Cyber security news March 2021

This posting is here to collect cyber security news in March 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    FBI: Phishing emails are spreading this sophisticated malware
    Alert by the FBI and CISA warns that Trickbot – one of the most common
    and most powerful forms of malware around – is using a new trick in an
    effort to infect even more victims.

  2. Tomi Engdahl says:

    Cathy Reisenwitz / OneZero :
    By eroding Section 230, Democratic senators’ SAFE TECH Act risks silencing marginalized communities and will make the internet less safe for sex workers

    The SAFE TECH Act Will Make the Internet Less Safe for Sex Workers

    Lawmakers should listen to the communities most affected before rushing to change Section 230 again

  3. Tomi Engdahl says:

    Hackers are exploiting a server vulnerability with a severity of 9.8 out of 10
    As if the mass-exploitation of Exchange servers wasn’t enough, now there’s BIG-IP.

  4. Tomi Engdahl says:

    Hobby Lobby Exposes Customer Data in Cloud Misconfiguration

    The arts-and-crafts retailer left 138GB of sensitive information open to the public internet.

    Arts-and-crafts retailer Hobby Lobby has suffered a cloud-bucket misconfiguration, exposing a raft of customer information, according to a report.

    An independent security researcher who goes by the handle “Boogeyman” uncovered the issue and reported it to Motherboard in an online chat, according to a Vice writeup.

    Cloud Misconfigurations: A Cyberthreat Attack Vector
    Cloud misconfigurations are a common threat vector for organizations of all sizes.

    Hobby Lobby Exposed 138GB of Data

    The cache included customer names, phone numbers, addresses, and the last four digits of their payment card.

  5. Tomi Engdahl says:

    Alert: Further targeted ransomware attacks on the UK education sector
    by cyber criminals
    The NCSC is responding to further targeted ransomware attacks on the
    education sector by cyber criminals.

  6. Tomi Engdahl says:

    ENCE star Aleksi Jalli's gaming account was hacked, the game company
    rushed to help: protect yourself from scammers with these tips
    The personal Steam account of ENCE Counter-Strike player Aleksi
    “allu” Jalli was hacked on Monday. The player reported the matter

  7. Tomi Engdahl says:

    Sputnik found on the dark web: expert gives important advice to those
    already vaccinated
    A picture of your vaccination certificate should not be shared on
    social media, as it may end up being used for criminal purposes.

  8. Tomi Engdahl says:

    We changed the red Exchange alert to yellow
    On 3.3.2021 we issued a red alert about vulnerable Exchange servers.
    The acute phase is over, but organisations that have or have had
    Exchange in use must

  9. Tomi Engdahl says:

    Google has disclosed that a now-patched vulnerability affecting
    Android devices that use Qualcomm chipsets is being weaponized by
    adversaries to launch targeted attacks
    Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an
    “improper input validation” issue in Qualcomm’s Graphics component
    that could be exploited to trigger memory corruption when an
    attacker-engineered app requests access to a huge chunk of the
    device’s memory. Also:

  10. Tomi Engdahl says:

    1-15 March 2021 Cyber Attack Timeline
    Here’s the first cyber attacks timeline of March, covering the main
    events that occurred in the first half of this month. What an unbelievable
    period from an infosecurity standpoint! I have collected a staggering
    150 events, and the reason is that there are some factors that are
    undoubtedly characterizing the period and will probably leave some
    consequences throughout the entire 2021.

  11. Tomi Engdahl says:

    CISA Warns of Security Flaws in GE Power Management Devices
    The flaws could allow an attacker to access sensitive information,
    reboot the UR, gain privileged access, or cause a denial-of-service
    condition. Also:

  12. Tomi Engdahl says:

    Microsoft warns of phishing attacks bypassing email gateways
    An ongoing phishing operation that stole an estimated 400,000 OWA and
    Office 365 credentials since December has now expanded to abuse new
    legitimate services to bypass secure email gateways (SEGs). The
    attacks are part of multiple phishing campaigns collectively dubbed
    the “Compact” Campaign, active since early 2020 and first detected by the
    WMC Global Threat Intelligence Team. Also:

  13. Tomi Engdahl says:

    Ransomware attack shuts down Sierra Wireless IoT maker
    Sierra Wireless, a world-leading IoT (Internet of Things) solutions
    provider, today disclosed a ransomware attack that forced it to halt
    production at all manufacturing sites. The ransomware attack hit
    Sierra Wireless’ internal network over the weekend, on March 20. The
    company says that the attack did not impact any customer-facing
    services or products. Following the attack, the company also had to
    shut down manufacturing plants worldwide, and it expects to resume
    production and operations soon.

  14. Tomi Engdahl says:

    Microsoft: 92% of Exchange servers safe from ProxyLogon attacks
    Roughly 92% of all Internet-connected on-premises Microsoft Exchange
    servers affected by the ProxyLogon vulnerabilities are now patched and
    safe from attacks, Microsoft said on Monday.

  15. Tomi Engdahl says:

    Purple Fox Malware Squirms Like a Worm on Windows

    Malware hunters at Guardicore are warning that an aggressive botnet operator has turned to SMB password brute-forcing to infect and spread like a worm across the Microsoft Windows ecosystem.

    The malware campaign, dubbed Purple Fox, has been active since at least 2018 and the discovery of the new worm-like infection vector is yet another sign that consumer-grade malware continues to reap profits for cybercriminals.

    According to Guardicore researcher Amit Serper, the Purple Fox operators primarily used exploit kits and phishing emails to build botnets for crypto-mining and other nefarious uses.

    Now, the new SMB brute-force method is being combined with rootkit capabilities to hide and spread widely across internet-facing Windows computers with weak passwords.

    “Throughout the end of 2020 and the beginning of 2021, Guardicore Global Sensors Network (GGSN) detected Purple Fox’s novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes,” Serper explained.

  16. Tomi Engdahl says:

    Recently Patched Android Vulnerability Exploited in Attacks

    Google has warned Android users that a recently patched vulnerability has been exploited in attacks.

    The vulnerability in question, tracked as CVE-2020-11261, was patched by Google with the Android security updates released in January 2021.

    The vulnerability is a high-severity improper input validation issue affecting a display/graphics component from Qualcomm. The flaw was reported to Qualcomm through Google in July 2020 and it affects a long list of chipsets.

    In Qualcomm’s advisory, CVE-2020-11261 is described as a “memory corruption due to improper check to return error when user application requests memory allocation of a huge size.”

  17. Tomi Engdahl says:

    Resentful employee deletes 1,200 Microsoft Office 365 accounts, gets prison

    A former IT consultant hacked a company in Carlsbad, California, and deleted almost all its Microsoft Office 365 accounts in an act of revenge that has brought him two years of prison time.

    More than 1,200 user accounts were removed in this act of sabotage, causing a complete shutdown of the company’s operations for two days.

    Two-day downtime, months of recovery

  18. Tomi Engdahl says:

    Online trading broker FBS exposes 20TB of data with 16 billion records

    The leaked data also included unredacted credit cards and passports of millions of users around the world.

  19. Tomi Engdahl says:

    A wave of data breaches is shaking Finland: dozens of reports to the authority, and more are coming

  20. Tomi Engdahl says:

    A personal data breach resulting from the Microsoft Exchange server vulnerability must be reported to the data subjects and to the Office of the Data Protection Ombudsman

  21. Tomi Engdahl says:

    A personal data breach resulting from the Microsoft Exchange server
    vulnerability must be reported to the data subjects and to the
    Office of the Data Protection Ombudsman
    The Office of the Data Protection Ombudsman reminds that the data
    controller must notify the persons affected by a personal data
    breach, as well as the supervisory authority, when the breach is
    likely to result in a high risk to the data subjects. The National
    Cyber Security Centre (Kyberturvallisuuskeskus) warned about a
    critical vulnerability in the Exchange email server at the beginning
    of March.

  22. Tomi Engdahl says:

    This is how the malware spread in Posti's name worms its way into your phone
    Your phone bill may make you choke afterwards
    Installing the malware on a smartphone requires considerable naivety
    from the victim. Read:

  23. Tomi Engdahl says:

    Purple Fox malware worms its way into exposed Windows systems
    Purple Fox, a malware previously distributed via exploit kits and
    phishing emails, has now added a worm module that allows it to scan
    for and infect Windows systems reachable over the Internet in ongoing

  24. Tomi Engdahl says:

    Ransomware gang leaks data stolen from Colorado, Miami universities
    Grades and social security numbers for students at the University of
    Colorado, and University of Miami patient data, have been posted online
    by the Clop ransomware group.

  25. Tomi Engdahl says:

    Lahti regional taxi company fell into the clutches of hackers: denial
    of service “succeeded totally”
    Cyber attacks are not only a problem for big companies. Strongly
    regional operators also suffer from them. About a month ago, a
    denial-of-service attack was carried out on the server of Lahden
    aluetaksi, as a result of which the company had to abandon its own
    server and switch to an external service provider.

  26. Tomi Engdahl says:

    Inside the Web Shell Used in the Microsoft Exchange Server Attacks
    The history and details of China Chopper – a Web shell commonly seen
    in the widespread Microsoft Exchange Server attacks. China Chopper Web
    shells are an older threat causing new problems for many organizations
    targeted in ongoing attacks against vulnerable Microsoft Exchange
    Servers worldwide.

  27. Tomi Engdahl says:

    Phish Leads to Breach at Calif. State Controller
    A phishing attack last week gave attackers access to email and files
    at the California State Controller’s Office (SCO), an agency
    responsible for handling more than $100 billion in public funds each
    year. The phishers had access for more than 24 hours, and sources tell
    KrebsOnSecurity the intruders used that time to steal Social Security
    numbers and sensitive files on thousands of state workers, and to send
    targeted phishing messages to at least 9,000 other workers and their

  28. Tomi Engdahl says:

    REvil Ransomware Can Now Reboot Infected Devices
    The REvil ransomware gang has added a new malware capability that
    enables the attackers to reboot an infected device after encryption,
    security researchers at MalwareHunterTeam report. Also:

  29. Tomi Engdahl says:

    Facebook Disrupts Chinese Spies Using iPhone, Android Malware

    Facebook’s threat intelligence team says it has disrupted a sophisticated Chinese spying team that routinely uses iPhone and Android malware to hit journalists, dissidents and activists around the world.

    The hacking group, known to malware hunters as Evil Eye, has used Facebook to plant links to watering hole websites rigged with exploits for the two major mobile platforms.

    Facebook’s Head of Cyber Espionage Investigations Mike Dvilyanski has published an advisory with indicators of compromise (IOCs) and other data to help victims and targets block the attacks.

  30. Tomi Engdahl says:

    Microsoft: Ongoing, Expanding Campaign Bypassing Phishing Protections

    A phishing email campaign detailed earlier this month is expanding with the use of additional email services to hide malicious intent, according to a warning from software giant Microsoft.

    Dubbed ‘Compact’ Campaign, the operation has been ongoing since December 2020, targeting thousands of users. In early March, researchers with the WMC Global Threat Intelligence Team estimated that more than 400,000 Outlook Web Access and Office 365 credentials had been compromised in multiple, connected campaigns.

  31. Tomi Engdahl says:

    Vulnerabilities in TBox RTUs Can Expose Industrial Organizations to Remote Attacks

    UK-based industrial automation company Ovarro recently patched a series of vulnerabilities in its TBox remote terminal units (RTUs). Cybersecurity experts say these flaws could pose a serious risk to organizations.

    Ovarro’s TBox RTUs are described by the vendor as a remote telemetry solution for remote automation and monitoring of critical assets. These devices are used worldwide, including in the water, oil and gas, power, transportation and process industries.

  32. Tomi Engdahl says:

    Insurer CNA Says Cyberattack Caused Network Disruption

    Commercial insurer CNA on Tuesday announced that it was recently targeted in what it described as a sophisticated cyberattack.

    The Chicago, Illinois-based company is one of the largest commercial insurers in the United States, offering cyber insurance policies alongside a broad range of other insurance products.

    In a March 23 announcement, the company revealed that, over the weekend, it fell victim to a cyberattack that impacted certain systems, and which resulted in network disruptions.

    “On March 21, 2021, CNA determined that it sustained a sophisticated cybersecurity attack. The attack caused a network disruption and impacted certain CNA systems, including corporate email,” the company says in an incident notification on its website.

  33. Tomi Engdahl says:

    Honeywell Says Malware Disrupted IT Systems

    Industrial giant Honeywell on Tuesday revealed that some of its IT systems were disrupted as a result of a malware attack.

    The company said the intrusion was detected “recently” and only a “limited number” of IT systems were disrupted. No other information has been provided regarding impact.

  34. Tomi Engdahl says:

    Purple Fox Malware Squirms Like a Worm on Windows

    Malware hunters at Guardicore are warning that an aggressive botnet operator has turned to SMB password brute-forcing to infect and spread like a worm across the Microsoft Windows ecosystem.

    The malware campaign, dubbed Purple Fox, has been active since at least 2018 and the discovery of the new worm-like infection vector is yet another sign that consumer-grade malware continues to reap profits for cybercriminals.

    According to Guardicore researcher Amit Serper, the Purple Fox operators primarily used exploit kits and phishing emails to build botnets for crypto-mining and other nefarious uses.

  35. Tomi Engdahl says:

    The Markup:
    Analysis of vaccine appointment sites for every US state, Puerto Rico, and DC shows some have issues maintaining users’ privacy, loading on mobile devices, more — The results, measuring accessibility and privacy protections, were not always great — Christine Meyer, a Pennsylvania doctor …

    We Ran Tests on Every State’s COVID-19 Vaccine Website

    The results, measuring accessibility and privacy protections, were not always great

  36. Tomi Engdahl says:

    Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins

    Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.

    The Thrive Themes represent a collection of themes and plugins that provide WordPress administrators with the means to quickly customize their websites.

    Two vulnerabilities that the Thrive Themes team addressed earlier this month are currently being targeted in live attacks to upload arbitrary files to vulnerable websites, and provide attackers with backdoor control to them.

    The most important of the bugs is a critical (CVSS score of 10) unauthenticated arbitrary file upload and option deletion vulnerability that affects all Thrive Theme’s Legacy Themes. The flaw exists because the Legacy Themes include an insecurely implemented function to automatically compress images during uploads.

    The second bug is considered medium severity (CVSS score of 5.8) and is an unauthenticated option update issue. The flaw is rooted in the insecure implementation of the ability to integrate with Zapier, which is available in the Thrive Dashboard.

  37. Tomi Engdahl says:

    FatFace tells customers to keep its data breach ‘strictly private’

    Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.

    The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with the customer’s name, email and postal address, and the last four digits of their credit card. “Full payment card information was not compromised,” the notice reiterated.

    But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.

    Under the U.K. data protection laws, a company must disclose a data breach within 72 hours of becoming aware of an incident, but there are no legal requirements on the customer to keep the information confidential. It didn’t take long for the company to face flack from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”

  38. Tomi Engdahl says:

    Engineer punished for reporting data leak
    An engineer speaks out about how reporting a data leak to UK-based non-profit landed him in legal trouble

    Security engineer Rob Dyke recently reported a data leak to the Apperta Foundation, which is a non-profit, supported by NHS England and NHS Digital. The organisation thanked him for responsible reporting, however later ‘thanked him’ with legal correspondence and police intervention. Dyke discovered an exposed GitHub repository earlier this month, which was exposing passwords, API keys and sensitive financial records belonging to the Apperta Foundation. The repository had been public since at least 2019. The researcher encrypted the data he had found and securely stored it for 90 days, which is a part of the coordinated disclosure process.

    Dyke then received an email from a Northumbria Police cyber investigator, relating to a report of “computer misuse”. This was after he had received a reply from Apperta with the representative thanking him, and claiming they’ll sort the issue. The engineer stated: “I knew how I was supposed to report it to them. So I reported it to them, via their established procedure. And I didn’t really think any more about it.” Apperta’s lawyers stated they believed the engineer’s actions to be “unlawful” and demanded a written undertaking that any data the engineer had come across was deleted.

  39. Tomi Engdahl says:

    Saudi Arabia’s $500 billion megacity Neom is creating plans to harvest an unprecedented amount of data from future residents. Experts say it’s either dystopian or genius.

    Saudi Arabia is building a futuristic megacity from scratch named Neom.
    The city plans to ask future residents to submit a huge amount of personal data to help it run.
    Experts said technophiles would flock to Neom but warned about potential mass surveillance.

  40. Tomi Engdahl says:

    Cuomo’s Covid-19 Vaccine Passport Leaves Users Clueless About Privacy

  41. Tomi Engdahl says:

    Credit Card Hacking Forum Gets Hacked, Exposing 300,000 Hackers’ Accounts
    Credit card hacking forum Carding Mafia is the latest victim of the age-old hackers on hackers crime.

  42. Tomi Engdahl says:

    New Code Execution Flaws In Solarwinds Orion Platform

    Solarwinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that can be exploited for remote code execution attacks.

    The patches were pushed out Thursday as part of a minor security makeover of the Orion Platform, the same compromised Solarwinds product that was exploited in recent nation-state software supply chain attacks.

    The latest Orion Platform 2020.2.5 addresses at least four security flaws, one rated “critical” because of the risk of remote code execution attacks. The company did not release technical details of the vulnerability, which does not yet have a CVE assigned.

    Solarwinds described that flaw simply as “RCE via Actions and JSON Deserialization.”

  43. Tomi Engdahl says:

    OpenSSL 1.1.1k Patches Two High-Severity Vulnerabilities

    The OpenSSL Project on Thursday announced the release of version 1.1.1k, which patches two high-severity vulnerabilities, including one related to verifying a certificate chain and one that can lead to a server crash.

    The first security hole, tracked as CVE-2021-3450, has been described as a “problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag.” The flaw was discovered by researchers at Akamai.

    “Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates,” the OpenSSL Project explained in its advisory.

    The second vulnerability, tracked as CVE-2021-3449 and discovered by employees of telecoms giant Nokia, involves sending a specially crafted renegotiation ClientHello message from a client, and it can be exploited for denial-of-service (DoS) attacks.

    “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” reads the description of this vulnerability.

    Servers running OpenSSL 1.1.1 are affected by CVE-2021-3449 if they have TLS 1.2 and renegotiation enabled — this is the default configuration.
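
    The strict-check bypass quoted from the OpenSSL advisory above, modelled as an added C example (this is not OpenSSL's x509_vfy.c and not code from the original post): a simplified chain verifier in which the strict elliptic-curve check stores its result in the variable that holds the CA verdict, beside the hardened form that consults the curve check only when the earlier checks passed. The `cert_t` struct, `check_ca`, `check_curve`, the error codes and the constructed three-certificate chain are all assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the per-certificate checks a chain verifier runs
 * (example code, not OpenSSL's): a CA check on every issuer plus, under the
 * strict flag, a check that an EC key has no explicitly encoded curve
 * parameters. All names here are assumptions. */
typedef struct {
    bool is_ca;               /* basicConstraints cA as seen by the verifier */
    bool explicit_ec_params;  /* EC public key with explicit parameters */
} cert_t;

enum { CHECK_OK = 0, ERR_INVALID_CA = 1, ERR_EC_EXPLICIT_PARAMS = 2 };

/* Index 0 is the leaf; every other certificate must be a CA. 1 = ok. */
static int check_ca(const cert_t *c, size_t i)
{
    return (i == 0 || c->is_ca) ? 1 : 0;
}

/* Strict check: 1 if the key is acceptable, 0 if it uses explicit params. */
static int check_curve(const cert_t *c)
{
    return c->explicit_ec_params ? 0 : 1;
}

/* Vulnerable pattern: the curve check overwrites the CA verdict, so a failed
 * CA check is discarded whenever the key has no explicit parameters. */
int verify_chain_vulnerable(const cert_t *chain, size_t n, bool strict, int *err)
{
    for (size_t i = 0; i < n; i++) {
        int ret = check_ca(&chain[i], i);
        int why = ret ? CHECK_OK : ERR_INVALID_CA;
        if (strict && n > 1) {
            ret = check_curve(&chain[i]);   /* BUG: clobbers the CA verdict */
            why = ret ? CHECK_OK : ERR_EC_EXPLICIT_PARAMS;
        }
        if (ret == 0) {
            *err = why;
            return 0;
        }
    }
    *err = CHECK_OK;
    return 1;
}

/* Hardened form: the curve check runs only if the earlier checks passed. */
int verify_chain_fixed(const cert_t *chain, size_t n, bool strict, int *err)
{
    for (size_t i = 0; i < n; i++) {
        int ret = check_ca(&chain[i], i);
        int why = ret ? CHECK_OK : ERR_INVALID_CA;
        if (ret > 0 && strict && n > 1) {
            ret = check_curve(&chain[i]);
            why = ret ? CHECK_OK : ERR_EC_EXPLICIT_PARAMS;
        }
        if (ret == 0) {
            *err = why;
            return 0;
        }
    }
    *err = CHECK_OK;
    return 1;
}

/* Constructed chain: leaf <- end-entity cert misused as issuer <- root CA. */
static const cert_t bad_issuer_chain[] = {
    { .is_ca = false, .explicit_ec_params = false },
    { .is_ca = false, .explicit_ec_params = false },
    { .is_ca = true,  .explicit_ec_params = false },
};
#define CHAIN_LEN(c) (sizeof(c) / sizeof((c)[0]))

/* Vulnerable verifier, strict flag on: returns 1 (chain accepted). */
int demo_vulnerable_strict(void)
{
    int err;
    return verify_chain_vulnerable(bad_issuer_chain, CHAIN_LEN(bad_issuer_chain), true, &err);
}

/* Same verifier with the strict flag off: the CA check is honoured. */
int demo_vulnerable_nonstrict(void)
{
    int err;
    return verify_chain_vulnerable(bad_issuer_chain, CHAIN_LEN(bad_issuer_chain), false, &err);
}

/* Error code the fixed verifier reports for the bad chain in strict mode. */
int demo_fixed_strict_error(void)
{
    int err;
    verify_chain_fixed(bad_issuer_chain, CHAIN_LEN(bad_issuer_chain), true, &err);
    return err;
}

int main(void)
{
    printf("vulnerable, strict:  %s\n", demo_vulnerable_strict() ? "ACCEPTED" : "rejected");
    printf("vulnerable, default: %s\n", demo_vulnerable_nonstrict() ? "ACCEPTED" : "rejected");
    printf("fixed, strict:       rejected, error %d\n", demo_fixed_strict_error());
    return 0;
}
```

    The point the model makes is the one in the advisory: the extra strict check is only dangerous because it reuses the verdict variable, and the bypass appears only when the strict flag is set, which is why the default (non-strict) path still rejects the chain. A defender's check for the real issue is the library version: anything from 1.1.1h up to and including 1.1.1j carries the overwritten check, and 1.1.1k does not.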

  44. Tomi Engdahl says:

    Dark web bursting with COVID-19 vaccines, vaccine passports
    Researchers saw listings increase 300% in the last three months.

    For just $500, you could get a COVID-19 vaccine dose tomorrow (overnight shipping not included). Too rich for your blood? How about a vaccination card for just $150?

    Security researchers have seen a spike in listings on dark web marketplaces in recent weeks. The sites are advertising everything from vaccine doses to falsified vaccine certifications and negative test results. Currently, more than 1,200 listings are offering a variety of vaccines, including Pfizer, Moderna, Johnson & Johnson, AstraZeneca, Sputnik, and Sinopharm.

  45. Tomi Engdahl says:

    Joseph Cox / VICE:
    Text routing firm Aerialink says that all major US cell carriers have closed an SMS loophole that allowed hackers to easily reroute a target’s text messages — All the mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16. — Joseph Cox

    T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation

    All the mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16.

  46. Tomi Engdahl says:

    Source: Biden EO draft would require many software vendors to notify their federal govt. clients of cybersecurity breaches and preserve accompanying data logs — SAN FRANCISCO (Reuters) – A planned Biden administration executive order will require many software vendors to notify …

    Exclusive: Software vendors would have to disclose breaches to U.S. government users under new order: draft

    A planned Biden administration executive order will require many software vendors to notify their federal government customers when the companies have a cybersecurity breach, according to a draft seen by Reuters.

  47. Tomi Engdahl says:

    Google’s top security teams unilaterally shut down a counterterrorism operation

    The decision to block an “expert” level cyberattack has caused controversy inside Google after it emerged that the hackers in question were working for a US ally.
