Biden Launches Sweeping Review of Intel Regarding SolarWinds Hack and Other Top Infosec News for 1/22/21

A malicious hacker stole Intel's financial data, Gangs abuse Windows RDP, Thousands of stolen logins available via Google search, the UK government shipped malware-laden laptops to students, more

Know someone who needs to stay on top of the developments swirling around cybersecurity? Please give them a gift subscriptions today!

Give a gift subscription

President Biden has ordered a sweeping review of American intelligence about Russia’s role in the SolarWinds supply chain attack, which has implicated vast swaths of the federal government and U.S. private industry.

Reportedly, some intelligence officials have “quietly concluded” that more than a thousand Russian software engineers were most likely involved in developing the SolarWinds intrusion, an estimate that some noted cybersecurity officials say is virtually impossible. (David E. Sanger and Julian E. Barnes / New York Times)

Related: Washington Post

Intel said that a malicious hacker stole financially sensitive information in the form of an infographic from its corporate website yesterday, forcing the chip giant to release its earnings early.

The infographic was circulated outside the company but was not published online. (Richard Waters / Financial Times)

Related: ReutersCNBC TechnologyBusiness InsiderCity AMCNBC TechnologyThe Register

Security firm NetScout said that cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to bounce and amplify junk traffic as part of DDoS attacks using a DDoS amplification factor.

Netscout said the amplification factor is 85.9, with the attackers sending a few bytes and generating "attack packets" that are "consistently 1,260 bytes in length." The firm is currently detecting more than 14,000 RDP servers exposed online and running on UDP port 3389, which are the servers that can be abused in the attacks. (Catalin Cimpanu / ZDNet)

Related: SecurityWeek

Researchers at Check Point and Otorio discovered that a phishing campaign running for more than six months unintentionally left over a thousand stolen login-in credentials accessible to the public via Google search.

The stolen credentials were stored in designated web pages on compromised servers, and Google indexed them as part of its regular web crawling. (Ian Barker / Beta News)

Related: ZDNet SecurityBleeping ComputerCyber KendraHotHardware.comThe Hacker NewsCyberscoopSecurityWeekGlobal Security MagazineCheck Point

Researchers at Sophos said they found evidence connecting the MrbMiner crypto-mining botnet operators to a small boutique software development company operating from the city of Shiraz, Iran.

Multiple MbrMiner domains used to host the crypto miner payloads were hosted on the same server used to host vihansoft.ir, the website of a legitimate Iranian-based software development firm, which was also used as the command and control (C&C) server for the MbrMiner operation. (Catalin Cimpanu / ZDNet)

Related: ThreatpostDataBreachToday.comThe Hacker News, Sophos

The UK government sent laptops to a Bradford school to support children home-schooling during lockdown that contained malware, a worm called Gamarue.I, which was contacting Russian servers.

The malware installs spyware that can gather information about browsing habits and harvest personal information such as banking details. (Jane Wakefield / BBC News)

Related: The GuardianIT ProSilicon UKBleeping ComputerThe Register, Mac Observer

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a campaign to increase ransomware awareness through the public and private sectors called Reduce the Risk of Ransomware Campaign.

One main goal of the effort is to lower the risk of ransomware to pandemic response and K-12 educational organizations. (Brenda Marie Rivers / GovConWire)

Related: Inside Cybersecurity, The Hill: CybersecurityCISA, StateScoop

Google Project Zero security researcher Natalie Silvanovich found logic bugs in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps that allowed attackers to listen to users' surroundings without permission before the person on the other end picked up the calls.

The bugs, which have now been fixed, made it possible to force targeted devices to transmit audio to the attackers' devices without gaining code execution. (Sergiu Gatlan / Bleeping Computer)

Related: Computing.co.ukE Hacking NewsCISO MAGSecureReading, TechRadar, Threatpost

Proofpoint researchers say that a threat actor has been sending thousands of emails to organizations as part of a reconnaissance campaign to identify targets for a possible follow-up business-email-compromise (BEC) attack.

The spear-phishing emails contain C-level executives' unique names from the target organizations, indicating that the cybercriminals have done their homework. (Lindsey O’Donnell / Threatpost)

Related: Proofpoint

A Russian researcher has published a functional exploit on GitHub targeting a critical vulnerability that SAP patched in its Solution Manager (SolMan) product in March 2020.

The vulnerability is tracked as CVE-2020-620 and is a missing authorization check in the EEM Manager component of SolMan. (Ionut Arghire / Security Week)

Related: Security Affairsisssource.com

A ransomware attack hit the Scottish Environment Protection Agency (SEPA) on Christmas Eve. Now, it has been discovered that the Conti ransomware gang has now published 4,150 files stolen during the attack.

Among the published data are corporate plans, contracts, spreadsheets, and potentially personal information about staff. (Graham Cluley / Graham Cluley)

Related: IT ProZDNet Security,  Reddit - cybersecurityEnergy VoiceDIGITHot for Security

Microsoft unveiled several new features to its Edge browser, including a password monitor developed by the Edge product team and a former Microsoft Research incubation group called the "Cryptography and Privacy Research Group.”

Password Monitor contacts a server periodically and verifies that the credentials you have saved in Edge are not present in a database of breached credentials.  (Usama Jawed / Neowin)

Related: Reddit - cybersecurityBusinessLine - HomeMobileSyrup.comAndroidHeadlines.comMacRumorsPocketnowgHacks, Microsoft, The Next Web

Photo by NASA Goddard Space Flight Center - Flickr: Magnificent CME Erupts on the Sun - August 31, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=21422679