Cyber security news February 2021

This posting is here to collect cyber security news in February 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

265 Comments

  1. Tomi Engdahl says:

    Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet
    And what may be CAD drawing of a military radar antenna
    https://www.theregister.com/2021/02/23/bombardier_clop_ransomware_leaks/

  2. Tomi Engdahl says:

    The perils of non-disclosure? China ‘cloned and used’ NSA zero-day exploit for years before it was made public
    Check Point says Beijing ‘reconstructed’ Equation Group’s hacking tool long before leak
    https://www.theregister.com/2021/02/23/microsoft_chinese_nsa/?utm_source=dlvr.it&utm_medium=facebook

    A zero-day exploit said to have been developed by the NSA was cloned and used by Chinese government hackers on Windows systems years before the cyber-weapon was leaked online, it is claimed.

    Check Point put out a report on Monday digging into Chinese malware it calls Jian, and argues persuasively this particular software nasty was spawned sometime around 2014 from NSA exploit code that eventually leaked online in 2017.

    https://blog.checkpoint.com/2021/02/22/jian-the-chinese-double-edged-cyber-sword/

  3. Tomi Engdahl says:

    Proof-of-concept exploit code has been published online earlier today, and active scans for vulnerable VMware systems have been detected already.

    More than 6,700 VMware servers exposed online and vulnerable to major new bug
    https://www.zdnet.com/article/more-than-6700-vmware-servers-exposed-online-and-vulnerable-to-major-new-bug/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

  4. Tomi Engdahl says:

    Oxford’s Division of Structural Biology is hacked by a crew that has allegedly sold data to governments. They acquired access to machines preparing biochemical samples.

    Exclusive: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab Studying Covid-19
    https://www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=221501d32a39

    One of the world’s top biology labs—one whose renowned professors have been researching how to counter the Covid-19 pandemic—has been hacked.

  5. Tomi Engdahl says:

    Ukraine reports cyber-attack on government document management system
    Ukrainian officials blame “one of the hacker spy groups from the Russian Federation.”
    https://www.zdnet.com/article/ukraine-reports-cyber-attack-on-government-document-management-system/

  6. Tomi Engdahl says:

    The group behind a global cyber-espionage campaign that compromised thousands of the US software maker SolarWinds’ customers was likely seeking out specific targets, says Sudhakar Ramakrishna, the CEO of the company.

    Perpetrators of the attack were likely after a few prized assets – CEO of SolarWinds
    https://cybernews.com/security/perpetrators-of-the-attack-were-likely-after-a-few-prized-assets-ceo-of-solarwinds/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=ceo_solarwinds&fbclid=IwAR1FgnPecTGKpaaPxWqui_A5VFZUrUhWlRVkkKfXyiZa8djy4fLXcE9cVok

    The group behind a global cyber-espionage campaign that compromised thousands of the US software maker SolarWinds’ customers was likely seeking out specific targets, Sudhakar Ramakrishna, the CEO of the company, said on Monday’s Center for Strategic and International Studies (CSIS) webinar.

    Ramakrishna, who took over the company weeks after the attack, will head to Washington this week to take part in a Senate intelligence panel over a hack in December that allowed threat actors to exploit the company’s software and continuously compromised up to 18,000 of its customers for more than a year.

  7. Tomi Engdahl says:

    Amazon said it skipped a Congressional hearing about the SolarWinds hack because the e-commerce giant doesn’t use the company’s software
    https://www.businessinsider.com/amazon-solarwinds-hack-did-not-compromise-company-cyberattack-2021-2

  8. Tomi Engdahl says:

    You’ll still be safe, relatively, using a VPN instead.

    Code-execution flaw in VMware has a severity rating of 9.8 out of 10
    Thousands of servers running vCenter server could be in for a nasty surprise.
    https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/

    Hackers are mass-scanning the Internet in search of VMware servers with a newly disclosed code-execution vulnerability that has a severity rating of 9.8 out of a possible 10.

    CVE-2021-21974, as the security flaw is tracked, is a remote code-execution vulnerability in VMware vCenter server, an application for Windows or Linux that administrators use to enable and manage virtualization of large networks. Within a day of VMware issuing a patch, proof-of-concept exploits appeared from at least six different sources. The severity of the vulnerability, combined with the availability of working exploits for both Windows and Linux machines, sent hackers scrambling to actively find vulnerable servers.

    “We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://vmware.com/security/advisories/VMSA-2021-0002.html),” researcher Troy Mursch of Bad Packets wrote.

    Mursch said that the BinaryEdge search engine found almost 15,000 vCenter servers exposed to the Internet, while Shodan searches revealed about 6,700. The mass scanning is aiming to identify servers that have not yet installed the patch, which VMware released on Tuesday.

    Unfettered code execution, no authorization required
    CVE-2021-21972 allows hackers with no authorization to upload files to vulnerable vCenter servers that are publicly accessible over port 443, researchers from security firm Tenable said. Successful exploits will result in hackers gaining unfettered remote code-execution privileges in the underlying operating system. The vulnerability stems from a lack of authentication in the vRealize Operations plugin, which is installed by default.

    VMware fixes dangerous vulnerabilities that threaten many large companies
    https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-that-threaten-many-large-companies/

  9. Tomi Engdahl says:

    The U.S. securities regulator on Friday suspended trading in the securities of 15 companies because of “questionable trading and social media activity,” the latest in a string of temporary trading halts amid volatile trading in so-called “meme stocks.”

    U.S. SEC suspends trading in 15 securities due to ‘questionable’ social media activity
    https://www.reuters.com/article/us-retail-trading-sec/u-s-sec-suspends-trading-in-15-securities-due-to-questionable-social-media-activity-idUSKBN2AQ2VZ

  10. Tomi Engdahl says:

    Critical RCE Flaws Affect VMware ESXi and vSphere Client — Patch Now
    https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html

  11. Tomi Engdahl says:

    Google Discloses Details of Remote Code Execution Vulnerability in Windows
    https://www.securityweek.com/google-discloses-details-remote-code-execution-vulnerability-windows

    Google’s cybersecurity research unit Project Zero on Wednesday disclosed the details of a recently patched Windows vulnerability that can be exploited for remote code execution.

    The flaw, tracked as CVE-2021-24093, was patched by Microsoft on February 9 with its Patch Tuesday updates. Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero have been credited for reporting the issue to Microsoft.

  12. Tomi Engdahl says:

    Finnish IT Giant Hit with Ransomware Cyberattack
    https://threatpost.com/finnish-it-giant-ransomware-cyberattack/164193/

    TietoEVRY was forced to shut down services and infrastructure as the company continues to investigate the incident with relevant authorities.

    A major Finnish IT provider has been hit with a ransomware attack that has forced the company to turn off some services and infrastructure in a disruption to customers, while it takes recovery measures.

    Norwegian business journal E24 reported the attack on Espoo, Finland-based TietoEVRY on Tuesday, claiming to have spoken with Geir Remman, a communications director at the company. Remman acknowledged technical problems with several services that TietoEVRY provides to 25 customers, which are “due to a ransom attack,” according to the report.

  13. Tomi Engdahl says:

    Hundreds of workers at cybersecurity agency vote to strike
    https://www.cbc.ca/news/politics/cse-cybersecurity-strike-1.5926825

    Strike vote comes as concerns mount about cyber attacks during pandemic
