Submission + - US Offers $10 Million Bounty for DarkSide Ransomware Operators (securityweek.com)

wiredmikey writes: The U.S. government wants to find the people responsible for the Colonial Pipeline ransomware attack (and many others) and it’s putting up multi-million rewards for data on the operators behind the DarkSide extortion campaign.

The Department of State on Thursday offered up to $10 million for information leading to the identification or location of senior members of the DarkSide gang that caused major gas disruptions earlier this year. (more)

Submission + - Russia Detains CEO of Cybersecurity Firm Group-IB on Treason Charges (securityweek.com)

wiredmikey writes: Russia on Wednesday detained the CEO of Group-IB, one of the country's leading cybersecurity firms on charges of treason, in a move that targets a company collaborating with the West on stemming cyberattacks.

Founded in 2003, the Group-IB group specializes in the detection and prevention of cyberattacks and works with Interpol and several other global institutions.

A Moscow court ordered the group's 35-year-old co-founder and CEO, Ilya Sachkov, to be held in pre-trial custody for two months on treason charges, the court's press service said, but did not provide details of the charges.

Group-IB said Wednesday that its Moscow headquarters had been searched the previous morning.

Submission + - DeadRinger: Chinese Military Hackers Hit Major Telcos (securityweek.com)

wiredmikey writes: Researchers have discovered three separate Chinese military affiliated advanced threat groups simultaneously targeting and compromising the same Southeast Asian telcos. The attack groups concerned are Soft Cell, Naikon, and a third group, possibly Emissary Panda (also known as APT27).

Cybereason released details of a triple-pronged attack by Chinese military-affiliated groups against cellular network providers in southeast Asia. Disturbingly, Yonatan Striem-Amit, CTO and co-founder of Cybereason, told SecurityWeek, “We discovered and have evidence that Chinese advanced groups have been using the Hafnium zero-days since at least 2017.” Cellular networks are a prime target for nation states because they provide an excellent steppingstone to many other types of attack and different targets. “At this point,” said Striem-Amit, “the attacks seem to be a stepping point for a major espionage campaign. We all carry a device in our pocket that knows where we are, where we have been, and who we are with.”

Submission + - U.S., Allies Officially Accuse China of Microsoft Exchange Attacks (securityweek.com)

wiredmikey writes: The United States and several of its allies have officially attributed the Microsoft Exchange server attacks disclosed in early March to hackers affiliated with the Chinese government.

The White House has also attributed — “with a high degree of confidence” — the initial Microsoft Exchange attacks to hackers affiliated with China’s Ministry of State Security (MSS). The NSA, FBI and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday released an advisory detailing more than 50 tactics, techniques and procedures (TTPs) used by Chinese state-sponsored threat actors in their attacks.

Submission + - New Law Helps Chinese Government Stockpile Zero-Days (securityweek.com)

wiredmikey writes: Starting on September 1, 2021, the Chinese government will require any Chinese citizen who finds a zero-day vulnerability to pass the details to the Chinese government and to not sell or give the knowledge to any third party outside of China. Under the new rule, Chinese APTs are likely to acquire a greater stockpile of zero-days than they already have.

The most obvious assumption of the new law is that Chinese found zero-days will be funneled into the Chinese APT groups, and will not be made available for purchase by the NSA or Russian state actors.

Submission + - Poisoned Installers Found in SolarWinds Hackers Toolkit (securityweek.com)

wiredmikey writes: The ongoing multi-vendor investigations into the SolarWinds mega-hack took another twist this week with the discovery of new malware artifacts that could be used in future supply chain attacks. According to a new report, the latest wave of attacks being attributed to APT29/Nobelium threat actor includes a custom downloader that is part of a “poisoned update installer” for electronic keys used by the Ukrainian government. SentinelOne principal threat researcher Juan Andrés Guerrero-Saade documented the latest finding in a blog post that advances previous investigations from Microsoft and Volexity. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade said.

Submission + - SolarWinds Hackers Impersonating U.S. Gov Agency in New Attacks (securityweek.com)

wiredmikey writes: The Russia-linked threat group believed to be behind the SolarWinds attack has been observed launching a new cyberattack campaign this week. The attacks have targeted the United States and other countries, and involve a legitimate mass mailing service and impersonation of a government agency.

The latest attacks were analyzed by Microsoft, which tracks the threat actor as Nobelium, and by incident response firm Volexity, which has found some links to APT29, a notorious cyberspy group previously linked to Russia.

Targeted organizations include government agencies, think tanks, NGOs, and consultants. Microsoft said at least a quarter of the targets are involved in human rights and international development work. Both Microsoft and Volexity have made available indicators of compromise (IoC) that organizations can use to detect attacks.

Submission + - Tech Audit of Colonial Pipeline Found 'Glaring' Problems (securityweek.com)

wiredmikey writes: An outside audit three years ago of the Colonial Pipeline found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author said. “We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

Colonial said it initiated the restart of pipeline operations on Wednesday afternoon and that it would take several days for supply delivery to return to normal.

Submission + - Cyberattack Forces Shutdown of Major U.S. Pipeline (securityweek.com)

wiredmikey writes: A cyberattack has forced an operational shutdown of the Colonial Pipeline, the largest refined products pipeline in the United States. The Colonial Pipeline Company said late Friday that it was the victim of a cyberattack, prompting the company to proactively take certain systems offline and temporarily halt all pipeline operations. The company said the attack had impacted some of its IT systems, but did not say if any of its operational technology (OT) systems were directly impacted. It's unclear if the incident involved ransomware, or was another form of malware or breach. The Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily through a pipeline system that spans more than 5,500 miles.

Submission + - Tesla Car Hacked Remotely From Drone (securityweek.com)

wiredmikey writes: Security researchers have shown how a Tesla — and possibly other cars — can be hacked remotely without any user interaction from a drone. This was the result of research conducted last year by Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris. A hacker who exploits the vulnerabilities can perform any task that a regular user could from the infotainment system. That includes opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. They showed how an attacker could use a drone to launch an attack via Wi-Fi to hack a parked car and open its doors from a distance of up to 100 meters (roughly 300 feet). They claimed the exploit worked against Tesla S, 3, X and Y models.

Submission + - Google Chrome Hit in Another Mysterious Zero-Day Attack (securityweek.com)

wiredmikey writes: Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks. This is the fourth in-the-wild Chrome zero-day discovered so far in 2021, and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts. “Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” the company said, with no additional details.

Submission + - Codecov Bash Uploader Compromised in Supply Chain Hack (securityweek.com)

wiredmikey writes: Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

“This is a significant compromise. [We are now] working to figure out blast radius, given that this was exfiltrating credentials for several months,” a Silicon Valley security response professional told SecurityWeek.

The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said. Codecov is considered the vendor of choice for measuring code coverage in the tech industry. The company’s tools help developers understand and measure the lines of code executed by a test suite and are widely deployed in big tech development pipelines.

Submission + - Cyberattack Forces Brewery Shutdown at Molson Coors (securityweek.com)

wiredmikey writes: Incident responders at Molson Coors are not living the high life today, as they scramble to recover from a cyberattack that impacted brewery operations, production, and shipments. The iconic beer maker did not provide technical details, but said it was “actively managing” the incident and working around the clock to get its systems back up as quickly as possible. The company produces several iconic beer brands including Coors Light, Miller Lite, Molson Canadian, Carling, Coors Banquet, Blue Moon and others.

Submission + - Microsoft Warns of Exchange Server Zero-Days Under Attack (securityweek.com)

wiredmikey writes: Microsoft late Tuesday raised the alarm after discovering Chinese cyber-espionage operators chaining multiple zero-day exploits to siphon e-mail data from corporate Microsoft Exchange servers.

Redmond's warning includes the release of emergency out-of-band patches for four distinct zero-day vulnerabilities that formed part of the threat actor's arsenal. Microsoft pinned the blame on a sophisticated Chinese APT operator called HAFNIUM that operates from leased VPS (virtual private servers) in the United States.

HAFNIUM primarily targets entities in the U.S. across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Submission + - Russian Hackers Hit French IT Monitoring Vendor Centreon (securityweek.com)

wiredmikey writes: France's national cybersecurity agency is publicly blaming the Russia-linked Sandworm APT group for a string of long-term intrusions at European software and web hosting organizations. According to the French National Agency for the Security of Information Systems (ANSSI), the data breaches date back to 2017 and include the eyebrow-raising compromise of Centreon, an IT monitoring software provider widely embedded throughout government organizations in France. A technical report showed the attacks targeted Linux servers running the CentOS operating system.
