By the CyberWire staff
Suspected Chinese hackers exploited separate SolarWinds flaw.
Reuters reports that the FBI’s investigation of the SolarWinds supply chain attack is looking into evidence that Chinese threat actors successfully exploited a vulnerability in the company’s software to compromise the National Finance Center (NFC), a payroll system operated by the US Department of Agriculture. The flaw exploited in this case is different from the one used by suspected Russian actors to compromise SolarWinds’ Orion software, although the exploitation took place within the same timeframe and also involved Orion. Reuters cites anonymous sources to the effect that “the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.”
SolarWinds told Reuters that it was aware of a single case involving a second group of hackers, but that the hackers abused the company’s software only after they’d gained access to the network; the company said the attackers had initially gained access “in a way that was unrelated to SolarWinds.” Likewise, Reuters’ sources said the suspected Chinese hackers used the exploit to move laterally within networks they had already compromised.
Nextgov reports that the US Department of Agriculture is investigating, but has so far found no indication of such a breach. A USDA spokesperson told the publication, “In compliance with CISA’s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise. While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center.”
Acting US CISA Director Brandon Wales told a meeting of the National Association of Secretaries of State that the agency has found no evidence that SolarWinds vulnerabilities were exploited against election systems, Reuters’ Chris Bing tweeted.
Trustwave has identified three additional vulnerabilities in SolarWinds products, one of which can lead to remote code execution with elevated privileges. Trustwave stated, “To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any ‘in the wild’ attacks. However, given the criticality of these issues, we recommend that affected users patch as soon as possible. We have purposely left out specific Proof of Concept (PoC) code in this post in order to give SolarWinds users a longer margin to patch but we will post an update to this blog that includes the PoC code on Feb. 9.”
See how budget-constrained security teams prevent ransomware in cost-effective ways.
Ransomware groups seek to make more money by expanding their attacks to a broader landscape of targets. This often means hospitals, schools, and local governments, who are the most resource-constrained segments of our societal infrastructure and the ones least able to accept downtime. Watch Morphisec’s on-demand webinar to see how businesses with limited resources are protecting themselves against this growing threat.
Internet jamming in Myanmar and India.
The Internet has gone down throughout much of Myanmar, CyberScoop reports. The reasons for the outage are unclear, but the overwhelming likelihood is that it is a deliberate takedown by the military junta installed in a coup d’état over the weekend. Internet usage dropped by a good seventy-five percent Sunday, according to observations tweeted by NetBlocks, an NGO that operates an Internet observatory. NetBlocks says, “The pattern of disruption indicates centrally issued telecoms blackout order.” Internet jamming has become a familiar feature of the contemporary style of coup d’état. It’s what seizing the newspapers would have been in 1850, what taking over the radio station would have been in the 1930s.
India’s government has also jammed online platforms, especially locally, in the vicinity of New Delhi, CNN reports, as farmers clashed with police during protests over controversial proposed agricultural policies. The government also ordered Twitter to block certain high-profile accounts that were involved in tweeting about the protests and the conflicts between farmers and police. Twitter complied, but a few days later unblocked the accounts. That drew a warning from the Indian government, TechCrunch reports.
For more, see the CyberWire Pro Disinformation Briefing.
Spyware in South Sudan.
Amnesty International says South Sudan’s National Security Service (NSS) bought communications intercept tools from the Israeli branch of spyware vendor Verint Systems between 2015 and 2017. Amnesty International stated, “The NSS can likely only conduct communications surveillance with the collaboration of telecommunication service providers. A former employee of Vivacell, a telecommunications company that operated in South Sudan until March 2018, told Amnesty International that the NSS has direct access to all telecommunication service providers in the country through surveillance technology procured in Israel that, they believed, could be classified as dual use.”
The organization added, “The ex-Vivacell employee said that the South Sudanese government required all telecommunication companies operational in South Sudan to pay Verint Systems Ltd, the Israeli subsidiary of US Verint Systems Inc. for this equipment and annual service provision. Amnesty International wrote to all the companies regarding the findings and only received a response from MTN Group, which stated that South Sudanese authorities and laws require telecommunications companies ‘to cater for legal interception’ and explaining that MTN does not operate the system.”
Empower your modern security operations center.
Red Canary is your security ally offering security operations teams detection and response capabilities to maintain visibility of and protect all the critical areas of their environment—endpoints, network, and cloud. Red Canary is relentless in their mission to improve security for the entire community and committed to sharing open-source tools and educational content. See what it’s like to have a partner in the fight today.
Supply chain attack compromises Android emulator.
Researchers at ESET have uncovered a cyberespionage-focused supply chain attack that compromised the update mechanism of NoxPlayer, an Android emulator with more than 150 million users. The emulator is primarily used to play mobile games on PCs and Macs. The researchers say the campaign is focused on stealing information and there’s no evidence the attackers are interested in financial gain. ESET adds that the operation is “particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers.” ESET first noticed the activity in September 2020, and the campaign is currently ongoing.
The operation is extremely targeted so far, with the attackers manually selecting their victims. Over 100,000 of ESET’s customers have NoxPlayer installed on their computers, but only five of these were selected to receive the malicious update. The five victims were located in Taiwan, Hong Kong, and Sri Lanka.
ESET notes, “We spotted similarities in loaders we have been monitoring in the past with some of the ones used in this operation, such as instances we discovered in a Myanmar presidential office website supply-chain compromise in 2018, and in early 2020 in an intrusion into a Hong Kong university.” In the most recent cases, the loaders delivered the PoisonIvy remote access Trojan.
BigNox initially denied being affected, but the company told us on Wednesday that they’d reached an agreement with ESET to address the issue. They intend to cooperate in investigating the incident and will provide further information as it becomes available. ESET has published the following update to their post:
“Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:
- “use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
- “implement file integrity verification using MD5 hashing and file signature checks
- “adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information
“BigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.”
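The remediation BigNox describes, signed-manifest verification of update files, as an added illustration (not BigNox’s or ESET’s code): the server digests each release file into a manifest and signs it, and the client checks the signature with a pinned vendor key before trusting any digest, so a hijacked update path can neither substitute a file nor edit the manifest to bless one. The file names, the ad hoc key pair, and the use of Ed25519 with SHA-256 (rather than the MD5 hashing BigNox mentions) are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// canonical serializes a manifest deterministically so signer and verifier hash the same bytes.
func canonical(m map[string][32]byte) []byte {
	lines := make([]string, 0, len(m))
	for n, d := range m {
		lines = append(lines, n+"\x00"+string(d[:])+"\n") // names assumed to be plain file names
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, ""))
}

// BuildManifest is the server side: record the SHA-256 digest of every file in the release.
func BuildManifest(files map[string][]byte) map[string][32]byte {
	m := map[string][32]byte{}
	for name, data := range files {
		m[name] = sha256.Sum256(data)
	}
	return m
}

// VerifyUpdate is the client side: check the manifest signature with the pinned vendor key
// first, then every downloaded file against the manifest; any mismatch rejects the update.
func VerifyUpdate(pub ed25519.PublicKey, m map[string][32]byte, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return fmt.Errorf("manifest signature invalid: refusing update")
	}
	if len(files) != len(m) {
		return fmt.Errorf("file set does not match manifest: refusing update")
	}
	for name, data := range files {
		if want, ok := m[name]; !ok || sha256.Sum256(data) != want {
			return fmt.Errorf("file %q not in manifest or altered: refusing update", name)
		}
	}
	return nil
}

func main() {
	// Constructed demo with an ad hoc key pair; a real client pins the vendor's public key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	files := map[string][]byte{"player.exe": []byte("benign"), "update.dll": []byte("benign")}
	m := BuildManifest(files)
	sig := ed25519.Sign(priv, canonical(m))
	fmt.Println("clean release:", VerifyUpdate(pub, m, sig, files))
	files["update.dll"] = []byte("substituted") // what a hijacked update path would deliver
	fmt.Println("tampered release:", VerifyUpdate(pub, m, sig, files))
}
```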
For more, see the CyberWire Pro Research Briefing.
Want to get your message to leaders in cyber?
Security leaders across the globe trust the CyberWire and depend on us every day to deliver the news and analysis they need to do their jobs. That’s also why so many top security companies and hot startups trust us to help get the word out about their brand and fill their sales funnels. We have lots of great sponsorship opportunities that can help you get the word out too. Learn more at thecyberwire.com/sponsorship.
Looking at criminal infrastructure-as-a-service.
Microsoft has been tracking emails sent by criminal infrastructure dubbed “StrangeU” and “RandomU,” which the company says is “robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive.” The infrastructure has apparently filled the vacuum in the criminal infrastructure-as-a-service market created by the disruption of the Necurs botnet in March 2020.
The infrastructure has been used by various criminal threat actors to distribute more than a million malware-laden emails per month. These campaigns had a significant focus on entities in the US, Australia, and the UK, and targeted the wholesale distribution, financial services, and healthcare sectors.
One of Microsoft’s conclusions from the research is that “[m]alware services rely on proxy providers to make tracking and attribution difficult, but the proxies themselves can provide insights into upcoming campaigns and improve our ability to proactively protect against them.”
Calls for IoT regulation.
ReFirm Labs has published research from colleagues at Florida Tech. Dr. TJ O’Connor and graduate student Daniel Campos uncovered four vulnerabilities affecting Merkury/Geeni smart home cameras and doorbells. The vulnerabilities are as follows:
- CVE-2020-28998: Remote telnet with static credentials on GNC-CW013 Doorbell (Firmware Version 1.8.1)
- CVE-2020-28999: Undocumented account with static credentials on GNC-CW013 Doorbell Streaming Video Application (Firmware Version 1.8.1)
- CVE-2020-29000: Ability to remotely shovel a telnet session by hijacking RTSP service on Geeni GNC-CW013 (Firmware Version 1.8.1)
- CVE-2020-29001: Remote command execution through the RESTful API to enable telnet service and arbitrary file read (Firmware Versions 2.7.2, 2.9.5, 2.9.6)
ReFirm argues that this demonstrates the need for regulation requiring “cybersecurity certification labels” for IoT devices, which would “allow consumers to make good purchasing decisions when it comes to cybersecurity, and force vendors to adopt secure development practices.” The security company concludes, “Just as you expect products you buy from name brand stores won’t catch on fire and burn down your house, consumers should demand that those same products won’t spy on them.”
For more, see the CyberWire Pro Privacy Briefing.
Students and members of the military, don’t be left out of CyberWire Pro! We’ve got you!
Due to your student or military status (active or reserve military status), you are able to subscribe to CyberWire Pro or CyberWire Pro+ at a significant discount. That means you can unlock access to our focus briefings, exclusive podcasts, quarterly analyst calls, premium articles and much more. To learn more, visit here and click on the Contact Us button in the Academic or Government & Military box.
Mergers and acquisitions.
Peraton, a Veritas Capital portfolio company formed from the government IT business of Harris Corporation, is acquiring Virginia-based defense contractor Perspecta for $7.1 billion. Perspecta says “[t]he combination will create a leading government technology provider that delivers end-to-end capabilities in IT and mission support and serves as the strategic partner of choice across a diverse array of U.S. government customers.” Veritas is also acquiring Northrop Grumman’s Federal IT and mission support business for $3.4 billion and merging it with Peraton. Washington Technology notes that “[a] combined Perspecta-Peraton-Northrop IT entity would have between $7.5 billion and $8 billion in annual revenue.”
Eden Prairie, Minnesota-based IT management software provider HelpSystems has acquired San Antonio, Texas-headquartered Digital Defense, a company whose platform provides “penetration testing, employee training, cybersecurity defense, enterprise risk assessment, and physical security testing.” HelpSystems stated, “As part of HelpSystems’ cybersecurity portfolio, Digital Defense joins Core Security and Cobalt Strike to establish a comprehensive, best-in-class security assessment toolkit.”
HelpSystems also acquired FileCatalyst, an enterprise file transfer acceleration provider based in Ottawa, Canada. HelpSystems CEO Kate Bolseth stated, “Our customers and partners have expressed a growing need to move significant volumes of data more quickly than ever before, and FileCatalyst addresses this problem effectively for many well-known organizations. FileCatalyst is an excellent addition to our managed file transfer and robotic process automation offerings, and we are pleased to bring the FileCatalyst team and their strong file acceleration knowledge into the global HelpSystems family.”
Boston-based security data and analytics company Rapid7 has acquired Israeli Kubernetes security startup Alcide for approximately $50 million, Geektime reports. Rapid7’s Senior Vice President of Cloud Security Brian Johnson stated, “By bringing together Alcide’s [cloud workload protection platform] capabilities with our existing posture management (CSPM) and infrastructure entitlements (CIEM) capabilities, we will be able to provide our customers with a cloud-native security platform that enables them to manage risk and compliance across their entire cloud environment.”
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
SonicWall urges its customers to patch against CVE-2021-20016, a critical SQL injection vulnerability discovered by NCC Group that can allow a remote attacker to access credentials for SMA 100 devices. NCC Group tweeted that it’s seen “indication of indiscriminate use of an exploit in the wild.” SonicWall stated, “All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation.”
Crime and punishment.
KrebsOnSecurity also says the major criminal marketplace ValidCC has shut down. One of the operators of the criminal shop stated that ValidCC’s servers had been seized by law enforcement, although many of the shop’s customers are wondering if the operators simply decided to take their Bitcoin and run. A ValidCC spokesperson acknowledged the suspicious optics, stating, “We don’t know users’ balances, or your account logins or passwords, or the [credit cards] you purchased, or anything else! You are free to think what you want, but our team has never conned or let anyone down since the beginning of our operations! Nobody would abandon a dairy cow and let it die in the field! We did not take this decision lightly!” Krebs notes that, so far, no law enforcement agency has publicly acknowledged targeting ValidCC’s infrastructure.
Courts and torts.
Four Canadian regulatory agencies have concluded that facial recognition company Clearview AI violated privacy laws by scraping millions of Canadians’ photos from the Internet, the Wall Street Journal reports. The regulators said the company gathered “highly sensitive biometric information without the knowledge or consent of individuals.” Clearview says its services are no longer being offered in Canada and that it will erase Canadian citizens’ data upon request. The Journal notes that the regulators “acknowledged having limited enforcement powers in penalizing the New York-based company and others like it.”
Policies, procurements, and agency equities.
Alejandro Mayorkas was sworn in on Tuesday as US Secretary of Homeland Security. As CyberScoop and others have observed, Mayorkas arrives with a reputation for interest in cybersecurity, which he acquired during an earlier stint at DHS during the Obama Administration.
The Cyberspace Solarium Commission has produced a Transition Book for the new US Administration. They recommend three steps for immediate action:
- “Establish the Office of the National Cyber Director,
- “Develop and promulgate a National Cyber Strategy, and
- “Improve the coherence and impact of existing government cybersecurity efforts and further strengthen partnerships with the private sector.”
The Commission also endorses the US Department of Defense’s strategy of “defend forward:”
“The new National Cyber Strategy should articulate a framework for successfully disrupting and deterring our adversaries from ever undertaking significant cyberattacks through layered cyber deterrence and should set forth ways and means of (1) shaping adversary behavior, (2) denying adversaries benefits, and (3) imposing costs on adversaries. While deterrence is an enduring American strategy, there are two factors that make layered cyber deterrence bold and distinct. First, the approach prioritizes deterrence by denial, specifically by increasing the defense and security of cyberspace through resilience and public- and private-sector collaboration, reducing the vulnerabilities adversaries can target. Second, the strategy incorporates the concept of ‘defend forward’ discussed above.”
The Biden Administration’s nominee for Deputy Defense Secretary, Kathleen Hicks, supports defending forward, but would like clarity on the who, what, where, and how, according to Defense News. At her confirmation hearing, she wondered about “how the authorities are being executed, what kind of oversight is involved, how we are consulting with allies and partners, [and] whose systems we might operate on.”
For more, see the CyberWire Pro Policy Briefing.