Cybersecurity News Headlines Update on January 30, 2021

North Korean Threat Actors Targeting Cybersecurity Researchers. Google’s Threat Analysis Group has detected an ongoing campaign launched by North Korean cyber threat actors against cybersecurity researchers. The threat actors created a blog and Twitter profiles to establish their credibility with the targeted researchers. After gaining their trust, the threat actors ask the researchers if they would like to work together on research projects. If they agree, the hackers send collaboration tools that include malware. Some researchers’ computers were compromised after they visited the hackers’ blog. Read more in:

• New campaign targeting security researchers
• North Korea Targets—and Dupes—a Slew of Cybersecurity Pros
• North Korea hackers use social media to target security researchers
• North Korean Attackers Target Security Researchers via Social Media: Google
• North Korean Hackers Hacked Famous Hackers With Fake Hacking Website, Google Says
• I was targeted by North Korean 0-day hackers using a Visual Studio project, vuln hunter tells El Reg

Apple Releases Unscheduled iOS Update to Fix Zero-days. Apple has released an emergency update for iOS to fix critical flaws that are being actively exploited in the wild. One of the vulnerabilities affects the iOS kernel; the other two affect the WebKit. A race-condition vulnerability affecting the kernel could be exploited to gain elevated privileges. The flaws affecting the WebKit could be exploited to allow arbitrary code execution. The newest versions of the affected operating systems are iOS 14.4 and iPadOS 14.4. Read more in:

• About the security content of iOS 14.4 and iPadOS 14.4
• Apple emits emergency iOS security updates while warning holes may have been exploited in wild by hackers
• Apple Patches Three New iOS Zero-Days
• Apple Patches Three Actively Exploited Zero-Days, Part of iOS Emergency Update

US CYBERCOM and NSA Urge Users to Patch Sudo Vulnerability. The NSA and the US Defense Department’s Cyber Command are both warning of a serious heap buffer overflow in the sudo utility that could be exploited to gain root privileges on vulnerable hosts. The vulnerability was detected by researchers at Qualys; it has been present in sudo since 2011. The issue “affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.” The issue is addressed in in sudo 1.9.5p2. Read more in:

• CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
• Sudo Bug Gives Root Access to Mass Numbers of Linux Systems
• Critical Vulnerability Patched in ‘sudo’ Utility for Unix-Like OSes
• Cyber Command, NSA warn to patch decade-old sudo vulnerability
• New Linux SUDO flaw lets local users gain root privileges
• USCYBERCOM Security Alert
• Buffer overflow in command line unescaping

NetWalker Ransomware Operations Disrupted. Authorities in the US and Bulgaria have seized a server used by NetWalker ransomware operators use to communicate with victims and publish stolen data. They have also seized more than $450,000 in cryptocurrency. A Canadian individual allegedly connected to NetWalker ransomware attacks has been charged in US federal court. Read more in:

• US and Bulgarian authorities disrupt NetWalker ransomware operation
• Arrest, Seizures Tied to Netwalker Ransomware
• NetWalker ransomware investigation yields arrest, big cryptocurrency seizure
• Department of Justice Launches Global Action Against NetWalker Ransomware
• Another Takedown: NetWalker Ransomware Gang Disrupted

Mimecast Says Certificate Compromise Perpetrated by SolarWinds Threat Actors. Mimecast has confirmed that the certificate compromise reported earlier in January was carried out by the same threat actors responsible for the SolarWinds supply chain attack. In a blog post, Mimecast writes, “Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.” Read more in:

• Important Security Update
• Mimecast confirms SolarWinds attackers breached security certificate, ‘potentially exfiltrated’ credentials
• Mimecast Confirms SolarWinds Hackers Breached Company
• Mimecast Confirms SolarWinds Hack as List of Security Vendor Victims Snowball

Stack Overflow Discloses Additional Information About 2019 Breach. Stack Overflow is now providing more details about the 2019 breach that compromised the site’s code and data. On May 12, 2019, Stack Overflow became aware that a new user account had elevated privileges for all sites in the Stack Exchange Network. Their “response was to revoke privileges and to suspend this account and then set in motion a process to identify and audit the actions that led to the event.” They “found that the escalation of privilege was just the tip of the iceberg and the attack had actually resulted in the exfiltration of our source code and the inadvertent exposure of the PII (email, real name, IP addresses) of 184 users of the Stack Exchange Network (all of whom were notified).” The blog post includes a detailed timeline. Read more in:

• A deeper dive into our May 2019 security incident
• Stack Overflow 2019 hack was guided by advice from none other than… Stack Overflow
• Stack Overflow: Here’s what happened when we were hacked back in 2019

WestRock Discloses Ransomware Attack. Atlanta-based packaging company WestRock is dealing with a ransomware attack that affected some of its operational and information technology systems. The attack occurred on Saturday, January 23. Read more in:

• Ransomware Disrupts Operations at Packaging Giant WestRock
• WestRock Company (WRK) CEO Steve Voorhees on Q1 2021 Results – Earnings Call Transcript
• WestRock Reports Ransomware Incident
• WestRock Provides Update on Ransomware Incident

ADT Fixes Vulnerabilities in Home Security Camera. Researchers at Bitdefender have disclosed vulnerabilities in ADT’s LifeShield cameras that could be exploited to eavesdrop on conversations or access live video feeds. The issues affect a certain model of LifeShield DIY HD Video Doorbells, which allow users to answer the door remotely through the LifeShield app. Bitdefender notified ADT prior to disclosing the vulnerabilities; ADT released an automatic update in August 2020. Read more in:

• Cracking the LifeShield: Unauthorized Live-Streaming in your Home (PDF)
• ADT Security Camera Flaws Open Homes to Eavesdropping

NIST Risk-Based Guide on Information Exchange Security. The US National Institute of Standards and Technology (NIST) has released a publication titled Managing the Security of Information Exchanges. The draft document “provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.” NIST is accepting comments on the document until March 12, 2021. Read more in:

• NIST Shares Risk-Based Guide to Information Exchange Security
• Managing the Security of Information Exchanges
• Managing the Security of Information Exchanges (PDF)

Healthcare-Related Breach Roundup. Health IT Security’s weekly breach round-up includes a cyberattack against the Okanogan County (Washington) government computer system that has affected the county’s Public Health department, and the Einstein Healthcare Network (Philadelphia area) notifying patients of an August 2020 data breach. Read more in: Cyberattack Drives Okanogan County Public Health IT System Offline

Harris County, TX Will Replace Paperless Voting Machines With Machines that Produce a Paper Trail. Harris County, Texas, has signed a contract to purchase voting machines that create a paper audit trail. Harris County has until now been using voting machines that provide no paper records of votes for people voting in-person. Harris County, with 4.7 million residents, is the third most populous county in the US. Read more in: Harris County, Texas, ditches paperless voting machines

USCellular Discloses Data Breach. Mobile network company USCellular has disclosed a data breach that compromised customers’ account information and wireless phone number. USCellular said the incident stemmed from store employees being tricked into downloading malware onto a store computer. The hackers gained access to the company’s CRM system. USCellular believes the attack occurred on January 4, 2021; it was detected two days later. Read more in: USCellular hit by a data breach after hackers access CRM software

SonicWall Internal Systems Breached Through Vulnerabilities in its Own Products. SonicWall has published an urgent security notice noting that its “engineering teams continue their investigation into probable zero-day vulnerabilities with SMA 100 series products.” SonicWall’s internal systems were breached was hacked through zero-day vulnerabilities in its own remote access products. Read more in:

• Urgent Security Notice: NetExtender VPN Client 10.X, SMA 100 Series Vulnerability [Updated Jan. 23, 2021]
• Exclusive: SonicWall Hacked Using 0-Day Bugs In Its Own VPN Product
• SonicWall Probes Attack Using Zero-Days in Own Products
• SonicWall says it was hacked using zero-days in its own products
• SonicWall network attacked via zero day in its secure access solution
• SonicWall firewall maker hacked using zero-day in its VPN device
• SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws
• SonicWall Investigating Zero-Day Attacks Against Its Products

Cloud Accounts Used to Gain Persistent Access to Aviation and High-Tech Company Networks. According to a report from NCC group and its Fox-IT subsidiary, hackers have been gaining access to networks at high tech and aviation organizations and maintaining dwell times of as long as three years. The hackers appear to have gained initial access to the networks through cloud-based services. Read more in:

• Hackers hijacked cloud accounts of high-tech and aviation firms, hid in systems for years
• Abusing cloud services to fly under the radar

University of South Carolina First Undergraduate College To Make Cybersecurity Graduates Highly Desirable To Employers. The University of South Carolina Aiken is partnering with the SANS Technology Institute to provide the students in the university’s Bachelor of Science program in Applied Computer Science – Cybersecurity the option of completing the 12-credit Undergraduate Certificate in Applied Cybersecurity at SANS.edu as part of the UofSC Aiken cybersecurity degree program. The Certificate provides graduates with three GIAC certifications that, according to recent data, make those students three times as likely to chosen for cybersecurity job interviews than students with the certifications commonly earned by cybersecurity graduates. Read more in:

• UofSC partnership aims to bolster cybersecurity studies
• Undergraduate Cyber Security Certificate Program

US Military Intel Purchases Phone Location Data Instead of Obtaining Warrants. According to an unclassified memo obtained by the New York Times, the US Defense Intelligence Agency (DIA) has been circumventing warrant requirements by obtaining smartphone location data through commercially available databases. A 2018 US Supreme Court ruling requires the government to obtain a warrant prior to obtaining phone location data from telecommunication companies. Read more in:

• Intelligence Analysts Use U.S. Smartphone Location Data Without Warrants, Memo Says
• Military intelligence buys location data instead of getting warrants, memo shows
• DIA uses purchased phone location data without warrants

SEPA Ransomware Update: Stolen Files Leaked. Ransomware operators who launched an attack against Scotland’s Environment Protection Agency (SEPA) have posted files stolen from the agency’s systems. SEPA’s network was hit with ransomware in late December 2020; SEPA refused to pay the demanded ransom. A month later, the agency’s email and other systems remain down; SEPA flood forecasting and warning system are operating. Read more in:

• SEPA Cyber-Attack: Data theft, service delivery and recovery update
• Scottish enviro bods shrug off ransomware gang’s extortion attempt as 4,000 files dumped online, saying it’s nothing big
• Hackers publish thousands of files after government agency refuses to pay ransom
• Ransomware Attackers Publish 4K Private Scottish Gov Agency Files

Vulnerabilities in OPC Network Protocol. Researchers at Claroty have found nine vulnerabilities in implementations of the Open Platform Communications (OPC) network protocol. The vulnerabilities affect products from three vendors: Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell. All three have released fixes for the flaws, which could be exploited to allow remote code execution attacks, to leak data, and to create denial-of-service conditions. Read more in:

• Claroty Finds Critical Flaws in OPC Protocol Implementations
• Critical Vulns Discovered in Vendor Implementations of Key OT Protocol
• Users of IoT products from three major vendors at risk of DDoS attacks, data leaks

Tesla Sues Over Theft of Trade Secrets. Tesla is suing a former employee for allegedly stealing proprietary software code. Alex Khatilov allegedly stole the files and transferred them to his personal Dropbox account within days after he was hired on December 28, 2020. The incident was detected on January 6, 2021. The files were not related to Khatilov’s position at Tesla. The complaint alleges breach of contract and theft of trade secrets. Read more in:

• Tesla sues ex-employee over alleged ‘brazen’ theft of confidential code, files
• Tesla sues a former employee for allegedly taking automation files
• Tesla claims a software engineer stole critical automated software from its WARP Drive system

Australian Securities and Investment Commission Says Server Breached. The Australian Securities and Investment Commission (ASIC) has disclosed that one of its servers was breached. ASIC learned of the incident on January 15, 2021 and says that the breach is “related to Accellion software used by ASIC to transfer files and attachments.” ASIC has disabled access to the compromised server. Earlier this month, the New Zealand Reserve Bank experienced a data breach related to Accellion software. Read more in:

• Accellion cyber incident
• Digital burglars break into the Australian Securities and Investments Commission
• Australia’s securities regulator says server hit by cyber security breach
• Australian securities regulator discloses security breach

Cisco Issues Fix for Cross-site Request Forgery Vulnerability in DNA Center. Cisco has released a fix to address a high-severity flaw affecting its Digital Network Architecture (DNA) Center. The vulnerability could be remotely exploited to launch cross-site request forgery attacks. The issue has been fixed in Cisco DNA Center releases 2.1.1.0, 2.1.2.0, 2.1.2.3, 2.1.2.4, and later. Read more in:

• Cisco DNA Center Bug Opens Enterprises to Remote Attack
• Cisco DNA Center Cross-Site Request Forgery Vulnerability

Crane Manufacturer Palfinger Hit with Cyberattack. Austria-based Palfinger Group, which manufactures hydraulic lifting, loading, and handling systems, says it “is currently the target of an ongoing global cyber attack.” In an alert on its website, Palfinger notes that it “cannot be contacted via e-mail not can it receive or process inquiries, orders, shipments, and invoices.” Customers are advised that, presently, the company can be contacted only by telephone. Read more in:

• Leading crane maker Palfinger hit in global cyberattack
• Cyber Attack at Palfinger Group

Flash Deactivation Halts Chinese Railroad for a Day. A railroad system in northeastern China was disabled for a day earlier this month due to the deactivation of Adobe Flash. Adobe disabled Flash from running after January 12, 2021; China Railway Shenyang uses Flash to plan daily operations. The situation led to a complete shutdown of railway operations in Dalian, Liaoning province on the 12th. On January 13, the railway obtained a version of Flash that did not contain deactivation code and resumed operations. Read more in:

• Deactivation of Flash may have crippled Chinese railroad for a day [Updated]
• Flash Is Dead—but Not Gone

ADT Employee Pleads Guilty to Spying on Customers Through Security Cameras. A former employee of the home security company ADT has pleaded guilty to computer fraud and invasive visual recording for spying on people through their video surveillance systems. Telesforo Aviles added his personal email to the systems’ ADP Pulse accounts, which allowed him to access security cameras. Approximately 200 accounts were affected over a five-year period. During that time, Aviles accessed customer systems nearly 10,000 times. ADT learned of the situation when a customer called to complain about the suspicious email address associated with their account. Read more in:

• ADT technician pleads guilty to spying on customer camera feeds for years
• Rogue CCTV technician spied on hundreds of customers during intimate moments
• Home alarm tech backdoored security cameras to spy on customers having sex
• ADT Tech Hacks Home-Security Cameras to Spy on Women
• Home security technician pleads guilty to spying on women, couples
• ADT Technician Pleads Guilty to Hacking Home Security Footage

SolarWinds: FireEye Offers Remediation Strategies and Auditing Tool. FireEye has published a white paper, Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452, as well as a tool, Mandiant Azure AD Investigator, “for detecting artifacts that may be indicators of UNC2452 and other threat actor activity.” Read more in:

• Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
• Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 (White paper PDF)
• fireeye / Mandiant-Azure-AD-Investigator
• FireEye publishes details of SolarWinds hacking techniques, gives out free tool to detect signs of intrusion
• FireEye releases tool for auditing networks for techniques used by SolarWinds hackers
• Free Auditing Tool Helps Detect SolarWinds Hackers’ Malware

SolarWinds: New “Raindrop” Malware Installs Cobalt Strike. A fourth piece of malware used by the Solar Winds hackers has been detected. Dubbed Raindrop, the malware is a backdoor loader that places Cobalt Strike on targeted systems to allow the attackers to move laterally through the network. While Cobalt Strike is a commercially available penetration testing tool, “threat actors have since figured out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware and more.” Read more in:

• Fourth malware strain discovered in SolarWinds incident
• SolarWinds Malware Arsenal Widens with Raindrop
• New Raindrop Tool Tied to Solarwinds Attackers

SolarWinds: Hackers Hit Malwarebytes. The threat actors behind the SolarWinds Orion supply chain attack have hit systems/the network at Malwarebytes. In a January 19 blog post, Malwarebytes writes, “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.” Malwarebytes does not use SolarWinds products. Read more in:

• Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments
• Malwarebytes says its Office 365, Azure tenancies invaded by SolarWinds hackers, insists its tools are still safe to use
• Malwarebytes said it was hacked by the same group who breached SolarWinds
• Security firm Malwarebytes was infected by same hackers who hit SolarWinds
• Malwarebytes Hit by SolarWinds Attackers

SolarWinds: Microsoft Details How Threat Actors Evaded Detection. Researchers from Microsoft’s 365 Defender Research Team, Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) have published new information about operational security techniques and anti-forensic behavior the SolarWinds attackers used to evade detection. Microsoft’s “goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat.” Read more in:

• Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
• Microsoft: This is how the sneaky SolarWinds hackers hid their onward attacks for so long
• Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes
• Microsoft shares how SolarWinds hackers evaded detection
• Microsoft details how SolarWinds hackers hid their espionage

NSA Cybersecurity 2020 Year in Review. The US National Security Agency’s (NSA) Cybersecurity Directorate has published its first Cybersecurity Year in Review. The document “outlines key milestones and mission outcomes achieved during NSA Cybersecurity’s first year.” The NSA Cybersecurity Directorate was established in October 2019 “with a mission to prevent and eradicate cyber actors from systems critical to national security and critical infrastructure, with a focus on the Defense Industrial Base.” Read more in: 2020 Cybersecurity Year in Review (PDF)

Dnsmasq Vulnerabilities. Researchers from “JSOF” have disclosed seven vulnerabilities in dnsmasq open-source DNS forwarding software. The flaws could be exploited to allow DNS cache poisoning and remote code execution. The vulnerabilities are addressed in dnsmasq 2.83. The issues are believed to affect products from at least at least 40 vendors. Read more in:

• DNSpooq – Kaminsky attack is back!
• Dnsmasq, used in only a million or more internet-facing devices globally, patches not-so-secret seven spoofing, hijacking flaws
• Vulnerabilities in Popular DNS Software Allow Poisoning
• DNSpooq Flaws Allow DNS Hijacking of Millions of Devices
• List of DNSpooq vulnerability advisories, patches, and updates
• Dnsmasq is vulnerable to memory corruption and cache poisoning

Malware Found on Some Laptops Provided to UK Schoolchildren. Laptops provided to some British schoolchildren were found to be infected with malware. The laptops were distributed through a government program to help disadvantaged students learn remotely. The computers were infected with malware known as Gamarue (aka Andromeda). The UK’s Department for Education (DfE) told The Register, “We are aware of an issue with a small number of devices and we are investigating as an urgent priority to resolve the matter as soon as possible. DfE IT teams are in touch with those who have reported this issue. We believe this is not widespread.” Read more in:

• Laptops given to British schoolkids came preloaded with malware and talked to Russia when booted
• UK govt gives malware infected laptops to vulnerable students
• Malware found on laptops given out by government

CISA Increasing Effort to Get Ransomware Information to Local Government. The US Cybersecurity and Infrastructure Security Agency (CISA) is ramping up efforts to boost ransomware awareness at the local government level. CISA has created a new page on its website that provides ransomware guidance and resources, including a guidebook CISA published last fall along with the Multi-State Information Sharing and Analysis Center. CISA acting director Brandon Wales announced the awareness campaign in a talk at the US Conference of Mayors virtual winter meeting this week. Wales urged mayors to “Get to know your CISO … [and] get to know the protocols they will put in place to preserve continuity of services.” Read more in:

• Federal cyber agency announces new campaign to fight ransomware attacks
• CISA boosts anti-ransomware messaging for local government
• Ransomware Guidance and Resources
• Ransomware Guide September 2020 (PDF)

Wordfence Offers Free Site Security Audits to US K-12 Public Schools. Wordfence is offering free site cleaning and site security audits to US K-12 public schools that use the WordPress content management system. The organization is also offering those schools a free version of Wordfence that its analysts will configure. Read more in: Announcing Free Site Cleaning & Site Security Audits for K-12 Public Schools

Windows RDP Servers are Being Used to Amplify DDoS Attacks. Distributed denial-of-service (DDoS) attack-for-hire services, also called DDoS Booters or illegal IP Stressers, have been using Windows Remote Desktop Protocol (RDP) servers to amplify their attacks. According to a Netscout advisory, “When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.” Network operators are urged to move RDP servers that provide remote access via UDP behind VPN concentrators; if that is not possible, then RDP via UDP/3389 should be disabled. Read more in:

• Windows Remote Desktop servers now used to amplify DDoS attacks
• Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack Mitigation Recommendations – January 2021

Belgian Hospital’s Network Hit with Cyberattack. A cyberattack against a Belgian hospital resulted in roughly 20 percent of its servers being encrypted. The attackers app[ear to have used Windows BitLocker software to encrypt the servers. Center Hospitalier de Wallonie Picarde (CHwapi) said that patients arriving through emergency services have been rerouted to other facilities. Read more in:

• Patients Rerouted to Other Hospitals After Cyberattack on Belgian Hospital
• CHwapi hospital hit by Windows BitLocker encryption cyberattack

Amazon Fixes Flaws That Could be Exploited to Take Control of Kindle Accounts. Amazon has fixed a trio of vulnerabilities in its Send to Kindle feature that could have been exploited to take control of Kindle e-Readers, allowing attackers to make purchases in the Kindle store with linked credit cards and to access personal information stores on the devices. To exploit the flaws, a hacker would need to spoof the Kindle owner’s email address, send them a maliciously-crafted ebook, and convince them to click on a link inside that ebook. Read more in: Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks