SolarWinds Started Earlier and is Looking Worse Than Previously Thought

More details about the SolarWinds supply chain attack are coming to light. It is now believed that at least 250 US government agencies and private businesses were affected. US Senator Mark Warner (D-Virginia), who serves as Vice-Chair of the Senate Intelligence Committee said that the attackers may have begun even earlier than March/April 2020. Warner also noted that "if FireEye had not come forward, I'm not sure we would be fully aware of [the attack] to this day."

Read more in

Microsoft says that the hackers behind the SolarWinds supply chain attack accessed Microsoft source code repositories. Microsoft said that the hackers did not alter the code because the compromised account they used to access the repositories had read-only permission. Microsoft is not concerned that the source code was viewed. In a December 31 blog post, the MSRC Team writes, "We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk."

Read more in

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance regarding the SolarWinds supply chain attack. The update comes in response to the discovery of a new vulnerability in SolarWinds Orion - an authentication bypass flaw in the SolarWinds Orion API. Government agencies were instructed to update their SolarWinds Orion platforms to version 2020.2.1HF2 by the end of 2020. Agencies unable to update by the deadline were instructed to take all their Orion systems offline.

Read more in

Vancouver, BC, transportation agency TransLink says that as of January 4, most of its IT systems are still unavailable a month after they suffered a ransomware attack. Employees have been receiving pay advances rather than their regular paychecks. TransLink has acknowledged that the ransomware operators also compromised employee data.

Read more in

Researchers from Eye Control discovered an undocumented user account with administrative rights hardcoded in the firmware of Zyxel firewall and AP controller devices. The account can be accessed via SSH or web interface. Eye Control reported the vulnerability to Zyxel in late November. Zyxel has released updated firmware for affected devices.

Read more in

T-Mobile has disclosed a data breach that exposed some customers' call-related information. This is the fourth breach T-Mobile has acknowledged in the past three years. T-Mobile did not provide specifics about the attack, except to say its "cybersecurity team recently discovered and shut down malicious, unauthorized access to some" customer proprietary network information (CPNI).

Read more in

The FBI has released a public service announcement warning that vulnerable smart home security devices are being hijacked by attackers to use in swatting attacks. By hijacking devices with voice and camera features, the attackers can watch the arrival of law enforcement teams and interact with them. The FBI's announcement urges people "to use complex, unique passwords and enable two-factor authentication to help protect against "swatting" attacks."

Read more in

Japanese aerospace company Kawasaki Heavy Industries has disclosed that its network was hit by a data breach in June 2020. Kawasaki says that intruders may have accessed customer data. Separately, Kawasaki has warned that it has received reports of phony emails pretending to be from recruiters from Kawasaki heavy Industries Group in the US.

Read more in

Ticketmaster has agreed to pay a $10 million fine for accessing a competitor's computer systems without authorization. A Ticketmaster employee who formerly worked at the rival company retained access credentials, which were used to snoop on that company's activity with the intent of stealing business.

Read more in

Citrix has released an enhancement to prevent the Datagram Transport Layer Security (DTLS) feature in its ADC and Gateway devices from being used to amplify distributed denial-of-service (DDoS) attacks. Reports emerged last month about attacks taking advantage of vulnerable devices.

Read more in

Adobe Flash Player reached end-of-life status as of January 1, 2021. Windows users have begun receiving alerts from Adobe urging them to uninstall Flash. Adobe will block Flash from running as of January 12, 2021. Chrome 88 and Firefox 85, both scheduled for release this month, will remove support for Flash. Microsoft plans to release an update for Windows 10 that will permanently remove Flash. An optional Windows 10 update, released in October 2020, removes Flash Player that was installed by Windows in Internet Explorer, Edge, and Chrome; users who installed Flash Player manually can remove it using Adobe's uninstall instructions.

Read more in

New York-based medical testing company Apex Laboratory has disclosed that the operators responsible for a July 2020 ransomware attack against the company's network stole patient data. The compromised information includes patient names, dates of birth, test results, and in some cases, Social Security numbers.

Read more in