Reuters reports: A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company's products earlier this year, according to a security research blog by Microsoft. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the blog said... It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file's compile times. Microsoft's detailed blog post notes that the code "provides an attacker the ability to send and execute any arbitrary C# program on the victim's device."

Read more of this story at Slashdot.

More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, reports ZDNet, citing an announcement from cybersecurity company Avast: Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. "For every redirection to a third party domain, the cybercriminals would receive a payment," the company said. Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites. Jan Rubín, Malware Researcher at Avast, said they couldn't identify if the extensions had been created with malicious code from the beginning or if the code was added via an update when each extension passed a level of popularity. And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify. Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions. ZDNet's article includes Avast's lists of the 28 extensions which they're recommending be uninstalled by users. ZDNet also notes that "A day after Avast published its findings, only three of the 15 Chrome extensions were removed, while all the Edge add-ons were still available for download. A source familiar with the investigation told ZDNet that Microsoft has not been able to confirm the Avast report."

Read more of this story at Slashdot.

Usama Jawad writes via Neowin: has been a proponent of passwordless technology for quite some time, saying that it wants traditional and unsafe passwords to die. To that end, it has invested in various solutions over the past few years such as Windows Hello, Microsoft Authenticator, FIDO2 security keys, and a palm vein authentication system, among other things. Now, the company has highlighted the strides it made to kill off passwords in 2020, and has stated that it plans to make them a thing of the past for all its customers in 2021. Microsoft noted that almost 80% of all cyberattacks target passwords, and one in 250 corporate accounts get compromised each month due to this. That said, the company is making an effort to transition people to passwordless solutions. In November 2019, 100 million people were using Microsoft's passwordless sign-in. This number grew to 150 million by May 2020, which goes to show how millions of people are ready to ditch passwords due to the inconvenience of remembering them, coupled with how insecure they can be. [...] 2021 is the year in which Microsoft plans to make passwords obsolete for all its customers. It is currently developing new APIs and a UX for managing FIDO2 security keys, and is also aiming to deliver a "converged registration portal," where customers can manage their passwordless credentials. While it hopes that 2021 marks a return to the "old normal," the company has emphasized that going passwordless will make online lives significantly easier.

Read more of this story at Slashdot.

The U.S. nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber attack that struck a number of federal government agencies. Microsoft Corp. was also breached, and its products were used to further attacks on others, Reuters reported. Bloomberg reports: The Energy Department and its National Nuclear Security Administration, which maintains America's nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. An ongoing investigation has found the hack didn't affect "mission-essential national security functions," Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement. "At this point, the investigation has found that the malware has been isolated to business networks only," Hynes said. The hack of the nuclear agency was reported earlier by Politico. In addition, two people familiar with the broader government investigation into the attack said three states were breached, though they wouldn't identify the states. A third person familiar with the probe confirmed that states were hacked but didn't provide a number. In an advisory Thursday that signaled the widening alarm over the the breach, the Cybersecurity and Infrastructure Security Agency said the hackers posed a "grave risk" to federal, state and local governments, as well as critical infrastructure and the private sector. The agency said the attackers demonstrated "sophistication and complex tradecraft."

Read more of this story at Slashdot.

As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday. Ars Technica reports: In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft. Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer. In a post, the researchers wrote: "Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User's privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)." The researchers don't yet know if the extensions came with the malicious code preinstalled or if the developers waited for the extensions to gain a critical mass of users and only then pushed a malicious update. It's also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously. [...] The list Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.

Read more of this story at Slashdot.

An anonymous reader quotes a report from ZDNet: Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the matter. The domain in question is avsvmcloud[.]com, which served as command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app. SolarWinds Orion updates versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained a strain of malware named SUNBURST (also known as Solorigate). Once installed on a computer, the malware would sit dormant for 12 to 14 days and then ping a subdomain of avsvmcloud[.]com. According to analysis from security firm FireEye, the C&C domain would reply with a DNS response that contained a CNAME field with information on another domain from where the SUNBURST malware would obtain further instructions and additional payloads to execute on an infected company's network. Earlier today, a coalition of tech companies seized and sinkholed avsvmcloud[.]com, transferring the domain into Microsoft's possession. Sources familiar with today's actions described the takedown as "protective work" done to prevent the threat actor behind the SolarWinds hack from delivering new orders to infected computers.

Read more of this story at Slashdot.

Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card. From a report: Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems. [...] At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through. Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz). In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal. This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more. Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.

Read more of this story at Slashdot.

An anonymous reader shares a report: On an earnings call two months ago, SolarWinds Chief Executive Kevin Thompson touted how far the company had gone during his 11 years at the helm. There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call. "We don't think anyone else in the market is really even close in terms of the breadth of coverage we have," he said. "We manage everyone's network gear." Now that dominance has become a liability -- an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers. On Monday, SolarWinds confirmed that Orion -- its flagship network management software -- had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers. [...] Cybersecurity experts across government and private industry are still struggling to understand the scope of the damage, which some are already calling one of the most consequential breaches in recent memory. [...] Experts are reviewing their notes to find old examples of substandard security at the company. Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password "solarwinds123" "This could have been done by any attacker, easily," Kumar said. Others -- including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress -- noticed that, even days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

Read more of this story at Slashdot.

IT software provider SolarWinds downplayed a recent security breach in documents filed with the US Securities and Exchange Commission on Monday. From a report: SolarWinds disclosed on Sunday that a nation-state hacker group breached its network and inserted malware in updates for Orion, a software application for IT inventory management and monitoring. Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware, SolarWinds said in a security advisory. The trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers. But while initial news reports on Sunday suggested that all of SolarWinds' customers were impacted, in SEC documents filed today, SolarWinds said that of its 300,000 total customers, only 33,000 were using Orion, a software platform for IT inventory management and monitoring, and that fewer than 18,000 are believed to have installed the malware-laced update. The company said it notified all its 33,000 Orion customers on Sunday, even if they didn't install the trojanized Orion update, with information about the hack and mitigation steps they could take.

Read more of this story at Slashdot.

In a joint security alert published this week, the US Cybersecurity Infrastructure and Security Agency, along with the Federal Bureau of Investigation, warned about increased cyber-attacks targeting the US K-12 educational sector, often leading to ransomware attacks, the theft of data, and the disruption of distance learning services. From a report: "As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors," the alert reads. "Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year," it added. But of all the attacks plaguing the K-12 sector (kindergarten through twelfth-grade schools), ransomware has been a particularly aggressive threat this year, CISA and the FBI said. "According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year," the two agencies said. "In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July," they said.

Read more of this story at Slashdot.

Jerry Rivers shares a report from TechCrunch, adding: "...and it took the music service seven months to notice." From the report: In a data breach notification filed with the California attorney general's office, the music streaming giant said the data exposed "may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify." The company did not name the business partners, but added that Spotify "did not make this information publicly accessible." The company says the vulnerability existed as far back as April 9 but wasn't discovered until November 12. It didn't say what the vulnerability was or how user account data became exposed. "We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted," the letter read.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The New York Times : For years, the cybersecurity firm FireEye has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be. Now it looks like the hackers -- in this case, evidence points to Russia's intelligence agencies -- may be exacting their revenge. FireEye revealed on Tuesday that its own systems were pierced by what it called "a nation with top-tier offensive capabilities." The company said hackers used "novel techniques" to make off with its own tool kit, which could be useful in mounting new attacks around the world. It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.'s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I. The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world's boldest breaches -- its clients have included Sony and Equifax -- declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls "Red Team tools." These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency -- to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards. The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention -- including FireEye's -- was focused on securing the presidential election system. At a moment that the nation's public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have a been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets. The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were purloined in 2016 by a still-unidentified group that calls itself theShadowBrokers. [...] The N.S.A.'s tools were most likely more useful than FireEye's since the U.S. government builds purpose-made digital weapons. FireEye's Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks. Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Dozens of radiology products from GE Healthcare contain a critical vulnerability that threatens the networks of hospitals and other health providers that use the devices, officials from the US government and a private security firm said on Tuesday. The devices -- used for CT scans, MRIs, X-Rays, mammograms, ultrasounds, and positron emission tomography -- use a default password to receive regular maintenance. The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices. From there, the attackers can execute malicious code or view or modify patient data stored on the device or the hospital or healthcare provider servers. Aggravating matters, customers can't fix the vulnerability themselves. Instead, they must request that the GE Healthcare support team change the credentials. Customers who don't make such a request will continue to rely on the default password. Eventually, the device manufacturer will provide patches and additional information. The flaw has a CVSS severity rating of 9.8 out of 10 because of the impact of the vulnerability combined with the ease of exploiting it. Security firm CyberMDX discovered the vulnerability and privately reported it to the manufacturer in May. The US Cyber Security and Infrastructure Security Agency is advising affected healthcare providers to take mitigation steps as soon as possible. In a statement, GE Healthcare officials wrote: "We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority. We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall. Additionally, we are advising the facilities where these devices are located to follow network management and security best practices."

Read more of this story at Slashdot.

FriendlySolipsist writes: Independent journalist Rebekah Jones, a scientist fired by the Florida state government because, she said, of her refusal to manipulate official COVID-19 data releases to coincide with political considerations and who now operates website floridacovidaction.com, had her home raided by the FL state police who seized computers and cellphones, the Miami Herald reported. The FDLE affidavit in support of the raid was published by the Miami Herald and asserts that an unauthorized internal message was sent to the "ReadyOps" system within the state Department of Health from an IPv6 address associated with the Comcast account at Jones residence. "The Florida Department of Law Enforcement on Monday raided the home of a former Department of Health data analyst who has been running an alternative web site to the state's COVID dashboard, alleging that she may have broken into a state email system and sent an unauthorized message to employees," reports the Miami Herald. "But Rebekah Jones, who was was fired from her job in May as the geographic information system manager for DOH's Division of Disease Control and Health Protection and who has since filed a whistleblower complaint against the state, denied having any role in the alleged intrusion into the state web site and instead said she believes Monday's action was intended to silence her." Slashdot reader mtrachtenberg shares a thread on Twitter of Jones describing what happened.

Read more of this story at Slashdot.

A mysterious hacker sed a cyber-attack to force-open the doors of 2,732 package delivery lockers across Moscow. ZDNet reports: The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg. Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address. Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app. However, the same system that allows users to open lockers and retrieve their packages was attacked on Friday. Using a yet-to-be-identified exploit, a mysterious hacker forced open the doors for a third of PickPoint's lockers, leaving thousands of packages exposed to theft across Moscow. The reason for the attack has yet to be discovered, but in press releases over the weekend, PickPoint said it notified authorities. The Russian company said it is currently working to restore its network, which has been damaged during the attack. It also remains unclear if packages were stolen from lockers. As the company highlighted in a press release on Saturday, this appears to be "the world's first targeted cyberattack against a post-gateway network."

Read more of this story at Slashdot.

PC maker powerhouse Dell announced today a flurry of new enterprise security solutions for the company's line of enterprise products. From a report: The new services can be grouped into two categories, with (1) new solutions meant to protect the supply chain of Dell products while in transit to their customers and (2) new features meant to improve the security of Dell products while in use. While Dell has previously invested in securing its customers' supply chains, the company has announced today three new services. The first is named SafeSupply Chain Tamper Evident Services and, as its name implies, involves Dell adding anti-tampering seals to its devices, transport boxes, and even entire pallets before they leave Dell factories. The anti-tampering seals will allow buyers of Dell equipment to determine if any intermediary agents or transporters have opened boxes or devices to alter physical components. The second supply chain security offering, named the Dell SafeSupply Chain Data Sanitization Services, is meant for tampering made at the storage level.

Read more of this story at Slashdot.

IBM's cyber-security division says that hackers are targeting companies associated with the storage and transportation of COVID-19 vaccines using temperature-controlled environments -- also known as the COVID-19 vaccine cold chain. From a report: The attacks consisted of spear-phishing emails seeking to collect credentials for a target's internal email and applications. While IBM X-Force analysts weren't able to link the attacks to a particular threat actor, they said the phishing campaign showed the typical "hallmarks of nation-state tradecraft." Targets of the attacks included a wide variety of companies, sectors, and government organizations alike.

Read more of this story at Slashdot.

The US Federal Bureau of Investigation says that cyber-criminals are increasingly relying on email forwarding rules in order to disguise their presence inside hacked email accounts. From a report: In a PIN (Private Industry Notification) alert sent last week and made public today, the FBI says the technique has been seen and abused in recent BEC (Business Email Compromise) attacks reported over the summer. The hackers' technique relies on a feature found in some email services called "auto-forwarding email rules." As its name implies, the feature allows the owner of an email address to set up "rules" that forward (redirect) an incoming email to another address if a certain criteria is met. Threat actors absolutely love email auto-forwarding rules as they allow them to receive copies of all incoming emails without having to log into an account each day -- and be at risk of triggering a security warning for a suspicious login.

Read more of this story at Slashdot.

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. From a report: The name of the two packages was jdb.js and db-json.js., and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis. According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed any of the two malicious libraries. The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.

Read more of this story at Slashdot.

Dan Goodin, writing for ArsTechnica: Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device -- over Wi-Fi, with no user interaction required at all. Oh, and exploits were wormable -- meaning radio-proximity exploits could spread from one nearby device to another, once again, with no user interaction needed. This Wi-Fi packet of death exploit was devised by Ian Beer, a researcher at Project Zero, Google's vulnerability research arm. In a 30,000-word post published on Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he spent six months developing single-handedly. Almost immediately, fellow security researchers took notice. "This is a fantastic piece of work," Chris Evans, a semi-retired security researcher and executive and the founder of Project Zero, said in an interview. "It really is pretty serious. The fact you don't have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you're walking along, the phone is in your pocket, and over Wi-Fi someone just worms in with some dodgy Wi-Fi packets." Beer's attack worked by exploiting a buffer overflow bug in a driver for AWDL, an Apple-proprietary mesh networking protocol that makes things like Airdrop work. Because drivers reside in the kernel -- one of the most privileged parts of any operating system -- the AWDL flaw had the potential for serious hacks. And because AWDL parses Wi-Fi packets, exploits can be transmitted over the air, with no indication that anything is amiss.

Read more of this story at Slashdot.