Anonymous ID: c5a6d1 March 24, 2021, 11:06 a.m. No.13289680   >>9798 >>9832 >>9863

Any anons know what's going on out there in the IT world with the "cyber intrusions" that happened last Friday?

 

Major corporations and institutions are still trying to recover, but I'm not seeing much news on it all, just rumors and limited exposure through job.

Anonymous ID: c5a6d1 March 24, 2021, 11:21 a.m. No.13289754   >>9798 >>9832 >>9863 >>9894 >>9986 >>9987 >>9993 >>0146 >>0156

It looks like the SolarWinds fallout continues…

 

https://www.zdnet.com/article/solarwinds-linked-hacking-group-silverfish-abuses-enterprise-victims-in-sandbox-malware-tests/

 

By Charlie Osborne for Zero Day | March 18, 2021 – 16:04 GMT (09:04 PDT) |

 

Cyberattackers involved in worldwide hacking campaigns are using the compromised systems of high-profile victims as playgrounds to test out malicious tool detection rates.

 

On Thursday, Swiss cybersecurity firm Prodaft said that SilverFish (.PDF), an "extremely skilled" threat group, has been responsible for intrusions at over 4,720 private and government organizations including "Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers."

 

Attacks are geared toward US and European entities and there is a specific focus on critical infrastructure and targets with a market value of over $100 million.

 

SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation, in which malicious SolarWinds Orion updates were pushed to customers, leading to the compromise of thousands of corporate networks.

 

In December, following the disclosure of the SolarWinds breach, Prodaft received an analysis request from a client and created a fingerprint based on public Indicators of Compromise (IoCs) released by FireEye.

 

After running IPv4 scans, the team found new detections within 12 hours and then began combing the web for command-and-control servers (C2s) used in the operation while refining fingerprint records. Prodaft says that after obtaining entry to the management C2 control panel, the company was able to verify links to existing SolarWinds security incidents and known victims by way of IP, username, command execution, country, and timestamp records.

 

Victims verified by the company include a US military contractor, a top COVID-19 testing kit manufacturer, aerospace and automotive giants, multiple police networks, European airport systems, and "dozens" of banking institutions in the US and Europe… (more of article at link)

Anonymous ID: c5a6d1 March 24, 2021, 11:29 a.m. No.13289798   >>9832 >>9863 >>9894 >>9986 >>9987 >>9993 >>0148 >>0156

>>13289680

>>13289754

The war is raging

 

https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/

 

By Danny Palmer | March 22, 2021 – 15:50 GMT (08:50 PDT) | Topic: Security

 

Microsoft Exchange Server attacks: 'They're being hacked faster than we can count', says security company

A 'significant' number of cyberattacks targeting vulnerable Microsoft Exchange servers are attempted every single day, warn researchers at F-Secure - who say it's critical to apply the patches immediately.

 

There are still thousands of cyberattacks targeting zero-day security vulnerabilities in Microsoft Exchange Server every single day as cyber criminals attempt to target organisations that have yet to apply the security patches released to mitigate them, according to a tech security company.

 

Microsoft released critical updates to secure Microsoft Exchange Servers against the four vulnerabilities on March 2 with organisations urged to apply them as a matter of urgency to prevent cyberattacks to their email servers.

 

But weeks later, many organisations are yet to apply the critical updates for Microsoft Exchange Server and cyber attackers are taking advantage to gain access to servers while it remains possible.

 

And cyber criminals are doing just that, with security researchers at F-Secure identifying tens of thousands of attacks targeting organisations around the world that are still running vulnerable Microsoft Exchange Server every day. According to F-Secure analytics, only about half of the Exchange servers visible on the internet have applied the Microsoft patches for these vulnerabilities.

 

"Tens of thousands of servers have been hacked around the world. They're being hacked faster than we can count. Globally, this is a disaster in the making," said Antti Laatikainen, senior security consultant at F-Secure.

 

The fear is that an attack that successfully compromises a Microsoft Exchange Server not only gains access to sensitive information that's core to how businesses are run, but could also open the door for additional attacks – including ransomware campaigns.

 

Tens of thousands of organisations around the world are known to have had their email servers compromised in attacks targeting Microsoft Exchange. Microsoft have attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.

 

However, once knowledge of the vulnerabilities became public following the release of the patch, other state-sponsored and cyber-criminal hacking groups have attempted to target Microsoft Exchange servers that have yet to have patches applied.

Anonymous ID: c5a6d1 March 24, 2021, 11:37 a.m. No.13289832   >>9863 >>9894 >>9991 >>0159

>>13289798

>>13289680

>>13289754

 

https://www.cpomagazine.com/cyber-security/acer-reportedly-suffered-a-revil-ransomware-attack-attracting-the-highest-ransom-demand-in-history-of-50-million/

REvil ransomware exploited Acer via Microsoft Exchange server

 

Advanced Intel’s cyber intelligence platform Andariel reported that the REvil ransomware gang attempted to exploit Acer’s Microsoft Exchange server.

 

The Microsoft Exchange vulnerabilities are blamed for exploits affecting over 30,000 U.S. organizations. If Acer’s ransomware attack originated from Microsoft Exchange vulnerabilities, it would be the first high-profile ransomware attack associated with the popular mail server software hack.

 

Microsoft Exchange email server hack was attributed to Chinese state-sponsored threat actors “HAFNIUM.” Coincidentally, Taiwan and China are sworn enemies with the latter threatening military action against the island nation which it considers part of its territory. However, the REvil ransomware attack on Acer appears to have no political motives.

 

REvil ransomware group is also attributed to the Travelex ransomware attack in 2020 that attracted an initial $6 million ransom demand. The gang settled on a $2.3 million payment in Bitcoins.

 

“It was only a matter of time before the recent Microsoft Exchange vulnerability exploited an organization, and in the current climate, it was swift,” James McQuiggan, security awareness advocate at KnowBe4, said. “The WannaCry ransomware from 2017 utilized the EternalBlue exploit and took only a few months before a massive attack occurred. With this attack, it took just weeks.”

 

He advises organizations to maintain a multi-layer network infrastructure to reduce the chances of criminals accessing sensitive data. He also recommended security awareness training and monitoring endpoints for data transfers to unusual destinations during odd hours.

Anonymous ID: c5a6d1 March 24, 2021, 11:43 a.m. No.13289863   >>9894 >>9928 >>9991 >>9993 >>0148 >>0159

>>13289832

>>13289798

>>13289680

>>13289754

Is it all a setup?

 

https://thehill.com/policy/cybersecurity/544124-biden-under-growing-pressure-to-nominate-cyber-czar

 

March 21, 2021 - 07:30 AM EDT

President Biden is coming under increasing pressure from lawmakers and other officials to nominate a White House cyber czar as the government starts formulating its response to two major foreign cyberattacks.

 

More than halfway through his first 100 days in office, Biden has yet to name his pick for national cyber director, a Senate-confirmed position that comes with a 75-member staff.

 

The absence of a leader to coordinate federal policy on cybersecurity is becoming glaring as the administration works to quickly respond to both the Russian SolarWinds hack and the Microsoft Exchange Server vulnerabilities exploited by Chinese hackers.

 

“Fill senior positions — there is no substitute for getting people into jobs who develop policy proposals and then implementing those ideas,” said Michael Daniel, a cyber coordinator during the Obama administration who’s now president and CEO of the Cyber Threat Alliance.

 

“The Administration deserves credit for prioritizing filling cybersecurity positions, but it needs to press forward with filling the remaining positions as expeditiously as possible,” he said.

 

The cyber czar position, created by the most recent National Defense Authorization Act, would carry even more authority than the White House cyber coordinator role that was eliminated by the Trump administration in a move to cut down on bureaucracy.

 

That left a gap in the executive branch to lead on cybersecurity, one that has been highlighted by recent security breaches.

 

The first incident, known as the SolarWinds hack, was discovered in December and involved likely Russian hackers breaching at least nine federal agencies and 100 private sector groups.

 

More recently, Microsoft announced this month that state-sponsored Chinese hackers were using vulnerabilities in Microsoft Exchange Server to infiltrate and steal data from hundreds of thousands of organizations.

 

An administration official stressed Friday that Biden saw filling the cyber czar position as “a priority,” noting that the administration is in the midst of a 60-day review of the position and its structure.

 

“Setting up a new federal entity is complicated — and we’re taking a look at how we can do this in a way that makes the most sense,” the official told The Hill. “This remains a priority. As it has been made clear by our actions, the White House takes cyber threats very seriously.”

 

The National Defense Authorization Act became law on Jan. 1.

 

Biden has taken some interim steps. He appointed Anne Neuberger, the former cybersecurity lead at the National Security Agency, to a new role on the National Security Council (NSC) as deputy national security adviser for cyber and emerging technology.

 

She is now serving as the point person in the executive branch on the SolarWinds incident.

 

But while Neuberger has been praised on both sides of the aisle, her position is not Senate-confirmed, and she does not have the same authorities designated to a cyber czar.