Cybersecurity News Headlines Update on December 30, 2020

SolarWinds: NERC Advisory. The North American Electric Reliability Corp. (NERC) has issued an advisory noting that the SolarWinds supply chain attack “poses a potential threat” to elements of the power sector. NERC is also asking utilities and other power companies to respond to a list of questions on the level of exposure their systems have to the SolarWinds campaign. Read more in: Grid regulator warns utilities of risk of SolarWinds backdoor, asks how exposed they are

SolarWinds: CISA Incident Response Guide. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that federal, state, and local governments, critical infrastructure entities, and private organizations “may need to rebuild all network assets” in the wake of the SolarWinds supply chain attack. CISA urges organizations to determine whether or not they are affected by the SolarWinds issue and if they are, to make response and remediation their top priority. Read more in:

• CISA Insights | What Every Leader Needs to Know About the Ongoing APT Cyber Activity
• What Every Leader Needs to Know About the Ongoing APT Cyber Activity (PDF)
• CISA Warns SolarWinds Incident Response May Be Substantial

SolarWinds: SUPERNOVA. SolarWinds has updated its security advisory to include information about malware known as SUPERNOVA. Unlike SUNBURST, “SUPERNOVA is not malicious code embedded within the builds of [the SolarWinds] Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.” Read more in:

• SolarWinds Security Advisory
• SolarWinds releases updated advisory for new SUPERNOVA malware
• SUPERNOVA: A Novel .NET Webshell
• Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

US Financial Regulators Propose Breach Notification Requirement; Senators Introduce Bill That Would Require Agencies to File Incident Reports. US federal financial regulatory agencies have published a notice of proposed rulemaking “that would require a banking organization to provide its primary federal regulator with prompt notification of any ‘computer-security incident’ that rises to the level of a ‘notification incident.’ The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.” In a separate story, a bill introduced in the US Senate would require federal agencies that experience cyberattacks that could cause significant harm to national security or agency operations to provide congress with an incident report within seven days of the attacks. Read more in:

• Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (PDF)
• Agencies propose requirement for computer security incident notification
• Senate Bill Would Mandate Timely Reporting of Cyber Attacks

Worst Hacks of 2020. The SolarWinds supply chain attack tops two lists of the worst hacks and breaches of 2020. Also included are the Twitter hack, the University Hospital Düsseldorf ransomware attack, and the data theft at Finland’s Vastaamo mental healthcare provider. Read more in:

• The Worst Hacks of 2020, a Surreal Pandemic Year
• 2020 had its share of memorable hacks and breaches. Here are the top 10

DHS Warns US Businesses Against Chinese Tech. The US Department of Homeland Security (DHS) has published a Data Security Business Advisory, urging US businesses to avoid using Chinese hardware or digital services. DHS warns that using Chinese technology could expose companies to “theft of trade secrets, of intellectual property, and of other confidential business information; violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses.” Read more in:

• DHS warns against using Chinese hardware and digital services
• US Department of Homeland Security warns American business not to use Chinese tech or let data behind the Great Firewall
• Data Security Business Advisory: Risks and Considerations for Businesses Using Data Services and Equipment from Firms Linked to the People’s Republic of China (PDF)

International Law Enforcement Effort Takes Down VPN Services Used by Criminals. In a coordinated operation, Europol, along with law enforcement agencies from Germany, the Netherlands, France, Switzerland, and the US, have taken down three VPN services that were widely used by criminals to conduct cyberattacks. The three services, insorgorg, safe-inetcom, and safe-inetnet, had been active for more than a decade. Read more in:

• Law enforcement take down three bulletproof VPN providers
• Cybercriminals’ Favourite VPN Taken Down in Global Action
• U.S. Law Enforcement Joins International Partners to Disrupt a VPN Service Used to Facilitate Criminal Activity

Eurojust Becomes Full Partner in SIRIUS Project. Europol and Eurojust have signed a new contribution agreement making Eurojust a full partner in the SIRIUS project, which was “launched by Europol in 2017 … [and which] aims to foster the co-development of practical and innovative tools and solutions for EU law enforcement and judicial authorities that can support internet-based investigations.” Read more in:

• Europol and Eurojust Sign New Contribution Agreement Expanding Cooperation on the SIRIUS Project
• Europol and Eurojust sign new contribution agreement expanding cooperation on the SIRIUS project

Kaspersky: Lazarus Group Hackers are After COVID-19 Intellectual Property. According to a report from Kaspersky, a hacking group with ties to North Korea has been targeting organizations involved in COVID-19 vaccine research and development. The Lazarus Group has broken into networks at a pharmaceutical company and a government health ministry. Kaspersky researchers say the attackers are trying to steal intellectual property. Read more in:

• Lazarus covets COVID-19-related intelligence
• Lazarus Group Hits COVID-19 Vaccine-Maker in Espionage Attack
• North Korean state hackers breach COVID-19 research entities

Cyberattack Against Finland’s Parliament Affected MP eMail Accounts. Finland’s Parliament says that a cyberattack targeting its systems compromised email accounts of several Finnish members of parliament (MPs). The incident occurred in autumn 2020 and was detected earlier this month. It bears similarities to an cyberattack against Norway’s Parliament earlier this year. Read more in:

• Cyberattack against Parliament of Finland
• Finland says hackers accessed MPs’ emails accounts
• Finnish Parliament attackers hack lawmakers’ email accounts

Whirlpool Hit with Ransomware. Home appliance maker Whirlpool was hit by a ransomware attack in November or early December 2020. The attackers stole company data before encrypting files on the company’s network. Whirlpool says that their systems have been fully restored. Read more in: Home appliance giant Whirlpool hit in Nefilim ransomware attack

SolarWinds: An Updated SEC Filing, a Revised CISA Alert, and an NSA Advisory on Authentication Mechanism Abuse. SolarWinds has updated its US Securities and Exchange Commission (SEC) Form 8-K filing to provide additional information about the supply-chain breach. The Cybersecurity and Infrastructure Security Agency (CISA) revised its alert to include information about additional initial access vectors, an updated list of IOCs, and the National Security Agency (NSA)’s advisory about hackers abusing authentication mechanisms. Read more in:

• Alert (AA20-352A) | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (revised 12/21/2020)
• Form 8-K | SolarWinds Corporation (PDF)
• Fed Cybersecurity Advisory Alerts to Abuse of Authentication Mechanisms
• NSA warns of hackers forging cloud authentication information
• Detecting Abuse of Authentication Mechanisms (PDF)

SolarWinds: Victims Include US Treasury Dept., VMware, Cisco. The SolarWinds supply chain attack was used to compromise email accounts at the US Treasury Department. The hackers were able to gain access to the email accounts after taking control of the Treasury Department’s single sign-on cryptographic key. Other victims of the attack include the US Department of Homeland Security, The Department of Energy, VMware, Cisco, and Intel, as well as a hospital, a university, technology and accounting companies, and a ”very, very large” as-yet unnamed telecommunications company. (Please note that the WSJ story is behind a paywall.) Read more in:

• ‘Dozens of email accounts’ were hacked at U.S. Treasury -Senator Wyden
• SolarWinds Hack Victims: From Tech Companies to a Hospital and University (paywall)
• VMware latest to confirm breach in SolarWinds hacking campaign
• ‘Very, very large’ telecom organization and Fortune 500 company breached in SolarWinds hack
• Partial lists of organizations infected with Sunburst malware released online

SolarWinds: Hackers May Have Conducted a Test Run Last Fall. FireEye’s Kevin Mandia says there is evidence the SolarWinds hackers tried a test run last fall. A code change in the Orion platform in October 2019 “was innocuous code. It was not a backdoor.” Read more in:

• Cyber exec: 50 orgs ‘genuinely impacted’ by SolarWinds hack
• Hackers last year conducted a ‘dry run’ of SolarWinds breach
• SolarWinds releases known attack timeline but new data suggests hackers may have done a dummy run last year

Mobile Device Emulator Farms Used in Massive Bank Account Theft. Researchers with IBM Trusteer has “discovered a major mobile banking fraud operation” that drained millions from bank accounts. With “an infrastructure of mobile device emulators to set up thousands of spoofed devices,” the thieves used previously compromised online banking account access credentials to steal funds from bank accounts in the US and the EU. Read more in:

• IBM Trusteer Exposes Massive Fraud Operation Facilitated by Evil Mobile Emulator Farms
• “Evil mobile emulator farms” used to steal millions from US and EU banks
• Emulated mobile devices used to steal millions from US, EU banks

DoJ Seizes Fake COVID Domains. The US Department of Justice (DoJ) has seized domains that were being used to impersonate pharmaceutical companies involved in COVID-19 treatments. The domains, which were spoofing Moderna and Regeneron, were being used to harvest personal information of site visitors. Read more in:

• DOJ Seizes Fake Domains Impersonating Moderna, Regeneron
• Maryland U.S. Attorney’s Office Seizes Two Domain Names Purporting to be Websites of Biotechnology Companies Developing Treatments for Covid-19

Dell Issues Fixes for Critical Flaws in Wyse ThinOS. Dell has released updates to address a pair of critical vulnerabilities in its Dell Wyse ThinOS. The flaws affect all Dell Wyse Thin Clients running ThinOS versions 8.6 and earlier. The vulnerabilities could be exploited to remotely execute code and access files. Both vulnerabilities received CVSS scores of 10. Researchers at CyberMDX detected the flaws and reported them to Dell in June 2020. Read more in:

• Critical bugs in Dell Wyse ThinOS allow thin client take over
• Critical Bugs in Dell Wyse Thin Clients Allow Code Execution, Client Takeovers
• Dell Wyse Thin Client scores two perfect 10 security flaws
• Critical Vulnerabilities Expose Dell Wyse Thin Client Devices to Attacks
• CyberMDX Research Team Discovers Vulnerability in Dell Wyse Thin Clients
• DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities.

iOS “Zero-Click” Exploit Used to Infect Journalists’ Phones. Earlier this year, state-backed attackers placed spyware on 36 personal phones that belonged to Al Jazeera journalists and other employees of the news channel. According to University of Toronto’s Citizen Lab, “[t]he phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage.” Read more in:

• The Great iPwn | Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit
• Zero-click iMessage zeroday used to hack the iPhones of 36 journalists
• Zero-click iOS zero-day found deployed against Al Jazeera employees
• Journalists’ Phones Hacked via iMessage Zero-Day Exploit
• Zero-click iPhone exploit, NSO Group spyware used to target Mideast journalists, Citizen Lab says
• Powerful iPhone hack targets dozens of journalists, report says

Browser Makers Ban Kazakhstan’s Traffic Interception Certificate. Major browser makers have blocked a root certificate that Kazakhstan’s government Is requiring users to install. The certificate allows the Kazakh government to intercept HTTPS traffic; without the certificate, users will be unable to access foreign websites, including Facebook, Twitter, Instagram, and YouTube. Kazakhstan’s government attempted a similar requirement in August 2019. The Kazakh government maintains that the certificate requirement is part of a public/private cybersecurity training exercise. Apple, Microsoft, Google, and Mozilla have all blocked the certificate. Read more in:

• Apple, Google, Microsoft, and Mozilla ban Kazakhstan’s MitM HTTPS certificate
• Kazakhstan spies on citizens’ HTTPS traffic; browser-makers fight back

Firefox Will Introduce Anti-Tracking Feature Next Year. When Mozilla releases Firefox 85 in January 2021, the browser will include an anti-tracking feature called Network Partitioning. The feature will allow Firefox to store website data like favicon caches, CSS files, and images in partitioned, per-website storage rather than in one pool. This should make it more difficult for users to be tracked across websites. Read more in: Firefox to ship ‘network partitioning’ as a new anti-tracking defense

Crypto Wallet Data Exposed. Information that was stolen from Ledger, a cryptocurrency wallet website, in June 2020 has been leaked on a hacker forum. The information is reportedly being used in phishing attacks. Ledger has been notifying customers via Twitter. Ledger provided information about the breach in a July 2020 blog post. Read more in:

• Physical addresses of 270K Ledger owners leaked on hacker forum
• Hacker Dumps Crypto Wallet Customer Data; Active Attacks Follow
• Addressing the July 2020 e-commerce and marketing data breach — A Message From Ledger’s Leadership

Europol Launches Decryption Platform for Law Enforcement. Europol, along with the European commission, has launched a new decryption platform to help EU law enforcement “decrypt information lawfully obtained in criminal investigations.” The platform is operated by the European Cybercrime Centre (EC3). Read more in:

• Europol and the European Commission Inaugurate New Decryption Platform to Tackle the Challenge of Encrypted Material for Law Enforcement Investigations
• Europol launches new decryption platform for law enforcement

Trucking Company Recovering from Ransomware Attack. US trucking and freight logistics company Forward Air has acknowledged that its network was hit with ransomware earlier this month. Forward Air made the disclosure in a Form 8-K filing with the US Securities and Exchange Commission (SEC). Forward Air detected the attack on December 15, 2020. Read more in:

• Trucking giant Forward Air hit by new Hades ransomware gang
• Forward Air reveals ransomware attack, warns of revenue hit
• Form 8-K | Forward Air Corporation (PDF)