Compromised Password, Lack of Two Factor Authentication Led to Colonial Pipeline Attack, Mandiant

FBI probes 100 types of ransomware, Severe VMware vulnerability under active exploitation, Latvian woman charged in Trickbot indictment, Colonial Pipeline attack spurs new phishing campaign, more


Charles Carmakal, senior vice president at cybersecurity firm Mandiant, soon to be spun off from its parent company FireEye, said that the ransomware attack on the Colonial Pipeline company was the result of a single compromised password for a virtual private network that gave employees the ability to access the company’s network remotely.

The appearance of the password in a cache of leaked passwords suggests an employee reused it on other sites, a fundamental cybersecurity error. Moreover, the VPN did not use two-factor authentication, another fundamental violation of cybersecurity hygiene. (William Turton, Kartikay Mehrotra / Bloomberg)

Related: CRN, CNN.com - Politics, Engadget, DataBreaches.net, Slashdot

In a sign of increased, high-level government focus on ransomware threats, FBI Director Christopher Wray said the agency was investigating about 100 different types of ransomware, many tied to Russian actors. Wray also likened the current spate of ransomware attacks to 9/11 as President Joe Biden prepares to confront Russian President Vladimir Putin at the upcoming G7 Summit.

In an interview with the Wall Street Journal, Wray said: “Now realizing it can affect them when they’re buying gas at the pump or buying a hamburger—I think there’s a growing awareness now of just how much we’re all in this fight together.” (Aruna Viswanatha and Dustin Volz / Wall Street Journal)

Related: Washington Examiner, Daily Mail, New York Post, Politico, Tech Insider, The Sun, ZDNet, The Guardian, The Crime Report, Axios, Washington Post, Reuters: World News, Channel News Asia, NDTV Gadgets360.com, South China Morning Post, Raw Story, Business Insider, Techdirt, Cyberscoop, Straits Times, Euractiv

Security researchers say that a VMware vulnerability with a severity rating of 9.8 out of ten is under active exploitation.

The vulnerability, tracked as CVE-2021-21985, was first revealed last Wednesday and resides in the vCenter Server, a tool for managing virtualization in large data centers. Admins responsible for vCenter machines that have yet to patch the flaw should install an update immediately. (Dan Goodin / Ars Technica)

Related: Security Affairs, Bleeping Computer

The US Department of Justice arraigned a Latvian woman, Alla Witte, on a 47-count indictment stemming from her alleged role in a transnational cybercrime organization responsible for creating and deploying the Trickbot banking trojan and ransomware suite of malware.

Officials say that Witte, also known as “Max,” worked with seventeen other suspects as part of the Trickbot malware gang since it formed in November 2015, when a revamped version of the Dyre trojan was renamed Trickbot. (Catalin Cimpanu / The Record)

Related: SecureReading, The Verge, E Hacking News, Justice.gov, Security Affairs

Researchers at Palo Alto Networks say they discovered new malware, dubbed Siloscape, that compromises Windows containers as a way into Kubernetes clusters, with the end goal of backdooring them and paving the way for attackers to abuse them in other malicious activities.

While the researchers previously saw malware targeting only containers in Linux, the heavily obfuscated Siloscape malware has targeted 23 Kubernetes clusters through Windows containers over the past year. (Sergiu Gatlan / Bleeping Computer)

Related: ZDNet, Unit 42 - Palo Alto Networks, Palo Alto Networks

Hacktivist group Anonymous released an ominous-sounding video calling out billionaire entrepreneur Elon Musk for his frequent comments on cryptocurrency that have caused severe fluctuations in the market.

The video said the “carefully curated” image of Elon Musk would be exposed, and people were “beginning to see [him] as nothing more than another narcissistic rich dude who is desperate for attention.” (News.com.au)

Related: IBTimes India, Tech Times, Big News Network, The Korea Times News, Daily Mail, Al Bawaba, India Today Latest Stories, Newsweek, SecureReading, Bitcoin News, Bitcoinist.com, TechDator

Researchers at cloud-based email security platform INKY say the ransomware attack on Colonial Pipeline inspired a threat actor to create a new phishing lure to trick victims into downloading malicious files that, when activated, attempt to compromise computer systems using the Cobalt Strike penetration testing tool.

The phishing email urges recipients to install a system update from an external link to enable the system to “detect and prevent the latest strains of ransomware,” with a deadline added to increase urgency. (Ionut Ilascu / Bleeping Computer)

Related: ZDNet, Washington Examiner, Exploit One, Investor's Business Daily, Business Insider, Mondaq.Com, TechRepublic, Hot Hardware, Cybertech, Infosecurity Magazine, The Hacker News

Researchers at Positive Technologies disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that malicious hackers could exploit to gain remote code execution on programmable logic controllers (PLCs).

The Russian cybersecurity firm said that the vulnerabilities stem from insufficient verification of input data, likely caused by a failure to follow secure development recommendations. (Ravie Lakshmanan / The Hacker News)

Related: SecurityWeek, Positive Technologies

Cybersecurity company SentinelOne, a major competitor to CrowdStrike and Qualys, filed its prospectus for an initial public offering of its stock. It plans to list on the New York Stock Exchange under the symbol S.

In its S-1 Form registration statement, SentinelOne said that in the three months ending April 30, revenue grew 108% year over year to $37.4 million, while net losses more than doubled from $26.6 million to $62.6 million. (Riley de León / CNBC)

Related: Dark Reading: Operations, SecurityWeek, TechCrunch, SEC.gov, Silicon Angle

Many sources say that live streams for Cox Media Group radio and television stations were knocked offline by a ransomware attack.

Among the stations affected were News9, WSOC, WSB, WPXI, KOKI, and almost all Cox radio stations. The TV stations came back online more quickly than did the radio stations. Sources say that the company’s autonomous system, AS397123, has also disappeared from the internet DFZ (default-free zone) in what appears to be the company’s attempts to deal with the attack. (Catalin Cimpanu / The Record)

Related: NBC, Security News | Tech Times, IT Pro, The Hill: Cybersecurity, Exploit One, Apple Insider, TV Technology

The UK’s largest independent furniture retailer Furniture Village was hit by a cyberattack, likely a ransomware attack, that left it unable to answer phone calls for at least six days.

The company said on Friday that it is “working around the clock to restore all system-related functions of the business as soon as it’s safe to do so.” (Tim Richardson / The Register)

Related: Security News | Tech Times, Daily Mail

The organizing committee of the Tokyo Olympics became the latest Japanese organization to be swept up in an incident that began when unidentified attackers accessed data-sharing software made by technology firm Fujitsu.

The breach of the organizing committee affected around 70 people who participated in a cybersecurity drill ahead of the Olympic Games next month. Among the data leaked in the incident are the names and affiliations of people from 90 organizations involved in hosting the Olympics. (The Japan Times)

Related: All - Kyodo News+, Cyberscoop, Mercury News, Reddit - cybersecurity

Meanwhile, Fujifilm said it has refused to pay a ransom demand to the cyber gang that attacked its network in Japan last week and instead relied on backups to restore operations.

The company said its computer systems in the US, Europe, the Middle East, and Africa are now “fully operational and back to business as usual.” Fujifilm Europe said it is “highly confident that no loss, destruction, alteration, unauthorized use or disclosure of our data, or our customers’ data, on Fujifilm Europe’s systems has been detected.” (Robert Scammell / Verdict)

Related: SiliconANGLE, DataBreaches.net, Fujifilm

One of the largest pizza restaurant chains in the Netherlands, New York Pizza, says that a hacker breached its systems and then claimed to have stolen a large amount of customer data from the chain, threatening to publish or sell it.

New York Pizza believes the hacker stole the data of approximately 3.9 million users, a number that represents around 22% of the Netherlands’ entire population. (Catalin Cimpanu / The Record)

Related: DataBreaches.net

Photo by Erik Mclean on Unsplash