A Review of the Best News of the Week on Cyber Threats & Defense

SonicWall hit by attackers leveraging zero-day vulnerabilities in its own products? (Help Net Security, Jan 25 2021)
On Friday evening, SonicWall announced that it “identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.” The network security company said that several of its products are impacted, but the day after let everyone know that some of those were not affected, after all.

Injecting a Backdoor into SolarWinds Orion (Schneier on Security, Jan 19 2021)
Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:

Key Points

SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Chipmaker Intel Corp. Blames Internal Error on Data Leak (SecurityWeek, Jan 23 2021)
The computer chipmaker Intel Corp. on Friday blamed an internal error for a data leak that prompted it to release a quarterly earnings report early. It said its corporate network was not compromised.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

SolarWinds Hackers Used ‘Raindrop’ Malware for Lateral Movement (SecurityWeek, Jan 19 2021)
The threat group behind the supply chain attack that targeted Texas-based IT management company SolarWinds leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads, Broadcom-owned cybersecurity firm Symantec reported on Tuesday.

The SolarWinds Hackers Used Tactics Other Groups Will Copy (Wired, Jan 19 2021)
The supply chain threat was just the beginning.

Fourth SolarWinds malware strain shows diversity of tactics (SC Media, Jan 19 2021)
While Teardrop was delivered by the original Sunburst backdoor in early July 2020, Raindrop was used just under two weeks later for spreading laterally across the victim’s network, Symantec said in a report.

Sophisticated Watering Hole Attack (Schneier on Security, Jan 20 2021)
Google’s Project Zero has exposed a sophisticated watering-hole attack targeting both Windows and Android:

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws).

SVR Attacks on Microsoft 365 (Schneier on Security, Jan 20 2021)
FireEye is reporting the current known tactics that the SVR used to compromise Microsoft 365 cloud data as part of its SolarWinds operation:

Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques…

Russian Government Agency Warns Firms of US Attack (Infosecurity Magazine, Jan 25 2021)
Alarmist security notice talks of Biden reprisals for SolarWinds campaign

Flash Is Dead—but Not Gone (Wired, Jan 24 2021)
Zombie versions of Adobe’s troubled software can still cause problems in systems around the world.

Rethinking Active Directory security (Help Net Security, Jan 19 2021)
In the wake of a cyberattack, Active Directory is sometimes dismissed as just another service that needs to be recovered, and security is an afterthought. But the hard reality is that if Active Directory is compromised, so is your entire environment. 90% of organizations use Active Directory as their primary store for employee authentication, identity management, and access control.

Microsoft to Launch ‘Enforcement Mode’ for Zerologon Flaw (Dark Reading, Jan 19 2021)
Enforcement mode for the Netlogon Domain Controller will be enabled by default with the Feb. 9 security update.

MAZE Exfiltration Tactic Widely Adopted (Infosecurity Magazine, Jan 19 2021)
Ransomware gang’s blackmail tactic taken up by 17 other cyber-criminal groups

FBI warns of voice phishing attacks stealing corporate credentials (WeLiveSecurity, Jan 19 2021)
Criminals coax employees into handing over their access credentials and use the login data to burrow deep into corporate networks

Why security pros need multiple data sources for investigations (SC Media, Jan 21 2021)
Schneider Electric has had great success managing its security data. Today’s columnist, Patrick Kelley of Axonius, offers insight into how better data management can help companies improve security investigations.

Breach Data Shows Attackers Switched Gears in 2020 (Dark Reading, Jan 21 2021)
Attackers focused more on ransomware, while the consolidation of data into large databases led to fewer reported breaches but more records leaked.

Exploit Allows Root Access to SAP (Infosecurity Magazine, Jan 21 2021)
Functional exploit affecting SAP made available to threat actors via GitHub

Thousands of Unprotected RDP Servers Can Be Abused for DDoS Attacks (SecurityWeek, Jan 22 2021)
Cybercriminals have been abusing unprotected servers running Microsoft’s Remote Desktop Protocol (RDP) service to launch distributed denial-of-service (DDoS) attacks, application and network performance management company NETSCOUT warned this week.

Today’s security threats require a bold, new ‘Triple Zero’ mindset (SC Media, Jan 25 2021)
Today’s columnist, Ofer Israeli of Illusive Networks, says ransomware attacks like the one last year on George Washington University Hospital won’t subside when the pandemic finally ends. He argues that security teams need to take on a tough, new mindset he calls ‘Triple Zero’ to lock down organizations.

Hundreds of thousands of cryptocurrency investors put at risk after BuyUCoin security breach (Graham Cluley, Jan 25 2021)
Another day, and another report that a cryptocurrency exchange has been breached by malicious hackers.
Indian cryptocurrency exchange BuyUCoin says that is investigating claims that sensitive data related to hundreds of thousands of its users has been published on the dark web, where it is available for free download.
Read more in my article on the Hot for Security blog.