Solarwinds supply-chain attack breaches several US gov departments, Microsoft, Cisco. I'm sure some other stuff happened too.  

News

Hey everyone,

This is mostly a minimal issue, although all my newsfeeds were dominated this week by the Solarwinds hack anyway :-/

To my more recent subscribers: something went wrong with the signup process while I was on paternity break, causing you to miss last week's issue when I restarted. My apoligies, you can catch up on that one here.

Dieter Van der Stock

Breaches and leaks

  • The Solarwinds hack definitely falls under this category, but without a doubt deserves an item all of its own.
  • Ledger, the crypto hardware wallet, had a breach of its e-commerce system last July. That database has now been put online for everyone to see, and it includes 1 million e-mail addresses and about 270.000 addresses of customers, even though Ledger at the time said it was only 9500: link.
Dieter Van der Stock

The SolarWinds cyberattack: The hack, the victims, and what we know

This was definitely the big one this week, my goodness. Turns out that the FireEye hack was just the tip of a very big iceberg. Solarwinds Orion, a network management platform, was compromised. And with it about 18.000 customers like Microsoft and Cisco, and a bunch of US governement departments (Treasury, State, Health, Homeland Security, Energy, Nuclear Security and more).

This article seems to nicely sum up what we know so far, although more is definitely to come. There is so much more to read on it though, so I've added a few more articles to get you going if you want to dive deeper:

  • A detailed technical writeup of the Sunburst malware by FireEye: link.
  • Three articles from Brian Krebs on the hacks, in chronologic order: Dec 14th, Dec 15th, Dec 16th.
  • Sunburst’s C2 secrets reveal second-stage SolarWinds victims: link.

Besides the obvious reason it definitely doesn't look great for Solarwinds. For one it sounds like (part of?) the compromise was due to a hardcoded password "solarwinds123", which is so insanely stupid I have trouble believing it but then again, sure. And apparently their management team was seen selling millions of dollars of shares before the news of the compromise broke out. Tsk tsk.

bleepingcomputer.com

WordPress sites running 'Contact Form 7' plugin open to remote compromise

About 5 million sites are apparently vulnerable.

threatpost.com

HPE discloses critical zero-day in server management software

bleepingcomputer.com

Zero-click iOS zero-day found deployed against Al Jazeera employees

zdnet.com

Apple, Google, Microsoft, and Mozilla ban Kazakhstan's MitM HTTPS certificate

zdnet.com

Three million users installed 28 malicious Chrome or Edge extensions

zdnet.com

Europol launches new decryption platform for law enforcement

bleepingcomputer.com

FBI & Interpol disrupt Joker's Stash, the internet's largest carding marketplace

zdnet.com

Trump Twitter account hacker won't be punished

The Dutch authorities decided that he had met the criteria to be treated as an ethical hacker performing responsible disclosure.

secalerts.co

Twitter fined €450k by EU data protection watchdog for GDPR breach

It relates to a bug in the Android app that could expose the tweets of protected accounts. They were fined because they failed to inform the commision within 72 hours.

bleepingcomputer.com

No spam, ever. We'll never share your email address and you can opt out at any time.