The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- SolarWinds: the tip of the iceberg. Our latest update on the recent SolarWinds supply chain attack.
- Networking device manufacturer faces data breach. Ubiquiti has identified unauthorised access to some of its key systems, which may include customer databases.
- Mimecast authentication certificate compromised. The compromise has, to date, impacted a small number of Mimecast customers.
- Ransomware on our radar. Chinese threat group, APT27, has reportedly added ransomware to its repertoire, meanwhile ransomware groups have been going after senior leadership to maximise their extortion operations.
- Concerns over mobile device security. A redeveloped strain of Android malware and a hacking campaign against Windows and Android users.
- Capitol riots: We the People, on social media. Last week’s riots at the US Capitol saw the fears of those researching online extremism realised, with tech giants taking decisive actions in response to the violence.
SolarWinds: the tip of the iceberg
- SolarWinds has provided an update on its investigation into the SUNBURST malware. Attackers first compromised SolarWinds’ development environment on 4 September 2019 and then began testing code designed to inject a backdoor into Orion, the SolarWinds IT monitoring suite used by many large global organisations.
- Technical analysis revealed that the intruders were testing whether their purpose-built ‘SUNSPOT’ implant could insert a malicious backdoor into Orion during the build process without tripping alarms.
- The US Department of Justice (DOJ) confirmed that it too was caught up in the SolarWinds attack. Reportedly, hackers leveraged the trojanised Orion update to move across the DOJ’s network and access some employees’ O365 mailboxes.
So what for security teams? Review your network hardening and threat-hunting capabilities, starting with confirming whether any affected Orion build was ever installed in your environment.
So what for software development teams? Look to integrate security throughout the development process by designing security requirements, applying ongoing static and dynamic analysis, and conducting code reviews and penetration tests. (See here for more information regarding integrating security into the DevOps cycle with DevSecOps).
Another link in the supply chain: Ubiquiti suffers a data breach
- Networking device manufacturer and cloud management platform Ubiquiti suffered a data breach. Best known for its UniFi wired and wireless network products, Ubiquiti became aware of the breach after it noticed unauthorised access to cloud-hosted IT systems.
- The breach may be related to a widespread outage of Ubiquiti’s cloud management platform that prevented customers from using the web and mobile applications that manage their devices.
So what? Because hackers are targeting organisations to gain access to their customers, businesses should increase the scrutiny of their digital supply chains and re-evaluate their vendor risk management controls.
Sophisticated threat actor compromises Mimecast authentication certificate
- A threat actor compromised a Mimecast-issued certificate used to authenticate certain Mimecast products to Microsoft 365 Exchange Web Services. Mimecast, a global cloud email security provider, reports that the certificate allowed the attacker to connect to its customers’ Microsoft 365 tenants. Approximately 10 percent of Mimecast’s customer base uses this certificate-based connection, but only a small number of those customers have had their Microsoft 365 tenancies targeted so far.
- Although several security companies, including CrowdStrike, have confirmed attempted attacks by the threat actor behind the SolarWinds breach, Mimecast has not stated that the “sophisticated threat actor” is the same one involved in the SolarWinds attack.
So what? If you use Mimecast’s Sync and Recover, Continuity Monitor or Internal Email Protect (IEP) products, refer to Mimecast’s latest update for urgent mitigation measures: affected customers are asked to delete the existing connection in their Microsoft 365 tenant and re-establish it using the newly issued certificate.
Ransomware: Enter China? Targeting Executives' Data?
- The Chinese threat group, APT27, has reportedly added ransomware to its repertoire. Although Chinese APT (Advanced Persistent Threat) groups are not traditionally linked to financially-motivated cybercrimes, researchers found malware code, tactics, techniques, and procedures that are closely associated with APT27 in several recent ransomware incidents.
- Data on devices belonging to senior executives and leadership teams is increasingly being targeted by ransomware groups in search of information that can be used to extort their victims into paying ransoms. Ransomware groups have already been cold-calling executives to maximise their extortion operations, and ZDNet now reports that one ransomware group has been prioritising data exfiltration from senior executives’ workstations.
Mobile security: Android malware exposed and Google uncovers hacking campaign
- A new strain of Android malware, Rogue, has been identified on underground forums. The mobile remote access trojan (MRAT) can access, monitor, modify or exfiltrate sensitive user data including location, contacts, messages, files and calls. (Refer to Check Point’s research paper for further details.)
- Google’s Project Zero bug-hunting team has reported a hacking campaign exploiting zero-day and n-day vulnerabilities in Windows and Android. The campaign took place in early 2020, although Google has not disclosed the attacker’s identity nor the victims targeted.
So what? Swiftly update mobile operating systems and maintain user vigilance when downloading applications from online stores.
Capitol riots: We the People, on social media
- Last week’s riots at the US Capitol saw the fears of those researching online extremism realised. Although security researchers had warned of increased online extremist chatter, US lawmakers are asking why the security apparatus was surprised when rioters stormed the Capitol.
- Tech companies took decisive (and divisive) action. Twitter permanently suspended @realDonaldTrump, while Facebook banned ‘stop the steal’ content. Parler, an alternative social media platform, was removed from Amazon’s cloud hosting service as well as from the Apple and Google Play stores. The riots and the responses by tech companies have prompted debate on revising Section 230, the US law that shields websites from liability for content posted by their users.
- In other social media developments, messaging apps Signal and Telegram saw a spike in new users while WhatsApp downloads declined by 17 percent. This is largely attributed to controversial changes to WhatsApp’s privacy terms, under which the app will share more user data with its parent company Facebook.
So what for security teams? Consider how threats made in the digital realm can turn physical and how monitoring for online threats can help you contain emerging risks to your organisation and people.
- Earlier this week was Microsoft’s monthly Patch Tuesday, on which Microsoft patched 83 vulnerabilities, including one zero-day (CVE-2021-1647), a remote code execution flaw in the Microsoft Defender malware protection engine that was being actively exploited in the wild.
- Capcom, the Japanese gaming company, has announced that as many as 390,000 people may be affected by a data breach originating from a ransomware attack it suffered in November last year. This follows our story last week regarding gaming companies being increasingly targeted by cybercriminals.
- Microsoft has updated its Sysmon utility to detect Process Herpaderping and Process Hollowing attacks. Both techniques alter a process’s image on disk or in memory after the process is created, so that the executable security tools inspect does not match the code actually running.
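As an added example, not taken from the briefing or from Microsoft’s documentation, the following Sysmon configuration fragment turns on the new process tampering event so that these techniques are logged. It assumes Sysmon 13 or later (configuration schema 4.50), which is the release that introduced the ProcessTampering rule type; the file name used in the usage note is illustrative.

```xml
<!-- Added example (not from the briefing or from Microsoft): minimal Sysmon
     configuration that enables the process tampering event.
     Assumes Sysmon 13+ (schema 4.50), where ProcessTampering was added. -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 25 (ProcessTampering). An "exclude" rule with no child
           filters means every tampering event is recorded. Add Image
           exclusions only after baselining the noise from your own software;
           do not blanket-exclude system paths, because hollowed processes
           typically carry a legitimate image name such as svchost.exe. -->
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64.exe -c sysmon-config.xml` (or `-i` for a fresh install). Resulting events appear in the Microsoft-Windows-Sysmon/Operational log as Event ID 25; the Type field distinguishes ‘Image is locked for access’ (herpaderping) from ‘Image is replaced’ (hollowing), and the Image and ProcessGuid fields let you pivot to the corresponding Event ID 1 process creation record.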
Sources: ‘Going Rogue – a Mastermind behind Android Malware Returns with a New RAT’, Check Point Research, 12 January 2021.
‘Microsoft January 2021 Patch Tuesday fixes 83 flaws, 1 zero-day’, Bleeping Computer, 12 January 2021; ‘Microsoft patches Defender antivirus zero-day exploited in the wild’, Bleeping Computer, 12 January 2021.