SolarWinds triggers a cyber storm
Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.
Earlier this week, several large US government agencies – including the Departments of Homeland Security, Commerce, Treasury, and State – discovered that their digital systems had been breached by hackers in what quickly emerged as a sophisticated supply chain attack.
Such attacks often work by first compromising a third-party vendor with a connection to the actual target.
Infiltrating a third-party vendor that has access to their customers’ networks also greatly increases the scale of an attack, as a successful break-in allows access to all of the companies that depend on it and leaves them all vulnerable at the same time.
In this case, the attackers compromised SolarWinds, a Texas-based IT infrastructure provider, and injected malicious code into its monitoring tool, which was then propagated as software updates to nearly 18,000 of its customers.
SolarWinds counts several US federal agencies and Fortune 500 companies among its customers.
Cybersecurity firm FireEye, itself a victim of the same attack, called it a meticulously planned espionage campaign that may have been running since at least March 2020.
Although there is no concrete evidence tying the attacks to any particular threat actor, several media reports have attributed the intrusion to APT29 (also known as Cozy Bear), a hacking group affiliated with Russia’s foreign intelligence service.
It may take months to fully understand the breadth and depth of the hack, but the SolarWinds incident again shows the dire consequences of a supply chain compromise.
Of course, supply chain attacks have happened before. What is striking here is how little has been done since to prevent them from happening again.
What’s hot in security?
Signal added support for encrypted group calls, the Zodiac Killer cipher was cracked after 51 long years, and a former Cisco engineer was sentenced to 24 months in prison for deleting 16,000 Webex accounts without permission.
- The Zodiac Killer Cipher was cracked after 51 years. “It was an exciting project to work on and it had a lot of people’s ‘best unsolved ciphers ever’,” said Dave Oranchak, one of the three men who cracked the encrypted message. [Ars Technica]
- Hackers are getting creative with web skimmers, which are designed to steal payment information from users when they visit a compromised shopping website. Researchers found criminal gangs experimenting with hiding the malicious code in CSS style sheets and social media buttons. [ZDNet]
- GitHub found that vulnerabilities in open source projects often go undetected for more than four years before they are exposed. In addition, 17% of all software vulnerabilities are intentionally planted for malicious purposes. Open source is not always safe. [GitHub]
- Apple and Cloudflare have joined forces in a new initiative called Oblivious DNS-over-HTTPS (ODoH), which hides the websites you visit from your ISP. [Ars Technica / Gizmodo]
- Former Cisco engineer Sudhish Kasaba Ramesh, 31, was sentenced to 24 months in prison for deleting 16,000 Webex accounts without authorization. This cost the company more than $2.4 million, including $1,400,000 in employee time and $1,000,000 in customer refunds. [ZDNet]
- Secure messaging app Signal added support for encrypted group video calls with up to five people. [Signal]
- A German court has forced the encrypted email provider Tutanota to set up a back door that can be used to monitor a person’s inbox in connection with a blackmail case. [CyberScoop]
- A few weeks ago, we learned that the company behind the X-Mode SDK had been selling customer location data to government contractors. Now Forbes’ Thomas Brewster has reported how surveillance providers like Rayzone and Bsightful are pulling location data from smartphones using tools that serve mobile ads in third-party apps. [Forbes]
- Members of an Arabic-speaking hacking group known as MoleRATs used mainstream technology services like Facebook and Dropbox to hide their malicious activities and exfiltrate data from targets across the Middle East. [Cybereason]
- Critical flaws discovered in dozens of GE Healthcare’s radiology devices could allow an attacker to access sensitive personal health information, modify data, and even compromise the availability of the devices. Worse, these devices are secured with hard-coded default passwords that can be used to access confidential patient scans. [CyberMDX]
- Apple, Google, Microsoft and Mozilla banned a digital certificate used by the Kazakh government to intercept and decrypt HTTPS traffic after the country asked citizens in its capital Nur-Sultan to install the certificate on their devices to access foreign internet services as part of a cybersecurity exercise. [ZDNet]
- The last 14 days of data breaches, leaks and ransomware: European Medicines Agency, Foxconn, Intel’s Habana Labs, Kmart, helicopter, Netgain, Edge position, Spotify, Vancouver’s TransLink, UiPath, 45 million X-ray and other medical scan images, as well as personal information from 243 million Brazilian citizens.
According to the latest statistics from the National Vulnerability Database, a record number of bugs was reported in 2020: 17,537 were recorded during the year, a slight increase from 17,306 in 2019.
Over the past 12 months, 4,177 high-severity vulnerabilities, 10,767 medium-severity vulnerabilities, and 2,593 low-severity vulnerabilities have been reported. 17,306 bugs were published in 2019: 4,337 high severity vulnerabilities, 10,956 medium severity vulnerabilities, and 2,013 low severity vulnerabilities.
That’s it. I’ll see you all in two weeks. Stay safe!
Delighted x TNW (enthusiastic[at]the next web[dot]With)