Global Cyber News Digest

Daily News Digest

Stay current on the global cyber threat landscape and industry developments with CCOE’s daily digest and library of cybersecurity news and articles.

  • Third malware strain discovered in SolarWinds supply chain attack

    • Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.
    • Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.
    • The Sunspot malware was installed on SolarWinds' build server, a type of software used by developers to assemble smaller components into larger software applications.
    • CrowdStrike said Sunspot had one singular purpose — namely, to watch the build server for build commands that assembled Orion, one of SolarWinds' top products, an IT resources monitoring platform used by more than 33,000 customers across the globe.
    • Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
    • The SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity), and StellarParticle (CrowdStrike), but this designation is expected to change once companies learn more.
    • One last mystery remains: how did the SolarWinds hackers manage to breach the company's network in the first place and install the Sunspot malware? Was it an unpatched VPN, an email spear-phishing attack, or a server that was left exposed online with a guessable password?
    - Catalin Cimpanu | January 12, 2021
  • Millions of Social Profiles Leaked by Chinese Data-Scrapers

    • More than 400GB of public and private profile data for 214 million social-media users from around the world has been exposed to the internet – including details for celebrities and social-media influencers in the U.S. and elsewhere.
    • The leak stems from a misconfigured ElasticSearch database owned by Chinese social-media management company SocialArks, which contained personally identifiable information (PII) from users of Facebook, Instagram, LinkedIn and other platforms.
    • The affected server, hosted by Tencent, was segmented into indices in order to store data obtained from each social-media source, which allowed researchers to look into the data further.
    • The scraped profiles included 11,651,162 Instagram user profiles; 66,117,839 LinkedIn user profiles; 81,551,567 Facebook user profiles; and 55,300,000 Facebook profiles that were deleted within a few hours after the open server was discovered.
    - Tara Seals | January 11, 2021
  • Every Deleted Parler Post, Many With Users' Location Data, Has Been Archived

    • In the wake of the violent insurrection at the U.S. Capitol by scores of President Trump’s supporters, a lone researcher began an effort to catalogue the posts of social media users across Parler, a platform founded to provide conservative users a safe haven for uninhibited “free speech” — but which ultimately devolved into a hotbed of far-right conspiracy theories, unchecked racism, and death threats aimed at prominent politicians.
    • Hoping to create a lasting public record for future researchers to sift through, @donk_enby began by archiving the posts from that day. The scope of the project quickly broadened, however, as it became increasingly clear that Parler was on borrowed time. Apple and Google announced that Parler would be removed from their app stores because it had failed to properly moderate posts that encouraged violence and crime. The final nail in the coffin came Saturday when Amazon announced it was pulling Parler’s plug.
    • In a tweet early Sunday, @donk_enby said she was crawling some 1.1 million Parler video URLs. “These are the original, unprocessed, raw files as uploaded to Parler with all associated metadata,” she said. Included in this data tranche, now more than 56 terabytes in size, @donk_enby confirmed that the raw video files include GPS metadata pointing to exact locations of where the videos were taken.
    • The privacy implications are obvious, but the copious data may also serve as a fertile hunting ground for law enforcement.
    • Parler is unlikely to rebound quickly, if at all. Migrating a large product off AWS can take months of staging and possibly years to execute.
    - Dell Cameron | January 11, 2021
  • Ubiquiti says customer data may have been accessed in data breach

    • In a short email to customers on Monday, the tech company said it became aware of unauthorized access to its systems hosted by a third-party cloud provider. Ubiquiti didn’t name the cloud company, say when the breach happened, or say what caused the security incident.
    • “This data may include your name, email address, and the one-way encrypted password to your account,” said the email to customers. “The data may also include your address and phone number if you have provided that to us.”
    • Although the email says passwords are scrambled, the company says users should update their passwords and also enable two-factor authentication, which makes it harder for hackers to take the stolen passwords and use them to break into accounts.
    • The networking company quickly followed its email with a post on its community pages confirming that the email was authentic, after several complained that the email sent to customers included typos.
    - Zack Whittaker | January 11, 2021
  • Hackers Strike New Zealand's Central Bank

    • Bank Gov. Adrian Orr said in a prepared statement: "We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack. The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information."
    • Orr added: "The system has been secured and taken offline until we have completed our initial investigations. It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational."
    • The latest breach likely was the work of a nation-state, rather than a criminal ring, Auckland University computer science professor Dave Parry told Radio New Zealand, according to the AP.
    • “Ultimately if you were coming from a sort of like criminal perspective, the government agencies aren’t going to pay your ransom or whatever, so you’d be more interested probably coming in from a government-to-government level,” he reportedly said.
    | January 10, 2021
  • Your personal WhatsApp data will soon be shared with Facebook

    • WhatsApp users will soon have their data, such as their mobile number, shared with its parent company Facebook, the messaging service has said in a statement.
    • Those who do not agree to share this information with Facebook will have no choice but to delete their WhatsApp accounts, and switch to another messaging app, or stop using such services altogether.
    • “Safety, security and integrity are an integral part of our services,” added WhatsApp. “We use information we have to verify accounts and activity, combat harmful conduct, protect users against bad experiences and spam, and promote safety, security and integrity on and off our services, such as by investigating suspicious activity or violations of our terms and policies, and to ensure our services are being used legally."
    | January 10, 2021
  • New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys

    • Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.
    • But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.
    • The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim's account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections.
    • An actor would first have to steal the target's login and password for an account secured by the physical key, then stealthily gain access to the Titan Security Key in question, acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.
    • Although the security of a hardware security key isn't diminished by the above attack due to the limitations involved, a potential exploitation in the wild is not inconceivable.
    - Ravie Lakshmanan | January 8, 2021
  • Data Leak Hits Nissan North America

    • Nissan North America recently suffered a data leak when source code for its mobile apps and internal tools surfaced online after the company presumably misconfigured one of its Git servers.
    • “Nissan is not the first vehicle manufacturer to have data stolen via misconfiguration in Gitlab. Mercedes suffered the same embarrassment when source-code breach for ‘smart car’ components leaked data in May 2020. It could immediately appear that these are not severe leaks; after all, it’s proprietary data that is only useful with the specific brand and partners,” says Laurence Pitt, global security strategy director at Juniper Networks in an emailed statement. “However, the data is valuable - buyers and downloaders of this data will use it to reverse-engineer code, look for weak-spots in web-portals and find ways to hack into consoles; either to gain competitive advantages or for darker, more damaging reasons.”
    • In both cases, the data was left exposed on an unsecured internet-facing server - a simple Google dork search, which people may run continuously, will find them, explains Pitt. “We need to remember that Google indexes anything it can see and validate, and so unencrypted, non-passworded data is fair game,” he says. “Organisations need to take a proactive approach to their security to prevent this from happening. Start thinking the same way as the person looking to steal this information and remember that if you can see without logging in, then so can anyone.”
    • Manufacturers need to consider the following as foundational security that should be checked and run continuously:
      • Protect, and test protection, for private data areas using authentication, multi-factor-based systems, and IP restrictions.
      • Encrypt data at rest, and data in motion.
      • Why not run regular Google dork queries back against systems just in case something shows up?
      • If something shows up, ask Google to remove it with their search console.
      • Make sure that sensitive data cannot be indexed using a robots.txt file (this will prevent Google, but not every search engine)
    Week - Peter Fretty | January 6, 2021
  • NSA Urges SysAdmins to Replace Obsolete TLS Protocols

    • The National Security Agency (NSA) is lighting a fire under system administrators who are dragging their feet to replace insecure and outdated Transport Layer Security (TLS) protocol instances.
    • The agency this week released new guidance and tools to equip companies to update from obsolete older versions of TLS (TLS 1.0 and TLS 1.1) to newer versions of the protocol (TLS 1.2 or TLS 1.3).
    • TLS (as well as its precursor, Secure Sockets Layer, or SSL) was developed as a protocol aimed to provide a private, secure channel between servers and clients to communicate. However, various new attacks against TLS and the algorithms it uses have been revealed – from Heartbleed to POODLE – rendering the older versions of the protocol insecure.
    • “The standards and most products have been updated, but implementations often have not kept up,” said the NSA in its guidance this week. “Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries. As a result, all systems should avoid using obsolete configurations for TLS and SSL protocols.”
    • According to Cloudflare - “both TLS 1.0 and TLS 1.1 are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic.”
    - Lindsey O'Donnell | January 6, 2021
  • SolarWinds hack: Amid hardened security, attackers seek softer targets

    • Reported theories by SolarWinds hack investigators that federal agencies and private companies were too busy focusing on election security to recognize vulnerabilities tied to the software supply chain are unfair and misleading, say cybersecurity experts who used to work in government.
    • “This is an ‘apples and oranges’ comparison,” added Rosa Smothers, senior vice president of cyber operations at security awareness company KnowBe4, and a former CIA technical intelligence officer. “The role of managing an IT network is an entirely different role than monitoring our adversaries’ offensive cyber operations. In other words, those charged with monitoring Russia’s ops aren’t the same people implementing SolarWinds products on government networks.”
    • John Caruthers similarly objected to the accusation. “Since 2016, the U.S. intelligence community has established election task forces, staffed with dedicated personnel, across the country to specifically address and investigate election fraud,” he said. “All the while, teams of investigators and analysts have continued working their respective threats, to include those emanating from Russia and other nation states. I can’t speak on behalf of our private-sector partners but, based on experience, can confidently assume they were and are working diligently to identify threats from all sources.”
    • “There are a range of potential adversaries working against admins – nation states, hackers, criminal competitors – all with varying degrees of skill,” said Caruthers, business information security officer at Evotek and a former supervisory special agent at the FBI. “Without addressing all components, the bad guys will find your network’s Achilles heel.”
    - Bradley Barth | January 6, 2021