Cybersecurity News Headlines Update on December 30, 2020

SolarWinds: NERC Advisory. The North American Electric Reliability Corp. (NERC) has issued an advisory noting that the SolarWinds supply chain attack “poses a potential threat” to elements of the power sector. NERC is also asking utilities and other power companies to respond to a list of questions on the level of exposure their systems have to the SolarWinds campaign. Read more in: Grid regulator warns utilities of risk of SolarWinds backdoor, asks how exposed they are

SolarWinds: CISA Incident Response Guide. The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that federal, state, and local governments, critical infrastructure entities, and private organizations “may need to rebuild all network assets” in the wake of the SolarWinds supply chain attack. CISA urges organizations to determine whether or not they are affected by the SolarWinds issue and if they are, to make response and remediation their top priority. Read more in:

SolarWinds: SUPERNOVA. SolarWinds has updated its security advisory to include information about malware known as SUPERNOVA. Unlike SUNBURST, “SUPERNOVA is not malicious code embedded within the builds of [the SolarWinds] Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.” Read more in:

US Financial Regulators Propose Breach Notification Requirement; Senators Introduce Bill That Would Require Agencies to File Incident Reports. US federal financial regulatory agencies have published a notice of proposed rulemaking “that would require a banking organization to provide its primary federal regulator with prompt notification of any ‘computer-security incident’ that rises to the level of a ‘notification incident.’ The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.” In a separate story, a bill introduced in the US Senate would require federal agencies that experience cyberattacks that could cause significant harm to national security or agency operations to provide Congress with an incident report within seven days of the attacks. Read more in:

Worst Hacks of 2020. The SolarWinds supply chain attack tops two lists of the worst hacks and breaches of 2020. Also included are the Twitter hack, the University Hospital Düsseldorf ransomware attack, and the data theft at Finland’s Vastaamo mental healthcare provider. Read more in:

DHS Warns US Businesses Against Chinese Tech. The US Department of Homeland Security (DHS) has published a Data Security Business Advisory, urging US businesses to avoid using Chinese hardware or digital services. DHS warns that using Chinese technology could expose companies to “theft of trade secrets, of intellectual property, and of other confidential business information; violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses.” Read more in:

International Law Enforcement Effort Takes Down VPN Services Used by Criminals. In a coordinated operation, Europol, along with law enforcement agencies from Germany, the Netherlands, France, Switzerland, and the US, has taken down three VPN services that were widely used by criminals to conduct cyberattacks. The three services, insorg.org, safe-inet.com, and safe-inet.net, had been active for more than a decade. Read more in:

Eurojust Becomes Full Partner in SIRIUS Project. Europol and Eurojust have signed a new contribution agreement making Eurojust a full partner in the SIRIUS project, which was “launched by Europol in 2017 … [and which] aims to foster the co-development of practical and innovative tools and solutions for EU law enforcement and judicial authorities that can support internet-based investigations.” Read more in:

Kaspersky: Lazarus Group Hackers are After COVID-19 Intellectual Property. According to a report from Kaspersky, a hacking group with ties to North Korea has been targeting organizations involved in COVID-19 vaccine research and development. The Lazarus Group has broken into networks at a pharmaceutical company and a government health ministry. Kaspersky researchers say the attackers are trying to steal intellectual property. Read more in:

Cyberattack Against Finland’s Parliament Affected MP Email Accounts. Finland’s Parliament says that a cyberattack targeting its systems compromised email accounts of several Finnish members of parliament (MPs). The incident occurred in autumn 2020 and was detected earlier this month. It bears similarities to a cyberattack against Norway’s Parliament earlier this year. Read more in:

Whirlpool Hit with Ransomware. Home appliance maker Whirlpool was hit by a ransomware attack in November or early December 2020. The attackers stole company data before encrypting files on the company’s network. Whirlpool says that its systems have been fully restored. Read more in: Home appliance giant Whirlpool hit in Nefilim ransomware attack

SolarWinds: An Updated SEC Filing, a Revised CISA Alert, and an NSA Advisory on Authentication Mechanism Abuse. SolarWinds has updated its US Securities and Exchange Commission (SEC) Form 8-K filing to provide additional information about the supply-chain breach. The Cybersecurity and Infrastructure Security Agency (CISA) revised its alert to include information about additional initial access vectors and an updated list of IOCs, and to reference an advisory from the National Security Agency (NSA) about hackers abusing authentication mechanisms. Read more in:

SolarWinds: Victims Include US Treasury Dept., VMware, Cisco. The SolarWinds supply chain attack was used to compromise email accounts at the US Treasury Department. The hackers were able to gain access to the email accounts after taking control of the Treasury Department’s single sign-on cryptographic key. Other victims of the attack include the US Department of Homeland Security, the Department of Energy, VMware, Cisco, and Intel, as well as a hospital, a university, technology and accounting companies, and a “very, very large” as-yet unnamed telecommunications company. (Please note that the WSJ story is behind a paywall.) Read more in:

SolarWinds: Hackers May Have Conducted a Test Run Last Fall. FireEye’s Kevin Mandia says there is evidence the SolarWinds hackers tried a test run last fall. A code change in the Orion platform in October 2019 “was innocuous code. It was not a backdoor.” Read more in:

Mobile Device Emulator Farms Used in Massive Bank Account Theft. Researchers with IBM Trusteer have “discovered a major mobile banking fraud operation” that drained millions from bank accounts. With “an infrastructure of mobile device emulators to set up thousands of spoofed devices,” the thieves used previously compromised online banking account access credentials to steal funds from bank accounts in the US and the EU. Read more in:

DoJ Seizes Fake COVID Domains. The US Department of Justice (DoJ) has seized domains that were being used to impersonate pharmaceutical companies involved in COVID-19 treatments. The domains, which were spoofing Moderna and Regeneron, were being used to harvest personal information of site visitors. Read more in:

Dell Issues Fixes for Critical Flaws in Wyse ThinOS. Dell has released updates to address a pair of critical vulnerabilities in its Wyse ThinOS. The flaws affect all Dell Wyse Thin Clients running ThinOS versions 8.6 and earlier. The vulnerabilities could be exploited to remotely execute code and access files. Both vulnerabilities received CVSS scores of 10. Researchers at CyberMDX detected the flaws and reported them to Dell in June 2020. Read more in:

iOS “Zero-Click” Exploit Used to Infect Journalists’ Phones. Earlier this year, state-backed attackers placed spyware on 36 personal phones that belonged to Al Jazeera journalists and other employees of the news channel. According to University of Toronto’s Citizen Lab, “[t]he phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage.” Read more in:

Browser Makers Ban Kazakhstan’s Traffic Interception Certificate. Major browser makers have blocked a root certificate that Kazakhstan’s government is requiring users to install. The certificate allows the Kazakh government to intercept HTTPS traffic; without the certificate, users will be unable to access foreign websites, including Facebook, Twitter, Instagram, and YouTube. Kazakhstan’s government attempted a similar requirement in August 2019. The Kazakh government maintains that the certificate requirement is part of a public/private cybersecurity training exercise. Apple, Microsoft, Google, and Mozilla have all blocked the certificate. Read more in:

Firefox Will Introduce Anti-Tracking Feature Next Year. When Mozilla releases Firefox 85 in January 2021, the browser will include an anti-tracking feature called Network Partitioning. The feature will allow Firefox to store website data like favicon caches, CSS files, and images in partitioned, per-website storage rather than in one pool. This should make it more difficult for users to be tracked across websites. Read more in: Firefox to ship ‘network partitioning’ as a new anti-tracking defense

Crypto Wallet Data Exposed. Information that was stolen from Ledger, a cryptocurrency wallet website, in June 2020 has been leaked on a hacker forum. The information is reportedly being used in phishing attacks. Ledger has been notifying customers via Twitter. Ledger provided information about the breach in a July 2020 blog post. Read more in:

Europol Launches Decryption Platform for Law Enforcement. Europol, along with the European Commission, has launched a new decryption platform to help EU law enforcement “decrypt information lawfully obtained in criminal investigations.” The platform is operated by the European Cybercrime Centre (EC3). Read more in:

Trucking Company Recovering from Ransomware Attack. US trucking and freight logistics company Forward Air has acknowledged that its network was hit with ransomware earlier this month. Forward Air made the disclosure in a Form 8-K filing with the US Securities and Exchange Commission (SEC). Forward Air detected the attack on December 15, 2020. Read more in: