This posting is here to collect cyber security news in April 2021.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
Tomi Engdahl says:
The data breach targeting Turku's educational online services was prevented;
as a precaution, passwords must be changed
https://yle.fi/uutiset/3-11883275
The City of Turku has filed a police report over the data breach that took
place over the weekend and on Monday. See also
https://www.turku.fi/uutinen/2021-04-14_tietomurto-opetuksen-verkkopalveluihin-turussa
Tomi Engdahl says:
SMASH
https://www.vusec.net/projects/smash/
SMASH is a new JavaScript-based attack that gives the attacker an
arbitrary read and write primitive in the browser. It does not rely on
software vulnerabilities or bugs, but instead takes advantage of the
much harder to mitigate Rowhammer bug in hardware to initiate the
exploit chain.
Tomi Engdahl says:
The FBI wanted to unlock the San Bernardino shooter's iPhone. It turned
to a little-known Australian firm.
https://www.washingtonpost.com/technology/2021/04/14/azimuth-san-bernardino-apple-iphone-fbi/
Azimuth unlocked the iPhone at the center of an epic legal battle
between the FBI and Apple. Now, Apple is suing the company co-founded
by one of the hackers behind the unlock.
Tomi Engdahl says:
Months After Hack, US Poised to Announce Sanctions on Russia
https://www.securityweek.com/months-after-hack-us-poised-announce-sanctions-russia
The Biden administration is preparing to announce sanctions in response to a massive Russian hacking campaign that breached vital federal agencies, as well as for election interference, a senior administration official said.
The sanctions, foreshadowed for weeks by the administration, would represent the first retaliatory action announced against the Kremlin for last year’s hack, familiarly known as the SolarWinds breach. In that intrusion, Russian hackers are believed to have infected widely used software with malicious code, enabling them to access the networks of at least nine agencies in what U.S. officials believe was an intelligence gathering operation aimed at mining government secrets.
Tomi Engdahl says:
U.S. imposes sweeping sanctions targeting Russian economy
https://www.axios.com/russia-sanctions-solarwinds-cyber-39561a8d-76c0-46ec-9047-6309153d1382.html
The Biden administration announced it will sanction dozens of Russian officials and entities, expel 10 diplomats from the U.S., and set new restrictions on buying sovereign debt in response to the massive SolarWinds hack of federal agencies and interference in the 2020 election.
Why it matters: The sweeping acts of retaliation are aimed at imposing heavy economic costs on Russia, after years of sanctions that have failed to deter an increasingly aggressive and authoritarian President Vladimir Putin.
Details: The administration formally accused Russia’s Foreign Intelligence Service (SVR) of carrying out the SolarWinds hack, which Microsoft President Brad Smith has called “the largest and most sophisticated attack the world has ever seen.” The intelligence community said it has “high confidence” in the assessment.
FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government
https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
Today the Biden administration is taking actions to impose costs on Russia for actions by its government and intelligence services against U.S. sovereignty and interests.
Executive Order Targeting the Harmful Foreign Activities of the Russian Government
Further Responses to the SolarWinds Malicious Cyber Activity
Today the United States is formally naming the Russian Foreign Intelligence Service (SVR), also known as APT 29, Cozy Bear, and The Dukes, as the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures. The U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR.
The SVR’s compromise of the SolarWinds software supply chain gave it the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide. The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident.
Today, the National Security Agency, the Cybersecurity & Infrastructure Security Agency, and the Federal Bureau of Investigation are jointly issuing a cybersecurity advisory, “Russian SVR Targets U.S. and Allied Networks,” that provides specific details on software vulnerabilities that the SVR uses to gain access to victim devices and networks. The advisory also provides specific steps that network defenders can take to identify and defend against the SVR’s malicious cyber activity.
Additionally, the SVR’s compromise of SolarWinds and other companies highlights the risks posed by Russia’s efforts to target companies worldwide through supply chain exploitation. Those efforts should serve as a warning about the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia. The U.S. government is evaluating whether to take action under Executive Order 13873 to better protect our ICTS supply chain from further exploitation by Russia.
Supporting a Global Cybersecurity Approach
The United States continues to strongly affirm the importance of an open, interoperable, secure, and reliable Internet. Russia’s actions run counter to that goal, which is shared by many of our allies and partners.
First, the United States is bolstering its efforts to promote a framework of responsible state behavior in cyberspace and to cooperate with allies and partners to counter malign cyber activities. We are providing a first-of-its kind course for policymakers worldwide on the policy and technical aspects of publicly attributing cyber incidents, which will be inaugurated this year at the George C. Marshall Center in Garmisch, Germany.
Second, we are reinforcing our commitment to collective security in cyberspace. The Department of Defense is taking steps to incorporate additional allies, including the UK, France, Denmark, and Estonia, into the planning for CYBER FLAG 21-1, which is an exercise designed to improve our defensive capabilities and resiliency in cyberspace. CYBER FLAG 21-1 will build a community of defensive cyber operators and improve overall capability of the United States and allies to identify, synchronize, and respond in unison against simulated malicious cyberspace activities targeting our critical infrastructure and key resources.
Tomi Engdahl says:
The FBI might have gone ahead and fixed your Microsoft email server
The unusual operation highlights the severity of the Exchange vulnerability, which allowed scores of hackers to break into organizations since the beginning of the year.
https://www.nbcnews.com/tech/security/fbi-might-gone-ahead-fixed-microsoft-email-server-rcna680
Tomi Engdahl says:
“Unhackable” MORPHEUS Chip Passes Its First Public Test, DARPA’s FETT Bug Bounty, Unhacked
Calling something “unhackable” doesn’t usually end well, but the University of Michigan’s MORPHEUS chip may prove to be just that.
https://www.hackster.io/news/unhackable-morpheus-chip-passes-its-first-public-test-darpa-s-fett-bug-bounty-unhacked-47df260fc24b
Tomi Engdahl says:
Security Bug Allows Attackers to Brick Kubernetes Clusters
https://threatpost.com/security-bug-brick-kubernetes-clusters/165413/
The vulnerability is triggered when a cloud container pulls a malicious image from a registry.
A vulnerability in one of the Go libraries that Kubernetes is based on could lead to denial of service (DoS) for the CRI-O and Podman container engines.
The bug (CVE-2021-20291) affects the Go library called “containers/storage.” According to Aviv Sasson, the security researcher at Palo Alto’s Unit 42 team who found the flaw, it can be triggered by placing a malicious image inside a registry; the DoS condition is created when that image is pulled from the registry by an unsuspecting user.
“Through this vulnerability, malicious actors could jeopardize any containerized infrastructure that relies on these vulnerable container engines, including Kubernetes and OpenShift,” Sasson said in a Wednesday posting.
CRI-O and Podman are container images, similar to Docker, that are used to perform actions and manage containers in the cloud. The containers/storage library is used by CRI-O and Podman to handle storage and download of container images.
When the vulnerability is triggered, CRI-O fails to pull new images, start any new containers (even if they are already pulled), retrieve local image lists or kill containers.
“An adversary could upload to the registry a malicious layer that aims to exploit the vulnerability and then upload an image that uses numerous layers, including the malicious layer, and by that create a malicious image,” Sasson explained. “Then, when the victim pulls the image from the registry, it will download the malicious layer in that process and the vulnerability will be exploited.”
Once the container engine starts downloading the malicious layer, the end result is a deadlock.
“[This] is a situation in which a lock is acquired and never gets released,” explained Sasson. “This causes a DoS since other threads and processes stop their execution and wait forever for the lock to be released.”
Patches for the bug were issued in version 1.28.1 of containers/storage; CRI-O version v1.20.2; and Podman version 3.1.0. Admins should update as soon as possible.
New Vulnerability Affecting Container Engines CRI-O and Podman (CVE-2021-20291)
https://unit42.paloaltonetworks.com/cve-2021-20291/
Executive Summary
As part of our initiative to improve security in the cloud-native landscape, I conducted a security audit of multiple Go libraries that Kubernetes is based on. In my research, I found CVE-2021-20291 in containers/storage that leads to a Denial of Service (DoS) of the container engines CRI-O and Podman when pulling a malicious image from a registry. Through this vulnerability, malicious actors could jeopardize any containerized infrastructure that relies on these vulnerable container engines, including Kubernetes and OpenShift.
Disclosure Process
We responsibly disclosed the vulnerability on March 10, 2021, and a fix was released on version 1.28.1. Corresponding fixes were released in CRI-O version v1.20.2 and Podman version 3.1.0.
On some platforms, depending on the user settings, the update can be downloaded automatically or it needs to be downloaded manually. We encourage the community to check their software version and update it in case it is not up to date.
We would like to thank the Red Hat security team for their prompt response to this issue and for assigning CVE-2021-20291 for the vulnerability.
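As an added illustration (not code from containers/storage, CRI-O, Podman or the Unit 42 write-up), the Go program below mirrors the lock-not-released pattern Sasson describes: a constructed layer store, the vulnerable apply function beside the deferred-unlock fix, and a bounded lock probe showing the store is left hung after a pull hits a malformed layer. The `LAYER:` marker, the layer blobs and every identifier are assumptions made for this demo.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
	"time"
)

// layerStore is a constructed stand-in for a container engine's layer store.
// It only mirrors the lock-handling pattern described in the post, nothing else.
type layerStore struct {
	mu     sync.Mutex
	layers map[string][]byte
}

// layerMagic is an assumed header that marks a well-formed layer blob in this demo.
var layerMagic = []byte("LAYER:")
var errMalformedLayer = errors.New("malformed layer blob")

// applyLayerVulnerable shows the bug class: the store lock is taken, but the error
// path for a malformed layer returns without releasing it, so later callers block forever.
func (s *layerStore) applyLayerVulnerable(id string, blob []byte) error {
	s.mu.Lock()
	if !bytes.HasPrefix(blob, layerMagic) {
		return errMalformedLayer // BUG: returns with the lock still held
	}
	s.layers[id] = blob[len(layerMagic):]
	s.mu.Unlock()
	return nil
}

// applyLayerFixed releases the lock on every path by deferring the Unlock.
func (s *layerStore) applyLayerFixed(id string, blob []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !bytes.HasPrefix(blob, layerMagic) {
		return errMalformedLayer
	}
	s.layers[id] = blob[len(layerMagic):]
	return nil
}

// lockStuck reports whether the store lock cannot be acquired within timeout. A bounded
// probe like this lets a health check surface the hung engine instead of hanging with it.
func (s *layerStore) lockStuck(timeout time.Duration) bool {
	acquired := make(chan struct{})
	go func() {
		s.mu.Lock()
		s.mu.Unlock()
		close(acquired)
	}()
	select {
	case <-acquired:
		return false
	case <-time.After(timeout):
		return true // probe goroutine stays blocked: the lock was never released
	}
}

// pullImage applies an image's layers in order and stops at the first error, as an engine would.
func pullImage(apply func(string, []byte) error, layers map[string][]byte, order []string) error {
	for _, id := range order {
		if err := apply(id, layers[id]); err != nil {
			return fmt.Errorf("layer %s: %w", id, err)
		}
	}
	return nil
}

// demoImage is a constructed image: a good base layer, a malicious layer, and a good top layer.
func demoImage() (map[string][]byte, []string) {
	layers := map[string][]byte{
		"sha256:aaa": []byte("LAYER:base filesystem"),
		"sha256:bbb": []byte("not a layer at all"), // the malicious layer
		"sha256:ccc": []byte("LAYER:application files"),
	}
	return layers, []string{"sha256:aaa", "sha256:bbb", "sha256:ccc"}
}

// runScenario pulls the demo image with either apply function and reports the outcome.
func runScenario(fixed bool) (pullFailed bool, stuck bool) {
	s := &layerStore{layers: make(map[string][]byte)}
	apply := s.applyLayerVulnerable
	if fixed {
		apply = s.applyLayerFixed
	}
	layers, order := demoImage()
	err := pullImage(apply, layers, order)
	return err != nil, s.lockStuck(200 * time.Millisecond)
}

func main() {
	for _, fixed := range []bool{false, true} {
		failed, stuck := runScenario(fixed)
		fmt.Printf("fixed=%v pullFailed=%v storeDeadlocked=%v\n", fixed, failed, stuck)
	}
}
```

Both variants reject the bad layer; only the vulnerable one leaves the store deadlocked, which is the state in which CRI-O could no longer pull, start, list or kill containers.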
Tomi Engdahl says:
Domain Name Security Neglected by U.S. Energy Companies: Report
https://www.securityweek.com/domain-name-security-neglected-us-energy-companies-report
A majority of the largest energy companies in the United States appear to have neglected the security of their domain names, according to CSC, a firm that specializes in securing online assets.
The Biden administration is concerned about potentially damaging cyberattacks aimed at the country’s critical infrastructure, and it’s taking steps to help electric utilities, water treatment plants and other industries protect their systems.
Data collected by CSC last week shows that nearly 80 percent of the top U.S. energy organizations are at risk of cyberattacks targeting their DNS and internet domain names. The data covers the 30 biggest U.S. companies (by market capitalization) that produce and deliver energy.
Specifically, CSC found that nearly 80% of energy firms don’t use registry locks, which can prevent domain name hijacking and unauthorized changes to DNS. More than two-thirds of the analyzed domains are registered with consumer-grade registrars instead of enterprise-grade registrars, which typically provide better security.
Tomi Engdahl says:
IBM: 44 Organizations Targeted in Attacks Aimed at COVID-19 Vaccine Cold Chain
https://www.securityweek.com/ibm-44-organizations-targeted-attacks-aimed-covid-19-vaccine-cold-chain
More than 40 organizations have been targeted in a global campaign focused on the COVID-19 vaccine cold chain infrastructure, which handles the distribution of vaccines and their storage at the required temperatures.
Following an initial report in December 2020, IBM Security X-Force now reveals that the number of affected organizations is higher compared to the previous assessment. A total of 44 organizations in 14 countries were targeted.
Operating in Europe, North America, South America, Africa, and Asia, the targeted entities are key organizations involved in the transportation, warehousing, storage, and distribution of COVID-19 vaccines.
Tomi Engdahl says:
NSA: Russian Hackers Exploiting VPN Vulnerabilities – Patch Immediately
https://www.securityweek.com/nsa-russian-hackers-exploiting-vpn-vulnerabilities-patch-immediately
The U.S. government on Thursday warned that Russian APT operators are exploiting five known — and already patched — vulnerabilities in corporate VPN infrastructure products, insisting it is “critically important” to mitigate these issues immediately.
The urgent advisory was issued by the National Security Agency (NSA) to call attention to a quintet of CVEs that are being actively exploited by a threat actor affiliated with Russia’s foreign intelligence service (SVR).
According to the NSA, the five vulnerabilities should be prioritized for patching alongside the newest batch of Exchange Server updates released by Microsoft earlier this week.
Here are the five vulnerabilities that need immediate attention:
CVE-2018-13379 Fortinet FortiGate VPN
CVE-2019-9670 Synacor Zimbra Collaboration Suite (advisory here)
CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN
CVE-2019-19781 Citrix Application Delivery Controller and Gateway
CVE-2020-4006 VMware Workspace ONE Access
“Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” the NSA said.
Tomi Engdahl says:
US Expels Russian Diplomats, Imposes Sanctions for Hacking
https://www.securityweek.com/us-expels-russian-diplomats-imposes-new-round-sanctions
The Biden administration on Thursday announced the U.S. is expelling 10 Russian diplomats and imposing sanctions against dozens of companies and people, holding the Kremlin accountable for interference in last year’s presidential election and the cyber hacking of federal agencies.
The sweeping measures are meant to punish Russia for actions that U.S. officials say cut to the core of American democracy and to deter future acts by imposing economic costs on Moscow, including by targeting its ability to borrow money.
Sanctions against six Russian companies that support the country’s cyber efforts represent the first retaliatory measures against the Kremlin for the hack familiarly known as the SolarWinds breach. The U.S. on Thursday also explicitly linked the hack to a Russian intelligence agency called the SVR. Though such intelligence-gathering operations are not uncommon, officials said they were determined to act because of the operation’s broad scope and the high cost of the intrusion on private companies.
The U.S. also announced sanctions on 32 individuals and entities accused of attempting to interfere in last year’s presidential election, including by spreading disinformation. U.S. intelligence officials alleged in a declassified report last month that Russian President Vladimir Putin authorized influence operations to help Donald Trump in his unsuccessful bid for reelection as president, though there’s no evidence Russia or anyone else changed votes or manipulated the outcome.
Tomi Engdahl says:
Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched
https://www.securityweek.com/exploit-second-unpatched-chromium-flaw-made-public-just-after-first-patched
A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week.
The second exploit was publicly disclosed by a researcher who uses the online moniker Frust and who works for Chinese cybersecurity company Qihoo 360. Frust announced the availability of an exploit for a “zero-day” Chrome vulnerability on Twitter on Wednesday, and a few hours later published a blog post with a technical description of the vulnerability (in Chinese), which actually exists in the Chromium code.
Tomi Engdahl says:
White House formally blames Russian intelligence service SVR for
SolarWinds hack
https://therecord.media/white-house-formally-blames-russian-intelligence-service-svr-for-solarwinds-hack/
In a press release today announcing a broad set of sanctions against
the Russian government, the Biden administration has formally named
the Russian Foreign Intelligence Service, also known as the SVR, as
the perpetrator of the 2020 SolarWinds Orion supply chain attack. The
White House said that SVR's hacking unit, known as APT 29, Cozy Bear,
or The Dukes, exploited the SolarWinds Orion platform and other
information technology infrastructures as part of a broad-scope cyber
espionage campaign. See also:
https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
https://home.treasury.gov/news/press-releases/jy0127
https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise
https://www.nato.int/cps/en/natohq/official_texts_183168.htm
https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation/
Tomi Engdahl says:
Russian Foreign Intelligence Service Exploiting Five Publicly Known
Vulnerabilities to Compromise U.S. and Allied Networks
https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/
This advisory is being released alongside the U.S. Government's formal
attribution of the SolarWinds supply chain compromise and related
cyber espionage campaign. We are publishing this product to highlight
additional tactics, techniques, and procedures being used by SVR so
that network defenders can take action to mitigate against them. See also:
https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a
Tomi Engdahl says:
Second Google Chrome zero-day exploit dropped on Twitter this week
https://www.bleepingcomputer.com/news/security/second-google-chrome-zero-day-exploit-dropped-on-twitter-this-week/
A second Chromium zero-day remote code execution exploit has been
released on Twitter this week that affects current versions of Google
Chrome, Microsoft Edge, and likely other Chromium-based browsers.
Tomi Engdahl says:
University of Hertfordshire pulls the plug on, well, everything after
cyber attack
https://www.theregister.com/2021/04/15/university_hertfordshire_cyber_attack/
The University of Hertfordshire has fallen victim to a cyber attack
that has resulted in the establishment pulling all its systems offline
to deal with the situation.
Tomi Engdahl says:
Gafgyt Botnet Lifts DDoS Tricks from Mirai
https://threatpost.com/gafgyt-botnet-ddos-mirai/165424/
The IoT-targeted malware has also added new exploits for initial
compromise, for Huawei, Realtek and Dasan GPON devices.
Tomi Engdahl says:
REVEALED: FBI got secretive Australian hacking firm to unlock iPhone of San Bernardino terrorist Farook Malik in 2016 after tense battle with Apple over mass-killer’s privacy
https://www.dailymail.co.uk/news/article-9470543/FBI-got-secretive-Australian-firm-unlock-San-Bernardino-terrorists-iPhone-Apple-battle.html
Tomi Engdahl says:
Major BGP leak disrupts thousands of networks globally
https://www.bleepingcomputer.com/news/security/major-bgp-leak-disrupts-thousands-of-networks-globally/
A large BGP routing leak that occurred last night disrupted the connectivity for thousands of major networks and websites around the world.
Although the BGP routing leak occurred in Vodafone’s autonomous network (AS55410) based in India, it has impacted U.S. companies, including Google, according to sources.
BGP leak causes 13x spike in misdirected traffic
Yesterday, Cisco's BGPMon spotted a discrepancy in an internet routing system, potentially indicating some BGP hijacking activity taking place:
the autonomous system ASN 55410 was seeing a 13 times spike in inbound traffic directed to it.
This occurred from the network mistakenly advertising that it supported over 30,000 BGP prefixes or routes, when it didn’t, causing the internet to flood this network with traffic that was not meant to go through it.
The said autonomous system (AS55410) belongs to Vodafone India Limited.
“This incident only affected traffic for about 10 minutes, but during that time there were likely countless internet connection problems for users around the world.”
BGP is fragile, and any disruptions or anomalies in even a few intermediary systems can have a lasting impact on many.
Tomi Engdahl says:
https://www.theguardian.com/technology/2021/apr/14/fbi-hacks-vulnerable-united-states-computers-to-fix-hack-malicious-malware-microsoft-exchange-software does raise the entirely valid point about where the line should be drawn regarding the authorities preventing further damage.
Tomi Engdahl says:
Rest of World:
Internet blackouts following a military coup have shut down swathes of the online economy in Myanmar, where internet penetration had surged to around 43%
Myanmar’s military coup has pushed its fledgling digital economy to the brink of collapse
https://restofworld.org/2021/myanmars-military-coup-has-pushed-its-fledgling-digital-economy-to-the-brink-of-collapse/
Amid internet blackouts, economic isolation, and massive strikes, a decade of development is unwinding.
Tomi Engdahl says:
Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack
https://www.securityweek.com/codecov-bash-uploader-dev-tool-compromised-supply-chain-hack
Tomi Engdahl says:
https://www.securityweek.com/google-broke-australian-law-over-location-data-collection-court
Tomi Engdahl says:
Sanctioned Russian IT Firm Was Partner With Microsoft, IBM
https://www.securityweek.com/sanctioned-russian-it-firm-was-partner-microsoft-ibm
The Treasury Department on Thursday slapped six Russian technology companies with sanctions for supporting Kremlin intelligence agencies engaged in “dangerous and disruptive cyber attacks.”
But only one of them stands out for its international footprint and partnerships with such IT heavyweights as Microsoft and IBM.
That company, Positive Technologies, claims more than 2,000 customers in 30 countries, including major European banks Societe Generale and ING, as well as Samsung, SK Telecom of South Korea and BT, the British telecommunications giant.
Its clients also include the FSB.
Tomi Engdahl says:
Vulnerabilities in OpENer Stack Expose Industrial Devices to Attacks
https://www.securityweek.com/vulnerabilities-opener-stack-expose-industrial-devices-attacks
Multiple vulnerabilities in the OpENer stack could be exploited in attacks aimed at supervisory control and data acquisition (SCADA) and other industrial systems that use OpENer.
Maintained by EIPStackGroup and designed for I/O adapter devices, the OpENer EtherNet/IP (ENIP) stack offers support for multiple I/O and explicit connections, implements the ENIP and CIP industrial protocols, and is highly popular among major SCADA vendors.
This week, researchers with industrial cybersecurity firm Claroty disclosed five vulnerabilities in the OpENer stack that could be abused by sending specially crafted ENIP/CIP packets to a vulnerable device.
Fuzzing and PR’ing: How We Found Bugs in a Popular Third-Party EtherNet/IP Protocol Stack
https://www.claroty.com/2021/04/15/blog-research-fuzzing-and-pring/
Tomi Engdahl says:
https://www.securityweek.com/critical-vulnerability-can-allow-attackers-hijack-or-disrupt-juniper-devices
Tomi Engdahl says:
Industry Reactions to FBI Cleaning Up Hacked Exchange Servers: Feedback Friday
https://www.securityweek.com/industry-reactions-fbi-cleaning-hacked-exchange-servers-feedback-friday
Tomi Engdahl says:
More Countries Officially Blame Russia for SolarWinds Attack
https://www.securityweek.com/more-countries-officially-blame-russia-solarwinds-attack
The United Kingdom, Canada, the European Union and NATO have expressed support for the United States in blaming Russia for the cyberattack on IT management company SolarWinds, which impacted organizations worldwide.
The announcements were made the same day that the United States expelled 10 Russian diplomats and sanctioned dozens of companies and people in an attempt to punish Russia, which is believed to have orchestrated last year both interference with the US presidential elections and the SolarWinds breach.
The Biden administration said that the sanctions were meant to send a signal to Kremlin that the US is ready to take action against efforts that undermine “the conduct of free and fair democratic elections and democratic institutions in the United States and its allies and partners,” or those that “facilitate malicious cyber activities against the United States and its allies and partners.”
Tomi Engdahl says:
Ryuk ransomware operation updates hacking techniques
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-operation-updates-hacking-techniques/
Recent attacks from Ryuk ransomware operators show that the actors
have a new preference when it comes to gaining initial access to the
victim network. The trend observed in attacks this year reveals a
predilection towards targeting hosts with remote desktop connections
exposed on the public internet.
Tomi Engdahl says:
Discord Nitro gift codes now demanded as ransomware payments
https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/
In a novel approach to ransom demands, a new ransomware calling itself
‘NitroRansomware’ encrypts victim’s files and then demands a Discord
Nitro gift code to decrypt files. While Discord is free, they offer a
Nitro subscription add-on for $9.99 per month that provides additional
perks, such as larger uploads, HD video streaming, enhanced emojis,
and the ability to boost your favorite server, so its users enjoy
extra functionality as well.
Tomi Engdahl says:
Combating Sleeper Threats With MTTD
https://securityintelligence.com/articles/sleeper-threats-mean-time-to-detect/
During the SolarWinds Orion supply chain compromise, threat actors
lurked in the victim’s network for more than a year. Discovered by
FireEye in December 2020, the earliest traces of a modified SolarWinds
Orion go back as early as October 2019. Although these early versions
did not contain the malicious backdoor (this was added in March 2020),
it means attackers were able to remain hidden for a long time.
Tomi Engdahl says:
SolarWinds hack affected six EU agencies
https://therecord.media/solarwinds-hack-affected-six-eu-agencies/
Six European Union institutions were hacked as part of the SolarWinds
supply chain attack, a top EU administration official said this week.
CERT-EU officials said that only 14 EU institutions ran a version of
the SolarWinds Orion IT monitoring platform, which was the conduit of
SolarWinds supply chain attack.
Tomi Engdahl says:
Spring cleaning? Don’t forget about your digital footprint
https://www.welivesecurity.com/2021/04/16/spring-cleaning-dont-forget-digital-footprint
You’ve probably heard the phrase “digital footprint” before, but do
you really know what it is? Your social media content, various online
payment transactions, location history, emails sent, messages sent
through instant messaging platforms, and passport usage: these are just
some of the data that make up your digital footprint.
Tomi Engdahl says:
Uncovering and Disclosing a Signature Spoofing Vulnerability in Windows Installer: CVE-2021-26413
https://sec.okta.com/articles/2021/04/uncovering-and-disclosing-signature-spoofing-vulnerability-windows
Tomi Engdahl says:
A Geico Data Breach Let Cyber Fraudsters Steal Customers’ Driver’s License Numbers
https://gizmodo.com/a-geico-data-breach-let-cyber-fraudsters-steal-customer-1846717328
Car insurance giant Geico has quietly disclosed that a recent security breach allowed cyber thieves to steal customers’ driver’s license information right off the company’s website.
The breach was made public Monday after TechCrunch noticed that the company had recently filed a breach notice with the California Attorney General’s Office—as is required by state law.
While it’s not totally clear how big the breach was, the state’s disclosure requirements are pegged to incidents affecting more than 500 state residents.
Geico admits fraudsters stole customers’ driver’s license numbers for months
https://techcrunch.com/2021/04/19/geico-driver-license-numbers-scraped/
Tomi Engdahl says:
Getting a D in class can get you put on Florida sheriff’s secret “future criminal” list. US Congress and Department of Education investigating illegal data-sharing.
Feds investigating Pasco schools giving student data to sheriff
https://www.tampabay.com/investigations/2021/04/19/feds-investigating-pasco-schools-giving-student-data-to-sheriff/
The Department of Education will look into whether the school district violated federal law by sharing personal student information without consent.
Tomi Engdahl says:
SolarWinds Hacking Campaign Puts Microsoft in the Hot Seat
https://www.securityweek.com/solarwinds-hacking-campaign-puts-microsoft-hot-seat
Tomi Engdahl says:
WordPress 5.7.1 Patches XXE Flaw in PHP 8
https://www.securityweek.com/wordpress-571-patches-xxe-flaw-php-8
WordPress has released version 5.7.1 of its popular content management system (CMS), which brings more than 25 bug fixes, including patches for two security vulnerabilities.
One of the patched security flaws is an XML External Entity (XXE) vulnerability in the ID3 library in PHP 8, which is used by WordPress. Tracked as CVE-2021-29447, the vulnerability is considered high severity.
Designed to parse ID3 tags from MP3 audio files, the library did not explicitly disable XML entities in PHP 8, which rendered WordPress 5.7 and older versions vulnerable to XXE attacks via MP3 file uploads.
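As an added illustration of the hardening point in the WordPress item above (this is not getID3, WordPress or the article's own code), here is a PHP sketch of the weak parser setting beside a hardened one; the embedded XML tag chunk is a constructed sample.

```php
<?php
// Weak vs. hardened parsing of an XML metadata chunk pulled out of an
// uploaded media file. Illustration only, not library code.

// Constructed sample: a tag chunk that smuggles in a DTD with an entity.
// Legitimate tag metadata never needs a DTD, so its presence is a red flag.
$untrusted = <<<XML
<!DOCTYPE tag [ <!ENTITY x "expanded"> ]>
<tag><title>&x;</title></tag>
XML;

// Weak: LIBXML_NOENT asks libxml to substitute entity references, including
// external ones declared in a DTD. That substitution is the XXE risk.
function parseWeak(string $xml): ?SimpleXMLElement
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : $doc;
}

// Hardened: refuse any document that declares a DTD or entity, never pass
// LIBXML_NOENT, and forbid network access during parsing (LIBXML_NONET).
function parseHardened(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml) === 1) {
        return null; // hostile input: metadata has no business carrying a DTD
    }
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

$weak = parseWeak($untrusted);
echo 'weak parser title: ', $weak === null ? '(parse failed)' : (string) $weak->title, PHP_EOL;

$safe = parseHardened($untrusted);
echo 'hardened parser: ', $safe === null ? 'rejected' : 'accepted', PHP_EOL;
```

The weak parser substitutes the declared entity into the title, while the hardened parser rejects the chunk before it ever reaches libxml.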
Tomi Engdahl says:
SolarWinds Fallout: The Feds Have Problems We Don’t Have
https://www.eetimes.com/solarwinds-fallout-the-feds-have-problems-we-dont-have/
All the cybersecurity providers and researchers I’ve spoken to on this beat tell me every single time, no matter the subject of our conversation, “You can’t defend what you can’t see,” “It’s not a question of if you’ll get hacked but when,” and increasingly “Zero-trust is the [only] way to go: never trust, always verify.”
They also always tell me, as do their reports, that the operational technology (OT) systems and even some IT systems of many commercial organizations — including critical infrastructure — are still unprotected or poorly protected, whether from lack of adequate cybersecurity products and services, or inadequate cybersecurity practices. SolarWinds’ less than even basic cybersecurity hygiene, for example — delegating password management to an intern?! — made it easy for attackers to compromise its Orion IT monitoring software.
Unfortunately, much of this is also true for U.S. government agencies, as we all were made painfully aware of in the wake of the SolarWinds epic hack, with nine federal agencies compromised, including the U.S. Department of Justice. With a new administration taking charge, it looks like changes are coming to the federal government’s cybersecurity tools and practices, for its own use as well as for how it helps protect U.S companies. As it turns out, the feds have problems in implementing cybersecurity that the private sector doesn’t have.
The feds have to multitask
The fact that the Federal Government is expected to protect U.S. companies, as well as its own agencies, and also regulate various sectors makes its task more complicated.
“Federal agencies have a huge set of OT and IT issues similar to commercial operations, but in some ways magnified,” Duncan Greatwood, CEO of cybersecurity provider Xage, told EE Times. “For example, the feds are responsible for regulation issues in organizations like NERC and NIST.” A big part of their own OT and IT systems consists of military installations: a single base can contain thousands of PLCs and other OT systems.
Historically, both public and private sectors traditionally focused on defending their networks’ edge, not securing access via the cloud, and assumed that anyone already in the network probably had the right to be there — the opposite of the emerging zero-trust paradigm. This has been especially true for OT networks, and increasingly for expanding Internet of Things (IoT) and Industrial IoT networks.
Although the feds have invested lots of money in cybersecurity, just last month the United States Government Accountability Office’s biannual report listed “ensuring the cybersecurity of the nation” as a high-risk area that’s regressed since 2019, especially for federal agencies. Why? Because risks have increased in both kind and amount, while the capacity to deal with them, action plans, and monitoring of risks have been met only partially.
The report identifies four major cybersecurity challenges on its to-do list:
a comprehensive cybersecurity strategy and effective oversight
securing federal systems
protecting critical infrastructure; and
protecting privacy and sensitive data
Tomi Engdahl says:
Lazarus APT conceals malicious code within BMP image to drop its RAT
https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
Lazarus APT is one of the most sophisticated North Korean Threat
Actors that has been active since at least 2009. This actor is known
to target the U.S., South Korea, Japan and several other countries. In
one of their most recent campaigns Lazarus used a complex targeted
phishing attack against security researchers.
Tomi Engdahl says:
Malware That Spreads Via Xcode Projects Now Targeting Apple’s M1-based
Macs
https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html
A Mac malware campaign targeting Xcode developers has been retooled to
add support for Apple’s new M1 chips and expand its features to steal
confidential information from cryptocurrency apps.
Tomi Engdahl says:
Malvertisers hacked 120 ad servers to load malicious ads
https://therecord.media/malvertisers-hacked-120-ad-servers-to-load-malicious-ads/
A malvertising operation known under the codename of Tag Barnakle has
breached more than 120 ad servers over the past year and inserted
malicious code into legitimate ads that redirected website visitors to
sites promoting scams and malware.
Tomi Engdahl says:
Cryptoscam with fake mining equipment
https://www.kaspersky.com/blog/cryptoscam-fake-antminer/39398/
How fake sellers are stealing bitcoins from buyers of sought-after
mining equipment. Rising cryptocurrency prices have led to an increase
in demand for mining equipment, but COVID-19 restrictions have led to
a drop in supply. As a result, the world is witnessing another
shortage of powerful video cards and cryptomining equipment, with
months-long wait times for new deliveries. Cybercriminals, as always,
are looking to capitalize on the crisis.
Tomi Engdahl says:
Codecov hackers breached hundreds of restricted customer sites: sources
https://mobile.reuters.com/article/amp/idUSKBN2C62XI?__twitter_impression=true
Hackers who tampered with a software development tool from a company called Codecov used that program to gain restricted access to hundreds of networks belonging to the San Francisco firm’s customers, investigators told Reuters.
The attackers used automation to rapidly copy those credentials and raid additional resources, the investigators said, expanding the breach beyond the initial disclosure by Codecov on Thursday.
Tomi Engdahl says:
Catalin Cimpanu / The Record:
REvil ransomware gang claims to have breached Apple contractor Quanta Computer and is threatening to leak Apple product schematics unless a ransom is paid
Ransomware gang tries to extort Apple hours ahead of Spring Loaded event
https://therecord.media/ransomware-gang-tries-to-extort-apple-hours-ahead-of-spring-loaded-event/
The operators of the REvil ransomware are demanding that Apple pay a ransom demand to avoid having confidential information leaked on the dark web.
The REvil crew claims it came into possession of Apple product data after breaching Quanta Computer, a Taiwanese company that is the biggest laptop manufacturer in the world and which is also one of the companies that assemble official Apple products based on pre-supplied product designs and schematics.
The REvil gang posted 21 screenshots depicting Macbook schematics and threatened to publish new data every day until Apple or Quanta paid the ransom demand.
Furthermore, the ransomware gang also hinted that the data of other companies might also be leaked online.
“Our team is negotiating the sale of large quantities of confidential drawings and gigabytes of personal data with several major brands,” the REvil operators wrote. “We recommend that Apple buy back the available data by May 1.”
Tomi Engdahl says:
Reuters:
FireEye and networking company Pulse Secure say two China-linked hacking groups used a flaw in its VPN devices to target customers in the US defense industry — At least two groups of China-linked hackers have spent months using a previously undisclosed vulnerability in American networking devices …
China-linked hackers used VPN flaw to target U.S. defense industry -researchers
https://www.reuters.com/technology/china-linked-hackers-used-pulse-secure-flaw-target-us-defense-industry-2021-04-20/
At least two groups of China-linked hackers have spent months using a previously undisclosed vulnerability in American virtual private networking devices to spy on the U.S. defense industry, researchers and the devices’ manufacturer said Tuesday.
Utah-based IT company Ivanti said in a statement the hackers took advantage of the flaw in its Pulse Connect Secure suite to break into the systems of “a very limited number of customers.”
Ivanti said that while mitigations were in place, a fix for the issue would be unavailable until early May.
https://blog.pulsesecure.net/pulse-connect-secure-security-update/