Information Security News|Cyber Security|Hacking Tutorial (Information Security Newspaper|Infosec Articles|Hacking News)
https://www.securitynewspaper.com/
Feed last built: Thu, 30 Mar 2023 23:59:49 +0000

600,000 companies networks using 3CX VoIP software infected with malware. Biggest supply chain attack
https://www.securitynewspaper.com/2023/03/30/600000-companies-networks-using-3cx-voip-software-infected-with-malware-biggest-supply-chain-attack/
Thu, 30 Mar 2023 23:59:47 +0000

Researchers from multiple security companies have reported that a massive supply chain attack on users of 3CX, a widely used voice and video calling desktop client, was carried out by hackers working on behalf of the North Korean government. The attack targeted Windows and macOS users. The 3CXDesktopApp, available for Windows, macOS, Linux and mobile devices, lets 3CX users make calls, check colleagues' status, chat, schedule video conferences and check voicemail from a single desktop program.

The attackers compromised the software build system used to generate and distribute the Windows and macOS versions of the app. The app delivers VoIP and PBX services to “over 600,000 customers”, including American Express, Mercedes-Benz and PricewaterhouseCoopers. Because the attackers controlled the build pipeline, they were able to insert malware into 3CX applications that were then digitally signed with the company's official signing key, so a valid signature alone was no guarantee that a build was clean.

This is a classic supply chain attack: it exploits the trust relationships between an organization and its third-party vendors.

According to CrowdStrike, the infrastructure and encryption key used in the attack are identical to those seen in a campaign carried out on March 7 by Labyrinth Chollima, CrowdStrike's tracking name for a threat actor aligned with the North Korean government.

The attack was first noticed late on Wednesday night, when products from several security vendors began flagging malicious activity from properly signed 3CX desktop application binaries. The threat actor had registered a large collection of domains, later used to communicate with infected devices, as early as February 2022, laying the groundwork for the operation. Around March 22, SentinelOne observed a spike in behavioral detections of the 3CXDesktopApp; on the same day, 3CX customers began discussing online what they assumed were false-positive 3CXDesktopApp detections by their endpoint security products.

3CX Chief Information Security Officer Pierre Jourdan said the Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 contain a “security issue”. He said the payloads were inserted into bundled libraries compiled into the app via Git, the version control system developers use to track changes to their code, and that many of the attacker-controlled servers that compromised workstations attempt to contact have already been taken down.

Software vendors have been on high alert for supply-chain intrusions since the 2020 SolarWinds attack, which led to breaches at businesses and government organizations around the world.

NIST updates the Cybersecurity Supply Chain Risk Management Guidance (C-SCRM) in Response to Executive Order Signed by President Biden
https://www.securitynewspaper.com/2022/05/11/nist-updates-the-cybersecurity-supply-chain-risk-management-guidance-c-scrm-in-response-to-executive-order-signed-by-president-biden/
Wed, 11 May 2022 20:49:46 +0000

The U.S. National Institute of Standards and Technology (NIST) has revised its Cybersecurity Supply Chain Risk Management (C-SCRM) guidance, updated in response to President Joe Biden's executive order, to provide advice on identifying, assessing and controlling cybersecurity risks throughout the supply chain.

The document, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”, urges buyers and end users of digital hardware, software and services to conduct due diligence on the origin and security of the components of a technology product.

Supply chain attacks have become one of the most dangerous forms of hacking, since they let threat actors compromise many organizations at once by exploiting trust in widely used components. The SolarWinds attack, which affected thousands of organizations worldwide, is the obvious reminder.

For Ilkka Turunen, software supply chain security specialist at Sonatype, these measures are important for substantially improving organizations' security: “This document outlines fundamental best practices, such as generating software bills of materials (SBOM), as well as describing the maintenance activities necessary to maintain effective security practices in the supply chain.”

Turunen adds that mitigating software risk begins with understanding how managed and unmanaged software is used in an organization, followed by progressively mitigating those risks at the vendor level with constant customer participation.

Separately, Cequence Security researchers recently warned the community that attacks exploiting flaws such as Log4Shell persist. Disclosed a few months ago, Log4Shell allows abuse of the near-ubiquitous Apache Log4j logging library.

A new wave of attacks, dubbed LoNg4j, demonstrates the interaction between modern enterprise IT infrastructure and the digital supply chain: the vulnerable library is spread across all kinds of applications, creating a critical attack vector whenever one of them is exploitable.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Two critical code vulnerabilities in a core component of the PHP supply chain repository
https://www.securitynewspaper.com/2022/04/04/two-critical-code-vulnerabilities-in-a-core-component-of-the-php-supply-chain-repository/
Mon, 04 Apr 2022 17:38:05 +0000

SonarSource researchers report several vulnerabilities in PEAR (PHP Extension and Application Repository), a framework and distribution system for reusable PHP components. According to the report, these flaws could easily have been exploited to mount supply chain attacks, with potentially severe disruption to systems around the world.

Since the SolarWinds incident, supply chain attacks have become common. A report by the European Union Agency for Cybersecurity (ENISA) studied 24 attacks reported between January and July 2021 and found that about 50% came from known threat actors, a trend that could increase in the following months.

These attacks could be even more significant in a tool like PEAR, since it typically runs on a developer's machine before code is deployed to production servers, which could give attackers a foothold in the network.

An estimated 285 million packages have been downloaded from pear.php.net, the most popular being the PEAR client itself, Console_Getopt, Archive_Tar and Mail. Although alternatives like Composer now cover a larger share of the market, these PEAR packages are still widely used.

SonarSource found at least two bugs, both of which it says have been exploitable for more than 15 years. If a threat actor managed to exploit the first vulnerability and publish malicious releases, the second flaw would allow access to the central PEAR server.

While this is a considerable security risk, the good news is that the maintainers have begun to address the issue. A first patch, released on August 4, introduced a secure method for generating pseudorandom bytes in the password reset feature.

In the patched code (the original article showed it as a screenshot), a string of 16 random bytes is assigned to $random_bytes, but md5() is then called on $rand_bytes. That second variable does not exist ($random_bytes vs $rand_bytes), and since PHP treats an undefined variable as null, which md5() coerces to the empty string, the reset token is always the MD5 hash of an empty string (d41d8cd98f00b204e9800998ecf8427e).
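To make the defect concrete, here is an added Python model of the flawed and fixed token generators. It is not PEAR's code (PEAR is written in PHP); it models PHP's treatment of an undefined variable as null explicitly, since Python would raise NameError instead. The regression check at the end is a suggested maintainer test, not something SonarSource or PEAR published.

```python
"""Model of the PEAR password-reset token defect and its fix.

Added example, not PEAR's own code: PEAR is PHP, and PHP silently treats
an undefined variable as null, which md5() coerces to the empty string.
"""
import hashlib
import secrets

# md5("") -- the constant every "random" reset token collapses to while the typo is present
MD5_OF_EMPTY_STRING = "d41d8cd98f00b204e9800998ecf8427e"


def php_md5(value) -> str:
    """Mimic PHP's md5(): null (an undefined variable) hashes as the empty string."""
    if value is None:
        value = b""
    elif isinstance(value, str):
        value = value.encode()
    return hashlib.md5(value).hexdigest()


def flawed_reset_token() -> str:
    """The defective pattern: 16 random bytes are generated, but a misspelt name is hashed.

    $random_bytes is assigned and never read; md5() is called on $rand_bytes,
    which was never assigned. The undefined variable is modelled as an explicit None.
    """
    random_bytes = secrets.token_bytes(16)  # generated, then ignored, exactly as in the bug
    rand_bytes = None                        # the undefined variable actually passed to md5()
    return php_md5(rand_bytes)


def fixed_reset_token() -> str:
    """Hardened form: the token is derived from the bytes that were actually generated,
    and those bytes come from a CSPRNG. Hashing is kept only to mirror the original code
    shape; returning secrets.token_hex(16) directly would be equally sound."""
    random_bytes = secrets.token_bytes(16)
    return php_md5(random_bytes)


def tokens_look_random(token_fn, samples: int = 32) -> bool:
    """Regression check a maintainer can run: a reset-token generator must never
    repeat across calls and must never emit md5("")."""
    seen = {token_fn() for _ in range(samples)}
    return len(seen) == samples and MD5_OF_EMPTY_STRING not in seen


if __name__ == "__main__":
    print("flawed :", flawed_reset_token(), "(identical on every call)")
    print("fixed  :", fixed_reset_token())
    print("flawed passes check:", tokens_look_random(flawed_reset_token))
    print("fixed passes check :", tokens_look_random(fixed_reset_token))
```

With a constant token, anyone who knows md5("") can complete a password reset for any account, which is what turns a one-character typo into a supply-chain problem: a hijacked maintainer account can publish releases.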

The issues were reported to the PEAR maintainers in July 2021, and the full fix could be ready next May.

The researchers recommend that users of affected deployments stay on top of updates and consider alternatives such as Composer, which has a more active and continuously maintained contributor community focused on preventing flaws and attacks.

Hackers gained access to the Office 365 email accounts of at least 80% of employees working in the U.S. attorneys’ offices via SolarWinds
https://www.securitynewspaper.com/2021/08/02/hackers-gained-access-to-the-office-365-email-accounts-of-at-least-80-of-employees-working-in-the-u-s-attorneys-offices-via-solarwinds/
Mon, 02 Aug 2021 22:51:59 +0000

The Department of Justice (DOJ) has revealed that Microsoft Office 365 email accounts of employees at U.S. Attorneys' offices were compromised by Russia's Foreign Intelligence Service (SVR) during the SolarWinds supply chain attack. “This threat group had access to compromised accounts from approximately May 7 to December 27, 2020,” the statement said.

Authorities say the threat actors had access to all the compromised information, including sent and received email attachments as well as messages and drafts in these accounts. “While other districts were affected to a lesser degree, hackers gained access to the Office 365 email accounts of at least 80% of officials working in U.S. prosecutors' offices.”

The U.S. Attorneys' offices in which at least one employee's Microsoft Office 365 account was compromised as part of the SolarWinds supply chain attack, which hit both the U.S. government and the private sector, include:

  • Central District of California
  • Northern District of California
  • District of Columbia
  • Northern District of Florida
  • Middle District of Florida
  • Southern District of Florida
  • Northern District of Georgia
  • District of Kansas
  • District of Maryland
  • District of Montana
  • District of Nevada
  • District of New Jersey
  • Eastern District of New York
  • Northern District of New York
  • Southern District of New York
  • Western District of New York

The DOJ confirmed that the hackers behind the SolarWinds supply chain attack compromised its Microsoft Office 365 email environment. Last April the U.S. government attributed the incident to the SVR, concluding that exploitation of the SolarWinds Orion platform made the attack possible.

As readers may recall, the hacking group compromised SolarWinds' internal systems to embed the Sunburst backdoor in a legitimate-looking update, affecting at least 18,000 public and private organizations.

Another zero-day vulnerability in SolarWinds Serv-U product exploited by cyber criminals
https://www.securitynewspaper.com/2021/07/12/another-zero-day-vulnerability-in-solarwinds-serv-u-product-exploited-by-cyber-criminals/
Mon, 12 Jul 2021 22:40:07 +0000

SolarWinds security teams are working urgently to contain a zero-day vulnerability that is being exploited in the wild. In a recent security alert, the company said a threat actor is taking advantage of a flaw in its Serv-U Managed File Transfer and Serv-U Secure FTP products to deploy malware against a limited, targeted set of customers.

The vulnerability appears to be unrelated to the Sunburst supply chain attack and backdoor. The attacks were discovered by a Microsoft research team while investigating suspicious activity involving the SolarWinds Serv-U product.

“Microsoft sent a proof of concept of the exploit to the affected company, in addition to evidence of exploitation,” SolarWinds' statement said. Microsoft added that it has no estimate of the number of affected customers and no hypothesis about the attacker's identity.

In response, SolarWinds issued an emergency update for the vulnerability, which is present in Serv-U 15.2.3 HF1 and earlier. The company also released indicators of compromise, but is withholding further details so as not to facilitate exploitation before customers have patched.

“The vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploited this vulnerability could run arbitrary code with privileges. An attacker could then install programs; view, change, or delete data; or run programs on the affected system”, SolarWinds stated.
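A version gate for the advisory's threshold, as an added example (not a SolarWinds tool). It treats “15.2.3 HF1 and all prior versions” literally: a build is flagged if it sorts at or below 15.2.3 HF1, with a missing hotfix suffix treated as HF0 so that 15.2.3 sorts below 15.2.3 HF1. The inventory passed to triage() is constructed; whether any particular later build actually contains the fix must be confirmed against SolarWinds' release notes.

```python
"""Flag Serv-U builds covered by the advisory ("15.2.3 HF1 and all prior versions").

Added example, not SolarWinds code. Version strings follow the "MAJOR.MINOR.PATCH[ HFn]"
form the advisory uses; anything else is rejected rather than guessed at.
"""
import re

LAST_VULNERABLE = "15.2.3 HF1"   # taken from the SolarWinds advisory quoted above

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_servu_version(text: str) -> tuple:
    """'15.2.3 HF1' -> ((15, 2, 3, 0), 1).

    Numeric components are padded to four places so 15.2 == 15.2.0.0, and the hotfix
    number is kept separate and defaults to 0, giving 15.2.3 < 15.2.3 HF1 < 15.2.4.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (tuple(parts), hotfix)


def is_vulnerable(version: str) -> bool:
    """True if the build is 15.2.3 HF1 or anything earlier."""
    return parse_servu_version(version) <= parse_servu_version(LAST_VULNERABLE)


def triage(inventory: dict) -> tuple:
    """inventory maps hostname -> version string.

    Returns (hosts needing the emergency update, hosts whose version could not be
    parsed), both sorted. Unparseable entries are reported, not silently skipped.
    """
    needs_patch, unknown = [], []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                needs_patch.append(host)
        except ValueError:
            unknown.append(host)
    return sorted(needs_patch), sorted(unknown)


if __name__ == "__main__":
    # Constructed inventory for the example; not real hosts.
    sample = {"mft-01": "15.2.3 HF1", "mft-02": "15.2.3 HF2",
              "mft-03": "15.1.7", "mft-04": "build-unknown"}
    print(triage(sample))
```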

As noted above, SolarWinds rules out any link between this vulnerability and the attacks discovered months earlier against its Orion platform, which were attributed to Russia-based threat actors. Separate intrusions involving Orion have also been linked to China-based groups, though those were limited to delivering a malware variant rather than the backdoor installed on compromised networks in the main campaign.

Denmark’s Central Bank hacked through SolarWinds vulnerability
https://www.securitynewspaper.com/2021/06/29/denmarks-central-bank-hacked-through-solarwinds-vulnerability/
Tue, 29 Jun 2021 20:32:14 +0000

Security specialists report that Denmark's central bank IT systems were compromised during the SolarWinds supply chain attack a few months ago, leaving threat actors with a persistent backdoor for more than half a year.

The group behind the SolarWinds attack, allegedly sponsored by the Russian government, used highly sophisticated code to trojanize an update of the SolarWinds Orion network management software, which was downloaded about 18,000 times by system administrators worldwide.

Through this malicious update, the hackers could use SolarWinds to enter a network and then establish a backdoor that guaranteed continued access to compromised resources.

The backdoor remained on the Danish bank's networks for more than seven months, until it was detected by the security firm FireEye. This is worrying, given that the central bank handles transactions worth billions of dollars every day, although a representative says no real impact from the incident has been detected so far.

SolarWinds was asked for an additional statement but has not commented on the report.

Microsoft President Brad Smith has repeatedly described the incident as “the largest and most sophisticated attack ever recorded”, an assessment that appears to have been confirmed after the company concluded its investigation into the SolarWinds Orion compromise.

Netfilter gaming driver is a Chinese backdoor approved by Microsoft. Uninstall this driver immediately
https://www.securitynewspaper.com/2021/06/28/netfilter-gaming-driver-is-a-chinese-backdoor-approved-by-microsoft-uninstall-this-driver-immediately/
Mon, 28 Jun 2021 16:11:45 +0000

Microsoft has confirmed that Netfilter, a malicious driver distributed in some gaming environments, was signed by the company. Karsten Hahn, a researcher at security firm G Data, says the rootkit was first detected a couple of weeks ago and communicates with command-and-control (C&C) servers at IP addresses in China.

For the security community, this incident is yet another example of the severe weaknesses in the software supply chain, weaknesses that attackers have exploited with disastrous consequences, as in the SolarWinds attack.

As G Data noted earlier, the driver talks to China-based infrastructure. Hahn commented: “Since Windows Vista, any code running in kernel mode must be signed before public release to ensure the stability of the operating system. Drivers not signed by Microsoft cannot be installed by default.”

After analyzing the driver, the researcher concluded it was malware: “The sample has an automatic update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?V=6&m=.”
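The beacon URL above is a usable network indicator. Below is an added Python example, not G Data's or Microsoft's code, that scans proxy log lines for the Netfilter update check, pulls out the MD5 the sample reports about itself, and compares it with a file recovered from the client. The log format and the driver bytes are constructed for the example; adapt the field positions to your proxy's format.

```python
"""Hunt for the Netfilter driver's update beacon in web proxy logs.

Added example, not vendor code. Matches the indicator quoted above:
hxxp://110.42.4.180:2081/v?V=6&m=<md5 of the driver>. Accepts defanged
"hxxp" so IOC lists can be pasted in unchanged.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "110.42.4.180"
C2_PORT = 2081
C2_PATH = "/v"
_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def parse_beacon(url: str):
    """Return {"version": ..., "driver_md5": ...} if url is the Netfilter update check, else None.

    Host, port and path must all match; the m= value is kept only when it is a well-formed
    MD5, so a beacon with an empty or malformed hash still produces a hit."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    u = urlsplit(url)
    try:
        port = u.port
    except ValueError:          # non-numeric port in a malformed URL
        return None
    if u.hostname != C2_HOST or port != C2_PORT or u.path != C2_PATH:
        return None
    q = parse_qs(u.query, keep_blank_values=True)
    m = q.get("m", [""])[0]
    return {
        "version": q.get("V", [""])[0],
        "driver_md5": m.lower() if _MD5_RE.match(m) else None,
    }


def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        beacon = parse_beacon(fields[3])
        if beacon is not None:
            hits.append({"time": fields[0], "client": fields[1], **beacon})
    return hits


def matches_driver(reported_md5, driver_bytes: bytes) -> bool:
    """Tie a beacon to a file pulled from the client: the driver reports its own MD5."""
    return reported_md5 is not None and hashlib.md5(driver_bytes).hexdigest() == reported_md5.lower()


# Constructed sample data: a stand-in for the driver binary and a few proxy lines.
SAMPLE_DRIVER = b"not a real driver, just bytes standing in for netfilter.sys"
SAMPLE_MD5 = hashlib.md5(SAMPLE_DRIVER).hexdigest()
SAMPLE_LOG = [
    "2021-06-15T10:02:09Z 10.0.0.17 GET http://example.com/index.html 200",
    f"2021-06-15T10:02:11Z 10.0.0.23 GET http://110.42.4.180:2081/v?V=6&m={SAMPLE_MD5} 200",
    "2021-06-15T10:02:13Z 10.0.0.23 GET http://110.42.4.180:8080/v?V=6&m=abc 404",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit, "file matches:", matches_driver(hit["driver_md5"], SAMPLE_DRIVER))
```

The m= value is worth keeping even when no file is at hand: it is the hash of the copy actually running on that client, which is what to search for in other telemetry.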

Microsoft has received the report and announced an investigation, but said there is no evidence so far that stolen code-signing certificates were used. The initial hypothesis is that the threat actors submitted the malicious Netfilter drivers through Microsoft's driver-signing process, thereby obtaining a legitimate Microsoft signature on the binary.

“Microsoft is investigating a hacking group that distributes malicious drivers in gaming environments. This group submits the drivers for certification through the corresponding Windows program, but these malicious drivers were not developed by Microsoft. We decided to suspend the associated account and review all of its submissions to support the investigation of this malicious campaign,” the company says.

Microsoft's report notes that the threat actors have mainly targeted the gaming sector in China; so far there is no indication that organizations in other industries have been compromised. Microsoft declined to attribute the incident to any nation-state-sponsored group.

SolarWinds hackers stole source code from email security firm Mimecast
https://www.securitynewspaper.com/2021/03/17/solarwinds-hackers-stole-source-code-from-email-security-firm-mimecast/
Wed, 17 Mar 2021 17:01:55 +0000

Email security firm Mimecast has confirmed that the hackers behind the SolarWinds attack accessed its IT systems and downloaded the source code of a small number of its repositories. The entry point was the Sunburst backdoor, the malware the SolarWinds hackers delivered to nearly 18,000 customers running SolarWinds Orion monitoring software.

In a statement released a few hours ago, the company reported: “Using this entry point, malicious hackers managed to access some certificates issued by Mimecast, as well as compromise information related to the client's server connection.”

“The malicious hacker would have accessed a small subset of email addresses and other contact details, some hash-protected access credentials, and would have accessed and downloaded a limited number of our source code repositories, although we can say that there is no evidence of arbitrary alterations to these resources,” the company adds.

The report states that the source code extracted by the threat actors is incomplete and that functional versions cannot be built from the stolen material: “Forensic analysis indicates that the process of building our executables was not altered.”

As readers may remember, the hackers behind the SolarWinds supply chain attack used a stolen Mimecast-issued certificate, the kind customers use to secure Microsoft 365 synchronization connections, to target a small number of Microsoft 365 tenants.

While Mimecast did not disclose the exact number of customers using the stolen certificate, the statement puts it at about 10% of its customer base; with roughly 36,000 customers, the number of affected deployments could approach 3,600.

Mimecast's internal investigation identified some of the access methods used by the hackers, which were shut down after detection. So far, no evidence has been found that the threat actors accessed the contents of affected users' emails. Recall that a couple of weeks ago Microsoft also confirmed that the SolarWinds hackers downloaded partial source code for products such as Azure and Exchange, material that is likewise insufficient to build functional versions for subsequent attacks.

Security measures established by Mimecast to mitigate the risks arising from this incident include:

  • Rotation of all affected certificates and encryption keys
  • Strengthening the encryption algorithm for all stored credentials
  • Implementation of enhanced monitoring protocols for all certificates and encryption keys
  • Implementation of additional host security monitoring features across the infrastructure

Microsoft has released a free tool to remove Solorigate from infected networks
https://www.securitynewspaper.com/2021/02/26/microsoft-has-released-a-free-tool-to-remove-solorigate-from-infected-networks/
Fri, 26 Feb 2021 17:49:46 +0000

The supply chain attack on SolarWinds, delivered through the SolarWinds Orion platform, has proven to be one of the most devastating hacking incidents of recent years, impacting thousands of public and private organizations worldwide. A defining feature of the attack was the distribution of malicious binaries through legitimate updates, which enabled credential theft, privilege escalation and, eventually, theft of sensitive information.

Microsoft is one of the organizations that has invested the most in investigating this complex attack, which has allowed it to identify source-code patterns, indicators of compromise and behavior patterns associated with the group behind the Solorigate malware operation.

To give defenders better tools against such incidents, Microsoft has open-sourced the set of CodeQL queries it used during its Solorigate investigation, so that other organizations can run similar analyses. With these queries, researchers can detect source code that shares similarities with Solorigate, either in its basic elements or in its functionality.

Using these queries to detect indicators of compromise is not foolproof (a threat actor could rewrite the functions the queries look for), but used as part of a broader security program the approach is a sound way to address this risk.

What exactly is CodeQL?

CodeQL is the semantic code analysis engine behind GitHub's code scanning. It works in two stages. First, as part of compiling the source code into binaries, CodeQL extracts a relational database that captures a model of the code, parsing the source and building its own representation of it.

That database can then be queried like any other database, using the QL language, which was designed specifically to make complex code conditions easy to express. Its developers note that this two-stage approach unlocks many scenarios, including using static analysis for reactive code inspection across an entire enterprise.

CodeQL databases let researchers run semantic searches across many different code bases to find code conditions linkable to a specific malicious build. Microsoft used it to analyze thousands of repositories for variants of code potentially related to Solorigate.

These queries evaluate code-level indicators of compromise and have been published in the CodeQL GitHub repository, alongside guidance on how to use them and how to write further queries.

Code-level threat detection

In this investigation, Microsoft used two main tactics to detect indicators of compromise: the first looks for particular syntax at the code level, while the second looks for general semantic patterns corresponding to the techniques present in the code-level indicators.

Writing and running syntactic queries is relatively fast and offers several advantages over comparable regular-expression searches. Semantic patterns instead look for general techniques, such as hashing process names or delaying before contacting C2 servers. These are robust to substantial variation, but are harder to write and more compute-intensive when analyzing many code bases at once.

Combining the two approaches detects potentially malicious scenarios, though researchers should remember that a threat actor can change both the syntax and the techniques, so CodeQL should be considered one auxiliary tool within a full security program.
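To show the difference between the two approaches in running code, here is an added Python sketch (not CodeQL, and not Microsoft's queries) that applies one syntactic rule and two semantic rules to a constructed C# snippet. The literal in SYNTACTIC_LITERALS and the constants in the snippet are placeholders invented for the example, not real Solorigate values; the FNV-style hash loop is used only as a representative process-name-hashing shape, and split_methods is a brace-matching approximation of what a real extractor does.

```python
"""Syntactic vs. semantic code-level IOC detection, approximated in Python.

Added example: a regex-and-brace-matching sketch of what the two classes of CodeQL
query do, not CodeQL itself. The sample C# and every constant in it are constructed.
"""
import re

# Syntactic indicator: an exact literal lifted from a known-bad sample.
# CONSTRUCTED placeholder, not a real Solorigate hash constant.
SYNTACTIC_LITERALS = {"0xDEADC0DEFEEDFACE"}

# Semantic building blocks: what the technique looks like, independent of exact constants.
PROCESS_ENUM = re.compile(r"\bProcess\.GetProcesses\s*\(")
HASH_LOOP = re.compile(r"\bhash\s*[\^*]=")                         # rolling hash over characters
CONST_COMPARE = re.compile(r"==\s*(?:0x[0-9A-Fa-f]{8,}|\d{10,})")  # compare against a wide literal
DELAY = re.compile(r"\b(?:Thread\.Sleep|Task\.Delay)\s*\(")
NETWORK = re.compile(r"\b(?:HttpWebRequest|WebClient|HttpClient|Dns\.GetHostEntry)\b")

_KEYWORDS = r"if|for|foreach|while|switch|catch|using|lock"
_METHOD_RE = re.compile(
    r"\b(?:static\s+|private\s+|public\s+|internal\s+)*"
    r"\w[\w<>\[\]]*\s+(?!(?:" + _KEYWORDS + r")\b)(\w+)\s*\([^)]*\)\s*\{"
)


def split_methods(src: str):
    """Return [(name, body)] per method via brace matching. Good enough for the sketch;
    braces inside string literals would confuse it, which a real parser would not."""
    out = []
    for m in _METHOD_RE.finditer(src):
        depth, i = 0, m.end() - 1          # m.end()-1 is the opening brace
        while i < len(src):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        out.append((m.group(1), src[m.end():i]))
    return out


def syntactic_findings(body: str):
    """Fast and precise, but only fires while the literal is unchanged."""
    return [lit for lit in sorted(SYNTACTIC_LITERALS) if lit in body]


def semantic_findings(body: str):
    """Slower, but survives renamed identifiers and changed constants."""
    findings = []
    if PROCESS_ENUM.search(body) and HASH_LOOP.search(body) and CONST_COMPARE.search(body):
        findings.append("process-name-hashing")
    delay, net = DELAY.search(body), NETWORK.search(body)
    if delay and net and delay.start() < net.start():
        findings.append("delay-before-c2")
    return findings


def scan(src: str) -> dict:
    """Method name -> list of findings, syntactic first."""
    report = {}
    for name, body in split_methods(src):
        findings = syntactic_findings(body) + semantic_findings(body)
        if findings:
            report[name] = findings
    return report


# Constructed C#: IsBlocked keeps the original literal; Check is a "variant" with the
# constant changed, which only the semantic rules still catch; Benign is a control.
SAMPLE_CSHARP = """
class Orion {
    static bool IsBlocked(string name) {
        ulong hash = 1469598103934665603UL;
        foreach (char c in name.ToLower()) { hash ^= c; hash *= 1099511628211UL; }
        return hash == 0xDEADC0DEFEEDFACE;
    }
    static void Check() {
        foreach (var p in Process.GetProcesses()) {
            ulong hash = 1469598103934665603UL;
            foreach (char c in p.ProcessName) { hash ^= c; hash *= 1099511628211UL; }
            if (hash == 0x0123456789ABCDEF) return;
        }
        Thread.Sleep(3600000);
        var client = new WebClient();
    }
    static void Benign() { Console.WriteLine("hello"); }
}
"""

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_CSHARP).items():
        print(f"{name}: {', '.join(findings)}")
```

The point the sample makes is the one the paragraph does: the syntactic rule misses Check entirely because one constant changed, while the semantic rules still flag it, at the cost of three regexes and positional logic per method instead of one substring test.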

Although this query set targets Solorigate's code-level indicators of compromise, Microsoft notes that CodeQL can equally be used to query for backdoor functionality and evasion techniques more generally.

SolarWinds hackers also compromised NASA systems
https://www.securitynewspaper.com/2021/02/24/solarwinds-hackers-also-compromised-nasa-systems/
Wed, 24 Feb 2021 17:06:24 +0000

The post SolarWinds hackers also compromised NASA systems appeared first on Information Security Newspaper | Hacking News.

]]>
According to a report published by The Washington Post, the National Aeronautics and Space Administration (NASA) and the US Federal Aviation Administration (FAA) were also compromised during the recent attack on the SolarWinds supply chain through the SolarWinds Orion solution. Although it was originally seen as an attack on private organizations, this shows that the incident also affected a considerable number of public institutions.

Authorities have not officially commented on the matter, although specialists believe the U.S. government has been aware of this incident for a few weeks, since national security adviser Anne Neuberger stated that at least nine federal agencies were known to have been compromised during this incident.

In this regard, the Department of Transportation issued a statement saying that it is investigating the report. For its part, a NASA spokesperson said that a team from the Cybersecurity and Infrastructure Security Agency (CISA) is conducting a detailed investigation to find any possible traces of malicious activity.

About the group responsible for the attack, specialists mention that this campaign could be linked to a group identified as StellarParticle, also known as UNC2452, SolarStorm or Dark Halo.

Microsoft is one of the companies that has invested the most resources in investigating this incident, which has allowed its security teams to develop a detailed timeline of the attack. In addition to its description of the context in which the SolarWinds Orion hack occurred, Microsoft lists affected public agencies such as:

  • US Treasury Department
  • National Telecommunications and Information Administration (NTIA)
  • State Department
  • National Institutes of Health (NIH)
  • US Department of Homeland Security (DHS)
  • Department of Energy (DOE)
  • National Nuclear Security Administration (NNSA)

In early 2021, the Administrative Office of the U.S. Courts disclosed an investigation into a possible compromise of the computer systems used by the U.S. federal courts, as well as a possible attack on their storage systems. Moreover, Microsoft also reported that the SolarWinds hackers managed to download snippets of source code from products such as Azure and Exchange.

Although considered ideologically opposed to former President Trump, Joe Biden's administration could also impose sanctions on the Russian government for its alleged involvement in these campaigns, although no official pronouncement has been issued. To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.

New details about the SolarWinds attack are disclosed
https://www.securitynewspaper.com/2021/01/21/new-details-about-the-solarwinds-attack-are-disclosed/
Thu, 21 Jan 2021 19:24:21 +0000

While it is obvious that the threat actors behind the attack on SolarWinds have advanced skills, the cybersecurity community had not been able to define their attack methods precisely, at least until now. In a recent report, Microsoft's security teams detailed some of the techniques these hackers used to persist on affected systems without attracting the attention of security tools, a key factor in the success of this campaign.

Although the Sunburst and Solorigate malware variants were detected in late 2020, it was revealed in recent weeks that the operators of this attack had been injecting the Sunspot malware into compromised systems since September 2019, when the attack on SolarWinds' networks began.


Experts note that Sunburst was injected into the SolarWinds Orion monitoring software to install a backdoor on the networks that used this tool. Many of these payloads included custom loaders for the Cobalt Strike kit, among them Teardrop: “An undefined stage of attack was the passage from backdoor to Cobalt Strike loader. We found that hackers showed a special approach to making sure the components didn’t have apparent connections to avoid detection,” Microsoft’s report says.

Microsoft researchers note that the threat actors removed the Sunburst backdoor in June 2020 after distributing it during March 2020, having begun testing it in real-world environments between May and June 2020. The report also mentions that the attackers spent more than a month selecting their potential victims and preparing their C&C infrastructure: “Although the malware would have been injected into up to 18,000 corporate and government networks, the hackers’ practical activities were critical to the commitment of their main goals,” the report adds.

In addition, the attackers also tried to separate the execution of the Cobalt Strike loader from the SolarWinds process to ensure a successful infection: “Hackers expected that, should Cobalt Strike be detected and eliminated, the compromised SolarWinds binary would remain active.”

The hackers prepared the Cobalt Strike implants individually for each machine, avoiding overlapping folder names, file names, HTTP requests, timestamps and other indicators of compromise, Microsoft concludes. The attack on SolarWinds continues to prove to be a highly sophisticated exploitation campaign, so specialists believe this is unlikely to be the last report to contain new details. Experts anticipate that these reports will help organizations better understand this incident and prevent it from happening again in the future.

Malwarebytes, the new victim of SolarWinds hackers
https://www.securitynewspaper.com/2021/01/19/malwarebytes-the-new-victim-of-solarwinds-hackers/
Wed, 20 Jan 2021 00:07:54 +0000

Executives of the cybersecurity firm Malwarebytes have revealed that their systems were hacked by the same group of threat actors responsible for the recent incident at SolarWinds. Malwarebytes does not use SolarWinds products, so the company rules out a direct relationship between the two incidents.

Regarding the possible attack vector, the company states that the hackers gained access by exploiting an unpatched vulnerability in Azure Active Directory and by abusing malicious Office 365 applications. The Microsoft Security Response Center (MSRC) was notified of the incident late last year.

Additional reports indicate that, at the time this report was received, Microsoft was conducting a thorough audit of Office 365 and Azure for possible malicious activity related to the SolarWinds hackers, identified as Dark Halo or UNC2452.

Malwarebytes’ security team began an investigation immediately after detecting the intrusion: “After extensive research, we determined that threat actors accessed only a limited subset of our employees’ email addresses,” said CEO Marcin Kleczynski.


Malwarebytes' main concern was that the attackers might have managed to inject the Sunburst malware into its systems, which would have made it easier to install backdoors. The audit carried out by the company's researchers focused on finding any indicator of compromise similar to those of the earlier supply chain attack: “Our internal systems showed no evidence of unauthorized access or compromise in any local or production environment,” Kleczynski said.

Malwarebytes thus becomes the fourth security company affected by Dark Halo, a group allegedly linked to the Russian government, although this remains speculation. Microsoft, CrowdStrike and FireEye have also been targets of this hacking group.
