FireEye releases report and network auditing tool for SolarWinds-type hacks
The report, released yesterday, details the techniques the SolarWinds attackers used inside the networks of the companies they breached. Entitled “Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452,” it is available on the FireEye website. FireEye has concurrently released a free diagnostic tool on GitHub named Azure AD Investigator, intended to help organisations determine whether the SolarWinds attackers used any of those techniques against their own Microsoft 365 and Azure AD environments.
SolarWinds malware arsenal widens with Raindrop
An additional piece of malware, dubbed Raindrop, has been unmasked in the sprawling SolarWinds supply-chain attack. Researchers said it was used in targeted follow-on attacks after the initial mass Sunburst compromise. This post-compromise loader installs the penetration-testing tool Cobalt Strike, which the attackers then use to move laterally through victims’ networks, exfiltrate data and deliver further malware.
DNSpooq bugs let attackers hijack DNS on millions of devices
Israel-based security consultancy JSOF yesterday disclosed seven Dnsmasq vulnerabilities, collectively known as DNSpooq, that can be exploited for DNS cache poisoning, remote code execution and denial-of-service attacks against millions of affected devices. Dnsmasq is a popular open-source Domain Name System (DNS) forwarder that adds DNS caching and Dynamic Host Configuration Protocol (DHCP) server capabilities to the networking equipment it runs on. Affected vendors and projects currently include Android, Comcast, Cisco, Red Hat, Netgear, Qualcomm, Linksys, IBM, D-Link, Dell, Huawei and Ubiquiti.
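The first thing a practitioner wants after a disclosure like this is a way to tell whether a given Dnsmasq build carries the fixes. The following is an added example, not code from JSOF or the Dnsmasq project. It assumes that Dnsmasq 2.83 is the first release containing the DNSpooq fixes (that release number is not stated on this page) and that the first line of `dnsmasq --version` has the form "Dnsmasq version X.Y ..."; the sample banners are constructed.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Assumption (not stated on the page): Dnsmasq 2.83 is the first release that
# contains the DNSpooq fixes, so anything below 2.83 is treated as vulnerable.
DNSPOOQ_FIXED_VERSION: Tuple[int, int] = (2, 83)

# First line of `dnsmasq --version` looks like:
#   Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
_BANNER_RE = re.compile(r"^Dnsmasq version (\d+)\.(\d+)")


def parse_dnsmasq_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from a version banner, or None if unrecognised."""
    m = _BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_dnspooq_patched(version: Tuple[int, int]) -> bool:
    """True when the version is at or above the fix release."""
    return version >= DNSPOOQ_FIXED_VERSION


def assess_banner(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_dnsmasq_version(banner)
    if version is None:
        return "unknown"
    return "patched" if is_dnspooq_patched(version) else "vulnerable"


def assess_installed_dnsmasq() -> str:
    """Assess the dnsmasq binary on this host; 'not-installed' if there is none."""
    path = shutil.which("dnsmasq")
    if path is None:
        return "not-installed"
    proc = subprocess.run([path, "--version"], capture_output=True, text=True)
    first_line = proc.stdout.splitlines()[0] if proc.stdout else ""
    return assess_banner(first_line)


# Constructed sample banners used for the demonstration below.
SAMPLE_OLD_BANNER = "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley"
SAMPLE_NEW_BANNER = "Dnsmasq version 2.83  Copyright (c) 2000-2021 Simon Kelley"

if __name__ == "__main__":
    for banner in (SAMPLE_OLD_BANNER, SAMPLE_NEW_BANNER):
        print(f"{banner.split('  ')[0]}: {assess_banner(banner)}")
    print(f"local dnsmasq: {assess_installed_dnsmasq()}")
```

One caveat: distributions and device vendors often backport fixes without bumping the upstream version number, so a "vulnerable" verdict from a version check is a prompt to consult the vendor advisory, not proof of exposure; a "patched" verdict on an upstream version is the more reliable of the two.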
Chrome 88 release brings an end to Flash and FTP
Google’s Chrome 88, released yesterday, is the first Chrome release without support for Flash, which Adobe officially discontinued on December 31. It ends an era in which bug-plagued Flash was central to online media. Apple and Mozilla have also stopped supporting Flash, and Microsoft is scheduled to end support later this month. Chrome 88 goes further, removing support for opening FTP links inside Chrome and blocking mixed, insecure downloads: for example, when a user is on a page served over HTTPS but a file is then downloaded from an HTTP URL.
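Site owners can find links that Chrome 88 will now block before users report broken downloads. The following is an added example, not code from Google or the Chromium project. It statically audits the anchors on a page, resolving relative and protocol-relative hrefs against the page URL, and flags two cases the text above describes: an https page linking to an http URL (a mixed download if the target serves a file) and any ftp:// link. The sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags; nothing else is needed for the audit."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)


def audit_links(page_url: str, html: str) -> List[Tuple[str, str]]:
    """Return (absolute_url, reason) for links Chrome 88 would refuse to fetch.

    reason == "http-from-https": the page is https but the link resolves to http,
        so a file served from it is a mixed download and is blocked.
    reason == "ftp": the link uses ftp://, which Chrome 88 no longer handles at all.
    """
    page_scheme = urlsplit(page_url).scheme
    collector = _HrefCollector()
    collector.feed(html)
    findings: List[Tuple[str, str]] = []
    for href in collector.hrefs:
        # urljoin resolves relative and protocol-relative ("//host/...") hrefs
        # against the page URL, so those inherit the page's scheme.
        absolute = urljoin(page_url, href)
        scheme = urlsplit(absolute).scheme
        if scheme == "ftp":
            findings.append((absolute, "ftp"))
        elif scheme == "http" and page_scheme == "https":
            findings.append((absolute, "http-from-https"))
    return findings


# Constructed sample page for the demonstration; none of these hosts are real.
SAMPLE_PAGE_URL = "https://www.example.com/downloads/"
SAMPLE_HTML = """
<a href="/files/report.pdf">relative, inherits https</a>
<a href="//cdn.example.net/tool.zip">protocol-relative, inherits https</a>
<a href="http://mirror.example.org/tool.zip" download>absolute http: mixed download</a>
<a href="https://files.example.com/tool.zip">absolute https</a>
<a href="ftp://ftp.example.org/pub/tool.tar.gz">ftp link</a>
<a href="mailto:security@example.com">not a download</a>
"""

if __name__ == "__main__":
    for url, reason in audit_links(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{reason:16} {url}")
```

A static scan cannot see an https link whose server redirects to an http download, which the browser also treats as mixed; checking the final URL of each download with an HTTP client that follows redirects closes that gap.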
Thanks to our episode sponsor Armis
Hackers manipulated stolen COVID-19 vaccine data before leaking it online
In the latest update on the cyberattack first disclosed last month, the European Medicines Agency (EMA) has revealed that the attackers accessed confidential internal emails from November about the evaluation process for COVID-19 vaccines. The ongoing investigation found that some of the contents of those emails had been manipulated by those behind the attack before being leaked, in what appears to be an attempt to undermine trust in the vaccines through disinformation. It is not known who the perpetrators are or why they sought to spread disinformation about the vaccines.
Intel offers CPU-level threat detection capabilities to target ransomware
Intel has announced that its 11th Generation mobile processors sold with the vPro feature set will include threat detection technology that uses telemetry from the CPU’s performance monitoring unit, combined with hardware-accelerated machine learning heuristics, to detect potential threats. This is possible because some types of malicious programs, ransomware included, leave a distinctive footprint in CPU performance counters through the kind of work they do. Telemetry data and machine learning models can identify suspicious or abnormal behaviour from that footprint, allowing malware detection at the CPU level.
Health insurer Excellus fined $5.1m over data breach
The sum will be paid to the Office for Civil Rights (OCR) at the US Department of Health and Human Services to settle potential HIPAA violations. It relates to a data breach that ran for over 17 months between 2013 and 2015 and exposed protected health information of more than 9.3 million people on BlueCross BlueShield plans in New York state. The OCR’s investigation found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review and access controls, and a failure to conduct an enterprise-wide risk analysis.
Linux devices under attack by FreakOut malware
FreakOut has a variety of capabilities, including port scanning, information gathering, and packet and network sniffing. It is actively adding infected Linux devices to a botnet that can launch DDoS and network-flooding attacks and run cryptomining. Targets include network-attached storage devices, web portals and web applications running vulnerable versions of TerraMaster TOS, Zend Framework or Liferay Portal. To protect against FreakOut, researchers recommend that administrators of Linux systems running any of those three products make sure all available patches are deployed.
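Port scanning by an infected host is one of the FreakOut behaviours that shows up in ordinary firewall logs, whether the scanner is an outside host or a compromised device inside your own network. The following is an added example, not code from the researchers who analysed FreakOut. It flags a source that touches many distinct ports on one destination within a short window, reading iptables-style LOG lines as they land in syslog; the log lines, the 60-second window and the 5-port threshold are all constructed or assumed and would need tuning per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Matches iptables-style LOG lines as written to syslog. The syslog timestamp
# carries no year, so strptime pins it to 1900; only time differences are used.
_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

Event = Tuple[datetime, str, str, int]  # (timestamp, src, dst, dst_port)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line into an Event, or None if it is not a LOG line."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_port_scans(lines, window_s: int = 60, min_ports: int = 5) -> List[Dict]:
    """Flag (src, dst) pairs where src touched >= min_ports distinct ports on dst
    within any window_s-second window. Both thresholds are assumptions."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict] = {}
    for ts, src, dst, dpt in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, dpt))
        # Drop events that fell out of the sliding window for this pair.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports_in_window = {p for _, p in q}
        if key in alerts:
            # Already alerted: keep accumulating the ports the scanner touched.
            alerts[key]["ports"].update(ports_in_window)
            alerts[key]["last"] = ts
        elif len(ports_in_window) >= min_ports:
            alerts[key] = {"src": src, "dst": dst, "first": q[0][0], "last": ts,
                           "ports": set(ports_in_window)}
    return [dict(a, ports=sorted(a["ports"])) for a in alerts.values()]


# Constructed sample log: one fast scanner (203.0.113.7), one slow scanner
# (198.51.100.77, one port every few minutes) and one benign client (192.0.2.5).
SAMPLE_LOG = """\
Jan 19 10:00:01 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443
Jan 19 10:00:02 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21
Jan 19 10:00:02 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22
Jan 19 10:00:03 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=23
Jan 19 10:00:03 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443
Jan 19 10:00:04 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=80
Jan 19 10:00:05 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=443
Jan 19 10:00:06 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=8080
Jan 19 10:00:07 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40007 DPT=8081
Jan 19 10:00:08 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40008 DPT=9000
Jan 19 10:01:00 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=80
Jan 19 10:05:00 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=22
Jan 19 10:09:00 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33002 DPT=8443
Jan 19 10:12:00 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33003 DPT=3306
Jan 19 10:15:00 gw kernel: [IPT-IN] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=33004 DPT=5432
"""

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"{alert['src']} -> {alert['dst']}: {len(alert['ports'])} ports "
              f"between {alert['first'].time()} and {alert['last'].time()}")
```

With the defaults only the fast scanner is reported; the slow scanner spreads its five ports over fourteen minutes and only trips the detector once the window is widened to cover that span, which is the usual trade-off between catching low-and-slow scans and tolerating legitimate clients that use a few services over the day.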