered what appeared to be the harshest comments of his long career, which included the assassination of nuclear scientists a decade ago. Iran blames Israel for those killings as well.

    He pledged to “seriously improve” his nation’s nuclear technology while working to lift international sanctions.

    The IAEA, the United Nations’ body that monitors Tehran’s atomic program, earlier said it was aware of media reports about the incident at Natanz and had spoken with Iranian officials about it. The agency did not elaborate.

    However, Natanz has been targeted by sabotage in the past. The Stuxnet computer virus, discovered in 2010 and widely believed to be a joint U.S.-Israeli creation, once disrupted and destroyed Iranian centrifuges at Natanz amid an earlier period of Western fears about Tehran’s program.

    Natanz suffered a mysterious explosion at its advanced centrifuge assembly plant in July that authorities later described as sabotage. Iran now is rebuilding that facility deep inside a nearby mountain

    “It’s hard for me to believe it’s a coincidence,” Yoel Guzansky, a senior fellow at Tel Aviv’s Institute for National Security Studies, said of Sunday’s blackout. “If it’s not a coincidence, and that’s a big if, someone is trying to send a message that ‘we can limit Iran’s advance and we have red lines.’”

    It also sends a message that Iran’s most sensitive nuclear site is “penetrable,” he added.

    Reply
  15. Tomi Engdahl says:

    Kyle Wiggers / VentureBeat:
    Nvidia announces Morpheus, an AI-powered cloud-native app framework to help cybersecurity providers detect and prevent breaches in real-time, now in preview

    Nvidia announces Morpheus, an AI-powered app framework for cybersecurity
    https://venturebeat.com/2021/04/12/nvidia-announces-morpheus-an-ai-powered-app-framework-for-cybersecurity/

    During its GTC 2021 virtual keynote this morning, Nvidia announced Morpheus, a “cloud-native” app framework aimed at providing cybersecurity partners with AI skills that can be used to detect and mitigate cybersecurity attacks. Using machine learning, Morpheus identifies, captures, and acts on threats and anomalies, including leaks of sensitive data, phishing attempts, and malware.

    Morpheus is available in preview from today, and developers can apply for early access on Nvidia’s landing page.

    Reflecting the pace of adoption, the AI in cybersecurity market will reach $38.2 billion in value by 2026, Markets and Markets projects. That’s up from $8.8 billion in 2019, representing a compound annual growth rate of around 23.3%. Just last week, a study from MIT Technology Review Insights and Darktrace found that 96% of execs at large enterprises are considering adopting “defensive AI” against cyberattacks.

    Reply
  16. Tomi Engdahl says:

    Clubhouse data leak: 1.3 million scraped user records leaked online for free
    https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free-online/

    So far, it seems like it’s been the worst week of the year for social media platforms in terms of data leaks, with Clubhouse seemingly joining the fray.

    Reply
  17. Tomi Engdahl says:

    Combined with the recent leak of half a billion phone numbers of FB users, this should be fun.

    “A nasty new surprise for WhatsApp’s 2 billion users today, with the discovery of an alarming security risk. Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in. Even two-factor authentication will not stop this. Here’s how the attack works…”

    Sudden New Warning Will Surprise Millions Of WhatsApp Users
    https://www.forbes.com/sites/zakdoffman/2021/04/10/shock-new-warning-for-millions-of-whatsapp-users-on-apple-iphone-and-google-android-phones/?sh=626604417585

    This shouldn’t happen. It shouldn’t be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right.

    “This is yet another worrying hack,” warns ESET’s Jake Moore, “one that could impact millions of users who could potentially be targeted with this attack. With so many people relying on WhatsApp as their primary communication tool for social and work purposes, it is alarming at what ease this can occur.”

    Now, let’s start with the first weakness. Anyone can install WhatsApp on a phone and enter your number on the verification screen. You will then receive texts and calls from WhatsApp with the six-digit code. You will also see a WhatsApp app notification, telling you that a code has been requested, warning you not to share it.

    So, to be very clear. WhatsApp has received an email referencing your phone number. They have no way of knowing whether this is really from you. There are no follow-up questions to confirm your ownership of the number. But an automated process has been triggered, without your knowledge, and your account will now be deactivated.

    An hour or so later, and suddenly WhatsApp stops working on your phone and you see an alarming notification: “Your phone number is no longer registered with WhatsApp on this phone,” it says. “This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log back into your account.” This deactivation appears to be automated, using keywords to trigger actions.

    Clearly, the combination of this verification architecture, the SMS/code limits and the automated, keyword-based actions triggered by incoming emails is open to abuse. There is no sophistication to this attack—that’s the real issue here and WhatsApp should address it immediately. There are many reasons why it might be advantageous to block someone from their go-to messenger. It shouldn’t be this easy. And this should not work when 2FA is enabled, as was the case on this “victim’s” app.

    According to Moore, this vulnerability has flagged another serious WhatsApp issue. “There is no way of opting out of being discovered on WhatsApp,” he warns. “Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy focused would help protect users from this, as well as forcing people to implement a two-step verification PIN.”

    Reply
  18. Tomi Engdahl says:

    Sudden New Warning Will Surprise Millions Of WhatsApp Users
    https://archive.ph/KjCb2

    Reply
  19. Tomi Engdahl says:

    The bomb dot com

    FBI arrest Texas man for attempting to blow up ‘the internet’ with C-4
    By Katie Wickens 12 hours ago
    https://www.pcgamer.com/man-tries-to-blow-up-internet/

    He believed the single data center he was targeting contained “about 70 percent of the internet.”

    Seth Aaron Pendley of Texas appeared in court this weekend after being apprehended by the FBI for conspiring to blow up the internet. *Checks notes* no, that is what it says. The idea was to take down an Amazon Web Services (AWS) data centre in order to free the USA from “the oligarchy” that he believes to be currently controlling his beloved country.

    Reply
  20. Tomi Engdahl says:

    Israel appears to confirm it carried out cyberattack on Iran nuclear
    facility
    https://www.theguardian.com/world/2021/apr/11/israel-appears-confirm-cyberattack-iran-nuclear-facility
    Israel appeared to confirm claims that it was behind a cyber-attack on
    Irans main nuclear facility on Sunday, which Tehrans nuclear energy
    chief described as an act of terrorism that warranted a response
    against its perpetrators.

    Reply
  21. Tomi Engdahl says:

    Sisä-Suomen poliisilaitoksella on tutkittavana useita
    WhatsApp-sovelluksen kaappauksia
    https://poliisi.fi/-/sisa-suomen-poliisilaitoksella-on-tutkittavana-useita-whatsapp-sovelluksen-kaappauksia
    Useat henkilöt ovat ilmoittaneet poliisille tapauksista, joissa oma
    WhatsApp-tili on kaapattu.. Selvitysten perusteella WhatsApp-tili
    kaapataan siten, että tuttu yhteystieto pyytää asianomistajan
    toimittamaan kiireellisesti 6-numeroisen koodin, joka lähetetään
    asianomistajan puhelimeen.

    Reply
  22. Tomi Engdahl says:

    Dutch supermarkets run out of cheese after ransomware attack
    https://www.bleepingcomputer.com/news/security/dutch-supermarkets-run-out-of-cheese-after-ransomware-attack/
    A ransomware attack against conditioned warehousing and transportation
    provider Bakker Logistiek has caused a cheese shortage in Dutch
    supermarkets.

    Reply
  23. Tomi Engdahl says:

    Updates on Microsoft Exchange Server Vulnerabilities
    https://us-cert.cisa.gov/ncas/current-activity/2021/04/12/updates-microsoft-exchange-server-vulnerabilities
    CISA has added two new Malware Analysis Reports (MARs) to Alert
    AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.

    Reply
  24. Tomi Engdahl says:

    IcedID Circulates Via Web Forms, Google URLs
    https://threatpost.com/icedid-web-forms-google-urls/165347/
    Attackers are filling out and submitting web-based contact us forms,
    thus evading email spam filters.

    Reply
  25. Tomi Engdahl says:

    Pulse Secure VPN users can’t login due to expired certificate
    https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-login-due-to-expired-certificate/
    Users worldwide cannot connect to Pulse Secure VPN devices after a
    code signing certificate used to digitally sign and verify software
    components has expired.

    Reply
  26. Tomi Engdahl says:

    Critical security alert: If you haven’t patched this old VPN vulnerability, assume your network is compromised
    https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched-this-two-year-old-vpn-vulnerability-assume-your-network-is-compromised/

    Hundreds of organisations that haven’t applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns.

    Reply
  27. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Data of 21M ParkMobile customers, including emails and license plate numbers, is up for sale; ParkMobile had disclosed a cybersecurity incident on March 26 — Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America.

    ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users
    https://krebsonsecurity.com/2021/04/parkmobile-breach-exposes-license-plate-data-mobile-numbers-of-21m-users/

    Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.

    Asked about the sales thread, Atlanta-based ParkMobile said the company published a notification on Mar. 26 about “a cybersecurity incident linked to a vulnerability in a third-party software that we use.”

    “In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident,” the notice reads. “Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”

    The statement continues: “Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”

    Asked for clarification on what the attackers did access, ParkMobile confirmed it included basic account information – license plate numbers, and if provided, email addresses and/or phone numbers, and vehicle nickname.

    “In a small percentage of cases, there may be mailing addresses,”

    ParkMobile doesn’t store user passwords, but rather it stores the output of a fairly robust one-way password hashing algorithm called bcrypt, which is far more resource-intensive and expensive to crack than common alternatives like MD5. The database stolen from ParkMobile and put up for sale includes each user’s bcrypt hash.

    “You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread.

    “Note, we do not keep the salt values in our system,”

    Reply
  28. Tomi Engdahl says:

    Released: April 2021 Exchange Server Security Updates
    https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617
    Vulnerabilities addressed in the April 2021 security updates were
    responsibly reported to Microsoft by a security partner. Although we
    are not aware of any active exploits in the wild, our recommendation
    is to install these updates immediately to protect your environment.

    Reply
  29. Tomi Engdahl says:

    RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers
    https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html
    An Indian security researcher has publicly published a
    proof-of-concept (PoC) exploit code for a newly discovered flaw
    impacting Google Chrome and other Chromium-based browsers like
    Microsoft Edge, Opera, and Brave.. While Google has addressed the
    issue in the latest version of V8, it’s yet to make its way to the
    stable channel, thereby leaving the browsers vulnerable to attacks.

    Reply
  30. Tomi Engdahl says:

    Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used
    in the wild
    https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/
    While analyzing the CVE-2021-1732 exploit originally discovered by the
    DBAPPSecurity Threat Intelligence Center and used by the BITTER APT
    group, we discovered another zero-day exploit we believe is linked to
    the same actor.

    Reply
  31. Tomi Engdahl says:

    CS:GO, Valve Source games vulnerable to hacking using Steam invites
    https://www.bleepingcomputer.com/news/security/cs-go-valve-source-games-vulnerable-to-hacking-using-steam-invites/
    A group of security researchers known as the Secret Club took to
    Twitter to report a remote code execution bug in the Source 3D game
    engine developed by Valve and used for building games with tens of
    millions of unique players.

    Reply
  32. Tomi Engdahl says:

    FBI Agents Secretly Deleted Web Shells From Hacked Microsoft Exchange Servers
    https://www.securityweek.com/fbi-agents-secretly-deleted-web-shells-hacked-microsoft-exchange-servers

    FBI agents executed a court-authorized cyber operation to delete malicious web shells from hundreds of previously hacked Microsoft Exchange servers in the United States, unbeknownst to their owners, the U.S. Department of Justice (DoJ) said Tuesday.

    After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers.

    In early attacks observed by Microsoft, attackers were able to exploit a series of vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

    Unfortunately, many organizations were not able to patch systems and/or remove associated malware that was installed.

    In what appears to be the first known operation of its kind, the FBI “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

    According to court documents, FBI agents removed the web shells by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).

    “Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells,” the DoJ explained.

    Reply
  33. Tomi Engdahl says:

    MS Patch Tuesday: NSA Reports New Critical Exchange Flaws
    https://www.securityweek.com/ms-patch-tuesday-nsa-reports-new-critical-exchange-flaws

    Just weeks after a wave of major in-the-wild zero-day attacks against Exchange Server installations globally, Microsoft is raising a fresh alarm for four new critical security flaws that expose businesses to remote code execution attacks.

    The four new Exchange Server vulnerabilities were fixed as part of this month’s Patch Tuesday bundle and because of the severity of these issues, Microsoft has joined with the U.S. National Security Agency (NSA) to urge the immediate deployment of the new fixes.

    The NSA is credited with reporting two of the four Exchange Vulnerabilities — CVE-2021-28480 and CVE-2021-28481 – and the agency is warning that exploitation “could allow persistent access and control of enterprise networks.”

    [ SEE: Microsoft Exchange Server Zero-Days Under Attack ]

    The two NSA-discovered bugs carry a CVSS score of 9.8 because of the risk of pre-auth code execution attacks without user interaction. TippingPoint’s ZDI believes these bugs may be wormable between Exchange servers.

    “Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible,” ZDI added.

    Reply
  34. Tomi Engdahl says:

    FBI nuked web shells from hacked Exchange Servers without telling owners
    https://www.bleepingcomputer.com/news/security/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners/

    A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers’ owners.

    On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM.

    vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers. These web shells provided remote access to the servers where threat actors used them to exfiltrate email and accounts credentials.

    Over the following weeks, government agencies released guidance, and Microsoft released a variety of scripts and tools to help victims determine if they had been compromised and remove web shells.

    Simultaneously, other threat actors began using the Microsoft Exchange vulnerabilities to install ransomware, cryptominers, and further web shells.

    FBI uses search warrant to remove web shells
    In a Department of Justice press release published today, the FBI states they used a search warrant to access the still-compromised Exchange servers, copy the web shell as evidence, and then remove the web shell from the server.

    The FBI requested this warrant because they believed that the owners of the still-compromised web servers did not have the technical ability to remove them on their own and that the shells posed a significant risk to the victim.

    Reply
  35. Tomi Engdahl says:

    The FBI is remotely hacking hundreds of computers to protect them from Hafnium
    They went inside unprotected computers to remove the threat
    https://www.theverge.com/2021/4/13/22382821/fbi-doj-hafnium-remote-access-removal-hack

    In what’s believed to be an unprecedented move, the FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers’ own tools (via TechCrunch).

    The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and triggered a “whole of government response” from the White House, reportedly left a number of backdoors that could let any number of hackers right into those systems again. Now, the FBI has taken advantage of this by using those same web shells / backdoors to remotely delete themselves, an operation that the agency is calling a success.

    “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explains the US Justice Department.

    It’ll be interesting to see if this sets a precedent for future responses to major hacks like Hafnium. While I’m personally undecided, it’s easy to argue that the FBI is doing the world a service by removing a threat like this — while Microsoft may have been painfully slow with its initial response, Microsoft Exchange Server customers have also now had well over a month to patch their own servers after several critical alerts. I wonder how many customers will be angry, and how many grateful that the FBI, not some other hacker, took advantage of the open door. We know that critical-but-local government infrastructure often has egregious security practices, most recently resulting in two local drinking water supplies being tampered with.
    The FBI says that thousands of systems were patched by their owners before it began its remote Hafnium backdoor removal operation, and that it only removed “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

    “Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.

    Reply
  36. Tomi Engdahl says:

    Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits
    https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html
    Google on Tuesday released a new version of Chrome web-browsing
    software for Windows, Mac, and Linux with patches for two newly
    discovered security vulnerabilities for both of which it says exploits
    exist in the wild, allowing attackers to engage in active
    exploitation.. see also
    https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/

    Reply
  37. Tomi Engdahl says:

    FBI blasts away web shells on US servers in wake of Exchange
    vulnerabilities
    https://www.zdnet.com/article/fbi-blasts-away-web-shells-on-us-servers-in-wake-of-exchange-vulnerabilities/
    Feds turn into cyberfirefighters and hose down the web shell bonfire
    raging on hundreds of unpatched Exchange servers.

    CISA gives federal agencies until Friday to patch Exchange servers
    https://www.bleepingcomputer.com/news/security/cisa-gives-federal-agencies-until-friday-to-patch-exchange-servers/
    The US Cybersecurity and Infrastructure Security Agency (CISA) has
    ordered federal agencies to install newly released Microsoft Exchange
    security updates by Friday.

    Reply
  38. Tomi Engdahl says:

    Threat Actors Targeting Cybersecurity Researchers
    https://us-cert.cisa.gov/ncas/current-activity/2021/04/14/threat-actors-targeting-cybersecurity-researchers
    Google and Microsoft recently published reports on advanced persistent
    threat (APT) actors targeting cybersecurity researchers. The APT
    actors are using fake social media profiles and legitimate-looking
    websites to lure security researchers into visiting malicious websites
    to steal information, including exploits and zero-day vulnerabilities.

    100,000 Google Sites Used to Install SolarMarket RAT
    https://threatpost.com/google-sites-solarmarket-rat/165396/
    Search-engine optimization (SEO) tactics direct users searching for
    common business forms such as invoices, receipts or other templates to
    hacker-controlled Google-hosted domains.

    Reply
  39. Tomi Engdahl says:

    An Update: The COVID-19 Vaccines Global Cold Chain Continues to Be a
    Target
    https://securityintelligence.com/posts/covid-19-vaccine-global-cold-chain-security/
    In December 2020, IBM Security X-Force released a research blog
    disclosing that the COVID-19 cold chain an integral part of
    delivering and storing COVID-19 vaccines at safe temperatures was
    targeted by cyber adversaries.. After that first report, we recently
    discovered an additional 50 files tied to spear-phishing emails that
    targeted 44 companies in 14 countries in Europe, North America, South
    America, Africa and Asia.

    Reply
  40. Tomi Engdahl says:

    Cyber criminals are installing cryptojacking malware on unpatched
    Microsoft Exchange servers
    https://www.zdnet.com/article/free-money-cyber-criminals-are-installing-cryptojacking-malware-on-unpatched-microsoft-exchange-servers/
    Cyber criminals are targeting vulnerable [published in March]
    Microsoft Exchange servers with cryptocurrency mining malware in a
    campaign designed to secretly use the processing power of compromised
    systems to make money.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*