Compromised Password, Lack of Two Factor Authentication Led to Colonial Pipeline Attack, Mandiant
FBI probes 100 types of ransomware, Severe VMware vulnerability under active exploitation, Latvian woman charged in Trickbot indictment, Colonial Pipeline attack spurs new phishing campaign, more
Charles Carmakal, senior vice president at cybersecurity firm Mandiant, soon to be spun off from its parent company FireEye, said that the ransomware attack on the Colonial Pipeline company was the result of a single compromised password for a virtual private network that gave employees the ability to access the company’s network remotely.
The appearance of the password in a cache of leaked passwords suggests an employee reused it on other sites, a fundamental cybersecurity error. Moreover, the VPN did not use two-factor authentication, another fundamental violation of cybersecurity hygiene. (William Turton, Kartikay Mehrotra / Bloomberg)
In a sign of increased, high-level government focus on ransomware threats, FBI Director Christopher Wray said the agency was investigating about 100 different types of ransomware, many tied to Russian actors. Wray also likened the current spate of ransomware attacks to 9/11 as President Joe Biden prepares to confront Russian President Vladimir Putin at the upcoming G7 Summit.
In an interview with the Wall Street Journal, Wray said: “Now realizing it can affect them when they’re buying gas at the pump or buying a hamburger—I think there’s a growing awareness now of just how much we’re all in this fight together.” (Aruna Viswanatha and Dustin Volz / Wall Street Journal)
Security researchers say that a VMware vulnerability with a severity rating of 9.8 out of ten is under active exploitation.
The vulnerability, tracked as CVE-2021-21985, was first revealed last Wednesday and resides in the vCenter Server, a tool for managing virtualization in large data centers. Admins responsible for vCenter machines that have yet to patch the flaw should install an update immediately. (Dan Goodin / Ars Technica)
Bad Packets (@bad_packets): Mass scanning activity detected from 184.108.40.206 (🇳🇱) checking for VMware vSphere hosts vulnerable to remote code execution (CVE-2021-21985). Vendor advisory: https://t.co/D0aWkbQMPT #threatintel
The US Department of Justice arraigned a Latvian woman, Alla Witte, on a 47-count indictment stemming from her alleged role in a transnational cybercrime organization responsible for creating and deploying the Trickbot computer banking trojan and ransomware suite of malware.
Officials say that Witte, also known as “Max,” worked with seventeen other suspects as part of the Trickbot malware gang since it formed in November 2015, when a revamped version of the Dyre trojan was renamed Trickbot. (Catalin Cimpanu / The Record)
Researchers at Palo Alto Networks say they discovered new malware, dubbed Siloscape, that compromises Windows containers in order to compromise the Kubernetes clusters hosting them, with the end goal of backdooring the clusters and paving the way for attackers to abuse them in other malicious activities.
While the researchers previously saw malware targeting only containers in Linux, the heavily obfuscated Siloscape malware has targeted 23 Kubernetes clusters through Windows containers over the past year. (Sergiu Gatlan / Bleeping Computer)
Hacktivist group Anonymous released an ominous-sounding video calling out billionaire entrepreneur Elon Musk for his frequent comments on cryptocurrency that have caused severe fluctuations in the market.
The video said the “carefully curated” image of Elon Musk would be exposed, and people were “beginning to see [him] as nothing more than another narcissistic rich dude who is desperate for attention.” (News.com.au)
Ξlectric5heep (@electric5heep): #Anonymous addresses Elon in new video: https://t.co/PZ6F0rIpBN https://t.co/YQr027edY5
Researchers at cloud-based email security platform INKY say the ransomware attack on Colonial Pipeline inspired a threat actor to create a new phishing lure to trick victims into downloading malicious files that, when activated, attempt to compromise computer systems using the Cobalt Strike penetration testing tool.
The phishing email urges recipients to install a system update from an external link to enable the system to “detect and prevent the latest strains of ransomware,” with a deadline added to increase urgency. (Ionut Ilascu / Bleeping Computer)
Researchers at Positive Technologies disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that malicious hackers could exploit to gain remote code execution on programmable logic controllers (PLCs).
The Russian cybersecurity firm said that the vulnerabilities stem from insufficient verification of input data, which may be the result of a failure to follow secure development recommendations. (Ravie Lakshmanan / The Hacker News)
Cybersecurity company SentinelOne, a major competitor to CrowdStrike and Qualys, filed its prospectus for an initial public offering of its stock. It plans to list on the New York Stock Exchange under the symbol S.
In its S-1 Form registration statement, SentinelOne said that in the three months ending April 30, revenue grew 108% year over year to $37.4 million, while net losses more than doubled from $26.6 million to $62.6 million. (Riley de León / CNBC)
Many sources say that live streams for Cox Media Group radio and television stations were knocked offline by a ransomware attack.
Among the stations affected were News9, WSOC, WSB, WPXI, KOKI, and almost all Cox radio stations. The TV stations came back online more quickly than did the radio stations. Sources say that the company’s autonomous system, AS397123, has also disappeared from the internet DFZ (default-free zone) in what appears to be the company’s attempts to deal with the attack. (Catalin Cimpanu / The Record)
The UK’s largest independent furniture retailer Furniture Village was hit by a cyberattack, likely a ransomware attack, that left it unable to answer phone calls for at least six days.
The company said on Friday that it is “working around the clock to restore all system-related functions of the business as soon as it’s safe to do so.” (Tim Richardson / The Register)
The organizing committee of the Tokyo Olympics has become the latest Japanese organization to be swept up in an incident that began when unidentified attackers accessed data-sharing software made by technology firm Fujitsu.
The breach of the organizing committee affected around 70 people who participated in a cybersecurity drill ahead of the Olympic Games next month. Among the data leaked in the incident are the names and affiliations of people from 90 organizations involved in hosting the Olympics. (The Japan Times)
Meanwhile, Fujifilm said it has refused to pay a ransom demand to the cyber gang that attacked its network in Japan last week and instead relied on backups to restore operations.
The company said its computer systems in the US, Europe, the Middle East, and Africa are now “fully operational and back to business as usual.” Fujifilm Europe said it is “highly confident that no loss, destruction, alteration, unauthorized use or disclosure of our data, or our customers’ data, on Fujifilm Europe’s systems has been detected.” (Robert Scammell / Verdict)
One of the largest pizza restaurant chains in the Netherlands, New York Pizza, says that a hacker breached its systems and then claimed to have stolen a large amount of customer data from the chain, threatening to publish or sell it.
New York Pizza believes the hacker stole the data of approximately 3.9 million users, a number that represents around 22% of the Netherlands’ entire population. (Catalin Cimpanu / The Record)