The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- Codecov supply chain attack: Attackers inject a trojan into a code coverage tool to harvest credentials.
- US sanctions Russia: The White House takes punitive actions for SolarWinds supply chain attack.
- Securing the grid: Eversource, the largest energy supplier in New England, suffers breach impacting 4.3M customers.
- Ransomware round-up: Apple extorted, and a ransomware group demands gift codes.
- Roped in: Hostile state manipulation at an ‘industrial scale’ on professional networking sites.
- SonicWall vulnerabilities exploited in the wild: Customers should upgrade to a patched version!
CODE COVERAGE TOOL UNCOVERS A TROJAN IN SUPPLY CHAIN ATTACK
- Attackers exploited a vulnerability in Codecov’s development process to inject a trojan into the software supply chain tool Bash Uploader. The threat actors modified the tool to send any credentials, code, and keys to attacker-owned servers.
- Codecov became aware of the breach after a client reported the tool using an incorrect checksum. The actors reportedly had access since the end of January.
SO WHAT? Consider verifying the checksum of every third-party tool you download before running it, to ensure it has not been tampered with. Reset any credentials that the Codecov Bash Uploader could have accessed in your CI environments if it was used in your projects.
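The checksum check recommended above, as an added example that is not part of the original briefing and not Codecov's own code: a small POSIX shell function that compares a downloaded script's SHA-256 against a published value and refuses to report success unless they match. The file and its expected hash are constructed here for illustration; in practice the expected value comes from the vendor's release notes or a signed manifest, fetched separately from the script itself.

```shell
#!/bin/sh
# Added example (not S-RM's or Codecov's code): verify a downloaded script's
# SHA-256 against a published value before it is ever executed.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 if FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise (including
# when FILE is missing). The file is only read, never executed.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    # Prefer GNU coreutils sha256sum; fall back to shasum (macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    # Normalise case so a hash copied from a web page still compares equal.
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# make_sample: constructed stand-in for a downloaded uploader script.
# Writes "hello\n" to a temp file and prints its path. The SHA-256 of
# that content is the well-known
# 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03.
make_sample() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/uploader.sh"
    printf '%s\n' "$dir/uploader.sh"
}

# tamper_sample FILE: simulates a modified download by appending a line,
# which changes the hash and must cause verify_sha256 to fail.
tamper_sample() {
    printf 'curl -s http://example.invalid/ >/dev/null\n' >> "$1"
}

# Typical use (hash would be the vendor-published value):
#   verify_sha256 ./uploader.sh "$PUBLISHED_SHA256" && sh ./uploader.sh
```

The pattern to keep is the `verify && run` ordering: execution is gated on the comparison succeeding, and a missing file, a typo in the expected hash, or a single appended byte all leave the script unexecuted. This is the same class of check that surfaced the Codecov modification, since the distributed Bash Uploader no longer matched its published checksum.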
US SANCTIONS RUSSIA FOR SOLARWINDS, AND A NEW BACKDOOR EXTENDS THE SOLARWINDS TIMELINE
- US expels ten diplomats and places new sanctions on Russia. The economic and diplomatic actions penalise Russia for SolarWinds, as well as other activity, such as attempts to manipulate US elections.
- SolarWinds backdoor uploaded to VirusTotal in August 2020. The newly discovered backdoor sample was uploaded by a US Commerce Department employee, four months before the supply chain attack came to light in December 2020.
SO WHAT? These US government actions signal a change of approach to cyber espionage by the Biden administration. Senior US officials suggest some punitive actions ‘will remain unseen,’ suggesting the White House response might include covert cyber measures.
SECURING THE GRID: ELECTRICITY PROVIDER’S DATA BREACH SHOCK
- Energy supplier Eversource suffers data breach. An unsecured cloud storage server exposed the personal details of 4.3 million customers including names, addresses, phone numbers, social security numbers, and account numbers.
- Biden protects energy companies’ supply chains. US President Biden agreed to resume implementation of a suspended Trump-era executive order to shore up the cyber security of the power grid and impose restrictions on electric equipment from China and Russia.
SO WHAT? Organisations should secure public-facing cloud services, ensuring that access to storage is restricted to authenticated and authorised users only.
RANSOMWARE ROUND-UP: APPLE EXTORTED, AND RANSOMWARE GROUP DEMANDS GIFT CODES
- REvil extorts Apple. The ransomware group stole product blueprints from Apple’s business partner Quanta Computer, a Taiwanese manufacturer.
- New ransomware group Nitro Ransomware demands Discord Nitro gift codes to decrypt files. Deviating from the typical cryptocurrency demand, the group requires its victims to supply gift codes for Discord’s Nitro subscription add-on, purchasable for USD 9.99 per month.
SO WHAT? Ransomware groups are continuously innovating. Organisations must include ransomware attacks and breaches at suppliers in their incident response planning, and expect payment to be demanded in forms other than Bitcoin.
SOCIAL MEDIA MANIPULATION: RECOGNISE, REALISE, REPORT, REMOVE
- Over 10,000 UK nationals approached via malicious LinkedIn profiles. Security services identify government employees and those in critical industries as most at risk from malicious campaigns run by hostile states and criminal organisations.
- UK Government’s Centre for the Protection of National Infrastructure (CPNI) raises awareness with its ‘Think Before You Link’ campaign. LinkedIn backs the initiative to prevent manipulation and data leaks.
SO WHAT? Encourage employees to think about the ‘4 Rs’ – recognise, realise, report, remove – to help mitigate social engineering attempts on professional networking sites.
SONICWALL VULNERABILITIES ACTIVELY EXPLOITED
- SonicWall urges customers to patch three zero-day vulnerabilities affecting security products. The vulnerabilities have been actively exploited in the wild, allowing threat actors to install backdoors, access emails, and move laterally across the network.
- The three vulnerabilities in question are CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023.
SO WHAT? SonicWall customers should upgrade their email security builds to 10.0.9.6173 for Windows and 10.0.9.6177 for hardware / ESXi virtual appliances. Upgrade instructions can be found here.