SunBurst: the next level of stealth
blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth SolarWinds compromise exploited through sophistication and patience. ReversingLabs’ research into the anatomy of this supply chain attack unveiled conclusive details showing that Orion software build and code signing infrastructure was compromised. The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed and delivered through the existing software patch release management system. While this type of attack on the software supply chain is by no means novel, what is different this time is the level of stealth the attackers used to remain undetected for as long as possible. The attackers blended in with the affected code base, mimicking the software developers’ coding style and naming standards. This was consistently demonstrated through a significant number of functions they added to turn Orion software into a backdoor for any organization that uses it.
Russian hackers broke into United States government systems in a massive operation. Former CIA director: “Perhaps the most damaging attack in the entire cyber history of the United States”
yle.fi/uutiset/3-11701640 According to the United States, the attack was carried out by the Russian hacker group CozyBear, which operates under the Russian foreign intelligence service. – The duration and scope of the attack make this perhaps the most damaging attack in the entire cyber history of the United States, John Brennan, former director of the US intelligence agency CIA, commented to the television channel CNN on Tuesday.
SolarWinds said no other products were compromised in recent hack
www.zdnet.com/article/solarwinds-said-no-other-products-were-compromised-in-recent-hack/ SolarWinds has today released updates that “replaces the compromised component” in its Orion platform.
Microsoft and industry partners seize key domain used in SolarWinds hack
www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/ By seizing the domain, Microsoft and its partners hope to identify all victims, but are also preventing attackers from escalating intrusions in currently infected networks.
SolarFlare Release: Password Dumper for SolarWinds Orion
malicious.link/post/2020/solarflare-release-password-dumper-for-solarwinds-orion/ I’m releasing this tool after a lot of thought surrounding the SolarWinds/FireEye breach. It’s been in development since 2015. The reason I developed SolarFlare in the first place was to assist in my Red Team engagements. The main reason to release the tool publicly, right now, is so businesses can identify one facet of the possible severity of this breach, using a simple command-line tool they can run on their own SolarWinds Orion machines. SolarFlare can help identify the accounts that may have been compromised during this breach.
Ensuring customers are protected from Solorigate
www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/ […] Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices.
HPE discloses critical zero-day in server management software
www.bleepingcomputer.com/news/security/hpe-discloses-critical-zero-day-in-server-management-software/ Hewlett Packard Enterprise (HPE) has disclosed a zero-day bug in the latest versions of its proprietary HPE Systems Insight Manager (SIM) software for Windows and Linux. While security updates are not yet available for this remote code execution (RCE) vulnerability, HPE has provided Windows mitigation info and is working on addressing the zero-day.
Firefox Patches Critical Mystery Bug, Also Impacting Google Chrome
threatpost.com/firefox-patches-critical-mystery-bug-also-impacting-google-chrome/162294/ Mozilla Foundation releases Firefox 84 browser, fixing several flaws and delivering performance gains and Apple processor support.
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
news.sophos.com/en-us/2020/12/16/systembc/ A commodity malware backdoor, SystemBC has evolved into a Tor proxy and remote control tool favored by actors behind the latest high-profile ransomware campaigns. Over the past few months, we have continued to detect hundreds of attempted SystemBC deployments worldwide. SystemBC was used in recent Ryuk and Egregor attacks investigated by Sophos MTR’s Rapid Response team, often used in combination with post-exploitation tools such as Cobalt Strike. In some cases, the SystemBC RAT was deployed to servers after the attackers have gained administrative credentials and moved deep into the targeted network.
Emulated mobile devices used to steal millions from US, EU banks
www.bleepingcomputer.com/news/security/emulated-mobile-devices-used-to-steal-millions-from-us-eu-banks/ Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack. To do that, the attackers used huge emulator farms that helped them access thousands of hacked accounts (compromised after phishing or malware attacks) using spoofed mobile devices.
Your ship comms app is ‘secured’ with a Flash interface, doesn’t sanitise SQL inputs and leaks user data, you say?
www.theregister.com/2020/12/16/dualog_communications_suite_cves/ A software suite intended to let merchant ships’ crews digitally communicate with the world ashore was riddled with security vulnerabilities, including undocumented admin accounts with hardcoded passwords and widespread use of Adobe Flash.
Data breach at UiT: – Very serious
www.nrk.no/tromsogfinnmark/datainnbrudd-pa-uit-_-norges-arktiske-universitet-1.15291427 UiT The Arctic University of Norway has been hit by a data breach. – We take this very seriously, says director Jørgen Fossland.
Gmail hit by a second outage within a single day
www.bleepingcomputer.com/news/google/gmail-hit-by-a-second-outage-within-a-single-day/ Gmail is suffering its second outage in 24 hours: users can access their email but are unable to send to other Gmail users, or are experiencing unexpected behavior.
E-Commerce Skimming is the New POS Malware
securityintelligence.com/posts/e-commerce-skimming-the-new-pos-malware/ X-Force data indicates incidents involving e-commerce threats have increased nearly 400% since 2018.
Lookout Discovers New Spyware Used by Sextortionists to Blackmail iOS and Android Users
blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail The Lookout Threat Intelligence team has discovered a new mobile app threat targeting iOS and Android users in Chinese-speaking countries, Korea and Japan. The spyware, which we have named Goontact, targets users of illicit sites, typically offering escort services, and steals personal information from their mobile device. The types of sites used to distribute these malicious apps and the information exfiltrated suggest that the ultimate goal is extortion or blackmail.