Cybersecurity News Headlines Update on December 19, 2020

SolarWinds: Domain Seized and Used as Kill Switch. Microsoft and a group of other tech companies have seized and sinkholed a malicious domain that was being used as a command-and-control server to communicate with networks infected through the SolarWinds supply chain attack. The domain has been reconfigured so that in some cases it acts as a kill switch, preventing the SUNBURST malware, which was distributed through the compromised SolarWinds software update system, from operating.

SolarWinds: More Victims Emerge. FireEye and the US Treasury Department were among the first organizations to acknowledge that their networks were infiltrated by hackers through the SolarWinds supply chain breach. More companies and government agencies have now come forward to disclose that their networks were also affected by the breach. Additional victims now include the US Energy Department and National Nuclear Security Administration, the Federal Energy Regulatory Commission (FERC), the US State Department, Microsoft, Cisco, and Intel.

SolarWinds: National Security Council Invokes Cybersecurity Emergency Process. The SolarWinds supply chain breach has prompted the US National Security Council (NSC) to invoke a cybersecurity emergency process established under the Obama administration. PPD-41 established a Unified Coordination Group to serve as “the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate.”

SolarWinds: APT Actors May Have Used Multiple Attack Vectors. The attackers behind the SolarWinds supply chain attack may have used other attack vectors to infiltrate targeted networks. The US Cybersecurity and Infrastructure Security Agency (CISA) is investigating “evidence of additional access vectors, other than the SolarWinds Orion platform.”

SolarWinds: Major Investors Sold Stock Days Before Breach was Disclosed. Two major SolarWinds investors sold $280 million worth of stock just days before the breach of the company’s software update system was disclosed. SolarWinds stock price dropped more than 20 percent in the days following the disclosure. The large transaction shortly before the announcement of the breach is likely to prompt an investigation from the Securities and Exchange Commission (SEC). The investors have issued a joint statement saying they were not aware of the breach when they sold the stock.

GitHub to Move Away from Passwords for Git Operations Authentication. GitHub is planning to switch from password-based to token-based authentication for Git operations. The change will not apply to logging into accounts. The scheme will be tested in Summer 2021, and as of August 13, 2021, GitHub “will no longer accept account passwords when authenticating Git operations on GitHub.com.”

Flaws Discovered in Maritime Communications Suite. Researchers from Pen Test Partners found numerous vulnerabilities in the Dualog Connection Suite, which ships use for communications – including email, file transfers, and Internet access – while at sea. The flaws include undocumented admin accounts with hardcoded passwords, SQL injection, and two-factor authentication implemented in a Flash-based, client-side app.

Fix Available for WordPress Contact Form 7 Plugin Vulnerability. The developers of the Contact Form 7 WordPress plugin have released a fix to address a critical unrestricted file upload vulnerability. The plugin is installed on more than 5 million WordPress sites. Users are urged to update to Contact Form 7 version 5.3.2. Read more in: WordPress plugin with 5 million installs has a critical vulnerability

FBI Issues DoppelPaymer Warning. The FBI has issued a Private Industry Notification (PIN – TLP: White) warning of DoppelPaymer ransomware attacks against organizations operating critical infrastructure, such as healthcare, emergency services, and education. The PIN warns that the DoppelPaymer ransomware operators have called victims to coerce them into paying the demands, and have also threatened to release stolen data if they were not paid.

Trend Micro Releases Fixes for Flaws in Web Gateway. Trend Micro has released an update to address six vulnerabilities in its InterScan Web Security Virtual Appliance. Some of the flaws could be exploited to take control of vulnerable appliances. The flaws were first reported to Trend Micro in the summer of 2019, but they were not all patched until late November 2020.

Prison Sentence for Healthcare.gov Data Theft and Abuse. A US District Judge in Louisiana has sentenced Colbi Trent Defiore to three-and-a-half years in prison for stealing and abusing patient data from Healthcare.gov. Defiore previously pleaded guilty to “intentionally accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain, and in furtherance of the commission of a felony.” Defiore worked as a seasonal employee for a company that supported the Centers for Medicare & Medicaid Services (CMS). He used the stolen data to apply for credit cards and loans, resulting in nearly $600,000 in damages.

Critical Cross-site Scripting Vulnerability in F5 BIG-IP. F5 has warned of several security issues, including a critical cross-site scripting vulnerability, that affect its BIG-IP products. Users are urged to upgrade to versions 13.1.3.5, 14.1.2.8, 15.1.1, or 16.0.1.

FireEye Discloses Theft of Red Team Tools. FireEye has acknowledged that it was “attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” The attacker appears to have accessed FireEye Red Team tools, which the company uses to assess the security of customers’ systems. FireEye is investigating the incident in cooperation with the FBI, Microsoft, “and other key partners.”

EU Medicines Agency Hit with COVID-19-related Cyberattack. The European Medicines Agency is investigating a cyberattack against its network. The organization is in the process of reviewing two COVID-19 vaccines for use in the EU. According to a joint statement from Pfizer and BioNTech, “documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, [have] been unlawfully accessed.”

Healthcare Breach Roundup: GBMC, Georgia Dentistry Practice, Tufts Health Plan. As of Wednesday, December 9, GBMC Health was still operating under electronic health record (EHR) downtime procedures following a ransomware attack over the weekend. A Georgia dentistry practice suffered a ransomware attack earlier this year and has recently notified patients. The Tufts Health Plan notified more than 60,000 members that their personal information had been compromised in a security incident at a third-party entity that provides vision benefits. Read more in: Ransomware Attack on Maryland’s GBMC Health Spurs EHR Downtime

Foxconn Discloses Ransomware Attack. Electronics manufacturer Foxconn has acknowledged that the network at a facility in Mexico was hit with ransomware in late November. The ransomware operators also stole data.

Payment Processor TSYS Suffers Ransomware Attack. Data stolen from payment processor TSYS has been posted online. The files were stolen during a ransomware attack that affected TSYS’s systems earlier this month. TSYS said that the attack affected “systems that support certain corporate back office functions of a legacy TSYS merchant business.” Read more in: Payment Processing Giant TSYS: Ransomware Incident “Immaterial” to Company

Microsoft December Patch Tuesday. Microsoft’s final Patch Tuesday release for 2020 includes fixes for 58 security issues in a variety of products, including Windows, Edge, Office, Exchange Server, and Visual Studio. Nine of the vulnerabilities are deemed critical.

Amnesia:33 Vulnerabilities Affect Multiple TCP/IP Libraries. Researchers at Forescout have detected a group of vulnerabilities in open source TCP/IP libraries that are used in the firmware of products sold by more than 150 vendors. The vulnerabilities, which have been given the name Amnesia:33, affect the uIP, FNET, picoTCP, and Nut/Net TCP/IP stacks. The flaws could be exploited to execute code remotely, cause denial-of-service conditions, leak information, and conduct DNS cache poisoning attacks.

Adobe’s December Patch Tuesday Includes Last Update for Flash. Adobe’s scheduled patch release for December includes the last ever scheduled update for Flash Player. As of “January 12, 2021, Adobe will block Flash content from running.” Adobe has also released security updates for Lightroom, Prelude, Experience Manager, and Acrobat and Reader.

CISA Warns of Vulnerabilities in Certain GE Healthcare Devices. The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of vulnerabilities in GE Healthcare imaging and ultrasound products. The devices have hardcoded default passwords that are used to conduct maintenance. The passwords are not easily changed and are available on the Internet. Customers are advised to contact GE to change the passwords.

Vulnerabilities in PageLayer WP Plugin. An update for the PageLayer WordPress plugin addresses two reflected cross-site scripting vulnerabilities that could be exploited to allow malicious code execution leading to site takeover. The PageLayer plugin is installed on more than 200,000 websites. Read more in: Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites

South Korea Ends Government Digital Certificate Authority That Relied on ActiveX. South Korea’s government has made good on its promise to get rid of a government-run digital certificate service that depends on Microsoft’s ActiveX technology. The change is included in South Korea’s new Digital Signature Act, which was passed earlier this year. The majority of the act’s provisions took effect on Thursday, December 10, 2020.

Another Mirai Suspect Pleads Guilty. A fourth individual has pleaded guilty to charges stemming from their role in the operation of the Mirai botnet, which caused major Internet disruptions in autumn 2016. The attack at the center of this case targeted the Sony PlayStation Network platform; it also affected the Dyn Domain Name System (DNS) provider. Sentencing is scheduled for January 7, 2021. Three other individuals have already pleaded guilty in the case.