Cyber security news March 2021

This posting is here to collect cyber security news in March 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    A new Android spyware masquerades as a ‘system update’
    The malware can take complete control of a victim’s device

    Security researchers say a powerful new Android malware masquerading as a critical system update can take complete control of a victim’s device and steal their data.

    The malware was found bundled in an app called “System Update” that had to be installed outside of Google Play, the app store for Android devices. Once installed by the user, the app hides and stealthily exfiltrates data from the victim’s device to the operator’s servers.

  2. Tomi Engdahl says:

    German Parliament targeted again by Russian state hackers
    It is believed that the attackers were able to gain access to the
    email accounts of seven members of the German federal parliament
    (Bundestag) and 31 members of German regional parliaments. “The
    Ghostwriter campaign leverages traditional cyber threat activity and
    information operations tactics to promote narratives intended to chip
    away at NATO’s cohesion and undermine local support for the
    organization in Lithuania, Latvia, and Poland,” FireEye said.

  3. Tomi Engdahl says:

    Hades ransomware operators are hunting big game in the US
    Accenture says that the threat actors are focused on hunting
    organizations that generate at least $1 billion in annual revenue. See

  4. Tomi Engdahl says:

    New Advanced Android Malware Posing as “System Update”
    The new malware disguises itself as a System Update application, and
    is stealing data, messages, images and taking control of Android
    phones. Once in control, hackers can record audio and phone calls,
    take photos, review browser history, access WhatsApp messages, and

  5. Tomi Engdahl says:

    Krebs: No, I Did Not Hack Your MS Exchange Server
    The Shadowserver Foundation says it has found 21,248 different
    Exchange servers which appear to be compromised by a backdoor and
    communicating with brian[.]krebsonsecurity[.]top. The malware runs
    Windows Defender, which is a security product Microsoft ships with
    Windows devices that can help block attacks such as those we’ve seen
    targeting Exchange servers. In an unrelated case a reader found that a
    cryptominer had been dropped, pointing to
    XXX-XX-XXX[.]krebsonsecurity[.]top — where the Xs of the subdomain
    make up [Brian Krebs'] Social Security number.

  6. Tomi Engdahl says:

    Online vaccine scams: Homeland Security Investigations, INTERPOL issue
    public warning
    Homeland Security Investigations (HSI) and INTERPOL have joined forces
    to warn the public against purchasing alleged COVID-19 vaccines and
    treatments online.

  7. Tomi Engdahl says:

    Hackers backdoor PHP source code after internal repo hack

    Hackers have breached the internal Git repository of the PHP programming language and have added a backdoor to the PHP source code in an attack that took place over the weekend, on Sunday, March 28.

    The backdoor mechanism was first spotted by Michael Voříšek, a Czech-based software engineer.

    If the malicious code had made it into production, the code would have allowed threat actors to execute their own malicious PHP commands on victims’ servers.

    To trigger the malicious code execution, attackers had to send an HTTP request to a vulnerable server with a user-agent HTTP header that started with the string “zerodium,” the name of a well-known exploit broker.

    The PHP team formally confirmed the incident late on Sunday night in a message posted on its mailing list.

    According to their statement, the malicious code was added to the PHP source code through the accounts of two of the PHP team’s core members, Rasmus Lerdorf and Nikita Popov; however, Popov said that neither he nor Lerdorf were involved.

    As a result of the security breach, the PHP team decided yesterday that its internal Git server was not trustworthy anymore and has moved source code management operations to its official GitHub account, which will become PHP’s official Git repository going forward.

    PHP is currently used by almost 80% of all websites on the internet, according to tech stats website W3Techs; however, the incident would have affected only a small portion of these systems as most PHP servers usually lag in terms of patching and running the latest software version.

  8. Tomi Engdahl says:

    Channel Nine cyber-attack disrupts live broadcasts in Australia
    “Our IT teams are working around the clock to fully restore our
    systems which have primarily affected our broadcast and corporate
    business units. Publishing and radio systems continue to be
    operational,” the company said in a statement. See also:

  9. Tomi Engdahl says:

    Docker Hub images downloaded 20M times come with cryptominers
    Researchers found that more than two-dozen containers on Docker Hub
    have been downloaded more than 20 million times for cryptojacking
    operations spanning at least two years. Docker Hub is the largest
    library of container applications, allowing companies to share images
    internally or with their customers, or the developer community to
    distribute open-source projects. The researcher estimates that the
    cryptojacking activity involving these containers enabled the
    attackers to mine about $200,000 worth of cryptocurrency. See also:

  10. Tomi Engdahl says:

    PHP’s Git server hacked to add backdoors to PHP source code
    The official PHP Git repository was hacked and the code base tampered
    with. Yesterday, two malicious commits were pushed to the php-src Git
    repository maintained by the PHP team. The code plants a backdoor for
    obtaining easy Remote Code Execution (RCE) on a website running this
    hijacked version of PHP. See also:

  11. Tomi Engdahl says:

    Ransomware admin is refunding victims their ransom payments
    Ziggy ransomware shut down in early February. In a short announcement,
    the administrator of the operation said that they were “sad” about
    what they did and that they “decided to publish all decryption keys.”
    After announcing the end of the operation, the administrator of Ziggy
    ransomware is now stating that they will also give the money back.

  12. Tomi Engdahl says:

    OVH reveals it’s scrubbing servers to get smoke residue off before
    Quite a few have come back online, but it takes seven hours to restore
    each rack. French cloud operator OVH has revealed how it is cleaning
    every server it thinks can be returned to service in its scorched
    Strasbourg data centres.

  13. Tomi Engdahl says:

    As Covid-19 Vaccines Ramp Up, So Do Covid-19 Scams
    The bogus websites have become phishing emails and phishing text
    messages. Now we have fake pollsters, fake messages from your HR
    department, fake cures and fake vaccine appointments. Scammers are
    using concern about the pandemic to steal identities and money. In
    the year since Forbes first covered the scams preying on fears of the
    Covid-19 coronavirus, this area of cybercrime has simply exploded.

  14. Tomi Engdahl says:

    Backdoor Disguised as Typo Fix Added to PHP Source Code

    The developers of the PHP scripting language revealed on Sunday that they had identified what appeared to be malicious code in the php-src repository hosted on the server.
    The unauthorized code was disguised as two typo fix-related commits.
    “We don’t yet know how exactly this happened, but everything points towards a compromise of the server (rather than a compromise of an individual git account),” Popov explained after the incident was discovered.
    Interestingly, the malicious code is triggered by the string “zerodium.” Zerodium is the name of a well-known and controversial exploit acquisition company that claims to provide exploits to “government organizations (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities.”
    The commit added to the PHP code also contains the text “REMOVETHIS: sold to zerodium, mid 2017.”
    It’s unclear if and how Zerodium is linked to this incident.
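Comments 7, 10 and 14 above describe the same mechanism: the backdoored build executed attacker-supplied code when a user-agent header value began with the string "zerodium". The following is an added defensive example, not code from the PHP project or from the articles quoted here. It shows two places an operator can look for that trigger after the fact: raw request headers as a reverse proxy or WAF sees them, and Apache/nginx combined-format access logs (which record only the User-Agent header). The sample request and log lines are constructed; the header-name prefix match and the case-insensitive comparison are design choices of this example, not facts stated on the page.

```python
import re

# Trigger string named on the page: the backdoor fired on a user-agent value
# beginning with "zerodium" (compared case-insensitively here as a defensive choice).
TRIGGER = "zerodium"

# Apache/nginx Combined Log Format; only the User-Agent header is recorded there.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def value_is_trigger(value):
    """True when a header value starts with the trigger string."""
    return value.strip().lower().startswith(TRIGGER)


def scan_request_headers(raw_request):
    """Scan one raw HTTP request (request line plus headers) and return the
    (header-name, value) pairs that carry the trigger. Every header whose name
    begins with 'user-agent' is checked, so a variant or misspelled header name
    is not missed; that breadth is an assumption of this example."""
    hits = []
    for line in raw_request.splitlines()[1:]:   # element 0 is the request line
        if not line.strip():                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower().startswith("user-agent") and value_is_trigger(value):
            hits.append((name.strip(), value.strip()))
    return hits


def scan_access_log(lines):
    """Return (client_ip, request, user_agent) for combined-format log lines
    whose User-Agent starts with the trigger string."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if m and value_is_trigger(m.group("ua")):
            findings.append((m.group("ip"), m.group("req"), m.group("ua")))
    return findings


# Constructed sample data (not captured traffic). The trigger value is a
# harmless marker string, not a payload.
SAMPLE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: zerodium-probe-CONSTRUCTED\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "\r\n"
)
SAMPLE_LOG = [
    '198.51.100.2 - - [29/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [29/Mar/2021:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 77 '
    '"-" "Zerodium-probe-CONSTRUCTED"',
]

if __name__ == "__main__":
    print("request hits:", scan_request_headers(SAMPLE_REQUEST))
    print("log hits:", scan_access_log(SAMPLE_LOG))
```

A hit in either scanner only tells you that someone sent the trigger string; whether the server was actually running a backdoored build is a separate question answered by checking which php-src commits the installed binary was built from.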

  15. Tomi Engdahl says:

    ‘Hades’ Ransomware Hits Big Firms, but Operators Slow to Respond to Victims

    Researchers from CrowdStrike, Accenture, and Awake Security have dissected some of the attacks involving the Hades ransomware and published information on both the malware itself and the tactics, techniques and procedures (TTPs) employed by its operators.

    Initially observed in December 2020, the self-named Hades ransomware (a different malware family from the Hades Locker ransomware that emerged in 2016) employs a double-extortion tactic, exfiltrating victim data and threatening to leak it publicly unless the ransom is paid.

    The adversary appears mainly focused on enterprises, with some of the victims being multi-national organizations with more than $1 billion in annual revenues. The attacks mainly affected Canada, Germany, Luxembourg, Mexico, and the United States.

  16. Tomi Engdahl says:

    Vulnerability in ‘netmask’ npm Package Affects 280,000 Projects

    A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.

    The newly identified issue (which is tracked as CVE-2021-28918) resides in the fact that the package would incorrectly read octal encoding, essentially resulting in the misinterpretation of supplied IP addresses.
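The netmask bug above comes down to two parsers disagreeing about what a dotted-quad string means. The following is an added example written for this page, not the netmask package's own code: it models three ways of reading an IPv4 octet (octal when it has a leading zero, as libc's inet_aton does; lenient decimal that drops leading zeros, the misreading the page describes; and a strict form that rejects leading zeros outright), then shows why a "not loopback" check built on the lenient reading passes a string the operating system resolves to 127.0.0.1, and why the strict form is the mitigation. The function names are hypothetical, and the inet_aton model is simplified (hexadecimal octets are not handled).

```python
import re
from ipaddress import IPv4Address, IPv4Network

DOTTED_QUAD = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def _octets(text):
    """Split a dotted quad into its four digit strings, or raise."""
    m = DOTTED_QUAD.match(text)
    if not m:
        raise ValueError(f"not a dotted quad: {text!r}")
    return m.groups()


def parse_inet_aton_style(text):
    """An octet with a leading zero is octal; this mirrors what libc inet_aton
    (and so the host's socket layer) does with the same string. Simplified model:
    hexadecimal octets are not handled."""
    octets = []
    for tok in _octets(text):
        val = int(tok, 8) if len(tok) > 1 and tok.startswith("0") else int(tok)
        if val > 255:
            raise ValueError(f"octet out of range: {tok!r}")
        octets.append(val)
    return ".".join(map(str, octets))


def parse_lenient_decimal(text):
    """The misinterpretation the page describes: leading zeros are silently
    dropped and every octet is read as decimal."""
    octets = [int(tok) for tok in _octets(text)]
    if any(v > 255 for v in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets))


def parse_strict(text):
    """Mitigation: accept only canonical decimal octets and refuse any octet
    with a leading zero, so no two parsers can disagree about the address."""
    for tok in _octets(text):
        if len(tok) > 1 and tok.startswith("0"):
            raise ValueError(f"ambiguous octet {tok!r}: leading zero")
        if int(tok) > 255:
            raise ValueError(f"octet out of range: {tok!r}")
    return text


LOOPBACK = IPv4Network("127.0.0.0/8")


def lenient_check_allows(text):
    """A 'not loopback' check built on the lenient parser (the failure mode)."""
    return IPv4Address(parse_lenient_decimal(text)) not in LOOPBACK


def os_resolves_to_loopback(text):
    """What the host would actually connect to for the same string."""
    return IPv4Address(parse_inet_aton_style(text)) in LOOPBACK


def strict_check_allows(text):
    """Mitigated check: ambiguous input is refused rather than guessed at."""
    try:
        return IPv4Address(parse_strict(text)) not in LOOPBACK
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("0177.0.0.1", "010.0.0.1", "127.0.0.1", "8.8.8.8"):
        print(sample,
              "lenient:", parse_lenient_decimal(sample),
              "inet_aton:", parse_inet_aton_style(sample),
              "strict allows:", strict_check_allows(sample))
```

The design point is that a filter should never accept a representation it cannot interpret unambiguously; rejecting leading-zero octets (as the strict parser does) removes the disagreement rather than trying to pick the "right" reading.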

  17. Tomi Engdahl says:

    Alan Suderman / Associated Press:
    Sources: SolarWinds hackers gained access to emails of Trump administration’s top DHS officials, including acting Secretary Chad Wolf and cybersecurity staff — Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department …

    AP sources: SolarWinds hack got emails of top DHS officials

    Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries, The Associated Press has learned.

    The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what’s known as the SolarWinds intrusion, and it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can’t protect itself.

    The short answer for many security experts and federal officials is that it can’t — at least not without some significant changes.

    “The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,” said Sen. Rob Portman of Ohio, top Republican on the Senate’s Homeland Security and Governmental Affairs Committee. “We are talking about DHS’s crown jewels.”

  18. Tomi Engdahl says:

    Whistleblower: Ubiquiti Breach “Catastrophic”
    Ubiquiti Inc. – a major vendor of cloud-enabled Internet of Things
    (IoT) devices such as routers, network video recorders and security
    cameras disclosed that a breach involving a third-party cloud provider
    had exposed customer account credentials. Now a source who
    participated in the response to that breach alleges Ubiquiti massively
    downplayed a “catastrophic” incident to minimize the hit to its stock
    price, and that the third-party cloud provider claim was a

  19. Tomi Engdahl says:

    Unfair exchange: ransomware attacks surge globally amid Microsoft
    Exchange Server vulnerabilities
    Over the past year, hospitals and the healthcare industry have been
    under tremendous pressure during the COVID-19 pandemic, not only
    dealing with surges in patient numbers, but also with shameless
    ransomware attacks. It now seems that criminals are shifting their
    attention to new targets, because they sense even easier opportunities
    for their extortion tactics.

  20. Tomi Engdahl says:

    Akamai Sees Largest DDoS Extortion Attack Known to Date
    Distributed denial of service (DDoS) attacks are growing bigger in
    volume, and they have also become more targeted and increasingly
    persistent, according to web security services provider Akamai. The
    most recent extortion attack peaking at more than 800 Gbps and
    targeting a European gambling company, was the biggest and most
    complex we’ve seen since the widespread return of extortion attacks
    that kicked off in mid-August 2020.

  21. Tomi Engdahl says:

    Cybercriminals Publish Data Allegedly Stolen From Shell, Multiple Universities

    The FIN11 hacking group has published on their leaks website files that were allegedly stolen from oil and gas giant Shell, likely during a cyber-security incident involving Accellion’s File Transfer Appliance (FTA) file sharing service.

    Last week, Shell revealed that it was one of the organizations affected by the Accellion cyber-attack, confirming that attackers were able to steal both corporate data and personal information pertaining to its employees.

    Some of these files — including passport copies, an evaluation report and a document written in Hungarian — are now public on a Tor-based website where hackers who conduct Clop ransomware attacks leak stolen information.

    At the time of the attack on Accellion’s FTA, the soon-to-be-retired service had roughly 300 customers, with up to 25 of them believed to have suffered significant data compromise. The impacted organizations include Qualys, Kroger, Jones Day, Bombardier, and the Office of the Washington State Auditor (SAO).

  22. Tomi Engdahl says:

    Child Unknowingly Tweets From US Nuclear Command’s Account

    Some jokingly said the cryptic tweet, “;l;;gmlxzssaw,” was a US nuclear launch code. Others, that the Pentagon had been hacked.

    And some even thought it was a signal to political conspiracists.

    Now the US Strategic Command, which runs the country’s powerful nuclear weapons force, says the enigmatic posting on its Twitter account in fact came from the hands of a precocious kid.

    But Stratcom told reporter Mikael Thalen of the Daily Dot that the tweet was no secret message, and was instead the result of a Stratcom social media editor working from home.

    “The Command’s Twitter manager, while in a telework status, momentarily left the Command’s Twitter account open and unattended. His very young child took advantage of the situation and started playing with the keys and, unfortunately, and unknowingly, posted the tweet,” Stratcom official Kendall Cooper said in a letter Thalen posted online.

    “Absolutely nothing nefarious occurred, i.e. no hacking of our Twitter account.”

    Thirty minutes later Stratcom tweeted to disregard the previous tweet, and then both of those messages were deleted.

  23. Tomi Engdahl says:

    Akamai Sees Largest DDoS Extortion Attack Known to Date

    Distributed denial of service (DDoS) attacks are growing bigger in volume, and they have also become more targeted and increasingly persistent, according to web security services provider Akamai.

    The recently observed assaults haven’t reached the magnitude of the largest DDoS attacks the company has mitigated to date, which have peaked at 1.35 Tbps in 2018 and at 1.44 Tbps in 2020, but three of them are among the six biggest volumetric DDoS attacks Akamai has ever encountered.

  24. Tomi Engdahl says:

    Linux Kernel Vulnerabilities Can Be Exploited to Bypass Spectre Mitigations

    Recent Linux kernel updates include patches for a couple of vulnerabilities that could allow an attacker to bypass mitigations designed to protect devices against Spectre attacks.

    The Spectre and Meltdown vulnerabilities were disclosed in January 2018, when researchers warned that billions of devices powered by CPUs from Intel, AMD and other vendors were affected. An attacker can exploit the flaws — in some cases remotely — to obtain potentially sensitive data, such as encryption keys and passwords.

    Patches and mitigations have been made available by both hardware and operating system vendors, but many devices are likely still vulnerable to attacks because the patches and mitigations have not been applied. It seems that it’s also still possible to launch attacks due to the fact that some mitigations can be bypassed by attackers.

    Symantec reported on Monday that Piotr Krysiuk, a member of its Threat Hunter team, has identified two new vulnerabilities in the Linux kernel that can be exploited to bypass mitigations for the Spectre vulnerabilities.

    One of the flaws, tracked as CVE-2020-27170, can be leveraged to obtain data from a device’s entire memory, while the second, identified as CVE-2020-27171, can be used to obtain contents from a 4Gb range of kernel memory. Both issues are related to the extended Berkeley Packet Filter (eBPF) technology used by the Linux kernel.

    BPF enables the execution of programs directly in the kernel, but not before these programs are analyzed to ensure they’re safe. This process should also provide protection against Spectre attacks, but the vulnerabilities discovered by the Symantec researcher can be exploited to bypass this protection, allowing a local attacker to obtain potentially sensitive data from the device’s memory.

  25. Tomi Engdahl says:

    Child tweets gibberish from US nuclear-agency account

    A young child inadvertently sparked confusion over the weekend by posting an unintelligible tweet to the official account of US Strategic Command.

  26. Tomi Engdahl says:

    Enough Is Enough: What Happens When Law Enforcement Bends Laws to Access Data

    Tutanota co-founder Matthias Pfau explains how a recent court order is a wake-up call to end the encryption debate once and for all
    In a world increasingly reliant on the Internet in our day-to-day lives, there’s no turning back on encryption.

    Encryption is a critical security tool for citizens, businesses, and governments to communicate confidentially and reliably. In some professions, such as the health and legal sectors, encryption is a requirement to protect sensitive client information. Journalists also rely on encryption to securely communicate with sources, which is critical to guarantee the freedom of the press and free speech.

    In fact, the right to privacy is enshrined in many democratic countries’ constitutions and is highly valued across societies. Strong encryption helps enable citizens to exercise that right.

    But time and again, the user trust guaranteed by encryption finds itself under attack.

    Law enforcement agencies and governments are increasingly asking for access to data to catch criminals, they say, including when the data is encrypted. Some are even trying to force companies to create so-called backdoors to encryption so that the authorities can gain access to encrypted communications upon request. While we all want to prevent crime online, there simply isn’t a magic key that would give access to the “good guys” without also making sensitive user data available to anyone else that wants it – including criminals. Strong encryption is binary: it’s either on or off. It either works for everyone or for no one. Weakening encryption only for criminals is technically impossible.

    For this single account, we were ordered to copy unencrypted incoming and outgoing emails before they were encrypted.

    Fortunately, the court order does not affect or undermine the security of the end-to-end encrypted emails in Tutanota. However, this approach to accessing unencrypted emails is disturbing on many levels. Two stand out in particular:

    Forcing a company to hand over data before it is encrypted significantly breaches the privacy and confidentiality that users expect.
    Granting access to data meant to be encrypted could set a dangerous precedent that could be used to force companies to compromise end-to-end encryption.

    The Right to Privacy Includes the Right to Encryption

    Preventing companies from offering the highest levels of security and privacy online puts businesses and users at incredible risk of harm. That’s why Tutanota is challenging the court’s decisions. We want to make sure that the ruling is not used as a precedent for German law enforcement agencies to force companies to undermine the security and privacy of their services.

    What we need in today’s Internet is not less encryption, but more. We must remain vigilant to make sure that law enforcement agencies cannot bend the laws the way they want to get access to data.

    The European GDPR specifically mentions end-to-end encryption as the best tool to protect citizens’ data from various threats online. Germany as well as the European Union must make sure that neither service providers nor criminals can abuse citizens’ data stored online.

    European citizens and businesses rely on unbreakable end-to-end encryption.

  27. Tomi Engdahl says:

    He believed Apple’s App Store was safe. Then a fake app stole his life
    savings in bitcoin.

  28. Tomi Engdahl says:

    Dutch Data Protection Authority Fines Over Incident Notification

    The Dutch Data Protection Authority announced on Wednesday that it has issued a fine of €475,000 (roughly $550,000) to online travel agency for failing to report a data security incident within the required timeframe.

    According to the privacy watchdog, the incident took place in December 2018 and it involved cybercriminals using voice phishing (vishing) and social engineering to trick the employees of 40 hotels in the United Arab Emirates into handing over their credentials for their accounts.

    The cybercrooks then used that access to obtain information on more than 4,000 individuals who had booked a hotel through They also managed to access payment card information belonging to nearly 300 people and attempted to phish the card information of others by posing as employees over the phone or email.

  29. Tomi Engdahl says:

    What’s being changed this time?

    Companies Must Quickly Report Hacks to U.S. Under Proposed Order

    Companies doing business with the federal government would be required to report hacks of their computer networks within a few days, according to a draft executive order that the Biden administration is urgently trying to complete, people familiar with the matter said.

    President Joe Biden hasn’t yet signed off on the executive actions, which are likely to reach his desk in the next two weeks, one of the people said.

    The executive order, when signed, would mandate important cybersecurity improvements, but it also would push basic changes that could deter cyber-attacks in both the government and private sector, according to people familiar with it. They requested anonymity to speak about actions the administration hasn’t yet announced.

  30. Tomi Engdahl says:

    Mandy Zuo / South China Morning Post:
    Report: Chinese hackers have stolen videos from thousands of home security cameras in the country and are selling them as “home video packages” via social media

    Hackers are stealing videos from private security cameras and selling them as home video tapes

    Videos can cost as little as US$3 and the perpetrators offer ‘set meal’ packages with multiple live streams
    One man claims 8,000 videos were shared in one group chat within 20 days in February

    Tens of thousands of hacked security videos are being sold online. Many are fairly boring, showing people just sitting around their homes or hotels.

    The video footage showcases clips from cameras
    installed by homeowners for security reasons or others secretly installed by ill-intentioned people in hotels, fitting rooms and beauty salons.

    The videos are priced based on how exciting they are and are sold via social media, according to an undercover investigative report aired by the television station on Monday.

    Video clips involving nudity or sexual acts are priced at 50 yuan (US$8) each, while those “normal ones shot in hotel rooms” are 20 yuan (US$3), said an unidentified seller of these videos in the report.

    Real-time viewing is also available at “set meal” prices. People can buy the IDs and passwords of cameras in 10 households for just 70 yuan (US$11), while 10 hotels plus 10 households costs 150 yuan (US$23), and 20 hotels plus 20 households for 258 yuan (US$39), according to another seller.

    They came from cameras located across the country, with Guangdong, Hunan and Hubei province being the most prominent sources.

  31. Tomi Engdahl says:

    Credit Card Hacking Forum Gets Hacked, Exposing 300,000 Hackers’ Accounts
    Credit card hacking forum Carding Mafia is the latest victim of the age-old hackers on hackers crime.

    Carding Mafia, a forum for stealing and trading credit cards has been hacked, exposing almost 300,000 user accounts, according to data breach notification service Have I Been Pwned.

    In March 2021, the Carding Mafia forum suffered a data breach that exposed almost 300k members’ email addresses. Dedicated to the theft and trading of stolen credit cards, the forum breach also exposed usernames, IP addresses and passwords stored as salted MD5 hashes.

  32. Tomi Engdahl says:

    Hackers backdoor PHP source code after breaching internal git server
    Code gave code-execution powers to anyone who knew the secret password: “zerodium.”

  33. Tomi Engdahl says:

    Buffer overruns, license violations, and bad code: FreeBSD 13’s close call
    40,000 lines of flawed code almost made it into FreeBSD’s kernel—we examine how.

  34. Tomi Engdahl says:

    A new Android spyware masquerades as a ‘system update’
    The malware can take complete control of a victim’s device

  35. Tomi Engdahl says:

    Clothes retailer Fatface: Someone’s broken in and accessed your personal data, including partial card payment details… Don’t tell anyone
    ‘Strictly private and confidential’? SERIOUSLY?

    Several people wrote into The Register to let us know about the personal data leak, with reader Terry saying: “You will notice the Fatface email is marked as confidential. This annoyed me.”

    Chief exec Liz Evans wrote in an email titled “Strictly private and confidential – Notice of security incident” sent to users yesterday:

    Please do keep this email and the information included within it strictly private and confidential.

  36. Tomi Engdahl says:

    Google’s top security teams unilaterally shut down a counterterrorism operation
    MIT Technology Review ($): Bombshell of the week. Google shut down a nine-month counterterrorism operation by an unknown Western government. The government was using 11 zero-day vulnerabilities targeting Chrome, Android, but also iOS and Windows. Google’s logic to shut down the operation was that the vulnerabilities “will eventually be used by others,” and took action. But the move sent alarm bells ringing in both Google and the U.S. intelligence community. This was a monster scoop, and one that will likely have ramifications for a while.
    More: Google Project Zero | @chronic | @thegrugq

    Google’s top security teams unilaterally shut down a counterterrorism operation

    The decision to block an “expert” level cyberattack has caused controversy inside Google after it emerged that the hackers in question were working for a US ally.

    by Patrick Howell O’Neill
    March 26, 2021
    Google’s security teams publicly exposed a nine-month hacking operation
    What wasn’t disclosed: The move shut down an active counter-terrorist operation being conducted by a Western government
    The decision has raised alarms inside Google and elsewhere
    Google runs some of the most venerated cybersecurity operations on the planet: its Project Zero team, for example, finds powerful undiscovered security vulnerabilities, while its Threat Analysis Group directly counters hacking backed by governments, including North Korea, China, and Russia. And those two teams caught an unexpectedly big fish recently: an “expert” hacking group exploiting 11 powerful vulnerabilities to compromise devices running iOS, Android, and Windows.

    But MIT Technology Review has learned that the hackers in question were actually Western government operatives actively conducting a counterterrorism operation. The company’s decision to stop and publicize the attack caused internal division at Google and raised questions inside the intelligence communities of the United States and its allies.

