SolarWinds Actors Are Back With New Hack Affecting 3,000 Email Accounts and 150 Agencies

Pulse Secure hackers may have been tipped off to FireEye's probe, FBI warns of APT group's exploit of Fortigate appliance, Troy Hunt open sources HIBP, Klarna Bank exposes 90K customer accounts, more

May 28

Check out my latest column in CSO on the TSA’s release of its pipeline security directive, which experts say has some problems but is a step in the right direction. And please don’t forget to support Metacurity with a premium subscription and gain access to our archives and exclusive premium content.

Microsoft said it observed this week the same Russian hackers behind the SolarWinds hack, the Nobelium group, targeting government agencies, think tanks, consultants, and non-governmental organizations, affecting more than 3,000 email accounts across 150 agencies, a quarter of which are involved international development, humanitarian and human rights.

The actors were able to launch the attacks by breaching the Constant Contact account of USAID via a phishing campaign that inserted a malicious file used to distribute a backdoor that Microsoft calls NativeZone. The backdoor is capable of stealing data to infect other computers on the network. Microsoft said many of the attacks targeting its customers were blocked automatically, and Windows Defender blocked the malware involved in this attack. (David E. Sanger, Nicole Perlroth / New York Times)

Microsoft Security Intelligence @MsftSecIntel

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP, GoldMax, and other related components.

New sophisticated email-based attack from NOBELIUM - Microsoft SecurityMicrosoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and …microsoft.com

FireEye said that at least one of the groups involved in attacks that exploited a zero-day in Pulse Secure VPN appliances began removing its malware from infected networks three days before its researchers exposed the attacks. FireEye previously reported that two groups, UNC2630, and UNC2717, installed web shells on Pulse Secure devices to steal credentials, emails, and sensitive documents.

Fireye Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove webshells like ATRIUM and SLIGHTPULSE between April 17th and 20th, 2021, raising questions that they might have known of FireEye’s probing. (Catalin Cimpanu / The Record)

Catalin Cimpanu @campuscodi

The wording is quite strong, and something that I haven't seen in a report in recent times. FireEye even goes into an analysis of recent Chinese cyber-espionage operations and how they stand up to the old Obama-Xi agreement.

The FBI issued a TLP:WHITE flash alert warning that as of at least May 2021, “an APT actor group almost certainly exploited a Fortigate appliance to access a web server hosting the domain for a U.S. municipal government.”

After gaining access to the government’s server, the actors moved laterally through the network and created a new domain controller, server, and workstation user accounts mimicking existing ones. The Bureau said that the actors are targeting “a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors.” (Sergiu Gatlan / Bleeping Computer)

Data breach security specialist Troy Hunt announced that his data breach service Have I Been Pwned (HIBP) will now also receive compromised passwords discovered in the course of FBI investigations. Hunt also said that HIBP is now open-sourced via Microsoft’s .NET foundation.

HIBP is adding a new open-source program, Pwned Passwords, to easily let the FBI data flow into HIBP, which will be provided in SHA-1 and NTLM hash pairs. (Troy Hunt / Troy Hunt’s Blog)

Related: Dark Reading, ZDNet Security

Shmuel Sunray, chief legal counsel for notorious Israeli spyware company NSO Group, offered insight into how NSO chooses its clients. The company has been accused of spying for ruthless regimes, including helping the Saudi government spy on a close associate of Washington Post columnist Jamal Khashoggi, who the Saudi government murdered.

Sunray declined to comment on any work for Saudi Arabia but did say that it considers a country’s entire governance when deciding who to sell its tools to. He also said the company has permanently cut ties with only four clients since its founding. (Jenna McLaughlin / Yahoo News)

Eva @evacide

NSO Group's latest charm offensive, where they promise a transparency report and a scoring system of clients that takes into account their human rights records, is a completely insincere waste of time.

An infamous Israeli spyware firm looks to bolster its image by scoring customersNSO is reportedly considering going public with an estimated value of up to $2 billion. But serious questions remain about the firm’s clientele, and how they...yahoo.com

In its continuing investigation of the neighborhood watch app Citizen, Motherboard obtained internal documents, messages, and roadmaps that show the company aims to be a vigilante private law enforcement agency, fueling paranoia and fear of neighbors and “suspicious” people.

Aside from what a former employee calls Citizen’s “insanely racist” user base, Citizen incentivizes its employees and the public to create incidents because “they are the core currency of the app and what drives user engagement, user retention, and a sense of reliance on the app itself.” (Joseph Cox and Jason Koebler / Motherboard)

Related: IT Pro, Techdirt

Swedens’ Klarna bank suffered a severe technical issue this morning that allowed mobile app users to log into about 90,000 other customers' accounts and see their stored information.

The “self-inflicted” incident lasted for about 31 minutes, according to Klarna. Customers stated that they would get access to a different account each time they logged into the account. (Lawrence Abrams / Bleeping Computer)

Researchers at Germany’s Ruhr-University Bochum discovered security flaws in PDFs that could allow a savvy hacker to manipulate or deface the contents of certified documents surreptitiously.

The researchers developed two attacks, the Sneaky Signature Attack (SSA) and the Evil Annotation Attack (EAA), that manipulate the flaws in the PDF certification process that allow the documents to be manipulated. (Lucas Ropek / Gizmodo)

NASA plans to advance a wide-ranging cybersecurity management contract called CyPreSS Cybersecurity and Privacy Enterprise Solutions and Services following a highly critical report by NASA’s Inspector General. That report concluded “that NASA's ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture."

The IG assessed NASA has been subjected to more than 6,000 cyberattacks in the past four years, including phishing scams and malware, and has exposed itself to a “higher-than-necessary” risk from cyber threats. (Justin Katz / FCW)

Catalin Cimpanu @campuscodi

NASA OIG report says the agency detected 1,785 cyber-security incidents last year. Nothing major reported. PDF: oig.nasa.gov/docs/IG-21-019…

Image via Skjoldbro, Public domain, via Wikimedia Commons