OSINT News - January 4th, by Bart Otten

Nuclear weapons agency breached amid massive cyber onslaught

https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855 

Nuclear weapons agency breached amid massive cyber onslaught. Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.

---

SunBurst: the next level of stealth

https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth 

Executive summary. ReversingLabs shows conclusive details that the Orion software build and code-signing infrastructure was compromised; discloses compilation artifacts confirming that Orion source code was directly modified to include a malicious backdoor; discloses software delivery artifacts confirming that a backdoored Orion software patch was delivered through its existing software release ...

---

How suspected Russian hackers outed their massive cyberattack

https://www.politico.com/news/2020/12/16/russian-hackers-fireeye-cyberattack-447226 

In a 2016 blog post, FireEye laid out how such an attack might be carried out, noting that while “two-factor authentication is a best practice for securing remote access, it is also a Holy Grail ...

---

Sunburst: connecting the dots in the DNS requests

https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/ 

On December 13, 2020, FireEye published important details of a newly discovered supply chain attack. An unknown attacker, referred to as UNC2452 or DarkHalo, planted a backdoor in the SolarWinds Orion IT software. This backdoor, which comes in the form of a .NET module, has some really interesting and rather unique features.

---

Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

https://us-cert.cisa.gov/ncas/alerts/aa20-352a 

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an ...

---

SolarWinds confirms 18,000 customers may have been impacted

https://securityaffairs.co/wordpress/112294/hacking/solarwinds-sec-filing.html 

18,000 SolarWinds customers may have been impacted by the attack against its supply chain, the company said in an SEC filing. SolarWinds revealed that 18,000 customers might have been impacted by the cyber attack against its supply chain. The alarming data emerged in a filing with the Securities and Exchange Commission (SEC) on Monday. “On December […]

---

A moment of reckoning: the need for a strong and global cybersecurity response

https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/ 

The recent spate of cyberattacks requires the government and the tech sector in the United States to look with clear eyes at the growing threats we face. At Microsoft, we are committed to being at the forefront of these efforts.

---

NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2451159/nsa-cybersecurity-advisory-malicious-actors-abuse-authentication-mechanisms-to/#pop4744190 

In response to ongoing cybersecurity events, the National Security Agency (NSA) released a Cybersecurity Advisory Thursday, “Detecting Abuse of Authentication Mechanisms.” This advisory provides guidance to National Security System (NSS), Department of,

---

Israeli spy firm suspected of accessing global telecoms via Channel Islands

https://www.theguardian.com/world/2020/dec/16/israeli-spy-firm-suspected-accessing-global-telecoms-channel-islands 

The Israeli private intelligence company Rayzone Group appears to have had access to the global telecommunications network via a mobile operator in the Channel Islands in the first half of 2018 ...

---

AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers

https://arxiv.org/abs/2012.06884 

In this paper, we show that attackers can exfiltrate data from air-gapped computers via Wi-Fi signals. Malware in a compromised air-gapped computer can generate signals in the Wi-Fi frequency bands. The signals are generated through the memory buses - no special hardware is required. Sensitive data can be modulated and secretly exfiltrated on top of the signals. We show that nearby Wi-Fi ...

---

DoppelPaymer ransomware gang now cold-calling victims, FBI warns

https://securityaffairs.co/wordpress/112399/cyber-crime/doppelpaymer-fbi-alert.html 

FBI is warning of a new escalation in the extortion activities of the DoppelPaymer ransomware gang, the operators have been calling victims, threatening to send individuals to their homes if they don’t pay the ransom. According […]

---

Digging the recently leaked Chinese Communist Party database

https://securityaffairs.co/wordpress/112382/data-breach/chinese-communist-party-db-leak.html 

KELA researchers analyzed a database recently leaked online that contains data for 1.9 million Chinese Communist Party members in Shanghai. After the announcement of the leak of the database which contains the personal information of 1.9 million Chinese Communist Party (CCP) members in Shanghai, KELA researchers have obtained it. This database includes the members’ name, […]

---

FireEye, GoDaddy, and Microsoft created a kill switch for SolarWinds backdoor

https://securityaffairs.co/wordpress/112376/apt/solarwinds-backdoor-kill-switch.html 

Microsoft, FireEye, and GoDaddy have created a kill switch for the Sunburst backdoor that was used in the SolarWinds supply chain attack. Last week, Russia-linked hackers breached SolarWinds; the attackers had used a trojanized […]

---

Europol and the European Commission inaugurate new decryption platform to tackle the challenge of encrypted material for law enforcement investigations

https://www.europol.europa.eu/newsroom/news/europol-and-european-commission-inaugurate-new-decryption-platform-to-tackle-challenge-of-encrypted-material-for-law-enforcement 

This week Europol launched an innovative decryption platform, developed in close cooperation with the European Commission's Joint Research Centre. It will significantly increase Europol’s capability to decrypt information lawfully obtained in criminal investigations.

---

PyMICROPSIA Windows malware includes checks for Linux and macOS

https://securityaffairs.co/wordpress/112335/apt/pymicropsia-malware.html 

Experts from Palo Alto Networks’s Unit 42 discovered a new Windows info-stealing malware, named PyMICROPSIA, that might be used soon to also target Linux and macOS systems. Experts spotted the PyMICROPSIA info stealer while investigating […]

---

Flaws in Medtronic MyCareLink can allow attackers to take over implanted cardiac devices

https://securityaffairs.co/wordpress/112328/hacking/medtronic-mycarelink-flaws.html 

Experts from IoT security firm Sternum discovered vulnerabilities in Medtronic’s MyCareLink Smart 25000 Patient Reader product that could be exploited to take control of a paired cardiac device. MyCareLink Smart […]

---

SoReL-20M: Sophos & ReversingLabs release 10 million disarmed samples for malware study

https://securityaffairs.co/wordpress/112302/malware/sorel-20m-free-malware-dataset.html 

Sophos and ReversingLabs announced the release of SoReL-20M, a database containing 20 million Windows Portable Executable files, including 10 million malware samples. The SoReL-20M database includes a set of curated and labeled samples and security ...

---

Hacked Subway UK marketing system used in TrickBot phishing campaign

https://securityaffairs.co/wordpress/112248/data-breach/subway-uk-trickbot-phishing.html 

Hackers have compromised a marketing system in Subway UK and used it to send out phishing messages to deliver malware to the customers. Subway UK customers received emails from ‘Subcard’ about the processing […]

---

Norwegian cruise company Hurtigruten was hit by ransomware

https://securityaffairs.co/wordpress/112320/malware/cruise-company-hurtigruten-ransomware.html 

The Norwegian cruise company Hurtigruten announced its entire worldwide digital infrastructure was the victim of a cyber attack. “It’s a serious attack,” said Hurtigruten’s chief digital officer Ole-Marius Moe-Helgesen in a statement. “The entire worldwide ...

---

Pay2Key hackers stole data from Intel’s Habana Labs

https://securityaffairs.co/wordpress/112258/data-breach/pay2key-hacked-habana-labs.html 

Intel-owned AI chipmaker Habana Labs was hacked by Pay2Key ransomware operators who claim to have stolen data from the company. The group announced the hack on Twitter; they claim to have stolen sensitive data, including information about […]

---

Robotic Process Automation vendor UiPath discloses data breach

https://securityaffairs.co/wordpress/112267/data-breach/uipath-data-leak.html 

Last week, ZDNet reported in an exclusive that the tech unicorn UiPath admitted having accidentally exposed the personal details of some users. UiPath is a leading Robotic Process Automation vendor providing a complete software platform to help organizations efficiently automate business processes. The startup began reporting the security incident to its customers that had their data […]

---

HPE discloses critical zero-day in Systems Insight Manager

https://securityaffairs.co/wordpress/112370/security/hpe-flaw-systems-insight-manager.html 

Hewlett Packard Enterprise (HPE) has disclosed a zero-day remote code execution flaw that affects the latest versions of its HPE Systems Insight Manager (SIM) software for Windows and Linux. HPE SIM is a […]

---

Apple addressed multiple code execution flaws in iOS and iPadOS

https://securityaffairs.co/wordpress/112304/security/ios-ipados-flaws.html

Apple released security updates to fix multiple severe code execution vulnerabilities in its iOS and iPadOS mobile operating systems. The IT giant released iOS 14.3 and iPadOS 14.3 to address eleven security vulnerabilities, including code execution flaws. […]