Cyber security news February 2021

This posting is here to collect cyber security news in February 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

310 Comments

  1. Tomi Engdahl says:

    Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet
    And what may be CAD drawing of a military radar antenna
    https://www.theregister.com/2021/02/23/bombardier_clop_ransomware_leaks/

    Reply
  2. Tomi Engdahl says:

    The perils of non-disclosure? China ‘cloned and used’ NSA zero-day exploit for years before it was made public
    Check Point says Beijing ‘reconstructed’ Equation Group’s hacking tool long before leak
    https://www.theregister.com/2021/02/23/microsoft_chinese_nsa/?utm_source=dlvr.it&utm_medium=facebook

    A zero-day exploit said to have been developed by the NSA was cloned and used by Chinese government hackers on Windows systems years before the cyber-weapon was leaked online, it is claimed.

    Check Point put out a report on Monday digging into Chinese malware it calls Jian, and argues persuasively this particular software nasty was spawned sometime around 2014 from NSA exploit code that eventually leaked online in 2017.

    https://blog.checkpoint.com/2021/02/22/jian-the-chinese-double-edged-cyber-sword/

    Reply
  3. Tomi Engdahl says:

    Proof-of-concept exploit code has been published online earlier today, and active scans for vulnerable VMware systems have been detected already.

    More than 6,700 VMware servers exposed online and vulnerable to major new bug
    https://www.zdnet.com/article/more-than-6700-vmware-servers-exposed-online-and-vulnerable-to-major-new-bug/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    Proof-of-concept exploit code has been published online earlier today, and active scans for vulnerable VMware systems have been detected already.

    Reply
  4. Tomi Engdahl says:

    Oxford’s Division of Structural Biology is hacked by a crew that has allegedly sold data to governments. They acquired access to machines preparing biochemical samples.

    Exclusive: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab Studying Covid-19
    https://www.forbes.com/sites/thomasbrewster/2021/02/25/exclusive-hackers-break-into-biochemical-systems-at-oxford-uni-lab-studying-covid-19/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=221501d32a39

    One of the world’s top biology labs—one whose renowned professors have been researching how to counter the Covid-19 pandemic—has been hacked.

    Reply
  5. Tomi Engdahl says:

    https://www.infosecurity-magazine.com/news/crowdstrike-slams-microsoft-over/

    Reply
  6. Tomi Engdahl says:

    Ukraine reports cyber-attack on government document management system
    Ukrainian officials blame “one of the hacker spy groups from the Russian Federation.”
    https://www.zdnet.com/article/ukraine-reports-cyber-attack-on-government-document-management-system/

    Reply
  7. Tomi Engdahl says:

    The group behind a global cyber-espionage campaign that compromised thousands of US software maker’s SolarWinds customers were likely seeking out specific targets, says Sudhakar Ramakrishna, the CEO of the company.

    Perpetrators of the attack were likely after a few prized assets – CEO of SolarWinds
    https://cybernews.com/security/perpetrators-of-the-attack-were-likely-after-a-few-prized-assets-ceo-of-solarwinds/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=ceo_solarwinds&fbclid=IwAR1FgnPecTGKpaaPxWqui_A5VFZUrUhWlRVkkKfXyiZa8djy4fLXcE9cVok

    The group behind a global cyber-espionage campaign that compromised thousands of US software maker’s SolarWinds customers were likely seeking out specific targets, Sudhakar Ramakrishna, the CEO of the company, said on Monday’s Center for Strategic and International Studies (CSIS) webinar.

    Ramakrishna, who took over the company weeks after the attack, will head to Washington this week to take part in a Senate intelligence panel over a hack in December that allowed threat actors to exploit the company’s software and continuously compromised up to 18,000 of its customers for more than a year.

    Reply
  8. Tomi Engdahl says:

    Corellium—The Startup Apple Is Suing—Joins Forces With ARM Security Genius To Build iPhone, Mac And Android Research Heaven
    https://www.forbes.com/sites/thomasbrewster/2021/02/26/corellium-the-startup-apple-is-suing-hires-arm-security-genius-to-build-iphone-mac-and-android-research-heaven/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie&sh=5ae47d223eb9

    Reply
  9. Tomi Engdahl says:

    Amazon said it skipped a Congressional hearing about the SolarWinds hack because the e-commerce giant doesn’t use the company’s software
    https://www.businessinsider.com/amazon-solarwinds-hack-did-not-compromise-company-cyberattack-2021-2

    Reply
  10. Tomi Engdahl says:

    You’ll still be safe, relatively, using VPN instead..

    Code-execution flaw in VMware has a severity rating of 9.8 out of 10
    Thousands of servers running vCenter server could be in for a nasty surprise.
    https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/

    Hackers are mass-scanning the Internet in search of VMware servers with a newly disclosed code-execution vulnerability that has a severity rating of 9.8 out of a possible 10.

    CVE-2021-21974, as the security flaw is tracked, is a remote code-execution vulnerability in VMware vCenter server, an application for Windows or Linux that administrators use to enable and manage virtualization of large networks. Within a day of VMware issuing a patch, proof-of-concept exploits appeared from at least six different sources. The severity of the vulnerability, combined with the availability of working exploits for both Windows and Linux machines, sent hackers scrambling to actively find vulnerable servers.

    “We’ve detected mass scanning activity targeting vulnerable VMware vCenter servers (https://vmware.com/security/advisories/VMSA-2021-0002.html),” researcher Troy Mursch of Bad Packets wrote.

    Mursch said that the BinaryEdge search engine found almost 15,000 vCenter servers exposed to the Internet, while Shodan searches revealed about 6,700. The mass scanning is aiming to identify servers that have not yet installed the patch, which VMware released on Tuesday.

    Unfettered code execution, no authorization required
    CVE-2021-21972 allows hacker with no authorization to upload files to vulnerable vCenter servers that are publicly accessible over port 443, researchers from security firm Tenable said. Successful exploits will result in hackers gaining unfettered remote code-execution privileges in the underlying operating system. The vulnerability stems from a lack of authentication in the vRealize Operations plugin, which is installed by default.

    VMware fixes dangerous vulnerabilities that threaten many large companies
    https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-that-threaten-many-large-companies/

    Reply
  11. Tomi Engdahl says:

    The U.S. securities regulator on Friday suspended trading in the securities of 15 companies because of “questionable trading and social media activity,” the latest in a string of temporary trading halts amid volatile trading in so-called “meme stocks.”

    U.S. SEC suspends trading in 15 securities due to ‘questionable’ social media activity
    https://www.reuters.com/article/us-retail-trading-sec/u-s-sec-suspends-trading-in-15-securities-due-to-questionable-social-media-activity-idUSKBN2AQ2VZ

    Reply
  12. Tomi Engdahl says:

    Critical RCE Flaws Affect VMware ESXi and vSphere Client — Patch Now
    https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html

    Reply
  13. Tomi Engdahl says:

    Google Discloses Details of Remote Code Execution Vulnerability in Windows
    https://www.securityweek.com/google-discloses-details-remote-code-execution-vulnerability-windows

    Google’s cybersecurity research unit Project Zero on Wednesday disclosed the details of a recently patched Windows vulnerability that can be exploited for remote code execution.

    The flaw, tracked as CVE-2021-24093, was patched by Microsoft on February 9 with its Patch Tuesday updates. Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero have been credited for reporting the issue to Microsoft.

    Reply
  14. Tomi Engdahl says:

    Finnish IT Giant Hit with Ransomware Cyberattack
    https://threatpost.com/finnish-it-giant-ransomware-cyberattack/164193/

    TietoEVRY was forced to shut down services and infrastructure as the company continues to investigate the incident with relevant authorities.

    A major Finnish IT provider has been hit with a ransomware attack that has forced the company to turn off some services and infrastructure in a disruption to customers, while it takes recovery measures.

    Norwegian business journal E24 reported the attack on Espoo, Finland-based TietoEVRY on Tuesday, claiming to have spoken with Geir Remman, a communications director at the company. Remman acknowledged technical problems with several services that TietoEVRY provides to 25 customers, which are “due to a ransom attack,” according to the report.

    Reply
  15. Tomi Engdahl says:

    Hundreds of workers at cybersecurity agency vote to strike
    https://www.cbc.ca/news/politics/cse-cybersecurity-strike-1.5926825

    Strike vote comes as concerns mount about cyber attacks during pandemic

    Reply
  16. Tomi Engdahl says:

    Former SolarWinds CEO blames intern for ‘solarwinds123′ password leak
    https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html

    Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years.

    The password in question, “solarwinds123,” was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.

    Several US lawmakers ripped into SolarWinds for the password issue Friday, in a joint hearing by the House Oversight and Homeland Security committees.
    “I’ve got a stronger password than ‘solarwinds123′ to stop my kids from watching too much YouTube on their iPad,” said Rep. Katie Porter. “You and your company were supposed to be preventing the Russians from reading Defense Department emails!”

    SolarWinds representatives told lawmakers Friday that as soon as the password issue was reported, it was corrected within days.

    But it is still unclear what role, if any, the leaked password may have played in enabling suspected Russian hackers to spy on multiple federal agencies and businesses in one of the most serious security breaches in US history.
    Stolen credentials are one of three possible avenues of attack SolarWinds is investigating as it tries to uncover how it was first compromised by the hackers, who went on to hide malicious code in software updates that SolarWinds then pushed to some 18,000 customers, including numerous federal agencies.

    Other theories SolarWinds is exploring, said SolarWinds CEO Sudhakar Ramakrishna, include the brute-force guessing of company passwords, as well as the possibility the hackers could have entered via compromised third-party software.
    Confronted by Rep. Rashida Tlaib, former SolarWinds CEO Kevin Thompson said the password issue was “a mistake that an intern made.”

    “They violated our password policies and they posted that password on an internal, on their own private Github account,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”

    Emails between Kumar and SolarWinds showed that the leaked password allowed Kumar to log in and successfully deposit files on the company’s server. Using that tactic, Kumar warned the company, any hacker could upload malicious programs to SolarWinds.
    During the hearing, FireEye CEO Kevin Mandia said it may be impossible to fully determine how much damage was done by the suspected Russian hack.

    “The bottom line: We may never know the full range and extent of the damage, and we may never know the full range and extent as to how the stolen information is benefiting an adversary,” Mandia testified.
    In order to make a damage assessment, Mandia said, officials must not only catalogue what data was accessed, but also imagine all of the ways that data could be used and misused by foreign actors — a monumental task.

    Reply
  17. Tomi Engdahl says:

    Oxford University COVID-19 laboratory hacked by cyber gang -Telegraph
    https://news.trust.org/item/20210225190914-joyrc

    Feb 25 (Reuters) – An Oxford University biology laboratory researching COVID-19 has been hacked by a cyber gang amid fears they are trying to sell secrets to the highest bidder, The Telegraph reported on Thursday.

    The hack occurred at the Division of Structural Biology, known as Strubi, which has been carrying out research into COVID-19, according https://bit.ly/2NYG4Ag to the newspaper.

    Reply
  18. Tomi Engdahl says:

    https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/

    Reply
  19. Tomi Engdahl says:

    CNN:
    In a hearing with US lawmakers, ex-SolarWinds CEO blamed an intern for the “solarwinds123” password leak discovered in 2019 that had exposed a SolarWinds server — FireEye CEO on how the SolarWinds hack was discovered — Washington (CNN)Current and former top executives …

    https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/

    Reply
  20. Tomi Engdahl says:

    Jason Aten / Inc.com:
    A look at Clubhouse’s privacy flaws: room audio is “temporarily” saved for trust and safety purposes, user accounts or personal data can’t be deleted, and more

    Clubhouse Is Recording Your Conversations. That’s Not Even Its Worst Privacy ProblemThe popular new social media platform is scooping up more data than you might think.
    https://www.inc.com/jason-aten/clubhouse-is-recording-your-conversations-thats-not-even-its-worst-privacy-problem.html

    Clubhouse was sort of perfectly made for the pandemic. People aren’t going out, and they’re desperately searching for social connections and entertainment. The app provides both in a way, while also capitalizing on the draw of celebrity influencers on the platform.

    It’s also built on one of the most effective strategies for generating buzz and excitement–scarcity. In order to join Clubhouse, you have to have an invite from someone who is already a member. Not only that, they have to have your phone number and give Clubhouse access to their iPhone contacts. No access, no invites.

    From a business standpoint, it certainly makes sense that Clubhouse is taking this approach. Building a social graph from scratch is very hard, and requiring users to upload their contacts list is the most effective way to determine connections.

    1. Clubhouse is recording your audio.

    One of the “features” of Clubhouse is that it’s ephemeral. You can’t listen to it later, or even pause the room you’re in. You have to show up live in order to participate in the experience. That’s one thing that sets it apart from, say, podcasts, which are recorded and can be listened to at any time. You can’t even record conversations on Clubhouse.

    Except, Clubhouse can, and does record what you say. The app’s privacy policy says that Clubhouse rooms are recorded:

    That means that if someone does report a problem, everything that happened in the room is recorded and saved. And, Clubhouse isn’t clear about what happens to it then other than it is saved in order for the company to make a determination. It doesn’t say who can listen to it, or under what conditions.
    2. You can’t delete information other people share about you.

    Even if you haven’t created an account, if someone you know has, there’s a good chance Clubhouse already has your phone number. That’s because the app encourages users to upload their entire contacts database in order to send invitations. You can only invite someone who is in your contacts, and it doesn’t include any ability to only share specific contacts. It’s all or nothing.

    3. You can’t just delete your account.

    In fact, even if you have an account, you can’t delete it without sending an email to a support account. There’s no option anywhere in the app to delete your account, and neither are there any instructions on what to do if you want to delete it. You have to send an email to “[email protected]” in order to request that your account be canceled, and wait for someone to take action.
    4. They can share your personal information without notifying you.

    One of the biggest questions surrounding Clubhouse is how it intends to eventually make money. Looking through the privacy policy, it’s clear that it will likely involve some form of advertising or sponsorship system. To get ready for that, Clubhouse is making clear that it “may share Personal Data with our current and future affiliates.”

    5. Clubhouse is tracking you.

    The privacy policy says it uses cookies, pixels, and tracking technologies to monitor what you do within Clubhouse, and across the web even though they aren’t currently monetizing the app. This is both confirmed by the privacy policy, as well as traffic monitoring,

    It seems pretty clear that Clubhouse is getting ready to monetize the platform it’s building. That’s fair–every business should have a plan for making money.

    Reply
  21. Tomi Engdahl says:

    Microsoft shares tool to hunt for compromise in SolarWinds breach
    https://www.cyberscoop.com/microsoft-solarwinds-breach-compromise-open-source-codeql/

    Microsoft is offering up the tool it used to track down potential indicators of compromise in the sweeping SolarWinds breach, the company announced Thursday.

    Microsoft is releasing the so-called CodeQL queries it used to investigate its source code, in an effort to help other organizations mitigate the risk from the cascading cyber-espionage campaign involving a breach at the U.S. federal contractor SolarWinds. Microsoft is aiming to help firms pinpoint code-level indicators of compromise (IoCs), Microsoft’s Security Team said in a blog.

    By digging into their own code, organizations can assess if they have been compromised by the hack, in which suspected Russian hackers laced malicious software in a SolarWinds product’s software update, Microsoft said. The company has described the campaign as “Solorigate.”

    https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/

    Reply
  22. Tomi Engdahl says:

    Security News This Week: The SolarWinds Body Count Now Includes NASA and the FAA
    https://www.wired.com/story/solarwinds-nasa-faa-robot-dog-fight-security-news/

    SOME BLASTS FROM the past surfaced this week, including revelations that a Russia-linked hacking group has repeatedly targeted the US electrical grid, along with oil and gas utilities and other industrial firms. Notably, the group has ties to the notorious industrial-control GRU hacking group Sandworm. Meanwhile, researchers revealed evidence this week that an elite NSA hacking tool for Microsoft Windows, known as EpMe, fell into the hands of Chinese hackers in 2014, years before that same tool then leaked in the notorious Shadow Brokers dump of NSA tools.

    Reply
  23. Tomi Engdahl says:

    Former SolarWinds CEO blames intern for ‘solarwinds123′ password leak
    https://www.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html

    Reply
  24. Tomi Engdahl says:

    The ‘real consequences’ of ransomware against schools
    https://statescoop.com/k12-ransomware-attacks-cybersecurity/

    The public school system in Yazoo County, Mississippi, last week revealed that it paid a company $300,000 to help recover data that had been encrypted and stolen in a ransomware incident. In other words, the school district became the latest ransomware victim to pay its attacker’s demands.

    But as threat intelligence analyst Allan Liska of the security firm Recorded Future pointed out Tuesday, that $300,000 payment represents about 1.5% of the Yazoo County schools’ entire $19.5 million annual budget.

    “And that’s a budget that’s going down next year because of declining revenue due to the coronavirus pandemic,” Liska said while hosting an online panel about an ongoing spate of ransomware attacks against K-12 organizations.

    Reply
  25. Tomi Engdahl says:

    North Korea hacked Pfizer because it wants to sell bootleg COVID vaccines on the international black market. North Korea’s intent was likely to raise funds in foreign currency. The hermit dictatorship’s domestic currency is mostly worthless outside its borders.

    North Korea hacked Pfizer because it wants to sell bootleg COVID vaccines on the international black market, sources say
    https://www.businessinsider.com/north-korea-hack-pfizer-covid-19-coronavirus-vaccine-2021-2?utm_source=reddit.com

    North Korea wants “to decide which [vaccine] will be the easiest to bootleg and transport for the black market,” said an official.
    The nation has a long history of counterfeiting, bootlegging, drug dealing, and arms smuggling.
    The dictatorship wants foreign currency. Its domestic currency is mostly worthless.

    Reply
  26. Tomi Engdahl says:

    Far-Right Platform Gab Has Been Hacked—Including Private Data
    The transparency group DDoSecrets says it will make the 70GB of passwords, private posts, and more available to researchers, journalists, and social scientists.
    https://www.wired.com/story/gab-hack-data-breach-ddosecrets/

    WHEN TWITTER BANNED Donald Trump and a slew of other far-right users in January, many of them became digital refugees, migrating to sites like Parler and Gab to find a home that wouldn’t moderate their hate speech and disinformation. Days later, Parler was hacked and then dropped by Amazon web hosting, knocking the site offline. Now Gab, which inherited some of Parler’s displaced users, has been badly hacked too.

    An enormous trove of its contents has been stolen—including what appears to be passwords and private communications.

    On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls calling “GabLeaks,” a collection of more than 70 gigabytes of Gab data representing more than 40 million posts.

    DDoSecrets says a hacktivist who self-identifies as “JaXpArO and My Little Anonymous Revival Project” siphoned that data out of Gab’s backend databases in an effort to expose the platform’s largely rightwing users.

    DDoSecrets says it’s not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. WIRED viewed a sample of the data

    Gab CEO Andrew Torba acknowledged the breach in a brief statement Sunday.

    According to DDoSecrets’ Best, the hacker says that they pulled out Gab’s data via a SQL injection vulnerability in the site

    Alleged Data Breach – 26 February 2021
    https://news.gab.com/2021/02/26/alleged-data-breach-26-february-2021/

    Reply
  27. Tomi Engdahl says:

    the right can’t infosec?

    Nothing is safe

    Reply
  28. Tomi Engdahl says:

    SolarWinds Hack Pits Microsoft Against Dell, IBM Over How Companies Store Data
    Microsoft argues the cloud offers more protection; rivals point to the need of firms to hold, access their information on-premises
    https://www.wsj.com/articles/solarwinds-hack-pits-microsoft-against-dell-ibm-over-how-companies-store-data-11614456066

    Reply
  29. Tomi Engdahl says:

    Safety Certification Giant UL Has Been Hit By Ransomware
    https://www.forbes.com/sites/leemathews/2021/02/19/safety-certification-giant-ul-has-been-hit-by-ransomware/
    UL, which you may know better as Underwriters Laboratories, has
    overcome countless obstacles in its 127-year run as the world’s
    leading safety testing authority. Now they’re facing down a true 21st
    century menace: ransomware. Lisäksi:
    https://www.bleepingcomputer.com/news/security/underwriters-laboratories-ul-certification-giant-hit-by-ransomware/

    Reply
  30. Tomi Engdahl says:

    Recently fixed Windows zero-day actively exploited since mid-2020
    https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-day-actively-exploited-since-mid-2020/
    Microsoft says that a high-severity Windows zero-day vulnerability
    patched during the February 2021 Patch Tuesday was exploited in the
    wild since at least the summer of 2020 according to its telemetry
    data. The actively exploited zero-day bug is tracked as ‘CVE-2021-1732
    - – Windows Win32k Elevation of Privilege Vulnerability.’

    Reply
  31. Tomi Engdahl says:

    Scoop: Sequoia Capital says it was hacked
    https://www.axios.com/sequoia-capital-says-it-was-hacked-590dcdd6-fe49-46c6-8422-60a944272302.html
    Sequoia Capital told its investors on Friday that some of their
    personal and financial information may have been accessed by a third
    party, after a Sequoia employee’s email was successfully phished,
    Axios has learned.

    Reply
  32. Tomi Engdahl says:

    Experian challenged over massive data leak in Brazil
    https://www.zdnet.com/article/experian-challenged-over-massive-data-leak-in-brazil
    Consumer rights body criticizes explanations from the credit bureau in
    relation to the data exposure of over 220 million citizens. After
    receiving feedback from Experian over a massive data leak in Brazil,
    São Paulo state consumer rights foundation Procon described the
    company’s explanations as “insufficient” and said it is likely that
    the incident was initiated in a corporate environment.

    Reply
  33. Tomi Engdahl says:

    Kroger data breach exposes pharmacy and employee data
    https://www.bleepingcomputer.com/news/security/kroger-data-breach-exposes-pharmacy-and-employee-data/
    Supermarket giant Kroger has suffered a data breach after a service
    used to transfer files securely was hacked, and threat actors stole
    files. Kroger is one of the largest retailers in the world, with
    almost 2, 800 stores in 35 states. Kroger employs approximately 500,
    000 people and had over $122 billion in sales for 2019.

    Reply
  34. Tomi Engdahl says:

    IronNetInjector: Turla’s New Malware Loading Tool
    https://unit42.paloaltonetworks.com/ironnetinjector/
    In recent years, more and more ready-made malware is released on
    software development hosting sites available for everybody to use
    including threat actors. This not only saves the bad guys development
    time, but also makes it much easier for them to find new ideas to
    prevent detection of their malware. Unit 42 researchers have found
    several malicious IronPython scripts whose purpose is to load and run
    Turla’s malware tools on a victim’s system. The use of IronPython for
    malicious purposes isn’t new, but the way Turla uses it is new. The
    overall method is known as Bring Your Own Interpreter (BYOI).

    Reply
  35. Tomi Engdahl says:

    Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
    https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
    “”. Starting in mid-December 2020, malicious actors that Mandiant
    tracks as UNC2546 exploited multiple zero-day vulnerabilities in
    Accellion’s legacy File Transfer Appliance (FTA) to install a newly
    discovered web shell named DEWMODE. The motivation of UNC2546 was not
    immediately apparent, but starting in late January 2021, several
    organizations that had been impacted by UNC2546 in the prior month
    began receiving extortion emails from actors threatening to publish
    stolen data on the “CL0P^_- LEAKS”.onion website. Some of the
    published victim data appears to have been stolen using the DEWMODE
    web shell. Lisäksi:
    https://www.zdnet.com/article/fireeye-links-0-day-attacks-on-fta-servers-extortion-campaign-to-fin11-group.
    Lisäksi:
    https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html

    Reply
  36. Tomi Engdahl says:

    Information about ransomware attack in Norway
    https://www.tietoevry.com/en/newsroom/all-news-and-releases/other-news/2021/02/information-about-ransomware-attack-in-norway/
    Monday 22nd of February 2021 TietoEVRY experienced technical
    challenges in several services that we deliver to 25 customers within
    retail, manufacturing and service-related industries. Investigations
    showed that the incident was caused by a ransomware attack, and hence
    we consider it as a serious criminal act. Lisäksi:
    https://www.bleepingcomputer.com/news/security/finnish-it-giant-tietoevry-discloses-ransomware-attack/.
    Lisäksi:
    https://www.tivi.fi/uutiset/tv/14c047ae-8727-4770-9b7e-9d48976dca0f

    Reply
  37. Tomi Engdahl says:

    How Does Triton Attack Triconex Industrial Safety Systems?
    https://blogs.cisco.com/security/how-does-triton-attack-triconex-industrial-safety-systems
    Triton is malware developed to affect industrial systems, particularly
    the Triconex safety system from Schneider. This is deployed at over
    15, 000 sites across the world, but the malware allegedly only
    targeted a critical energy industrial site in the Middle East in 2017.

    Reply
  38. Tomi Engdahl says:

    Ukraine: DDoS attacks on govt sites originated from Russia
    https://www.bleepingcomputer.com/news/security/ukraine-ddos-attacks-on-govt-sites-originated-from-russia/
    The National Security and Defense Council (NSDC) of Ukraine is
    accusing threat actors located on Russia networks of performing DDoS
    attacks on Ukrainian government websites since February 18th. The
    National Coordination Center for Cybersecurity (NCCC) at the NSDC
    state that these DDoS attacks have been massive and have targeted
    government websites in the defense and security sector.

    Reply
  39. Tomi Engdahl says:

    Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs
    https://thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html
    Researchers have demonstrated a novel class of attacks that could
    allow a bad actor to potentially circumvent existing countermeasures
    and break the integrity protection of digitally signed PDF documents.

    Reply
  40. Tomi Engdahl says:

    NASA and the FAA were also breached by the SolarWinds hackers
    https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/
    NASA and the US Federal Aviation Administration (FAA) have also been
    compromised by the nation-state hackers behind the SolarWinds
    supply-chain attack, according to a Washington Post report. The two
    attacks are part of a broader espionage effort targeting and
    compromising multiple US government agencies over the last year.

    Reply
  41. Tomi Engdahl says:

    Heavily used Node.js package has a code injection vulnerability
    https://www.bleepingcomputer.com/news/security/heavily-used-nodejs-package-has-a-code-injection-vulnerability/
    A heavily downloaded Node.js library has a high severity command
    injection vulnerability revealed this month. Tracked as
    CVE-2021-21315, the bug impacts the “systeminformation” npm component
    which gets about 800, 000 weekly downloads and has scored close to 34
    million downloads to date since its inception.

    Reply
  42. Tomi Engdahl says:

    Attackers scan for vulnerable VMware servers after PoC exploit release
    https://www.bleepingcomputer.com/news/security/attackers-scan-for-vulnerable-vmware-servers-after-poc-exploit-release/
    After security researchers have developed and published
    proof-of-concept (PoC) exploit code targeting a critical vCenter
    remote code execution (RCE) vulnerability, attackers are now actively
    scanning for vulnerable Internet-exposed VMware servers. Lisäksi:
    https://www.zdnet.com/article/more-than-6700-vmware-servers-exposed-online-and-vulnerable-to-major-new-bug

    Reply
  43. Tomi Engdahl says:

    Health Website Leaks 8 Million COVID-19 Test Results
    https://threatpost.com/health-website-leaks-covid-19-test/164274/
    A teenaged ethical hacker discovered a flawed endpoint associated with
    a health-department website in the state of Bengal, which exposed
    personally identifiable information related to test results.

    Reply
  44. Tomi Engdahl says:

    North Korean hackers target defense industry with custom malware
    https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-defense-industry-with-custom-malware/
    A North Korean-backed hacking group has targeted the defense industry
    with custom backdoor malware dubbed ThreatNeedle since early 2020 with
    the end goal of collecting highly sensitive information.

    Reply
  45. Tomi Engdahl says:

    Malicious Mozilla Firefox Extension Allows Gmail Takeover
    https://threatpost.com/malicious-mozilla-firefox-gmail/164263/
    A newly uncovered cyberattack is taking control of victims’ Gmail
    accounts, by using a customized, malicious Mozilla Firefox browser
    extension called FriarFox. Lisäksi:
    https://www.zdnet.com/article/chinese-cyberspies-targeted-tibetans-with-a-malicious-firefox-add-on/.
    Lisäksi:
    https://thehackernews.com/2021/02/chinese-hackers-using-firefox-extension.html

    Reply
  46. Tomi Engdahl says:

    Google’s Password Checkup tool rolling out to Android devices
    https://www.welivesecurity.com/2021/02/24/google-password-checkup-android-devices
    Google is extending its Password Checkup feature to Android in a bid
    to help people make their online accounts more secure. Originally
    introduced as an extension for the Google Chrome web browser two years
    ago, the tool was later integrated into Chrome for desktop before
    making its way into the browser’s versions for Android and iOS.

    Reply
  47. Tomi Engdahl says:

    Ransomware gang hacks Ecuador’s largest private bank, Ministry of
    Finance
    https://www.bleepingcomputer.com/news/security/ransomware-gang-hacks-ecuadors-largest-private-bank-ministry-of-finance/
    A hacking group called ‘Hotarus Corp’ has hacked Ecuador’s Ministry of
    Finance and the country’s largest bank, Banco Pichincha, where they
    claim to have stolen internal data.

    Reply
  48. Tomi Engdahl says:

    Ryuk ransomware now self-spreads to other Windows LAN devices
    https://www.bleepingcomputer.com/news/security/ryuk-ransomware-now-self-spreads-to-other-windows-lan-devices/
    “Through the use of scheduled tasks, the malware propagates itself -
    machine to machine – within the Windows domain,” ANSSI (short for
    Agence Nationale de la Sécurité des Systèmes d’Information) said in a
    report published today.. Original at
    https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf

    Reply
  49. Tomi Engdahl says:

    Google looks at bypass in Chromium’s ASLR security defense, throws
    hands up, won’t patch garbage issue
    https://www.theregister.com/2021/02/26/chrome_aslr_bypass/
    In early November, a developer contributing to Google’s open-source
    Chromium project reported a problem with Oilpan, the garbage collector
    for the browser’s Blink rendering engine: it can be used to break a
    memory defense known as address space layout randomization (ASLR)..
    About two weeks later, Google software security engineer Chris Palmer
    marked the bug “WontFix” because Google has resigned itself to the
    fact that ASLR can’t be saved Spectre and Spectre-like
    processor-level flaws can defeat it anyway, whether or not Oilpan can
    be exploited.

    Reply
  50. Tomi Engdahl says:

    Bombardier Blindsided By Extortion Threat After Hackers Breach Server
    https://www.forbes.com/sites/leemathews/2021/02/27/bombardier-blindsided-by-extortion-threat-after-hackers-breach-server/
    It seems likely that the attackers intent was never to launch a more
    sophisticated and lucrative attack. Instead they sought to use a
    fresh exploit to hit as many Accellion FTA customers as quickly as
    possible.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*