The end of the year brings a wealth of big cybersecurity news. Our internal chat blew up with the latest breach revelations, but we also had a couple of good on- and off-topic laughs—because isn’t that the secret to surviving 2020?
The SolarWinds breach
The SolarWinds breach is front-page news these days, and not just in the cyber world. Mainstream media has picked up this gigantic hack, the scope of which is nearly unprecedented. The attackers compromised SolarWinds’ software supply chain, inserting the SUNBURST backdoor into signed updates of the Orion platform so that customers installed it themselves; that gave them a foothold on the internal networks of at least 200 victims, including U.S. government agencies and private companies. In this article by Prevasio, the SUNBURST domain generation algorithm (DGA) is reversed and used to decode the victims’ domain names, which the backdoor embeds in the DNS queries it sends to its command-and-control infrastructure.
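How that decoding works, as an added example written for this summary (it is neither Prevasio’s code nor the backdoor’s own source): SUNBURST runs the compromised host’s domain name through a simple substitution cipher before placing it in the subdomain of its DNS beacon. The 35-character alphabet and the rotation by four positions below follow the public analyses of the backdoor; the escape rule for the four characters outside the alphabet (0, _, - and .) is reconstructed the same way, so treat it as an assumption to verify against a public decoder before relying on it. The sample strings are constructed for the example, not recovered from real beacons, and the user-ID prefix of the label and the backdoor’s separate base32 path for names containing other characters are not covered.

```python
"""SUNBURST victim-domain substitution cipher: encoder and decoder.

Reconstruction written for this article from public analyses of the
backdoor; not the malware's source and not Prevasio's decoder. Sample
inputs are constructed.
"""
import random
from typing import Optional

ALPHABET = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"  # 35 chars: covers a-z and 1-9
SPECIALS = "0_-."                                 # escaped as "0" + one alphabet char
ROTATE = 4


def substitute_encode(domain: str, rng: Optional[random.Random] = None) -> str:
    """Encode as the backdoor does: rotate alphabet chars by 4, escape specials."""
    rng = rng or random.Random()
    out = []
    for c in domain:
        if c in SPECIALS:
            # Index of the special plus a random multiple of 4 stays inside the
            # alphabet (max 3 + 4*7 = 31 < 35) and is recoverable via modulo 4.
            # Assumption: the real sample draws this offset from its own RNG.
            k = rng.randrange(0, 8)
            out.append("0" + ALPHABET[SPECIALS.index(c) + ROTATE * k])
        elif c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) + ROTATE) % len(ALPHABET)])
        else:
            # Uppercase and other characters go through a different path in the
            # backdoor (custom base32); that path is out of scope here.
            raise ValueError(f"character {c!r} is not encodable by the substitution cipher")
    return "".join(out)


def substitute_decode(fragment: str) -> str:
    """Invert substitute_encode on the encoded fragment of a SUNBURST DNS label."""
    out = []
    i = 0
    while i < len(fragment):
        c = fragment[i]
        if c == "0":
            # Escape marker: the next char's alphabet index mod 4 selects the special.
            if i + 1 >= len(fragment) or fragment[i + 1] not in ALPHABET:
                raise ValueError(f"dangling or malformed escape at offset {i}")
            out.append(SPECIALS[ALPHABET.index(fragment[i + 1]) % len(SPECIALS)])
            i += 2
        elif c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) - ROTATE) % len(ALPHABET)])
            i += 1
        else:
            raise ValueError(f"character {c!r} at offset {i} is not in the cipher alphabet")
    return "".join(out)


def is_valid_fragment(fragment: str) -> bool:
    """True if the fragment decodes cleanly (useful for filtering passive-DNS noise)."""
    try:
        substitute_decode(fragment)
        return True
    except ValueError:
        return False


def roundtrip_ok(domain: str, seed: int = 1) -> bool:
    """True if a domain survives encode -> decode with a seeded RNG."""
    return substitute_decode(substitute_encode(domain, random.Random(seed))) == domain


if __name__ == "__main__":
    # Constructed fragment: "example.internal" with escape offset k=5 for the dot.
    print(substitute_decode("rmuhd1r0bovirsvu1"))
    print(roundtrip_ok("corp-net_01.example.local"))
```

Applied to the encoded part of a query label under the backdoor’s avsvmcloud.com command-and-control domain, the decoder yields the victim’s internal domain, which is what let researchers enumerate victims from passive DNS data. The validity check matters in practice because many labels under that domain carry other message types that do not decode this way.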
“This post was interesting because it began to shine the light on the breadth of victims of the SolarWinds attack. Little by little, more victims are coming to light, and they are very relevant ones. This shows the importance of recognizing a breach and being able to determine whether the actors are still inside, which is what a deception platform excels at.” – Dan, Founder & CSO
COVID-19 vaccine cold chain becomes a target
IBM’s cybersecurity division reports that attackers are targeting companies involved in storing and transporting COVID-19 vaccines, using spear-phishing emails designed to harvest credentials and gain access to the vaccine cold chain. No particular threat actor was identified, but IBM’s team said the campaign showed the typical “hallmarks of nation-state tradecraft.” The targets are widespread, ranging from individual companies to governments to entire sectors.
“This year the world has revolved around COVID-19, and malicious actors have been no different. Criminal groups have been aware from the outset of the amount of money that has gone into fighting the pandemic globally and have focused their efforts on finding mechanisms that could give them access to a share of all that money. To this end, they have not hesitated to launch all kinds of attacks against sectors such as pharmaceuticals (e.g. to steal information on research for the development of vaccines against COVID-19) or, as in this case, logistics companies (e.g. those responsible for maintaining the cold chain in the distribution of vaccines from the laboratories where they are produced to the distribution centres).” — Fernando, Founder
Source: ZDNet, December 3
iOS zero-click radio proximity exploit
This post on Project Zero’s blog outlines how one researcher, working alone over about six months, built an exploit that compromises nearby iOS devices over Wi-Fi with zero user interaction. The weakness: an unauthenticated kernel memory corruption bug, a heap buffer overflow in the driver for AWDL, the Apple Wireless Direct Link protocol that underpins AirDrop. The entire process is walked through, from rebooting nearby phones as a first proof of concept to running arbitrary code in the kernel of an iPhone in radio range and stealing user data such as photos. The bug was reported to Apple and fixed in iOS 13.3.1 (CVE-2020-3843) in January 2020, months before the write-up was published, so the lesson is about the bug class and the attack surface, not an unpatched threat.
“This shows that the software running in our devices is so complex that it’s guaranteed to have exploitable bugs. What’s amazing about this article is how one intelligent person with enough time can figure out a way to hack a secure mobile device like the iPhone remotely and at enough distance to safely do it without the owner of the mobile phone realizing anything odd is happening. People with enough resources, like nation states, must be doing this. We must always assume someone has hacked into our systems.” — Xabi, Full Stack Engineer
Source: Project Zero, December 1
Ransomware actors pick up the phone
Ransomware gangs, including the operators of Conti and Ryuk, have begun cold-calling victims that refuse to pay, using an outsourced call-center group. The calls go to hacked companies that the gangs suspect are restoring from backups to avoid paying the ransom. The script threatens: “If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end.” The threat is not empty, because these groups now exfiltrate data before encrypting it, so restoring from backup does not end the extortion. That is a major reason to strengthen security posture and avoid becoming a ransomware victim in the first place.
“We had a laugh about this one—sophisticated hacker gangs resorting to one of the oldest sales tactics around! This marks another escalation in tactics and also shows how normalized and widespread ransomware attacks have become. It also shows that the real issue with ransomware nowadays is not the recovery of the data but the fact that cybercriminals are moving forward and are using the stolen data to extort or threaten customers. Before, cybercriminals were just seeking easy money—today, cybercriminals are not only encrypting victims’ data, they are stealing it and using extortion to threaten customers.” —The Development Team
Source: ZDNet, December 5
U.S. takes down websites offering VPNs for criminal activity
The United States took part in an international takedown of Safe-Inet, a VPN service that offered “bulletproof hosting services” intentionally designed to shelter criminals, shutting down its servers and seizing three domains (INSORG.ORG, SAFE-INET.COM and SAFE-INET.NET). The service supported clients engaged in criminal activity ranging from ransomware and e-skimming breaches to spear phishing and account takeovers. The takedown was a coordinated effort between Germany’s Reutlingen Police Headquarters, Europol, the FBI and other law enforcement agencies from around the world.
“Not everything is bad news. After a decade, and thanks to an important collaboration between different organizations, there’s been an operation that has resulted in the closure of Bulletproof Hosting, due to allegations it has been used to commit criminal acts. It looks like these Bulletproof services turned out not to be quite as bulletproof as they seemed.” — Member of the development team