Cybersecurity News Headlines Update on February 10, 2021

Hacker Tampered With Chemical Processes Controls at Florida Water Treatment Plant. On February 5, a hacker altered the amount of sodium hydroxide (lye) added to the water supply for Oldsmar, Florida, from 100 ppm to 11,100 ppm. “According to the county’s sheriff, the hacker gained access via an unnamed remote software program that allows employees to troubleshoot IT problems. The same program also includes some screen-monitoring capabilities. As a result, the operator who first noticed the intrusion initially suspected the remote access belonged to another worker.” A plant operator noticed the change and reversed it before the tainted water entered the municipality’s water supply. Officials have disabled the remote access system. FBI and Secret Service are investigating. Read more in:

• Hacker Tried to Poison Florida City’s Water Supply, Police Say
• A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say
• Computer intruder tried to poison Florida city’s drinking water with lye
• Hacker breached Florida water facility to alter sodium hydroxide level, police say
• Security gaps in operational tech exposed with hacker attempt to poison Florida city water

Ransomware Hits Brazilian Utility Companies. Networks at two Brazilian utility companies have been hit with ransomware attacks. The ransomware operators stole and leaked data from at least one of the companies; that information includes network access credentials and engineering plans. While both Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) have had to temporarily suspend some administrative operations, the attacks had no impact on the companies’ ability to provide power. Read more in:

• Eletrobras, Copel energy companies hit by ransomware attacks
• Ransomware Attacks Hit Major Utilities

Google Launches Open Source Vulnerability Website. Google has launched the Open Source Vulnerabilities website, “a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.” Google is also starting a conversation about open source project security, proposing “a framework for shifting the discussion around vulnerabilities in open source.” Read more in:

• Google: Our new tool makes open-source security bugs easier to spot
• Database for open source vulnerabilities
• Open source: Google wants new rules for developers working on ‘critical’ projects
• Google pitches security standards for ‘critical’ open-source projects
• Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source

German Authorities Seize Bitcoin Wallet Worth $60M, But Don’t Have the Password. Authorities in Germany have seized a bitcoin wallet that contains more than 50 million euros ($60 million) worth of the cryptocurrency, but the owner of the wallet has refused to disclose the password. That individual served more than two years in prison for hijacking other people’s computers to mine the bitcoin. If authorities ever manage to gain access to the wallet, the bitcoin will be sold, and the proceeds given to the state treasury. Read more in:

• Police seize $60 million of bitcoin! Now, where’s the password?
• Cops can’t access $60M in seized bitcoin—fraudster won’t give password

SitePoint Data Breach. Web-development resource website SitePoint has disclosed a 2020 data breach in which the attackers stole a customer database which was eventually leaked online. Compromised information includes names, email addresses, hashed passwords, usernames, and IP addresses. Some SitePoint users say they have received spam that is likely related to the breach. Read more in:

• SitePoint hacked: Hashed, salted passwords pinched from web dev learning site via GitHub tool pwnage
• Webdev tutorials site SitePoint discloses data breach
• SitePoint discloses data breach after stolen info used in attacks

Google Patches Chrome Zero-day. Google has fixed a heap overflow memory corruption vulnerability in the V8 JavaScript engine. The flaw is being actively exploited. Users are urged to update to Chrome 88.0.4324.150 for Windows, macOS, and Linux, which was released to the stable channel last week. Read more in:

• Google Chrome Zero-Day Afflicts Windows, Mac Users
• Google patches an actively exploited Chrome zero-day
• Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers
• Stable Channel Update for Desktop

NextGen Gallery WP Plugin Vulnerabilities Fixed in Update. The publisher NextGen Gallery plugin for WordPress has released an updated version to address two cross-site request forgery vulnerabilities. The flaws could be exploited to take control of vulnerable websites. NextGen Gallery has more than 800,000 installations. Users should upgrade to version 3.5.0 or newer. Read more in:

• Severe Vulnerabilities Patched in NextGen Gallery Affect over 800,000 WordPress Sites
• Critical WordPress Plugin Flaw Allows Site Takeover
• Critical vulnerability fixed in WordPress plugin with 800K installs

Stolen Healthcare Data Leaked. Ransomware operators have leaked large quantities of data stolen during attacks against Florida-based Leon Medical Centers and Nocona General Hospital in Texas. The attack against Leon Medical Centers took place in November 2020; it is not clear when data were stolen from Nocona General Hospital. Read more in:

• Conti ransomware gang tied to latest attacks on hospitals in Florida and Texas
• Hackers Dump More Health Data, as Feds Share Ransomware Factsheet
• Ransomware: What It Is & What To Do About It (PDF)

NIST Issues Guidance on Protecting Controlled Unclassified Information. The US National Institute of Standards and Technology (NIST) has released SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The publication offers advice for “recommendations for enhanced security requirements to provide additional protection for Controlled Unclassified Information (CUI) in nonfederal systems and organizations when such information is associated with critical programs or high value assets.” Read more in:

• NIST offers tools to defend against nation state cyber threats
• New guidelines from NIST on how to avoid cyberattacks from a nation-state
• Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (with abstract)
• Enhanced Security Requirements for Protecting Controlled Unclassified Information | A Supplement to NIST Special Publication 800-171 (PDF)

FERC Proposed Rulemaking: Cybersecurity Incentives for Electric Companies. Proposed rulemaking from the Federal Energy Regulatory Commission (FERC) would offer incentives for electric companies to implement cybersecurity improvements that exceed the minimum requirements as established by the National Institute of Standards and Technology (NIST). FERC is accepting comments on the proposal until April 6, 2012. Read more in:

• FERC proposes incentives for electric companies to improve cybersecurity
• Cybersecurity Incentives | A Proposed Rule by the Federal Energy Regulatory Commission on 02/05/2021
• Framework for Improving Critical Infrastructure Cybersecurity – April 2018 (PDF)

Android Barcode Scanner App Got a Malicious Update in December. Late last year, Android users began reporting that ads were opening on their default browsers for no detectable reason. Investigation revealed that the source of the ads was a barcode scanning app that had been available in Google Play for years. A December 4, 2020 update to Lavabird Ltd.’s Barcode Scanner appears to have turned the app malicious. Google has removed the app from the store. Read more in:

• With one update, this malicious Android app hijacked millions of devices
• Barcode scan app amassed millions of downloads before weird update starting popping open webpages…
• Barcode Scanner app on Google Play infects 10 million users with one update

SolarWinds Hackers Had Access to eMail System for Months. According to a report in the Wall Street Journal (subscription required), the threat actors behind the SolarWinds supply-chain attack likely had access to SolarWinds email system for nearly a year. In an interview, SolarWinds CEO Sudhakar Ramakrishna said that the attackers had access to SolarWinds email accounts in December 2019. (Please note that the WSJ story is behind a paywall.) Read more in:

• Hackers had access to SolarWinds email system for months: report
• Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says (paywall)

SolarWinds Patches Three New Vulnerabilities. SolarWinds has released fixes for three serious security issues. Two of the flaws affect SolarWinds Orion User Device Tracker; the third affects SolarWinds Serv-U FTP for Windows. The flaws were detected by a researcher at Trustwave who notified SolarWinds in late December. SolarWinds released fixes for the flaws in an update last week. Read more in:

• SolarWinds patches vulnerabilities that could allow full system control
• SolarWinds patches three newly discovered software vulnerabilities
• More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others
• Three new SolarWinds vulnerabilities found and patched
• SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover
• Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities

Sudo Vulnerability Affects macOS. A vulnerability recently detected in LINUX Sudo has been found to also affect the most recent version of macOS, Big Sur 11.2. The heap overflow bug could be exploited to gain elevated privileges. No fix is currently available for macOS 11.2. Read more in:

• Recent root-giving Sudo bug also impacts macOS
• Latest macOS Big Sur also has SUDO root privilege escalation flaw

Claim: in-toto Cybersecurity System Might Have Helped Prevent SolarWinds Attack. The academic developers of a cybersecurity system protocol funded by the US government claim their approach might have been able to prevent or diminish the severity of the SolarWinds supply-chain attack. The system, called in-toto, “is designed to ensure the integrity of a software product from initiation to end-user installation. It does so by making it transparent to the user what steps were performed, by whom and in what order. As a result, with some guidance from the group creating the software, in-toto allows the user to verify if a step in the supply chain was intended to be performed, and if the step was performed by the right actor.” The US government has never required its vendors to use in-toto. Read more in:

• The U.S. Spent $2.2 Million on a Cybersecurity System That Wasn’t Implemented — and Might Have Stopped a Major Hack
• What is in-toto?
• A framework to secure the integrity of software supply chains

Better Patches Could Reduce the Number of Zero-days. Maddie Stone, a Google security researcher, told an audience at the USENIX Enigma 2021 virtual conference that more than one-third of the 24 zero-day vulnerabilities Google’s Project Zero team found last year were variants of other security issues that had already been disclosed or had been incompletely patched. In a blog post, Stone writes, “If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days.” Read more in:

• Déjà vu-lnerability | A Year in Review of 0-days Exploited In-The-Wild in 2020
• 0day “In the Wild”
• Patch Imperfect: Software Fixes Failing to Shut Out Attackers
• Google: Proper patching would have prevented 25% of all zero-days found in 2020
• Rubbish software security patches responsible for a quarter of zero-days last year
• Bad patching practices are a breeding ground for zero-day exploits, Google warns
• Making 0-Day Hard is Still Hard

StormShield Discloses Security Incident. French cybersecurity company StormShield has disclosed that it “detected a security incident that resulted in an unauthorized access to a technical portal used … by our customers and partners for the management of their support tickets on our products.” The intruders also appear to have stolen some StormShield Network Security source code. StormShield has notified affected customers and has contacted authorities regarding the incident. Read more in:

• Security Incident concerning Stormshield
• Incident de Sécurité chez Stormshield (in French)
• Security firm Stormshield discloses data breach, theft of source code
• Hackers steal StormShield firewall source code in data breach

Ransomware Operators are Targeting Industrial Goods and Services. According to data gathered by Digital Shadows, ransomware operators targeted organizations in the industrial goods and services sector more than any other; it accounts for 29 percent of reported ransomware attacks. The three next most-targeted sectors – construction, technology, and retail – account for nine, eight, and seven percent of reported ransomware attacks. Read more in:

• Ransomware gangs now have industrial targets in their sights. That raises the stakes for everyone
• Ransomware: Analyzing The Data From 2020

SonicWall Firmware Patch. SonicWall has released a firmware patch to address critical vulnerabilities in SMA 100 series 10.x code that are being actively exploited. The issues are fixed in the SMA 100 series firmware 10.2.0.5-29sv update. Read more in:

• SonicWall issues firmware patch after attackers exploited critical bugs
• SonicWall fixes actively exploited SMA 100 zero-day vulnerability
• SonicWall issues patch for firmware zero-day used to attack the company and its customers
• Urgent Patch Available For SMA 100 Series 10.X Firmware Zero-Day Vulnerability [Updated Feb. 3, 2 P.M. CST]

Kobalos Malware Targets High-Performance Computing Networks. A small piece of backdoor malware is targeting high-performance computing clusters. Dubbed Kobalos by researchers at ESET, the “malware gives access to the file system of the compromised host and enables access to a remote terminal, giving the attackers the ability to run arbitrary commands.” ESET surmised that the systems infected with Kobalos are specifically targeted because they belong to high-profile organizations. Read more in:

• Kobalos – A complex Linux threat to high performance computing infrastructure
• A Wild Kobalos Appears | Tricksy Linux malware goes after HPCs (PDF)
• High-performance computers are under siege by a newly discovered backdoor
• Tiny Kobalos Malware Bedevils Supercomputers to Steal Logins

Cisco Releases Fixes for Vulnerabilities Affecting Some VPN Routers. Cisco has released updates to address for multiple vulnerabilities in its small-business VPN routers models RV160, RV160W, RV260, RV260P, and RV260W running firmware releases prior to 1.0.01.02. The flaws exist in the routers’ web-based management interface. Read more in:

• Cisco fixes critical code execution bugs in SMB VPN routers
• Critical Cisco Flaws Open VPN Routers Up to RCE Attacks
• Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities

Wordfence: Remove Contact Form 7 Style WordPress Plugin. Wordfence is warning of an unpatched Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability affecting the Contact Form 7 Style WordPress plugin. (Contact Form 7 Style is an add-on to the Content Form 7 plugin.) The plugin’s developer has been contacted several times but has not responded. WordFence “strongly recommends deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer.” Read more in: Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style

IBM Announces Grant Program to Help Schools with Ransomware Protection. IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from IBM’s Service Corps Program will “help [the selected schools] proactively prepare for and respond to cyberattacks.” Read more in:

• IBM plans grant program to help schools fend off ransomware
• IBM rolls out $3M grant program for schools to defend against cyberattacks
• IBM Introduces $3 Million in Cybersecurity Grants for Public Schools in United States as Attacks on Education Grow

Threat Actors Behind SolarWinds Used Multiple Attack Vectors. The acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) says that “significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds.” The threat actors multiple attack vectors. (Please note that the WSJ story is behind a paywall.) Read more in:

• CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds
• Does SolarWinds change the rules in offensive cyber? Experts say no, but offer alternatives
• As SolarWinds spooks tech firms into rechecking code, some won’t like what they find
• SolarWinds attack is not an outlier, but a moment of reckoning for security industry, says Microsoft exec
• Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say (paywall)
• 30% of “SolarWinds hack” victims didn’t actually use SolarWinds

SolarWinds: US Federal Judiciary Sets New Requirements for Filing Sensitive Documents. The SolarWinds supply chain attack affected the US court system’s electronic files, prompting the federal Judiciary to adopt “new security procedures to protect highly sensitive confidential documents filed with the courts.” US courts have been instructed to issue standing or general orders that “highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to” the Judiciary’s Case Management/Electronic Case Files system. Read more in:

• Russian hack brings changes, uncertainty to US court system
• US court system ditches electronic filing, goes paper-only for sensitive documents following SolarWinds hack
• Judiciary Addresses Cybersecurity Breach: Extra Safeguards to Protect Sensitive Court Records

Microsoft Provides More Information About Attacks Targeting Researchers. Microsoft is sharing additional information about the North Korean hacking campaign targeting cybersecurity researchers. Google’s Threat Analysis Group released an initial warning about the campaign last week. In a January 28 blog post, Microsoft’s Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team write that over the past months, they have “detected cyberattacks targeting security researchers by an actor we track as ZINC.” The ZINC threat group has ties to the Lazarus Group. Microsoft’s report provides additional technical information about the threat actors’ use of Visual Studio as an attack vector. The campaign presently appears to be targeting only researchers who are using Windows. Read more in:

• ZINC attacks against security researchers
• Lazarus Affiliate ‘ZINC’ Blamed for Campaign Against Security Researcher

SonicWall Zero-day is Being Exploited in the Wild. SonicWall says that threat actors are exploiting a critical, unpatched vulnerability in one of the company’s firewalls. The flaw affects SonicWall Secure Mobile Access 100 series firmware version 10.x. SonicWall is in the process of developing a patch for the vulnerability and expects to make it available by the end of the day on Tuesday, February 2. The company has listed mitigation that could be implemented until the fix is available. Read more in:

• Urgent Security Notice: SonicWall Confirms SMA 100 Series 10. X Zero-Day Vulnerability [Feb. 1, 2 P.M. CST]
• SonicWall zero-day exploited in the wild
• SonicWall SMA 100 zero-day exploit actively used in the wild
• Hackers are exploiting a critical zeroday in firewalls from SonicWall

NoxPlayer Software Update Mechanism Compromised in Supply-Chain Attack. Researchers from Eset say that the NoxPlayer Android emulator was hit with a supply chain attack. The attackers compromised the BigNox software distribution system and sent malicious updates. The malware is installing surveillance software on users’ computers. While NoxPlayer has a reported 150 million users around the world, the attackers appear to be targeting only a very small number of users, all located in Asia. Read more in:

• New supply chain attack uses poisoned updates to infect gamers’ computers
• Alleged Gaming Software Supply-Chain Attack Installs Spyware
• Hacker group inserted malware in NoxPlayer Android emulator
• Android emulator supply-chain attack targets gamers with malware
• Operation NightScout: Supply-chain attack targets online gaming in Asia

UK Research and Innovation Discloses Ransomware Attack. UK Research and Innovation (UKRI), a UK government organization that manages research grants for UK organizations, has acknowledged that its network was hit with a ransomware attack. UKRI disclosed the incident on January 28. The attack affected a Brussels-based UK Research Office (UKRO) portal, and an extranet was known as the BBSRC extranet; both have been taken offline. UKRI has reported the incident to authorities. Read more in:

• UKRI response to IT incident
• UK Research and Innovation suffers ransomware attack
• Ransomware attack takes out UK Research and Innovation’s Brussels networking office
• UK Research and Innovation (UKRI) suffers ransomware attack

FonixCrypter Ransomware Group Shuts Down Operations, Releases Master Decryption Key. Operators of the Fonix ransomware say they will cease operations and have made a decryption tool and the decryption key available so its victims can regain access to their data. The tool is what the operators have used to decrypt files as proof that they really can be decrypted, but it might not be useful to decrypt large quantities of data. The master decryption key could be used to build a more efficient decryptor. Read more in:

• Fonix ransomware shuts down and releases master decryption key
• FonixCrypter ransomware gang releases master decryption key
• Fonix Ransomware Master RSA Key (Spub.key & Spriv.key) and Sample Decryptor

US Legislators Want NSA to Answer Questions About 2012 Juniper Networks Supply Chain Attack. US legislators are seeking answers from the National Security Agency (NSA) about a 2012 supply-chain attack that affected Juniper Networks. A statement released by Senator Ron Wyden’s (D-Oregon) office notes, “In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers. Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor and that the hackers modified the key to this backdoor.” A letter dated January 28, 2021, and signed by 10 US legislators asks the NSA to describe the actions it took “to protect itself, the Department of Defense, and the US government from future software supply chain attacks.” Renewed interest in the older case was prompted by the SolarWinds supply chain attack that came to light in December 2020. Read more in:

• SolarWinds Hack Prompts Congress to Put NSA in Encryption Hot Seat
• After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case
• Lawmakers press NSA for answers about Juniper hack from 2015
• Lawmakers Ask NSA About Its Role in Juniper Backdoor Discovered in 2015
• Wyden and Booker Question NSA Response Following Supply Chain Hacks of SolarWinds And Juniper Networks
• Letter to NSA Director (PDF)

Libgcrypt Developers Patch Critical Vulnerability. A critical heap overflow vulnerability in the Libgcrypt open-source cryptographic library and GNU Privacy Guard module could be exploited to write arbitrary data and execute code. The flaw affects Libgcrypt 1.9.0, which was released in mid-January. Developers have addressed the vulnerability in Libgcrypt 1.9.1. Read more in:

• Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code
• Libgcrypt developers release urgent update to tackle severe vulnerability
• Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble
• [Announce] [Security fix] Libgcrypt 1.9.1 released

NITRO Open Source Library Flaws Fixed. At least two vulnerabilities detected in the NITRO open source library could be exploited to allow remote code execution. The NITRO library is used by the US Department of Defense (DoD) and intelligence agencies to store, share, and send digital images taken by satellites. Researchers at GRIMM defected the flaws; they are working with the Cybersecurity and Infrastructure Security Agency (CISA) to make sure affected organizations are aware of the issue. The vendor has issued fixes for all the vulnerabilities. Read more in:

• Flaws in open source library used by DoD, IC for satellite imagery could lead to system takeovers
• grimm-co / NotQuite0DayFriday | Resolve “NITRO Issues”

WordPress Popup Builder Plugin Users Urged to Update to Fix Vulnerabilities. Vulnerabilities in the Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter plugin could be exploited to send newsletters, and delete or add newsletter subscribers. The plugin is installed on 200,000 WordPress sites. The vulnerability affects Popup Builder versions 3.71 and earlier. The issue is fixed in version 3.72 and the most recent version is 3.73. Read more in:

• WordPress Pop-Up Builder Plugin Flaw Plagues 200K Sites
• Multiple Vulnerabilities In WordPress Plugin Popup Builder

Vulnerabilities in Fuji Electric ICS Products. Five vulnerabilities affecting industrial control system products from Fuji Electric could be exploited to execute code. The flaws are not remotely exploitable. The vulnerabilities affect Fuji Electric’s Tellus Lite V-Simulator and V-Server Lite. The company recommends upgrading to version 4.0.10.0. Read more in:

• Industrial Gear at Risk from Fuji Code-Execution Bugs
• ICS Advisory (ICSA-21-026-01) Fuji Electric Tellus Lite V-Simulator and V-Server Lite