What is going on in the security landscape, news ending January 8, 2021 from blog The Technology blog and podcast


What is going on in the security landscape, news ending January 8, 2021

Hello folks, welcome to a wrapup of what is going on in the landscape of security. In no way is this going to be a complete rundown; it is some of what I’ve read or come across, plus news that I didn’t see myself but that comes across my desk through a digest from Trend Micro.

Let us get started with “This week in Security News” from Trend Micro. I really like covering these posts because they cover a lot: some items I may have read, some I still need to read, and others may be interesting but not worth talking about in the long term.

There are two articles I’ve been meaning to cover that are in my rundown from this news digest, so I might as well cover them here. The first is Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration, and I had to read it from the web version. This is very dangerous because it relies on people using webmail to access their mail. I ditched webmail many, many, many years ago because I personally find it to be something that doesn’t interest me. Even when I signed up for Gmail, and finally decided on it for YouTube and now as an off-site email address, I was not using the website to check my mail.

The good news is that I think most of us who read this aren’t using the site that is referenced at all. The web site is mail2000tw[.]com or any kind of subdomain. I can’t tell what language it is in, although I did visit the site via private browsing to find out.

Trend Micro writes:

We discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.” Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers.

Other headings within this article include but are not limited to:

  • Initial Access and Propagation
  • Exfiltration of the mailbox
  • Infection of email accounts
  • Service Worker script exploitation
  • Email exfiltration

The article here is very detailed and I think people need to read this, as it could come to a web mail service near us. Luckily, it hasn’t happened as of yet, but it is definitely something that could eventually happen.

The other thing in this week’s digest of the news that I wanted to cover is An Overview of the DoppelPaymer Ransomware, and it is also a good one.

The article starts out:

DoppelPaymer uses a fairly sophisticated routine, starting off with network infiltration via malicious spam emails containing spear-phishing links or attachments designed to lure unsuspecting users into executing malicious code that is usually disguised as a genuine document. This code is responsible for downloading other malware with more advanced capabilities (such as Emotet) into the victim’s system.

I believe I’ve talked about Emotet on the technology podcast, and it definitely isn’t going anywhere with this new project. DoppelPaymer also uses the Dridex malware family (website), which will either download DoppelPaymer directly or something else.

This is definitely something that is stealthy, troublesome, and something that we should all know about.

The article goes on and says:

Once Dridex enters the system, the malicious actors do not immediately deploy the ransomware. Instead, it tries to move laterally within the affected system’s network to find a high-value target to steal critical information from. Once this target is found, Dridex will proceed in executing its final payload, DoppelPaymer. DoppelPaymer encrypts files found in the network as well as fixed and removable drives in the affected system.

Finally, DoppelPaymer will change user passwords before forcing a system restart into safe mode to prevent user entry from the system. It then changes the notice text that appears before Windows proceeds to the login screen.

The new notice text is now DoppelPaymer’s ransom note, which warns users not to reset or shut down the system, as well as not to delete, rename, or move the encrypted files. The note also contains a threat that their sensitive data will be shared to the public if they do not pay the ransom that is demanded from them.

According to the FBI notification, DoppelPaymer’s primary targets are organizations in the healthcare, emergency services, and education. The ransomware has already been involved in a number of attacks in 2020, including disruptions to a community college as well as police and emergency services in a city in the US during the middle of the year.

DoppelPaymer was particularly active in September 2020, with the ransomware targeting a German hospital that resulted in the disruption of communication and general operations. It also fixed its sights on a county E911 center as well as another community college in the same month.
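As an added example (not code from the Trend Micro article or from this blog), here is a PowerShell audit a defender could run on a Windows host to surface the three post-infection behaviours described above: a replaced pre-logon notice, a forced safe-mode boot, and a burst of password resets. The registry path, the BCD safeboot element and Security event ID 4724 are standard Windows locations assumed here, not values taken from the page.

```powershell
# Added example: audit a Windows host for the DoppelPaymer behaviours described above.
# Assumptions (not from the page): LegalNoticeCaption/LegalNoticeText live under the
# Policies\System key, a forced safe-mode boot shows up as a "safeboot" BCD element,
# and Security event 4724 records password reset attempts. Run from an elevated shell.

$findings = @()

# 1. Pre-logon notice: legitimate banners exist, so flag only ransom-note wording.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$notice     = Get-ItemProperty -Path $policyKey -Name LegalNoticeCaption, LegalNoticeText -ErrorAction SilentlyContinue
$bannerText = "$($notice.LegalNoticeCaption) $($notice.LegalNoticeText)"
if ($bannerText -match 'encrypt|ransom|decrypt|bitcoin|do not (reset|shut ?down|rename|move)') {
    $findings += "Pre-logon notice looks like a ransom note: $bannerText"
}

# 2. Forced safe-mode restart: a persistent safeboot element on the current boot entry.
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s') {
    $findings += "Boot entry has safeboot set: $(($bcd | Select-String 'safeboot') -join '; ')"
}

# 3. Password changes: many 4724 (password reset) events in a short window.
$resets = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
if ($resets.Count -ge 5) {
    # Properties[0] of a 4724 event is the target account name.
    $targets = ($resets | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique) -join ', '
    $findings += "$($resets.Count) password resets in the last hour for: $targets"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No DoppelPaymer-style indicators found.' }
```

The thresholds (five resets in an hour, the ransom-note word list) are starting points to tune against a known-good baseline for the host.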

The following is what is recommended by Trend Micro in regards to this one:

  • Refraining from opening unverified emails and clicking on any embedded links or attachments in these messages.
  • Regularly backing up important files using the 3-2-1 rule: Create three backup copies in two different file formats, with one of the backups in a separate physical location.
  • Updating both software and applications with the latest patches as soon as possible to protect them from vulnerabilities.
  • Ensuring that backups are secure and disconnected from the network at the conclusion of each backup session. 
  • Auditing user accounts at regular intervals — in particular those accounts that are publicly accessible, such as Remote Monitoring and Management accounts.
  • Monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.
  • Implementing two-factor authentication (2FA) for user login credentials, as this can help strengthen security for user accounts
  • Implementing the principle of least privilege for file, directory, and network share permissions.

As with all things troublesome, making sure we have our backups is the most important thing. I personally pay for Dropbox for that purpose, and I am sure glad I have!

The Hacker News has an article entitled: FBI, CISA, NSA Officially Blame Russia for SolarWinds Cyber Attack which I have not read. Cyberscoop has articles dealing with Solar Winds and some fall out. They are:

The last two go hand in hand, but all of the above are interesting, saying in varying paragraphs that Russia is to blame. That is why I link all of them in this section: it is the latest we have, and I can only imagine Trump going ape over his accounts being suspended. With what has gone on, it’s about time that the companies do something to curb his behavior, even if it was only indirectly responsible for the attacks that have been in the news as of late. Read all of the articles linked above, because they are all good and vary in content. Several of these articles may be linked in podcast content in passing for news notes, but it’s all informative. Articles will

Another article that is worth talking about is protecting your kids while learning at home. The article How to Protect Your Kid’s Privacy While At-Home Learning goes into detail on this.

The beginning of this article says:

How to Protect Your Kid’s Privacy While At-Home Learning
Many kids now have school-supplied computer equipment away from the school network. However, with this come privacy and security concerns. Some are easy
to avoid, but others need some modifications to ensure safety.
By: Stephen Hilt, Erin Johnson, December 22, 2020. Read time: 5 min (1381 words)
With the pandemic forcing many people to work and attend school from home, there has been a major shift in the use of technology for many businesses and
learning institutions. And this has brought a lot of interesting findings, at least from my own.
My kids have been attending school virtually this year, and I’m glad that schools can offer options and provide a high level of education virtually during
the Covid-19 pandemic. One of these options is the use of Chromebooks. While many US school districts have been providing Chromebooks to children at school
for some time, the scale of this need changed significantly in 2020. Fortunately, some school districts have found the ability to get more computers for
students who need them at home.

While I applaud the schools for providing computers to the people who need them, the article talks about how schools are locking down even the home network, because it is signed in to the same Google account even when the provided computer is not being used. This goes beyond the reach of my understanding, so please read Trend Micro’s article on this.

One of the things I heard in a new podcast I just subscribed to called The CyberWire Daily mentioned software called JetBrains, another piece of software that may have been compromised. I have not read Investigation Launched into Role of JetBrains Product in SolarWinds Hack: Reports but it is interesting that yet another company may be involved in one of the biggest breaches we’ve ever known.

Here is what the clip of this article states. Again, I’ve not read this, so I have no more info except what I heard on the podcast.

Cybersecurity experts and government agencies are trying to determine whether the hackers that targeted SolarWinds may have abused software created by JetBrains to achieve their goal. JetBrains is a software development company based in the Czech Republic that has offices in Europe, Russia and the United States. The company claims its solutions are used by over 9 million developers across 300,000 companies around the world.

We can’t forget phishing. Email threats are going to rise, and with that legitimate domains may be used. Also, RYUK is still being used more than ever, something called Hastebin is being used to deliver fileless malware called Hastebin and much more. To read the entire article of what is going on this week from Trend Micro, please go on over to Trend Micro’s blog: This Week in Security News – Jan 8, 2021 to read all of the details.

Finally, we’ve got some great news, which I always like to cover: Russian man sentenced to 12 years in prison for massive JPMorgan data heist. That is good news, because J.P. Morgan’s breach was one of the biggest to date for its time.

Tyurin’s breach of JPMorgan Chase alone saw data on 80 million customers stolen, according to prosecutors. The Russian man made $19 million altogether from the hacking, the Justice Department said in a statement.

We should back up and start at the beginning though. The article states in part:

A U.S. federal judge on Thursday sentenced Andrei Tyurin, a 37-year-old Russian man, to 12 years in prison for his role in a hacking scheme that prosecutors say involved the theft of personal data from over 100 million customers of big U.S. financial firms.

The brazen hacking operation, which ran from 2012 to 2015, is one of the biggest to hit Wall Street in recent memory. It involved Tyurin allegedly working with an Israeli man named Gery Shalon, among others, to breach big-name companies like JPMorgan Chase, ETrade and The Wall Street Journal. The scammers then sought to inflate stock prices by marketing them to people whose data they had stolen.

There is definitely more, and more that I need to get out in regards to SolarWinds, but I’ll do that in a separate article, as SolarWinds is just as interesting alone as it would be in a roundup like this.

This completes the news notes. Did you find something of interest? Why not get in touch? Comment on the blog! Write an email! Use WhatsApp, email/iMessage or any other contact info you want! We’ll be waiting.

Article information

What is going on in the security landscape, news ending January 8, 2021 was released on January 8, 2021 at 4:30 pm by tech in article commentary.
Last modified: January 8, 2021.
