Microsoft admits to signing rootkit malware in supply-chain fiasco
Microsoft has confirmed signing a malicious driver being distributed within gaming environments. Called “Netfilter,” it is a rootkit that was observed communicating with Chinese command-and-control IPs. This incident has once again exposed threats to software supply-chain security, except this time stemming from a weakness in Microsoft’s code-signing process. Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used. It seems to have resulted from a threat actor following Microsoft’s process to submit the malicious Netfilter drivers and managing to acquire the Microsoft-signed binary in a legitimate manner. Nation-state actors have not been implicated in this incident as yet.
Senate fails to confirm new CISA director before two-week break, drawing criticism
Jen Easterly, a former U.S. National Security Agency official, was expected to be confirmed as CISA director concurrent with Chris Inglis taking the national cyber director chair. The Senate confirmed Inglis last week. A vote on Easterly’s nomination was blocked twice by Sen. Rick Scott (R-Fla.), who says he will continue to hold the nomination until Vice President Harris visits the border. The obstruction was criticized as “a gift to our enemies.” The Senate adjourned Friday for a two-week recess until July 9.
Hackers release free games laced with cryptomining malware
A new report from BBC News has revealed that copies of top-rated games like Grand Theft Auto, NBA 2K and Pro Evolution Soccer are being offered in some places for free. These games, however, are infected with malware that allows hackers to access personal details and infects the computer with cryptomining malware called Crackonosh. Once installed, the malware disables Windows Update and uninstalls all security software before setting up its mining operation.
My Book Live users wake up to find their data deleted
My Book Live NAS, made by Western Digital, is a network-attached storage device that looks like a small book and that allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router. On Thursday of last week, My Book Live and WD My Book Live DUO owners worldwide suddenly found that all of their files were mysteriously deleted, and they could no longer log into the device via a browser or an app, following a mysterious factory reset. In a statement shared with BleepingComputer, Western Digital has determined that My Book Live and My Book Live Duo devices connected directly to the Internet are being targeted using a remote code execution vulnerability. Users are urged to unplug their devices from the internet immediately.
Hackers target Cisco ASA devices after PoC exploit code is published online
Experts are issuing warnings about attacks against Cisco Adaptive Security Appliances after researchers from Positive Technologies published PoC exploit code on Twitter for the CVE-2020-3580 XSS vulnerability. Experts at Tenable stated that, following its publication, other researchers are chasing bug bounties for this issue, but there will also be in-the-wild attacks exploiting the flaw. They point out that in a real attack scenario, successful exploitation of this vulnerability requires an attacker to trick an administrative user into logging in and navigating to the web page where the malicious code has been implanted.
Zyxel firewalls and VPNs under active cyberattack
Taiwanese networking equipment company Zyxel is warning customers of an ongoing attack targeting a “small subset” of its security products such as firewall and VPN servers. Attributing the attacks to a “sophisticated threat actor,” the firm noted that the attacks single out appliances that have remote management or SSL VPN enabled, namely in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware, implying that the targeted devices are publicly accessible over the internet. Enterprise VPNs and other network devices have become a top target of attackers as a way to find new avenues into corporate networks.
Nobelium: A new breach discovered during Microsoft probe of SolarWinds hackers
Microsoft said on Friday that an attacker it has named NOBELIUM had gained access to one of its customer-service agents and then used information from that access to launch hacking attempts against customers. The company said it had found the compromise during its response to hacks by the team it identifies as responsible for the earlier major breaches at SolarWinds. Microsoft warned affected customers to be careful about communications to their billing contacts and to consider changing those usernames and email addresses, as well as barring old usernames from logging in.
Fast, reliable broadband is now a key selling point for UK house hunters
Research from online real estate agency Purple Bricks found that 41% of potential buyers in the UK now rank the speed of their broadband internet connection as their top priority when buying a home, ahead of proximity to schools, transit, stores and restaurants. This shift is being seen as another indicator of growing interest in working from home as a more permanent arrangement for many. A surge in people wanting to move to the country has also been coupled with demand for good internet in areas that might otherwise have weak connections, to the point that telecom companies are becoming involved in purchase negotiations, offering plans for connectivity upgrades.