fbpx

InForce Cyber

Threat Report December 2020

During the month of December the spotlight was hitting SolarWinds vulnerability. Here are some topics to support this statement:

Threat actor is selling a dump allegedly including 2,5M customers of service provider Ho Mobile

Threat intelligence analyst @Bank_Security first spotted on a popular hacking forum a threat actor that is selling a database allegedly containing the database of the Italian mobile service provider Ho mobile. Ho mobile is an Italian mobile telephone service offered by Vodafone Enabler Italia, an Italian virtual mobile telephone operator.

Koei Tecmo suffers data breach; stolen data exposed

Koei Tecmo suffers a data breach and has taken down their European and American websites soon after the stolen data was posted to a hackers forum site.

Koei Tecmo is a Japanese video game and anime company. The company includes popular games such as Hyrule Warriors, Nioh 2, Atelier Ryza, Dead or Alive etc.

The hacker claimed to have hacked into the koeitecmoeurope.com website through a spear-phishing campaign on December 18th.

The actor claims to have stolen a forum database with 65,000 users and implanted a web shell on the site for continuous access.

REvil gang threatens to release intimate pictures of celebs who are customers of The Hospital Group

REvil ransomware gang, aka Sodinokibi, hacked The Hospital Group and threatens to release before-and-after pictures of celebrity clients.

The Hospital Group has 11 clinics and has a celebrity clientele, but it made the headlines because the REvil ransomware gang, aka Sodinokibi, claims to have hacked its systems and threatens to release before-and-after pictures of celebrity clients.

SolarWinds says 18,000 customers were impacted by recent hack

In SEC documents filed today, SolarWinds said it notified 33,000 customers of its recent hack, but that only 18,000 used a trojanized version of its Orion platform.

Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware, SolarWinds said in a security advisory.

The trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers. Only 18,000 of 300,000 customers were affected.

But while initial news reports on Sunday suggested that all of SolarWinds’ customers were impacted, in SEC documents filed today, SolarWinds said that of its 300,000 total customers, only 33,000 were using Orion, a software platform for IT inventory management and monitoring, and that fewer than 18,000 are believed to have installed the malware-laced update.

Hacked Software Firm SolarWinds’ Clients Include Ford, Microsoft, AT&T

A suspected Russia-led cyberattack that reportedly breached several U.S. government agencies seemingly exploited software from Texas-based software company SolarWinds, with malware pushed via booby-trapped updates.

A probe into the purported “nation state” hack is ongoing, spearheaded by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), after Reuters reported on Sunday that the U.S. Treasury and Commerce departments were believed to have been impacted, and the culprits had the ability to monitor internal emails.

The IT monitoring software targeted—called Orion—is used by “hundreds of thousands of organizations globally,” The Associated Press (AP) reported on Sunday. SolarWinds says on its website its products are currently used by more than 300,000 customers spanning sectors including military, government, business and education.

US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor

State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department’s National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

The Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that’s believed to have orchestrated a breach of US-based cybersecurity firm FireEye a few days ago leading to the theft of its Red Team penetration testing tools.

The motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated supply chain attack.

Norwegian Cruise Company Hurtigruten Hit by Cyberattack

Norwegian cruise company Hurtigruten announced Monday that it had been hit by a major cyberattack involving what appeared to be “ransomware”, designed to seize control of data to ransom it.

“It’s a serious attack,” said the company’s chief digital officer Ole-Marius Moe-Helgesen in a statement. “The entire worldwide digital infrastructure of Hurtigruten seems to have been hit.”

The company said it had alerted the relevant authorities when the attack was detected overnight Sunday to Monday. “The attack seems to be a so-called ransomware,” Hurtigruten added.

Ransomware is a kind of malware — malicious software — that encrypts the data of the target, locking the owner out of its own system until the victim agrees to pay for a decryption key to let him back in.

Emotet Shows up to Wish Merry Christmas

Emotet, the nefarious banking trojan that evolved into a downloader, is active again just days before Christmas. The attackers are already known for using various local events and incidents to lure their victims into clicking on malicious attachments. Recently they have been observed loading their payload as a DLL with a fake error message.

Many of the malicious emails used by the Emotet group were using Christmas-themed and COVID-19 vaccine-related lure.

  • This recent spam campaign started in mid-December and it could lead to compromised business networks, as people are still working from home.
  • More than 100k+ messages in English, German, Spanish, Italian, and other languages have been discovered. Lures are using thread hijacking with PW-protected zips, Word attachments, and URLs.
  • Emotet has worm-like features that enable network-wide infections. In addition, the trojan now uses modular DLL to regularly update and evolve its capabilities.
  • Proofpoint issued alerts on Twitter on December 21 that showed a screenshot of the social engineering trick fooling recipients into turning off a Microsoft 365 feature that blocks malicious documents.

Scottish Environment Protection Agency targeted in cyberattack

The agency was subjected to a ‘significant cyberattack’ in the early hours of Christmas Eve.

David Pirie said that while core regulatory, monitoring, flood forecasting and warning services continued, communication into and across the organisation was significantly impacted.

Mr Pirie said: “At one minute past midnight on Christmas Eve, Sepa systems were subject to a significant and ongoing cyberattack.

“The attack is impacting our contact centre, internal systems, processes and internal communications.

“We immediately enacted our robust business continuity arrangements, with our core regulatory, monitoring, flood forecasting and warning services adapting and continuing to operate.

Data Breaches
 Tax Relief Biz Exposed Personal Info on 100,000 Clients
A UK business specializing in tax relief for its clients has exposed the personal details of over 100,000 of them via a misconfigured content management system (CMS).Researchers at Website Planet told Infosecurity exclusively about the privacy snafu, which they discovered on October 13 and notified the firm about the next day.That company was Marriage Tax Refund, a Wolverhampton-based organization whose business model is to recover marriage tax allowance funds for UK clients.According to the research team, the firm had misconfigured its WordPress CMS, leaving a directory listing of PDF documents available for public view, with no password protection.
 
One Million US Dental Patients Impacted by Data Breach
An American healthcare provider has started notifying more than a million patients that their data may have been exposed as the result of a cyber-attack.Dental Care Alliance discovered on October 11 that it had been the victim of a hack that began on September 18, 2020. The company, which is headquartered in Sarasota, Florida, was able to contain the attack by October 13.Patient data that may have been accessed in the security incident included names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist, and health insurance information.Dave Quigley, general counsel for DCA, told Databreaches.net that the breach had been reported to all relevant regulatory bodies and that DCA had notified all 1,004,304 people affected by the incident via letter in November. 
Spotify resets passwords after a security bug exposed users’ private account information
Spotify  said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners.In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” The company did not name the business partners, but added that Spotify “did not make this information publicly accessible.”Spotify said the vulnerability existed as far back as April 9 but wasn’t discovered until November 12. But like most data breach notices, Spotify did not say what the vulnerability was or how user account data became exposed..
Tech unicorn UiPath discloses data breach
Tech unicorn UiPath, a startup that makes robotics automation software, is currently emailing users about a security incident that exposed their personal information online.”On December 1, 2020, UiPath became aware of an incident that resulted in unauthorized disclosure of a file containing limited personal information about users of UiPath Academy,” the company wrote in an email sent to users today, seen by ZDNet.The file included details such as real names, email addresses, usernames, company name, country locations, and UiPath certification details for users who signed up for the company’s online learning platform, the UiPath Academy.

Security Threats By Trend

Vulnerability Summary Dec 2020

Following vulnerabilities, were rated “CRITICAL” by Microsoft

ProductPlatformImpactSeverityDetails
Microsoft Edge (EdgeHTML-based)Windows 10 Version 2004 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 2004 for ARM64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 2004 for 32-bit SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1903 for ARM64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1903 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1903 for 32-bit SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1909 for ARM64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1909 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1909 for 32-bit SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows Server 2019Remote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1809 for ARM64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1809 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 1809 for 32-bit SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 20H2 for ARM64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 20H2 for 32-bit SystemsRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Edge (EdgeHTML-based)Windows 10 Version 20H2 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17131
Dynamics 365 for Finance and OperationsRemote Code ExecutionCriticalCVE-2020-17152
Microsoft SharePoint Foundation 2013 Service Pack 1Remote Code ExecutionCriticalCVE-2020-17118
Microsoft SharePoint Foundation 2010 Service Pack 2Remote Code ExecutionCriticalCVE-2020-17118
Microsoft SharePoint Server 2019Remote Code ExecutionCriticalCVE-2020-17118
Microsoft SharePoint Enterprise Server 2016Remote Code ExecutionCriticalCVE-2020-17118
Microsoft Exchange Server 2016 Cumulative Update 18Remote Code ExecutionCriticalCVE-2020-17132
Microsoft Exchange Server 2019 Cumulative Update 7Remote Code ExecutionCriticalCVE-2020-17132
Microsoft Exchange Server 2016 Cumulative Update 17Remote Code ExecutionCriticalCVE-2020-17132
Microsoft Exchange Server 2019 Cumulative Update 6Remote Code ExecutionCriticalCVE-2020-17132
Microsoft Exchange Server 2013 Cumulative Update 23Remote Code ExecutionCriticalCVE-2020-17132
ChakraCoreRemote Code ExecutionCriticalCVE-2020-17131
Microsoft Exchange Server 2016 Cumulative Update 18Remote Code ExecutionCriticalCVE-2020-17117
Microsoft Exchange Server 2019 Cumulative Update 7Remote Code ExecutionCriticalCVE-2020-17117
Microsoft Exchange Server 2016 Cumulative Update 17Remote Code ExecutionCriticalCVE-2020-17117
Microsoft Exchange Server 2019 Cumulative Update 6Remote Code ExecutionCriticalCVE-2020-17117
Microsoft Exchange Server 2013 Cumulative Update 23Remote Code ExecutionCriticalCVE-2020-17117
Windows Server 2016  (Server Core installation)Remote Code ExecutionCriticalCVE-2020-17095
Windows Server 2016Remote Code ExecutionCriticalCVE-2020-17095
Windows 10 Version 1607 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17095
Windows Server, version 2004 (Server Core installation)Remote Code ExecutionCriticalCVE-2020-17095
Windows 10 Version 2004 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17095
Windows Server, version 1903 (Server Core installation)Remote Code ExecutionCriticalCVE-2020-17095
Windows 10 Version 1903 for x64-based SystemsRemote Code ExecutionCriticalCVE-2020-17095
Windows Server, version 1909 (Server Core installation)Remote Code ExecutionCriticalCVE-2020-17095