Cyber security news May 2021

This posting is here to collect cyber security news in May 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

318 Comments

  1. Tomi Engdahl says:

    Colonial Pipeline restores operations, $5 million ransom demanded https://www.bleepingcomputer.com/news/security/colonial-pipeline-restores-operations-5-million-ransom-demanded/
    Colonial Pipeline has recovered quickly from the ransomware attack suffered less than a week ago and expects all its infrastructure to be fully operational today. The company has already brought much of the pipeline system online and is currently delivering refined petroleum products to most of the markets it services. Multiple media publications on Wednesday, citing people familiar with the matter, reported that the company had no plan to pay the ransom, although Colonial Pipeline did not communicate its official position on this.
    Also:
    https://www.zdnet.com/article/colonial-pipeline-paid-close-to-5-million-in-ransomware-blackmail-payment/
    https://www.theregister.com/2021/05/13/colonial_pipeline_ransom/
    YLE:
    https://yle.fi/uutiset/3-11930230

    Reply
  2. Tomi Engdahl says:

    Threat Actors Use MSBuild to Deliver RATs Filelessly https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly
    Anomali Threat Research discovered a campaign in which threat actors used MSBuild – a tool used for building apps and gives users an XML schema that controls how the build platform processes and builds software – to filelessly deliver RemcosRAT, and RedLine stealer using callbacks. The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some, hosted on Russian image-hosting site, joxi[.]net. While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.

    Reply
  3. Tomi Engdahl says:

    Meet Lorenz A new ransomware gang targeting the enterprise https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/
    A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site. Michael Gillespie of ID Ransomware has told BleepingComputer that the Lorenz ransomware encryptor is the same as a previous operation known as ThunderCrypt.

    Reply
  4. Tomi Engdahl says:

    Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/
    Web skimming continues to be a real and impactful threat to online merchants and shoppers. The threat actors in this space greatly range in sophistication from amateurs all the way to nation state groups like Lazarus. In terms of security, many e-commerce shops remain vulnerable because they have not upgraded their content management software (CMS) in years. The campaign we are looking at today is about a number of Magento 1 websites that have been compromised by a very active skimmer group.

    Reply
  5. Tomi Engdahl says:

    The New Ransomware Threat: Triple Extortion https://blog.checkpoint.com/2021/05/12/the-new-ransomware-threat-triple-extortion/
    Global surge in ransomware attacks hits 102% increase this year compared to the beginning of 2020, and shows no sign of slowing down.
    Number of organizations impacted by ransomware globally has more than doubled in the first half of 2021 compared with 2020. The healthcare and utilities sectors are the most targeted sectors since the beginning of April 2021. Organizations in Asia Pacific are targeted more than any other region. Check Point Research (CPR) warns of new ransomware threat: Triple Extortion.

    Reply
  6. Tomi Engdahl says:

    FragAttack: New Wi-Fi vulnerabilities that affect basically everything https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/fragattack-new-wi-fi-vulnerabilities-that-affect-basically-everything/
    A new set of vulnerabilities with an aggressive name and their own website almost always bodes ill. The name FragAttack is a contraction of fragmentation and aggregation attacks, which immediately indicates the main area where the vulnerabilities were found. The vulnerabilities are mostly in how Wi-Fi and connected devices handle data packets, and more particularly in how they handle fragments and frames of data packets. As far as the researcher is aware, every Wi-Fi product is affected by at least one vulnerability. Also:
    https://www.bleepingcomputer.com/news/security/all-wi-fi-devices-impacted-by-new-fragattacks-vulnerabilities/
    https://thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.html
    https://therecord.media/wifi-devices-going-back-to-1997-vulnerable-to-new-frag-attacks/
    https://threatpost.com/fragattacks-wifi-bugs-millions-devices/166080/

    Reply
  7. Tomi Engdahl says:

    Microsoft: Threat actors target aviation orgs with new malware https://www.bleepingcomputer.com/news/security/microsoft-threat-actors-target-aviation-orgs-with-new-malware/
    Microsoft warns of an ongoing spear-phishing campaign targeting aerospace and travel organizations with multiple remote access trojans (RATs) deployed using a new and stealthy malware loader. “In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT,” Microsoft said.

    Reply
  8. Tomi Engdahl says:

    Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations https://thehackernews.com/2021/05/ransomware-gang-leaks-metropolitan.html
    The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data if their ransom demands are not met. “The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data,” the gang said in a statement on their data leak site.

    Reply
  9. Tomi Engdahl says:

    Microsoft’s May Patch Tuesday release addressed a modest 55 cybersecurity vulnerabilities, including just four critical bugs. It’s the smallest monthly update from the computing giant since 2020, but it does contain a patch for a concerning wormable vulnerability found in the Windows OS https://threatpost.com/wormable-windows-bug-dos-rce/166057/
    The good news is that none of the vulnerabilities are being actively exploited in the wild, according to Microsoft, though three are listed as publicly known.

    Reply
  10. Tomi Engdahl says:

    Microsoft fixes WSUS bug blocking May Windows security updates https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-wsus-bug-blocking-may-windows-security-updates/
    Microsoft has resolved a known issue preventing managed devices from receiving the May 2021 Patch Tuesday Windows security updates. “When checking for updates within Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager and managed devices that connect to these servers,” this month’s security updates “might not be available or offered,” as Microsoft explained on the Windows Health Dashboard.

    Reply
  11. Tomi Engdahl says:

    FBI warns of cybercriminals abusing search ads to promote phishing sites https://therecord.media/fbi-warns-of-cybercriminals-abusing-search-ads-to-promote-phishing-sites/
    The Federal Bureau of Investigation says that cybercrime gangs are using search results and search engine ads to lure victims to phishing sites for financial institutions in order to collect their login credentials. The schemes resulted in illicit ACH transfers amounting to hundreds of thousands of dollars in financial losses, the FBI said in a private industry notification (PIN) sent to the US private sector on Tuesday.

    Reply
  12. Tomi Engdahl says:

    Hackers prevented schools from opening; Russia is accused of protecting criminals https://www.tivi.fi/uutiset/tv/eecee20f-3e14-44af-adb0-ca65a1c4a9be
    The activities of Russian hackers have been a topic of discussion this week, after a denial-of-service attack disrupted fuel deliveries in the United States. The BBC writes that British Foreign Secretary Dominic Raab has nevertheless directed strong words toward Moscow.
    He spoke about the matter at a conference of the British National Cyber Security Centre (NCSC). When criminals operate on the soil of states such as Russia, the country has a duty to bring them to justice, not to protect them, Raab said. According to him, democratic and authoritarian states stand on opposite sides of the front line in this matter too.

    Russia denied being behind the cyberattack on the oil pipeline in the USA
    https://yle.fi/uutiset/3-11927157
    According to US intelligence, the ransomware originated in Russia. Russia has denied that it is responsible for the cyberattack on the oil pipeline system in the United States. We categorically reject all the fantasies put forward by journalists. We reiterate that Russia does not engage in “malicious” activity in virtual spaces, the Russian Embassy in the United States said in a statement.

    Reply
  13. Tomi Engdahl says:

    DarkSide Ransomware Shutdown: An Exit Scam or Running for Hills?
    https://www.securityweek.com/darkside-ransomware-shutdown-exit-scam-or-running-hills

    The criminal gang behind the disruptive Colonial Pipeline ransomware hack says it is shutting down operations, but threat hunters believe the group will reemerge with a new name and new ransomware variants.

    The DarkSide cybercrime gang claims it is shuttering operations amidst massive blowback from U.S. government and global law enforcement officials.

    According to multiple threat hunters tracking darkweb communications, the DarkSide ransomware-as-a-service infrastructure has gone offline along with a naming-and-shaming website used by the criminal gang to pressure victims during extortion negotiations.

    Security vendor FireEye says its researchers have also seen the DarkSide announcement, which claims the criminals “lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service.”

    However, FireEye says it has not independently validated the claims and warns that this could be part of “an exit scam.”

    Threat intelligence company Flashpoint believes — with moderate confidence based on code analysis — that the ransomware used in the Colonial Pipeline attack is a variant of the notorious REvil ransomware.

    Reply
  14. Tomi Engdahl says:

    Impacted Vendors Release Advisories for FragAttacks Vulnerabilities
    https://www.securityweek.com/impacted-vendors-release-advisories-fragattacks-vulnerabilities

    Impacted vendors have released security advisories in response to the recently disclosed Wi-Fi vulnerabilities collectively tracked as FragAttacks.

    A dozen CVE identifiers have been assigned to the FragAttacks (fragmentation and aggregation attacks) flaws discovered last year by researcher Mathy Vanhoef, including three for design flaws and nine for implementation flaws.

    Vanhoef tested 75 Wi-Fi devices and found that they were all affected by at least one vulnerability, but most of them were impacted by multiple issues. This suggests that a vast majority — if not all — devices with Wi-Fi capabilities are exposed to attacks. The design flaws are more difficult to exploit, while the implementation weaknesses are easier to use in attacks.

    The researcher demonstrated that the vulnerabilities can allow an attacker who is within Wi-Fi range of the targeted device to conduct various activities, including redirect users to arbitrary websites, take control of devices on the network, bypass router firewalls, steal user information, and spy on victims.

    Some of the affected vendors have been notified and given 9 months to release patches. Shortly after Vanhoef made his findings public, more than a dozen vendors released advisories, and some organizations, such as the Wi-Fi Alliance, have released statements on FragAttacks.

    Some vendors say their products are affected only by the design flaws, but others appear to be impacted by multiple CVEs. Some companies noted that their products are affected due to the use of third-party components.

    A majority of vendors have assigned the flaws a moderate/medium severity rating. Some have already released updates that should address the vulnerabilities, while others say they are working on developing patches.

    CVE-2020-24587
    Description: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

    https://www.fragattacks.com/

    Reply
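As an added illustration (not the researcher's code nor any vendor's driver), here is a Python model of the defragmentation check that closes the weakness described in CVE-2020-24587 above: patched implementations only accept fragments that were decrypted under the same key (and, for CCMP/GCMP, carry consecutive packet numbers) and flush partially reassembled frames when the key is renewed. The `Fragment` record and the `Reassembler` class are simplifications of 802.11 defragmentation, not real frame parsing, and every fragment below is constructed.

```python
"""Model of the fragment-reassembly check that closes the mixed-key weakness
(CVE-2020-24587) discussed above.

Added example, not the researcher's code nor any driver's: Fragment and
Reassembler are a simplified model of 802.11 defragmentation, not a frame
parser, and all fragments below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    seq: int          # sequence number shared by every fragment of one frame
    frag: int         # fragment number, 0 for the first
    more: bool        # "more fragments" flag: False on the last fragment
    key_id: int       # identifier of the key this fragment was decrypted with
    pn: int           # CCMP/GCMP packet number (replay counter)
    payload: bytes    # decrypted fragment body


class Reassembler:
    """Reassembles fragments into frames.

    strict=False behaves like the standard's minimum: fragments are matched only
    by sequence number, so a fragment decrypted under a renewed key is accepted.
    strict=True adds the checks patched implementations introduced: all fragments
    of a frame must have been decrypted under the same key and carry consecutive
    packet numbers, and a rekey discards every partially reassembled frame.
    """

    def __init__(self, strict: bool = True):
        self.strict = strict
        self.pending: Dict[int, List[Fragment]] = {}

    def rekey(self) -> None:
        """Called when the pairwise or group key is renewed."""
        if self.strict:
            self.pending.clear()

    def add(self, f: Fragment) -> Tuple[Optional[bytes], Optional[str]]:
        """Return (frame, None) once a frame completes, (None, reason) on
        rejection, or (None, None) while more fragments are expected."""
        if f.frag == 0:
            self.pending[f.seq] = [f]
        else:
            chain = self.pending.get(f.seq)
            if not chain:
                return None, "no first fragment for this sequence number"
            last = chain[-1]
            if f.frag != last.frag + 1:
                self.pending.pop(f.seq)
                return None, "fragment number not consecutive"
            if self.strict and f.key_id != last.key_id:
                self.pending.pop(f.seq)
                return None, "fragments decrypted under different keys"
            if self.strict and f.pn != last.pn + 1:
                self.pending.pop(f.seq)
                return None, "packet numbers not consecutive"
            chain.append(f)
        if f.more:
            return None, None
        frame = b"".join(x.payload for x in self.pending.pop(f.seq))
        return frame, None


def mixed_key_scenario(strict: bool) -> Tuple[Optional[bytes], Optional[str]]:
    """Constructed scenario: the first fragment was decrypted under key 1, the
    second under key 2, both with the same sequence number and no rekey event
    seen by the receiver (key_id alone has to catch it)."""
    r = Reassembler(strict=strict)
    r.add(Fragment(seq=7, frag=0, more=True, key_id=1, pn=100, payload=b"first half "))
    return r.add(Fragment(seq=7, frag=1, more=False, key_id=2, pn=1, payload=b"second half"))


def rekey_scenario() -> Tuple[Optional[bytes], Optional[str]]:
    """Constructed scenario: a rekey lands between the two fragments; strict mode
    drops the stale first fragment so the second cannot complete a frame."""
    r = Reassembler(strict=True)
    r.add(Fragment(seq=9, frag=0, more=True, key_id=1, pn=300, payload=b"stale "))
    r.rekey()
    return r.add(Fragment(seq=9, frag=1, more=False, key_id=2, pn=1, payload=b"tail"))


def benign_scenario() -> Tuple[Optional[bytes], Optional[str]]:
    """Two fragments under one key with consecutive packet numbers reassemble."""
    r = Reassembler(strict=True)
    r.add(Fragment(seq=8, frag=0, more=True, key_id=1, pn=200, payload=b"hello "))
    return r.add(Fragment(seq=8, frag=1, more=False, key_id=1, pn=201, payload=b"world"))


if __name__ == "__main__":
    print("benign:", benign_scenario())
    print("mixed key, lenient:", mixed_key_scenario(strict=False))
    print("mixed key, strict:", mixed_key_scenario(strict=True))
    print("rekey, strict:", rekey_scenario())
```

The lenient reassembler happily glues together a fragment from before a rekey and one from after it, which is exactly the gap the CVE describes; the strict one refuses on the key identifier and, independently, forgets pending fragments at rekey time, so either check alone is enough to stop that frame.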
  15. Tomi Engdahl says:

    Biden Signs Executive Order on Strengthening Cybersecurity Defenses: Feedback Friday
    https://www.securityweek.com/biden-signs-executive-order-strengthening-cybersecurity-defenses-feedback-friday

    U.S. President Joe Biden this week signed an executive order on improving the country’s cybersecurity defenses. The order represents the government’s response to the SolarWinds and other significant attacks carried out by foreign threat actors.

    The executive order focuses on removing barriers to threat information sharing, adopting more modern security solutions (e.g. zero trust architecture), enhancing the security of the software supply chain by requiring developers to improve their security practices, establishing a Cyber Safety Review Board that will review and assess significant incidents, and standardizing the government’s response to vulnerabilities and incidents.

    Executive Order on Improving the Nation’s Cybersecurity
    https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

    Reply
  16. Tomi Engdahl says:

    Access To Arizona Government Routers Has Been Subpoenaed
    Cyber Ninjas has found a way to access voter information without having to do a canvas
    https://medium.com/politically-speaking/access-to-arizona-government-routers-has-been-subpoenaed-aa8f466fad6f

    In the latest installment of the ongoing saga of the audit of the ballots cast in Maricopa County, Arizona in the November election, Cyber Ninjas, the firm with no election experience who is conducting the audit, has demanded access to the state government internet routers and passwords.
    The Arizona state Senate which is controlled by Republicans and hired Cyber Ninjas to do the audit, has issued a subpoena on their behalf for the routers and passwords.

    I’m not going to bore you with detailed explanations of how routers and password authorities work. I could because I used to work with that stuff and find it endlessly fascinating but I know that you don’t so I’ll spare you the geeky stuff.
    Instead, I’m just going to tell you what information can be gained using high level access to the routers. It’s pretty scary. I nearly fell out of my chair when I read about the subpoena because I know exactly how much sensitive data would be revealed.
    Ready?

    Reply
  17. Tomi Engdahl says:

    Hackers behind Colonial Pipeline attack received $90 million in bitcoin before shutting down
    https://www.cnbc.com/2021/05/18/colonial-pipeline-hackers-darkside-received-90-million-in-bitcoin.html

    DarkSide, the hacker group behind the Colonial ransomware attack, received $90 million in bitcoin ransomware payments, according to Elliptic.
    The cybercriminal gang shut down last week after losing access to its servers and as its cryptocurrency wallets were emptied.
    Elliptic said that DarkSide’s bitcoin wallet contained $5.3 million worth of the digital currency before its funds were drained last week.

    Reply
  18. Tomi Engdahl says:

    A bit sloppy on chain of custody…

    City pays $350,000 after suing “hackers” for opening Dropbox link it sent them
    Employee mistakenly sent the link when replying to a records request.
    https://arstechnica.com/tech-policy/2021/05/city-pays-350000-after-suing-hackers-for-opening-dropbox-link-it-sent-them/

    The city of Fullerton, California, has agreed to pay $350,000 to settle a lawsuit it brought against two bloggers it accused of hacking the city’s Dropbox account.

    Joshua Ferguson and David Curlee frequently made public record requests in the course of covering city government for a local blog, Friends for Fullerton’s Future. The city used Dropbox to fulfill large file requests, and in response to a June 6, 2019, request for records related to police misconduct, Ferguson and Curlee were sent a link to a Dropbox folder containing a password-protected zip file.

    But a city employee also sent them a link to a more general “Outbox” shared folder that contained potential records request documents that had not yet been reviewed by the city attorney. The folder wasn’t password protected or access restricted. At the time, there were 19 zip files in the outbox, five of which were not password protected.

    The bloggers downloaded the files related to their records request and the 19 zip files in the outbox link. In the unprotected files, Ferguson and Curlee found emails relating to police internal affairs investigations and an insurance claim regarding an automobile crash involving an allegedly drunk city employee, among others. Throughout June 2019, the bloggers published posts using the documents as source material.

    The city sent two cease and desist letters to Ferguson and Curlee, claiming that the files were confidential and had not been intended for either blogger. On October 24, 2019, the city also filed a restraining order, asking the court to order the bloggers to stop further publication of the documents.

    In early November 2019, the city filed a lawsuit against the bloggers, alleging violations of the Computer Fraud and Abuse Act and California’s Comprehensive Computer Data Access and Fraud Act. An Orange County judge hearing the case granted the restraining order, which later was overturned by a California appellate court. Months later, the city again filed to block publication and again was rebuffed on appeal.

    As the case made its way through the courts, both the Electronic Frontier Foundation and the Reporters Committee for Freedom of the Press filed amicus briefs earlier this year in support of the bloggers. The EFF’s brief was particularly pointed. “The City’s interpretation would permit public officials to decide—after making records publicly available online (through their own fault or otherwise)—that accessing those records was illegal,” the group wrote. “The City proposes that journalists perusing a website used to disclose public records must guess whether particular documents are intended for them or not, intuit the City’s intentions in posting those documents, and then politely look the other way—or be criminally liable.”

    The city of Fullerton faced increasingly long odds of winning the lawsuit, and last week, the city council voted 3-2 to settle the suit. Under the terms of the settlement, the city will pay the defendants $230,000 in attorneys costs and $60,000 each in damages. The city will also post a public apology on its website.

    https://www.eff.org/document/friends-fullertons-future-v-city-fullerton-eff-amicus-brief

    Reply
  19. Tomi Engdahl says:

    Ransomware’s Dangerous New Trick Is Double-Encrypting Your Data
    Even when you pay for a decryption key, your files may still be locked up by another strain of malware.
    https://www.wired.com/story/ransomware-double-encryption/

    RANSOMWARE GROUPS HAVE always taken a more-is-more approach. If a victim pays a ransom and then goes back to business as usual—hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time.

    Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other.

    “The groups are constantly trying to work out which strategies are best, which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not actually decrypted at all.”

    Reply
  20. Tomi Engdahl says:

    Hackers behind Colonial Pipeline attack reportedly received $90 million in bitcoin before shutting down
    https://www.cnbc.com/2021/05/18/colonial-pipeline-hackers-darkside-received-90-million-in-bitcoin.html

    Reply
  21. Tomi Engdahl says:

    Ransomware: Patient data could be ‘abused’ after health service attack, warns Irish government https://www.zdnet.com/article/ransomware-patient-data-could-be-abused-after-health-service-attack-warns-irish-government/
    Condemning any public release by the attackers of stolen patient data as “utterly contemptible”, officials have urged anyone who is affected to contact the Health Service Executive (HSE) or the authorities.
    Press release at
    https://www.gov.ie/en/press-release/a2f03-government-ministers-meet-on-the-hse-cyber-attack/

    Reply
  22. Tomi Engdahl says:

    Wizard Spider profile: Suspected gang behind HSE attack is part of world’s first cyber-cartel
    Health service attack regarded as a for-profit crime rather than any proxy attack by Russia
    https://www.irishtimes.com/news/crime-and-law/wizard-spider-profile-suspected-gang-behind-hse-attack-is-part-of-world-s-first-cyber-cartel-1.4568806?mode=amp

    The attack on the HSE is regarded as a for-profit crime intended to extract a ransom from the HSE, rather than any proxy attack by Russia on the Republic.
    Wizard Spider has been known to attack healthcare facilities in the past but its attack on the Irish health system is regarded as unprecedented in its scale and because it has targeted a national healthcare system, which has never happened before. The size of the ransom demanded is also much larger than previous demands.

    Ciaran Martin, the Northern Irishman who until recently led Britain’s National Cyber Security Centre (NCSC), said while healthcare facilities in the US and some in Europe had been targeted in ransomware attacks, he knew of no attack on the same scale as that on the HSE.

    “The deliberate targeting of a State-run health care system is without parallel in my experience,” he said. While the NHS had been hit by the WannaCry ransomware attack four years ago, it had been accidentally infected during an effort by North Korea to rob Asian banks rather than being the target.

    Those members of Wizard Spider who are based in Russia rarely, if ever, leave that country for fear of being arrested. However, security sources said it was highly likely the people who make up Wizard Spider – who have never been identified – are also based in other countries, mainly Ukraine. The same sources said it was likely many members of the groups had never met and did not know each other, apart from on the Darknet.

    Espionage Malware
    Wizard Spider previously used Ryuk ransomware though, of late, has been using Conti, which is the ransomware deployed against the HSE. Uniquely among cybergangs, evidence has been found of ransoms from simultaneous Ryuk and Conti attacks being transferred into Bitcoin wallets controlled by Wizard Spider.

    Reply
  23. Tomi Engdahl says:

    Found a paper just now of general interest, on using graphics processors (CUDA) to rapidly scan files in parallel on a system for malware. Might be fast enough to run during boot up. https://www.techrepublic.com/article/new-intel-tool-uses-gpu-to-scan-for-viruses-saving-time-and-compute-resources/ but the recent paper was from 2019.

    New Intel tool uses GPU to scan for viruses, saving time and compute resources
    https://www.techrepublic.com/article/new-intel-tool-uses-gpu-to-scan-for-viruses-saving-time-and-compute-resources/

    Reply
  24. Tomi Engdahl says:

    No more fuzzy pictures? The end of an era!

    Cloudflare says it’s time to end CAPTCHA ‘madness’, launches new security key-based replacement
    It works great, but don’t expect CAPTCHAs to disappear just yet
    https://www.theverge.com/platform/amp/2021/5/16/22436395/cloudflare-end-captcha-madness-security-key-cryptographic-attestation-of-personhood

    Reply
  25. Tomi Engdahl says:

    Ireland’s Health Service Executive Held to Ransom by Conti Gang
    https://www.securityweek.com/irelands-health-service-executive-held-ransom-conti-gang

    Ireland’s Health Service Executive (HSE) was hit by a ransomware attack late last week, forcing the organization to shut down its IT system (reported as more than 80,000 computers) on Friday. Green Party Minister of State for Communications Ossian Smyth said the attack was “possibly the most significant cybercrime attack on the Irish State”.

    He said the ransom would not be paid, just as it emerged that HSE may not have been the only target. By Sunday it was learned that the Department of Health had also been attacked by what was assumed to be the same gang. Prime Minister Micheal Martin said, “I think we’re very clear we’re not going to be paying any ransom or engaging in any of that sort of stuff, so we’re very clear on that.”

    Details of the attack on HSE have not yet been disclosed. All that is thought so far is that the attack was by the Conti gang (Conti came to light in the summer of last year), that they demanded a ransom of around $20 million, and it is thought the attack involved the use of a zero day threat.

    Reply
  26. Tomi Engdahl says:

    Microsoft Build Engine Abused for Fileless Malware Delivery
    https://www.securityweek.com/microsoft-build-engine-abused-fileless-malware-delivery
    An ongoing campaign abuses the Microsoft Build Engine (MSBuild) platform for the fileless delivery of malware, security researchers with threat intelligence firm Anomali reveal.
    Described as the build platform for Microsoft and Visual Studio, MSBuild has a feature that allows developers to specify code to be executed in memory, and adversaries have abused this in a new campaign for the fileless delivery of their malicious payloads.

    Reply
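Comments 2 and 26 above both describe the same technique: MSBuild project files whose inline-task code is compiled and run in memory. The following is an added example from a defender's side, not code from Anomali, Microsoft or this blog: it triages constructed process-creation events for MSBuild launched from an unusual parent with a project file in a user-writable directory, and scans a project file for MSBuild's documented inline-task feature (`UsingTask` with a `CodeTaskFactory`) and for large base64-looking blobs of the kind the report says carried encoded executables. The pipe-delimited log format, every event and the sample project file are assumptions constructed for the example.

```python
"""Defender-side triage for the MSBuild fileless-execution pattern described above.

Added example, not code from Anomali or Microsoft. The process-creation log
format ("timestamp|parent_image|image|command_line") and every event and
project file below are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed process-creation events. Only the second and third show the
# pattern worth a look: MSBuild launched from a non-development parent with a
# project file sitting in a user-writable directory.
SAMPLE_EVENTS = """\
2021-05-12T09:01:03Z|C:\\Program Files\\VS\\devenv.exe|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|MSBuild.exe C:\\src\\app\\app.csproj /t:Build
2021-05-12T09:14:55Z|C:\\Windows\\explorer.exe|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe|MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.proj
2021-05-12T09:15:02Z|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe|msbuild.exe C:\\Users\\Public\\update.proj
2021-05-12T09:20:41Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt
"""

# Parents from which a build engine normally has no business being launched.
NON_DEV_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Directories an unprivileged user (or a phishing attachment) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|Downloads|ProgramData)\\", re.I)
PROJECT_ARG = re.compile(r"\S+\.(?:proj|csproj|vbproj|targets)\b", re.I)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the constructed pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append({"timestamp": ts, "parent": parent, "image": image, "cmdline": cmdline})
    return events


def triage_msbuild(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return MSBuild launches with at least one reason to inspect the project file."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image != "msbuild.exe":
            continue
        reasons = []
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        if parent in NON_DEV_PARENTS:
            reasons.append(f"launched by {parent}")
        m = PROJECT_ARG.search(ev["cmdline"])
        if m and USER_WRITABLE.search(m.group(0)):
            reasons.append(f"project file in user-writable path: {m.group(0)}")
        if reasons:
            findings.append({"timestamp": ev["timestamp"], "reasons": reasons})
    return findings


# Constructed project file using MSBuild's documented inline-task feature
# (UsingTask with CodeTaskFactory), which compiles and runs C# in memory.
# The code body is a harmless placeholder, not a payload.
SAMPLE_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run"><RunMe /></Target>
  <UsingTask TaskName="RunMe" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      public class RunMe : Microsoft.Build.Utilities.Task {
          public override bool Execute() { return true; }
      }
    ]]></Code></Task>
  </UsingTask>
</Project>"""
MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"


def inline_task_indicators(project_xml: str) -> List[str]:
    """List inline-code tasks in a project file, noting any large base64-looking
    blob (the report says the observed files carried encoded executables)."""
    root = ET.fromstring(project_xml)
    out = []
    for task in root.iter(MSBUILD_NS + "UsingTask"):
        # CodeTaskFactory and RoslynCodeTaskFactory both compile inline source.
        if not task.get("TaskFactory", "").endswith("CodeTaskFactory"):
            continue
        for code in task.iter(MSBUILD_NS + "Code"):
            body = code.text or ""
            blob = re.search(r"[A-Za-z0-9+/]{200,}={0,2}", body) is not None
            out.append(f"{task.get('TaskName')}: inline {code.get('Language', '?')} code, "
                       f"{len(body)} chars, large base64-like blob={blob}")
    return out


if __name__ == "__main__":
    for hit in triage_msbuild(parse_events(SAMPLE_EVENTS)):
        print(hit["timestamp"], "; ".join(hit["reasons"]))
    for line in inline_task_indicators(SAMPLE_PROJECT):
        print(line)
```

The process-level check is deliberately cheap so it can run over a whole fleet's telemetry; the project-file scan is the follow-up on each hit, since a `.proj` in a developer's source tree that declares an inline task is ordinary, while one dropped in `Temp` that carries a long encoded blob is the pattern the report describes.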
  27. Tomi Engdahl says:

    Researchers Find Exploitable Bugs in Mercedes-Benz Cars
    https://www.securityweek.com/researchers-find-exploitable-bugs-mercedes-benz-cars

    Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.

    The vulnerabilities were found in the Mercedes-Benz User Experience (MBUX), the infotainment system initially introduced on A-class vehicles in 2018, but has since been adopted on the car maker’s entire vehicle line-up.

    The vulnerabilities, tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, provide hackers with remote control of some of the car’s functions, but not with access to physical features, such as steering or braking systems.

    In addition to targeting the main infotainment head unit, the security researchers also analyzed Mercedes-Benz’s T-Box, successfully exploited some of the identified attack scenarios, and even combined some of them to compromise the head unit even in real-world vehicles.

    Reply
  28. Tomi Engdahl says:

    Lawmakers Reintroduce ‘Pipeline Security Act’ Following Colonial Hack
    https://www.securityweek.com/lawmakers-reintroduce-pipeline-security-act-following-colonial-hack

    More than a dozen U.S. lawmakers led by Rep. Emanuel Cleaver (D-MO) have reintroduced the Pipeline Security Act, whose goal is to aid the DHS’s efforts to protect pipeline infrastructure against cyberattacks, terrorist attacks and other threats.

    The Pipeline Security Act was first introduced in 2019, but it did not receive a vote. Now, following the recent ransomware attack on Colonial Pipeline, which had a significant impact, the bill was reintroduced.

    The bipartisan pipeline security legislation would ensure that the roles of the Transportation Security Administration (TSA), which has been the primary agency responsible for securing pipelines, and the Cybersecurity and Infrastructure Security Agency (CISA) are clarified and they are fully empowered for securing pipelines and pipeline facilities.

    Reply
  29. Tomi Engdahl says:

    DarkSide: Newly Found Variant and Implications for the Ransomware Gang’s Future
    https://www.securityweek.com/darkside-newly-found-variant-and-implications-ransomware-gangs-future

    Reply
  30. Tomi Engdahl says:

    Probe Into Florida Water Plant Hack Led to Discovery of Watering Hole Attack
    https://www.securityweek.com/probe-florida-water-plant-hack-led-discovery-watering-hole-attack

    An investigation conducted by industrial cybersecurity firm Dragos into the recent cyberattack on the water treatment plant in Oldsmar, Florida, led to the discovery of a watering hole attack that initially appeared to be aimed at water utilities.

    Law enforcement revealed in early February that a hacker had gained remote access to systems at the water plant in Oldsmar and attempted to elevate levels of a certain chemical to a point where it could put the public at risk of being poisoned.

    The attacker abused TeamViewer, which staff at the plant had been using to monitor and control systems remotely. Due to password sharing and other poor security practices, it was easy for the hacker to gain access and start making unauthorized changes in an HMI. Fortunately, the breach was spotted — staff noticed the mouse moving on the screen — and a disaster was prevented.

    While investigating the incident, Dragos’ threat hunters noticed that the website of a Florida water infrastructure construction company had been compromised and set up to serve as a watering hole. Malicious code planted on this site collected information on the computers used to access it.

    The malicious script was present for nearly two months between December 2020 and February 2021, and it collected information about the operating system, CPU, browser, input methods, camera, accelerometer, microphone, touchpoints, video card, time zone, geolocation, the screen, and browser plugins. In addition, it directed victims to a couple of sites that collected browser cipher fingerprints, which are used by some network defense solutions to detect connections from hosts infected with malware.

    Dragos determined that more than 1,000 computers accessed the watering hole during the two-month timeframe, including state and local government organizations, municipal water utility customers, and private firms related to the water industry. Most of the organizations profiled by the malicious code were in Florida and other parts of the United States. This appeared to indicate that the watering hole was set up as part of a targeted attack aimed at the water sector in the U.S.

    Reply
  31. Tomi Engdahl says:

    Google Workspace Gets New Security Features
    https://www.securityweek.com/google-workspace-gets-new-security-features

    Google this week announced adding new security features to its Google Workspace collaboration and productivity solution, to provide administrators with more capabilities and controls for protecting users and organizations.

    Admins can now access VirusTotal reports directly from the Alert Center in Google Workspace, through a new enrichment widget (VT Augment) that will be displayed for notifications that contain supported VirusTotal entities (including domains, file attachment hashes, or IP addresses).

    For paid VirusTotal subscribers, an enhanced version of the report will become available, offering indicators of compromise and details on their relations with other artifacts in the VirusTotal dataset; a graph view of those connections; reputation information; geographical and time-spread data; and the ability to launch VirusTotal Enterprise advanced searches with a single click.

    Reply
  32. Tomi Engdahl says:

    Colonial Pipeline CEO Explains $4.4M Ransomware Payment
    https://www.securityweek.com/colonial-pipeline-ceo-explains-44m-ransomware-payment

    Colonial Pipeline chief executive Joseph Blount has confirmed the company shelled out $4.4 million to purchase a decryption key to recover from the disruptive ransomware attack that caused gasoline shortages in parts of the U.S.

    A Wall Street Journal (WSJ) report said Colonial Pipeline made the $4.4 million payment on the evening of May 7 in the form of bitcoin. The company did receive a decryption tool to retrieve the locked data but while the tool was somewhat useful, it was ultimately not enough to immediately restore the pipeline’s systems, the newspaper said.

    While the pipeline operator did not confirm the amount of the payment, it did confirm to SecurityWeek that it had paid the ransom.

    “Colonial Pipeline is critical to the economic and national security of our nation,” a company spokesperson told SecurityWeek. “When we were attacked on May 7, a decision was quickly made to take our entire system offline. We needed to do everything in our power to restart the system quickly and safely. The decision was made to pay the ransom. This decision was not made lightly, however, one that had to be made. Tens of millions of Americans rely on Colonial – hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public. Our focus remains on continued operations to safely deliver refined products to communities we serve.”

    The Colonial Pipeline CEO told the WSJ that making the ransom payment was “the right thing to do for the country.”

    “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this,” Blount said, noting that the multi-million payment to the ransomware-as-a-service group was a “highly controversial decision.”

    The ransomware attack has already led to ‘state of emergency’ declarations, temporary lines at gas pumps and rising gas prices.

    Reply
  33. Tomi Engdahl says:

    Glass and Metal Packaging Giant Ardagh Group Discloses Cyberattack
    https://www.securityweek.com/glass-and-metal-packaging-giant-ardagh-group-discloses-cyberattack

    Glass and metal packaging giant Ardagh Group this week disclosed a cyberattack that forced it to shut down certain systems and applications.

    The Luxembourg-based company, one of the largest producers of glass and metal packaging products, says it was able to safely continue operations at its facilities despite the incident.

    Ardagh Group initiated defense and containment procedures immediately after learning of the cyber-incident, and says it is now in the process of restoring key systems, a phased operation that is expected “to be substantially achieved by the end of this month.”

    The company says that, while production continued at all of its metal and glass packaging facilities, the incident did result in some delays, affecting some supply chain operations. Furthermore, the company had to implement alternative solutions, such as manual workarounds, to ensure uninterrupted operations.

    Reply
  34. Tomi Engdahl says:

    Email attachment believed to have opened door to cyber-attack on Waikato hospitals https://www.stuff.co.nz/national/125175283/email-attachment-believed-to-have-opened-door-to-cyberattack-on-waikato-hospitals
    This crashed phone lines and computers on Tuesday morning, blocking all information technology (IT) services except email in Waikato, Thames, Tokoroa, Te Kuiti and Taumarunui hospitals.

    Reply
  35. Tomi Engdahl says:

    Royal Mail phish deploys evasion tricks to avoid analysis https://blog.malwarebytes.com/scams/2021/05/royal-mail-phish-deploys-evasion-tricks-to-avoid-analysis/
    The below code tests for WebGL renderers which it may associate with (for example) VirtualBox or RDP (Remote Desktop Protocol). It also wants to know if site visitors have a display or not. Remember, not having a screen is a possible sign of automated research tools in virtual machines. This is a tactic pulled right out of malware analysis evasion land.

    Reply
  36. Tomi Engdahl says:

    That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix https://www.theregister.com/2021/05/19/salesforce_root_cause/
    To recap, on May 11 around 2100 UTC, a configuration change was applied to Salesforce’s Domain Name System (DNS) servers that resulted in folks unable to access the software-as-a-service titan’s products.
    For about five hours, clients could not log in, and things got so bad that even the status page was unavailable. Root cause analysis at
    https://help.salesforce.com/articleView?id=000358392&type=1&mode=1
    “The configuration change was applied on Domain Name System (DNS) servers, and the change subsequently exposed a design issue in the shutdown process that resulted in a failed restart of DNS services across multiple Salesforce data centers, thus causing any applications or services that rely on DNS to become unavailable.”

    Reply
  37. Tomi Engdahl says:

    Miscreants started scanning for Exchange Hafnium vulns five minutes after Microsoft told world about zero-days https://www.theregister.com/2021/05/19/hafnium_scans_5_mins_post_disclosure/
    Although research director Rob Rachwald did not elaborate when The Register asked for more detail on its findings, a released report reckoned “scans began within 15 minutes after Common Vulnerabilities and Exposures (CVE) announcements were released between January and March.”

    Reply
  38. Tomi Engdahl says:

    The Microsoft Authenticator extension in the Chrome store wasn’t actually made by Microsoft. Oops, Google https://www.theregister.com/2021/05/19/chrome_extension_microsoft_authenticator_fake/
    The trustworthiness of Google’s Chrome Store was again called into question after an extension billing itself as Microsoft Authenticator was published by the software souk without the simplest of checks.

    Reply
  39. Tomi Engdahl says:

    GitLab tries to address crypto-mining abuse by requiring card details for free stuff https://www.theregister.com/2021/05/19/gitlab_crypto/
    In a bid to tackle cryptocurrency miners slurping free pipeline minutes, GitLab will expect users to provide a valid credit or debit card number to use shared runners on its platform.

    Reply
  40. Tomi Engdahl says:

    MountLocker ransomware uses Windows API to worm through networks https://www.bleepingcomputer.com/news/security/mountlocker-ransomware-uses-windows-api-to-worm-through-networks/
    “Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan,” Kremez told BleepingComputer in a conversation about the malware.

    Reply
  41. Tomi Engdahl says:

    Chrome now automatically fixes breached passwords on Android https://www.bleepingcomputer.com/news/security/chrome-now-automatically-fixes-breached-passwords-on-android/
    Now, whenever checking for stolen passwords on supported sites and apps, Google Assistant will display a “Change password” button that will instruct Chrome to navigate to the website and go through the entire password change process on its own.

    Reply
  42. Tomi Engdahl says:

    Colonial Pipeline says ransomware recovery efforts caused network outage for shippers https://www.cyberscoop.com/colonial-pipeline-hack-recovery-disruption/
    “Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process,” Colonial Pipeline said in a statement. “These issues were not related to the ransomware or any type of reinfection.”

    Reply
  43. Tomi Engdahl says:

    Israel bombed two Hamas cyber targets
    https://therecord.media/israel-bombed-two-hamas-cyber-targets/
    According to the official Israel Air Force Twitter account, the first strike hit a cyber-equipment storage site in the northern Gaza Strip belonging to Hamas military intelligence that was apparently being used as an impromptu data center.

    Reply
  44. Tomi Engdahl says:

    https://therecord.media/solarwinds-ceo-apologizes-for-blaming-an-intern-says-attack-may-have-started-in-january-2019/
    On the topic of the breach itself, [CEO] Ramakrishna also gave additional details about the timeline of the attack. The group behind the compromise, which the U.S. government has attributed to Russia’s foreign intelligence service, “may have been in our environment as early as January 2019 doing very early recon activities,” Ramakrishna said.
    The company has said that it believed hackers initially accessed SolarWinds systems as early as September 2019.

    Reply
