"Hewlett Packard disclosed Wednesday that suspected state-backed Russian hackers broke into its cloud-based email system and stole data from cybersecurity and other employees.
"It said it believed the hackers were from Cozy Bear, a unit of Russia’s SVR foreign intelligence service.
"Microsoft reported last week that it also discovered an intrusion of its corporate network on Jan. 12.
📢 The #Nobelium hackers behind the #SolarWinds breach are back and have successfully breached the emails of top individuals and employees at Microsoft.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #44/2023 is out! It includes the following and much more:
➝ 🔓 #Okta hit by another #breach, this one stealing employee data from 3rd-party vendor
➝ 🔓 💸 #LastPass breach linked to theft of $4.4 million in crypto
➝ 🇮🇳 #India's Biggest Data Leak So Far? Covid-19 Test Info of 81.5Cr Citizens With ICMR Up for Sale
➝ 🔓 ✈️ #Lockbit ransomware group claims to have hacked #Boeing
➝ 🇳🇱 ⚖️ Dutch hacker jailed for extortion, selling stolen data on RaidForums
➝ 🇷🇺 🇺🇸 Russian Reshipping Service ‘SWAT USA Drop’ Exposed
➝ 🇮🇷 🦠 Iranian Cyber Spies Use ‘#LionTail’ Malware in Latest Attacks
➝ 📉 Security researchers observed ‘deliberate’ takedown of notorious #Mozi#botnet
➝ 🇮🇳 📱 Apple warns Indian opposition leaders of state-sponsored #iPhone attacks
➝ 🌍 Four dozen countries declare they won’t pay #ransomware ransoms
➝ 🇷🇺 How #Kopeechka, an Automated Social Media Accounts Creation Service, Can Facilitate #Cybercrime
➝ 🇪🇺 EU digital ID reforms should be ‘actively resisted’, say experts
➝ 🇷🇺 🇺🇦 #FSB arrests Russian hackers working for Ukrainian cyber forces
➝ 🇺🇸 FTC orders non-bank financial firms to report breaches in 30 days
➝ 🇨🇦 📱 #Canada Bans #WeChat and #Kaspersky Apps On Government Devices
➝ 🇺🇸 #SEC Charges #SolarWinds and Its #CISO With Fraud and Cybersecurity Failures
➝ 🇺🇸 🤖 #Biden Wants to Move Fast on AI Safeguards and Will Sign an Executive Order to Address His Concerns
➝ 🦠 📱 #Avast confirms it tagged Google app as #malware on Android phones
➝ 🦠 🇰🇵 North Korean Hackers Targeting Crypto Experts with #KANDYKORN#macOS Malware
➝ 👥 💸 EleKtra-Leak #Cryptojacking Attacks Exploit #AWS IAM Credentials Exposed on #GitHub
➝ 🦠 🐍 Trojanized #PyCharm Software Version Delivered via #Google Search Ads
➝ ✅ 🤖 #GooglePlay adds security audit badges for Android #VPN apps
➝ 🔐 Microsoft pledges to bolster security as part of ‘Secure Future’ initiative
➝ 🆕 FIRST Releases #CVSS 4.0 Vuln Scoring Standard
➝ 🆕 #MITRE Releases ATT&CK v14 With Improvements to Detections, ICS, Mobile
➝ ⛔️ 🦠 #Samsung Galaxy gets new Auto Blocker anti-malware feature
➝ 🍏 🔐 #Apple Improves #iMessage Security With Contact Key Verification
➝ 🔓 Researchers Find 34 #Windows Drivers Vulnerable to Full Device Takeover
➝ 🔓 🪶 3,000 #Apache#ActiveMQ servers vulnerable to RCE attacks exposed online
➝ 🗣️ #Atlassian CISO Urges Quick Action to Protect #Confluence Instances From Critical #Vulnerability
➝ 🔓 🩸 “This vulnerability is now under mass exploitation.” #CitrixBleed bug bites hard
➝ 🐛 💰 HackerOne paid ethical hackers over $300 million in #bugbounties
📚 This week's recommended reading is: "Permanent Record" by Edward Snowden
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
I'm seeing a lot of posts about the SEC's decision to charge both SolarWinds and their current CISO, (who was Vice President of Security and Architecture at the time) with fraud and internal control failures relating to allegedly known cyber security risks and vulnerabilities, and I'd highly recommend people read the full complaint from the SEC.
This wasn't just a case of a senior security professional being ignored by leadership during the period, this appears to be a considered purposeful approach from the organisation and the individual to downplay or ignore known issues in both their regulatory filings (13 of them during the relevant period) and repeated blog posts, press releases and podcasts where both the company and the CISO made repeated statements including how the Company “places a premium on the security of its products and makes sure everything is backed by sound security processes, procedures, and standards.” all the while knowing about the most fundamental of security failings including default passwords and the ability for un-managed devices to connect to the VPN.
SolarWinds also fell down in their risk management approach, using Risk Acceptance Forms to avoid fixing issues, with one form asking to “accept[] the risk of legacy issues in the Orion Platform” because “[t]he volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve.”
On top of this, arguably worse was to come when after multiple customers had been breached and the evidence was strongly suggesting one of their products was involved an employee falsely informed a firm they hadn't seen any previous activity even whilst messaging a colleague “Well I just lied.”
Finally, even when SolarWinds did report on the breach through their K-8 filing (required when there has been a major event that shareholders should know about) they claimed it was still being investigated “whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems.” when they knew the vulnerability had been exploited on at least three previous occasions.
A lot of focus will rightly be on the statements made within the regulatory filings, but I think it also brings into focus the typically bland statements organisations make on their websites about "how seriously they take security". The SEC's contention is that as the period in question (October 2018 to January 2021) coincided with the IPO of the firm and their return to being a listed company, it was a time where potential investors turned to the public statements from the firm to help determine whether they invest or not.
If your public facing statements don't match up to the reality you know about, this case may demonstrate that you could be on the hook for it. #SEC#SolarWinds#Cybersecurity
I imagine a lot of current CISOs will be looking into cashing out and taking early retirement in the near future. Good news for Info Risk Management types who've grown weary of banging their heads on the wall.
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #43/2023 is out! It includes the following and much more:
➝ 🇺🇸 🎰 Hackers that breached Las Vegas casinos rely on violent threats, research shows
➝ 🔓 🇺🇸 University of Michigan employee, student data stolen in #cyberattack
➝ 🔓 #1Password discloses security incident linked to #Okta breach
➝ 🇺🇸 Cyber attacks hit NY state #casino operation, two Hudson Valley hospitals
➝ 🇺🇸 🗳️ D.C. Board of Elections: Hackers may have breached entire voter roll
➝ 🔓 🇮🇪 Thousands of drivers have sensitive data exposed to hackers in major IT #breach
➝ 🇷🇺 📨 Pro-Russia hackers target inboxes with #0day in webmail app used by millions
➝ 🇫🇷 🇷🇺 #France says Russian state hackers breached numerous critical networks
➝ 🇳🇬 Nigerian Police dismantle #cybercrime recruitment, mentoring hub
➝ 🇵🇸 💸 #Palestine#crypto donation scams emerge amid Israel-Hamas war
➝ 🇪🇸 👮🏻♂️ #Spain arrests 34 #cybercriminals who stole data of 4 million people
➝ 🇨🇦 🇨🇳 #Canada: Lawmakers Targeted by China-Linked ‘#Spamouflage’ Disinformation
➝ 🇺🇸 🇷🇺 Ex-NSA Employee Pleads Guilty to Leaking Classified Data to #Russia
➝ 🦠 🇰🇵 N. Korean #Lazarus Group Targets Software Vendor Using Known Flaws
➝ 🦠 🇮🇷 Iranian Group #Tortoiseshell Launches New Wave of IMAPLoader #Malware Attacks
➝ 🦠 🪰 #StripedFly malware framework infects 1 million #Windows, #Linux hosts
➝ 🦠 📱 #iOS Zero-Day Attacks: Experts Uncover Deeper Insights into Operation Triangulation
➝ 🔓 📱 #Samsung Galaxy S23 hacked two more times at #Pwn2Own Toronto
➝ 🔓 Critical #OAuth Flaws Uncovered in #Grammarly, #Vidio, and #Bukalapak Platforms
➝ 🔓 🩺 Critical Flaw in NextGen's Mirth Connect Could Expose #Healthcare Data
➝ 🔓 #F5 Warns of Critical Remote Code Execution Vulnerability in BIG-IP
➝ 🔓 🍏 Hackers can force iOS and #macOS browsers to divulge #passwords and much more
➝ 🩹 #Citrix warns admins to patch #NetScaler CVE-2023-4966 bug immediately
➝ 🔓 ✌🏻 #Cisco Finds Second Zero-Day as Number of Hacked Devices Apparently Drops
➝ 🔓 Critical RCE flaws found in #SolarWinds access audit solution
📚 This week's recommended reading is: "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World" by Bruce Schneier
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges.
@BleepingComputer it should be noted that while these are important vulnerabilities, they were scored 8.8 high severity by SolarWinds and NVD is pending analysis:
Miss @chudypb's talk on .NET deserialization bugs during @hexacon_fr? Deserialization of untrusted data has become one of the most abused vulnerability classes across multiple programming languages. Over time, most developers have become adept with the secure handling of deserialization operations. Consequently, easy-to-exploit deserialization issues are mostly a thing of the past. His research gets past those defenses. You can check out his full white paper at: https://github.com/thezdi/presentations/blob/main/2023_Hexacon/whitepaper-net-deser.pdf
I've been working on a response to the Whitehouse RFI on open source security, and I feel like there's a trend starting to emerge
There are foundations, companies, universities, governments, think tanks ... It feels like everyone is trying to do something to fix open source security
And it also feels like nobody is talking to the open source developers. The people who are actually doing the work
This goes back to @Di4na "I am not a supplier" blog post I think
I'm also starting to wonder if this is turning into "YOU SHOULD BE GRATEFUL FOR THE SCRAPS I'M GIVING YOU!"
This stinks of ulterior motives to me. Someone with a lot of influence wants open source to stop being a thing entirely. Someone, perhaps, who dislikes being outcompeted by plainly superior offerings.
#Cybersecurity#Microsoft#Azure#China#SolarWinds: "Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.
I believe this all traces back to SolarWinds. In addition to Russia inserting malware into a SolarWinds update, China used a different SolarWinds vulnerability to break into networks. We know that Russia accessed Microsoft source code in that attack. I have heard from informed government officials that China used their SolarWinds vulnerability to break into Microsoft and access source code, including Azure’s."
Regarding the #solarwinds#CISO possibly going to jail over the hack, all I know is the links in their billing related emails are still HTTP, they clearly take security seriously now:
Solar Winds, the enterprise technology company made famous after suffering a nation state directed cyber attack in 2020, has been served notice by the SEC that further action is coming. Not only did they receive their own Wells Notice in October, but now two individuals, their CFO and CISO, have as well.
This is the first time a CISO has received a Wells Notice.
What should corporate directors know and do about this? To shed some light on the practical implications for business leaders we will ask for insights from two of our OODA network experts, Bob Flores and Junaid Islam.
😶 We've learned nothing from the SolarWinds hack
➥ cyrnel
"Given its high profile, I'm shocked to report that I feel very little has been learned from that attack.
To me, the hack was a wake-up call about how the way we install and run software is insecure by design and needs a rework, maybe using capabilities-based security. But all I hear about is a bunch of solutions that kinda miss the point. "
⛓️ The Untold Story of the Boldest Supply-Chain Hack Ever
➥ Wired
"Using techniques that investigators had never seen before, the hackers gained access to thousands of the company’s customers. Among the infected were at least eight other federal agencies, including the US Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms"
"The Mandiant team was facing a textbook example of a software-supply-chain attack—the nefarious alteration of trusted software at its source. In a single stroke, attackers can infect thousands, potentially millions, of machines." —@kimzetter for @WIRED