SolarWinds Hackers Gained Access to Emails of DHS Chief, Cybersecurity Staff: Report

Lawmakers pressure Biden on cyber czar position, Attackers hit Australia's Nine Entertainment and possibly Parliament this weekend, Russian hackers targeted German policymakers, much more

Check out my latest CSO Online column on how states are granting organizations liability protection if they adopt serious cybersecurity practices.

As part of the SolarWinds breach, Russian hackers gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security, then-acting Secretary Chad Wolf, and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries, based on interviews with more than a dozen current and former U.S. government officials.

The hackers were also able to obtain officials' private schedules at the Energy Department, including then-Secretary Dan Brouillette, one former high-placed administration official said.

Wolf and other top Homeland Security officials used new phones that had been wiped clean along with the popular encrypted messaging system Signal to communicate in the days after the hack. One official confirmed that the Federal Aviation Administration was among the agencies affected by the breach but has been so hampered by outdated technology that it is only now capable of identifying how many servers had SolarWinds software. (Alan Suderman / Associated Press)

The Biden White House is under pressure from lawmakers to name a national cybersecurity director as the U.S. comes under increasing assault by malicious foreign actors.

Sen. Angus King (I-Maine), who serves as co-chairman of the Cyberspace Solarium Commission, says he’s frustrated by the delay in naming the director. Still, Congress has yet to fund the cybersecurity director’s office. Some officials point to the bureaucratic struggle that might underlie the delays. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, who is currently the senior-most adviser to the president on cyber issues, has reportedly clashed in the past with the top candidate for the national cyber director role, Jen Easterly, who also headed cyber policy for the Biden transition team. (Natasha Bertrand / Politico)

Australian media giant Nine Entertainment is still in the throes of what appears to be a major ransomware attack that struck the organization over the weekend, forcing some programming off the air and crippling other activities, including publishing operations at the organization’s Sydney headquarters.

Although no official cause of the attack has been released, an email to staff suggested that some files associated with a known ransomware strain called MedusaLocker could have been behind the attack. Staff were instructed to check their laptops for the presence of a file called Recovery_Instructions.html, which is reportedly a calling card for Medusa. (Paul Smith / Financial Review)


In a situation that is seemingly unrelated to the likely ransomware attack on Nine Entertainment, a major technical disruption resulted in Australian members of parliament and senators losing email access over the weekend.

The Department of Parliamentary Services (DPS), which oversees Parliament House in Canberra, said some services on DPS-issued smartphones and tablets had been disrupted. Not all were back to normal. (Sarah Martin with the Australian Associated Press / The Guardian)


According to a report in Der Spiegel, alleged Russian hackers who are part of a Russian military campaign called Ghostwriter launched cyberattacks against dozens of German policymakers.

At least seven members of Germany's federal parliament, the Bundestag, and another 31 state legislators, along with dozens of activists, were targeted in the campaign. (Deutsche Welle)


The Shadowserver Foundation, which helps network owners identify and fix security threats, discovered that a malicious hacker had compromised more than 21,000 Microsoft Exchange email servers with malware that invokes noted cybersecurity journalist Brian Krebs and his website, KrebsOnSecurity.

The KrebsonSecurity.exe file dropped with the malware installs a backdoor, /owa/auth/babydraco.aspx, in the compromised location. It also installs a root certificate, modifies the system registry, and tells Windows Defender not to scan the file. (Brian Krebs / Krebs on Security)


IT software provider SolarWinds, which was compromised as part of a massive Russian espionage campaign, released a new update to its Orion network monitoring tool with fixes for four security vulnerabilities, including two weaknesses that an authenticated attacker could exploit to achieve remote code execution.

The most important fix is for a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via the test alert actions feature in the Orion Web Console. (Ravie Lakshmanan / The Hacker News)


Multinational router and IoT device maker Sierra Wireless announced it has resumed production and started to recover its internal systems following a ransomware attack that began on March 20.

Sierra said it does not expect there to be any product security patches or firmware or software updates required due to the attack. (Danny Palmer / ZDNet)


Apple issued an update for iPhones, iPads, and Watches to patch a security vulnerability under active attack by hackers.

The vulnerability found in WebKit, the browser engine that powers the Safari browser across all Apple devices, was discovered by security researchers at Google’s Project Zero. (Zack Whittaker / TechCrunch)


Researchers from security firm Zimperium have discovered a remote access Android trojan masquerading as a system update that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.

Messaging apps that are vulnerable to database theft include the widely popular WhatsApp. (Dan Goodin / Ars Technica)


In yet another software supply chain hack, the official PHP Git repository was hacked and the code base tampered with when two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.php.net server.

In making the malicious commits, the threat actors posed as known PHP developers and maintainers, Rasmus Lerdorf and Nikita Popov. PHP is the server-side programming language that powers over 79% of the websites on the internet. (Ax Sharma / Bleeping Computer)


ODP, the parent of CompuCom and Office Depot, said that a Darkside ransomware attack that struck CompuCom in late February would cost the MSP between $5 million and $8 million in lost revenue and up to $20 million in cleanup costs.

The added costs of the attack come at a bad time for ODP, which is attempting to sell CompuCom. (Sergiu Gatlan / Bleeping Computer)


Image by Inter-American Dialogue - 12th Sol M. Linowitz Forum, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=83271197