The Record reports that Microsoft Exchange Server patching has gone “extraordinarily well,” with approximately 92% of Exchange Servers secured against the ProxyLogon vulnerabilities. The success is largely due to Microsoft’s release of an easy-to-use script to apply mitigations. Redmond says around 30,000 servers remain vulnerable.
Threatpost stresses that patching alone won’t secure systems that have already been compromised. CyberNews quotes Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency, as saying in a webinar this week, “We know that multiple adversaries have compromised networks prior to patches being applied. And if you apply a patch, your system may still be compromised, the adversary can still be inside of your network, still be able to utilize you to attack others and disrupt your operations….You should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.”
Ars Technica says the BlackKingdom ransomware operators are among those exploiting the flaws.
Acer sustains ransomware attack.
Taiwanese computer manufacturer Acer has suffered a REvil ransomware attack, with the attackers demanding $50 million in payment, BleepingComputer reports. BleepingComputer notes that this is the highest known ransom demand to date, and the ransom note claims that it will double to $100 million if the ransom isn’t paid by the deadline.
Vitali Kremez told BleepingComputer that a REvil affiliate had targeted a Microsoft Exchange Server belonging to Acer, though it’s not yet clear if this was the cause of the attack. “Advanced Intel’s Andariel cyberintelligence system detected that one particular REvil affiliate pursued Microsoft Exchange weaponization,” Kremez said.
Acer hasn’t confirmed the attack, but told BleepingComputer in a statement:
“Acer routinely monitors its IT systems, and most cyberattacks are well defensed. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries. We have been continuously enhancing our cybersecurity infrastructure to protect business continuity and our information integrity. We urge all companies and organizations to adhere to cyber security disciplines and best practices, and be vigilant to any network activity abnormalities.”
Threat actor uses 11 zero-days in watering hole attacks.
Google’s Project Zero has published an update on a campaign they began tracking in February of last year. The campaign targeted Windows, iOS, and Android systems, usually via watering hole attacks. The threat actor was observed using four zero-days in February 2020 and seven more in October, including:
- “1 full chain targeting fully patched Windows 10 using Google Chrome
- “2 partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser, and
- “RCE exploits for iOS 11-13 and privilege escalation exploit for iOS 13 (though the vulnerabilities were present up to iOS 14.1)”
Project Zero notes that the actors were highly skilled and the campaign would have been expensive to carry out:
“The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.”
The researchers don’t offer any attribution for the attacks, although they believe there are two distinct entities working together on the campaign:
“These operational exploits also lead us to believe that while the entities between exploit servers #1 and #2 are different, they are likely working in a coordinated fashion. Both exploit servers used the Chrome Freetype RCE (CVE-2020-15999) as the renderer exploit for Windows (exploit server #1) and Android (exploit server #2), but the code that surrounded these exploits was quite different. The fact that the two servers went down at different times also lends us to believe that there were two distinct operators.”
For more, see the CyberWire Pro Research Briefing.
Facebook versus disinformation and espionage.
In an op-ed published in the Morning Consult, Facebook described the steps it’s recently taken against disinformation. In the last quarter of 2020, for example, the company took down more than 1.3 billion fake accounts. This is part of the company’s familiar work against inauthenticity, against users pretending to be who they’re not. Facebook also described the action it’s taken more directly against disinformation: “We’ve found that one of the best ways to fight this behavior is by disrupting the economic incentives structure behind it. We’ve built teams and systems to detect and enforce against inauthentic behavior tactics behind a lot of clickbait. We also use artificial intelligence to help us detect fraud and enforce our policies against inauthentic spam accounts.”
Misinformation, innocently propagated falsehoods, is in some respects a tougher challenge. Facebook is addressing it with teams of fact-checkers. All of the content moderation will be received with the usual animadversions about freedom of speech and its curtailment by censorship.
Facebook also announced on Wednesday that it had taken down a Chinese cyberespionage operation directed principally against “Uyghur activists, journalists & dissidents living abroad in Turkey, Kazakhstan, US, Syria, Australia, Canada & other countries.” Facebook’s tweet announcing the takedown cited earlier work on the threat actor by Volexity, Project Zero, and Trend Micro (who called the group “Evil Eye”). Facebook said that a lot of the surveillance activity was conducted “off platform,” with surveillance installed via maliciously crafted, bogus news articles that falsely represented themselves as media reports in outlets covering news of interest to the Uyghur diaspora. Those links are now blocked on Facebook.
SecurityWeek reports that much of the “off-platform” stuff took the form of content carried by iOS or Android apps. The Washington Post notes that the takedown shows that Facebook’s intelligence operations are now looking beyond Facebook itself.
For more, see the CyberWire Pro Disinformation Briefing.
California State Controller’s Office discloses data breach.
The California State Controller’s Office disclosed last Saturday that a threat actor gained access to the email account of an employee in its Unclaimed Property Division. The employee unwittingly submitted their login credentials on a malicious website after falling for a phishing email. The compromised data in the account includes the social security numbers and other personal identifying information of thousands of state workers. KrebsOnSecurity reports that in addition to accessing the account, the threat actor also sent spearphishing emails to over 9,000 of the employee’s contacts. The SCO stated:
“An employee of the California State Controller’s Office (SCO) Unclaimed Property Division clicked on a link in an email that appeared to come from a trusted outside entity and unknowingly provided an unauthorized user with access to the employee’s email account. The unauthorized user had access to the account from March 18, 2021 at 1:42 p.m. to March 19, 2021 at 3:19 p.m. and sent potentially malicious emails to some of the SCO employee’s contacts….SCO has reason to believe the compromised email account had personal identifying information contained in Unclaimed Property Holder Reports. These reports are submitted by companies that, after losing contact for a period of years with someone with whom they previously transacted business, turned that person’s property over to SCO. That information potentially includes the property owner’s first and last name, address at the time the property was deemed lost by the company, social security number, birth date, and the value of the property turned over to SCO.”
It’s worth noting that although SCO does offer employee training on detecting phishing scams, due to a recent change in the training guidelines, not all employees are required to participate. According to an SCO spokesperson, SCO has reached out to the contacts who may have received a malicious email from the intruder, and the office is notifying all individuals whose data might have been exposed.
For more, see the CyberWire Pro Privacy Briefing.
Florida-based security awareness training company KnowBe4 has filed for an IPO and is looking to raise $100 million, the Tampa Bay Times reports. The company stated in its filing, “We continue to experience significant growth, with total revenue of $71.3 million, $120.6 million and $174.9 million for the years ended December 31, 2018, 2019 and 2020, respectively. As of the ends of the same periods, we had annual recurring revenue, or ARR, of $88.6 million, $145.4 million and $198.4 million. For the years ended December 31, 2018, 2019 and 2020 we had net losses of $9.2 million, $124.3 million and $2.4 million, which included $0.9 million, $118.1 million and $5.2 million of stock-based compensation expense, respectively.”
Israeli cloud security company Orca Security has raised $210 million in a Series C round led by CapitalG and Redpoint Ventures, bringing the company’s valuation to $1.2 billion. Orca stated, “By the end of 2021, Orca Security plans to have nearly tripled its R&D and sales teams since its A round in May of 2020. The company also aims to expand its sales offices in Europe, recently opened a new office in Austria, and has plans to open an office in Australia to better serve APAC markets. Orca Security is also expanding its global partner program and is continuing to build rapid customer traction with partners in the U.S., Europe, Australia, and Japan.” (The company’s announcement celebrates its unicorn status by adding a narwhal tusk to its orca logo.)
New York-headquartered security risk ratings firm SecurityScorecard has raised $180 million in Series E funding from “new investors including Silver Lake Waterman, funds and accounts advised by T. Rowe Price Associates, Inc., Kayne Anderson Rudnick, and Fitch Ventures, as well as existing investors Evolution Equity Partners, Accomplice, Riverwood Capital, Intel Capital, NGP Capital, AXA Venture Partners, GV (Google Ventures), and Boldstart Ventures.” The company stated, “The new round of funding will further accelerate SecurityScorecard’s corporate growth with planned investments across new product lines, global expansion, a broadening partner ecosystem and additional functionality to assess and mitigate cybersecurity risk in novel ways.”
Jumio, an identity verification provider headquartered in Palo Alto, has raised $150 million in a funding round led by Great Hill Partners. The company stated, “The investment will accelerate Jumio’s significant global lead in the digital identity space by devoting additional resources to automate its identity verification solutions, expand the breadth of the Jumio KYX Platform and grow its suite of AML compliance services.”
Axis Security has raised $100 million in a Series C round led by Spark Capital, with participation from existing investors Canaan Partners, Ten Eleven Ventures, and Cyberstarts. The company says the funding “will accelerate Axis’ product development and feature velocity, and expand go-to-market initiatives, including expanding its direct sales team, support for channel partners, integrations, and partnerships with leading security information and event management (SIEM), security orchestration, automation and response (SOAR), identity management, and endpoint security vendors among others.”
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.
CISA on Tuesday released six advisories on industrial control systems: Ovarro TBox, GE MU320E, Weintek EasyWeb cMT, Rockwell Automation MicroLogix 1400 (Update A), Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers (Update A), and GE Reason DR60. Claroty published its own research on the vulnerabilities in one of those systems, the Ovarro TBox, which the researchers believe illustrates the risks of connecting unprotected control systems to the Internet.
Crime and punishment.
A Russian national and a Macedonian citizen have each pleaded guilty in the District of Nevada to racketeering conspiracy for their role in running the Infraud cybercriminal organization. The Russian, Sergey Medvedev, has been sentenced to ten years in prison, while the Macedonian, Marko Leopard, will serve five years. The Justice Department stated, “Infraud was a criminal enterprise that existed to enrich its members and associates through a myriad of criminal acts of identity theft and financial fraud. Infraud facilitated the sale of contraband by its members, including counterfeit documents, stolen bank account and credit account information, and stolen personal identifying information. Members and associates of Infraud operated throughout the world and the United States, to include Las Vegas. The enterprise, which boasted over 10,000 members at its peak and operated for more than seven years under the slogan “In Fraud We Trust,” is among the largest ever prosecuted by the Department of Justice. Infraud was responsible for the sale and/or purchase of over 4 million compromised credit and debit card numbers. The actual loss associated with Infraud was in excess of $568 million USD.”
Courts and torts.
The US Supreme Court has turned down Facebook’s appeal in a $15 billion class-action lawsuit concerning the company’s non-consensual tracking of users outside of Facebook itself via website plugins, Reuters reports. The lawsuit accuses the company of violating the Wiretap Act.
Policies, procurements, and agency equities.
The Business Standard reports that India’s Ministry of Road Transport and Highways on Sunday alerted the country’s transportation sector to expect cyberespionage. The Hindu BusinessLine quotes a note they obtained from CERT-In: “CERT-In has observed continued targeted intrusion activities from Chinese state-sponsored actors towards Indian transport sector with the possible intention to collect intelligence and conduct cyber espionage. The notable threat actors such as APT41/Barium, Tonto Team, APT101 StonePanda, APT15/K3yChang, APT27/Emissary Panda, Winnti groups & RedEcho have been targeting organisations across a range of industries aligned with the national strategic goals of the Chinese national policy priorities.”
- “the plans to create a network of security operation centres across the EU to monitor and anticipate signals of attacks on networks
- “the definition of a joint cyber unit which would provide clear focus to the EU’s cybersecurity crisis management framework
- “its strong commitment to applying and swiftly completing the implementation of the EU 5G toolbox measures and to continuing efforts made to guarantee the security of 5G networks” and the development of future network generations
- “the need for a joint effort to accelerate the uptake of key internet security standards, as they are instrumental to increase the overall level of security and openness of the global internet” while increasing the competitiveness of the EU industry
- “the need to support the development of strong encryption as a means of protecting fundamental rights and digital security, while at the same time ensuring the ability of law enforcement and judicial authorities to exercise their powers both online and offline”
The Wall Street Journal quotes acting CISA director Wales as saying that Hafnium and Holiday Bear have distracted the agency from its public-private intelligence-sharing efforts. “Frankly, some of the recent cyber incidents have prevented us from spending as much time on that,” Wales said at a Cyber Initiatives Group conference.
For more, see the CyberWire Pro Policy Briefing.