This posting is here to collect cyber security news in May 2021.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Google Docs used for Office 365 credential phishing https://www.kaspersky.com/blog/office-365-phishing-via-gdocs/39828/
Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft's Office 365 suite has seen a lot more use and, to no one's surprise, phishing now increasingly targets those user accounts. Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft's sign-in page. Here is another phishing scheme that makes use of Google services.
Tomi Engdahl says:
Popular routers found vulnerable to hacker attacks https://www.welivesecurity.com/2021/05/07/popular-routers-vulnerable-hacker-attacks/
Millions of Brits use Wi-Fi routers that contain various security flaws and may put them at risk of cyberattacks, an investigation by British consumer watchdog Which? has found. Together with Red Maple Technologies, Which? looked at 13 commonly used older router models offered by various British internet service providers (ISPs) and found that over half of them didn't meet the security standards of today.
The main issues affecting routers supplied by ISPs such as Virgin, EE, Sky, TalkTalk, and Vodafone were weak default passwords, local network vulnerabilities, and the lack of firmware updates to patch security loopholes.
Tomi Engdahl says:
Devious OP scam text message changed: this is how the bank attack works https://www.is.fi/digitoday/tietoturva/art-2000007963272.html
Finns are once again being sent scam text messages in OP's name.
The latest text message contains a link that leads to a page phishing for bank credentials. The text of the message is as follows: As a precaution, your card has been blocked. Verify your identity to reactivate the card. The text is followed by the address leading to the scam page. Apart from the address, the scam is identical to the one seen earlier in the week.
The web page behind the link closely resembles OP's pages.
Tomi Engdahl says:
Google will make you use two-step verification to login https://www.theregister.com/2021/05/07/google_password_purge/
Google has marked World Password Day by declaring “passwords are the single biggest threat to your online security,” and announcing plans to automatically add multi-step authentication to its users’ accounts.
A mere eight years after Intel began promoting World Password Day as a way to raise awareness about the importance of strong passwords, Google is ready to wipe them from memory.
Tomi Engdahl says:
Largest U.S. pipeline shuts down operations after ransomware attack https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/
Colonial Pipeline, the largest fuel pipeline in the United States, has shut down operations after suffering what is reported to be a ransomware attack. Colonial Pipeline transports refined petroleum products between refineries located in the Gulf Coast and markets throughout the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500 mile pipeline and provides 45% of all fuel consumed on the East Coast. Also:
https://threatpost.com/pipeline-crippled-ransomware/165963/
https://www.zdnet.com/article/colonial-pipeline-cyberattack-shuts-down-pipeline-that-supplies-45-of-east-coasts-fuel/
Tomi Engdahl says:
Colonial Hackers Stole Data Thursday Ahead of Shutdown https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown
The hackers who caused Colonial Pipeline to shut down the biggest U.S. gasoline pipeline on Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, according to people familiar with the matter. The intruders, who are part of a cybercrime gang called DarkSide, took nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company's network in just two hours on Thursday, two people involved in Colonial's investigation said.
Tomi Engdahl says:
Amazon Fake Reviews Scam Exposed in Data Breach https://www.safetydetectives.com/blog/amazon-reviews-leak-report/
The SafetyDetectives cybersecurity team uncovered an open ElasticSearch database exposing an organized fake reviews scam affecting Amazon. The server contained a treasure trove of direct messages between Amazon vendors and customers willing to provide fake reviews in exchange for free products. In total, 13,124,962 of these records (or 7 GB of data) have been exposed in the breach, potentially implicating more than 200,000 people in unethical activities.
Tomi Engdahl says:
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html
Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques, and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available.
Tomi Engdahl says:
Colonial Pipeline Struggles to Restart After Ransomware Attack
https://www.securityweek.com/colonial-pipeline-struggles-restart-after-ransomware-attack
Operators of the Colonial Pipeline are struggling to get fuel flowing at normal capacity after a cyberattack forced a shutdown of distribution system, the largest refined products pipeline in the United States.
The Colonial Pipeline Company was the victim of a ransomware attack that triggered the company to halt all pipeline operations on Friday.
The company said Sunday evening that it was developing a system restart plan, but that some smaller lateral lines between terminals and delivery points are now operational.
Colonial’s mainlines (Lines 1, 2, 3 and 4) remain offline as of Sunday night.
“We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations,” the company said in a statement.
Not without warning
The incident comes just days after the U.S. National Security Agency (NSA) released a cybersecurity advisory focusing on the security of OT systems, particularly in terms of connectivity to IT systems.
Last year, the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert urging critical infrastructure operators to take immediate measures to reduce the exposure of OT systems to cyberattacks.
In 2019, an audit from the Government Accountability Office (GAO) showed that the U.S. Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) needed to address weaknesses in the management of key aspects of its pipeline security program.
Cyberattack Forces Shutdown of Major U.S. Pipeline
https://www.securityweek.com/cyberattack-forces-shutdown-major-us-pipeline
A cyberattack has forced an operational shutdown of the Colonial Pipeline, the largest refined products pipeline in the United States.
The Colonial Pipeline Company said late Friday that it was the victim of a cyberattack, sparking the company to proactively take certain systems offline and temporarily halt all pipeline operations. The company said the attack had impacted some of its IT systems, but did not say if any of its operational technology (OT) systems were directly impacted.
Colonial said in an update Saturday that the incident does involve ransomware.
The Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily through a pipeline system that spans more than 5,500 miles between Houston, Texas and Linden, New Jersey.
In 2014, several natural gas pipeline operators in the United States were affected by a cyberattack that hit a third-party communications system, but the incident did impact operational technology.
Following a review in how the TSA manages its pipeline security program, the GAO made a series of recommendations in December 2018 to address discovered weaknesses, which include updating pipeline security guidelines, planning for workforce needs, assessing pipeline risks, and monitoring program performance.
Back in 2012, the Department of Homeland Security (DHS) warned that malicious actors had been targeting the natural gas industry.
Tomi Engdahl says:
US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal
https://www.securityweek.com/us-uk-gov-warning-solarwinds-attackers-add-open-source-pentest-tool-arsenal
Agencies in the United States and the United Kingdom on Friday published a joint report providing more details on the activities of the Russian cyberspy group that is believed to be behind the attack on IT management company SolarWinds. The report reveals that the hackers started using the open-source adversary simulation framework Sliver after some of their operations were exposed.
The FBI, NSA, CISA and the UK’s NCSC say the Russian threat actor tracked as APT29 (aka the Dukes, Cozy Bear and Yttrium) was behind the SolarWinds attack, which resulted in hundreds of organizations having their systems breached through malicious updates served from compromised SolarWinds systems.
Tomi Engdahl says:
TsuNAME Vulnerability Can Be Exploited for DDoS Attacks on DNS Servers
https://www.securityweek.com/tsuname-vulnerability-can-be-exploited-ddos-attacks-dns-servers
Some DNS resolvers are affected by a vulnerability that can be exploited to launch distributed denial-of-service (DDoS) attacks against authoritative DNS servers, a group of researchers warned this week.
The flaw, dubbed TsuNAME, was discovered by researchers at SIDN Labs (the R&D team of the registry for .nl domains), InternetNZ (the registry for .nz domains), and the Information Science Institute at the University of Southern California.
Impacted organizations have been notified and given 90 days to take action before the vulnerability was disclosed. Google and Cisco, both of which provide widely used DNS services, have deployed patches for TsuNAME, but the researchers believe many servers are still vulnerable to attacks.
An attacker can abuse recursive resolvers affected by TsuNAME to send a large volume of queries to targeted authoritative servers, such as the ones of TLD operators.
TsuNAME occurs on servers where there is cyclic dependency, a configuration error caused by the NS records for two zones pointing to each other.
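As an added example (written for this post, not code from the TsuNAME researchers or from any resolver), a small Python checker that finds cyclic NS delegations of the kind just described and simulates why a resolver needs a query budget before it stops chasing them; the zone data is constructed and the zone names are placeholders.

```python
"""Detect cyclic NS delegation dependencies and show the resolver loop they cause.

Constructed delegation data: zone -> NS hostnames (absolute names, trailing dot).
example.net.'s name servers live under example.org. and vice versa, so neither
zone can be resolved without first resolving the other (the TsuNAME condition).
a/b/c.example. form a three-zone cycle; example.com. is in-bailiwick (glue).
"""
from collections import defaultdict

DELEGATIONS = {
    "example.net.": ["ns1.example.org.", "ns2.example.org."],
    "example.org.": ["ns1.example.net.", "ns2.example.net."],
    "example.com.": ["ns1.example.com.", "ns2.example.com."],
    "a.example.": ["ns.b.example."],
    "b.example.": ["ns.c.example."],
    "c.example.": ["ns.a.example."],
}


def zone_of(hostname, zones):
    """Return the longest known zone that contains `hostname`, or None if unknown."""
    best = None
    for zone in zones:
        if hostname == zone or hostname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def dependency_graph(delegations):
    """Map each zone to the other zones its NS names live under.

    An NS name inside the zone itself is in-bailiwick (served with glue) and
    creates no external dependency, so it is ignored.
    """
    graph = defaultdict(set)
    for zone, nameservers in delegations.items():
        graph[zone]  # make sure every zone is a node, even with no edges
        for ns in nameservers:
            owner = zone_of(ns, delegations)
            if owner is not None and owner != zone:
                graph[zone].add(owner)
    return dict(graph)


def find_cycles(graph):
    """Return every dependency cycle as a sorted tuple of zone names.

    Plain path-tracking DFS; fine for the handful of zones an operator checks.
    """
    cycles = set()

    def walk(node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt in path:
                cycles.add(tuple(sorted(path[path.index(nxt):])))
            else:
                walk(nxt, path + [nxt])

    for zone in graph:
        walk(zone, [zone])
    return sorted(cycles)


def simulate_resolution(delegations, zone, max_queries=30):
    """Simulate a resolver chasing the NS names of `zone`.

    Returns (outcome, queries_sent). Every hop is another query at the
    authoritative servers; with a cyclic dependency and no budget the loop
    never ends, which is the load TsuNAME turns into a DDoS. `max_queries`
    models the loop guard a fixed resolver applies.
    """
    counter = {"queries": 0}

    def resolve(z):
        if counter["queries"] >= max_queries:
            return False  # budget exhausted: give up instead of looping
        counter["queries"] += 1
        for ns in delegations.get(z, []):
            owner = zone_of(ns, delegations)
            if owner is None or owner == z:
                return True  # glue or externally resolvable name server
            if resolve(owner):
                return True
        return False

    ok = resolve(zone)
    return ("resolved" if ok else "gave-up"), counter["queries"]


if __name__ == "__main__":
    for cycle in find_cycles(dependency_graph(DELEGATIONS)):
        print("cyclic NS dependency:", " <-> ".join(cycle))
    for z in ("example.net.", "example.com."):
        print(z, simulate_resolution(DELEGATIONS, z))
```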
Tomi Engdahl says:
Wall Street Journal:
Colonial Pipeline, which carries 45% of fuel consumed on the US East Coast, says it halted operations due to a ransomware attack — Colonial Pipeline carries roughly 45% of gasoline and diesel fuel consumed on the East Coast — The main pipeline carrying gasoline and diesel fuel …
https://www.wsj.com/articles/cyberattack-forces-closure-of-largest-u-s-refined-fuel-pipeline-11620479737?mod=djemalertNEWS
Bloomberg:
Sources: cybercrime gang DarkSide, which caused Colonial Pipeline to halt operations, stole and encrypted ~100GB of data on Thursday before demanding a ransom — Attackers stole nearly 100GB of data in two hours on Thursday — Theft followed by locking of computers and ransom demand
https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown
Tomi Engdahl says:
Cyber Warfare Is the New Oil Embargo
https://www.bloomberg.com/opinion/articles/2021-05-08/colonial-pipeline-cyberattack-reveals-vulnerability-of-energy-networks
An attack on a major U.S. oil artery hammers home that energy security in the 21st century means more than energy independence. Networks are both vital and vulnerable.
Almost 40 years on, our interconnectedness is even more pronounced, but you don’t need the Bomb to unravel vital networks. The proverbial 400-pound hacker tapping away in bed is our post-modern ICBM. This weekend’s shutdown of the Colonial Pipeline, a major oil artery linking the Gulf Coast to East Coast markets, doesn’t spell Armageddon, of course. Provided the situation is resolved quickly, disruption to energy markets should be as minimal as when shutdowns occurred in 2016. Certainly, cars were not lining up to stockpile gas in my corner of New York on Saturday.
One wonders if there would have been more alarm if, instead of “major pipeline shut down by cyberattack,” the headline instead was “OPEC+ announces oil embargo against U.S.” We still tend to think about energy security in that way: bogeymen blocking foreign fuel supplies best countered by pursuing “independence” or even “dominance.” But no amount of Permian oil helps drivers in New York if the pipeline between them is held hostage by ransomware. While there are more questions than answers at this point about what happened to Colonial, this is the first observation: Having your own energy supply provides some security, but if your thinking stops there, you’re stuck in the 1970s. Texas’ recent energy crisis didn’t reflect a lack of energy per se but a complex (and sometimes self-reinforcing) cascade of breakdowns in the network of equipment providing it.
Even with the benefit of higher domestic oil and gas production, the importance — and vulnerability — of energy networks is becoming more of a crucial issue in the 21st century.
That security angle might conceivably provide a means for President Joe Biden to win over some skeptics. We may argue about what exactly constitutes “infrastructure,” but the need to protect whatever we build against attack is just common sense. The need for investment in protecting pipeline systems and charging networks alike against cyberattack could provide scope for agreement. On the other hand, there is at least as much potential for any prolonged Colonial outage, and associated pump-price increases, to reinforce positions fixated on expanding fossil-fuel supply on one side and those advocating renewables — especially distributed assets — on the other. Apart from anything else, infrastructure is outrage.
Possibly the only thing that would suppress this natural urge to blame the other side of the aisle would be the emergence of credible evidence that a foreign state was behind the attack. If so, it would represent a significant escalation. Americans can apparently live with bad actors messing with our election systems, but woe betide the foreign agent tying a knot in the gas pump. The situation is a little like the old paradigm of mutually assured destruction that “Threads” dramatized. Every major power knows there is the potential to knock out an adversary’s power grid or some other vital network, but the consequences of such an attack — ranging from inconvenience to mass fatalities — keep such impulses in check.
If some other state actor has crossed that line, the U.S. reaction is likely to be significant, risking further escalation when the president is already framing his infrastructure and climate policies in terms of great-power competition. As of now, it seems as if Colonial is the victim of a ransomware attack. But while that suggests some private criminal enterprise at work, the lines between mere cybercrime and outright cyber warfare are very fuzzy in terms of who is carrying out work for whom and how information gets shared, with North Korea being a prime example. Meanwhile, the latest threat assessment from the Office of the Director of National Intelligence, published a month ago, warns specifically that “Russia continues to target critical infrastructure,” with its cyber capabilities, including “industrial control systems.”
The best-case scenario is that some online crook has overreached. Even then, the implication of what’s possible should generate a ton of fallout.
Tomi Engdahl says:
Tanker Traders Jockey For Position As Colonial Pipeline Fights Hackers For A Third Day
https://gcaptain.com/tanker-traders-colonial-pipeline-hack/
The ocean-going tanker Pacific Jasper that had been taking gasoline toward the U.S. Gulf stopped on its voyage and is now stationed east of the Bahamas. If the halt is prolonged, the fuel is likely to fetch higher premiums in the New York Harbor area.
By Sheela Tobben and Jeffrey Bair (Bloomberg) –Fuel suppliers are growing increasingly nervous about the possibility of gasoline and diesel shortages across the eastern U.S. almost two days after a cyberattack knocked out the massive Colonial pipeline.
The attack comes just as the nation’s energy industry is preparing to meet stronger fuel demand from summer travel. Americans are once again commuting to the office, planning major travel for the first time and booking flights. A prolonged disruption along the pipeline system threatens to send average U.S. gasoline prices above $3 a gallon for the first time since October 2014, further stoking fears of inflation as commodity prices rally worldwide and oil market laggard jet fuel is set to see a 30% demand surge.
With little to no clarity over when the system will return, traders are seeking vessels to deliver gasoline that would have otherwise been shipped on the Colonial system
Colonial halted all operations on its system late Friday after suffering a ransomware attack that affected some of its IT systems.
Colonial is just the latest example of critical infrastructure being targeted by ransomware. Hackers are increasingly attempting to infiltrate essential services such as electric grids and hospitals. The escalating threats prompted the White House to respond last month with a plan to increase security at utilities and their suppliers. Pipelines are a specific concern because of the central role they play in the U.S. economy.
The White House pulled together an inter-agency task force to address the breach, including exploring options for lessening its impact, according to an official. President Joe Biden can invoke an array of emergency powers to ensure supplies keep flowing to big cities and airports along the East Coast.
Tomi Engdahl says:
When someone else’s cybersecurity failure becomes a problem for lots of people.
Hacked Fuel Pipeline Vows to Restore Service by End of Week
https://finance.yahoo.com/news/u-fuel-sellers-scramble-alternatives-014304375.html
North America’s biggest petroleum pipeline pledged to restore deliveries of gasoline and other fuels to the eastern U.S. by the end of the week after a cyberattack halted shipments.
Colonial Pipeline said segments of its Texas-to-New Jersey line are being brought back online in steps, easing some concerns that fuel shortages could threaten major population centers up and down the U.S. East Coast. The question now is whether regional inventories held in storage tanks are enough to satisfy demand while Colonial works on resuming operations.
The conduit has been shut down since late Friday, prompting frenzied moves by traders and retailers to secure alternative supplies. On Monday, the Federal Bureau of Investigation said it’s looking into the disruption.
Emergency shipments of gasoline and diesel from Texas already are on the way to Atlanta and other southeast cities via trucks, and at least one Gulf Coast refinery began trimming output amid expectations that supplies will begin backing up in the nation’s oil-refining nexus.
Although the attack on the Colonial system is “unprecedented,” the conduit ought to be back in service in three to five days, Amrita Sen, co-founder of consultant Energy Aspects Ltd., told Bloomberg TV just hours before the pipeline company announced it’s end-of-week target.
Tankers Booked
Prior to Colonial’s Monday statement, traders were seeking vessels to deliver fuel to coastal terminals. Four vessels were provisionally chartered to send diesel or gasoline from Europe to the U.S. Atlantic Coast, according to Danish oil-product tanker company Torm A/S.
Tomi Engdahl says:
Colonial Pipeline aims to be “substantially” back online by end of week
https://www.axios.com/colonial-pipeline-hack-fbi-darkside-b9bce545-c37e-4377-ad35-4c280ce04460.html
The FBI confirmed in a statement Monday that a professional cybercriminal group called DarkSide was responsible for a ransomware attack on the Colonial Pipeline network, which provides roughly 45% of the fuel used on the East Coast.
The latest: Colonial said in a statement at 12:25pm ET on Monday that segments of the pipeline are being brought back online in a “stepwise fashion,” with the goal of “substantially restoring operational service by the end of the week.”
Worth noting: Neuberger would not answer whether Colonial has paid a ransom, telling reporters that they are a private company and that the White House will defer those “very difficult” decisions to them. She added that the administration has not offered Colonial any further advice.
The big picture: Colonial is the largest refined fuel pipeline network in the country, transporting over 100 million gallons per day. It has been out of operation since Friday as a result of the hack, raising fears of a surge in fuel prices.
Tomi Engdahl says:
$3 A Gallon Gas? Here’s Why A Cyberattack On A Pipeline Company Has Experts Worried Prices Will Stay High
https://www.forbes.com/sites/melissaholzberg/2021/05/10/3-a-gallon-gas-heres-why-a-cyberattack-on-a-pipeline-company-has-experts-worried-prices-will-stay-high/
U.S. gas prices neared $3 per gallon Monday morning while the country’s largest pipeline remains shutdown due to a cyberattack on Friday, and some experts warn a prolonged shutdown will hit consumers at the pump.
Tomi Engdahl says:
Eamon Javers / CNBC:
DarkSide, the group behind the pipeline attack, claims it wants to make money, not cause “problems for society”, and it’ll add “moderation” to picking targets — A hacker group called DarkSide is behind the cyberattack on Colonial Pipeline that shut down a major oil pipeline over the weekend.
Here’s the hacking group responsible for the Colonial Pipeline shutdown
Published Mon, May 10 2021 9:25 AM EDT, updated Mon, May 10 2021 12:27 PM EDT
https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.html
A hacker group called DarkSide is behind the cyberattack on Colonial Pipeline that shut down a major oil pipeline over the weekend.
DarkSide makes ransomware hacking tools, but only largely goes after for-profit companies from English-speaking countries.
The DarkSide hacker gang that is responsible for the devastating Colonial Pipeline attack this weekend is a relatively new group, but cybersecurity analysts already know enough about them to determine just how dangerous they are.
According to Boston-based Cybereason, DarkSide is an organized group of hackers set up along the “ransomware as a service” business model, meaning the DarkSide hackers develop and market ransomware hacking tools, and sell them to other criminals who then carry out attacks. Think of it as the evil twin of a Silicon Valley software start-up.
Bloomberg first reported that DarkSide may be involved in the attack on Colonial Pipeline. The FBI confirmed Monday that DarkSide was behind the attack.
On Monday, Cybereason provided CNBC with a new statement from DarkSide’s website that appears to address the Colonial Pipeline shutdown.
Under a heading, “About the latest news,” DarkSide claimed it’s not political and only wants to make money without causing problems for society.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Cybereason reports that DarkSide has a perverse desire to appear ethical, even posting its own code of conduct for its customers telling them who and what targets are acceptable to attack. Protected organizations not to be harmed include hospitals, hospices, schools, universities, nonprofit organizations, and government agencies. Also apparently protected are entities based in former Soviet countries. Fair game, then, are all for-profit companies in English speaking countries.
Tomi Engdahl says:
Wall Street Journal:
Colonial Pipeline, which carries 45% of fuel consumed on the US East Coast, says it halted operations due to a ransomware attack — Colonial Pipeline carries roughly 45% of gasoline and diesel fuel consumed on the East Coast — The main pipeline carrying gasoline and diesel fuel …
U.S. Pipeline Cyberattack Forces Closure
Colonial Pipeline carries roughly 45% of gasoline and diesel fuel consumed on the East Coast
https://www.wsj.com/articles/cyberattack-forces-closure-of-largest-u-s-refined-fuel-pipeline-11620479737?mod=djemalertNEWS
Tomi Engdahl says:
Dustin Volz / Wall Street Journal:
Colonial Pipeline says it is working on “substantially restoring operational service by the end of the week”; FBI confirms DarkSide was behind the attack — DarkSide, a ransomware organization believed to be based in Eastern Europe, says it has no connection to foreign governments
U.S. Blames Criminal Group in Colonial Pipeline Hack
DarkSide, a ransomware organization believed to be based in Eastern Europe, says it has no connection to foreign governments
https://www.wsj.com/articles/fbi-suspects-criminal-group-with-ties-to-eastern-europe-in-pipeline-hack-11620664720?mod=djemalertNEWS
A criminal gang believed to be based in Eastern Europe was involved in the hack that has led to the shutdown of the main pipeline supplying gasoline and diesel fuel to the U.S. East Coast, U.S. officials said Monday, as President Biden and others decried the ransomware attack that was used as a growing global problem.
The organization, known as DarkSide, is a relatively new hacking group that Western security researchers say is likely based in Eastern Europe, possibly in Russia. The organization created the malicious computer code that resulted in the shutdown, officials said.
“The FBI confirms that the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” a Federal Bureau of Investigation spokesman said Monday. “We continue to work with the company and our government partners on the investigation.”
Mr. Biden and others said the Russian government didn’t appear to have a hand in the attack, but he criticized Moscow for tolerating criminal hackers within its borders.
“So far, there is no evidence from our intelligence people that Russia is involved,” Mr. Biden said. “Although there is some evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”
Anne Neuberger, deputy national security adviser for cyber and emerging technology, said during a separate White House press briefing that officials believed that DarkSide was a criminal group and confirmed that Colonial shut down its networks before the ransomware infected any of its operational control systems.
Tomi Engdahl says:
Apple AirTag Spills Its Secrets
https://hackaday.com/2021/05/10/apple-airtag-spills-its-secrets/
The Apple AirTag is a $29 Bluetooth beacon that sticks onto your stuff and helps you locate it when lost. It’s more than just a beeper though, the idea is that it can be silently spotted by any iDevice — almost like a crowd-sourced mesh network — and its owner alerted of its position wherever they are in the world.
There are so many questions about its privacy implications despite Apple’s reassurances, so naturally it has been of great interest to those who research such things. First among those working on it to gain control of its nRF52832 microcontroller is [Stacksmashing], who used a glitching technique whereby the chip’s internal power supply is interrupted with precise timing, to bypass the internally enabled protection of its debug port. The firmware has been dumped, and of course a tag has been repurposed for the far more worthwhile application of Rickrolling Bluetooth snoopers.
Tomi Engdahl says:
Bloomberg:
Sources: cybercrime gang DarkSide, which caused Colonial Pipeline to halt operations, stole and encrypted ~100GB of data on Thursday before demanding a ransom
Colonial Hackers Stole Data Thursday Ahead of Shutdown
https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown
The hackers who caused Colonial Pipeline to shut down the biggest U.S. gasoline pipeline on Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, according to people familiar with the matter.
The intruders, who are part of a cybercrime gang called DarkSide, took nearly 100 gigabytes of data out of the Alpharetta, Georgia-based company’s network in just two hours on Thursday, two people involved in Colonial’s investigation said.
The move was part of a double-extortion scheme that is one of the group’s hallmarks. Colonial was threatened that the stolen data would be leaked to the internet while the information that was encrypted by the hackers on computers inside the network would remain locked unless it paid a ransom, said the people, who asked not to be identified because the information isn’t public.
Tomi Engdahl says:
José Adorno / 9to5Mac:
A German security researcher claims he was able to break into the microcontroller of Apple’s AirTag, allowing him to modify its NFC URL
AirTag hacked for the first time by security researcher [Video]
https://9to5mac.com/2021/05/09/airtag-hacked-for-the-first-time-by-security-researcher-video/
Tomi Engdahl says:
DDoS attacks in Q1 2021
https://securelist.com/ddos-attacks-in-q1-2021/102166/
Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency. Another active bot focused on Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian word matryoshka nesting doll) due to the multi-step process for obtaining the C&C address.
Tomi Engdahl says:
US and Australia warn of escalating Avaddon ransomware attacks https://www.bleepingcomputer.com/news/security/us-and-australia-warn-of-escalating-avaddon-ransomware-attacks/
The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) are warning of an ongoing Avaddon ransomware campaign targeting organizations from an extensive array of sectors in the US and worldwide. The FBI said in a TLP:GREEN flash alert last week that Avaddon ransomware affiliates are trying to breach the networks of manufacturing, healthcare, and other private sector organizations around the world.
Tomi Engdahl says:
Over 25% Of Tor Exit Relays Spied On Users’ Dark Web Activities https://thehackernews.com/2021/05/over-25-of-tor-exit-relays-are-spying.html
An unknown threat actor managed to control more than 27% of the entire Tor network exit capacity in early February 2021, a new study on the dark web infrastructure revealed. “The entity attacking Tor users is actively exploiting tor users since over a year and expanded the scale of their attacks to a new record level,” an independent security researcher who goes by the name nusenu said in a write-up published on Sunday. “The average exit fraction this entity controlled was above 14% throughout the past 12 months.”
Tomi Engdahl says:
Pipeline cyberattack comes after years of government warnings https://therecord.media/pipeline-cyberattack-comes-after-years-of-government-warnings/
Government authorities and watchdogs have warned for years that U.S. pipelines are vulnerable to cyberattacks that could potentially disrupt operations, and an attack against a major U.S. gasoline and jet fuel pipeline on Friday threatens to show how bad these incidents can be. Colonial Pipeline Company said yesterday that it had shut down 5,500 miles of pipeline supplying the East Coast with fuel in an effort to contain a breach of its computer networks. Earlier in the day the company said network issues were causing disruptions in its pipeline system, which were later blamed on ransomware.
Tomi Engdahl says:
DarkSide ransomware will now vet targets after pipeline cyberattack https://www.bleepingcomputer.com/news/security/darkside-ransomware-will-now-vet-targets-after-pipeline-cyberattack/
The DarkSide ransomware gang posted a new “press release” today stating that they are apolitical and will vet all targets before they are attacked. Last week, the ransomware gang encrypted the network for the Colonial Pipeline, the largest fuel pipeline in the United States. Due to the attack, Colonial shut down its network and the fuel pipeline while recovering from the cyberattack.
Tomi Engdahl says:
City of Tulsa Struck by Ransomware Attack https://hotforsecurity.bitdefender.com/blog/city-of-tulsa-struck-by-ransomware-attack-25798.html
Tulsa, Oklahoma, is reportedly the latest in a long line of American cities to have fallen victim to a ransomware attack. The attack, which occurred on Friday evening, caused the city's IT security teams to shut down many of Tulsa's internal systems over the weekend out of an abundance of caution while they worked around the clock at the weekend in an attempt to restore operations from backups.
Tomi Engdahl says:
A wave of attacks hit schools' IT services; Wilma gets stronger protections
https://www.tivi.fi/uutiset/koulujen-it-palveluihin-iski-hyokkaysaalto-wilmalle-jareammat-suojaukset/9f24e4c3-d865-49b1-9715-534bc9a2ce01
In April, denial-of-service attacks against schools' remote-access services increased and became more complex in their methods. An exceptionally large number of denial-of-service attacks were made against education-sector online services in April.
The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom confirms to Tivi that half of the reports received in April concerned various education-sector services. Matias Mesiä, an information security specialist at the National Cyber Security Centre, says that a handful of reports concerning remote teaching platforms came in during April.
Tomi Engdahl says:
Thousands of Tor exit nodes attacked cryptocurrency users over the past year https://therecord.media/thousands-of-tor-exit-nodes-attacked-cryptocurrency-users-over-the-past-year/
For more than 16 months, a threat actor has been seen adding malicious servers to the Tor network in order to intercept traffic and perform SSL stripping attacks on users accessing cryptocurrency-related sites.
The attacks, which began in January 2020, consisted of adding servers to the Tor network and marking them as exit relays, which are the servers through which traffic leaves the Tor network to re-enter the public internet after being anonymized.
Tomi Engdahl says:
US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day
https://www.theregister.com/2021/05/10/colonial_pipeline_ransomware/
Oil transport by road allowed after Colonial Pipeline goes down, operator says recovery is under way but offers no recovery date. One of the USA's largest oil pipelines has been shut by ransomware, leading the nation's Federal Motor Carrier Safety Administration to issue a regional emergency declaration permitting the transport of fuel by road. The Colonial Pipeline says it carries 100 million gallons a day of refined fuels between Houston, Texas, and New York Harbor, or 45 percent of all fuel needed on the USA's East Coast. The pipeline carries fuel for cars and trucks, jet fuel, and heating oil. Also:
Yle: A cyberattack on the fuel distribution network in the United States is likely to raise petrol prices; the FBI named DarkSide as the attacker. This is what is now known about the attack. https://yle.fi/uutiset/3-11923478
Tomi Engdahl says:
US fuel pipeline hackers ‘didn’t mean to create problems’
https://www.bbc.com/news/business-57050690
A cyber-criminal gang that took a major US fuel pipeline offline over the weekend has acknowledged the incident in a public statement.
“Our goal is to make money and not creating problems for society,” DarkSide wrote on its website.
The US issued emergency legislation on Sunday after Colonial Pipeline was hit by a ransomware cyber-attack.
The pipeline carries 2.5 million barrels a day – 45% of the East Coast’s supply of diesel, petrol and jet fuel.
On Monday, the FBI officially confirmed that DarkSide was responsible for compromising Colonial Pipeline’s networks, saying that it was continuing to work with the firm and other government agencies on the investigation.
A number of cyber-security researchers, including firms contacted by the BBC, have speculated that the cyber-criminal gang could be Russian, as their software avoids encrypting any computer systems where the language is set as Russian.
Mr Biden said that the US government was concerned about this aspect of the cyber-attack.
“I’m gonna be meeting with President Putin and so far there is no evidence, based on our intelligence people, that Russia is involved,” he said.
Tomi Engdahl says:
https://www.securityweek.com/colonial-pipeline-targets-recovery-ransomware-attack-end-week
Tomi Engdahl says:
Eamon Javers / CNBC:
DarkSide, the group behind the pipeline attack, claims it wants to make money, not cause “problems for society”, and it’ll add “moderation” to picking targets. A hacker group called DarkSide is behind the cyberattack on Colonial Pipeline that shut down a major oil pipeline over the weekend.
https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsible-for-colonial-pipeline-shutdown.html
Tomi Engdahl says:
‘We are apolitical, we do not participate in geopolitics’
Colonial Pipeline hackers apologize, promise to ransom less controversial targets in future
https://www.theverge.com/2021/5/10/22428996/colonial-pipeline-ransomware-attack-apology-investigation
Tomi Engdahl says:
7 States Experience Gas Shortages From Pipeline Outage — But Experts Warn Against Panic Buying
https://www.forbes.com/sites/melissaholzberg/2021/05/11/7-states-experience-gas-shortages-from-pipeline-outage—but-experts-warn-against-panic-buying/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie
At least seven states across the Southeast U.S. are experiencing gas shortages Tuesday, and the national average gas price creeped toward $3 a gallon, as the Colonial Pipeline Company works to restore its fuel pipeline system, but some experts warn panic buying gasoline could be exacerbating the problem and the fuel supply should remain intact through this week.
States including Georgia, North Carolina, Virginia, and Florida were experiencing gas shortages Tuesday, days after Colonial Pipeline—which is responsible for transporting 45% of the East Coast’s gasoline—experienced a cyber attack that forced it offline Friday.
As of Tuesday morning, 3.7% of gas stations in Georgia, 5.4% of stations in North Carolina and 7.5% of gas stations in Virginia didn’t have fuel, according to GasBuddy analyst Patrick De Haan (GasBuddy is a gas station-finding app that tracks local fuel prices).
“It is true that if the pipeline remains out of service into the early part of next week, roughly Tuesday or so, that some gas stations may run low on gasoline,” De Haan told the Atlanta Journal-Constitution. “Tank farms that take the gasoline from the pipeline are likely starting to see supply run low, so it is vital that motorists do not overwhelm the system by filling their tanks.”
The FBI concluded Monday the cyber-hacking group “DarkSide” was responsible for the ransomware attack on Colonial. President Joe Biden said the U.S. would “prosecute” those responsible, and said there was no evidence that Russian officials were behind the attack, but Russia may “have some responsibility” because the ransomware may have originated in Russia.
Tomi Engdahl says:
Ransomware gang releases DC police records
https://thehill.com/policy/national-security/552873-ransomware-gang-releases-dc-police-records
A group of ransomware hackers have leaked internal police files from Washington, D.C.’s Metropolitan Police Department (MPD), releasing officers’ personal information including psychological evaluations, credit history and Social Security numbers.
Vice reports that the cyber criminal group behind the leak is called Babuk, who claimed the monetary offer the department made to prevent the leak was not enough.
Hackers Leak Personal Data of Washington DC Police Officers
https://www.vice.com/en/article/wx5deq/hackers-leak-personal-data-of-washington-dc-police-officers
The ransomware gang Babuk released the personal details of several Metropolitan Police Department officers—essentially a full dox—in an attempt to extort the department into paying a ransom to stop further leaks.
Tomi Engdahl says:
US fuel pipeline hackers ‘didn’t mean to create problems’
https://www.bbc.com/news/business-57050690
On Monday, the FBI officially confirmed that DarkSide was responsible for compromising Colonial Pipeline’s networks, saying that it was continuing to work with the firm and other government agencies on the investigation.
During a speech about the economy at the White House on Monday, US President Joe Biden said that he was being “personally briefed” on the situation with the pipeline each day.
Tomi Engdahl says:
A Closer Look at the DarkSide Ransomware Gang https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
The FBI confirmed this week that a relatively new ransomware group known as DarkSide is responsible for an attack that caused Colonial Pipeline to shut down 5,550 miles of pipe, stranding countless barrels of gasoline, diesel and jet fuel on the Gulf Coast. Here's a closer look at the DarkSide cybercrime gang, as seen through their negotiations with a recent U.S. victim that earns $15 billion in annual revenue.
Tomi Engdahl says:
Adobe fixes Reader zero-day vulnerability exploited in the wild https://www.bleepingcomputer.com/news/security/adobe-fixes-reader-zero-day-vulnerability-exploited-in-the-wild/
Adobe has released a massive Patch Tuesday security update release that fixes vulnerabilities in twelve different applications, including one actively exploited vulnerability in Adobe Reader. The updated applications include Adobe Experience Manager, Adobe InDesign, Adobe Illustrator, Adobe InCopy, Adobe Genuine Service, Adobe Acrobat and Reader, Magento, Adobe Creative Cloud Desktop Application, Adobe Media Encoder, Adobe After Effects, Adobe Medium, and Adobe Animate. Also:
https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/
Tomi Engdahl says:
Companies' 5 Million Personal Identifiable Information records detected on an AWS service due to misconception of users https://blog.checkpoint.com/2021/05/11/companies-5-million-personal-identifiable-information-records-detected-on-an-aws-service-due-to-misconception-of-users/
CPR was able to detect personal records in Amazon Web Services (AWS).
By analyzing and enumerating public AWS Systems Manager (SSM) documents, CPR retrieved over five million personally identifiable information records and credit card transactions of companies, including a global sportswear manufacturer. AWS Systems Manager provides the ability to automate operational tasks across AWS resources by creating SSM documents. An SSM document defines the actions that Systems Manager performs on their managed instances. Due to an increased rate of cloud migrations and deployments, CPR analyzed SSM documents and found a trend of misconceptions on the parameters of what should be shared within such documents.
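Two defensive checks that follow from the finding above, as an added example that is not Check Point's code: which self-owned SSM documents are shared publicly, and which document parameters ship a credential-looking default value. The sample permissions and document are constructed; `audit_account` assumes a live boto3 SSM client with read permissions and JSON-formatted document content.

```python
"""Audit helpers for AWS SSM documents (added example, not Check Point's code)."""
from typing import Dict, Iterable, List

# AWS marks a publicly shared document with the literal account id "all" in AccountIds.
PUBLIC_MARKER = "all"
# Substrings that suggest a parameter is meant to carry a secret.
SECRET_HINTS = ("password", "passwd", "secret", "token", "apikey", "accesskey")


def find_public_documents(permissions: Dict[str, Iterable[str]]) -> List[str]:
    """permissions maps document name -> AccountIds (shape of DescribeDocumentPermission).
    Returns the names shared with every AWS account."""
    return sorted(name for name, ids in permissions.items() if PUBLIC_MARKER in set(ids))


def find_secret_like_parameters(document: dict) -> List[str]:
    """Return parameter names that look secret-bearing AND ship a non-empty default,
    i.e. a credential baked into the document body instead of supplied at run time."""
    hits = []
    for name, spec in document.get("parameters", {}).items():
        lowered = name.lower().replace("_", "").replace("-", "")
        if any(hint in lowered for hint in SECRET_HINTS) and spec.get("default"):
            hits.append(name)
    return sorted(hits)


def audit_account(ssm_client) -> Dict[str, List[str]]:
    """Walk self-owned documents with a boto3 SSM client (needs credentials) and
    report {"public": [...], "embedded_secrets": [...]}. Assumes JSON content."""
    import json
    permissions, secret_docs = {}, []
    paginator = ssm_client.get_paginator("list_documents")
    for page in paginator.paginate(Filters=[{"Key": "Owner", "Values": ["Self"]}]):
        for doc in page["DocumentIdentifiers"]:
            name = doc["Name"]
            perm = ssm_client.describe_document_permission(Name=name, PermissionType="Share")
            permissions[name] = perm.get("AccountIds", [])
            content = ssm_client.get_document(Name=name, DocumentFormat="JSON")["Content"]
            if find_secret_like_parameters(json.loads(content)):
                secret_docs.append(name)
    return {"public": find_public_documents(permissions),
            "embedded_secrets": sorted(secret_docs)}


# Constructed sample data, shaped like the API responses above.
SAMPLE_PERMISSIONS = {
    "DeployWebTier": ["all"],              # public: any AWS account can read it
    "RotateDbPassword": ["111122223333"],  # shared with a single account
    "PatchBaseline": [],                   # private
}
SAMPLE_DOCUMENT = {
    "schemaVersion": "2.2",
    "description": "Constructed sample: installs the app and points it at a database",
    "parameters": {
        "DbHost": {"type": "String", "default": "db.internal.example"},
        "DbPassword": {"type": "String", "default": "Pa55w0rd-example"},
        "ApiToken": {"type": "String"},  # no default: value is supplied at run time
    },
    "mainSteps": [],
}
```

Running `audit_account(boto3.client("ssm"))` in your own account lists the documents to unshare or scrub; the account-wide block on public sharing in Systems Manager settings is the longer-term fix.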
Tomi Engdahl says:
Fake Chrome App Anchors Rapidly Worming Smish Cyberattack https://threatpost.com/fake-chrome-app-worming-smish-cyberattack/166038/
A new Android malware that impersonates the Google Chrome app has spread to hundreds of thousands of people in the last few weeks, according to researchers. The fake app is being used as part of a sophisticated hybrid cyberattack campaign that also uses mobile phishing to steal credentials. According to researchers at Pradeo, the attack starts with a basic smishing gambit: Targets receive an SMS text asking them to pay custom fees to release a package delivery. If they fall for it and click, a message comes up asking them to update the Chrome app.
Tomi Engdahl says:
Ransomware attack on healthcare admin company CaptureRx exposes multiple providers across United States https://www.zdnet.com/article/ransomware-attack-on-healthcare-admin-company-capturerx-exposes-multiple-providers-across-united-states/
Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services.
At least three healthcare-related institutions — including UPMC Cole and UPMC Wellsboro in Pennsylvania, Lourdes Hospital and Faxton St. Luke’s Healthcare in New York, Gifford Health Care in Randolph, Vermont and a number of Thrifty Drug Stores — have reportedly had the health information of customers or patients exposed and stolen in the breach.
Tomi Engdahl says:
Oil pipeline hack highlights the importance of cybersecurity: the oil industry lags behind in fending off cyberattacks
https://www.kauppalehti.fi/uutiset/oljyputken-hakkerointi-nostaa-esiin-kyberturvan-merkityksen-oljyteollisuus-jaljessa-kyberhyokkaysten-torjunnassa/d65cf0ab-dc3f-4e41-9537-095a11e29841
Vulnerable infrastructure offers points of attack to both criminals and foreign states. The oil pipeline that became the target of a cyberattack in the United States has caused reactions in the markets and concern about the reliability of critical infrastructure. Fuel availability is feared to weaken if the shutdown of the nearly 9,000-kilometre pipeline lasts past the start of the week. According to Mika Aaltola, director of the Finnish Institute of International Affairs, a prolonged shutdown could even lead to restrictions on oil production in the Gulf of Mexico.
Tomi Engdahl says:
Recommendations Following the Colonial Pipeline Cyber Attack https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/
On May 7th, public reporting emerged about Colonial Pipeline operations being impacted by a ransomware incident in their IT environment, and then operators temporarily halted OT operations as a precaution. Like any pipeline, Dragos would expect Colonial Pipeline to have so many dependencies between their control and SCADA systems into their business systems that it becomes hard to reasonably delineate and separate. With this in mind, out of an abundance of caution, halting operations becomes the safest choice.
Tomi Engdahl says:
Adobe: Windows Users Hit by PDF Reader Zero-Day
https://www.securityweek.com/adobe-windows-users-hit-pdf-reader-zero-day
Tomi Engdahl says:
https://www.securityweek.com/sap-patches-high-severity-flaws-business-one-netweaver-products
Tomi Engdahl says:
Charlie Osborne / ZDNet:
GitHub adds security key support for SSH Git operations, as it continues its plan to remove password support for Git operations later this year — Support has been added to bolster defense against account compromise. — GitHub has announced support for security keys to prevent account compromise in SSH Git operations.
GitHub shifts away from passwords with security key support for SSH Git operations
Support has been added to bolster defense against account compromise.
https://www.zdnet.com/article/github-shifts-away-from-passwords-with-security-key-support-for-ssh-git-operations/
GitHub has announced support for security keys to prevent account compromise in SSH Git operations.
“When you add a security key to SSH operations, you can use these devices to protect you and your account from accidental exposure, account hijacking, or malware,” GitHub security engineer Kevin Jones said in a blog post on May 10.
Security keys, including the YubiKey, Thetis Fido U2F Security Key, and Google Titan Security Keys, are physical, portable dongles that implement an additional layer of security to your online services and accounts.