Security week 1

Stay safe. We bring you our regular weekly overview of security news.

Was the SolarWinds supply chain attack IT’s Pearl Harbor?

The SolarWinds attack resulted in over 18,000 confirmed infiltrations of government and corporate networks. Data including user IDs, passwords, financial records and source code were presumably leaked from many of these networks. The US Cybersecurity and Infrastructure Security Agency (CISA) required all government institutions either to shut down their Orion systems or install a specific update that had been screened by the NSA, illustrating how serious the situation was. It was later discovered that, in addition to SunBurst, other malware programs were spreading through system vulnerabilities. One member of the Senate Intelligence Committee noted that the hack looked “much much worse” than he first feared.

The list of compromised corporations is long: Cisco, SAP, Intel, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, MediaTek (one of the world’s largest semiconductor producers) and VMware.

The following American federal institutions were also affected: National Institutes of Health, The Pentagon, Department of State, Department of Homeland Security, Department of Energy, Department of the Treasury, Department of Commerce, State and local governments, US nuclear weapons agency.

Vancouver metro operator victim of ransomware attack

A Vancouver metro operator (TransLink) has been attacked by the ransomware Egregor. Although no customer data were leaked, employee details including wages and social insurance numbers were breached. Egregor’s business plan is interesting—the creators of the malware receive 30% of the paid ransom, while those who penetrate the victims’ local network are awarded 70%. Attacks began in September 2020 and victims have included Ubisoft, Kmart, Cencosud and Crytek.

Firm fined for attack on competitor

Ticketmaster has been fined $10 million for illegally accessing the network of their competitor CrowdSurge using the login details of a former employee. The goal of the attack was to eliminate or severely weaken their competition. The main perpetrators of the attack were fired and the company was forced to implement a compliance and ethics program to prevent employees from breaking the law again.

FBI warns against novel abuse of vulnerabilities in smart homes

The FBI has warned consumers of a new trend in which poorly secured elements of smart homes (cameras, microphones, controllers) have been hacked. The attackers use the devices to report a serious crime at the address and then watch, or even livestream, as police arrive at the homes of unsuspecting people. In other, darker cases, devices are used to watch children in the house and even talk to them through speakers.

Russian hacker convicted

A Russian hacker has been sentenced to 12 years in prison for his role in an international hacking campaign targeting several financial institutions and financial news publishers, including JPMorgan Chase and Dow Jones. He was extradited to the USA from Georgia. He was a key organizer of the largest data breach ever carried out at a single institution, with close to 80 million victims.

Swift fall of extremist social network

The extremist social network Parler has recorded a precipitous decline, partly because Amazon removed the application from its web services platforms. The FBI is currently investigating whether the social network influenced supporters of Donald Trump in their recent attacks in Washington DC. To make things worse, hackers stole and subsequently published the personal details of many users. It is likely the social network had lamentably poor security.

Source code leak and admin/admin

Nissan North America failed to configure one of their Git servers correctly, resulting in leaked source code of their mobile application and internal tools used by Nissan. They made a grave mistake by using default login details: admin/admin. The consequences are being investigated, but Nissan is certain that no personal details were leaked. The article contains a list of applications with relevant download links.

DDoSecrets – A less ethical WikiLeaks

The portal DDoSecrets aspires to be the heir of WikiLeaks by publishing business secrets gained through ransomware campaigns. They defend their actions by claiming they bring transparency. WikiLeaks themselves, who also publish data gained through hacks, must bear at least some of the blame for this development. DDoSecrets also argue that the leaked data could be used to accelerate development in certain industrial segments. The case presents a huge ethical dilemma. Is the behavior of DDoSecrets morally defensible? Most experts answer in the negative, but a number of angles must be considered. The details uncovered by the attacks are usually only accessible for a short time, but DDoSecrets leaves them permanently visible, which raises the risk of damage. On the other hand, details published by the portal have been used to prove that a certain firm was engaging in unfair practices.

DarkSide ransomware can now be decrypted without any ransom

Bitdefender have released a new tool that allows victims of DarkSide ransomware to restore their encrypted files without paying any ransom. DarkSide functions as a RaaS (ransomware as a service). Admittedly, several months have passed since the malware has been used in any attacks, so most victims have probably resolved their issues with encrypted files. Nonetheless, they may find it useful to recover the last good version of their data. Such a tool may spell the end for DarkSide, as has happened with other ransomware families, because its reputation as a ransomware has been undermined and its creators will have to rework the entire encryption component of the program, which will require considerable effort.

SolarWinds – How was the Orion system compromised?

The third malware discovered during the SolarWinds supply chain attack, after Sunburst and TearDrop, was Sunspot, which scans servers for MsBuild.exe—the MS Visual Studio build program used to compile the Orion tool. If it finds the file and determines that Orion is being built on that server, it replaces the source code in InventoryManager.cs with the Sunburst source code. The chief innovation of Sunspot was that it could insert itself into the compile and build process. The malware was created in February 2020, but the system had probably already been compromised before then—estimates suggest summer 2019—because the perpetrators already had considerable knowledge. Programmers usually require greater access privileges than regular users, and servers that run compiling and building of the whole product are adapted to this need. For example, some security features may be missing because they can negatively impact the process. This allows the malware to cause greater damage. It follows that similar attacks can be expected in future.
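One defensive control against the substitution described above is to pin a hash manifest of the reviewed source tree and re-verify it immediately before the compiler is invoked, so that a swapped InventoryManager.cs fails the build instead of shipping. The following script is an added illustration of that check; it is not SolarWinds code or a Sunspot artefact, and the toy file names and contents (Orion.csproj, Logger.cs, the "injected" comment) are constructed for the demonstration.

```python
"""Pre-build source integrity check (added illustration, not project code).

A manifest of SHA-256 digests is captured once the source has been reviewed
and stored outside the build host. Re-checking it right before MsBuild runs
turns a Sunspot-style file swap into a build failure. Every path and file
body below is constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large sources do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, suffixes=(".cs", ".csproj")) -> dict:
    """Hash every source file under root; keys are POSIX paths relative to root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, pinned: dict) -> dict:
    """Compare the tree on disk with the pinned manifest.

    Returns {relative_path: reason} for every file that was modified, removed
    or newly added since pinning; an empty dict means the tree is clean.
    """
    findings = {}
    current = build_manifest(root)
    for rel, digest in pinned.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel] != digest:
            findings[rel] = "modified"
    for rel in current:
        if rel not in pinned:
            findings[rel] = "unexpected"
    return findings


def demo(tamper: bool = True) -> dict:
    """Construct a toy Orion-like tree, pin it, optionally tamper, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Orion.csproj").write_text("<Project />")
        (root / "InventoryManager.cs").write_text("class InventoryManager {}")
        (root / "Logger.cs").write_text("class Logger {}")
        # Captured after code review; in practice kept off the build server.
        pinned = build_manifest(root)
        if tamper:
            # Simulate a Sunspot-style swap of one file just before compilation.
            (root / "InventoryManager.cs").write_text(
                "class InventoryManager { /* injected */ }"
            )
        return verify_manifest(root, pinned)


if __name__ == "__main__":
    findings = demo(tamper=True)
    if findings:
        raise SystemExit(f"refusing to build, source tree tampered: {findings}")
    print("source tree matches pinned manifest")
```

Run before the compiler step of the pipeline; the important design choice is that the pinned manifest must live somewhere the build host cannot rewrite, otherwise malware with access to the build server simply re-pins the tampered tree.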

Attack on European Medicines Agency and vaccine disinformation

Hackers have attacked the European Medicines Agency and stolen details related to the Pfizer/Biontech vaccine, some of which they have published. Some of the published details had been tampered with to spread disinformation and erode trust in the vaccine. The attack only targeted one IT application and information related to COVID-19 and the vaccine.

DarkMarket has been taken down. Source: Europol

End of DarkMarket

Germany, Australia, Denmark, Moldova, Ukraine, UK, USA and Europol have co-operated to shut down the portal DarkMarket, which had more than 50,000 users and more than 2400 sellers of drugs, falsified bank notes, stolen or falsified credit cards, anonymous SIM cards and malware. The portal had hosted more than 320,000 transactions, trading 4650 bitcoins and 12,800 monero. An infrastructure of more than 20 servers in Moldova and Ukraine was also disabled.