Microsoft and FireEye Spell Out New Malware Strains Tied to SolarWinds Actor
Three top Russian language forums hacked, Star Alliance of Airlines IT operator hacked, Supermicro and Pulse Secure say some of their motherboards are vulnerable to Trickboot, and more
Plug: Virginia became the second state in the nation after California to pass a data protection law, which could spark other states to pass their own laws quickly. Check out my latest column on the subject.
Microsoft and FireEye published separate reports detailing new malware strains tied to the SolarWinds’ threat actor. Microsoft identified three new strains, including GoldMax, a Go-based backdoor that FireEye calls SUNSHUTTLE, three different variants of a VBScript malware strain called Sibot, and another Go-based malware strain called Goldfinger.
Microsoft said the new strains were linked to the threat actor, which they have now named Nobelium. The software and security giant said it found the three malware strains on some of its customers' networks that were compromised by Nobelium last year, some implanted as far back as June 2020.
Related: Dark Reading, The Record by Recorded Future, DataBreachToday.com, GovInfoSecurity.com, Bleeping Computer, SC Magazine, Threatpost, Cyberscoop, Microsoft, Microsoft Malware Protection Center, Security Affairs, Threat Research Blog, FireEye Threat Research Blog
Kim Zetter @KimZetterMandiant found another second-stage backdoor used by SolarWinds threat actor; it's written in GoLang. They're calling it SUNSHUTTLE. Someone (victim? security firm?) uploaded it to a malware repository (VT?) in Aug 2020, months before SW breach was exposed https://t.co/qGVdFjRwZ1
Three of the longest-running and most venerated Russian-language online forums, Mazafaka (a.k.a. “Maza,” “MFclub“), Verified, and Exploit, which collectively serve thousands of experienced cybercriminals, have been hacked.
In two cases, the forums’ user databases, including email and Internet addresses and hashed passwords, were stolen. One of the hackers dumped thousands of usernames, email addresses, and obfuscated passwords on the dark web stolen from Maza, verified by cybersecurity firm Intel 471. (Brian Krebs / Krebs on Security)
Cybersecurity firm Group-IB said that ransomware attacks more than doubled last year and increased in both scale and sophistication, with massive payouts that averaged between $1 and $2 million for some ransomware gangs.
Among the new ransomware groups emerging in 2020 are Conti, Egregor, and DarkSide. (Ionut Ilascu / Bleeping Computer)
IT operator Sita, which serves the Star Alliance of Airlines including Singapore, Lufthansa, and United, said that its systems containing frequent flyer data had been breached, exposing passenger data.
The exposed data does not include member passwords, credit card information, or other personal customer data such as itineraries, reservations, ticketing, passport numbers, email addresses, or other contact information. Other airlines affected include Finnair and a South Korean carrier called Jeju Air and Air New Zealand. (Martin Farrer / The Guardian)
Chip and firmware companies Supermicro and Pulse Secure said that some of their motherboards are vulnerable to the TrickBot malware's UEFI firmware-infecting module, known as TrickBoot, that can, in certain circumstances, read, write, and erase the firmware.
Supermicro has released BIOS version 3.4 to fix the vulnerability but has only released it publicly for one of the motherboards, the X10SLH-F motherboard. For the other motherboards, owners must contact Supermicro to get access to the new BIOS. Pulse Secure has released a BIOS patch for devices running Pulse Connect Secure or Pulse Policy Secure. Pulse One (On-Prem Appliance Only) owners will have to wait for a patch. (Lawrence Abrams / Bleeping Computer)
VMWare has issued a fix for a high severity unauthenticated RCE vulnerability in VMware View Planner that could allow attackers to abuse servers running unpatched software for remote code execution.
The privately reported security flaw tracked as CVE-2021-21978 received a CVSS security rating of 8.6 out of 10 and can be exploited remotely by unauthenticated attackers in low complexity attacks that don't require user interaction. (Sergiu Gatlan / Bleeping Computer)
According to researchers from North Carolina State University, Amazon has some security holes in its third-party access for Alexa that could allow users’ personal data, including banking and contact information, to be exposed.
The researchers say that Amazon does not properly vet its third-party skills developers and has no verification to ensure the person or company selling or giving a skill is who they say they are. (Tristan Greene / The Next Web)
In a new report, the U.S. Government Accountability Office (GAO) said the Department of Defense fails to communicate clear cybersecurity guidelines to contractors tasked with building systems for its weapons programs.
The report states that three out of five contracts reviewed by the GAO had no cybersecurity requirements written into the contract language when awarded, with only vague requirements added later. Only the Air Force has a record of issuing service-wide guidance on cybersecurity requirements in contracts. (Natalie Gagliordi / ZDNet)
Cybersecurity company Agari said that business email compromised scammers are using a new type of attack targeting investors that could leverage payouts seven times greater than average.
The scammers are using fake 'capital call' notices that carry a much larger payout than your standard BEC scam. (Lawrence Abrams / Bleeping Computer)
The 132d Wing of the Iowa Air National Guard, which carries out overseas intelligence missions, performs reconnaissance and conducts strikes with Reaper drones, bought access to location data harvested from ordinary apps installed on peoples' smartphones.
The Guard confirmed that it purchased software called Locate X, which harvests the location data, which would support the Guard’s mission overseas. (Joseph Cox / Motherboard)
The National Security Agency (NSA) and Cybersecurity and Infrastructure Agency (CISA) released a joint information sheet on the benefits of using a Protective Domain Name System (PDNS), which uses existing DNS protocols and architecture to analyze DNS queries and mitigate threats.
Among the benefits cited by NSA and CISA of PDNS are that the service provides defenses in various network exploitation life cycle points, addressing phishing, malware distribution, command and control, domain generation algorithms, and content filtering. (Steve Zurier / SC Magazine)
Researchers at Barracuda Networks said that vaccine-related spearphishing emails rose 26% from October to the end of January, coinciding with the availability of vaccines from Pfizer and Moderna.
At the same time, Check Point Research said that vaccine-related domain registrations rose by 300% over the past eight months, with a large spike beginning in November and continuing through January. (Tim Starks / Cyberscoop)
Photo: NASA/SDO (AIA), Public domain, via Wikimedia Commons