Reading view

Malware Uses WiFi BSSID for Victim Identification

Slashdot
Author: msmash
An anonymous reader shares a report: Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location. While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer. However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first. This second technique relies on grabbing the infected user's BSSID. Known as a "Basic Service Set Identifier," the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi. You can see the BSSID on Windows systems by running the command:

    netsh wlan show interfaces | find "BSSID"

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.
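From the defender's side, the collection step described above leaves a trace in process-creation telemetry: something has to spawn netsh with the wlan arguments. The script below is an added example, not code from the ISC post or the Slashdot story. It scans constructed log lines shaped like Sysmon Event ID 1 (the field names follow Sysmon; every value is made up here) and rates each netsh wlan invocation by how plausible its parent process is. The interactive-parent and suspicious-parent lists, and the user-writable path pattern, are assumptions a team would tune to its own environment.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample events (no real telemetry); each line is one JSON object
# with Sysmon-style field names. The last line is deliberately malformed.
SAMPLE_EVENTS: List[str] = [json.dumps(e) for e in (
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "netsh wlan show interfaces",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "CommandLine": 'netsh wlan show interfaces | find "BSSID"',
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "netsh interface ip show config",
     "User": r"CORP\carol"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd /c netsh wlan show interfaces",
     "User": r"CORP\dave"},
)] + ["<malformed line from a truncated log>"]

# The command from the ISC post; matching the command line (not only Image)
# also catches it when wrapped in "cmd /c ...".
NETSH_WLAN = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+interfaces\b", re.IGNORECASE)
# Output piped through find/findstr for BSSID signals interest in that one field.
BSSID_FILTER = re.compile(r"\bfind(?:str)?\b.*bssid", re.IGNORECASE)
# Assumed: parents launched from temp/download folders deserve scrutiny.
USER_WRITABLE = re.compile(r"\\(?:temp|tmp|downloads)\\", re.IGNORECASE)
# Assumed allow-list: an admin typing the command by hand arrives via these.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
# Assumed deny-list: document viewers and script hosts have no business reading Wi-Fi state.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a netsh wlan invocation, or None if the event is unrelated."""
    cmd = event.get("CommandLine", "")
    if not NETSH_WLAN.search(cmd):
        return None
    parent = event.get("ParentImage", "")
    pname = basename(parent)
    reasons: List[str] = []
    if pname in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {pname}")
    if USER_WRITABLE.search(parent):
        reasons.append("parent runs from a user-writable directory")
    if BSSID_FILTER.search(cmd):
        reasons.append("output filtered for BSSID")
    if reasons:
        severity = "high"
    elif pname in INTERACTIVE_PARENTS:
        severity = "low"      # plausible manual troubleshooting; keep for context
    else:
        severity = "medium"   # unknown parent, no other indicator
    return {"user": event.get("User", ""), "parent": pname,
            "command": cmd, "severity": severity, "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON log lines, skip unparsable ones, and collect alerts in input order."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['user']} parent={a['parent']} reasons={a['reasons']}")
```

Against the constructed events this yields three alerts: the explorer.exe-spawned command is rated low, while the one launched from a Temp-directory executable with a BSSID filter and the one spawned by WINWORD.EXE via cmd /c are rated high; the unrelated "netsh interface ip" event and the malformed line produce nothing.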

Read more of this story at Slashdot.

Is the US Government's Cybersecurity Agency Up to the Job?

CNN reports that some critics are now questioning whether America's Cybersecurity and Infrastructure Security Agency (CISA) is equipped to protect the integrity of government systems from adversaries: Some of the nearly half-dozen government agencies affected by the hack have recently reached out to CISA for help with addressing the known vulnerabilities that were exploited in the attack but were told the agency did not have enough resources to provide direct support, according to a source familiar with the requests. The person noted the slow response has only increased the perception that CISA is overstretched. Multiple sources told CNN that CISA, which operates as the Department of Homeland Security's cyber arm, does not have the appropriate level of funding or necessary resources to effectively handle an issue of this magnitude. "It's a two-year-old agency with about 2,000 employees, so clearly that level of responsibility is not commensurate with the resources that they have," Kiersten Todt, a former Obama cybersecurity official and managing director of the Cyber Readiness Institute, recently told CNN.... "CISA is not capable," according to James Andrew Lewis, cybersecurity and technology expert at the Center for Strategic and International, who added that the agency's failure to detect the breach months ago was largely due to the fact its attention and resources were consumed by efforts to secure the 2020 presidential election. "CISA has always been and will continue to be slammed by the responsibilities heaped on it by law," Daniel Dister, New Hampshire's chief information security officer, told CNN. "They have been overloaded with work from the start and have had a hard time coming up to the level of expertise that DoD/CYBERCOM/NSA has enjoyed." Yesterday the New York Times noted the breach wasn't detected by any U.S. government cyberdefense agency (or the Department of Homeland Security), but by private cybersecurity firm FireEye. 
"It's clear the United States government missed it," the Times was told by Senator Mark Warner, ranking member of the Senate Intelligence Committee. "And if FireEye had not come forward, I'm not sure we would be fully aware of it to this day." The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks. The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security. "Early warning" sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.

Backdoor Account Discovered in More Than 100,000 Zyxel Firewalls, VPN Gateways

Slashdot
Author: msmash
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel. From a report: The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities. Device owners are advised to update systems as soon as time permits. Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.

T-Mobile Data Breach Exposed Phone Numbers, Call Records

Slashdot
Author: msmash
T-Mobile has announced a data breach exposing customers' proprietary network information (CPNI), including phone numbers and call records. From a report: Starting this week, T-Mobile began texting customers that a "security incident" exposed their account's information. According to T-Mobile, its security team recently discovered "malicious, unauthorized access" to their systems. After bringing in a cybersecurity firm to perform an investigation, T-Mobile found that threat actors gained access to the telecommunications information generated by customers, known as CPNI. The information exposed in this breach includes phone numbers, call records, and the number of lines on an account.

CISA Updates SolarWinds Guidance, Tells US Govt Agencies To Update Right Away

Slashdot
Author: msmash
The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack. From a report: In an update posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year. Agencies that can't update by that deadline are to take all Orion systems offline, per CISA's original guidance, first issued on December 18. The guidance update comes after security researchers uncovered a new major vulnerability in the SolarWinds Orion app over the Christmas holiday. Tracked as CVE-2020-10148, this vulnerability is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. This vulnerability was being exploited in the wild to install the Supernova malware on servers where the Orion platform was installed, in attacks separate from the SolarWinds supply chain incident.

Vietnam Targeted in Complex Supply Chain Attack

Slashdot
Author: msmash
A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit. From a report: The attack, discovered by security firm ESET and detailed in a report named "Operation SignSight," targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents. Any Vietnamese citizen, private company, and even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate. The VGCA doesn't only issue these digital certificates but also provides ready-made and user-friendly "client apps" that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.

Russians Are Believed To Have Used Microsoft Resellers in Cyberattacks

Slashdot
Author: msmash
As the United States comes to grips with a far-reaching Russian cyberattack on federal agencies, private corporations and the nation's infrastructure, new evidence has emerged that the hackers hunted their victims through multiple channels. From a report: The most significant intrusions discovered so far piggybacked on software from SolarWinds, the Austin-based company whose updates the Russians compromised. But new evidence from the security firm CrowdStrike suggests that companies that sell software on Microsoft's behalf were also used to break into customers of Microsoft's Office 365 software. Because resellers are often entrusted to set up and maintain clients' software, they -- like SolarWinds -- have been an ideal front for Russian hackers and a nightmare for Microsoft's cloud customers, who are still assessing just how deep into their systems Russia's hackers have crawled. "They couldn't get into Microsoft 365 directly, so they targeted the weakest point in the supply chain: the resellers," said Glenn Chisholm, a founder of Obsidian, a cybersecurity firm. CrowdStrike confirmed Wednesday that it was also a target of the attack. In CrowdStrike's case, the Russians did not use SolarWinds but a Microsoft reseller, and the attack was unsuccessful. A CrowdStrike spokeswoman, Ilina Dimitrova, declined to elaborate beyond a company blog post describing the attempted attack. The approach is not unlike the 2013 attack on Target in which hackers got in through the retailer's heating and cooling vendor. The latest Russian attacks, which are thought to have begun last spring, have exposed a substantial blind spot in the software supply chain. 
Companies can track phishing attacks and malware all they want, but as long as they are blindly trusting vendors and cloud services like Microsoft, Salesforce, Google's G-Suite, Zoom, Slack, SolarWinds and others -- and giving them broad access to employee email and corporate networks -- they will never be secure, cybersecurity experts say. "These cloud services create a web of interconnections and opportunity for the attacker," Mr. Chisholm said. "What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need 2021 defenses." Some reports have confused the latest development with a breach of Microsoft itself. But the company said it stood by its statement last week that it was not hacked, nor was it used to attack customers.

GoDaddy Employees Were Told They Were Getting a Holiday Bonus. It Was Actually a Phishing Test.

Slashdot
Author: msmash
An anonymous reader shares a report (alternative source): "2020 has been a record year for GoDaddy, thanks to you!" the email read. Sent by [email protected], tucked underneath a glittering banner of a snowflake and stamped with the words "GoDaddy Holiday Party," the Dec. 14 email to hundreds of GoDaddy employees promised some welcome financial relief during an otherwise stressful year. "Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!" the email read. "To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th." But, two days later, the company sent another email. "You're getting this email because you failed our recent phishing test," the company's chief security officer Demetrius Comes wrote. "You will need to retake the Security Awareness Social Engineering training." The follow-up email from Comes said that roughly 500 GoDaddy employees clicked on the holiday bonus email and failed the test. Scottsdale-based GoDaddy, the world's largest domain registrar and web-hosting company, did not respond to repeated requests for comment about the emails. The emails were forwarded to The Copper Courier by three GoDaddy employees.

Hackers Threaten To Leak Plastic Surgery Pictures

Slashdot
Author: msmash
Hackers have stolen the data of a large cosmetic surgery chain and are threatening to publish patients' before and after photos, among other details. From a report: The Hospital Group, which has a long list of celebrity endorsements, has confirmed the ransomware attack. It said it had informed the Information Commissioner of the breach. On its darknet webpage, the hacker group known as REvil said the "intimate photos of customers" were "not a completely pleasant sight." It claimed to have obtained more than 900 gigabytes of patient photographs. The Hospital Group, which is also known as the Transform Hospital Group, claims to be the UK's leading specialist weight loss and cosmetic surgery group. It has 11 clinics specialising in bariatric weight loss surgery, breast enlargements, nipple corrections and nose adjustments. The company has previously promoted itself via celebrity endorsements, although it has not done so for several years. Former Big Brother contestant Aisleyne Horgan-Wallace told Zoo magazine about her breast enhancement surgery with The Hospital Group in 2009. Atomic Kitten singer Kerry Katona, Shameless actress Tina Malone and reality TV star Joey Essex from The Only Way is Essex are also previous patients who have endorsed the clinic.

'Dozens of Email Accounts' Were Hacked At US Treasury

Slashdot
Author: BeauHD
An anonymous reader quotes a report from Reuters: Dozens of email accounts at the U.S. Treasury Department were compromised by the powerful hackers responsible for a wide-ranging espionage campaign against U.S. government agencies, the office of U.S. Senator Ron Wyden said on Monday. In a written statement, Wyden's office said that Senate Finance Committee staff were briefed that the hack of the Treasury Department appears to have been a significant one, "the full depth of which isn't known." Wyden, the most senior Democrat on the committee, said that Microsoft notified the agency that dozens of email accounts had been compromised and that the hackers also penetrated the systems at Treasury's Departmental Offices division, which is home to its top officials. "Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen," the statement said, although it added that the Internal Revenue Service said there was no evidence the tax agency was compromised or that taxpayer data was affected. A Wyden aide said the hackers were able to access the Treasury officials' Microsoft-hosted inboxes after taking control of the cryptographic key used by Treasury's "single sign on" infrastructure -- a service used in many organizations so that employees can access a variety of services with a single username and password. The aide quoted Treasury officials as saying Mnuchin's inbox was not among those affected. Wyden's statement contrasts with that of Treasury Secretary Steven Mnuchin, who told CNBC earlier in the day that "the good news is there has been no damage, nor have we seen any large amounts of information displaced." He added: "I can assure you, we are completely on top of this."

Microsoft and McAfee Headline Newly-Formed 'Ransomware Task Force'

Slashdot
Author: msmash
A group made up of 19 security firms, tech companies, and non-profits, headlined by big names such as Microsoft and McAfee, have announced on Monday plans to form a new coalition to deal with the rising threat of ransomware. From a report: Named the Ransomware Task Force (RTF), the new group will focus on assessing existing technical solutions that provide protections during a ransomware attack. The RTF will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members. The end result should be a standardized framework for dealing with ransomware attacks across verticals, one based on an industry consensus rather than individual advice received from lone contractors.

Microsoft: a Second, Different Threat Actor Had Also Infected SolarWinds With Malware

Reuters reports: A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company's products earlier this year, according to a security research blog by Microsoft. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the blog said... It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file's compile times. Microsoft's detailed blog post notes that the code "provides an attacker the ability to send and execute any arbitrary C# program on the victim's device."

3 Million Users Have Installed 28 Malicious Chrome or Edge Extensions, Says Avast

More than three million internet users are believed to have installed 15 Chrome and 13 Edge extensions that contain malicious code, reports ZDNet, citing an announcement from cybersecurity company Avast: Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. "For every redirection to a third party domain, the cybercriminals would receive a payment," the company said. Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites. Jan Rubín, Malware Researcher at Avast, said they couldn't identify if the extensions had been created with malicious code from the beginning or if the code was added via an update when each extension passed a level of popularity. And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify. Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions. ZDNet's article includes Avast's lists of the 28 extensions which they're recommending be uninstalled by users. ZDNet also notes that "A day after Avast published its findings, only three of the 15 Chrome extensions were removed, while all the Edge add-ons were still available for download. A source familiar with the investigation told ZDNet that Microsoft has not been able to confirm the Avast report."

Microsoft: 2021 Is the Year Passwords Die

Slashdot
Author: BeauHD
Usama Jawad writes via Neowin: Microsoft has been a proponent of passwordless technology for quite some time, saying that it wants traditional and unsafe passwords to die. To that end, it has invested in various solutions over the past few years such as Windows Hello, Microsoft Authenticator, FIDO2 security keys, and a palm vein authentication system, among other things. Now, the company has highlighted the strides it made to kill off passwords in 2020, and has stated that it plans to make them a thing of the past for all its customers in 2021. Microsoft noted that almost 80% of all cyberattacks target passwords, and one in 250 corporate accounts get compromised each month due to this. That said, the company is making an effort to transition people to passwordless solutions. In November 2019, 100 million people were using Microsoft's passwordless sign-in. This number grew to 150 million by May 2020, which goes to show how millions of people are ready to ditch passwords due to the inconvenience of remembering them, coupled with how insecure they can be. [...] 2021 is the year in which Microsoft plans to make passwords obsolete for all its customers. It is currently developing new APIs and a UX for managing FIDO2 security keys, and is also aiming to deliver a "converged registration portal," where customers can manage their passwordless credentials. While it hopes that 2021 marks a return to the "old normal," the company has emphasized that going passwordless will make online lives significantly easier.

Hackers Tied To Russia Hit US Nuclear Agency, Three States

Slashdot
Author: BeauHD
The U.S. nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber attack that struck a number of federal government agencies. Microsoft Corp. was also breached, and its products were used to further attacks on others, Reuters reported. Bloomberg reports: The Energy Department and its National Nuclear Security Administration, which maintains America's nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. An ongoing investigation has found the hack didn't affect "mission-essential national security functions," Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement. "At this point, the investigation has found that the malware has been isolated to business networks only," Hynes said. The hack of the nuclear agency was reported earlier by Politico. In addition, two people familiar with the broader government investigation into the attack said three states were breached, though they wouldn't identify the states. A third person familiar with the probe confirmed that states were hacked but didn't provide a number. In an advisory Thursday that signaled the widening alarm over the breach, the Cybersecurity and Infrastructure Security Agency said the hackers posed a "grave risk" to federal, state and local governments, as well as critical infrastructure and the private sector. The agency said the attackers demonstrated "sophistication and complex tradecraft."

Up To 3 Million Devices Infected By Malware-Laced Chrome and Edge Add-Ons

Slashdot
Author: BeauHD
As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday. Ars Technica reports: In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft. Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer. In a post, the researchers wrote: "Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User's privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)." The researchers don't yet know if the extensions came with the malicious code preinstalled or if the developers waited for the extensions to gain a critical mass of users and only then pushed a malicious update. 
It's also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously. [...] The list Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.

Microsoft and Industry Partners Seize Key Domain Used In SolarWinds Hack

Slashdot
Author: BeauHD
An anonymous reader quotes a report from ZDNet: Microsoft and a coalition of tech companies have intervened today to seize and sinkhole a domain that played a central role in the SolarWinds hack, ZDNet has learned from sources familiar with the matter. The domain in question is avsvmcloud[.]com, which served as the command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app. SolarWinds Orion updates versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained a strain of malware named SUNBURST (also known as Solorigate). Once installed on a computer, the malware would sit dormant for 12 to 14 days and then ping a subdomain of avsvmcloud[.]com. According to analysis from security firm FireEye, the C&C domain would reply with a DNS response that contained a CNAME field with information on another domain from where the SUNBURST malware would obtain further instructions and additional payloads to execute on an infected company's network. Earlier today, a coalition of tech companies seized and sinkholed avsvmcloud[.]com, transferring the domain into Microsoft's possession. Sources familiar with today's actions described the takedown as "protective work" done to prevent the threat actor behind the SolarWinds hack from delivering new orders to infected computers.

Academics Turn RAM Into Wi-Fi Cards To Steal Data From Air-Gapped Systems

Slashdot
Author: msmash
Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card. From a report: Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems. [...] At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through. Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz). In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal. This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more. Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.

Hackers at Center of Sprawling Spy Campaign Turned SolarWinds' Dominance Against It

Slashdot
Author: msmash
An anonymous reader shares a report: On an earnings call two months ago, SolarWinds Chief Executive Kevin Thompson touted how far the company had gone during his 11 years at the helm. There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call. "We don't think anyone else in the market is really even close in terms of the breadth of coverage we have," he said. "We manage everyone's network gear." Now that dominance has become a liability -- an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers. On Monday, SolarWinds confirmed that Orion -- its flagship network management software -- had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers. [...] Cybersecurity experts across government and private industry are still struggling to understand the scope of the damage, which some are already calling one of the most consequential breaches in recent memory. [...] Experts are reviewing their notes to find old examples of substandard security at the company. Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password "solarwinds123". "This could have been done by any attacker, easily," Kumar said. Others -- including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress -- noticed that, even days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

SolarWinds Says 18,000 Customers Were Impacted by Recent Hack

Slashdot
Author: msmash
IT software provider SolarWinds downplayed a recent security breach in documents filed with the US Securities and Exchange Commission on Monday. From a report: SolarWinds disclosed on Sunday that a nation-state hacker group breached its network and inserted malware in updates for Orion, a software application for IT inventory management and monitoring. Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware, SolarWinds said in a security advisory. The trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers. But while initial news reports on Sunday suggested that all of SolarWinds' customers were impacted, in SEC documents filed today, SolarWinds said that of its 300,000 total customers, only 33,000 were using Orion, a software platform for IT inventory management and monitoring, and that fewer than 18,000 are believed to have installed the malware-laced update. The company said it notified all its 33,000 Orion customers on Sunday, even if they didn't install the trojanized Orion update, with information about the hack and mitigation steps they could take.
