SolarWinds impact broader than first thought: Emergency national webcast

Hackers believed to be part of a Russian advanced persistent threat (APT) group managed to infiltrate the SolarWinds software update system and "trojanize" updates sent to customers. The backdoor installed on infected networks waited at least two weeks before contacting command and control systems, which helped the intruders evade detection. FireEye, which was one of the companies targeted, noted the operation's tactics included "some of the best operational security." The threat actors were operating from March until this past weekend, which provided lots of opportunity for information gathering. It will take a while to get a picture of what information the attackers harvested and what they left inside occupied systems. (Please note that the WSJ story is behind a paywall.)

Read more in

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal civilian agencies to disconnect from SolarWinds systems. Agencies that use SolarWinds products were required to submit a completion report to CISA by mid-day Monday, December 14. Agencies are also ordered to wait for CISA guidance before applying any fixes from SolarWinds.

Read more in

In a filing with the US Securities and Exchange Commission (SEC) regarding the compromise of its software update system, Austin, Texas-based SolarWinds said it "has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020." The company notified 33,000 customers of the compromise and noted that it "believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000."

Read more in

A supply chain attack has leveraged compromise of the SolarWinds software update system to infiltrate systems at numerous organizations around the world, including FireEye and the US Treasury, Commerce, and Homeland Security departments. The Register notes "that SolarWinds' Orion is used widely across the British public sector, ranging from the Home Office and Ministry of Defence through NHS hospitals and trusts, right down to local city councils."

Read more in

A US district judge in California has sentenced a man to two years in prison for deleting thousands of WebEx accounts. Sudhish Kasaba Ramesh pleaded guilty earlier this year to accessing a protected computer without authorization and recklessly damaging Cisco's network. Ramesh resigned from his position at Cisco in April 2018 after being with the company for 21 months. In September 2018, he accessed Cisco's cloud infrastructure and deleted more than 450 virtual machines hosting the WebEx Teams application, which resulted in the temporary deletion of more than 16,000 WebEx accounts.

Read more in

A vulnerability in Easy WP SMTP WordPress plugin is being actively exploited to reset admin account passwords. The plugin is installed in more than 500,000 WordPress sites. An update has been available since Monday, December 7. Users are urged to update to the most recent version of the plugin, Easy WP SMTP 1.4.4.

Read more in

Manufacturers of two widely-used point-of-sale (PoS) terminals have issued security updates for their products. Researchers found vulnerabilities in Verifone and Ingenico PoS terminals that could be exploited to steal payment card information, clone terminals, and conduct other sorts of financial fraud. The Verifone VX520 and Verifone MX series, and the Ingenico Telium 2 series devices ship with default manufacturer passwords for service modes. The service modes have "undeclared functions" which can be exploited to execute arbitrary code. Ingenico prevents users from changing the default passwords. Both Verifone and Ingenico have released patches.

Read more in

Several Google applications were temporarily unavailable on Monday morning, December 14. The outage was due to an internal storage quota issue with Google's authentication system. The outage affected YouTube, Gmail, and Google Docs. The authentication system outage began about 6:45AM ET; services were restored by 9:00AM ET.

Read more in

Norwegian cruise line Hurtigruten has acknowledged that its systems were hit with a cyberattack over the weekend. The incident appears to have affected the company's global infrastructure. Hurtigruten says it was likely ransomware. The website and email systems are down as of Monday, December 14.

Read more in

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of a trio of serious vulnerabilities in some Medtronic MyCareLink medical devices. The flaws could be exploited to modify or fabricate data from certain implanted cardiac devices and remotely execute code to gain control of cardiac devices paired to vulnerable MCL Smart patient Reader devices. Medtronic has developed a firmware update to address the flaws.

Read more in

The US Federal Trade Commission (FTC) has sent orders to nine social media and video streaming companies, seeking details about "how [they] use, track, estimate, or derive personal and demographic information; how they determine which ads and other content are shown to consumers; whether they apply algorithms or data analytics to personal information; how they measure, promote, and research user engagement; and how their practices affect children and teens." The companies that received the orders must reply within 45 days.

Read more in