CYBERSECURITY NEWS V. 26.12 – Cyber Attack on SolarWinds, RubyGems packages infected with bitcoin stealers


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates with comments from our experts

News for discussion

Cyber Attack on SolarWinds

On December 13, 2020, a sophisticated large-scale attack on SolarWinds customers was disclosed. On December 8, FireEye had reported that a group of suspected government hackers had breached it and stolen the FireEye Red Team's tools. There was no information on how they had gained access to the FireEye network until December 13, when Microsoft, FireEye, SolarWinds, and the US government released a report stating that a group of government hackers had compromised SolarWinds. FireEye was one of the SolarWinds customers affected by this attack.

The attackers gained access to the SolarWinds Orion build system and added a backdoor to the SolarWinds.Orion.Core.BusinessLayer.dll file. This DLL was then distributed to SolarWinds customers through the product's automatic update platform. Once installed, the backdoor connects to a remote command and control server on a subdomain of avsvmcloud[.]com. From there it can do anything from giving the attackers remote access to installing additional malware or stealing data. Kim Zetter's report, published on December 19, indicates that the attackers may have performed a test run of the attack back in October 2019; during that test run, the DLL was distributed without the malicious SunBurst backdoor. The researchers suppose that after the attackers began spreading the backdoor in March 2020, they collected data and performed malicious activities on compromised networks without being noticed for months.

The researchers estimate that the SolarWinds attack distributed the malicious DLL to approximately 18,000 customers. However, the attackers only targeted high-profile victims. The current list of affected organizations includes companies like FireEye, Microsoft, and Cisco, and several US government entities: the US Department of the Treasury, the US National Telecommunications and Information Administration (NTIA), the US Department of State, the National Institutes of Health (NIH), the US Department of Homeland Security (DHS), the US Department of Energy (DOE), the US National Nuclear Safety Administration (NNSA), as well as individual states (not disclosed).

Microsoft has also notified more than 40 of its customers affected by the attack without disclosing the details. The company said 80% of the victims are in the US, and 44% are high-tech companies. Although Microsoft had already detected and warned about problems in the SolarWinds files, Windows Defender did not quarantine them, for fear that doing so could disrupt the affected organizations' network management services. On December 16, Defender began quarantining the DLLs.

Users of SolarWinds products are encouraged to immediately refer to the company's guidelines and FAQs and update to the latest clean version of the software. Microsoft also posted a list of 19 malicious DLL variants that it has detected so far.
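The one indicator the article gives is the command and control domain. As an added example (not code from the report or from hexway), the following Ruby script checks resolver logs for queries to that domain or any subdomain of it, while rejecting look-alike names; the log format, client IPs and subdomain labels are constructed.

```ruby
# Added example, not from the report or from hexway: a log check for the
# SUNBURST C2 domain named above. Log format and hosts are constructed.
C2_DOMAIN = "avsvmcloud.com".freeze
# Constructed resolver log format: "<timestamp> <client-ip> query: <qname>"
LOG_LINE = /\A(?<ts>\S+)\s+(?<client>\S+)\s+query:\s+(?<qname>\S+)/

# True only for the C2 domain itself or a genuine subdomain of it.
# Prefix look-alikes (notavsvmcloud.com) and names that merely contain
# the string (avsvmcloud.com.example.net) are deliberately rejected.
def c2_query?(qname)
  host = qname.downcase.chomp(".")
  host == C2_DOMAIN || host.end_with?(".#{C2_DOMAIN}")
end

# Returns {client => [qname, ...]} for every matching query; lines that
# do not fit the format are skipped rather than treated as errors.
def sunburst_dns_hits(log_text)
  hits = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next
    hits[m[:client]] << m[:qname] if c2_query?(m[:qname])
  end
  hits
end

# Constructed sample log: one subdomain hit, one fully-qualified hit, two decoys.
SAMPLE_LOG = <<~LOG
  2020-12-14T09:01:02Z 10.0.5.12 query: www.solarwinds.com
  2020-12-14T09:02:10Z 10.0.5.12 query: abc123.avsvmcloud.com
  2020-12-14T09:03:44Z 10.0.7.30 query: notavsvmcloud.com
  2020-12-14T09:04:15Z 10.0.7.30 query: avsvmcloud.com.example.net
  2020-12-14T09:05:59Z 10.0.9.41 query: AVSVMCLOUD.COM.
  garbage line that does not parse
LOG

if __FILE__ == $0
  sunburst_dns_hits(SAMPLE_LOG).each { |client, names| puts "#{client}: #{names.join(', ')}" }
end
```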

hexway commentary:

This is very high-profile news due to the large number of "important" victims.

The supply chain is probably the preferred mechanism for compromising companies that take information security seriously, and only the exceptionally high-profile cases ever reach publicity.

One apparent consequence of this incident is that companies may apply more stringent information security requirements to their suppliers. The question is how long that will last.

News FYI

Cyberspies hacked journalists' iPhones using a 0-day

The iPhones of Al Jazeera and Al Araby TV journalists were attacked with Pegasus spyware, sold by the Israeli NSO Group. Pegasus was sold to four buyers, including actors from the UAE and Saudi Arabia affiliated with the Monarchy and Sneaky Kestrel groups. The attackers jailbroke the iPhones using a zero-day vulnerability in the iMessage app. This zero-day is part of the Kismet exploit chain, which worked on iPhones up to the iPhone 11 running iOS 13.5.1 and was fixed in iOS 14.

Apple has announced its own investigation. The NSO Group stated that it has no information about any illegal use of Pegasus.

RubyGems packages infected with bitcoin stealers

Sonatype experts have discovered the malicious packages pretty_color and ruby-bitcoin in the official RubyGems repository. The hidden malware targeted Windows devices and replaced any cryptocurrency wallet address in the clipboard with the attackers' wallet address. In essence, the malware let the attackers intercept transactions and steal cryptocurrency. pretty_color contained the legitimate files of colorize, a well-known and trusted open-source component, which made the threat difficult to detect. The package also included a file named version.rb that supposedly contained version metadata but in fact held obfuscated code designed to run a malicious script on Windows computers. According to the Sonatype researchers, the ruby-bitcoin package contains only malicious code (the same as in the version.rb file from pretty_color).

The malware has already been removed from the platform.
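The finding above hinges on a file that claims to be version metadata but carries a platform-targeted loader. As an added example (not Sonatype's or hexway's code), the following Ruby audit flags a version.rb that contains anything an ordinary version file has no reason to: dynamic code execution, decoder calls, OS checks, or long opaque string literals. The sample files, and the hex blob in the bogus one, are constructed.

```ruby
# Added example, not Sonatype's or hexway's code: heuristic audit of a gem's
# version.rb for traits the pretty_color finding describes. Samples constructed.

# Indicators an ordinary version.rb has no reason to contain.
DYNAMIC_EXEC = /\b(eval|instance_eval|class_eval|system|exec|spawn)\b|`[^`]+`/
DECODERS     = /Base64\.(strict_|urlsafe_)?decode64|\.unpack\(|\.pack\(\s*["']H\*["']\)/
PLATFORM_CHK = /RUBY_PLATFORM|Gem::Platform|ENV\[["'](APPDATA|TEMP|USERPROFILE)["']\]|\.(vbs|bat|ps1)\b/
LONG_LITERAL = /["'][A-Za-z0-9+\/=]{80,}["']/

# Returns the list of reasons the file looks like a loader; [] means clean.
def version_file_findings(src)
  code = src.lines.reject { |l| l.strip.empty? || l.strip.start_with?("#") }.join
  findings = []
  findings << "dynamic code execution" if code =~ DYNAMIC_EXEC
  findings << "decoder call"           if code =~ DECODERS
  findings << "OS/platform targeting"  if code =~ PLATFORM_CHK
  findings << "long opaque literal"    if code =~ LONG_LITERAL
  findings << "no VERSION constant"    unless code =~ /\bVERSION\s*=\s*["']\d/
  findings
end

# files: Hash of path => contents from an unpacked gem.
# Returns {path => findings} for every version.rb with at least one finding.
def audit_gem_files(files)
  files.select { |path, _| File.basename(path) == "version.rb" }
       .map    { |path, src| [path, version_file_findings(src)] }
       .reject { |_, f| f.empty? }
       .to_h
end

# Constructed samples: a colorize-style version file, and one hiding a loader
# behind the same name. BLOB is nonsense hex, not a real payload.
CLEAN_VERSION = <<~RUBY
  module Colorize
    VERSION = "0.8.1"
  end
RUBY
BLOB = "deadbeef" * 12
BOGUS_VERSION = <<~RUBY
  module PrettyColor
    VERSION = "0.1.0"
  end
  eval(["#{BLOB}"].pack("H*")) if RUBY_PLATFORM =~ /mswin|mingw/
RUBY

if __FILE__ == $0
  p audit_gem_files("lib/colorize/version.rb"     => CLEAN_VERSION,
                    "lib/pretty_color/version.rb" => BOGUS_VERSION)
end
```

The heuristics are deliberately coarse: they are a triage filter for a package review, not a substitute for reading the flagged file.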

QNAP patches dangerous vulnerabilities in QTS, QES, and QuTS hero

QNAP has released several updates that fix vulnerabilities in the company's NAS devices running the QES, QTS, and QuTS hero operating systems. In total, the vendor has fixed six vulnerabilities affecting earlier OS versions based on FreeBSD, Linux, and 128-bit ZFS. The issues include XSS, path bypass, hardcoded passwords, and command injection.

The developers fixed them with QES 2.1.1 Build 0201006 (and newer), QTS build 20201123 (and newer), and QuTS hero h4.5.1.1491 build 20201119 (and newer).
