Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about how VPNFilter, an IoT botnet discovered over two years ago, is still affecting routers today. Also, read about how cybersecurity company Malwarebytes was targeted by the SolarWinds hackers.
Through the Apex One with Endpoint Sensor (iES), Trend Micro discovered an incident where an attacker utilized sophisticated techniques in an attempt to exfiltrate sensitive information from a company. The unique tactics, techniques, and procedures (TTPs) used in this attack highlight the importance of cross-layered detection and response solutions.
Cybersecurity company Malwarebytes said that some of its emails were breached by the same hackers who used software company SolarWinds to hack into a series of U.S. government agencies. The company said that it does not use software made by SolarWinds, but it had been successfully targeted by the same hackers who were able to sneak into its Microsoft Office 365 and Microsoft Azure environments.
In this research blog, Trend Micro looks into VPNFilter, an IoT botnet discovered over two years ago, to see why there are still routers infected by the malware and what else can be done to minimize its potential risks. Trend Micro has also partnered with The Shadowserver Foundation in efforts to clean up any leftover VPNFilter infections.
Operators of a phishing campaign targeting the construction and energy sectors exposed credentials stolen in attacks that were publicly viewable with a simple Google search. This week, Check Point Research published a blog post describing the campaign, in which stolen information was dumped on compromised WordPress domains.
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert regarding an advanced persistent threat (APT) compromising government agencies, critical infrastructures and private sector organizations. According to CISA, the APT actor is accountable for the compromise of the SolarWinds Orion supply chain. The actor is also responsible for the abuse of commonly used authentication mechanisms.
Bugs in several messaging and video chat mobile apps allowed attackers to spy on targeted users’ surroundings. The vulnerabilities in Signal, Google Duo, Facebook Messenger, JioChat, and Mocha could be triggered by simply placing a call to the target’s device – no other action was needed.
Cisco this week released patches to address a significant number of vulnerabilities across its product portfolio, including several critical flaws in SD-WAN products, DNA Center, and Smart Software Manager Satellite (SSMS). Several command injection bugs addressed in SD-WAN products could allow an attacker to perform actions as root on the affected devices, the most important of which is rated critical with a CVSS score of 9.9.
Bad actors have successfully compromised the cloud services of companies using various attack methods, including phishing, brute-force login attempts and potentially a "pass-the-cookie" attack, according to an alert from the Cybersecurity & Infrastructure Security Agency (CISA) this week. The activity is unrelated to the ongoing SolarWinds hack.
Cybersecurity firm Sophos said it found evidence connecting the operators of the MrbMiner crypto-mining botnet to a small boutique software development company operating from the city of Shiraz, Iran. The MrbMiner botnet has been operational since the summer of 2020. It was first detailed in a Tencent Security report in September last year.
In an update and white paper released on Tuesday, FireEye warned that the hackers–which intelligence services and computer security outfits have concluded were state-sponsored Russians–specifically targeted two groups of people: those with access to high-level information, and sysadmins. It details how to search logs and what to look for to see if an account has been compromised, complete with step-by-step instructions for how to cut access and provide additional protection in future.
The complex cyberattack campaign against major US government agencies and corporations including Microsoft and FireEye has driven home the reality of how attackers are setting their sights on targets' cloud-based services such as Microsoft 365 and Azure Active Directory to access user credentials — and ultimately the organizations' most valuable and timely information.
Surprised by the ongoing news cycle and impact of the SolarWinds hack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.