Security week 6

Stay safe. We bring you our regular weekly overview of security news.

Thousands of Tor exit nodes enable SSL stripping attack

Since 2020, attackers have added a large number of exit nodes to the Tor network and used them to tamper with secure connections, especially to sites associated with cryptocurrencies. An SSL stripping attack downgrades a secure HTTPS connection to plain HTTP, which exposes the transmitted data to eavesdropping or modification. In this case, legitimate cryptocurrency wallets were replaced with the attackers' own.

The severity of this attack is highlighted by the fact that malicious nodes made up 27% of the exit nodes. Although the nodes were removed, the Tor Project's response was not very effective: by early April, such malicious nodes again accounted for 4-6% of the exit nodes.
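SSL stripping only works while a browser is still willing to talk plain HTTP to a host, which is what HTTP Strict Transport Security (HSTS) rules out for returning visitors. As an added illustration that is not part of the original roundup, the following Python audits a site's response headers for an HSTS policy strong enough to deny the downgrade; the header samples are constructed, not taken from any real site.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One year in seconds: the minimum max-age the browser preload list accepts.
MIN_MAX_AGE = 31_536_000

@dataclass
class HstsVerdict:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    weaknesses: List[str] = field(default_factory=list)

def assess_hsts(headers: Dict[str, str]) -> HstsVerdict:
    """Evaluate a Strict-Transport-Security header (names matched case-insensitively).

    A browser holding a valid HSTS policy refuses to send plain HTTP to the host,
    so a stripping proxy on the path (such as a hostile exit node) has nothing
    to downgrade. Weak or missing policies leave the downgrade window open.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsVerdict(False, None, False, False, ["no HSTS header"])
    max_age, include_subdomains, preload = None, False, False
    for raw in value.split(";"):
        directive, _, arg = raw.strip().partition("=")
        name, arg = directive.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    weaknesses = []
    if max_age is None:
        weaknesses.append("max-age missing or unparsable")
    elif max_age < MIN_MAX_AGE:
        weaknesses.append(f"max-age {max_age} is shorter than one year")
    if not include_subdomains:
        weaknesses.append("includeSubDomains missing: subdomains stay downgradable")
    if not preload:
        weaknesses.append("not preloaded: the very first visit is unprotected")
    return HstsVerdict(True, max_age, include_subdomains, preload, weaknesses)

# Constructed sample responses, not captured from any real site.
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
NONE = {"Content-Type": "text/html"}
```

Run `assess_hsts` over the headers returned by your own HTTPS origin; any entry in `weaknesses` is a gap a stripping proxy can still exploit on first contact or on subdomains.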

The criminal group Darkside is behind the attack on the American oil pipeline

The FBI has confirmed that the ransomware gang Darkside is behind the attack on Colonial Pipeline, which operates an oil pipeline running from Texas along the East Coast to New York. The pipeline covers 45% of the US East Coast's fuel consumption. The gang targets companies listed on stock exchanges (such as NASDAQ) and uses the stolen information to threaten them, since a leak could drive down their share price, a unique approach for cybercriminals. The interesting thing about this gang is that it issued a public statement in which it undertook not to attack medical facilities, funeral services or companies engaged in the production and distribution of Covid-19 vaccines.

Chinese hackers have targeted a Russian submarine designer

A China-linked APT group is suspected of using the PortDoor malware to infiltrate the systems of the Rubin Central Design Bureau for Marine Engineering, which designs submarines for the Russian Navy. The intrusion began with an infected RTF document, e-mailed to the company's director and purportedly describing an autonomous underwater vehicle. Once installed, the malware fetched commands and additional malicious software from its control servers and, as expected, conducted reconnaissance and escalated privileges. The delivery style and wording of the malware show considerable similarity to the APT groups Tonto Team, Rancor and TA428.

Swiss Cloud has become the target of a ransomware attack

On April 27, a security incident disrupted the operations of the cloud provider Swiss Cloud. Although the entire network was not compromised, more than 6,500 clients were affected. Because it was a ransomware attack, the company is recovering the affected parts of the network; some systems have to be reinstalled and reconfigured. The company did not disclose further details about the attack. It is notable that a cloud provider itself was the target.

A task force calls for the disruption of ransomware groups

Companies such as Amazon, Cisco, FireEye, McAfee, Microsoft and many others have joined the US Department of Justice, Europol and the British National Crime Agency in highlighting the need for an international coalition to combat ransomware criminal groups. The White House received an 81-page report calling for this to become one of the priorities of US intelligence services. In the United States alone, nearly 2,400 government, health and education organizations were attacked in 2020. The costs associated with these attacks far exceed the ransoms paid.

Belgium was hit by a DDoS attack that shut down government websites and the internal network

Belnet, the Belgian internet provider for educational and research institutions and government services, was hit by a massive DDoS attack. It knocked websites offline, including those of the government and the police. Who organized the attack is not yet known.

A 12-year-old driver bug affects hundreds of millions of computers

Dell has disclosed a flaw in its DBUtil driver (used by its BIOS update utilities) that allows privilege escalation and code execution with kernel privileges. An attacker who has already gained access to a computer can use this vulnerability to take it over completely and then move on to other computers on the network. Updating as soon as possible is recommended.

A security update addresses 21 vulnerabilities in Exim mail servers

These 21 vulnerabilities, collectively known as 21Nails, can lead to the complete compromise of Exim mail servers. Exim is a free mail server for Unix-based operating systems, with almost 4 million instances running around the world. All versions released since 2004 are affected. This is not the first vulnerability in these servers: the NSA has previously warned that a Russian APT group was exploiting bugs in the software.