Cybersecurity News Headlines Update on January 20, 2021

Stolen COVID Data Were Altered Before They Were Leaked. The hackers who stole COVID-19-related data from the European Medicines Agency (EMA) altered it before posting it on the dark web. The data pertain to the BNT162b2 vaccine, which was jointly developed by Pfizer and BioNTech. According to EMA’s most recent update on the cyberattack, “some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines.” Amsterdam-based EMA evaluates applications for medicines to be marketed in the European Union. Read more in:

FBI Warns About Vishing. The FBI has issued a TLP: WHITE Private Industry Notification (PIN) warning that cyber threat actors are using Voice over Internet Protocol (VoIP) platforms to contact employees at companies around the world and try to trick them into visiting a webpage that harvests their personal data. The threat actors have used the account credentials they collect to access companies’ networks. The FBI’s recommended mitigations include implementing multi-factor authentication, a least-privilege policy, network segmentation, and providing admins with two accounts: one for system changes and another for email, generating reports, and deploying updates. Read more in:

Apache Velocity XSS Vulnerability. Apache was notified of a cross-site scripting vulnerability in its Velocity Java-based template engine in October 2020; a publicly visible fix was posted to GitHub in early November, but Apache Velocity Tools has not yet formally disclosed the issue. Read more in: Undisclosed Apache Velocity XSS vulnerability impacts GOV sites

Scottish Environment Protection Agency Suffers Ransomware Attack. The Scottish Environment Protection Agency (SEPA) has acknowledged that its network was infected with ransomware; the agency says it does not intend to pay the ransomware operators’ demand. The attack began in late December 2020. The attackers have reportedly stolen more than 1GB of data. The attack has affected SEPA’s “contact center, internal systems, processes, and internal communications.” SEPA’s critical services, including monitoring and flood forecasting and warning, are operational. Read more in:

Singapore’s Financial Institutions Get Updated Cyber Defense Guidelines. The Monetary Authority of Singapore (MAS) has revised its Technology Risk Management Guidelines to include directing financial institutions to ensure that third-party service providers are adequately securing data. The guidelines also call for increased security controls and strong risk mitigation for cloud technologies and APIs. Read more in:

Multiple Vulnerabilities in FiberHome Routers’ Firmware. Numerous vulnerabilities, including at least 28 backdoor accounts, have been found in the firmware of FiberHome FTTH ONT routers. The routers are used mainly in South America and Southeast Asia. The researcher who detected the vulnerabilities also noted that the devices’ firewall is active on the IPv4 interface, but not on the IPv6 interface. Read more in:

Feedback Prompts Bugtraq to Reverse Decision to Shut Down. On January 15, the Bugtraq mailing list announced it would be shutting down on January 31, 2021. Bugtraq was established in November 1993. A day later, Bugtraq wrote, “based on the feedback we’ve received both from the community-at-large and internally, we’ve decided to keep the Bugtraq list running.” Read more in:

Microsoft Zerologon Flaw Enforcement Phase Begins February 9. Organizations that have not yet patched the Microsoft Zerologon vulnerability are being urged to do so before February 9, 2021. As of that date, Microsoft “will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices.” Microsoft released a fix for the Zerologon vulnerability in August 2020. In September 2020, the US Department of Homeland Security (DHS) issued an emergency directive instructing agencies to patch systems against the flaw. Read more in:

OpenWRT Breach. A hacker breached an admin account on the OpenWRT forum. The account was protected by a password but did not have two-factor authentication implemented. According to an OpenWRT security notice, “the intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum.” All forum passwords have been reset and API keys have been flushed. The breach occurred on Saturday, January 16. Read more in:

$5.1M Fine for HIPAA Violation. Excellus Health Plan has agreed to pay a $5.1 million fine to the US Department of Health and Human Services (HHS) Office for Civil Rights for violations of the Health Insurance Portability and Accountability Act (HIPAA). Hackers breached the Excellus network in December 2013 and maintained access until at least mid-May 2015. The breach exposed the personally identifiable information of more than 9.3 million patients. The exposed data included names, bank account information, and clinical treatment information. Excellus filed a breach report in September 2015. Read more in:

CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments. The US Cybersecurity and Infrastructure Security Agency (CISA) has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, after becoming aware of cyber-attacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices and misconfigurations in cloud services. CISA has listed steps organizations can take to improve their cloud security posture. Read more in:

NSA Warns Enterprises Not to Use Third-Party DNS Resolvers. The US National Security Agency (NSA) has released recommendations for enterprises to securely adopt encrypted DNS. The document “explain[s] the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPS (DoH), in enterprise environments.” The NSA recommends against using third-party DNS resolvers to “ensure proper use of essential enterprise security controls, facilitate access to local network resources, and protect internal network information.” Read more in:

Microsoft Patch Tuesday Includes Fix for Actively Exploited Microsoft Defender Flaw. Microsoft has released fixes for 83 security issues in its software, including Windows, Edge, Office, SQL Server, and Azure. Ten of the flaws are rated critical. One of the flaws fixed was disclosed prior to the monthly security update, and one of the flaws is being actively exploited: a remote code execution vulnerability that affects Microsoft Defender. Read more in:

Adobe Patch Tuesday – High Priority. Adobe has released security updates to address seven critical vulnerabilities in Photoshop, Illustrator, Animate, Bridge, and other products. As of Tuesday, January 12, Adobe is blocking Flash content. Users are being urged to uninstall the software, which is no longer supported. Read more in:

Cisco Updates Include Fix for Serious Vulnerability in CMX and 70 Other High-Severity Flaws. Cisco has released fixes for nearly 70 high-severity flaws in a variety of products. One of the most serious vulnerabilities affects Cisco Connected Mobile Experiences (CMX); it could be exploited to “allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” Cisco has also released fixes for vulnerabilities in its RV routers, but it is not releasing updates for older RV routers that have reached end-of-life (EOL). The devices in question, which include Cisco Small Business RV110W, RV130, RV130W, and RV215W systems, reached EOL in 2017 and 2018, and paid extended support contracts expired on December 1, 2020. Cisco is urging customers using older versions of its RV routers to upgrade to newer, actively supported models. Read more in:

Proposed Rulemaking Would Require Financial Institutions to Report Cybersecurity Incidents Within 36 Hours. US federal financial regulatory agencies have proposed a rule that would require financial institutions to report cybersecurity events to financial regulators “no later than 36 hours after the banking organization believes in good faith that the incident occurred.” The Office of the Comptroller of the Currency (Treasury), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) published the proposed rulemaking in the Federal Register on January 12, 2021; comments will be accepted through April 12, 2021. Read more in:

International Effort Leads to DarkMarket Server Takedown and Arrest of Alleged Operator. An international law enforcement operation involving Europol and agencies in Germany, Australia, Denmark, Moldova, Ukraine, the UK, and the US has taken down the DarkMarket illegal online marketplace. The alleged operator of the marketplace, an Australian citizen living in Germany, has been arrested. Authorities also seized more than 20 associated servers in Moldova and Ukraine. Read more in:

SolarWinds: Third Malware Tool Discovered. SolarWinds and CrowdStrike have disclosed information about yet another piece of malware that helped enable the supply chain attack. Dubbed Sunspot, the malware is designed “to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.” Read more in:

Apple Will Remove Feature that Let its Apps Bypass Security Measures. In October 2020, Mac researchers noticed a feature in a beta version of macOS 11.2 that allowed Apple apps to bypass socket firewalls and virtual private networks. Dubbed the ContentFilterExclusionList, the feature permitted roughly 50 Apple programs to access the Internet without going through the Network Extension Framework, which was established to allow the monitoring and filtering of network traffic. Researchers noted that exploiting the ContentFilterExclusionList is trivial. The second beta version of macOS 11.2 will not include that feature. Read more in: Apple nixes feature that let its apps skip VPNs and firewalls, after criticism from researchers

Stolen COVID-19 Data Leaked. Hackers who stole COVID-19 vaccine and medicine data from the European Medicines Agency (EMA) late last year have posted the information online. Law enforcement authorities are investigating. Read more in:

Mimecast Says Hackers Stole Digital Certificate. In a January 12 blog post, email security provider Mimecast says, “Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor.” The issue affects approximately 10 percent of Mimecast’s customer base. Mimecast has asked affected customers “to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate” Mimecast has made available. Both the methods and the targets of the attack bear similarities to the SolarWinds supply chain attack. Read more in:

Update Available to Fix Critical Flaw in Orbit Fox by ThemeIsle WordPress Plugin. A critical authenticated privilege elevation flaw in the Orbit Fox by ThemeIsle WordPress plugin could be exploited to take control of vulnerable websites. An update for the plugin is available. It also addresses a medium-severity stored cross-site scripting vulnerability that could be exploited to inject malicious JavaScript into websites. The plugin has been installed on more than 400,000 WordPress sites. Users are urged to update to Orbit Fox by ThemeIsle version 2.10.3. Read more in:

SolarWinds Hires Krebs and Stamos; FBI Investigating JetBrains as Possible Victim. SolarWinds has hired Christopher Krebs, former head of the US Cybersecurity and Infrastructure Security Agency (CISA) and Alex Stamos, former Facebook CISO, to help manage the aftermath of the discovery of the supply-chain attack affecting the SolarWinds Orion management tool. In a related story, the FBI is investigating the possibility that Czech software company JetBrains may have been a victim of the SolarWinds attack as well. Read more in:

SolarWinds CEO Shares New Information About the Attack. In a blog post, SolarWinds CEO Sudhakar Ramakrishna writes, “We believe we have found a highly sophisticated and novel malicious code injection source the perpetrators used to insert the SUNBURST malicious code into builds of our Orion Platform software.” Ramakrishna adds that they are sharing the information because “we believe that sharing this information openly will help the industry guard against similar attacks in the future and create safer environments for customers.” Read more in:

FBI Issues Egregor Ransomware Advisory. The FBI has released a Private Industry Notification (TLP: WHITE) warning of an increased threat to businesses from the Egregor ransomware operators. The notification describes Egregor’s ransomware-as-a-service operation model and suggests mitigations organizations can apply. Read more in:

Hacker Involved in JP Morgan Chase Data Theft is Sentenced to 12 Years in Prison. A US federal judge in New York has sentenced Andrei Tyurin to 12 years in prison for numerous offenses, including computer intrusion, wire fraud, and bank fraud. Tyurin and three accomplices hacked major US financial institutions, brokerages, and other companies. They stole personal information of more than 80 million JP Morgan Chase customers. Tyurin has been in US custody since he was extradited from the country of Georgia in September 2018. Read more in:

Major Browsers Updated to Fix Hijacking Bugs. The developers of the Firefox, Chrome, and Edge browsers are urging users to update to the newest versions to protect their systems from hijacking. Firefox users should update to the browser’s most recent version to fix a critical use-after-free vulnerability. Chrome and Edge users should update their browsers to fix an out-of-bounds write vulnerability. The Chrome and Edge updates also address a dozen other security issues. Read more in:

UK High Court Says Intelligence Agencies May Not Use Bulk Hacking. The UK High Court has ruled that authorities may not use bulk equipment interference warrants, also known as general warrants, to gather information about millions of people at once while conducting surveillance. The practice raises privacy concerns, as sensitive information of innocent people gets captured when authorities cast a broad net. The High Court’s ruling strikes down a 2016 ruling by the Investigatory Powers Tribunal, which allowed that a single warrant could be used by the likes of GCHQ, MI5, and MI6 to conduct mass surveillance. Read more in:

Two People Sentenced for Data Theft from UK Roadside Assistance Organization. Two people have received suspended sentences for their roles in the theft of data from UK emergency roadside assistance company RAC. Kim Doyle, an RAC employee, sold customer data to William Shaw, who is the director of an accident claims management company. Doyle received an eight-month suspended sentence; Shaw received a two-year suspended sentence. Read more in:

Bitdefender Releases DarkSide Ransomware Decryption Tool. Romanian security company Bitdefender has released a free decryption tool for victims of the DarkSide ransomware. DarkSide first appeared late last summer; it uses a ransomware-as-a-service operating model. Read more in:

macOS Cryptomining Malware Variant is Hard to Analyze. A new variant of malware that is being used to mine cryptocurrency on macOS computers is proving difficult to analyze. The malware’s “payloads are exported as run-only AppleScript files, which makes decompiling them” complicated. The malware, known as OSAMiner, has been around since at least 2015. Read more in:

Reserve Bank of New Zealand is Investigating a Data Breach. The Reserve Bank of New Zealand is investigating a security breach of a third-party file-sharing service provider. The bank disclosed the incident on Sunday, January 10, noting that “a third party file sharing service used by the Reserve Bank to share and store some sensitive information, has been illegally accessed.” The Reserve Bank uses the system to share information outside its organization. Read more in:

Civil Liberties Groups Ask US Supreme Court to Hear Case Regarding Personal Device Passcodes. The American Civil Liberties Union (ACLU) is asking the US Supreme Court to hear a case involving the question of whether or not passcodes for privately owned mobile devices are protected under the Fifth Amendment. The ACLU, along with the Electronic Frontier Foundation (EFF), has filed a petition for a writ of certiorari to the Supreme Court in the case of Robert Andrews v. the State of New Jersey. Andrews is a Newark, NJ, sheriff’s officer who refused to provide police with passcodes for two iPhones. (Please note that the WSJ story is behind a paywall.) Read more in:

Ubiquiti Networks Urges Customers to Change Passwords. Ubiquiti Networks has notified customers of a data breach that affected servers containing user profile information for the company’s account.ui.com web portal. The site allows customers to manage devices remotely. Ubiquiti encouraged customers to change their passwords. Read more in: