More stories

    SolarWinds hackers accessed Microsoft source code

    The hackers behind the SolarWinds supply chain attack managed to escalate access inside Microsoft’s internal network and gain access to a small number of internal accounts, which they used to access Microsoft source code repositories, the company said on Thursday.

    The OS maker said the hackers did not make any changes to the repositories they accessed because the compromised accounts only had permission to view the code but not alter it.
    The news comes as an update to the company’s internal investigation into the SolarWinds incident, posted today on its blog.
    Microsoft emphasized that despite viewing some source code, the threat actors did not escalate the attack to reach production systems, customer data, or use Microsoft products to attack Microsoft customers.
    The Redmond-based company said its investigation is still ongoing.
    Microsoft previously admitted on December 17 that it had used SolarWinds Orion, an IT monitoring platform, inside its internal network.
    Days earlier, news broke that hackers breached IT software maker SolarWinds and inserted malware inside updates for the Orion platform. The malware was then used to gain an initial foothold on the internal networks of private companies and government agencies across the world.

    Microsoft was one of the thousands of companies[1, 2, 3] that discovered evidence of malware on their networks, planted via tainted Orion updates.
    Microsoft downplays incident
    The OS maker downplayed today the fact that hackers viewed its internal source code repositories, claiming this was no big deal.
    “At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said.
    “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” it added.
    Microsoft made this approach to source code secrecy clear in previous years after the source code of several Microsoft products leaked online — such as Windows 10, Windows XP, Windows 2000, Windows Server 2013, Windows NT, and Xbox.

    FBI: Pranksters are hijacking smart devices to live-stream swatting incidents

    The US Federal Bureau of Investigation says pranksters are hijacking weakly-secured smart devices in order to live-stream swatting incidents.
    “Recently, offenders have been using victims’ smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks,” the FBI said in a public service announcement published today.
    Officials say pranksters are taking over devices on which owners created accounts but reused credentials that previously leaked online during data breaches at other companies.
    Pranksters then place calls to law enforcement and report a fake crime at the victims’ residence.
    “As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers,” the FBI said.
    “In some cases, the offender also live streams the incident on shared online community platforms.”
    These types of incidents, called swatting, have increased across the US in recent years and have even resulted in people’s deaths through accidental shootings.

    The first known cases of a swatting incident being live-streamed online date back to the mid-2010s. The difference between what the FBI is reporting now and those initial incidents is that, back then, no devices were being hacked.
    Pranksters would identify social events that were being streamed online and would arrange the event to be swatted, such as weddings, church meetings, and more.

    Many of these swatting calls are being placed through online services that provide anonymous calling capabilities — such as Discord bots and dark web services.

    To counteract these rising hack-and-swat cases, bureau officials said they are now working with device vendors to advise customers on how they could select better passwords for their devices.
    Furthermore, the FBI said it’s also working to alert law enforcement first responders about this new swatting variation, so they may respond accordingly.
    As for device owners, the same advice remains valid: Use complex and unique passwords for each of your online accounts. Use two-factor authentication where available.

    Brazilians mostly unaware of data protection regulations

    Consumers in Brazil are mostly unaware of the country’s data protection rules and fail to question companies’ personal data management practices, a new study has found.
    The survey carried out by Brazilian credit intelligence company Boa Vista with over 500 consumers between August and September 2020 suggests that over 70% of those polled do not know what the General Data Protection Regulations are.

    The vast majority of the consumers polled (90%) feel their personal information is not protected appropriately by the companies requesting them, while 77% have expressed concerns over potential misuse of their data. Of the Brazilian consumers surveyed, 40% said they have been victims of fraud.
    On the other hand, 53% of the Brazilian consumers surveyed said they don’t always take measures to protect their privacy before handing their personal data to companies. While 88% of respondents said they don’t feel comfortable providing data such as their taxpayer registration number, 55% don’t challenge companies when asked for such personal information.
    Brazil’s data protection regulations were sanctioned by president Jair Bolsonaro on September 18, after nearly a month of uncertainty over the actual go-live date of the rules. The board members of the body responsible for enforcing the regulations, the National Data Protection Authority, were appointed in late October.
    A survey carried out by the Brazilian Association of Software Companies (ABES) in partnership with EY soon after the introduction of the rules found that most Brazilian companies still needed to adjust to the rules. A subsequent study by ABES and EY found the technology sector fared better, but 56% of companies in the sector still needed to comply with the new regulations.

    Finland says hackers accessed MPs' emails accounts

    The Finnish Parliament said on Monday that hackers gained entry to its internal IT system and accessed email accounts for some members of Parliament (MPs).

    Government officials said the attack took place in the fall of 2020 and was discovered this month by the Parliament’s IT staff. The matter is currently being investigated by the Finnish Central Criminal Police (KRP).
    In an official statement, KRP Commissioner Tero Muurman said the attack did not cause any damage to the Parliament’s internal IT system but was not an accidental intrusion either.
    Muurman said the Parliament security breach is currently being investigated as a “suspected espionage” incident.
    “At this stage, one alternative is that unknown factors have been able to obtain information through the hacking, either for the benefit of a foreign state or to harm Finland,” Muurman said.
    “The theft has affected more than one person, but unfortunately, we cannot tell the exact number without jeopardizing the ongoing preliminary investigation.

    “This case is exceptional in Finland, serious due to the quality of the target and unfortunate for the victims,” the official added.
    The KRP also said that “international cooperation has taken place in the investigation,” but did not provide additional details.
    Norway disclosed a similar incident this fall
    But while government officials didn’t mention it, the incident is eerily similar to a hack disclosed in a neighboring Scandinavian country.
    Earlier this fall, Norway’s Parliament disclosed a similar breach of its internal email system, with hackers accessing some officials’ email accounts.
    This month, after a months-long investigation, the Norwegian police secret service (PST) attributed the intrusion to APT28, a group of hackers linked to Russia’s military intelligence service, the GRU.
    A recent Microsoft report highlighted a trend in APT28 tactics towards targeting email accounts with credential stuffing and brute-force attacks.

    Vietnam targeted in complex supply chain attack

    A group of mysterious hackers has carried out a clever supply chain attack against Vietnamese private companies and government agencies by inserting malware inside an official government software toolkit.

    The attack, discovered by security firm ESET and detailed in a report named “Operation SignSight,” targeted the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents.
    Any Vietnamese citizen, private company, and even other government agency that wants to submit files to the Vietnamese government must sign their documents with a VGCA-compatible digital certificate.
    The VGCA doesn’t only issue these digital certificates but also provides ready-made and user-friendly “client apps” that citizens, private companies, and government workers can install on their computers and automate the process of signing a document.
    But ESET says that sometime this year, hackers broke into the agency’s website, located at ca.gov.vn, and inserted malware inside two of the VGCA client apps offered for download on the site.
    The two files were 32-bit (gca01-client-v2-x32-8.3.msi) and 64-bit (gca01-client-v2-x64-8.3.msi) client apps for Windows users.
    ESET says that between July 23 and August 5, this year, the two files contained a backdoor trojan named PhantomNet, also known as Smanager.

    The malware wasn’t very complex but was merely a wireframe for more potent plugins, researchers said.
    Known plugins included the functionality to retrieve proxy settings in order to bypass corporate firewalls and the ability to download and run other (malicious) apps.
    The security firm believes the backdoor was used for reconnaissance prior to a more complex attack against selected targets.
    ESET researchers said they notified the VGCA earlier this month but that the agency had already known of the attack prior to its contact.
    On the day ESET published its report, the VGCA also formally admitted to the security breach and published a tutorial on how users could remove the malware from their systems.
    PhantomNet victims also discovered in the Philippines
    ESET said that it also found victims infected with the PhantomNet backdoor in the Philippines but was unable to say how these users got infected. Another delivery mechanism is suspected.
    The Slovak security firm didn’t formally attribute the attack to any particular group, but previous reports linked the PhantomNet (Smanager) malware to Chinese state-sponsored cyber-espionage activities.
    The VGCA incident marks the fifth major supply chain attack this year after the likes of:
    SolarWinds – Russian hackers compromised the update mechanism of the SolarWinds Orion app and infected the internal networks of thousands of companies across the globe with the Sunburst malware.
    Able Desktop – Chinese hackers compromised the update mechanism of a chat app used by hundreds of Mongolian government agencies.
    GoldenSpy – A Chinese bank had been forcing foreign companies operating in China to install a backdoored tax software toolkit.
    Wizvera VeraPort – North Korean hackers compromised the Wizvera VeraPort system to deliver malware to South Korean users.

    Russian crypto-exchange Livecoin hacked after it lost control of its servers

    Russian cryptocurrency exchange Livecoin posted a message on its official website on Christmas Eve claiming it was hacked and lost control of some of its servers, warning customers to stop using its services.
    According to posts on social media, the attack seems to have happened on the night between December 23 and December 24.
    Hackers appear to have taken control of the Livecoin infrastructure and then proceeded to modify the exchange rates to gigantic and unrealistic values.
    Before Livecoin admins managed to gain back access to some of their systems during late December 24, the Bitcoin exchange rate had ballooned from the regular $23,000/BTC to more than $450,000/BTC, Ether grew from $600/ETH to $15,000, and Ripple price increased from $0.27/XRP to more than $17/XRP.

    Once the exchange rates were modified, the mysterious attackers began cashing out accounts, generating gigantic profits.
    In the message posted on its website, Livecoin admins described the incident as a “carefully planned attack, which has been prepared, as we assume, over the last few months.”
    “We lost control of all of our servers, backend and nodes. Thus, we were not able to stop our service in time. Our news channels were compromised as well,” the company said.

    “At the moment, we partially control frontend, and so we’re able to place this announcement,” it added.
    While the main web-based exchange portal is down, Livecoin is now urging users to stop depositing funds and making transactions through other interfaces like the site’s API and mobile apps.
    As it happens with most cryptocurrency hacks, several users have cried foul play and are now claiming the entire hack was an inside job.
    Livecoin said it notified local law enforcement.
    According to CoinMarketCap, Livecoin is ranked as the 173rd cryptocurrency exchange on the internet, with roughly $16 million in daily transactions. The site has been active since March 2014.

    Citrix devices are being abused as DDoS attack vectors

    Threat actors have discovered a way to bounce and amplify junk web traffic against Citrix ADC networking equipment to launch DDoS attacks.

    While details about the attackers are still unknown, victims of these Citrix-based DDoS attacks have mostly included online gaming services, such as Steam and Xbox, sources have told ZDNet earlier today.
    The first of these attacks were detected last week and documented by German IT systems administrator Marco Hofmann.
    Hofmann tracked the issue to the DTLS interface on Citrix ADC devices.
    DTLS, or Datagram Transport Layer Security, is a version of the TLS protocol implemented on top of the UDP transport protocol rather than the more reliable TCP.
    Just like all UDP-based protocols, DTLS is spoofable and can be used as a DDoS amplification vector.
    What this means is that attackers can send small DTLS packets to the DTLS-capable device and have the result returned in a many times larger packet to a spoofed IP address (the DDoS attack victim).

    How many times the original packet is enlarged determines the amplification factor of a specific protocol. For past DTLS-based DDoS attacks, the amplification factor was usually 4 or 5 times the original packet.
    But, on Monday, Hofmann reported that the DTLS implementation on Citrix ADC devices appears to be yielding an amplification factor of a whopping 35, making it one of the most potent DDoS amplification vectors.
    Citrix confirms issue
    Earlier today, after several reports, Citrix has also confirmed the issue and promised to release a fix after the winter holidays, in mid-January 2020.
    The company said it’s seen the DDoS attack vector being abused against “a small number of customers around the world.”
    The issue is considered dangerous for IT administrators because of the costs and uptime problems it causes, rather than any threat to the security of their devices.
    As attackers abuse a Citrix ADC device, they might end up exhausting its upstream bandwidth, creating additional costs and blocking legitimate activity from the ADC.
    Until Citrix readies official mitigations, two temporary fixes have emerged.
    The first is to disable the Citrix ADC DTLS interface if not used. 

    If you are impacted by this attack you can disable DTLS to stop it. Disabling the DTLS protocol will lead to limited performance degradation, a short freeze and to a fallback. Run following CLI command on Citrix ADC: set vpn vserver  -dtls OFF https://t.co/Tpdnp8k9y3
    — Thorsten E. (@endi24) December 24, 2020

    If the DTLS interface is needed, forcing the device to authenticate incoming DTLS connections is recommended, although it may degrade the device’s performance as a result.

    If you are making use of Citrix ADC and have enabled DTLS/EDT (UDP via port 443) you might need to run this command: “set ssl dtlsProfile nsdtls_default_profile -helloVerifyRequest ENABLED”. This will prevent you from future UDP amplification attacks. #NetScaler #CitrixADC
    — Anton van Pelt (@AntonvanPelt) December 21, 2020

    Actually the vast majority of deploys will become unstable with that. To be safe until January, better block UDP.
    — Thorsten Rood (@ThorstenRood) December 22, 2020
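To show why the helloVerifyRequest setting quoted above blunts the amplification, here is an added Python model (not Citrix’s code and not from the article) of a DTLS server answering a spoofed ClientHello with and without the stateless cookie exchange from RFC 6347 section 4.2.1. The datagram sizes are constructed, chosen so the unprotected case reproduces the reported factor of 35; the IP addresses are documentation-range placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed datagram sizes (bytes); not measured from any Citrix ADC. The
# server flight is sized so the unprotected case reproduces the reported 35x.
CLIENT_HELLO_LEN = 64          # minimal spoofed ClientHello datagram
HELLO_VERIFY_LEN = 48          # HelloVerifyRequest: record header + cookie
FULL_SERVER_FLIGHT_LEN = 2240  # ServerHello + Certificate + ... (assumed)

COOKIE_SECRET = secrets.token_bytes(32)  # server-side; rotated in practice


def make_cookie(client_addr: str, client_hello: bytes) -> bytes:
    """Stateless cookie (RFC 6347 4.2.1): HMAC over the claimed source address
    and the ClientHello. Only a host that really receives datagrams at
    client_addr ever learns it, so a spoofing attacker cannot echo it."""
    return hmac.new(COOKIE_SECRET, client_addr.encode() + client_hello,
                    hashlib.sha256).digest()


def server_reply_len(client_addr: str, client_hello: bytes,
                     cookie: Optional[bytes], hello_verify_request: bool) -> int:
    """Bytes the server sends to client_addr for one inbound ClientHello,
    under the given helloVerifyRequest setting."""
    if not hello_verify_request:
        # Weak setting: every ClientHello, spoofed or not, gets the full flight.
        return FULL_SERVER_FLIGHT_LEN
    expected = make_cookie(client_addr, client_hello)
    if cookie is None or not hmac.compare_digest(cookie, expected):
        # First contact or bad cookie: answer with a tiny HelloVerifyRequest.
        return HELLO_VERIFY_LEN
    return FULL_SERVER_FLIGHT_LEN


def amplification_factor(hello_verify_request: bool) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sends.
    The attacker forges the victim's address and never sees the cookie."""
    victim = "203.0.113.10"  # documentation-range address, constructed
    hello = b"\x16\xfe\xfd" + bytes(CLIENT_HELLO_LEN - 3)  # fake DTLS 1.2 header
    return server_reply_len(victim, hello, None, hello_verify_request) / CLIENT_HELLO_LEN


def legit_handshake_completes() -> bool:
    """A real client receives the cookie, echoes it, and gets the full flight,
    so the mitigation costs one extra round trip rather than connectivity."""
    addr = "198.51.100.7"  # constructed
    hello = b"\x16\xfe\xfd" + bytes(CLIENT_HELLO_LEN - 3)
    cookie = make_cookie(addr, hello)  # what the server sent back to addr
    return server_reply_len(addr, hello, cookie, True) == FULL_SERVER_FLIGHT_LEN


if __name__ == "__main__":
    print(f"helloVerifyRequest DISABLED: {amplification_factor(False):.1f}x")
    print(f"helloVerifyRequest ENABLED:  {amplification_factor(True):.2f}x")
    print("legit client still connects:", legit_handshake_completes())
```

The model also explains the stability complaint in the last tweet: any client that cannot complete the extra cookie round trip never gets past the HelloVerifyRequest, which is the trade-off the tweets are debating.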