Cybersecurity News Headlines Update on February 27, 2021

US Federal Reserve Outage. The US Federal Reserve Bank experienced an outage on Wednesday, February 24 that affected multiple services, including the Federal Reserve’s Account Services, Central Bank, Check 21, Check Adjustments, FedACH, FedCash, FedLine Advantage, FedLine Command, FedLine Direct, FedLine Web, Fedwire Funds, Fedwire Securities and National Settlement Services. The issue was determined to be an operational error and was largely resolved on Wednesday afternoon. Read more in:

• Fed glitch shuts down wire transfers, direct deposits, other services
• Federal Reserve nationwide outage impacts US banking system
• Federal Reserve’s Money Transfer Services Suffer Outage
• Service Status

TD Bank Outage on Wednesday, February 24. On Wednesday, February 24, TD Back experienced an outage that prevented customers from accessing bank accounts online, using ATMs, or checking balances by phone. Systems displayed a message saying that that “due to planned maintenance activity, access is temporarily down.” Services were restored Wednesday evening, but deposits made that day had not yet been credited to accounts. TD Bank has not provided additional information about the outage. Read more in: TD Bank suffered systemwide banking outage, services now recovered

ThreatNeedle Backdoor Malware Targets Defense Contractors. Kaspersky security researchers have detailed how North Korean hackers use backdoor malware known as ThreatNeedle to steal sensitive information from defense contractors in 12 countries. The hackers from the Lazarus group gained access to targeted networks through spear phishing campaigns. Kaspersky notes that the hackers “overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server.” Read more in:

• Lazarus targets defense industry with ThreatNeedle
• North Korean hackers target defense industry with custom malware
• ThreatNeedle malware tied to year-long North Korean espionage campaign against global defense industry

Cybersecurity Authorities: Hackers are Exploiting Flaws in Accellion’s FTA. The US Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Australia, New Zealand, Singapore, and the UK have issued a joint alert warning that threat actors are exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA). The advisory includes indicators of compromise (IoC) and recommended mitigations. In related stories, two more organizations have acknowledged that they were victims of these attacks: Transport for New South Wales in Australia and Canadian aircraft manufacturer Bombardier. Read more in:

• Exploitation of Accellion File Transfer Appliance
• Cybersecurity Agencies Warn of Accellion Vulnerability Exploits
• CISA Warns of Accellion FTA Exploit; Centene Among Breach Victims
• Transport for NSW confirms data taken in Accellion breach
• Airplane maker Bombardier data posted on ransomware leak site following FTA hack

NurseryCam Company Gets Security Help from NCSC. The UK’s National Cyber Security Centre (NCSC) is helping FootfallCam Ltd secure its NurseryCam service. Last week, NurseryCam was forced to temporarily suspend services after a data breach exposed account details of 12,000 users. Footfall operates the NurseryCam service, which allows parents to register accounts and watch their children at daycare centers. Read more in:

• UK’s National Cyber Security Centre sidles in to help firm behind hacked NurseryCam product secure itself
• Daycare Webcam Service Exposes 12,000 User Accounts

Firefox 86 Includes Total Cookie Protection. With the release of Firefox 86, Mozilla has introduced a feature that “confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site.” Known as Total Cookie Protection, the feature is part of the browser’s Enhanced Tracking Protection strict mode. Read more in:

• Firefox 86 Introduces Total Cookie Protection
• Mozilla Patches Bugs in Firefox, Now Blocks Cross-Site Cookie Tracking
• Mozilla Firefox keeps cookies kosher with quarantine scheme, 86s third-party cookies in new browser build

Senate Intelligence Committee Hearing on SolarWinds. At a US Senate Intelligence Committee Hearing regarding the SolarWinds supply chain attack, Microsoft President Brad Smith and FireEye CEO Kevin Mandia called for requiring private sector companies to disclose cyber incidents. SolarWinds CEO Sudhakar Ramakrishna said that communicating with a single government agency equipped to share incident information would streamline the process. The SolarWinds hackers used Amazon’s cloud computing services to disguise their activity; Amazon declined to send a representative to the hearing. The GovInfosecurity story notes that the hearing “raised four key issues: how Amazon Web Services may have been used to host malicious infrastructure; why the attackers conducted a “dry run”; what the true motives were for the attack, which apparently was waged by Russian hackers; how the incident could lead to better cyberthreat and intelligence information sharing.” (Please note that the WSJ story is behind a paywall.) Read more in:

• US Senate Select Committee on Intelligence Hearing Video | Tuesday, February 23, 2021
• CEOs, Senators discuss mandating cyber-attack disclosures
• Microsoft president asks Congress to force private-sector orgs to publicly admit when they’ve been hacked
• SolarWinds fallout sparks calls for mandatory incident reporting, repercussions after cyber attacks
• Microsoft, FireEye push for breach reporting rules after SolarWinds hack
• Senate SolarWinds Hearing: 4 Key Issues Raised
• Amazon’s Lack of Public Disclosure on SolarWinds Hack Angers Lawmakers (paywall)
• SolarWinds not the only company used to hack targets, tech execs say at hearing

China’s Version of Flash is Also Downloading Adware. Because so much of China’s IT ecosystem relies on Flash, Adobe has allowed a single Chinese company to distribute Flash in that country. (Flash reached its official end-of-life in January 2021.) A security company recently reported alerts associated with the version of Flash being distributed in China. Analysts found that when users downloaded Flash, it was installed along with another file that caused a new browser window to open and display sites with lots of ads. Read more in: Flash version distributed in China after EOL is installing adware

Canadian Aircraft Manufacturer Bombardier Discloses Data Breach. Canadian aircraft manufacturer Bombardier has disclosed a data breach after hackers posted stolen files on the dark web. The threat actors gained access to the information “by exploiting a vulnerability affecting a third-party file-transfer application,” according to a statement from the company. The files include “personal and other confidential information relating to employees, customers and suppliers.” Read more in:

• Bombardier Statement on Cybersecurity Breach
• Plane-maker Bombardier discloses breach after stolen data surfaces
• Ransomware gang extorts jet maker Bombardier after Accellion breach

Botnet Uses Blockchain to Maintain Persistence. Researchers at Akamai have discovered that a botnet being used to mine cryptocurrency is now using blockchain to facilitate infected machines’ communications with the command-and-control server. In the event that the regular command-and-control server is sinkholed, the infected machines search for the IP address of a backup server that is encoded in the Bitcoin blockchain. Read more in:

• Bitcoins, Blockchains, and Botnets
• The bitcoin blockchain is helping keep a botnet from being taken down
• Botnet Uses Blockchain to Obfuscate Backup Command & Control Information

Ransomware Attack Hits Finnish IT Company TietoEVRY. Finnish IT services provider TietoEVRY was forced to disconnect services to 25 clients after its network was hit with a ransomware attack. TietoEVRY has contacted authorities and is investigating the incident. Read more in:

• Information about ransomware attack in Norway
• Finnish IT Giant Hit with Ransomware Cyberattack
• Finnish IT services giant TietoEVRY discloses ransomware attack

China Used Malicious Firefox Extension to Spy on Tibetan Organizations. Using a malicious Firefox extension, state-sponsored Chinese hackers targeted Tibetan organizations. Researchers from Proofpoint say that the extension allows the hackers to take control of Gmail accounts, including receiving notifications, reading and deleting messages, and sending emails. It also gives hackers access to certain Firefox functions. Read more in:

• TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations
• Chinese cyberspies targeted Tibetans with a malicious Firefox add-on
• Malicious Mozilla Firefox Extension Allows Gmail Takeover

Silver Sparrow Malware Has Infected 30,000 macOS Devices. Malware that targets Apple’s macOS has been found on 30,000 mac computers, but it is unclear what the malware, dubbed Silver Sparrow, is supposed to do. Once an hour, the infected machines check a control server for commands, but researchers have not seen evidence of a payload. There are two versions of the malware; one that targets x86-based machines and a second that targets both x86-based and M1-based machines. Read more in:

• Mysterious Silver Sparrow Malware Found Nesting on 30K Macs
• 30,000 Macs infected with new Silver Sparrow malware
• Malware monsters target Apple’s M1 silicon with ‘Silver Sparrow’
• New malware found on 30,000 Macs has security pros stumped
• Attackers Already Targeting Apple’s M1 Chip with Custom Malware
• Mysterious Mac Malware Infected at Least 30,000 Devices Worldwide
• New Silver Sparrow malware infects 30,000 Macs for unknown purpose

Chinese Hackers Built Clone of NSA Hacking Tool in 2014. Researchers at security firm Check Point have disclosed evidence that a Chinese hacking group managed to obtain and use an NSA hacking tool. The tool, which was developed by the Equation Group, is called EpMe and is used to gain elevated privileges. Using EpMe code from 2013, the Chinese hackers developed a clone in 2014 and used it from 2015 until March 2017, when Microsoft patched the vulnerability the tool exploited. Read more in:

• The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
• China Hijacked an NSA Hacking Tool in 2014—and Used It for Years
• Chinese hackers cloned attack tool belonging to NSA’s Equation Group
• Chinese hackers used NSA exploit years before Shadow Brokers leak
• Chinese hackers stole another NSA-linked hacking tool, research finds

Underwriters Laboratories Hit with Ransomware. Underwriters Laboratories (UL) has shut down its IT systems following a ransomware attack. The incident occurred on February 13; devices in UL’s data center were encrypted. UL shut down all systems to prevent the malware from spreading. The organization is reportedly restoring its systems from backups and does not intent to pay the ransom. Read more in: Underwriters Laboratories (UL) certification giant hit by ransomware

Payment Processor AFTS Hit With Ransomware. Ransomware operators targeted Seattle-based payment processor, AFTS, and stole files before encrypting the company’s IT system. Automatic Funds Transfer Services (AFTS) is used by government agencies and other organizations across the US to process payments and verify addresses. AFTS customers include the California DMV and numerous other municipalities and agencies in California and Washington. The California Department of Motor vehicles has notified residents of the breach. Read more in:

• US cities disclose data breaches after vendor’s ransomware attack
• California DMV Contractor Hack May Have Exposed Driver Info
• ‘Cuba Ransomware’ attack disrupts payment provider used by state and local agencies
• Payment processor used by government hit by ‘Cuba’ ransomware gang
• ‘Cuba’ Ransomware Gang Hits Payment Processor, Steals Data

Georgetown County, SC, Government Still Recovering from Ransomware. A month after a ransomware attack took control of its IT system, Georgetown County, South Carolina, is still working to repair its systems. The county did not pay the demanded ransom. Roughly half of employees now have access to their county email accounts. Read more in: South Carolina County Rebuilds Network After Hacking

FBI Warns of Telephony Denial of Service Attacks Affecting First Responders. A public service announcement (PSA) from the US Federal Bureau of Investigation (FBI) warns that first responder systems are vulnerable to Telephony Denial of Service (TDoS) attacks, which consumes resources at call centers and prevent true emergency calls from getting through. The attacks have been targeting Public Safety Answering Points (PSAPs), which are call hubs for connecting callers to emergency services. The PSA recommends finding out how to contact emergency services in the event of a 911 outage, having non-emergency numbers on hand. Read more in:

• TDoS Attacks Take Aim at Emergency First-Responder Services
• Telephony Denial of Service Attacks Can Disrupt Emergency Call Center Operations

Lakehead University Extends Winter Break Due to Cyberattack. Lakehead University in Canada has extended its winter study break through February 26 due to a cyberattack. The incident forced the school to prevent access to its servers. The attack targeted Lakehead’s file share servers. Users who kept sensitive information, including access credentials, on the file share servers are being advised to change their passwords. Read more in:

• Lakehead University extends winter study break after cyber attack
• Lakehead University shuts down campus network after cyberattack

Accellion Breach: Possible Threat Actors Identified. Researchers at FireEye have linked attacks exploiting vulnerabilities in Accellion’s File Transfer Appliance (FTA) to a cybercrime group identified as FIN11. The threat actors exploited four unpatched vulnerabilities in the legacy software to install a web shell known as DEWMODE, which was used to download files from FTA appliances. Victims of the attacks include Singtel, the Reserve Bank of New Zealand, and Kroger Supermarkets. Read more in:

• Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
• Accellion Data Breach Resulted in Extortion Attempts Against Multiple Victims
• FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group
• Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11
• Accellion: How Attackers Stole Data and Ransomed Companies
• Global Accellion data breaches linked to Clop ransomware gang
• Kroger data breach exposes pharmacy and employee data
• Supermarket Chain Kroger Discloses Data Breach

Microsoft Flaw Fixed in February Had Been Exploited Since Summer 2020. One of the vulnerabilities that Microsoft fixed in its February 2021 Patch Tuesday release has been exploited in the wild since the summer of 2020. The high-severity privilege elevation issue can be exploited “by triggering a use-after-free condition in the win32k.sys core kernel component.” Read more in: Recently fixed Windows zero-day actively exploited since mid-2020

Buggy Software is Causing Problems for Arizona Prison System. Software used by the Arizona State Department of Corrections is riddled with problems. Bugs in the system have placed inmates in cells with people they should not have contact with, have failed to keep inmates’ medications with them when inmates are transferred to a new unit, and they have failed to identify inmates who qualify for programs to reduce their sentences, keeping inmates incarcerated past their release dates. People working on the system knew there were problems and urged the department not to take it live, but their concerns went unheeded because the department had already spent so much money on the project. Rather than fix the software, Department of Connections employees are solving the problems manually. Read more in:

• Whistleblowers: Software Bug Keeping Hundreds Of Inmates In Arizona Prisons Beyond Release Dates
• Software bugs reportedly keep Arizona inmates jailed past release dates

NIST Updates Smart Grid Framework. The US National Institute of Standards and Technology (NIST) has released an updated version of its smart grid framework. The NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 4.0, “includes updates to the Smart Grid Conceptual Model, introduces new Communication Pathways Scenarios and an Ontology for the smart grid, provides guidance on cybersecurity practices and tools, and develops the concept of an Interoperability Profile to facilitate testing and certification to improve smart grid interoperability and functionality.” Read more in:

• NIST updates smart grid framework
• NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 4.0

NurseryCam Suspends Service After Hack. NurseryCam, a system that allows parents to watch their children while they are at nursery school, has temporarily suspended its operations to improve its security. Last week, NurseryCam account credentials were accessed and posted online. The NurseryCam service has been used by roughly 40 nurseries in the UK. Read more in:

• NurseryCam hacked, company shuts down IoT camera service
• Parents alerted to NurseryCam security breach

SolarWinds: Neuberger White House Briefing. At a White House briefing on Wednesday, February 17, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, said that the Biden administration is working on an executive action to help agencies respond to the SolarWinds supply chain attack. Nine federal agencies and 100 private companies are known to have been affected by the attack; that number is likely to grow. Read more in:

• Agencies ‘building back better’ after SolarWinds breach, top Biden cyber official says
• White House warns SolarWinds breach cleanup will take time
• SolarWinds Hack ‘Compromised’ 9 Fed Agencies; ‘Executive Action’ on the Way
• ‘White House Plans Executive Action in Response to Hack Involving SolarWinds
• White House Promises Cybersecurity Action, SolarWinds Response
• Biden Likely to Take Executive Action on SolarWinds Hack
• SolarWinds attack hit 100 companies and took months of planning, says White House

SolarWinds: Microsoft Says Attackers Accessed Source Code. In a blog published on Thursday, February 18, Microsoft says that the hackers behind the SolarWinds supply chain attack accessed code repositories for “a small subset of Azure components (subsets of service, security, identity), a small subset of Intune components, and a small subset of Exchange components.” In some cases, the attackers downloaded source code. Read more in:

• Microsoft Internal Solorigate Investigation – Final Update
• Microsoft admits some Azure, Exchange, Intune source code snaffled in SolarWinds schemozzle
• Microsoft says SolarWinds hackers downloaded some Azure, Exchange, and Intune source code
• Microsoft: SolarWinds hackers downloaded Azure, Exchange source code
• Microsoft says SolarWinds hackers stole source code for 3 products
• SolarWinds hackers studied Microsoft source code for authentication and email

Malware Targeting Apple M1 Processors. Researchers have detected two malware strains that target Apple’s new M1 processors. The M1 system-on-a-chip (SoC) was launched late last year and is used in the most recent generations of MacBook Air, MacBook Pro, and Mac mini devices. Read more in:

• Malware Is Now Targeting Apple’s New M1 Processor
• M1 Malware Has Arrived
• Mac Malware Targets Apple’s In-House M1 Processor
• Hackers Are Starting to Code Malware Specifically for Apple’s M1 Computers
• Apple touts M1 features in updated security guide, days after malicious code discovery

Microsoft Replaces Two Windows 10 Servicing Stack Updates. Microsoft has pulled two problematic Windows 10 servicing stack updates (SSUs) and replaced them with new ones. KB4601392 has been replaced by KB5001078, and KB4601390 has been replaced with KB5001079. Read more in:

• Microsoft Pulls Bad Windows Update After Patch Tuesday Headaches
• Microsoft pulls a second Windows SSU for blocking security updates
• KB5001078: Servicing stack update for Windows 10, version 1607: February 12, 2021
• KB5001079: Servicing stack update for Windows 10: February 12, 2021

US DoJ Indicts Three Alleged Hackers Linked to North Korean APT Group. The US Department of Justice (DoJ) has unsealed an indictment charging three North Korean individuals in connection with cyberattacks conducted over more than six years. The individuals were allegedly involved in the 2014 attack against Sony Pictures, the deployment of the WannaCry malware in 2017, and stealing $200 million from banks, ATMs, and cryptocurrency organizations. The individuals charged are believed to be part of a hacking group known as Lazarus, Hidden Cobra, or APT38. Read more in:

• Feds Indict North Korean Hackers for Years of Heists and Scams
• Uncle Sam accuses three suspected North Korean govt hackers of stealing $1.3bn+ from banks, crypto orgs
• US charges two more members of the ‘Lazarus’ North Korean hacking group
• U.S. Indicts North Korean Hackers in Theft of $200 Million
• Indictment (PDF)

Following Credential-Stuffing Attack, RIPE NCC Internet Registry Urges Users to Adopt 2FA. The RIPE Network Coordination Center (RIPE NCC) is urging users to enable two-factor authentication (2FA). IN a notice on its website, RIPE NCC writes, “Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime.” RIPE NCC is a not-for-profit regional Internet registry for Europe, the Middle East, and the former USSR. The organization is headquartered in Amsterdam. Read more in:

• Attack on RIPE NCC Access: Please Enable Two-Factor Authentication
• RIPE NCC discloses failed brute-force attack on its SSO service
• RIPE NCC Internet Registry discloses SSO credential stuffing attack

Virginia Privacy Law. The Virginia Consumer Data Protection Act received overwhelming support in both the Virginia House and Senate; it is now headed to the governor’s desk. If it is signed into law, the bill would apply to companies that “conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.“ Read more in:

• Virginia Takes Different Tack Than California With Data Privacy Law
• Virginia Data Protection Proposal Will Land on Governor’s Desk
• HB 2307 Consumer Data Protection Act; establishes a framework for controlling and processing personal data.

Critical Vulnerabilities in Ninja Forms WordPress Plugin. Four critical flaws in the Ninja Forms WordPress plugin could be exploited to intercept email, take control of vulnerable websites, and redirect administrators to malicious sites. The plugin is installed on more than one million WordPress sites. Users are urges to update to Ninja Forms version 3.4.34.1 or newer. Read more in:

• One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms
• Ninja Forms WordPress Plugin Bug Opens Websites to Hacks

Health IT Security News Roundup. Incidents covered in Health IT Security’s weekly breach roundup include an 18-month long data leak due to third-party software at Sutter Buttes Imaging in California; a January ransomware attack against Granite Wellness Centers, also in California; an employee email account breach at Grand River Medical Group in Iowa; and a data breach at Texas Spine Consultants. Read more in:

• Sutter Buttes Imaging Vulnerability Hack Causes 18 Month Data Breach
• Notice of Potential Data Breach (PDF)
• Notice of Data Security Incident
• Grand River Website Notice (PDF)
• Security Incident

WatchDog Cryptojacking Campaign Started in January 2019. Researchers from Palo Alto Network’s Unit 42 have uncovered an ongoing cryptojacking campaign that has been active for more than two years. The WatchDog campaign mines for Monero cryptocurrency; it has compromised nearly 500 Windows and Linux devices. Read more in:

• WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years
• Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign

Hackers Targeted an Obsolete Version of Centreon Software to Infiltrate IT Providers’ Networks. For the past several years, hackers have been targeting vulnerable instances of Centreon monitoring software to gain access to IT providers’ networks. Centreon says that the attackers exploited “an obsolete open source version (v2.5.2), which has been unsupported for 5 years.” French cybersecurity watchdog ANSSI says the attacks bear similarities to those conducted by the Sandworm APT group. Read more in:

• French IT monitoring company’s software targeted by hackers: cyber agency
• France Ties Russia’s Sandworm to a Multiyear Hacking Spree
• Russian Sandworm hackers only hit orgs with old Centreon software