Supply chain attack is the new buzzword
For hackers, SolarWinds is the gift that keeps on giving.
Ever since the great SolarWinds hack, cyberattacks against the software supply chain are fast becoming one of the greatest unknown risks for organizations.
Details of the attack emerged in December 2020, when security experts discovered that sophisticated threat actors had inserted a backdoor into Orion, a widely used network monitoring product developed by SolarWinds, giving the intruders a digital back door into as many as 18,000 SolarWinds customers.
The company, which has come under the microscope since details of the supply chain attack surfaced last year, counts government agencies and numerous Fortune 500 firms as its customers.
Since then, the hacking operation — publicly pinned on Russia — has been traced back to at least September 2019, with the primary goal of compromising SolarWinds software to spy on government agencies and high-value corporate networks.
Now, in a series of fresh disclosures, it has emerged that threat actors from China may have exploited a different vulnerability in the same software to worm their way into the National Finance Center, a federal payroll agency within the Agriculture Department.
The new CEO of SolarWinds, Sudhakar Ramakrishna, said hackers were potentially reading the company’s emails for at least nine months since December 2019.
“Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised,” Ramakrishna told the Wall Street Journal earlier this month.
While SolarWinds’s Orion was a major attack vector, it wasn’t the only one. Last week the acting director of the Cybersecurity and Infrastructure Security Agency (CISA) said that about 30% of the hackers’ victims had no direct connection with SolarWinds.
What’s Trending in Security?
🇺🇸 A water treatment facility in the U.S. state of Florida was successfully infiltrated by unknown threat actors, who managed to drastically alter the levels of sodium hydroxide (NaOH) in the water supply. Although the action was reversed, the breach has been blamed on poor password security and the use of an outdated Windows operating system. [The Hacker News]
🛡️ European authorities disrupted Emotet, one of the most notorious botnets, as part of an international takedown called “Operation Ladybird.” The malware will be uninstalled en masse from infected systems on April 25. [Risky Business / The Hacker News]
📱 Grayshift, the company behind iPhone unlocking technology, can now do the same for Android smartphones, starting with Samsung S20 and S9 devices. [Forbes]
🇨🇦 Canadian privacy commissioners ruled controversial facial recognition firm Clearview AI violates the country's privacy laws by collecting faces of Canadians without their consent. “What Clearview does, is mass surveillance and it is illegal,” the authorities said, calling on the company to halt its practice. [CBC]
🛑 Facebook, Instagram, TikTok, and Twitter took steps to crack down on users involved in trafficking high value usernames across their platforms. Hundreds of accounts connected to members of the OGUsers forum were removed. [Brian Krebs / Motherboard]
📍 450 Android apps have a location tracker embedded in them, out of which 199 apps have been found to send granular user location data to X-Mode, a data broker known to sell location data to U.S. military contractors. These apps have been downloaded at least 1 billion times. [ExpressVPN / TechCrunch]
⚠️ Pulling off phishing attacks just got a little easier. A newly uncovered phishing kit, dubbed LogoKit, automatically pulls victims' company logos onto a phishing login page, making it possible for attackers to convincingly mimic company login pages and steal credentials, credit card numbers, and social security numbers. [RiskIQ]
🇷🇺 For a cybercriminal, the best country is Russia — that's according to a LockBit ransomware operator, who was interviewed by Cisco Talos cybersecurity team. [Cisco]
🚫 Google booted The Great Suspender off the Chrome Web Store for being malware. [The Hacker News]
💳 Installing web skimmers to swipe payment details on shopping websites isn't new. But in a new twist, threat actors have devised a custom script that siphons credit card details from an already existing fake form injected by previous attackers. [Malwarebytes]
💵 Ransomware gangs are abusing VMware ESXi exploits to encrypt virtual hard disks. The two flaws being exploited are CVE-2019-5544 and CVE-2020-3992. [ZDNet]
🇸🇸 The South Sudanese government obtained surveillance capabilities from an Israeli company named Verint Systems between at least 2015 and 2017 to wiretap citizens' communications. [Amnesty International]
🚨 A Barcode Scanner app with over 10 million installs from the Play Store turned rogue after an update in December 2020 began displaying ads promoting other, potentially malicious, Android apps. [Malwarebytes]
🌐 Facebook stopped generating link previews in Messenger and Instagram for E.U. users. The researchers said "it is an implicit confirmation that Facebook's handling of link previews in Messenger and Instagram did not conform to privacy regulations in Europe," hinting that "Facebook may be using this content for purposes other than generating previews." [Mysk]
📧 A new form of phishing attack has been found to use Morse code to hide malicious URLs in email attachments. [Bleeping Computer]
💬 Slack fixed a bug in its Android app that stored users' passwords in plaintext. In a similar move, Telegram resolved an issue in its macOS app that stored app passcodes in plaintext and media messages in secret chats long after they disappeared. [Android Police / The Hacker News]
🌍 A previously undocumented threat actor named XDSpy has been found targeting government entities, including militaries and Ministries of Foreign Affairs, as well as private companies, in Eastern Europe and the Balkans, installing backdoors on targeted systems since at least 2011. [ESET]
🗃 The past fortnight in data breaches, leaks, and ransomware: CD Projekt Red, Eletrobras, EscortReviews.com, Mutuelle Nationale des Hospitaliers, SitePoint, Spotify, Stormshield, UK Research and Innovation, USCellular, and Yandex.
$350 million
That’s the total amount of money ransomware gangs made in 2020, up 311% year-over-year, with the Ryuk strain as the year's top earner, followed by the now-defunct Maze.
According to a report by Chainalysis, the increase was driven by a “number of new strains taking in large sums from victims" and "a few pre-existing strains drastically increasing earnings."
But interestingly, average ransom payments appear to be declining, as more victims are realizing that giving in to cyber extortion when they are able to recover from backups is a bad idea. Based on an analysis from Coveware, average payments plunged by 34% to just over $154,000 during Q4 2020, while median payments also dropped 55% from $110,532 to $49,450 over the same period.
That’s it for now. See you all in a week. Stay safe!
-Ravie