France links Russian Sandworm hackers to hosting provider attacks
France’s national cyber-security agency ANSSI linked a series of attacks dating back to 2017 to the Sandworm group, which breached several entities using vulnerabilities in Centreon IT monitoring software. The attacks targeted Centreon systems left exposed on the internet, although it’s unclear whether the attackers used a specific exploit or social engineering to obtain the passwords needed for access. Once into the systems, the attackers installed a P.A.S. web shell and the Exaramel backdoor trojan to take over the connected server and gain access to adjacent networks. ANSSI warned those using Centreon to look for signs of intrusion.
Privacy problems with Azure and Canonical
Security analyst Luca Bongiorni found that soon after he spun up an Ubuntu Linux instance on Azure for sandbox testing, he received a message on LinkedIn from a Canonical sales rep. Microsoft said it does not share Azure data with third parties, but does share customer information with Azure Marketplace publishers when customers deploy their products, for tech support purposes rather than marketing. Microsoft further clarified that it shares contact information and transaction specifics with publishers, but not “customer data” without permission. Canonical says the employee who contacted Luca used a poor choice of words in framing the contact as an opening for further sales.
Microsoft estimates thousands of developers touched SolarWinds malware
This comes from Microsoft president Brad Smith, based on the company’s initial analysis of the malware, which places the level of effort needed for the attack at over 1,000 developers. Smith further said the malware was “the largest and most sophisticated attack the world has ever seen,” comparing the approach and scale to the tactics the Russian government used against Ukraine.
Parler is back online
The site had been functionally knocked offline in January after AWS suspended services to the platform for violations of its terms of service. The social network is now accessible to users with existing accounts and will accept new signups starting next week. While previous user accounts can log into the service, old posts are not currently available on the platform. Parler also named Mark Meckler as interim CEO; he previously cofounded the right-wing group Tea Party Patriots. Parler’s apps on iOS and Android remain delisted from their respective app stores.
Thanks to our episode sponsor, Kenna Security
India removes regulations on geospatial data
The country will no longer require local firms to obtain a license or other permission to collect, generate, store and share geospatial data, and it will also provide access to Indian ground stations for real-time positioning and street view surveys. Foreign firms can license API access to geospatial data from local firms, but cannot re-use or resell the data.
Microsoft adds phishing alerts to Forms
The company added a new security alert to its Security and Compliance Center to inform IT admins of detected phishing attempts abusing Microsoft Forms in their tenants. Forms had previously been limited to business users with Microsoft 365 subscriptions, but was recently opened for personal use to anyone with a Microsoft account. Microsoft will proactively identify malicious password collection in forms and surveys, and send alerts to admins about blocked or suspicious activity.
Skepticism from the security community about the Bloomberg Supermicro story
We reported yesterday on a Bloomberg feature that alleged prolonged Chinese infiltration of Supermicro’s products. This follows a similar 2018 story that alleged chips were installed on Supermicro boards used at Apple and Amazon. At the time, the FBI, the NSA, Homeland Security, Apple, and Amazon all denied the report’s validity. In response to this latest report, the NSA stood by its previous statement of being “befuddled” by Bloomberg’s reporting. Other researchers noted that the source cited as having seen the chips allegedly inserted into Supermicro boards was an advisor to two security firms analyzing the boards, indicating an indirect and potentially non-technical understanding of the findings. Further, the named sources in the story seem to indicate that what is being described is closer to inserting a backdoor into firmware than to physically implanting a chip for the purpose.
Most cryptocurrency money laundering goes through a few addresses
According to a new report by Chainalysis, 55% of all cryptocurrency money laundering is driven by 270 service deposit addresses, with mainstream exchanges receiving the bulk of illicit cryptocurrency. The US, Russia, and China were the largest destinations for illicit currency. While the overall share of illicit funds received by the top 5 receiving services decreased from 61% to 55% in 2020, 78% of all ransomware funds went to one of those top 5 services, up 18% on the year.
Notion outage caused by phishing alerts
The online workspace app suffered a multi-hour outage last week, impacting over four million users. Notion said the outage was caused by a “very unusual DNS issue that occurred at the registry operator level.” The company’s domain registrar received a complaint from Hexonet, which manages the top-level .so domain used by Notion, about phishing sites tied to Notion pages, resulting in a temporary hold being placed on Notion’s entire domain. The companies are now partnering on new protocols to ensure that phishing concerns can be addressed without impacting all of Notion’s users.