A New Threat Actor is Exploiting Pulse Secure VPN and SolarWinds Orion Vulnerabilities to Install Credential-Stealing Malware

Prometei botnet hackers are exploiting Exchange flaws, hackers use ToxicEye RAT to hijack Telegram accounts, threat actors exploiting new Trend Micro bug, 18 new C&C servers of the SolarWinds hackers found, more

Plug: Check out my latest column on the Biden administration’s 100-day push for better electric sector cybersecurity.

The Cybersecurity and Infrastructure Security Agency (CISA) warns that a new threat actor aside from Russia is exploiting a vulnerability in Pulse Secure’s virtual private network (VPN) appliance, moving laterally to its SolarWinds Orion server, installing malware referred to by security researchers as SUPERNOVA (a .NET webshell), and stealing credentials.

CISA issued a warning earlier this week about FireEye's discovery that a hacking group linked to the Chinese government uses vulnerabilities in the VPN to target defense industrial base contractors and entities in Europe. (Justin Katz / FCW)

Related: CISO MAG, SensorsTechForum, Cyber News Group, DataBreaches.net, CISA.gov, Dark Reading: Attacks/Breaches, MSSP Alert, The Register - Security, Cyberdefense Magazine, CRN, HealthITSecurity, Talos Intel, SecurityWeek, Help Net Security, The Hill, TechTarget, Computing.co.uk, The Register, NBC News, Threatpost

Researchers at Cybereason report that after Microsoft revealed a Chinese hacking group called Hafnium had exploited flaws in its Exchange Server, Russian-speaking attackers controlling a botnet called Prometei used those same vulnerabilities to conduct a series of intrusions at companies in North America.

Although the botnet administrators seem mostly interested in earning money, they have some technical groundwork in place should they want to embrace more “destructive payloads,” according to Cybereason. (Sean Lyngaas / Cyberscoop)

Related: Reddit - cybersecurity, ZDNet, MSSP Alert, TechNadu, Infosecurity Magazine, Decipher, Security Brief, Help Net Security, Cybersecurity Review, Windows Central, Dark Reading: Threat Intelligence, MSSP Alert, Cybereason Blog, Bleeping Computer

Researchers at Check Point say that hackers are leveraging the Telegram messaging app by embedding its code inside a remote access trojan (RAT) dubbed ToxicEye, giving the hacker control over the messaging account.

The researchers say that an indication of infection on PCs is the presence of a file called “rat.exe” located within the directory C:\Users\ToxicEye\rat[.]exe and that organizations should monitor the traffic generated from PCs to Telegram accounts when the Telegram app is not installed on the systems in question. (Elizabeth Montalbano / Threatpost)
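As an added example (not code from the Threatpost article or from Check Point's report), the following Python turns the two indicators above into a check over constructed egress log lines and a constructed software inventory: the log format, host names and inventory contents are assumptions, and the only values taken from the page are the Telegram destination and the rat.exe path.

```python
import re
from typing import Dict, List, Set

# Constructed sample egress log lines (not real data): "<timestamp> <host> <destination domain>".
SAMPLE_LOGS = """\
2021-04-22T10:01:12Z ws-finance-07 api.telegram.org
2021-04-22T10:01:15Z ws-hr-02 api.telegram.org
2021-04-22T10:02:03Z ws-finance-07 updates.vendor.example
2021-04-22T10:05:44Z ws-dev-11 web.telegram.org
"""

# Constructed software inventory (host -> installed application names), also not real data.
INVENTORY: Dict[str, Set[str]] = {
    "ws-finance-07": {"Microsoft Office", "Google Chrome"},
    "ws-hr-02": {"Telegram Desktop", "Microsoft Office"},
    "ws-dev-11": {"Visual Studio Code"},
}

# Destinations that indicate Telegram use; api.telegram.org is the Telegram Bot API endpoint.
TELEGRAM_DOMAINS = {"api.telegram.org", "web.telegram.org"}
TELEGRAM_APP = "Telegram Desktop"  # assumed inventory name for the desktop client
# File location named in the Check Point report, compared case-insensitively.
TOXICEYE_PATH = r"c:\users\toxiceye\rat.exe"

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def telegram_traffic_without_client(log_text: str, inventory: Dict[str, Set[str]]) -> List[str]:
    """Return hosts that reached Telegram domains but have no Telegram client installed."""
    flagged: Set[str] = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        _, host, domain = m.groups()
        if domain.lower() not in TELEGRAM_DOMAINS:
            continue
        # A host missing from the inventory is treated as having no client, so it is flagged too.
        if TELEGRAM_APP not in inventory.get(host, set()):
            flagged.add(host)
    return sorted(flagged)


def is_toxiceye_artifact(path: str) -> bool:
    """True if a file path matches the rat.exe location named in the report."""
    return path.strip().lower().replace("/", "\\") == TOXICEYE_PATH


if __name__ == "__main__":
    print("Telegram traffic without client:", telegram_traffic_without_client(SAMPLE_LOGS, INVENTORY))
    print("Artifact match:", is_toxiceye_artifact(r"C:\Users\ToxicEye\RAT.EXE"))
```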

Related: Forbes - Zak Doffman, TechTarget, Check Point, Global Security Magazine, The Hacker News, ZDNet Security, TechNadu

Trend Micro said that a threat actor began using a bug in its antivirus products to gain admin rights on Windows systems as part of its attacks. The vulnerability, tracked as CVE-2020-24557, affects the company’s Apex One and OfficeScan XG, two advanced security products aimed at enterprise customers.

Patched in August, the bug could not be used to break into systems on its own; it served as the second step in a multi-phase exploit chain: after hackers had already planted malicious code on a victim’s computer, they used the bug to take full control of the infected system. According to a source familiar with the attacks, the bug was likely used by a state-sponsored espionage group. (Catalin Cimpanu / The Record)

Related: Cybersecurity Review, Security Affairs

Researchers at RiskIQ have uncovered eighteen additional command-and-control servers used in the SolarWinds hacking campaign, indicating that the operation was broader in scope than previously known.

Cybersecurity researchers previously identified about three dozen command-and-control servers used in the operation. (Kim Zetter / Zero Day)

Related: Cybersecurity Review, The Hacker News, RiskIQ

The Darkside ransomware crew is branching out by notifying crooked market traders of a ransomware attack in advance, so they can short a company’s stock before the gang lists the company as a victim on its website.

However, ransomware attacks have generally not been severe enough to cause long-term damage to a company’s market listing, with the price taking only small hits for very short periods. (Catalin Cimpanu / The Record)

Related: Slashdot

A security researcher who goes by the name Sick Codes discovered that two bugs in tractor and equipment maker John Deere's apps and website could have allowed hackers to find and download the personal data of all owners of the company's farming vehicles and equipment.

The company fixed the bugs after the researcher reported them to John Deere on April 12 and 13. (Lorenzo Franceschi-Bicchierai / Motherboard)

In a development that provides insight into the bustling cybercrime economy, the login names and passwords for 1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.

By purchasing the stolen accounts, threat actors and researchers can search for compromised devices in a particular country, state, city, zip code, ISP, or operating system, allowing them to find the specific server they need. (Lawrence Abrams / Bleeping Computer)

Related: DataBreaches.net

In remarks clearly aimed at China’s growing dominance in technology, the head of the UK’s top spy agency, GCHQ, said that the UK and the U.S. should “develop sovereign technologies” or otherwise face a “moment of reckoning” in which the West does not control encryption and other technologies.

Fleming believes the UK must maintain a foothold in ultra-high-speed quantum computing and areas such as artificial intelligence and bioscience. (Dan Sabbagh / The Guardian)

Related: Financial Times Technology, Daily Mail

Michael Gillespie, creator of the ransomware identification service ID-Ransomware, says that a new ransomware strain named Qlocker is infecting hundreds of QNAP network-attached storage (NAS) devices every day.

In an advisory, QNAP told customers to apply recent updates for three apps to secure their devices from ransomware attacks, although it didn’t say which of the three updates the attackers are exploiting. (Catalin Cimpanu / The Record)

Related: The Register - Security, Bleeping Computer, QNAP

Cybersecurity leader Window Snyder is now leading a company called Thistle Technologies, which received $2.5 million in seed funding from True Ventures.

Thistle aims to help manufacturers of Internet of Things devices bake security into their products from the outset. (Dan Goodin / Ars Technica)


End-to-end deep learning cybersecurity start-up Deep Instinct has closed a $100 million Series D venture funding round.

The round was led by BlackRock. Other investors include Untitled Investments, The Tudor Group, Anne Wojcicki, Millennium, Unbound, and Coatue Management. (Chris O’Brien / Venture Beat)

Related: Sifted, AlleyWatch, Bloomberg, Globes, Business Wire Technology News, The Times of Israel, Solutions Review, Private Equity Wire, MSSP Alert, Bloomberg, Global Security Magazine, Private Equity Wire, Hypepotamus, PYMNTS.com, The Fintech Times, Solutions Review, NoCamels, FinSMEs

Online fraud prevention start-up Sift has raised $50 million in a new venture fund round.

The financing was led by global venture capital and private equity firm Insight Partners, with participation from Union Square Ventures and Stripes. (Mary Ann Azevedo / TechCrunch)

Related: Global Newswire
