U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software show more ...
virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks. On Dec. 7, 2020, the NSA said “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.” VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3, and said it learned about the flaw from the NSA. The NSA advisory (PDF) came less than 24 hours before cyber incident response firm FireEye said it discovered attackers had broken into its networks and stolen more than 300 proprietary software tools the company developed to help customers secure their networks. On Dec. 13, FireEye disclosed that the incident was the result of the SolarWinds compromise, which involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for users of its Orion network management software as far back as March 2020. In its advisory on the VMware vulnerability, the NSA urged patching it “as soon as possible,” specifically encouraging the National Security System, Department of Defense, and defense contractors to make doing so a high priority. The NSA said that in order to exploit this particular flaw, hackers would already need to have access to a vulnerable VMware device’s management interface — i.e., they would need to be on the target’s internal network (provided the vulnerable VMware interface was not accessible from the Internet). However, the SolarWinds compromise would have provided that internal access nicely. In response to questions from KrebsOnSecurity, VMware said it has “received no notification or indication that the CVE 2020-4006 was used in conjunction with the SolarWinds supply chain compromise.” VMware added that while some of its own networks used the vulnerable SolarWinds Orion software, an investigation has so far revealed no evidence of exploitation. “While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation,” the company said in a statement. “This has also been confirmed by SolarWinds own investigations to date.” Asked about the potential connection, the NSA said only that if malicious cyber actors gain initial access to networks through the SolarWinds compromise, the tactics, techniques and procedures noted in its December 17 advisory may be used to forge credentials and maintain persistent access. “Our guidance in this advisory helps detect and mitigate against this, no matter the initial access method,” the NSA said. On Dec. 17, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released a sobering alert on the SolarWinds attack, noting that CISA had evidence of additional access vectors other than the SolarWinds Orion platform. CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).” Indeed, the NSA’s Dec. 7 advisory said the hacking activity it saw involving the VMware vulnerability “led to the installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.” Also on Dec. 17, the NSA released a far more detailed advisory explaining how it has seen the VMware vulnerability being used to forge SAML tokens, this time specifically referencing the SolarWinds compromise. CISA’s analysis suggested the crooks behind the SolarWinds intrusion were heavily focused on impersonating trusted personnel on targeted networks, and that they’d devised clever ways to bypass multi-factor authentication (MFA) systems protecting networks they targeted. The bulletin references research released earlier this week by security firm Volexity, which described encountering the same attackers using a novel technique to bypass MFA protections provided by Duo for Microsoft Outlook Web App (OWA) users. Duo’s parent Cisco Systems Inc. responded that the attack described by Volexity didn’t target any specific vulnerability in its products. As Ars Technica explained, the bypass involving Duo’s protections could have just as easily involved any of Duo’s competitors. “MFA threat modeling generally doesn’t include a complete system compromise of an OWA server,” Ars’ Dan Goodin wrote. “The level of access the hacker achieved was enough to neuter just about any defense.” Several media outlets, including The New York Times and The Washington Post, have cited anonymous government sources saying the group behind the SolarWinds hacks was known as APT29 or “Cozy Bear,” an advanced threat group believed to be part of the Russian Federal Security Service (FSB). SolarWinds has said almost 18,000 customers may have received the backdoored Orion software updates. So far, only a handful of customers targeted by the suspected Russian hackers behind the SolarWinds compromise have been made public — including the U.S. Commerce, Energy and Treasury departments, and the DHS. No doubt we will hear about new victims in the public and private sector in the coming days and weeks. In the meantime, thousands of organizations are facing incredibly costly, disruptive and time-intensive work in determining whether they were compromised and if so what to do about it. The CISA advisory notes the attackers behind the SolarWinds compromises targeted key personnel at victim firms — including cyber incident response staff, and IT email accounts. The warning suggests organizations that suspect they were victims should assume their email communications and internal network traffic are compromised, and rely upon or build out-of-band systems for discussing internally how they will proceed to clean up the mess. “If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network,” CISA warned. “In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.”
In this podcast, sponsored by LastPass, former U.S. CISO Greg Touhill joins us to talk about news of a vast hack of U.S. government networks, which he calls a "five alarm fire" reportedly set by Russia. The post Episode 197: The Russia Hack Is A 5 Alarm Fire | Also: Shoppers Beware! appeared first on The show more ...
Security Ledger. Related StoriesEpisode 194: What Happened To All The Election Hacks?Episode 196: Building the Case Against Sandworm with Cisco TalosSpotlight Podcast: Taking a Risk-Based Approach to Election Security
While many details remained unclear, revelation about new modes of attack raises fresh questions about the access that Russian hackers were able to gain in government and corporate systems globally.
Iranian-backed hacking group Fox Kitten (or Parisite) has been linked to the Pay2Key ransomware operation that has recently started targeting organizations from Israel and Brazil.
The discovery suggests that the scope of the attack, which appears to extend beyond nuclear laboratories and Pentagon, Treasury and Commerce Departments, complicates the challenge for investigators.
A threat actor is distributing fake Windows and Android installers for the Cyberpunk 2077 game that is installing a ransomware calling itself CoderWare, according to a Kaspersky researcher.
The hackers have been able to do more damage at FERC than the other agencies, and officials there have evidence of highly malicious activity, the officials said, but did not elaborate.
An ongoing law enforcement operation has disrupted aspects of a leading website where internet scammers frequently buy and sell stolen data, according to the site’s administrators.
Suspected Russian hack involving SolarWinds software that compromised parts of the U.S. government was executed on a scale that has surprised even veteran security experts.
News of Microsoft's compromise was first reported by Reuters, which also said the company's own products were then used to strike other victims by leveraging its cloud offerings.
In one attack, Dark Halo leveraged a newly disclosed vulnerability for the Microsoft Exchange server that allowed them to bypass multi-factor authentication defenses against unauthorized email access.
A critical unrestricted file upload bug in Contact Form 7 allows an unauthenticated visitor to take over a site running the plugin. A patch for the vulnerability was released Thursday.
SocGholish impersonates legitimate browser, Flash, and Microsoft Teams updates to trick users into executing malicious ZIP files that are automatically downloaded on visiting an infected webpage.
Bouncy Castle is a set of cryptography APIs used by both Java and C#/.NET developers building security applications who'd rather not worry about rolling their own cryptographic algorithms.
It is now in the process of notifying all the impacted organizations, 80% of which are located in the US, with the rest spread across Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE.
The NSA has published a security advisory on Thursday warning about two techniques hackers are using to escalate access from compromised local networks into cloud-based infrastructure.
Because states routinely spy on one another—friends and foes alike—there are a very limited number of credible punishments states can use to threaten others into not spying.
The EU unveiled Wednesday plans to revamp the 27-nation bloc’s dated cybersecurity rules, just days after data on a new coronavirus vaccine was unlawfully accessed in a hack attack on the EMA.
Internet users in India were sent spurious links to click on and participate in a contest where individuals could win an OPPO F17 Pro (Matte Black, 8 GB RAM, 128 GB Storage) smartphone.
Earlier this month, an unknown adversary sent SMS messages to users in France urging the recipients to download what it claimed was the official French COVID-19 contact tracing app, TousAntiCovid.
Nearly two-thirds (64%) of business decision-makers expect their company to face a rise in COVID-19 themed phishing attacks in 2021, according to a new study from Centrify.
Ukraine is facing almost daily hacker attacks on its government resources and intends to sharply strengthen its cybersecurity, Ukrainian state security service SBU said on Friday.
Cloudhouse Technologies, a London, UK-based provider of application compatibility packaging solutions, acquired UpGuard Core, from third-party risk and attack surface management platform UpGuard Inc.
Fraudsters are using popular brand names, existing lottery names and the coronavirus to mislead recipients into believing that they have won millions of dollars in various online lotteries.
IDIQ provides identity theft and dark web monitoring, identity restoration, and related family protection services in the rapidly evolving $20 billion consumer identity monitoring market.
PlainID raised $11 Million in a Series A financing. Israeli venture capital firm Viola Ventures led the effort, with participation from Capri Ventures, Springtide Ventures and iAngels.
The Defense Innovation Unit and the Cybersecurity and Infrastructure Security Agency are teaming up to share information and coordinate cybersecurity technology investments, DOD announced Thursday.
CA Technologies, a Broadcom Company, is alerting customers to a risk with CA Service Catalog. A vulnerability can potentially exist in a specific configuration that can allow a remote attacker to cause a denial of service condition. CA published a solution and instructions to resolve the vulnerability. The show more ...
vulnerability occurs due a default configuration setting that, if not modified during installation by customers, can allow a remote attacker to access and update configuration information that can result in a denial of service condition.
Programi Bilanc build 007 release 014 31.01.2020 supplies an .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastructure including the website, update server, and external issue tracking tools.
Red Hat Security Advisory 2020-5605-01 - Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red show more ...
Hat OpenShift Container Platform. Issues addressed include denial of service and remote shell upload vulnerabilities.
It has been noticed that Rocket.Chat has quietly fixed a persistent cross site scripting vulnerability but as of 12/18/2020 no release contains these fixes.
This Metasploit module exploits an unauthenticated directory traversal vulnerability in WordPress Duplicator plugin versions 1.3.24 through 1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered.
The Pulse Connect Secure appliance versions prior to 9.1R9 suffer from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in remote code execution as root. Admin credentials are required for successful exploitation.
This Metasploit module affects WordPress Yet Another Stars Rating plugin versions prior to 1.8.7 and demonstrates a PHP object injection vulnerability.
Alumni Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of cross scripting vulnerability in this version is attributed to Valerio Alessandroni in December of 2020.
Alumni Management System version 1.0 suffers from a remote SQL injection vulnerability. SQL injection was originally discovered in this version in October of 2020 by Ankita Pal.
Alumni Management System version 1.0 suffers from a remote shell upload vulnerability. Original discovery for this vulnerability in this version is attributed to Valerio Alessandroni.
The massive state-sponsored espionage campaign that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far more wider in scope, sophistication, and impact than previously thought. News of Microsoft's compromise was first reported by Reuters, which also said the company's own products were then
It’s scary to receive a ransom demand from a cybercriminal, but I would argue it’s even more frightening to receive a threatening phone call from your attackers if you refuse to pay. Read more in my article on the Hot for Security blog.
Trickbot spreading through Subway company emails Customers of Subway U.K. have been receiving confirmation emails for recent orders that instead contain malicious links for initiating Trickbot malware downloads. Subway has since disclosed that it discovered unauthorized access to several of its servers, which then show more ...
launched the campaign. Users who do click on the malicious link initiate a process in Task Manager that can be stopped to prevent additional illicit activities typical of Trickbot infections. Scores of municipal websites attacked in Lithuania At least 22 websites belonging to various municipalities in Lithuania were compromised after a sophisticated cyberattack allowed intruders to take control. After gaining access to the sites, the attackers began delivering misinformation emails under the auspices of Lithuanian government and military ministries. Much of the misinformation being spread revolved around military enlistment and the suspicion of corruption at an airport housing a NATO facility. Researchers discover millions of medical records online Researchers at CybelAngel have uncovered over 45 million healthcare records on unprotected servers. Amongst the sensitive data was personal health information and other personally identifiable data, all left on servers with a login page that allowed access without credentials. It’s likely this data was left unsecured because of the number of medical professionals needing to access, though the security lapse is inexcusable. With healthcare facilities prime targets for ransomware attacks, communications between organizations should entail strict security to protect the valuable data. Ransomware strikes city of Independence, Missouri Officials for the city of Independence, Missouri, have been working for weeks to recover from a ransomware attack that forced them to take several essential services offline. Fortunately, recent file backups were available to restore some of the encrypted systems to normal. At this point, officials remain uncertain if customer or employee data was stolen during the attack, and no ransomware group has come forward to take credit for the attack or post the stolen data for sale. Data Breach Compromises Patient Data at California Hospital California’s Sonoma Valley Hospital recently delivered letters to roughly 67,000 patients regarding a data breach back in October that may have compromised personally identifiable information and other healthcare records. While the hospital was able to shut down some of their systems to prevent the breach from spreading, the attackers are believed to have gained access to and stole sensitive data. The post Cyber News Rundown: Trickbot Spreads Via Subway Emails appeared first on Webroot Blog.