Cybersecurity News Headlines Update on February 27, 2021

US Federal Reserve Outage. The US Federal Reserve Bank experienced an outage on Wednesday, February 24 that affected multiple services, including the Federal Reserve’s Account Services, Central Bank, Check 21, Check Adjustments, FedACH, FedCash, FedLine Advantage, FedLine Command, FedLine Direct, FedLine Web, Fedwire Funds, Fedwire Securities and National Settlement Services. The issue was determined to be an operational error and was largely resolved on Wednesday afternoon. Read more in:

TD Bank Outage on Wednesday, February 24. On Wednesday, February 24, TD Bank experienced an outage that prevented customers from accessing bank accounts online, using ATMs, or checking balances by phone. Systems displayed a message saying that “due to planned maintenance activity, access is temporarily down.” Services were restored Wednesday evening, but deposits made that day had not yet been credited to accounts. TD Bank has not provided additional information about the outage. Read more in: TD Bank suffered systemwide banking outage, services now recovered

ThreatNeedle Backdoor Malware Targets Defense Contractors. Kaspersky security researchers have detailed how North Korean hackers use backdoor malware known as ThreatNeedle to steal sensitive information from defense contractors in 12 countries. The hackers from the Lazarus group gained access to targeted networks through spear phishing campaigns. Kaspersky notes that the hackers “overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server.” Read more in:

Cybersecurity Authorities: Hackers are Exploiting Flaws in Accellion’s FTA. The US Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Australia, New Zealand, Singapore, and the UK have issued a joint alert warning that threat actors are exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA). The advisory includes indicators of compromise (IoC) and recommended mitigations. In related stories, two more organizations have acknowledged that they were victims of these attacks: Transport for New South Wales in Australia and Canadian aircraft manufacturer Bombardier. Read more in:

NurseryCam Company Gets Security Help from NCSC. The UK’s National Cyber Security Centre (NCSC) is helping FootfallCam Ltd secure its NurseryCam service. Last week, NurseryCam was forced to temporarily suspend services after a data breach exposed account details of 12,000 users. Footfall operates the NurseryCam service, which allows parents to register accounts and watch their children at daycare centers. Read more in:

Firefox 86 Includes Total Cookie Protection. With the release of Firefox 86, Mozilla has introduced a feature that “confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site.” Known as Total Cookie Protection, the feature is part of the browser’s Enhanced Tracking Protection strict mode. Read more in:
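To make the mechanism behind Total Cookie Protection concrete, here is a small added model (not Firefox code and not from the original item) of the difference between a classic cookie jar keyed only by the cookie's host and a partitioned jar keyed by the top-level site plus the cookie's host. The host names `news.example`, `shop.example` and `tracker.example` are constructed for the illustration, and `siteOf` is a deliberately simplified stand-in for the public-suffix-based site computation a real browser performs.

```javascript
// Added example: a minimal model of per-site cookie partitioning.
// Constructed for illustration; it is not Firefox's implementation.

// Simplified "site" of a host: last two labels. Real browsers derive the
// site from the Public Suffix List (eTLD+1); this is only a stand-in.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

class CookieJar {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Map(); // partition key -> Map(cookie name -> value)
  }

  // Classic jar: key is the cookie host's site only, so one tracker cookie
  // is visible on every page that embeds the tracker.
  // Partitioned jar: key also includes the top-level site the user is on,
  // so the tracker sees a different jar on each site it is embedded in.
  key(topLevelHost, cookieHost) {
    const host = siteOf(cookieHost);
    return this.partitioned ? `${siteOf(topLevelHost)}|${host}` : host;
  }

  set(topLevelHost, cookieHost, name, value) {
    const k = this.key(topLevelHost, cookieHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }

  get(topLevelHost, cookieHost, name) {
    const bucket = this.store.get(this.key(topLevelHost, cookieHost));
    if (!bucket || !bucket.has(name)) return null;
    return bucket.get(name);
  }
}

// A third-party tracker embedded on news.example assigns the visitor an ID,
// then tries to read that same ID back when embedded on shop.example.
// Returns the value the tracker sees on the second site (null = no linkage).
function trackerSeesOnSecondSite(partitioned) {
  const jar = new CookieJar({ partitioned });
  jar.set('news.example', 'tracker.example', 'uid', 'abc123');
  return jar.get('shop.example', 'tracker.example', 'uid');
}

// Partitioning must not break the tracker's own cookie on the site where it
// was created; this checks the cookie is still readable there.
function trackerSeesOnSameSite(partitioned) {
  const jar = new CookieJar({ partitioned });
  jar.set('news.example', 'tracker.example', 'uid', 'abc123');
  return jar.get('news.example', 'tracker.example', 'uid');
}

console.log('classic jar, second site:', trackerSeesOnSecondSite(false));
console.log('partitioned jar, second site:', trackerSeesOnSecondSite(true));
console.log('partitioned jar, same site:', trackerSeesOnSameSite(true));
```

In the classic jar the tracker reads `abc123` on both sites and can join the two visits; in the partitioned jar the cookie set under `news.example` is simply absent when the same tracker loads under `shop.example`, which is the cross-site tracking case the feature is aimed at, while the cookie remains usable on the site where it was created.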

Senate Intelligence Committee Hearing on SolarWinds. At a US Senate Intelligence Committee Hearing regarding the SolarWinds supply chain attack, Microsoft President Brad Smith and FireEye CEO Kevin Mandia called for requiring private sector companies to disclose cyber incidents. SolarWinds CEO Sudhakar Ramakrishna said that communicating with a single government agency equipped to share incident information would streamline the process. The SolarWinds hackers used Amazon’s cloud computing services to disguise their activity; Amazon declined to send a representative to the hearing. The GovInfosecurity story notes that the hearing “raised four key issues: how Amazon Web Services may have been used to host malicious infrastructure; why the attackers conducted a ‘dry run’; what the true motives were for the attack, which apparently was waged by Russian hackers; how the incident could lead to better cyberthreat and intelligence information sharing.” (Please note that the WSJ story is behind a paywall.) Read more in:

China’s Version of Flash is Also Downloading Adware. Because so much of China’s IT ecosystem relies on Flash, Adobe has allowed a single Chinese company to distribute Flash in that country. (Flash reached its official end-of-life in January 2021.) A security company recently reported alerts associated with the version of Flash being distributed in China. Analysts found that when users downloaded Flash, it was installed along with another file that caused a new browser window to open and display sites with lots of ads. Read more in: Flash version distributed in China after EOL is installing adware

Canadian Aircraft Manufacturer Bombardier Discloses Data Breach. Canadian aircraft manufacturer Bombardier has disclosed a data breach after hackers posted stolen files on the dark web. The threat actors gained access to the information “by exploiting a vulnerability affecting a third-party file-transfer application,” according to a statement from the company. The files include “personal and other confidential information relating to employees, customers and suppliers.” Read more in:

Botnet Uses Blockchain to Maintain Persistence. Researchers at Akamai have discovered that a botnet being used to mine cryptocurrency is now using blockchain to facilitate infected machines’ communications with the command-and-control server. In the event that the regular command-and-control server is sinkholed, the infected machines search for the IP address of a backup server that is encoded in the Bitcoin blockchain. Read more in:

Ransomware Attack Hits Finnish IT Company TietoEVRY. Finnish IT services provider TietoEVRY was forced to disconnect services to 25 clients after its network was hit with a ransomware attack. TietoEVRY has contacted authorities and is investigating the incident. Read more in:

China Used Malicious Firefox Extension to Spy on Tibetan Organizations. Using a malicious Firefox extension, state-sponsored Chinese hackers targeted Tibetan organizations. Researchers from Proofpoint say that the extension allows the hackers to take control of Gmail accounts, including receiving notifications, reading and deleting messages, and sending emails. It also gives hackers access to certain Firefox functions. Read more in:

Silver Sparrow Malware Has Infected 30,000 macOS Devices. Malware that targets Apple’s macOS has been found on 30,000 mac computers, but it is unclear what the malware, dubbed Silver Sparrow, is supposed to do. Once an hour, the infected machines check a control server for commands, but researchers have not seen evidence of a payload. There are two versions of the malware; one that targets x86-based machines and a second that targets both x86-based and M1-based machines. Read more in:

Chinese Hackers Built Clone of NSA Hacking Tool in 2014. Researchers at security firm Check Point have disclosed evidence that a Chinese hacking group managed to obtain and use an NSA hacking tool. The tool, which was developed by the Equation Group, is called EpMe and is used to gain elevated privileges. Using EpMe code from 2013, the Chinese hackers developed a clone in 2014 and used it from 2015 until March 2017, when Microsoft patched the vulnerability the tool exploited. Read more in:

Underwriters Laboratories Hit with Ransomware. Underwriters Laboratories (UL) has shut down its IT systems following a ransomware attack. The incident occurred on February 13; devices in UL’s data center were encrypted. UL shut down all systems to prevent the malware from spreading. The organization is reportedly restoring its systems from backups and does not intend to pay the ransom. Read more in: Underwriters Laboratories (UL) certification giant hit by ransomware

Payment Processor AFTS Hit With Ransomware. Ransomware operators targeted Seattle-based payment processor AFTS and stole files before encrypting the company’s IT system. Automatic Funds Transfer Services (AFTS) is used by government agencies and other organizations across the US to process payments and verify addresses. AFTS customers include the California DMV and numerous other municipalities and agencies in California and Washington. The California Department of Motor Vehicles has notified residents of the breach. Read more in:

Georgetown County, SC, Government Still Recovering from Ransomware. A month after a ransomware attack took control of its IT system, Georgetown County, South Carolina, is still working to repair its systems. The county did not pay the demanded ransom. Roughly half of employees now have access to their county email accounts. Read more in: South Carolina County Rebuilds Network After Hacking

FBI Warns of Telephony Denial of Service Attacks Affecting First Responders. A public service announcement (PSA) from the US Federal Bureau of Investigation (FBI) warns that first responder systems are vulnerable to Telephony Denial of Service (TDoS) attacks, which consume resources at call centers and prevent true emergency calls from getting through. The attacks have been targeting Public Safety Answering Points (PSAPs), which are call hubs for connecting callers to emergency services. The PSA recommends finding out how to contact emergency services in the event of a 911 outage and having non-emergency numbers on hand. Read more in:

Lakehead University Extends Winter Break Due to Cyberattack. Lakehead University in Canada has extended its winter study break through February 26 due to a cyberattack. The incident forced the school to prevent access to its servers. The attack targeted Lakehead’s file share servers. Users who kept sensitive information, including access credentials, on the file share servers are being advised to change their passwords. Read more in:

Accellion Breach: Possible Threat Actors Identified. Researchers at FireEye have linked attacks exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA) to a cybercrime group identified as FIN11. The threat actors exploited four unpatched vulnerabilities in the legacy software to install a web shell known as DEWMODE, which was used to download files from FTA appliances. Victims of the attacks include Singtel, the Reserve Bank of New Zealand, and Kroger Supermarkets. Read more in:

Microsoft Flaw Fixed in February Had Been Exploited Since Summer 2020. One of the vulnerabilities that Microsoft fixed in its February 2021 Patch Tuesday release has been exploited in the wild since the summer of 2020. The high-severity privilege elevation issue can be exploited “by triggering a use-after-free condition in the win32k.sys core kernel component.” Read more in: Recently fixed Windows zero-day actively exploited since mid-2020

Buggy Software is Causing Problems for Arizona Prison System. Software used by the Arizona State Department of Corrections is riddled with problems. Bugs in the system have placed inmates in cells with people they should not have contact with, have failed to keep inmates’ medications with them when inmates are transferred to a new unit, and have failed to identify inmates who qualify for programs to reduce their sentences, keeping inmates incarcerated past their release dates. People working on the system knew there were problems and urged the department not to take it live, but their concerns went unheeded because the department had already spent so much money on the project. Rather than fix the software, Department of Corrections employees are solving the problems manually. Read more in:

NIST Updates Smart Grid Framework. The US National Institute of Standards and Technology (NIST) has released an updated version of its smart grid framework. The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 4.0, “includes updates to the Smart Grid Conceptual Model, introduces new Communication Pathways Scenarios and an Ontology for the smart grid, provides guidance on cybersecurity practices and tools, and develops the concept of an Interoperability Profile to facilitate testing and certification to improve smart grid interoperability and functionality.” Read more in:

NurseryCam Suspends Service After Hack. NurseryCam, a system that allows parents to watch their children while they are at nursery school, has temporarily suspended its operations to improve its security. Last week, NurseryCam account credentials were accessed and posted online. The NurseryCam service has been used by roughly 40 nurseries in the UK. Read more in:

SolarWinds: Neuberger White House Briefing. At a White House briefing on Wednesday, February 17, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, said that the Biden administration is working on an executive action to help agencies respond to the SolarWinds supply chain attack. Nine federal agencies and 100 private companies are known to have been affected by the attack; that number is likely to grow. Read more in:

SolarWinds: Microsoft Says Attackers Accessed Source Code. In a blog published on Thursday, February 18, Microsoft says that the hackers behind the SolarWinds supply chain attack accessed code repositories for “a small subset of Azure components (subsets of service, security, identity), a small subset of Intune components, and a small subset of Exchange components.” In some cases, the attackers downloaded source code. Read more in:

Malware Targeting Apple M1 Processors. Researchers have detected two malware strains that target Apple’s new M1 processors. The M1 system-on-a-chip (SoC) was launched late last year and is used in the most recent generations of MacBook Air, MacBook Pro, and Mac mini devices. Read more in:

Microsoft Replaces Two Windows 10 Servicing Stack Updates. Microsoft has pulled two problematic Windows 10 servicing stack updates (SSUs) and replaced them with new ones. KB4601392 has been replaced by KB5001078, and KB4601390 has been replaced with KB5001079. Read more in:

US DoJ Indicts Three Alleged Hackers Linked to North Korean APT Group. The US Department of Justice (DoJ) has unsealed an indictment charging three North Korean individuals in connection with cyberattacks conducted over more than six years. The individuals were allegedly involved in the 2014 attack against Sony Pictures, the deployment of the WannaCry malware in 2017, and stealing $200 million from banks, ATMs, and cryptocurrency organizations. The individuals charged are believed to be part of a hacking group known as Lazarus, Hidden Cobra, or APT38. Read more in:

Following Credential-Stuffing Attack, RIPE NCC Internet Registry Urges Users to Adopt 2FA. The RIPE Network Coordination Centre (RIPE NCC) is urging users to enable two-factor authentication (2FA). In a notice on its website, RIPE NCC writes, “Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime.” RIPE NCC is a not-for-profit regional Internet registry for Europe, the Middle East, and the former USSR. The organization is headquartered in Amsterdam. Read more in:

Virginia Privacy Law. The Virginia Consumer Data Protection Act received overwhelming support in both the Virginia House and Senate; it is now headed to the governor’s desk. If it is signed into law, the bill would apply to companies that “conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.” Read more in:

Critical Vulnerabilities in Ninja Forms WordPress Plugin. Four critical flaws in the Ninja Forms WordPress plugin could be exploited to intercept email, take control of vulnerable websites, and redirect administrators to malicious sites. The plugin is installed on more than one million WordPress sites. Users are urged to update to Ninja Forms version 3.4.34.1 or newer. Read more in:

Health IT Security News Roundup. Incidents covered in Health IT Security’s weekly breach roundup include an 18-month long data leak due to third-party software at Sutter Buttes Imaging in California; a January ransomware attack against Granite Wellness Centers, also in California; an employee email account breach at Grand River Medical Group in Iowa; and a data breach at Texas Spine Consultants. Read more in:

WatchDog Cryptojacking Campaign Started in January 2019. Researchers from Palo Alto Networks’ Unit 42 have uncovered an ongoing cryptojacking campaign that has been active for more than two years. The WatchDog campaign mines for Monero cryptocurrency; it has compromised nearly 500 Windows and Linux devices. Read more in:

Hackers Targeted an Obsolete Version of Centreon Software to Infiltrate IT Providers’ Networks. For the past several years, hackers have been targeting vulnerable instances of Centreon monitoring software to gain access to IT providers’ networks. Centreon says that the attackers exploited “an obsolete open source version (v2.5.2), which has been unsupported for 5 years.” French cybersecurity watchdog ANSSI says the attacks bear similarities to those conducted by the Sandworm APT group. Read more in: