AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 12/07/2021

SolarWinds hackers have a whole bag of new tricks for mass compromise attacks

Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies. Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.


Hackers take $196 million from crypto exchange Bitmart, security firm says

Hackers have taken $196 million from crypto trading platform Bitmart, a security firm said Saturday. Bitmart confirmed the hack in an official statement Saturday night, calling it “a large-scale security breach” and writing that hackers withdrew about $150 million in assets. However, blockchain security and data analytics firm Peckshield estimates that the loss is closer to $200 million. Bitmart added in a statement that all withdrawals had been temporarily suspended until further notice and said a thorough security review was underway. Peckshield was the first to notice the breach on Saturday, noting that one of Bitmart’s addresses showed a steady outflow of tens of millions of dollars to an address which Etherscan referred to as the “Bitmart Hacker.”


Microsoft seizes 42 websites from a Chinese hacking group

Microsoft said Monday that it had seized 42 websites from a Chinese hacking group in an effort to disrupt the group’s intelligence-gathering operations. The company said in a news release that a federal court in Virginia had granted Microsoft’s request to allow its digital crimes unit to take over the U.S.-based websites, which were being run by a hacker group known as Nickel or APT15. The company is redirecting the websites’ traffic to secure Microsoft servers to “help us protect existing and future victims while learning more about Nickel’s activities.” Microsoft said it has been tracking Nickel since 2016 and had found that its “highly sophisticated” attacks intended to install unobtrusive malware that allowed for surveillance and data theft.


US military officially confirms action against ransomware groups

Tackling ransomware operators in the US is no longer just a job for the police but also for the military, national intelligence officers and spies, government officials have revealed. Speaking to the New York Times, US General Paul M. Nakasone, the head of Cyber Command and the director of the National Security Agency, explained that nine months ago the US government considered ransomware threats a job for law enforcement agencies. However, as ransomware groups started targeting crucial national infrastructure (think Colonial Pipeline, JBS, and the like), it became clear that the destructive power could undermine national security. As a result, the military took over.


The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users

Life360, a popular family safety app used by 33 million people worldwide, has been marketed as a great way for parents to track their children’s movements using their cellphones. The Markup has learned, however, that the app is selling data on kids’ and families’ whereabouts to approximately a dozen data brokers who have sold data to virtually anyone who wants to buy it. Through interviews with two former employees of the company, along with two individuals who formerly worked at location data brokers Cuebiq and X-Mode, The Markup discovered that the app acts as a firehose of data for a controversial industry that has operated in the shadows with few safeguards to prevent the misuse of this sensitive information. The former employees spoke with The Markup on the condition that we not use their names, as they are all still employed in the data industry. They said they agreed to talk because of concerns with the location data industry’s security and privacy and a desire to shed more light on the opaque location data economy. All of them described Life360 as one of the largest sources of data for the industry. 


Germany warns of ransomware attacks over Christmas, citing Emotet return, unpatched Exchange servers

The German cybersecurity authority has told German organizations to expect ransomware and other cyber-attacks over the Christmas and end-of-year holidays, citing the return of the Emotet botnet and the large number of Microsoft Exchange email servers that have been left unpatched. The Emotet gang, which began rebuilding its botnet two weeks ago, has often rented access to infected systems to ransomware gangs to serve as springboards for attacks. Numerous vulnerabilities discovered in Microsoft Exchange email servers this year have been abused by ransomware gangs such as DearCry, BlackKingdom, Babuk, and BlackByte to enter corporate networks and encrypt internal servers. “Holidays, vacation times and weekends in particular have been used repeatedly for such attacks in the past, as many companies and organizations are less responsive then,” BSI President Arne Schönbohm said on Thursday, urging companies to patch systems and take steps to block Emotet spam.
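The BSI advice to "block Emotet spam" is, in practice, an attachment policy at the mail gateway. The following is an added example written for this digest, not code from the AboutDFIR post, the BSI advisory, or any mail product. It quarantines external mail carrying the lure types Emotet's late-2021 campaigns relied on (macro-capable Office documents and ZIP archives wrapping them, frequently password-protected and injected as replies into hijacked threads) and adds a stricter holiday mode that quarantines every external archive while nobody is around to triage. The message records, domain names and attachment bytes are constructed sample data; the encrypted-ZIP sample only has its header flag set, since Python's zipfile cannot write encrypted archives.

```python
"""Attachment policy for Emotet-style lure mail (added example, not from the source page)."""
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Tuple

# Extensions that can carry VBA macros: legacy binary formats plus the
# explicitly macro-enabled OOXML variants.
MACRO_CAPABLE = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm",
                 ".xlsm", ".xlsb", ".xltm", ".pptm"}
ARCHIVE = {".zip"}


@dataclass
class Attachment:
    name: str
    data: bytes = b""


@dataclass
class Message:
    sender_domain: str
    attachments: List[Attachment] = field(default_factory=list)
    in_reply_to: str = ""   # non-empty when the mail is a reply in a thread


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def zip_members(data: bytes) -> List[str]:
    """Member names of a ZIP, or [] if the bytes are not a readable ZIP.
    Listing works for password-protected archives too: the central
    directory is never encrypted, only the member contents are."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError):
        return []


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the general-purpose 'encrypted' bit (0x1) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except (zipfile.BadZipFile, OSError, ValueError):
        return False


def classify(msg: Message, internal_domains, holiday_mode: bool = False) -> Tuple[str, List[str]]:
    """Return ('allow' | 'quarantine', reasons). Internal senders are exempt.
    holiday_mode quarantines every external archive outright, on the
    advisory's point that nobody is around to triage borderline mail."""
    reasons: List[str] = []
    if msg.sender_domain in internal_domains:
        return "allow", reasons
    for att in msg.attachments:
        ext = _ext(att.name)
        if ext in MACRO_CAPABLE:
            reasons.append(f"macro-capable attachment {att.name}")
        elif ext in ARCHIVE:
            before = len(reasons)
            inner = [m for m in zip_members(att.data) if _ext(m) in MACRO_CAPABLE]
            if inner:
                reasons.append(f"archive {att.name} wraps {', '.join(inner)}")
            if zip_is_encrypted(att.data):
                reasons.append(f"archive {att.name} is password-protected")
            if holiday_mode and len(reasons) == before:
                reasons.append(f"external archive {att.name} during holiday coverage")
    if reasons and msg.in_reply_to:
        reasons.append("delivered as a reply into an existing thread (thread-hijack lure)")
    return ("quarantine" if reasons else "allow"), reasons


# --- constructed sample data (hypothetical domains and files) ---------------
def _zip_bytes(members) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag in every local (offset 6) and central
    (offset 8) header so the sample presents as password-protected.
    This fakes the header bit for test data only; it encrypts nothing."""
    out = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + off] |= 0x01
            i = out.find(sig, i + 4)
    return bytes(out)


INTERNAL = {"example.com"}
SAMPLES = {
    "plain_pdf": Message("partner.example", [Attachment("invoice.pdf", b"%PDF-1.4")]),
    "macro_doc": Message("partner.example", [Attachment("Rechnung.docm")], in_reply_to="<abc@partner.example>"),
    "zip_with_xls": Message("partner.example", [Attachment("docs.zip", _zip_bytes({"report.xls": b"\xd0\xcf\x11\xe0"}))]),
    "encrypted_zip": Message("partner.example", [Attachment("files.zip", _mark_encrypted(_zip_bytes({"readme.txt": b"hi"})))]),
    "plain_zip": Message("partner.example", [Attachment("notes.zip", _zip_bytes({"readme.txt": b"hi"}))]),
    "internal_docm": Message("example.com", [Attachment("macro.docm")]),
}


def run_policy(holiday_mode: bool = False) -> dict:
    return {k: classify(m, INTERNAL, holiday_mode)[0] for k, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_policy().items():
        print(f"{name:14s} {verdict}")
```

The policy deliberately inspects archive member names rather than trying to open members, so a password-protected ZIP is still caught; the attacker's password gate only hides contents, not the central directory. Exempting internal senders keeps the rule from blocking legitimate finance workflows, but Emotet's reply-chain lures come from compromised external partners, which is why a reply into an existing thread is recorded as a reason rather than treated as a sign of legitimacy.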
