Cybersecurity News Headlines Update on March 07, 2021

Microsoft Fixes Exchange Server Flaws Exploited by Hafnium Threat Actor. Microsoft has warned that Hafnium, a state-sponsored threat actor operating from China, has been exploiting four previously unknown vulnerabilities in Microsoft Exchange Server software to gain access to networks of targeted organizations and exfiltrate data. The attacks target on-premises Exchange Server software. Microsoft has released updates to address the vulnerabilities. They affect Microsoft Exchange Server 2013, 2016, and 2019. Read more in:

• HAFNIUM targeting Exchange Servers with 0-day exploits
• Multiple Security Updates Released for Exchange Server
• Microsoft Fixes Exchange Server Zero-Days Exploited in Active Attacks
• Microsoft fixes four zero-day flaws in Exchange Server exploited by China’s ‘Hafnium’ spies to steal victims’ data
• These Exchange Server zero-day flaws are being used by hackers, so update now
• Microsoft issues emergency patches for 4 exploited 0-days in Exchange
• Microsoft warns of state-sponsored Chinese hackers exploiting multiple zero-days

CISA Orders Federal Agencies to Mitigate Exchange Server Vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive that requires federal government agencies to mitigate ”all instances of on-premises Microsoft Exchange Servers in the environment.” CISA recommends that organizations examine systems for evidence of malicious activity. If none is found, agencies should apply the security updates. If evidence of malicious activity is found, agencies “should assume network identity compromise and follow incident response procedures.” Agencies have until noon EST on Friday, March 5 to submit a report to CISA regarding actions taken. Read more in:

• Alert (AA21-062A) Mitigate Microsoft Exchange Server Vulnerabilities
• Emergency Directive 21-02 | Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
• CISA orders US agencies to address Microsoft flaws exploited by suspected Chinese hackers
• CISA tells agencies to patch or unplug on-premise Microsoft email systems
• CISA orders agencies to disconnect and Microsoft Exchange on-prem servers
• CISA Orders Federal Agencies to Patch Exchange Servers

Exchange Server Attacks. The Hafnium threat actors have been exploiting four critical vulnerabilities in Microsoft Exchange Server to gain access to email and steal and exfiltrate data. The attackers have targeted defense contractors, law firms, policy think tanks, non-government organizations, and organizations conducting infections disease research. Read more in:

• Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails
• Microsoft Exchange Server breaches more widespread than originally thought
• More Details Emerge on the Microsoft Exchange Server Attacks
• Microsoft Exchange Zero-Day Attackers Spy on U.S. Targets
• Exchange Attacks Hitting Broad Range of Organizations
• Multiple Cyberspy Groups Target Microsoft Exchange Servers via Zero-Day Flaws
• Exchange Server Attacks Spread After Disclosure of Flaws

Microsoft and FireEye Provide Details About New SolarWinds Malware. In a blog post, Microsoft describes newly detected malware that has ties to the SolarWinds supply chain attack. GoldMax is a command-and-control backdoor; Sibot helps achieve persistence on targeted machines and downloads and executes payloads; GoldFinder is an HTTP tracer tool. The new strains were used in the later stages of the attack in August and September 2020. FireEye has also provided details about the command-and-control backdoor, which it calls SUNSHUTTLE. Read more in:

• Microsoft, FireEye Uncover More Malware Used in the SolarWinds Campaign
• Microsoft, FireEye Unmask More Malware Linked to SolarWinds Attackers
• Microsoft links new malware to SolarWinds hackers
• Microsoft reveals 3 new malware strains used by SolarWinds hackers
• GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
• FireEye finds new malware likely linked to SolarWinds hackers
• New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

Accellion FTA Vulnerability: Qualys Server Breached, Files Stolen. Qualys has confirmed that it is among the organizations affected by the Accellion File Transfer Appliance (FTA) vulnerability. Cyber extortionists published files that appear to have come from a Qualys server. Qualys says it had “deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products.” Read more in:

• Qualys Update on Accellion FTA Security Incident
• Qualys Confirms Unauthorized Access to Data via Accellion Hack
• Qualys hit with ransomware: Customer invoices leaked on extortionists’ Tor blog
• Cybersecurity firm Qualys likely latest victim of Accellion hacks
• Cloud security firm Qualys reportedly victimized by prolific scammers
• Accession zero-day claims a new victim in cybersecurity company Qualys

Data Breach Affects Malaysia Airlines Frequent Flyer Members. Malaysia Airlines has disclosed that data belonging to members of its frequent flyer program were compromised for nine years. The breach occurred on the system of a third-party IT provider. The breach affects members of the Enrich frequent flyer program who registered between March 2010 and June 2019. In a separate story, data belonging to 580,000 Singapore Airlines frequent flyer members was compromised. Read more in:

• Malaysia Airlines suffers data security ‘incident’ spanning nine years
• Nine-year Malaysia Airlines breach gave attackers lots of time to misuse data
• Malaysia Airlines discloses a nine-year-long data breach
• Singapore Airlines frequent flyer members hit in third-party data security breach

Code Dependency Confusion Attack Targeting Amazon, Lyft, Slack, and Others. Attackers have weaponized a proof-of-concept code dependency confusion exploit to target internal applications for Amazon, Lyft, Slack, Zillow, and other companies by injecting malicious code into developer projects in the npm public code repository. Read more in: Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow

CompuCom MSP Discloses Ransomware Attack. IT managed services provider (MSP) CompuCom has disclosed that its IT systems were a ransomware attack, which has affected services provided to some customers. Last weekend, customers attempting to open troubleshooting tickets in the customer portal saw error messages. Read more in:

• CompuCom MSP hit by DarkSide ransomware cyberattack
• CompuCom Issues Statement Regarding Malware Incident

MITRE Ransomware Resource for Healthcare Organizations. On Monday, March 1, MITRE launched a Ransomware Resource Center for healthcare organizations. The website offers advice tailored to specific IT-related roles in healthcare. Tools are categorized according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. Read more in:

• MITRE Unveils Ransomware Resource for Hospitals, Healthcare Providers
• Ransomware Resource Center

CISA and NSA Release Guidance on Choosing Protective DNS Service. The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint information sheet providing guidance for selecting a protective DNS (PDNS) service. The document describes how PDNS works and provides an analysis of PDNS providers broken down by capabilities. Read more in:

• NSA, CISA issue guidance on Protective DNS services
• Selecting a Protective DNS Service (PDF)

GAO: DOD Needs to Provide Guidance for Cybersecurity Language in Weapons Systems Contracts. According to a report from the Government Accountability Office (GAO), three of five DOD weapons systems contracts reviewed by GAO had no cybersecurity requirements as awarded, and just vague recommendations added later. GAO recommends “that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. [Those contracts] should define requirements, identify criteria for accepting or rejecting the work, and establish how the government will verify that requirements have been met.” Read more in:

• GAO report finds DOD’s weapons programs lack clear cybersecurity guidelines
• WEAPON SYSTEMS CYBERSECURITY: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors (PDF)

Indian Government Refutes Reports that China is Responsible for Power Sector Cyber Attacks. According to a report from cybersecurity company Recorded Future, hackers with ties to China’s government are behind a series of cyberattacks targeting power generation and distribution facilities in India. Ten Indian power organizations have been targeted since mid-2020. The report posits that the campaign may be responsible for an October 2020 power outage in Mumbai. India’s Ministry of Power responded to the allegations, saying, “There is no impact on any of the functionalities carried out by POSOCO (Power System Operation Corporation) due to the referred threat.” (An executive summary of the Recorded Future report is below; access to the full white paper requires registration.) Read more in:

• Suspected China-linked hackers targeted India’s energy sector, research suggests
• Malware attack that crippled Mumbai’s power system came from China, claims infosec intel outfit Recorded Future
• China’s new cyber tactic: targeting critical infrastructure
• China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions (Executive Summary)
• Mumbai blackout: Government denies CHina’s cyber campaign against Indian power grid
• Did Chinese Hackers Cause Mumbai’s Power Failure in October?

Oxford Univ. COVID Research Lab Targeted by Hackers. Hackers gained access to computers at the Division of Structural Biology lab at Oxford University (UK). The lab is conducting COVID-19-related research. The compromised machines are “used to purify and prepare biochemical samples.” The National Cyber Security Centre (NCSC) has been notified and will conduct an investigation. Read more in:

• Hackers Break Into ‘Biochemical Systems’ At Oxford University Lab Studying Covid-19
• Oxford University lab with COVID-19 research links targeted by hackers

NCSC Free Cybersecurity Tool for Small Businesses. The UK’s National Cyber Security Centre (NCSC) has established a free online service to help small businesses develop a customized cyber security action plan. The “Cyber Action Plan” tool is currently available to sole traders and small businesses; availability for individuals and families is forthcoming. Read more in:

• Free cybersecurity tool aims to help smaller businesses stay safer online
• Create your Cyber Action Plan

United Health Services Estimates 2020 Ransomware Attack Cost Them $67M. Universal Health Services, which experienced a ransomware attack in the fall of 2020 now says that the incident cost the organization $67 million in losses due to patients being diverted to other facilities, delayed billing, and the cost of restoring connectivity. The information was disclosed in an earnings statement released late last month. (Please note that the WSJ story is behind a paywall.) Read more in:

• Universal Health Services reports $67 million in losses after apparent ransomware attack
• Cyberattacks Cost Hospitals Millions During Covid-19 (paywall)
• Universal Health Services, Inc. Reports 2020 Fourth Quarter And Full Year Financial Results And 2021 Full Year Earnings Guidance

US House Solar Winds Hearing. On Friday, February 26, the US House of Representatives Homeland Security and Oversight and Reform Committees held a joint hearing on the SolarWinds supply chain attack. Executives from SolarWinds, FireEye, and Microsoft testified. Current and former SolarWinds CEOs Sudhakar Ramakrishna and Kevin Thompson faced pointed questioning regarding the company’s security culture. Homeland Security Committee chair Bennie G. Thompson said that laws needed to be updated to address the issues raised by the SolarWinds attack. Representatives Michael McCaul (R-Texas) and Jim Langevin (D-Rhode Island) plan to introduce a breach disclosure bill that would require companies to notify the government in the event of breaches. Read more in:

• At House SolarWinds hearing, bipartisan lawmakers announce breach disclosure bill
• House SolarWinds Hearing Focuses on Updating Cyber Laws
• Hearing on Hack Prompts Call for Review of Government’s Cloud Procurement
• Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign (video)

Microsoft Open-Sourcing CodeQL Queries. Microsoft is releasing the CodeQL queries it used to analyze source code during its investigation of the SolarWinds supply chain attack. Other organizations can use the tool to help them determine if their systems were infected by the attack. Read more in:

• Microsoft open sources CodeQL queries used to hunt for Solorigate activity
• Microsoft makes CodeQL queries public so security pros can better understand SolarWinds attack
• Microsoft Releases Free Tool for Hunting SolarWinds Malware

Logix PLC Hard-Coded Vulnerability. A severe vulnerability in Rockwell Automation’s Logix programable logic controllers (PLCs) can be remotely exploited to alter the devices’ application code and configuration. The issue lies in a hard-coded encryption key. Affected devices include Studio 5000 Logix Designer, RSLogix 5000, and numerous Logix Controllers. Rockwell has suggested mitigations and user actions to protect vulnerable systems. Read more in:

• Claroty Discovers Critical Authentication Bypass in Rockwell Software
• Hard-coded key vulnerability in Logix PLCs has severity score of 10 out of 10
• ICS Advisory (ICSA-21-056-03) Rockwell Automation Logix Controllers

NSA Publishes Zero-Trust Guidance. The US National Security Agency (NSA) has published guidance for organizations wanting to implement the Zero Trust security model, noting that Zero Trust “requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.” The document describes the basic principles of Zero Trust, outlines the benefits and challenges of its implementation, and offers recommendations for organizations that want to adopt the model. Read more in:

• Embracing a Zero Trust Security Model (PDF)
• NSA Releases Guidance on Zero-Trust Architecture
• NSA Issues Guidance on ‘Zero Trust’ Implementation
• NSA, Microsoft promote a Zero Trust approach to cybersecurity

T-Mobile Discloses Customer Data Breach. Telecommunications provider T-Mobile has disclosed that a data breach compromised customer information, including names, Social Security numbers, account numbers and associated PINs, and account security questions and answers. Some of the data appear to have been used in SIM-swapping attacks. T-Mobile notified affected customers in February. Read more in: T-Mobile discloses data breach after SIM swapping attacks

Chinese Businessman Charged in Attempted Theft of General Electric Intellectual Property. Federal authorities have indicted Chi Lung Winsman Ng for conspiring to steal trade secrets from General Electric (GE). The US Department of Justice said that Ng and unnamed co-conspirators allegedly conspired to steal sensitive data relating to GE’s silicon carbide metal-oxide semiconductor field-effect transistors (MOSFETs). One of the alleged co-conspirators was an engineer at GE for more than seven years. Read more in:

• Businessman charged with intent to steal General Electric’s secret silicon technology
• Chinese businessman plotted with GE insider to steal transistor secrets, say Feds
• Chinese Businessman Charged With Conspiring To Steal Trade Secrets