Daily NCSC-FI news followup 2020-12-16

SunBurst: the next level of stealth

blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth SolarWinds compromise exploited through sophistication and patience. ReversingLabs’ research into the anatomy of this supply chain attack unveiled conclusive details showing that Orion software build and code signing infrastructure was compromised. The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed and delivered through the existing software patch release management system. While this type of attack on the software supply chain is by no means novel, what is different this time is the level of stealth the attackers used to remain undetected for as long as possible. The attackers blended in with the affected code base, mimicking the software developers’ coding style and naming standards. This was consistently demonstrated through a significant number of functions they added to turn Orion software into a backdoor for any organization that uses it.

Russian hackers broke into US government systems in a large-scale operation. Former CIA director: “Perhaps the most damaging attack in all of US cyber history”

yle.fi/uutiset/3-11701640 According to the United States, the attack was carried out by the Russian hacker group CozyBear, which operates under Russia's foreign intelligence service. “The duration and scope of the attack make this perhaps the most damaging attack in all of US cyber history,” John Brennan, former director of the US intelligence agency CIA, commented to the television channel CNN on Tuesday.

SolarWinds said no other products were compromised in recent hack

www.zdnet.com/article/solarwinds-said-no-other-products-were-compromised-in-recent-hack/ SolarWinds has today released updates that “replaces the compromised component” in its Orion platform.

Microsoft and industry partners seize key domain used in SolarWinds hack

www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/ By seizing the domain, Microsoft and its partners hope to identify all victims, but are also preventing attackers from escalating intrusions in currently infected networks.


SolarFlare Release: Password Dumper for SolarWinds Orion

malicious.link/post/2020/solarflare-release-password-dumper-for-solarwinds-orion/ I’m releasing this tool after a lot of thought surrounding the SolarWinds/FireEye breach. It’s been in development since 2015. The reason I developed SolarFlare in the first place was to assist in my Red Team engagements. The main reason to release the tool publicly, right now, is so businesses can identify one facet of the possible severity of this breach, using a simple command-line tool they can run on their own SolarWinds Orion machines. SolarFlare can help identify the accounts that may have been compromised during this breach.

Ensuring customers are protected from Solorigate

www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/ […] Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices.

HPE discloses critical zero-day in server management software

www.bleepingcomputer.com/news/security/hpe-discloses-critical-zero-day-in-server-management-software/ Hewlett Packard Enterprise (HPE) has disclosed a zero-day bug in the latest versions of its proprietary HPE Systems Insight Manager (SIM) software for Windows and Linux. While security updates are not yet available for this remote code execution (RCE) vulnerability, HPE has provided Windows mitigation info and is working on addressing the zero-day.

Firefox Patches Critical Mystery Bug, Also Impacting Google Chrome

threatpost.com/firefox-patches-critical-mystery-bug-also-impacting-google-chrome/162294/ Mozilla Foundation releases Firefox 84 browser, fixing several flaws and delivering performance gains and Apple processor support.

Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor

news.sophos.com/en-us/2020/12/16/systembc/ A commodity malware backdoor, SystemBC has evolved into a Tor proxy and remote control tool favored by actors behind the latest high-profile ransomware campaigns. Over the past few months, we have continued to detect hundreds of attempted SystemBC deployments worldwide. SystemBC was used in recent Ryuk and Egregor attacks investigated by Sophos MTR’s Rapid Response team, often used in combination with post-exploitation tools such as Cobalt Strike. In some cases, the SystemBC RAT was deployed to servers after the attackers have gained administrative credentials and moved deep into the targeted network.

Emulated mobile devices used to steal millions from US, EU banks

www.bleepingcomputer.com/news/security/emulated-mobile-devices-used-to-steal-millions-from-us-eu-banks/ Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack. To do that, the attackers used huge emulator farms that helped them access thousands of hacked accounts (compromised after phishing or malware attacks) using spoofed mobile devices.


Your ship comms app is ‘secured’ with a Flash interface, doesn’t sanitise SQL inputs and leaks user data, you say?

www.theregister.com/2020/12/16/dualog_communications_suite_cves/ A software suite intended to let merchant ships’ crews digitally communicate with the world ashore was riddled with security vulnerabilities including undocumented admin accounts with hardcoded passwords and widespread use of Adobe Flash.


Data hacking at UiT: – Very serious

www.nrk.no/tromsogfinnmark/datainnbrudd-pa-uit-_-norges-arktiske-universitet-1.15291427 UiT Norway’s Arctic University has been exposed to a data breach. “We take this very seriously,” says director Jørgen Fossland.

Gmail hit by a second outage within a single day

www.bleepingcomputer.com/news/google/gmail-hit-by-a-second-outage-within-a-single-day/ Gmail is suffering its second outage in 24 hours, with users able to access their email but unable to send to other Gmail users or experiencing unexpected behavior.

E-Commerce Skimming is the New POS Malware

securityintelligence.com/posts/e-commerce-skimming-the-new-pos-malware/ X-Force data indicates incidents involving e-commerce threats have increased nearly 400% since 2018.

Lookout Discovers New Spyware Used by Sextortionists to Blackmail iOS and Android Users

blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in Chinese speaking countries, Korea and Japan. The spyware, which we have named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The types of sites used to distribute these malicious apps and the information exfiltrated suggests that the ultimate goal is extortion or blackmail.
