SolarWinds Attack Vectors and US Federal Judiciary Actions; Attacks Targeting Cyber Researchers; SonicWall Zero-day Exploited; NoxPlayer Update Compromised

The acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) says that “significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds.” The threat actors multiple attack vectors. (Please note that the WSJ story is behind a paywall.)

Read more in

The SolarWinds supply chain attack affected the US court system’s electronic files, prompting the federal Judiciary to adopt “new security procedures to protect highly sensitive confidential documents filed with the courts.” US courts have been instructed to issue standing or general orders that “highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to” the Judiciary’s Case Management/Electronic Case Files system.

Read more in

Microsoft is sharing additional information about the North Korean hacking campaign targeting cybersecurity researchers. Google’s Threat Analysis Group released an initial warning about the campaign last week. In a January 28 blog post, Microsoft’s Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team write that over that past months, they have “detected cyberattacks targeting security researchers by an actor we track as ZINC.” The ZINC threat group has ties to the Lazarus Group. Microsoft’s report provides additional technical information about the threat actors’ use of Visual Studio as an attack vector. The campaign presently appears to be targeting only researchers who are using Windows.

Read more in

SonicWall says that threat actors are exploiting a critical, unpatched vulnerability in one of the company’s firewalls. The flaw affects SonicWall Secure Mobile Access 100 series firmware version 10.x. SonicWall is in the process of developing a patch for the vulnerability and expect to make it available by the end of the day on Tuesday, February 2. The company has listed mitigation that could be implemented until the fix is available.

Read more in

Researchers from Eset say that the NoxPlayer Android emulator was hit with a supply chain attack. The attackers compromised the BigNox software distribution system and sent malicious updates. The malware is installing surveillance software on users’ computers. While NoxPlayer has a reported 150 million users around the world, the attackers appear to be targeting only a very small number users, all located in Asia.

Read more in

UK Research and Innovation (UKRI), a UK government organization that manages research grants for UK organizations, has acknowledged that its network was hit with a ransomware attack. UKRI disclosed the incident on January 28. The attack affected a Brussels-based UK Research Office (UKRO) portal, and an extranet known as the BBSRC extranet; both have been taken offline. UKRI has reported the incident to authorities.

Read more in

Operators of the Fonix ransomware say they will cease operations and have made a decryption tool and the decryption key available so its victims can regain access to their data. The tool is what the operators have used to decrypt files as proof that they really can be decrypted, but it might not be useful to decrypt large quantities of data. The master decryption key could be used to build a more efficient decryptor.

Read more in

US legislators are seeking answers from the National Security Agency (NSA) about a 2012 supply-chain attack that affected Juniper Networks. A statement released by Senator Ron Wyden’s (D-Oregon) office notes, “In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers. Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor.” A letter dated January 28, 2021, and signed by 10 US legislators asks the NSA to describe the actions it took “to protect itself, the Department of Defense, and the US government from future software supply chain attacks.” Renewed interest in the older case was prompted by the SolarWinds supply chain attack that came to light in December 2020.

Read more in

A critical heap overflow vulnerability in the Libgcrypt open-source cryptographic library and GNU Privacy Guard module could be exploited to write arbitrary data and execute code. The flaw affects Libgcrypt 1.9.0, which was released in mid-January. Developers have addressed the vulnerability in Libgcrypt 1.9.1.

Read more in

At least two vulnerabilities detected in the NITRO open source library could be exploited to allow remote code execution. The NITRO library is used by the US Department of Defense (DoD) and intelligence agencies to store, share, and send digital images taken by satellites. Researchers at GRIMM defected the flaws; they are working with the Cybersecurity and Infrastructure Security Agency (CISA) to make sure affected organizations are aware of the issue. The vendor has issued fixes for all the vulnerabilities.

Read more in

Vulnerabilities in the Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter plugin could be exploited to send newsletters, and delete or add newsletter subscribers. The plugin is installed on 200,000 WordPress sites. The vulnerability affects Popup Builder versions 3.71 and earlier. The issue is fixed in version 3.72 and the most recent version is 3.73.

Read more in

Five vulnerabilities affecting industrial control system products from Fuji Electric could be exploited to execute code. The flaws are not remotely exploitable. The vulnerabilities affect Fuji Electric’s Tellus Lite V-Simulator and V-Server Lite. The company recommends upgrading to version 4.0.10.0.

Read more in