Cyber security aggregate rss news

Cyber security aggregator - feeds history

image for VMware Flaw a Vector ...

 Data Breaches

U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software   show more ...

virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks. On Dec. 7, 2020, the NSA said “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.” VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3, and said it learned about the flaw from the NSA. The NSA advisory (PDF) came less than 24 hours before cyber incident response firm FireEye said it discovered attackers had broken into its networks and stolen more than 300 proprietary software tools the company developed to help customers secure their networks. On Dec. 13, FireEye disclosed that the incident was the result of the SolarWinds compromise, which involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for users of its Orion network management software as far back as March 2020. In its advisory on the VMware vulnerability, the NSA urged patching it “as soon as possible,” specifically encouraging the National Security System, Department of Defense, and defense contractors to make doing so a high priority. The NSA said that in order to exploit this particular flaw, hackers would already need to have access to a vulnerable VMware device’s management interface — i.e., they would need to be on the target’s internal network (provided the vulnerable VMware interface was not accessible from the Internet). However, the SolarWinds compromise would have provided that internal access nicely. In response to questions from KrebsOnSecurity, VMware said it has “received no notification or indication that the CVE 2020-4006 was used in conjunction with the SolarWinds supply chain compromise.” VMware added that while some of its own networks used the vulnerable SolarWinds Orion software, an investigation has so far revealed no evidence of exploitation. “While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation,” the company said in a statement. “This has also been confirmed by SolarWinds own investigations to date.” Asked about the potential connection, the NSA said only that if malicious cyber actors gain initial access to networks through the SolarWinds compromise, the tactics, techniques and procedures noted in its December 17 advisory may be used to forge credentials and maintain persistent access. “Our guidance in this advisory helps detect and mitigate against this, no matter the initial access method,” the NSA said. On Dec. 17, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released a sobering alert on the SolarWinds attack, noting that CISA had evidence of additional access vectors other than the SolarWinds Orion platform. CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).” Indeed, the NSA’s Dec. 7 advisory said the hacking activity it saw involving the VMware vulnerability “led to the installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.” Also on Dec. 17, the NSA released a far more detailed advisory explaining how it has seen the VMware vulnerability being used to forge SAML tokens, this time specifically referencing the SolarWinds compromise. CISA’s analysis suggested the crooks behind the SolarWinds intrusion were heavily focused on impersonating trusted personnel on targeted networks, and that they’d devised clever ways to bypass multi-factor authentication (MFA) systems protecting networks they targeted. The bulletin references research released earlier this week by security firm Volexity, which described encountering the same attackers using a novel technique to bypass MFA protections provided by Duo for Microsoft Outlook Web App (OWA) users. Duo’s parent Cisco Systems Inc. responded that the attack described by Volexity didn’t target any specific vulnerability in its products. As Ars Technica explained, the bypass involving Duo’s protections could have just as easily involved any of Duo’s competitors. “MFA threat modeling generally doesn’t include a complete system compromise of an OWA server,” Ars’ Dan Goodin wrote. “The level of access the hacker achieved was enough to neuter just about any defense.” Several media outlets, including The New York Times and The Washington Post, have cited anonymous government sources saying the group behind the SolarWinds hacks was known as APT29 or “Cozy Bear,” an advanced threat group believed to be part of the Russian Federal Security Service (FSB). SolarWinds has said almost 18,000 customers may have received the backdoored Orion software updates. So far, only a handful of customers targeted by the suspected Russian hackers behind the SolarWinds compromise have been made public — including the U.S. Commerce, Energy and Treasury departments, and the DHS. No doubt we will hear about new victims in the public and private sector in the coming days and weeks. In the meantime, thousands of organizations are facing incredibly costly, disruptive and time-intensive work in determining whether they were compromised and if so what to do about it. The CISA advisory notes the attackers behind the SolarWinds compromises targeted key personnel at victim firms — including cyber incident response staff, and IT email accounts. The warning suggests organizations that suspect they were victims should assume their email communications and internal network traffic are compromised, and rely upon or build out-of-band systems for discussing internally how they will proceed to clean up the mess. “If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network,” CISA warned. “In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.”

image for Episode 197: The Rus ...

 APT

In this podcast, sponsored by LastPass, former U.S. CISO Greg Touhill joins us to talk about news of a vast hack of U.S. government networks, which he calls a "five alarm fire" reportedly set by Russia. The post Episode 197: The Russia Hack Is A 5 Alarm Fire | Also: Shoppers Beware! appeared first on The   show more ...

Security Ledger. Related StoriesEpisode 194: What Happened To All The Election Hacks?Episode 196: Building the Case Against Sandworm with Cisco TalosSpotlight Podcast: Taking a Risk-Based Approach to Election Security

 Govt., Critical Infrastructure

Ukraine is facing almost daily hacker attacks on its government resources and intends to sharply strengthen its cybersecurity, Ukrainian state security service SBU said on Friday.

 Companies to Watch

Cloudhouse Technologies, a London, UK-based provider of application compatibility packaging solutions, acquired UpGuard Core, from third-party risk and attack surface management platform UpGuard Inc.

 Companies to Watch

IDIQ provides identity theft and dark web monitoring, identity restoration, and related family protection services in the rapidly evolving $20 billion consumer identity monitoring market.

 Feed

CA Technologies, a Broadcom Company, is alerting customers to a risk with CA Service Catalog. A vulnerability can potentially exist in a specific configuration that can allow a remote attacker to cause a denial of service condition. CA published a solution and instructions to resolve the vulnerability. The   show more ...

vulnerability occurs due a default configuration setting that, if not modified during installation by customers, can allow a remote attacker to access and update configuration information that can result in a denial of service condition.

 Feed

Red Hat Security Advisory 2020-5605-01 - Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red   show more ...

Hat OpenShift Container Platform. Issues addressed include denial of service and remote shell upload vulnerabilities.

 Feed

The Pulse Connect Secure appliance versions prior to 9.1R9 suffer from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.

 Feed

The massive state-sponsored espionage campaign that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far more wider in scope, sophistication, and impact than previously thought. News of Microsoft's compromise was first reported by Reuters, which also said the company's own products were then

 Industry Intel

Trickbot spreading through Subway company emails Customers of Subway U.K. have been receiving confirmation emails for recent orders that instead contain malicious links for initiating Trickbot malware downloads. Subway has since disclosed that it discovered unauthorized access to several of its servers, which then   show more ...

launched the campaign. Users who do click on the malicious link initiate a process in Task Manager that can be stopped to prevent additional illicit activities typical of Trickbot infections. Scores of municipal websites attacked in Lithuania At least 22 websites belonging to various municipalities in Lithuania were compromised after a sophisticated cyberattack allowed intruders to take control. After gaining access to the sites, the attackers began delivering misinformation emails under the auspices of Lithuanian government and military ministries. Much of the misinformation being spread revolved around military enlistment and the suspicion of corruption at an airport housing a NATO facility. Researchers discover millions of medical records online Researchers at CybelAngel have uncovered over 45 million healthcare records on unprotected servers. Amongst the sensitive data was personal health information and other personally identifiable data, all left on servers with a login page that allowed access without credentials. It’s likely this data was left unsecured because of the number of medical professionals needing to access, though the security lapse is inexcusable. With healthcare facilities prime targets for ransomware attacks, communications between organizations should entail strict security to protect the valuable data. Ransomware strikes city of Independence, Missouri Officials for the city of Independence, Missouri, have been working for weeks to recover from a ransomware attack that forced them to take several essential services offline. Fortunately, recent file backups were available to restore some of the encrypted systems to normal. At this point, officials remain uncertain if customer or employee data was stolen during the attack, and no ransomware group has come forward to take credit for the attack or post the stolen data for sale. Data Breach Compromises Patient Data at California Hospital California’s Sonoma Valley Hospital recently delivered letters to roughly 67,000 patients regarding a data breach back in October that may have compromised personally identifiable information and other healthcare records. While the hospital was able to shut down some of their systems to prevent the breach from spreading, the attackers are believed to have gained access to and stole sensitive data. The post Cyber News Rundown: Trickbot Spreads Via Subway Emails appeared first on Webroot Blog.

2020-12
Aggregator history
Friday, December 18
TUE
WED
THU
FRI
SAT
SUN
MON
DecemberJanuaryFebruary