Security News > 2020 > December
As many as 25 private companies - including the Israeli company NSO Group and the Italian firm Hacking Team - have sold surveillance software to Mexican federal and state police forces, but there is little or no regulation of the sector - and no way to control where the spyware ends up, said the officials. The cyberweapons arms business is immoral in many ways.
As organizations become more hybrid and distributed, their security needs to be able to span all environments. For these highly distributed and highly dynamic hybrid environments, organizations also need a security strategy that is capable of spanning on-prem, multi-cloud, branch, home office, smart edge, and similar environments.
The US Cybersecurity and Infrastructure Security Agency said that the APT group behind the recent compromise campaign targeting US government agencies used more than one initial access vector. "CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available," the agency said.
Two Ruby gems that were found to pack malware capable of running persistently on infected machines were removed recently from the RubyGems hosting service. The two gems, pretty_color and ruby-bitcoin, contained malware that targeted Windows machines and was meant to replace any cryptocurrency wallet address in the clipboard with an attacker-supplied one.
Police forces were found by IPCO to be treating applications to use spying powers as a tickbox exercise, perhaps unsurprisingly given that these are self-authorisations rubberstamped by police managers themselves. "To provide oversight that satisfies this judgment, IPCO reviewed the use of bulk data at GCHQ and has now incorporated the sharing of bulk data with foreign partners into its regular oversight and inspection arrangements," said IPCO in a statement.
In the year ahead, organizations must prepare for the unknown, so they have the flexibility to endure unexpected, high-impact security events. The insider threat is one of the greatest drivers of security risk that organizations face, since a malicious insider uses legitimate credentials to gain access to the organization's critical assets.
Iranian-backed hacking group Fox Kitten has been linked to the Pay2Key ransomware operation that has recently started targeting organizations from Israel and Brazil. "We estimate with medium to high confidence that Pay2Key is a new operation conducted by Fox Kitten, an Iranian APT group that began a new wave of attacks in November-December 2020 that entailed dozens of Israeli companies," threat intelligence firm ClearSky says.
A killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting IT management and monitoring firm SolarWinds and its customers. FireEye, which disclosed the attack earlier this month after the threat actor managed to breach its systems and steal some Red Team tools, revealed that the attacker had compromised SolarWinds systems and used its access to deliver a piece of malware named SUNBURST. The malware, which is configured to remain dormant for a certain period after installation, is capable of collecting information about the infected computer, downloading and executing code, creating and deleting files, reading and manipulating registry entries, and rebooting the system.
Attackers will often launch secondary strikes by sending phishing emails from hijacked inboxes. Who wouldn't trust an email that came from a trusted colleague's account? This phase enables attackers to steal still more credentials from other victims, plant ransomware, or launch an especially convincing BEC attack.