SolarWinds: Domain Seized and Used as Kill Switch. Microsoft and a group of other tech companies have seized and sinkholed a malicious domain that was being used as a command-and-control server to communicate with networks infected through the SolarWinds supply chain attack. The domain has been reconfigured so that in some cases, it acts as a kill switch, preventing the SUNBURST malware that was distributed through the compromised SolarWinds software update system from operating. Read more in:
- Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’
- Microsoft and industry partners seize key domain used in SolarWinds hack
- FireEye Identifies Killswitch for SolarWinds Malware as Victims Scramble to Respond
- FireEye, Microsoft create kill switch for SolarWinds backdoor
- FireEye, Microsoft find ‘killswitch’ to hamper SolarWinds-related malware
- Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach
- Microsoft to quarantine SolarWinds apps linked to recent hack
SolarWinds: More Victims Emerge. FireEye and the US Treasury Department were among the first organizations to acknowledge that their networks were infiltrated by hackers through the SolarWinds supply chain breach. More companies and government agencies have now come forward to disclose that their networks were also affected by the breach. Additional victims now include the US Energy Department and National Nuclear Security Administration, the Federal Energy Regulatory Commission (FERC), the US State Department, Microsoft, Cisco, and Intel. Read more in:
- Nuclear weapons agency breached amid massive cyber onslaught
- SolarWinds hack that breached gov networks poses a “grave risk” to the nation
- Microsoft confirms it was also breached in recent SolarWinds supply chain hack
- SolarWinds Supply Chain Hit: Victims Include Cisco, Intel
- SolarWinds: The Hunt to Figure Out Who Was Breached
- Pentagon, State Department among agencies hacked: report
- Federal Agencies, Think Tank Targeted in Russian Hacking Spree
SolarWinds: National Security Council Invokes Cybersecurity Emergency Process. The SolarWinds supply chain breach has prompted the US National Security Council (NSC) to invoke a cybersecurity emergency process established under the Obama administration. PPD-41 established a Unified Coordination Group to serve as “the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate.” Read more in:
- Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)
- White House activates cyber emergency response under Obama-era directive
- NSC invokes 2016 directive to respond to SolarWinds hack
- Presidential Policy Directive — United States Cyber Incident Coordination
SolarWinds: APT Actors May Have Used Multiple Attack Vectors. The attackers behind the SolarWinds supply chain attack may have used other attack vectors to infiltrate targeted networks. The US Cybersecurity and Infrastructure Security Agency (CISA) is investigating “evidence of additional access vectors, other than the SolarWinds Orion platform.” Read more in:
- Federal investigators find evidence of previously unknown tactics used to penetrate government networks
- Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- CISA: Hackers breached US govt using more than SolarWinds backdoor
- Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing ‘Grave Risk’
- CISA: SolarWinds Is Not the Only Way Hackers Got Into Networks
- Microsoft says it found malicious software in its systems
SolarWinds: Major Investors Sold Stock Days Before Breach was Disclosed. Two major SolarWinds investors sold $280 million worth of stock just days before the breach of the company’s software update system was disclosed. SolarWinds stock price dropped more than 20 percent in the days following the disclosure. The large transaction shortly before the announcement of the breach is likely to prompt an investigation from the Securities and Exchange Commission (SEC). The investors have issued a joint statement saying they were not aware of the breach when they sold the stock. Read more in:
- Investors in breached software firm SolarWinds traded $280 million in stock days before hack was revealed
- SolarWinds’ shares drop 22 per cent. But what’s this? $286m in stock sales just before hack announced?
- Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales
GitHub to Move Away from Passwords for Git Operations Authentication. GitHub is planning to switch from password-based to token-based authentication for Git operations. The change will not apply to logging into accounts. The scheme will be tested in Summer 2021, and as of August 13, 2021, GitHub “will no longer accept account passwords when authenticating Git operations on GitHub.com.” Read more in:
- Token authentication requirements for Git operations
- Passwords begone: GitHub will ban them next year for authenticating Git operations
Flaws Discovered in Maritime Communications Suite. Researchers from Pen Test Partners found numerous vulnerabilities in the Dualog Connection Suite, which ships use for communications – including email, file transfers, and Internet access – while at sea. The flaws include undocumented admin accounts with hardcoded passwords, SQL injection, and two-factor authentication implemented in a Flash-based, client-side app. Read more in:
- Serious Vulnerabilities in Dualog Connection Suite
- Your ship comms app is ‘secured’ with a Flash interface, doesn’t sanitise SQL inputs and leaks user data, you say?
Fix Available for WordPress Contact Form 7 Plugin Vulnerability. The developers of the Contact Form 7 WordPress plugin have released a fix to address a critical unrestricted file upload vulnerability. The plugin is installed on more than 5 million WordPress sites. Users are urged to update to Contact Form 7 version 5.3.2. Read more in: WordPress plugin with 5 million installs has a critical vulnerability
FBI Issues DoppelPaymer Warning. The FBI has issued a Private Industry Notification (PIN – TLP: White) warning of DoppelPaymer ransomware attacks against organizations operating critical infrastructure, such as healthcare, emergency services, and education. The PIN warns that the DoppelPaymer ransomware operators have called victims to coerce them into paying the demands, and have also threatened to release stolen data if they were not paid. Read more in:
- DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services (PDF)
- FBI Warns of DoppelPaymer Ransomware Targeting Critical Infrastructure
Trend Micro Releases Fixes for Flaws in Web Gateway. Trend Micro has released an update to address six vulnerabilities in its InterScan Web Security Virtual Appliance. Some of the flaws could be exploited to take control of vulnerable appliances. The flaws were first reported to Trend Micro in the summer of 2019, but they were not all patched until late November 2020. Read more in:
- Trend Micro Patches Serious Flaws in Product Used by Companies, Governments
- SECURITY BULLETIN: December 2020 Security Bulletin for Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2
- Multiple critical vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance (IWSVA)
Prison Sentence for Healthcare.gov Data Theft and Abuse. A US District Judge in Louisiana has sentenced Colbi Trent Defiore to three-and-a-half years in prison for stealing and abusing patient data from Healthcare.gov. Defiore previously pleaded guilty to “intentionally accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain, and in furtherance of the commission of a felony.” Defiore worked as a seasonal employee for a company that supported the Centers for Medicare & Medicaid Services (CMS). He used the stolen data to apply for credit cards and loans, resulting in nearly $600,000 in damages. Read more in:
- Healthcare.gov Data Thief Jailed
- Carriere, MS Man Sentenced to 42 Months Imprisonment for Stealing Personal Identifying Information of More Than 8,000 Healthcare.Gov Customers and Causing $587,000 in Losses
Critical Cross-site Scripting Vulnerability in F5 BIG-IP. F5 has warned of several security issues, including a critical cross-site scripting vulnerability, that affect its BIG-IP products. Users are urged to upgrade to versions 13.1.3.5, 14.1.2.8, 15.1.1, or 16.0.1. Read more in:
- F5 warns over ‘critical’ XSS flaw in BIG-IP
- K42696541: F5 TMUI XSS vulnerability CVE-2020-5948
- CVE-2020-5948 Detail
FireEye Discloses Theft of Red Team Tools. FireEye has acknowledged that it was “attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” The attacker appears to have accessed FireEye Red Team tools, which the company uses to assess the security of customers’ systems. FireEye is investigating the incident in cooperation with the FBI, Microsoft, “and other key partners.” Read more in:
- FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
- One of The Biggest Cybersecurity Companies In The World Just Got Hacked
- Nation-State Hackers Breached FireEye, Stole Its Red Team Tools
- FireEye, one of the world’s largest security firms, discloses security breach
- Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools
- Russia’s FireEye Hack Is a Statement—but Not a Catastrophe
- FireEye hacked, red team tools stolen
- Premiere security firm FireEye says it was breached by nation-state hackers
- FireEye Cyberattack Compromises Red-Team Security Tools
- FireEye reveals that it was hacked by a nation state APT group
EU Medicines Agency Hit with COVID-19-related Cyberattack. The European Medicines Agency is investigating a cyberattack against its network. The organization is in the process of reviewing two COVID-19 vaccines for use in the EU. According to a joint statement from Pfizer and BioNTech, “documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, [have] been unlawfully accessed.” Read more in:
- Statement Regarding Cyber Attack on European Medicines Agency
- EU agency in charge of COVID-19 vaccine approval says it was hacked
- EU Medicines Agency hacked, BioNTech-Pfizer coronavirus vaccine paperwork stolen, probe launched
- COVID-19 vaccine data has been unlawfully accessed in hack of EU regulator
- Pfizer COVID-19 vaccine documents accessed in EMA cyberattack
- Pfizer, BioNTech COVID-19 Vaccine Data Breached in EU Regulator Hack
- Hackers breach European agency to access BioNTech, Pfizer COVID-19 vaccine files
- Cyberattack on the European Medicines Agency
Healthcare Breach Roundup: GBMC, Georgia Dentistry Practice, Tufts Health Plan. As of Wednesday, December 9, GBMC Health was still operating under electronic health record (EHR) downtime procedures following a ransomware attack over the weekend. A Georgia dentistry practice suffered a ransomware attack earlier this year and has recently notified patients. The Tufts Health Plan notified more than 60,000 members that their personal information had been compromised in a security incident at a third-party entity that provides vision benefits. Read more in: Ransomware Attack on Maryland’s GBMC Health Spurs EHR Downtime
Foxconn Discloses Ransomware Attack. Electronics manufacturer Foxconn has acknowledged that the network at a facility in Mexico was hit with ransomware in late November. The ransomware operators also stole data. Read more in:
- Foxconn electronics giant hit by ransomware, $34 million ransom
- Apple Manufacturer Foxconn Confirms Cyberattack
- Foxconn says internet connection back to normal after ransomware attacks
Payment Processor TSYS Suffers Ransomware Attack. Data stolen from payment processor TSYS has been posted online. The files were stolen during a ransomware attack that affected TSYS’s systems earlier this month. TSYS said that the attack affected “systems that support certain corporate back office functions of a legacy TSYS merchant business.” Read more in: Payment Processing Giant TSYS: Ransomware Incident “Immaterial” to Company
Microsoft December Patch Tuesday. Microsoft’s final patch Tuesday release for 2020 includes fixes for 58 security issues in a variety of products, including Windows, Edge, Office, Exchange Server, and Visual Studio. Nine of the vulnerabilities are deemed critical. Read more in:
- December 2020 Security Updates
- Patch Tuesday, Good Riddance 2020 Edition
- Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities
- Patch Tuesday brings bug fixes for OpenSSL, IBM, SAP, Kubernetes, Adobe, and Red Hat. And Microsoft, of course
- Patch Tuesday fixes 9 critical flaws, but Microsoft Teams vulnerability a bigger concern
Amnesia:33 Vulnerabilities Affect Multiple TCP/IP Libraries. Researchers at Forescout have detected a group of vulnerabilities in open source TCP/IP libraries that are used in the firmware of products sold by more than 150 vendors. The vulnerabilities, which have been given the name Amnesia:33, affect the uIP, FNET, picoTCP, and Nut/Net TCP/IP stacks. The flaws could be exploited to execute code remotely, cause denial-of-service conditions, leak information, and conduct DNS cache poisoning attacks. Read more in:
- Amnesia:33
- Critical Flaws in Millions of IoT Devices May Never Get Fixed
- Amnesia:33 vulnerabilities impact millions of smart and industrial devices
- Amnesia-33 vulnerabilities affect 158 vendors, millions of devices
Adobe’s December Patch Tuesday Includes Last Update for Flash. Adobe’s scheduled patch release for December includes the last ever scheduled update for Flash Player. As of “January 12, 2021, Adobe will block Flash content from running.” Adobe has also released security updates for Lightroom, Prelude, Experience Manager, and Acrobat and Reader. Read more in:
- Recent bulletins and advisories
- Adobe to block Flash content from running on January 12, 2021
- Adobe security update squashes critical vulnerabilities in Lightroom, Prelude
- Adobe fixes critical security vulnerabilities in Lightroom, Prelude
CISA Warns of Vulnerabilities in Certain GE Healthcare Devices. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of vulnerabilities in GE Healthcare imaging and ultrasound products. The devices have hardcoded default passwords that are used to conduct maintenance. The passwords are not easily changed and are available on the Internet. Customers are advised to contact GE to change the passwords. Read more in:
- ICS Medical Advisory (ICSMA-20-343-01) | GE Healthcare Imaging and Ultrasound Products
- Vulnerability Disclosure regarding Default Passwords in GE Healthcare Products
- Flaws in GE Radiology Medical Device Authentication Pose Patient Data Risk
- GE puts default password in radiology devices, leaving healthcare networks exposed
- Researchers say hardcoded passwords in GE medical imaging devices could put patient data at risk
Vulnerabilities in PageLayer WP Plugin. An update for the PageLayer WordPress plugin addresses two reflected cross-site scripting vulnerabilities that could be exploited to allow malicious code execution leading to site takeover. The PageLayer plugin is installed on more than 200,000 websites. Read more in: Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites
South Korea Ends Government Digital Certificate Authority That Relied on ActiveX. South Korea’s government has made good on its promise to get rid of a government-run digital certificate service that depends on Microsoft’s ActiveX technology. The change is included in South Korea’s new Digital Signature Act, which was passed earlier this year. The majority of the act’s provisions took effect on Thursday, December 10, 2020. Read more in:
- South Korea kills ActiveX-based government digital certificate service
- New era for online ID certifications opens
- South Korea: New Digital Signature Act to Take Effect in December 2020
Another Mirai Suspect Pleads Guilty. A fourth individual has pleaded guilty to charges stemming from their role in the operation of the Mirai botnet, which caused major Internet disruptions in autumn 2016. The attack at the center of this case targeted the Sony PlayStation Network platform; it also affected the Dyn Domain Name System (DNS) provider. Sentencing is scheduled for January 7, 2021. Three other individuals have already pleaded guilty in the case. Read more in: