Cybersecurity News Headlines Update on January 09, 2021

SolarWinds: Federal Judiciary Electronic Records Possibly Breached. The Administrative Offices of the US Courts is “adding new security procedures to protect highly sensitive confidential documents filed with the courts” following a possible compromise of its Case Management/Electronic Case Files (CM/ECF) system. The Judiciary is auditing the system along with the Department of Homeland Security (DHS). Read more in:

• Judiciary Addresses Cybersecurity Breach: Extra Safeguards to Protect Sensitive Court Records
• Sealed U.S. Court Records Exposed in SolarWinds Breach
• US Judiciary adds safeguards after potential breach in SolarWinds hack
• Federal courts are latest apparent victim of SolarWinds hack
• Federal judiciary likely compromised as part of SolarWinds hack
• U.S. Courts Records System Breached in SolarWinds Hack

SolarWinds: DoJ eMail Accounts Breached. The US Department of Justice (DoJ) says that the hackers behind the SolarWinds supply chain attack breached the department’s Office 365 environment and compromised more than 3,000 email accounts. The DoJ Office of the Chief Information Officer (OCIO) detected malicious activity in late December 2020. Read more in:

• Department of Justice Statement on Solarwinds Update
• DOJ says it was hit by SolarWinds hackers
• Justice Department confirms breach as part of SolarWinds hack, says emails were accessed
• Justice Department confirms SolarWinds hackers accessed Department emails
• DoJ says SolarWinds hackers breached its Office 365 system and read email
• SolarWinds fallout: DOJ says hackers accessed its Microsoft O365 email server
• SolarWinds hackers had access to over 3,000 US DOJ email accounts

SolarWinds: FBI, NSA, ODNI, and CISA Point Finger at Russia. In a joint statement, the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and The National Security Agency (NSA) wrote, “an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.” Read more in:

• Joint Statement By The Federal Bureau of Investigation (FBI), The Cybersecurity And Infrastructure Security Agency (CISA), The Office Of The Director Of National Intelligence (ODNI), And The National Security Agency (NSA)
• Bucking Trump, NSA and FBI say Russia was “likely” behind SolarWinds hack
• US government formally blames Russia for SolarWinds hack
• Feds Pinpoint Russia as ‘Likely’ Culprit Behind SolarWinds Attack

SolarWinds: CISA Guidance Update Requires Agencies to Conduct Forensic Analysis. The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its SolarWinds guidance. The January 6, 2021, “supplemental guidance v3 requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2021.” Read more in:

• Supplemental Guidance v3
• CISA updates guidance on SolarWinds compromise
• CISA Issues Updated Remediation Guidance to Feds for SolarWinds Hack

Hackney Data Stolen, Leaked in Ransomware Attack. The ransomware operators responsible for an attack against the network of the Hackney council in London, UK have leaked stolen data. The ransomware attack occurred in October 2020. The council’s services are still “significantly disrupted.” The stolen information has reportedly been posted on the dark web. Read more in: Months after this ‘serious’ cyber-attack, stolen data has been leaked online by hackers

Ransomware Hits Minnesota Lake Region Healthcare Network. Lake Region Healthcare (LRHC) in Minnesota was the victim of a ransomware attack in late December 2020. The attack prompted LRHC to initiate HER downtime procedures. In a public statement, LRHC said they “are providing most of [their] services as usual by operating largely off alternative systems.” Read more in:

• Minnesota’s Lake Region Healthcare Recovering From Ransomware Attack
• Public Statement: Update from LRH CEO Kent Mattson about Ransomware Attack

House Passes FedRAMP Bill. The US House of Representatives has passed a bill that codifies the Federal Risk and Authorization Management Program, or FedRAMP. The FedRAMP Authorization Act also establishes an advisory committee “to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.” Read more in:

• House OKs Bill to Codify FedRAMP, Create Federal Cloud Advisory Panel
• House passes FedRAMP bill
• House Passes Bill to Codify and Revamp FedRAMP
• FedRAMP Authorization Act (PDF)

Fired Healthcare Exec Sentenced to Prison for Sabotaging PPE Distribution. A former employee of Georgia-based Stradis Healthcare has pleaded guilty to computer intrusion for tampering with the company’s computer systems. Christopher Dobbins used a secret account he had created to gain access to the Stradis network where he altered and deleted data, hobbling the company’s efforts to distribute personal protective equipment (PPE) in spring 2020. Dobbins has been sentenced to one year in prison. Read more in:

• Disgruntled former VP hacks company, disrupts PPE supply, earns jail term
• Fired Healthcare Exec Stalls Critical PPE Shipment for Months
• Medical Equipment Packaging Company Hacker Sentenced

Nissan Source Code Possibly Exposed. Source code for Nissan North America mobile apps and diagnostic tools may have been exposed due to an improperly configured Git server. Nissan says it has secured the server. Read more in:

• Nissan source code leaked online after Git repo misconfiguration
• Nissan investigated source code exposure, says it plugged leak

NSA Guidance Urges Updating Outdated TLS Protocols. The US National Security Agency (NSA) has issued guidance urging system administrators to replace obsolete Transport Layer Security (TLS) protocols with updated versions. The guidance offers strategies for detecting obsolete TLS instances (TLS 1.0 and 1.1 as well as SL 2.0 and 3.0) and for replacing them with newer versions with strong encryption and authentication (TLS 1.2 and 1.3). Read more in:

• Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations (PDF)
• NSA Urges SysAdmins to Replace Obsolete TLS Protocols
• NSA shares guidance, tools to mitigate weak encryption protocols
• NSA Urges Federal Stakeholders to Update Obsolete TLS Configurations

Legislators’ Computers Left Unattended When They Were Evacuated. When people stormed the US Capitol building on Wednesday, legislators’ computers were left unattended. One senator has reported that a laptop was stolen from his office. It has not been determined what information the computer contains. Read more in:

• U.S. senator says Capitol building rioters made off with laptop
• Capitol Riot Opens Congress to Potential IT Compromise
• Rioters Had Physical Access to Lawmakers’ Computers. How Bad Is That?
• Post-Riot, the Capitol Hill IT Staff Faces a Security Mess

SolarWinds: Attack May Have Started Earlier and is Looking Worse. More details about the SolarWinds supply chain attack are coming to light. It is now believed that at least 250 US government agencies and private businesses were affected. US Senator Mark Warner (D-Virginia), who serves as Vice-Chair of the Senate Intelligence Committee said that the attackers may have begun even earlier than March/April 2020. Warner also noted that “if FireEye had not come forward, I’m not sure we would be fully aware of [the attack] to this day.” Read more in:

• SolarWinds: The more we learn, the worse it looks
• SolarWinds mess that flared in the holidays: Biz confirms malware targeted crocked Orion product
• As Understanding of Russian Hacking Grows, So Does Alarm
• SolarWinds hack may be much worse than originally feared
• Cyber attack on U.S. government may have started earlier than initially thought – U.S. senator

SolarWinds: Hackers Accessed Microsoft Source Code. Microsoft says that the hackers behind the SolarWinds supply chain attack accessed Microsoft source code repositories. Microsoft said that the hackers did not alter the code because the compromised account they used to access the repositories had read-only permission. Microsoft is not concerned that the source code was viewed. In a December 31 blog post, the MSRC Team writes, “We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.” Read more in:

• Microsoft Internal Solorigate Investigation Update
• SolarWinds hackers accessed Microsoft source code
• SolarWinds Attackers Accessed, But Did Not Modify, Microsoft Source Code

SolarWinds: CISA Updates Guidance – Update SolarWinds Orion Now. The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance regarding the SolarWinds supply chain attack. The update comes in response to the discovery of a new vulnerability in SolarWinds Orion – an authentication bypass flaw in the SolarWinds Orion API. Government agencies were instructed to update their SolarWinds Orion platforms to version 2020.2.1HF2 by the end of 2020. Agencies unable to update by the deadline were instructed to take all their Orion systems offline. Read more in:

• SolarWinds Orion API authentication bypass allows remote command execution
• Emergency Directive 21-01 – Supplemental Guidance v2 – Mitigate SolarWinds Orion Code Compromise
• CISA updates SolarWinds guidance, tells US govt agencies to update right away

TransLink Ransomware Update: Most Systems are Still Down. Vancouver, BC, transportation agency TransLink says that as of January 4, most of its IT systems are still unavailable a month after they suffered a ransomware attack. Employees have been receiving pay advances rather than their regular paychecks. TransLink has acknowledged that the ransomware operators also compromised employee data. Read more in:

• TransLink confirms ransomware data theft, still restoring systems
• Some transit employees tighten belts after payroll hit by TransLink ransomware attack

Zyxel Releases Fixes for Hardcoded Backdoor. Researchers from Eye Control discovered an undocumented user account with administrative rights hardcoded in the firmware of Zyxel firewall and AP controller devices. The account can be accessed via SSH or web interface. Eye Control reported the vulnerability to Zyxel in late November. Zyxel has released updated firmware for affected devices. Read more in:

• Hackers are exploiting a backdoor built into Zyxel devices. Are you patched?
• Hardcoded Credentials Expose Zyxel Firewalls and WLAN Controllers to Remote Attacks
• Secret backdoor discovered in Zyxel firewalls and AP controllers
• Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
• ZLD v4.60 Revoke and WK48 Firmware release
• Zyxel security advisory for hardcoded credential vulnerability
• Undocumented user account in Zyxel products (CVE-2020-29583)

T-Mobile Discloses Fourth Breach in Three Years. T-Mobile has disclosed a data breach that exposed some customers’ call-related information. This is the fourth breach T-Mobile has acknowledged in the past three years. T-Mobile did not provide specifics about the attack, except to say its “cybersecurity team recently discovered and shut down malicious, unauthorized access to some” customer proprietary network information (CPNI). Read more in:

• T-Mobile: Breach exposed call information for some customers
• T-Mobile Faces Yet Another Data Breach
• T-Mobile discloses its fourth data breach in three years
• Notice of Security Incident

FBI: Smart Home Devices are Being Hijacked for Swatting Attacks. The FBI has released a public service announcement warning that vulnerable smart home security devices are being hijacked by attackers to use in swatting attacks. By hijacking devices with voice and camera features, the attackers can watch the arrival of law enforcement teams and interact with them. The FBI’s announcement urges people “to use complex, unique passwords and enable two-factor authentication to help protect against “swatting” attacks.” Read more in:

• Recent Swatting Attacks Targeting Residents With Camera and Voice-Capable Smart Devices
• FBI Warn Hackers are Using Hijacked Home Security Devices for ‘Swatting’
• FBI: Home Surveillance Devices Hacked to Record Swatting Attacks
• FBI Warns Of Swatting Attacks Targeting Smart Home Devices

Kawasaki Aerospace Company Discloses Breach, Reports of Phony Recruiting eMails. Japanese aerospace company Kawasaki Heavy Industries has disclosed that its network was hit by a data breach in June 2020. Kawasaki says that intruders may have accessed customer data. Separately, Kawasaki has warned that it has received reports of phony emails pretending to be from recruiters from Kawasaki heavy Industries Group in the US. Read more in:

• Japanese Aerospace Firm Kawasaki Warns of Data Breach
• Kawasaki Heavy Industries reports data breach as attackers found with year-long network access
• Notice Regarding Fraudulent Emails Pretending to be Recruiters from Kawasaki Heavy Industries Group

Ticketmaster to Pay $10M Fine for Hacking Competitor. Ticketmaster has agreed to pay a $10 million fine for accessing a competitor’s computer systems without authorization. A Ticketmaster employee who formerly worked at the rival company retained access credentials, which were used to snoop on that company’s activity with the intent of stealing business. Read more in:

• Ticketmaster admits it hacked rival company before it went out of business
• Ticketmaster Coughs Up $10 Million Fine After Hacking Rival Business
• Ticketmaster fined $10 million after staff hacked competitor to ‘choke off’ presale ticket business
• Ticketmaster fined $10 million for breaking into rival’s systems
• Ticketmaster pays $10M fine to settle charges of using stolen passwords to spy on rival company
• Ticketmaster Pays $10 Million Criminal Fine for Intrusions into Competitor’s Computer Systems

Citrix Offers Feature Enhancement to Block DDoS Amplification Attacks. Citrix has released an enhancement to prevent the Datagram Transport Layer Security (DTLS) feature in its ADC and Gateway devices from being used to amplify distributed denial-of-service (DDoS) attacks. Reports emerged last month about attacks taking advantage of vulnerable devices. Read more in:

• Citrix adds NetScaler ADC setting to block recent DDoS attacks
• Threat Advisory – DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway

Bye-bye, Flash. Adobe Flash Player reached end-of-life status as of January 1, 2021. Windows users have begun receiving alerts from Adobe urging them to uninstall Flash. Adobe will block Flash from running as of January 12, 2021. Chrome 88 and Firefox 85, both scheduled for release this month, will remove support for Flash. Microsoft plans to release an update for Windows 10 that will permanently remove Flash. An optional Windows 10 update, released in October 2020, removes Flash Player that was installed by Windows in Internet Explorer, Edge, and Chrome; users who installed Flash Player manually can remove it using Adobe’s uninstall instructions. Read more in:

• Adobe Flash: It’s finally over (well, almost)
• Adobe Flash Player is officially dead tomorrow
• Adobe now shows alerts in Windows 10 to uninstall Flash Player
• Uninstall Flash Player | Windows

Apex Laboratory Patient Data Stolen. New York-based medical testing company Apex Laboratory has disclosed that the operators responsible for a July 2020 ransomware attack against the company’s network stole patient data. The compromised information includes patient names, dates of birth, test results, and in some cases, Social Security numbers. Read more in:

• Apex Laboratory Says Patient Data Stolen in Ransomware Attack
• Notice of Data Event