Cybersecurity News Headlines Update on January 30, 2021

North Korean Threat Actors Targeting Cybersecurity Researchers. Google’s Threat Analysis Group has detected an ongoing campaign launched by North Korean cyber threat actors against cybersecurity researchers. The threat actors created a blog and Twitter profiles to establish their credibility with the targeted researchers. After gaining their trust, the threat actors ask the researchers if they would like to work together on research projects. If they agree, the hackers send collaboration tools that include malware. Some researchers’ computers were compromised after they visited the hackers’ blog. Read more in:

International Effort Disrupts Emotet Operations. Law enforcement agencies and judicial authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine have worked together to disrupt the Emotet malware. The operation took control of Emotet’s command-and-control infrastructure, which comprised hundreds of servers around the world. At least two people have been arrested in Ukraine in connection with the operation. Law enforcement officials in the Netherlands are delivering an Emotet update that will remove it from infected devices on April 25, 2021. Read more in:

Apple Releases Unscheduled iOS Update to Fix Zero-days. Apple has released an emergency update for iOS to fix critical flaws that are being actively exploited in the wild. One of the vulnerabilities affects the iOS kernel; the other two affect the WebKit. A race-condition vulnerability affecting the kernel could be exploited to gain elevated privileges. The flaws affecting the WebKit could be exploited to allow arbitrary code execution. The newest versions of the affected operating systems are iOS 14.4 and iPadOS 14.4. Read more in:

US CYBERCOM and NSA Urge Users to Patch Sudo Vulnerability. The NSA and the US Defense Department’s Cyber Command are both warning of a serious heap buffer overflow in the sudo utility that could be exploited to gain root privileges on vulnerable hosts. The vulnerability was detected by researchers at Qualys; it has been present in sudo since 2011. The issue “affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.” The issue is addressed in sudo 1.9.5p2. Read more in:
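The affected ranges quoted above have patch-level suffixes (1.8.31p2, 1.9.5p1) that a plain string or float comparison gets wrong, so a fleet-wide check needs a small version parser. The following is an added example written for this page, not code from Qualys, the NSA or the sudo project: it turns the two ranges into comparable tuples, reads the version from the output of `sudo -V` (whose first line reads `Sudo version X`), and reports whether the upstream version falls inside an affected range.

```python
"""Check a sudo version string against the affected ranges quoted above."""
import re
import subprocess

# Inclusive affected ranges from the advisory text, as
# (major, minor, micro, patchlevel) tuples: 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]
FIXED_VERSION = "1.9.5p2"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(version):
    """Turn '1.8.31p2' into (1, 8, 31, 2). A release without a 'pN' suffix
    gets patchlevel 0, so 1.9.5 sorts before 1.9.5p1 as it should."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {version!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable(version):
    """True when the upstream version falls inside an affected range."""
    v = parse_sudo_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_output(output):
    """Pull the version out of `sudo -V` output; its first line reads
    e.g. 'Sudo version 1.8.31p2'. Returns None if no such line exists."""
    m = re.search(r"^Sudo version (\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def check_local_sudo():
    """Run `sudo -V` on this host (works unprivileged) and report the result."""
    try:
        proc = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "sudo is not installed on this host"
    version = version_from_output(proc.stdout)
    if version is None:
        return "could not determine sudo version"
    if is_vulnerable(version):
        return f"sudo {version}: upstream version in an affected range; fixed in {FIXED_VERSION}"
    return f"sudo {version}: not in the affected ranges"


if __name__ == "__main__":
    print(check_local_sudo())
```

One caveat for anyone running this across a fleet: most Linux distributions backport security fixes without changing the upstream version string, so a host reporting 1.8.31p2 may already carry the fix. Treat a hit from this check as a prompt to consult the distribution package's changelog or advisory, not as proof of exposure.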

NetWalker Ransomware Operations Disrupted. Authorities in the US and Bulgaria have seized a server used by NetWalker ransomware operators to communicate with victims and publish stolen data. They have also seized more than $450,000 in cryptocurrency. A Canadian individual allegedly connected to NetWalker ransomware attacks has been charged in US federal court. Read more in:

Mimecast Says Certificate Compromise Perpetrated by SolarWinds Threat Actors. Mimecast has confirmed that the certificate compromise reported earlier in January was carried out by the same threat actors responsible for the SolarWinds supply chain attack. In a blog post, Mimecast writes, “Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes.” Read more in:

Stack Overflow Discloses Additional Information About 2019 Breach. Stack Overflow is now providing more details about the 2019 breach that compromised the site’s code and data. On May 12, 2019, Stack Overflow became aware that a new user account had elevated privileges for all sites in the Stack Exchange Network. Their “response was to revoke privileges and to suspend this account and then set in motion a process to identify and audit the actions that led to the event.” They “found that the escalation of privilege was just the tip of the iceberg and the attack had actually resulted in the exfiltration of our source code and the inadvertent exposure of the PII (email, real name, IP addresses) of 184 users of the Stack Exchange Network (all of whom were notified).” The blog post includes a detailed timeline. Read more in:

WestRock Discloses Ransomware Attack. Atlanta-based packaging company WestRock is dealing with a ransomware attack that affected some of its operational and information technology systems. The attack occurred on Saturday, January 23. Read more in:

ADT Fixes Vulnerabilities in Home Security Camera. Researchers at Bitdefender have disclosed vulnerabilities in ADT’s LifeShield cameras that could be exploited to eavesdrop on conversations or access live video feeds. The issues affect a certain model of LifeShield DIY HD Video Doorbells, which allow users to answer the door remotely through the LifeShield app. Bitdefender notified ADT prior to disclosing the vulnerabilities; ADT released an automatic update in August 2020. Read more in:

NIST Risk-Based Guide on Information Exchange Security. The US National Institute of Standards and Technology (NIST) has released a publication titled Managing the Security of Information Exchanges. The draft document “provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.” NIST is accepting comments on the document until March 12, 2021. Read more in:

Healthcare-Related Breach Roundup. Health IT Security’s weekly breach round-up includes a cyberattack against the Okanogan County (Washington) government computer system that has affected the county’s Public Health department, and the Einstein Healthcare Network (Philadelphia area) notifying patients of an August 2020 data breach. Read more in: Cyberattack Drives Okanogan County Public Health IT System Offline

Harris County, TX Will Replace Paperless Voting Machines With Machines that Produce a Paper Trail. Harris County, Texas, has signed a contract to purchase voting machines that create a paper audit trail. Harris County has until now been using voting machines that provide no paper records of votes for people voting in-person. Harris County, with 4.7 million residents, is the third most populous county in the US. Read more in: Harris County, Texas, ditches paperless voting machines

USCellular Discloses Data Breach. Mobile network company USCellular has disclosed a data breach that compromised customers’ account information and wireless phone number. USCellular said the incident stemmed from store employees being tricked into downloading malware onto a store computer. The hackers gained access to the company’s CRM system. USCellular believes the attack occurred on January 4, 2021; it was detected two days later. Read more in: USCellular hit by a data breach after hackers access CRM software

SonicWall Internal Systems Breached Through Vulnerabilities in its Own Products. SonicWall has published an urgent security notice noting that its “engineering teams continue their investigation into probable zero-day vulnerabilities with SMA 100 series products.” SonicWall’s internal systems were breached through zero-day vulnerabilities in its own remote access products. Read more in:

Cloud Accounts Used to Gain Persistent Access to Aviation and High-Tech Company Networks. According to a report from NCC group and its Fox-IT subsidiary, hackers have been gaining access to networks at high tech and aviation organizations and maintaining dwell times of as long as three years. The hackers appear to have gained initial access to the networks through cloud-based services. Read more in:

University of South Carolina First Undergraduate College To Make Cybersecurity Graduates Highly Desirable To Employers. The University of South Carolina Aiken is partnering with the SANS Technology Institute to provide the students in the university’s Bachelor of Science program in Applied Computer Science – Cybersecurity the option of completing the 12-credit Undergraduate Certificate in Applied Cybersecurity at SANS.edu as part of the UofSC Aiken cybersecurity degree program. The Certificate provides graduates with three GIAC certifications that, according to recent data, make those students three times as likely to be chosen for cybersecurity job interviews as students with the certifications commonly earned by cybersecurity graduates. Read more in:

US Military Intel Purchases Phone Location Data Instead of Obtaining Warrants. According to an unclassified memo obtained by the New York Times, the US Defense Intelligence Agency (DIA) has been circumventing warrant requirements by obtaining smartphone location data through commercially available databases. A 2018 US Supreme Court ruling requires the government to obtain a warrant prior to obtaining phone location data from telecommunication companies. Read more in:

SEPA Ransomware Update: Stolen Files Leaked. Ransomware operators who launched an attack against Scotland’s Environment Protection Agency (SEPA) have posted files stolen from the agency’s systems. SEPA’s network was hit with ransomware in late December 2020; SEPA refused to pay the demanded ransom. A month later, the agency’s email and other systems remain down; SEPA’s flood forecasting and warning systems are operating. Read more in:

Vulnerabilities in OPC Network Protocol. Researchers at Claroty have found nine vulnerabilities in implementations of the Open Platform Communications (OPC) network protocol. The vulnerabilities affect products from three vendors: Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell. All three have released fixes for the flaws, which could be exploited to allow remote code execution attacks, to leak data, and to create denial-of-service conditions. Read more in:

Tesla Sues Over Theft of Trade Secrets. Tesla is suing a former employee for allegedly stealing proprietary software code. Alex Khatilov allegedly stole the files and transferred them to his personal Dropbox account within days after he was hired on December 28, 2020. The incident was detected on January 6, 2021. The files were not related to Khatilov’s position at Tesla. The complaint alleges breach of contract and theft of trade secrets. Read more in:

Australian Securities and Investment Commission Says Server Breached. The Australian Securities and Investment Commission (ASIC) has disclosed that one of its servers was breached. ASIC learned of the incident on January 15, 2021 and says that the breach is “related to Accellion software used by ASIC to transfer files and attachments.” ASIC has disabled access to the compromised server. Earlier this month, the New Zealand Reserve Bank experienced a data breach related to Accellion software. Read more in:

Cisco Issues Fix for Cross-site Request Forgery Vulnerability in DNA Center. Cisco has released a fix to address a high-severity flaw affecting its Digital Network Architecture (DNA) Center. The vulnerability could be remotely exploited to launch cross-site request forgery attacks. The issue has been fixed in Cisco DNA Center releases 2.1.1.0, 2.1.2.0, 2.1.2.3, 2.1.2.4, and later. Read more in:

Crane Manufacturer Palfinger Hit with Cyberattack. Austria-based Palfinger Group, which manufactures hydraulic lifting, loading, and handling systems, says it “is currently the target of an ongoing global cyber attack.” In an alert on its website, Palfinger notes that it “cannot be contacted via e-mail nor can it receive or process inquiries, orders, shipments, and invoices.” Customers are advised that, presently, the company can be contacted only by telephone. Read more in:

Flash Deactivation Halts Chinese Railroad for a Day. A railroad system in northeastern China was disabled for a day earlier this month due to the deactivation of Adobe Flash. Adobe disabled Flash from running after January 12, 2021; China Railway Shenyang uses Flash to plan daily operations. The situation led to a complete shutdown of railway operations in Dalian, Liaoning province on the 12th. On January 13, the railway obtained a version of Flash that did not contain deactivation code and resumed operations. Read more in:

ADT Employee Pleads Guilty to Spying on Customers Through Security Cameras. A former employee of the home security company ADT has pleaded guilty to computer fraud and invasive visual recording for spying on people through their video surveillance systems. Telesforo Aviles added his personal email to the systems’ ADT Pulse accounts, which allowed him to access security cameras. Approximately 200 accounts were affected over a five-year period. During that time, Aviles accessed customer systems nearly 10,000 times. ADT learned of the situation when a customer called to complain about the suspicious email address associated with their account. Read more in:

SolarWinds: FireEye Offers Remediation Strategies and Auditing Tool. FireEye has published a white paper, Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452, as well as a tool, Mandiant Azure AD Investigator, “for detecting artifacts that may be indicators of UNC2452 and other threat actor activity.” Read more in:

SolarWinds: New “Raindrop” Malware Installs Cobalt Strike. A fourth piece of malware used by the SolarWinds hackers has been detected. Dubbed Raindrop, the malware is a backdoor loader that places Cobalt Strike on targeted systems to allow the attackers to move laterally through the network. While Cobalt Strike is a commercially available penetration testing tool, “threat actors have since figured out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware and more.” Read more in:

SolarWinds: Hackers Hit Malwarebytes. The threat actors behind the SolarWinds Orion supply chain attack have hit the network at Malwarebytes. In a January 19 blog post, Malwarebytes writes, “We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.” Malwarebytes does not use SolarWinds products. Read more in:

SolarWinds: Microsoft Details How Threat Actors Evaded Detection. Researchers from Microsoft’s 365 Defender Research Team, Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) have published new information about operational security techniques and anti-forensic behavior the SolarWinds attackers used to evade detection. Microsoft’s “goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat.” Read more in:

NSA Cybersecurity 2020 Year in Review. The US National Security Agency’s (NSA) Cybersecurity Directorate has published its first Cybersecurity Year in Review. The document “outlines key milestones and mission outcomes achieved during NSA Cybersecurity’s first year.” The NSA Cybersecurity Directorate was established in October 2019 “with a mission to prevent and eradicate cyber actors from systems critical to national security and critical infrastructure, with a focus on the Defense Industrial Base.” Read more in: 2020 Cybersecurity Year in Review (PDF)

Dnsmasq Vulnerabilities. Researchers from JSOF have disclosed seven vulnerabilities in the dnsmasq open-source DNS forwarding software. The flaws could be exploited to allow DNS cache poisoning and remote code execution. The vulnerabilities are addressed in dnsmasq 2.83. The issues are believed to affect products from at least 40 vendors. Read more in:

Malware Found on Some Laptops Provided to UK Schoolchildren. Laptops provided to some British schoolchildren were found to be infected with malware. The laptops were distributed through a government program to help disadvantaged students learn remotely. The computers were infected with malware known as Gamarue (aka Andromeda). The UK’s Department for Education (DfE) told The Register, “We are aware of an issue with a small number of devices and we are investigating as an urgent priority to resolve the matter as soon as possible. DfE IT teams are in touch with those who have reported this issue. We believe this is not widespread.” Read more in:

CISA Increasing Effort to Get Ransomware Information to Local Government. The US Cybersecurity and Infrastructure Security Agency (CISA) is ramping up efforts to boost ransomware awareness at the local government level. CISA has created a new page on its website that provides ransomware guidance and resources, including a guidebook CISA published last fall along with the Multi-State Information Sharing and Analysis Center. CISA acting director Brandon Wales announced the awareness campaign in a talk at the US Conference of Mayors virtual winter meeting this week. Wales urged mayors to “Get to know your CISO … [and] get to know the protocols they will put in place to preserve continuity of services.” Read more in:

Wordfence Offers Free Site Security Audits to US K-12 Public Schools. Wordfence is offering free site cleaning and site security audits to US K-12 public schools that use the WordPress content management system. The organization is also offering those schools a free version of Wordfence that its analysts will configure. Read more in: Announcing Free Site Cleaning & Site Security Audits for K-12 Public Schools

Windows RDP Servers are Being Used to Amplify DDoS Attacks. Distributed denial-of-service (DDoS) attack-for-hire services, also called DDoS Booters or illegal IP Stressers, have been using Windows Remote Desktop Protocol (RDP) servers to amplify their attacks. According to a Netscout advisory, “When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.” Network operators are urged to move RDP servers that provide remote access via UDP behind VPN concentrators; if that is not possible, then RDP via UDP/3389 should be disabled. Read more in:
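An operator who cannot yet move RDP-over-UDP behind a VPN concentrator will want to know whether their own server is already being used as a reflector. The block below is an added example written for this page, not code from Netscout or Microsoft. It runs over a constructed, simplified flow export (the line format and the IP addresses are assumptions for the example) and flags UDP peers of port 3389 for which the bytes the server sent back exceed the bytes it received by a configurable ratio; the 20:1 alert threshold is likewise an assumption, chosen to sit well below the 85.9:1 figure quoted in the advisory while staying clear of normal, roughly balanced RDP sessions.

```python
"""Flag RDP-over-UDP peers whose response volume dwarfs their request volume."""
from collections import defaultdict

# Constructed sample flow export (not from the Netscout advisory). One
# unidirectional flow per line: proto src_ip:src_port dst_ip:dst_port bytes.
# 203.0.113.10 stands in for an internet-facing RDP server we operate;
# 198.51.100.7 for a third party whose address is being spoofed toward it.
SAMPLE_FLOWS = """\
udp 198.51.100.7:53211 203.0.113.10:3389 120
udp 203.0.113.10:3389 198.51.100.7:53211 10308
udp 192.0.2.44:61000 203.0.113.10:3389 1440
udp 203.0.113.10:3389 192.0.2.44:61000 1512
tcp 192.0.2.45:50122 203.0.113.10:3389 4096
tcp 203.0.113.10:3389 192.0.2.45:50122 98304
"""


def parse_flows(text):
    """Parse the simplified export into
    (proto, src_ip, src_port, dst_ip, dst_port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append((proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes)))
    return flows


def reflection_suspects(flows, rdp_port=3389, min_ratio=20.0, min_bytes_out=4096):
    """Return sorted [(server_ip, peer_ip, ratio)] for UDP peers where the bytes
    our RDP port sent to the peer are at least min_ratio times the bytes it
    received from that peer. TCP is ignored: the amplification vector is UDP
    only, and a busy legitimate TCP session is lopsided in the same direction."""
    bytes_in = defaultdict(int)   # (server, peer) -> bytes arriving at UDP/rdp_port
    bytes_out = defaultdict(int)  # (server, peer) -> bytes leaving UDP/rdp_port
    for proto, src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if proto != "udp":
            continue
        if dst_port == rdp_port:
            bytes_in[(dst_ip, src_ip)] += nbytes
        if src_port == rdp_port:
            bytes_out[(src_ip, dst_ip)] += nbytes

    suspects = []
    for key, out in bytes_out.items():
        if out < min_bytes_out:
            continue  # too little traffic to matter; avoids noise from probes
        # A peer with no recorded inbound bytes counts as 1 so the ratio stays
        # finite; large one-way outbound volume is still reported.
        ratio = out / max(bytes_in.get(key, 0), 1)
        if ratio >= min_ratio:
            suspects.append((key[0], key[1], round(ratio, 1)))
    return sorted(suspects)


if __name__ == "__main__":
    for server, peer, ratio in reflection_suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"{server} UDP/3389 -> {peer}: {ratio}:1 response/request byte ratio")
```

On the constructed data the only hit is the spoofed 198.51.100.7 peer at 85.9:1; the balanced UDP session from 192.0.2.44 and the TCP session are left alone. A hit here means the server is already contributing to someone else's DDoS, and the remedy is the one the advisory gives: put UDP RDP behind a VPN concentrator, or disable UDP/3389 where that is not possible.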

Belgian Hospital’s Network Hit with Cyberattack. A cyberattack against a Belgian hospital resulted in roughly 20 percent of its servers being encrypted. The attackers appear to have used Windows BitLocker software to encrypt the servers. Centre Hospitalier de Wallonie Picarde (CHwapi) said that patients arriving through emergency services have been rerouted to other facilities. Read more in:

Amazon Fixes Flaws That Could be Exploited to Take Control of Kindle Accounts. Amazon has fixed a trio of vulnerabilities in its Send to Kindle feature that could have been exploited to take control of Kindle e-Readers, allowing attackers to make purchases in the Kindle store with linked credit cards and to access personal information stored on the devices. To exploit the flaws, a hacker would need to spoof the Kindle owner’s email address, send them a maliciously-crafted ebook, and convince them to click on a link inside that ebook. Read more in: Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks

Published by Thomas Apel, a dynamic and self-motivated information technology architect with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.