A Review of the Best News of the Week on Cyber Threats & Defense

U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise (Krebs on Security, Dec 14 2020)
“Communications at the U.S. Treasury and Commerce Departments were reportedly compromised by a supply chain attack on SolarWinds, a security vendor that helps the federal government and a range of Fortune 500 companies monitor the health of their IT networks. Given the breadth of the company’s customer base, experts say the incident may be just the first of many such disclosures.”

U.S. Agencies Hacked in Foreign Cyber Espionage Campaign Linked to Russia (WSJ, Dec 14 2020)
Multiple federal agencies, including the Treasury and Commerce departments, have had some of their computer systems breached as part of a widespread campaign believed to be the work of the Russian government.

Phishing campaign spoofs Microsoft domain. Is lack of DMARC enforcement to blame? (SC Media, Dec 09 2020)
Researchers observed a spear phishing campaign that exactly spoofed a Microsoft email domain to trick Office 365 users. This suggests Microsoft’s servers were not enforcing protective DMARC authentication protocols when communications were received – and perhaps still are not.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

4 major browsers are getting hit in widespread malware attacks (Ars Technica, Dec 10 2020)
Chrome, Firefox, Edge, and Yandex are all affected in widespread ad-injection campaign.

US agencies hacked in monthslong global cyberspying campaign (AP, Dec 14 2020)
In a rare emergency directive issued late Sunday, the Department of Homeland Security’s cybersecurity arm warned of an “unacceptable risk” to the executive branch from a feared large-scale penetration of U.S. government agencies that could date back to mid-year or earlier.

‘Disconnect or power down’: After high profile hacks hit federal agencies, CISA demands drastic SolarWinds mitigation (SC Media, Dec 14 2020)
The impact of the supply chain attacks is not limited to government, with consulting, technology, and telecom sectors all caught in the crosshairs.

FBI, CISA, MS-ISAC: Cybercriminals Increasingly Attacking K-12 Distance Learning (Dark Reading, Dec 11 2020)
Ransomware attacks reported against US K-12 schools jumped from 28% in January through July to 57% in August and September.

NSA Warns of Exploits Targeting Recently Disclosed VMware Vulnerability (Dark Reading, Dec 07 2020)
Agency urges organizations to deploy patch as soon as possible since exploit activity is hard to detect.

D-Link routers vulnerable to remotely exploitable root command injection flaw (Help Net Security, Dec 08 2020)
The Digital Defense Vulnerability Research Team uncovered a previously undisclosed vulnerability affecting D-Link VPN routers. D-Link DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN routers running firmware version 3.14 and 3.17 are vulnerable to a remotely exploitable root command injection flaw.

Oblivious DNS-over-HTTPS (Schneier on Security, Dec 08 2020)
“This new protocol, called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP.

Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between for the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.”

85,000 MySQL Servers Hit in Active Ransomware Campaign (Dark Reading, Dec 10 2020)
Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.

New Injection Technique Exposes Data in PDFs (SecurityWeek, Dec 10 2020)
Security researchers on Thursday documented and described a new injection technique capable of extracting sensitive data from PDF files.

Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10 (Ars Technica, Dec 11 2020)
The company failed to adequately fix the vulnerability before, so it’s trying again.

Engineers design transistor that disguises key computer chip hardware from hackers (Help Net Security, Dec 10 2020)
A hacker can reproduce a circuit on a chip by discovering what key transistors are doing in a circuit – but not if the transistor “type” is undetectable. Purdue University engineers have demonstrated a way to disguise which transistor is which by building them out of a sheet-like material called black phosphorus.

Operation StealthyTrident: corporate software under attack (WeLiveSecurity, Dec 10 2020)
LuckyMouse, TA428, HyperBro, Tmanger and ShadowPad linked in Mongolian supply-chain attack

Hackers Accessed Covid Vaccine Data Through the EU Regulator (Wired, Dec 11 2020)
The European Medicines Agency has released limited details about the cyberattack.

Finnish Data Theft and Extortion (Schneier on Security, Dec 10 2020)
“The Finnish psychotherapy clinic Vastaamo was the victim of a data breach and theft. The criminals tried extorting money from the clinic. When that failed, they started extorting money from the patients:

Neither the company nor Finnish investigators have released many details about the nature of the breach, but reports say the attackers initially sought a payment of about 450,000 euros to protect about 40,000 patient records. The company reportedly did not pay up.”

Facebook says hackers backed by Vietnam’s government are linked to IT firm (Ars Technica, Dec 11 2020)
Group is known for its robust, custom-made malware. IT firm says the link is a mistake.

Microsoft Warns of Powerful New Adware (Dark Reading, Dec 11 2020)
The new adware, dubbed Adrozek, is being distributed by large, well-organized threat actors, according to Microsoft research.

Sophos, ReversingLabs Release 20 Million Sample Dataset for Malware Research (SecurityWeek, Dec 14 2020)
Sophos and ReversingLabs on Monday announced SoReL-20M, a database of 20 million Windows Portable Executable files, including 10 million malware samples.