Cybersecurity News Headlines Update on March 07, 2021

Microsoft Fixes Exchange Server Flaws Exploited by Hafnium Threat Actor. Microsoft has warned that Hafnium, a state-sponsored threat actor operating from China, has been exploiting four previously unknown vulnerabilities in Microsoft Exchange Server software to gain access to the networks of targeted organizations and exfiltrate data. The attacks target on-premises Exchange Server software. Microsoft has released updates to address the vulnerabilities, which affect Microsoft Exchange Server 2013, 2016, and 2019.

CISA Orders Federal Agencies to Mitigate Exchange Server Vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive that requires federal government agencies to mitigate “all instances of on-premises Microsoft Exchange Servers in the environment.” CISA recommends that organizations examine systems for evidence of malicious activity. If none is found, agencies should apply the security updates. If evidence of malicious activity is found, agencies “should assume network identity compromise and follow incident response procedures.” Agencies have until noon EST on Friday, March 5 to submit a report to CISA regarding actions taken.

Exchange Server Attacks. The Hafnium threat actors have been exploiting four critical vulnerabilities in Microsoft Exchange Server to gain access to email and steal and exfiltrate data. The attackers have targeted defense contractors, law firms, policy think tanks, non-government organizations, and organizations conducting infectious disease research.

Microsoft and FireEye Provide Details About New SolarWinds Malware. In a blog post, Microsoft describes newly detected malware that has ties to the SolarWinds supply chain attack. GoldMax is a command-and-control backdoor; Sibot helps achieve persistence on targeted machines and downloads and executes payloads; GoldFinder is an HTTP tracer tool. The new strains were used in the later stages of the attack in August and September 2020. FireEye has also provided details about the command-and-control backdoor, which it calls SUNSHUTTLE.

Accellion FTA Vulnerability: Qualys Server Breached, Files Stolen. Qualys has confirmed that it is among the organizations affected by the Accellion File Transfer Appliance (FTA) vulnerability. Cyber extortionists published files that appear to have come from a Qualys server. Qualys says it had “deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products.”

Data Breach Affects Malaysia Airlines Frequent Flyer Members. Malaysia Airlines has disclosed that data belonging to members of its frequent flyer program were compromised for nine years. The breach occurred on the system of a third-party IT provider. The breach affects members of the Enrich frequent flyer program who registered between March 2010 and June 2019. In a separate story, data belonging to 580,000 Singapore Airlines frequent flyer members was compromised.

Code Dependency Confusion Attack Targeting Amazon, Lyft, Slack, and Others. Attackers have weaponized a proof-of-concept code dependency confusion exploit to target internal applications for Amazon, Lyft, Slack, Zillow, and other companies by injecting malicious code into developer projects in the npm public code repository. Read more in: Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow
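A dependency confusion attack of the kind described above succeeds when a build resolves an internal package name against the public npm registry rather than the organization's private one. The script below is an added example, not code from the news item or from any of the companies named: it audits a project's package.json, package-lock.json and .npmrc against a list of the organization's internal package names and flags the conditions a defender wants to rule out, namely internal packages published without a scope, scopes that are not pinned to the private registry, and lockfile entries already resolved from the public registry. All package names, registry URLs and file contents are constructed for the example; the private registry URL and the internal package list are assumptions.

```javascript
// Added example (not from the news item or any vendor's tooling): a defensive
// audit for npm dependency-confusion exposure. Given an organization's list of
// internal package names, it checks package.json, package-lock.json and .npmrc
// for the three conditions a defender wants to rule out. All names, URLs and
// file contents below are constructed for the example.

// Assumption: the private registry the organization publishes internal packages to.
const PRIVATE_REGISTRY = 'https://npm.internal.example/';

// Constructed sample inputs standing in for files read from a repository.
const SAMPLE_PACKAGE_JSON = {
  name: 'storefront',
  dependencies: {
    'billing-core': '^1.2.0',        // internal, but unscoped
    '@acme/auth-client': '^2.0.0',   // internal, scope pinned in .npmrc
    '@acme/logging': '^1.0.0',
    '@legacy/reports': '^3.1.0',     // internal, scope NOT pinned in .npmrc
    lodash: '^4.17.21',              // genuinely public
  },
};

const SAMPLE_LOCKFILE = {
  packages: {
    'node_modules/billing-core': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/billing-core/-/billing-core-1.2.3.tgz',
    },
    'node_modules/@acme/auth-client': {
      version: '2.0.1',
      resolved: 'https://npm.internal.example/@acme/auth-client/-/auth-client-2.0.1.tgz',
    },
    'node_modules/@acme/logging': {
      version: '1.0.4',
      resolved: 'https://npm.internal.example/@acme/logging/-/logging-1.0.4.tgz',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
  },
};

const SAMPLE_NPMRC = [
  '# constructed .npmrc',
  '@acme:registry=https://npm.internal.example/',
  '//npm.internal.example/:_authToken=${NPM_TOKEN}',
].join('\n');

// Assumption: the names the organization publishes internally.
const INTERNAL_PACKAGES = new Set([
  'billing-core', '@acme/auth-client', '@acme/logging', '@legacy/reports',
]);

// Parse the registry mappings out of an .npmrc file.
// Returns a Map: '@scope' -> registry URL, with '' for the default registry.
function parseNpmrc(text) {
  const registries = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') registries.set('', value);
    else if (key.endsWith(':registry')) registries.set(key.slice(0, -':registry'.length), value);
  }
  return registries;
}

// Audit one project. Returns a list of findings; an empty list means no
// internal dependency is left in a state where the public registry could satisfy it.
function auditDependencies({ pkg, lock, npmrc, internalPackages, privateRegistry }) {
  const findings = [];
  const registries = parseNpmrc(npmrc);
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  for (const name of Object.keys(deps)) {
    if (!internalPackages.has(name)) continue;
    const scope = name.startsWith('@') ? name.slice(0, name.indexOf('/')) : '';
    if (scope === '') {
      // An unscoped name can be registered on the public registry by anyone,
      // so it is flagged regardless of how the registry is configured.
      findings.push({ name, issue: 'unscoped-internal-name' });
    } else {
      // npm uses the scope's registry if set, otherwise the default registry.
      const effective = registries.get(scope) || registries.get('') || '';
      if (!effective.startsWith(privateRegistry)) {
        findings.push({ name, issue: 'scope-not-pinned-to-private-registry' });
      }
    }
    const entry = lock.packages ? lock.packages['node_modules/' + name] : undefined;
    if (entry && entry.resolved && !entry.resolved.startsWith(privateRegistry)) {
      // The lockfile already records a fetch from somewhere other than the private registry.
      findings.push({ name, issue: 'resolved-from-public-registry', resolved: entry.resolved });
    }
  }
  return findings;
}

// Run the audit over the constructed sample project.
function runSampleAudit() {
  return auditDependencies({
    pkg: SAMPLE_PACKAGE_JSON, lock: SAMPLE_LOCKFILE, npmrc: SAMPLE_NPMRC,
    internalPackages: INTERNAL_PACKAGES, privateRegistry: PRIVATE_REGISTRY,
  });
}

for (const finding of runSampleAudit()) console.log(finding);
```

On the sample project the audit reports billing-core twice (unscoped, and already resolved from registry.npmjs.org in the lockfile) and @legacy/reports once (its scope has no registry mapping), while the @acme packages and lodash pass. In a real pipeline the three constants would be replaced by the files read from the repository and the internal package list pulled from the private registry, and any finding would fail the build before installation runs.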

CompuCom MSP Discloses Ransomware Attack. IT managed services provider (MSP) CompuCom has disclosed that its IT systems were hit by a ransomware attack, which has affected services provided to some customers. Last weekend, customers attempting to open troubleshooting tickets in the customer portal saw error messages.

MITRE Ransomware Resource for Healthcare Organizations. On Monday, March 1, MITRE launched a Ransomware Resource Center for healthcare organizations. The website offers advice tailored to specific IT-related roles in healthcare. Tools are categorized according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

CISA and NSA Release Guidance on Choosing Protective DNS Service. The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint information sheet providing guidance for selecting a protective DNS (PDNS) service. The document describes how PDNS works and provides an analysis of PDNS providers broken down by capabilities.

GAO: DOD Needs to Provide Guidance for Cybersecurity Language in Weapons Systems Contracts. According to a report from the Government Accountability Office (GAO), three of five DOD weapons systems contracts reviewed by GAO had no cybersecurity requirements as awarded, and just vague recommendations added later. GAO recommends “that the Army, Navy, and Marine Corps provide guidance on how programs should incorporate tailored cybersecurity requirements into contracts. [Those contracts] should define requirements, identify criteria for accepting or rejecting the work, and establish how the government will verify that requirements have been met.”

Indian Government Refutes Reports that China is Responsible for Power Sector Cyber Attacks. According to a report from cybersecurity company Recorded Future, hackers with ties to China’s government are behind a series of cyberattacks targeting power generation and distribution facilities in India. Ten Indian power organizations have been targeted since mid-2020. The report posits that the campaign may be responsible for an October 2020 power outage in Mumbai. India’s Ministry of Power responded to the allegations, saying, “There is no impact on any of the functionalities carried out by POSOCO (Power System Operation Corporation) due to the referred threat.” (An executive summary of the Recorded Future report is below; access to the full white paper requires registration.)

Oxford Univ. COVID Research Lab Targeted by Hackers. Hackers gained access to computers at the Division of Structural Biology lab at Oxford University (UK). The lab is conducting COVID-19-related research. The compromised machines are “used to purify and prepare biochemical samples.” The National Cyber Security Centre (NCSC) has been notified and will conduct an investigation.

NCSC Free Cybersecurity Tool for Small Businesses. The UK’s National Cyber Security Centre (NCSC) has established a free online service to help small businesses develop a customized cyber security action plan. The “Cyber Action Plan” tool is currently available to sole traders and small businesses; availability for individuals and families is forthcoming.

Universal Health Services Estimates 2020 Ransomware Attack Cost Them $67M. Universal Health Services, which experienced a ransomware attack in the fall of 2020, now says that the incident cost the organization $67 million in losses due to patients being diverted to other facilities, delayed billing, and the cost of restoring connectivity. The information was disclosed in an earnings statement released late last month. (Please note that the WSJ story is behind a paywall.)

US House SolarWinds Hearing. On Friday, February 26, the US House of Representatives Homeland Security and Oversight and Reform Committees held a joint hearing on the SolarWinds supply chain attack. Executives from SolarWinds, FireEye, and Microsoft testified. Current and former SolarWinds CEOs Sudhakar Ramakrishna and Kevin Thompson faced pointed questioning regarding the company’s security culture. Homeland Security Committee chair Bennie G. Thompson said that laws needed to be updated to address the issues raised by the SolarWinds attack. Representatives Michael McCaul (R-Texas) and Jim Langevin (D-Rhode Island) plan to introduce a breach disclosure bill that would require companies to notify the government in the event of breaches.

Microsoft Open-Sourcing CodeQL Queries. Microsoft is releasing the CodeQL queries it used to analyze source code during its investigation of the SolarWinds supply chain attack. Other organizations can use the tool to help them determine if their systems were infected by the attack.

Logix PLC Hard-Coded Key Vulnerability. A severe vulnerability in Rockwell Automation’s Logix programmable logic controllers (PLCs) can be remotely exploited to alter the devices’ application code and configuration. The issue lies in a hard-coded encryption key. Affected products include Studio 5000 Logix Designer, RSLogix 5000, and numerous Logix Controllers. Rockwell has suggested mitigations and user actions to protect vulnerable systems.

NSA Publishes Zero-Trust Guidance. The US National Security Agency (NSA) has published guidance for organizations wanting to implement the Zero Trust security model, noting that Zero Trust “requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.” The document describes the basic principles of Zero Trust, outlines the benefits and challenges of its implementation, and offers recommendations for organizations that want to adopt the model.

T-Mobile Discloses Customer Data Breach. Telecommunications provider T-Mobile has disclosed that a data breach compromised customer information, including names, Social Security numbers, account numbers and associated PINs, and account security questions and answers. Some of the data appear to have been used in SIM-swapping attacks. T-Mobile notified affected customers in February. Read more in: T-Mobile discloses data breach after SIM swapping attacks

Chinese Businessman Charged in Attempted Theft of General Electric Intellectual Property. Federal authorities have indicted Chi Lung Winsman Ng for conspiring to steal trade secrets from General Electric (GE). The US Department of Justice said that Ng and unnamed co-conspirators allegedly conspired to steal sensitive data relating to GE’s silicon carbide metal-oxide semiconductor field-effect transistors (MOSFETs). One of the alleged co-conspirators was an engineer at GE for more than seven years.