Cybersecurity News Headlines Update on February 10, 2021

Hacker Tampered With Chemical Processes Controls at Florida Water Treatment Plant. On February 5, a hacker altered the amount of sodium hydroxide (lye) added to the water supply for Oldsmar, Florida, from 100 ppm to 11,100 ppm. “According to the county’s sheriff, the hacker gained access via an unnamed remote software program that allows employees to troubleshoot IT problems. The same program also includes some screen-monitoring capabilities. As a result, the operator who first noticed the intrusion initially suspected the remote access belonged to another worker.” A plant operator noticed the change and reversed it before the tainted water entered the municipality’s water supply. Officials have disabled the remote access system. FBI and Secret Service are investigating. Read more in:

Ransomware Hits Brazilian Utility Companies. Networks at two Brazilian utility companies have been hit with ransomware attacks. The ransomware operators stole and leaked data from at least one of the companies; that information includes network access credentials and engineering plans. While both Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) have had to temporarily suspend some administrative operations, the attacks had no impact on the companies’ ability to provide power. Read more in:

Google Launches Open Source Vulnerability Website. Google has launched the Open Source Vulnerabilities website, “a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.” Google is also starting a conversation about open source project security, proposing “a framework for shifting the discussion around vulnerabilities in open source.” Read more in:

German Authorities Seize Bitcoin Wallet Worth $60M, But Don’t Have the Password. Authorities in Germany have seized a bitcoin wallet that contains more than 50 million euros ($60 million) worth of the cryptocurrency, but the owner of the wallet has refused to disclose the password. That individual served more than two years in prison for hijacking other people’s computers to mine the bitcoin. If authorities ever manage to gain access to the wallet, the bitcoin will be sold, and the proceeds given to the state treasury. Read more in:

SitePoint Data Breach. Web-development resource website SitePoint has disclosed a 2020 data breach in which the attackers stole a customer database which was eventually leaked online. Compromised information includes names, email addresses, hashed passwords, usernames, and IP addresses. Some SitePoint users say they have received spam that is likely related to the breach. Read more in:

Google Patches Chrome Zero-day. Google has fixed a heap overflow memory corruption vulnerability in the V8 JavaScript engine. The flaw is being actively exploited. Users are urged to update to Chrome 88.0.4324.150 for Windows, macOS, and Linux, which was released to the stable channel last week. Read more in:

NextGen Gallery WP Plugin Vulnerabilities Fixed in Update. The publisher of the NextGen Gallery plugin for WordPress has released an updated version to address two cross-site request forgery vulnerabilities. The flaws could be exploited to take control of vulnerable websites. NextGen Gallery has more than 800,000 installations. Users should upgrade to version 3.5.0 or newer. Read more in:

Stolen Healthcare Data Leaked. Ransomware operators have leaked large quantities of data stolen during attacks against Florida-based Leon Medical Centers and Nocona General Hospital in Texas. The attack against Leon Medical Centers took place in November 2020; it is not clear when data were stolen from Nocona General Hospital. Read more in:

NIST Issues Guidance on Protecting Controlled Unclassified Information. The US National Institute of Standards and Technology (NIST) has released SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The publication offers “recommendations for enhanced security requirements to provide additional protection for Controlled Unclassified Information (CUI) in nonfederal systems and organizations when such information is associated with critical programs or high value assets.” Read more in:

FERC Proposed Rulemaking: Cybersecurity Incentives for Electric Companies. Proposed rulemaking from the Federal Energy Regulatory Commission (FERC) would offer incentives for electric companies to implement cybersecurity improvements that exceed the minimum requirements as established by the National Institute of Standards and Technology (NIST). FERC is accepting comments on the proposal until April 6, 2012. Read more in:

Android Barcode Scanner App Got a Malicious Update in December. Late last year, Android users began reporting that ads were opening on their default browsers for no detectable reason. Investigation revealed that the source of the ads was a barcode scanning app that had been available in Google Play for years. A December 4, 2020 update to Lavabird Ltd.’s Barcode Scanner appears to have turned the app malicious. Google has removed the app from the store. Read more in:

SolarWinds Hackers Had Access to eMail System for Months. According to a report in the Wall Street Journal (subscription required), the threat actors behind the SolarWinds supply-chain attack likely had access to SolarWinds’ email system for nearly a year. In an interview, SolarWinds CEO Sudhakar Ramakrishna said that the attackers had access to SolarWinds email accounts in December 2019. (Please note that the WSJ story is behind a paywall.) Read more in:

SolarWinds Patches Three New Vulnerabilities. SolarWinds has released fixes for three serious security issues. Two of the flaws affect SolarWinds Orion User Device Tracker; the third affects SolarWinds Serv-U FTP for Windows. The flaws were detected by a researcher at Trustwave who notified SolarWinds in late December. SolarWinds released fixes for the flaws in an update last week. Read more in:

Sudo Vulnerability Affects macOS. A vulnerability recently detected in Linux Sudo has been found to also affect the most recent version of macOS, Big Sur 11.2. The heap overflow bug could be exploited to gain elevated privileges. No fix is currently available for macOS 11.2. Read more in:

Claim: in-toto Cybersecurity System Might Have Helped Prevent SolarWinds Attack. The academic developers of a US-government-funded cybersecurity protocol claim their approach might have been able to prevent or diminish the severity of the SolarWinds supply-chain attack. The system, called in-toto, “is designed to ensure the integrity of a software product from initiation to end-user installation. It does so by making it transparent to the user what steps were performed, by whom and in what order. As a result, with some guidance from the group creating the software, in-toto allows the user to verify if a step in the supply chain was intended to be performed, and if the step was performed by the right actor.” The US government has never required its vendors to use in-toto. Read more in:
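The step-and-actor verification the in-toto description refers to, as an added simplified model rather than the in-toto project's own code or metadata format; it assumes HMAC shared secrets in place of the public-key signatures in-toto uses, and the layout, functionary keys and artifact digests are constructed for the example:

```python
# Added illustration of an in-toto style layout check; not the in-toto
# project's code or metadata format. Assumption: HMAC with a per-functionary
# secret stands in for the public-key signatures in-toto actually uses.
import hashlib
import hmac
import json
KEYS = {"alice-dev": b"alice-secret", "ci-builder": b"ci-secret"}  # constructed
# Layout: the steps the project owner expects, in order, and who may perform each.
LAYOUT = [{"name": "checkout", "authorized": ["alice-dev"]},
          {"name": "build", "authorized": ["ci-builder"]}]

def _mac(signer, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest()

def sign_link(signer, step, materials, products):
    """Link metadata: what a functionary consumed and produced in one step."""
    body = {"step": step, "signer": signer, "materials": materials, "products": products}
    return {"body": body, "sig": _mac(signer, body)}

def verify_chain(layout, links):
    """Return (ok, reason): every expected step present in order, each link
    authenticated by an authorized functionary, and each step's materials equal
    to the previous step's products, so artifacts cannot be swapped between steps."""
    if [l["body"]["step"] for l in links] != [s["name"] for s in layout]:
        return False, "steps missing, extra, or out of order"
    prev_products = None
    for step, link in zip(layout, links):
        body, signer = link["body"], link["body"]["signer"]
        if signer not in step["authorized"]:
            return False, f"{step['name']}: {signer} not authorized"
        if not hmac.compare_digest(_mac(signer, body), link["sig"]):
            return False, f"{step['name']}: bad signature"
        if prev_products is not None and body["materials"] != prev_products:
            return False, f"{step['name']}: materials differ from prior products"
        prev_products = body["products"]
    return True, "ok"

SRC = {"main.c": "sha256:1111"}  # constructed artifact digests
BIN = {"app": "sha256:2222"}

def good_chain():
    return [sign_link("alice-dev", "checkout", {}, SRC),
            sign_link("ci-builder", "build", SRC, BIN)]

def swapped_artifact_chain():
    # A properly signed build record whose product digest is altered afterwards.
    links = good_chain()
    links[1]["body"]["products"] = {"app": "sha256:3333"}
    return links

def wrong_actor_chain():
    # Build step performed by a functionary the layout does not authorize for it.
    return [sign_link("alice-dev", "checkout", {}, SRC),
            sign_link("alice-dev", "build", SRC, BIN)]
```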

Better Patches Could Reduce the Number of Zero-days. Maddie Stone, a Google security researcher, told an audience at the USENIX Enigma 2021 virtual conference that more than one-third of the 24 zero-day vulnerabilities Google’s Project Zero team found last year were variants of other security issues that had already been disclosed or had been incompletely patched. In a blog post, Stone writes, “If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days.” Read more in:

StormShield Discloses Security Incident. French cybersecurity company StormShield has disclosed that it “detected a security incident that resulted in an unauthorized access to a technical portal used … by our customers and partners for the management of their support tickets on our products.” The intruders also appear to have stolen some StormShield Network Security source code. StormShield has notified affected customers and has contacted authorities regarding the incident. Read more in:

Ransomware Operators are Targeting Industrial Goods and Services. According to data gathered by Digital Shadows, ransomware operators targeted organizations in the industrial goods and services sector more than any other; it accounts for 29 percent of reported ransomware attacks. The three next most-targeted sectors – construction, technology, and retail – account for nine, eight, and seven percent of reported ransomware attacks. Read more in:

SonicWall Firmware Patch. SonicWall has released a firmware patch to address critical vulnerabilities in SMA 100 series 10.x code that are being actively exploited. The issues are fixed in the SMA 100 series firmware 10.2.0.5-29sv update. Read more in:

Kobalos Malware Targets High-Performance Computing Networks. A small piece of backdoor malware is targeting high-performance computing clusters. Dubbed Kobalos by researchers at ESET, the “malware gives access to the file system of the compromised host and enables access to a remote terminal, giving the attackers the ability to run arbitrary commands.” ESET surmised that the systems infected with Kobalos are specifically targeted because they belong to high-profile organizations. Read more in:

Cisco Releases Fixes for Vulnerabilities Affecting Some VPN Routers. Cisco has released updates to address multiple vulnerabilities in its small-business VPN router models RV160, RV160W, RV260, RV260P, and RV260W running firmware releases prior to 1.0.01.02. The flaws exist in the routers’ web-based management interface. Read more in:

Wordfence: Remove Contact Form 7 Style WordPress Plugin. Wordfence is warning of an unpatched Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability affecting the Contact Form 7 Style WordPress plugin. (Contact Form 7 Style is an add-on to the Contact Form 7 plugin.) The plugin’s developer has been contacted several times but has not responded. Wordfence “strongly recommends deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer.” Read more in: Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style

IBM Announces Grant Program to Help Schools with Ransomware Protection. IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from IBM’s Service Corps Program will “help [the selected schools] proactively prepare for and respond to cyberattacks.” Read more in:

Threat Actors Behind SolarWinds Used Multiple Attack Vectors. The acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) says that “significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds.” The threat actors used multiple attack vectors. (Please note that the WSJ story is behind a paywall.) Read more in:

SolarWinds: US Federal Judiciary Sets New Requirements for Filing Sensitive Documents. The SolarWinds supply chain attack affected the US court system’s electronic files, prompting the federal Judiciary to adopt “new security procedures to protect highly sensitive confidential documents filed with the courts.” US courts have been instructed to issue standing or general orders that “highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to” the Judiciary’s Case Management/Electronic Case Files system. Read more in:

Microsoft Provides More Information About Attacks Targeting Researchers. Microsoft is sharing additional information about the North Korean hacking campaign targeting cybersecurity researchers. Google’s Threat Analysis Group released an initial warning about the campaign last week. In a January 28 blog post, Microsoft’s Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team write that over the past months, they have “detected cyberattacks targeting security researchers by an actor we track as ZINC.” The ZINC threat group has ties to the Lazarus Group. Microsoft’s report provides additional technical information about the threat actors’ use of Visual Studio as an attack vector. The campaign presently appears to be targeting only researchers who are using Windows. Read more in:

SonicWall Zero-day is Being Exploited in the Wild. SonicWall says that threat actors are exploiting a critical, unpatched vulnerability in one of the company’s firewalls. The flaw affects SonicWall Secure Mobile Access 100 series firmware version 10.x. SonicWall is in the process of developing a patch for the vulnerability and expects to make it available by the end of the day on Tuesday, February 2. The company has listed mitigation that could be implemented until the fix is available. Read more in:

NoxPlayer Software Update Mechanism Compromised in Supply-Chain Attack. Researchers from ESET say that the NoxPlayer Android emulator was hit with a supply chain attack. The attackers compromised the BigNox software distribution system and sent malicious updates. The malware installs surveillance software on users’ computers. While NoxPlayer has a reported 150 million users around the world, the attackers appear to be targeting only a very small number of users, all located in Asia. Read more in:

UK Research and Innovation Discloses Ransomware Attack. UK Research and Innovation (UKRI), a UK government organization that manages research grants for UK organizations, has acknowledged that its network was hit with a ransomware attack. UKRI disclosed the incident on January 28. The attack affected a Brussels-based UK Research Office (UKRO) portal and an extranet known as the BBSRC extranet; both have been taken offline. UKRI has reported the incident to authorities. Read more in:

FonixCrypter Ransomware Group Shuts Down Operations, Releases Master Decryption Key. Operators of the Fonix ransomware say they will cease operations and have made a decryption tool and the decryption key available so that victims can regain access to their data. The tool is the one the operators used to decrypt files as proof that they really could be decrypted, but it might not be useful for decrypting large quantities of data. The master decryption key could be used to build a more efficient decryptor. Read more in:

US Legislators Want NSA to Answer Questions About 2012 Juniper Networks Supply Chain Attack. US legislators are seeking answers from the National Security Agency (NSA) about a 2012 supply-chain attack that affected Juniper Networks. A statement released by Senator Ron Wyden’s (D-Oregon) office notes, “In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers. Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor and that the hackers modified the key to this backdoor.” A letter dated January 28, 2021, and signed by 10 US legislators asks the NSA to describe the actions it took “to protect itself, the Department of Defense, and the US government from future software supply chain attacks.” Renewed interest in the older case was prompted by the SolarWinds supply chain attack that came to light in December 2020. Read more in:

Libgcrypt Developers Patch Critical Vulnerability. A critical heap overflow vulnerability in the Libgcrypt open-source cryptographic library and GNU Privacy Guard module could be exploited to write arbitrary data and execute code. The flaw affects Libgcrypt 1.9.0, which was released in mid-January. Developers have addressed the vulnerability in Libgcrypt 1.9.1. Read more in:

NITRO Open Source Library Flaws Fixed. At least two vulnerabilities detected in the NITRO open source library could be exploited to allow remote code execution. The NITRO library is used by the US Department of Defense (DoD) and intelligence agencies to store, share, and send digital images taken by satellites. Researchers at GRIMM detected the flaws; they are working with the Cybersecurity and Infrastructure Security Agency (CISA) to make sure affected organizations are aware of the issue. The vendor has issued fixes for all the vulnerabilities. Read more in:

WordPress Popup Builder Plugin Users Urged to Update to Fix Vulnerabilities. Vulnerabilities in the Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter plugin could be exploited to send newsletters, and delete or add newsletter subscribers. The plugin is installed on 200,000 WordPress sites. The vulnerability affects Popup Builder versions 3.71 and earlier. The issue is fixed in version 3.72 and the most recent version is 3.73. Read more in:

Vulnerabilities in Fuji Electric ICS Products. Five vulnerabilities affecting industrial control system products from Fuji Electric could be exploited to execute code. The flaws are not remotely exploitable. The vulnerabilities affect Fuji Electric’s Tellus Lite V-Simulator and V-Server Lite. The company recommends upgrading to version 4.0.10.0. Read more in:

Published by Lisa Turnbull