Emails from DHS officials obtained in SolarWinds hack

The Associated Press’ sources say as part of the SolarWinds Orion supply chain attack, threat actors obtained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security Chad Wolfe and members of the department’s cybersecurity staff. The intelligence value of the emails is unknown. Officials say following disclosure of the attack, DHS officials switched to clean phones and used the messaging app Signal to communicate. One official speaking to AP said the agency’s response was hampered by outdated technology and struggled for weeks to identify how many servers it had running SolarWinds software.

(AP News)

Docker Hub images contain cryptominers

Security researchers at Palo Alto Networks discovered that thirty Docker Hub container images, downloaded over twenty million times over the last two years, contained cryptojacking software. These images are tied to ten different accounts, with Monero the predominant cryptocurrency mined; Grin (GRIN) and ARO (Aronium) were also mined in a few images. Looking at the mining pools tied to the software, researchers estimate the cryptojacking has generated a combined $200,000 in cryptocurrency. While many of the images are still available on Docker Hub as of this recording, a full list of impacted images is available on Palo Alto's website.

(Bleeping Computer)

Commits with backdoor pushed to PHP

Over the weekend, two malicious commits adding a backdoor were pushed to the official PHP Git repository. They were disguised as a minor typo correction and appeared to be authored by PHP maintainers Rasmus Lerdorf and Nikita Popov. Popov said the commits were identified as "obviously malicious" and reverted "right away" as part of a post-commit code review. The malicious activity stemmed from a compromised server. The project now plans to decommission its own git server and move to GitHub permanently to avoid a repeat of the issue.

(Bleeping Computer)

The cloud impact of cutting trade ties with Myanmar

The US cut trade ties two months after the country's military staged a coup to overthrow the country's democratically elected government, and the suspension will remain in place "until the return of a democratically elected government." It's unclear how cloud services in the country will be affected, since each company interprets the order on its own. For example, in 2016 IBM blocked access to services in Syria, Cuba, and Iran, while companies like Rackspace and Linode simply do not allow users in sanctioned countries to sign up for services. Myanmar's military government has indefinitely blocked access to Facebook, Twitter and Instagram in the country.


Thanks to our episode sponsor, Remediant

Former Incident Response practitioners Tim Keeler and Paul Lanzi founded Remediant, a leader in Privileged Access Management. They did it to solve the one problem they saw repeatedly: standing administrator privileges. Again and again, they saw these rights weaponized by adversaries to deploy ransomware and move laterally across a network. Remediant uniquely addresses the challenge of standing privilege and is a force multiplier for security programs worldwide.

To learn more about Tim & Paul’s story, watch the video at

MIT study looks at AI dataset labelling issues

MIT computer scientists led a team that looked at 10 of the most-cited datasets used to test machine learning systems and found that 3.4% of the data was either inaccurate or mislabeled. Google's QuickDraw test set, which includes user-submitted doodles, had the most errors at about 5 million, 10% of the dataset. Researchers used a confident learning framework to flag possible label noise in the datasets, then had people on Mechanical Turk review the flagged labels. Higher-capacity models were less affected by these mislabelings, while lower-capacity models showed significantly improved performance when trained on the corrected datasets.


Microsoft provides guidance after Exchange breach

Last week Microsoft revealed that 92% of Exchange servers vulnerable to the zero-day exploits the company disclosed in early March had been patched or had mitigations applied. While patching mitigates some risk, Microsoft warned in a blog post that "patching a system does not necessarily remove the access of the attacker". With many impacted Exchange servers not yet having received a second-stage action, Microsoft warns that attackers may be waiting to deploy ransomware or cryptominers against already exploited systems. In cases where systems are known to have been compromised, Microsoft urges admins to apply the principle of least privilege and to mitigate lateral movement across the network.


Hades ransomware gang connected to Hafnium

Researchers at Awake Security published a report examining the characteristics of the Hades ransomware group, concluding that the group is either operated by the APT Hafnium, or that several different groups coincidentally compromised the same environments. They came to this conclusion after finding a Hafnium domain as an indicator of compromise in a Hades attack. Additionally, Hades toolsets and approaches include those often used by espionage-focused groups, with a focus on manufacturing organizations. The researchers said the combination of amateurish data leaks from Hades victims and the relative sophistication of the group's technical operations indicates an APT behind the operation.


GPT-3 sees growing adoption

OpenAI announced its AI text-generator GPT-3 is being used in over 300 different apps and generated 4.5 billion words per day. Companies still need to apply to access GPT-3’s general API, with Microsoft signing an exclusive deal last year for unique access to GPT-3’s underlying code. OpenAI was initially founded as a non-profit before switching to a for-profit company in 2019, with GPT-3 its first commercial product. 

(The Verge)