Sophisticated Multiplatform Malware 'Kobalos' Targets Supercomputers
2021-02-02 13:53

ESET has named this piece of malware Kobalos due to its small size and its many tricks - Kobalos is a mischievous creature from Greek mythology. The first known victim of Kobalos was spotted in late 2019 and ESET said the group operating the malware had remained active throughout 2020.

Over 1 Million Impacted by Data Breach at Washington State Auditor
2021-02-02 13:23

The Office of the Washington State Auditor has disclosed a cybersecurity incident in which the personal information of more than 1 million individuals might have been stolen. In its breach notification this week, SAO revealed that some of the files that were compromised in the incident contained "Personal information of Washington state residents who filed unemployment insurance claims in 2020."

Linux malware backdoors supercomputers
2021-02-02 12:26

ESET researchers discovered Kobalos, a malware that has been attacking supercomputers - high performance computer clusters - as well as other targets such as a large Asian ISP, a North American endpoint security vendor, and several privately held servers. "Perhaps unrelated to the events involving Kobalos, there were multiple security incidents involving HPC clusters in the past year. Some of them hit the press and details were made public in an advisory from the European Grid Infrastructure CSIRT about cases where cryptocurrency miners were deployed. The EGI CSIRT advisory shows compromised servers in Poland, Canada and China were used in these attacks. Press articles also mention Archer, a breached UK-based supercomputer where SSH credentials were stolen, but do not contain details about which malware was used, if any," ESET researchers noted.

Actively exploited SonicWall zero-day affects SMA 100 series appliances
2021-02-02 12:25

SonicWall has confirmed that the actively exploited zero-day vulnerability spotted by the NCC Group on Sunday affects its Secure Mobile Access 100 series appliances. On Friday, SonicWall shared that it had received and analyzed several reports from customers of potentially compromised SMA 100 series devices, but that it had only observed the use of previously stolen credentials to log into the SMA devices.

New Linux malware steals SSH credentials from supercomputers
2021-02-02 12:09

Security researchers at cybersecurity company ESET discovered the malware and named it Kobalos, after the misbehaving creature in Greek mythology. "On compromised machines whose system administrators were able to investigate further, we discovered that an SSH credential stealer was present in the form of a trojanized OpenSSH client. The /usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file" - ESET. The researchers believe that credential theft could explain how the malware spreads to other systems on the same network or to other networks in the academic sector, since students and researchers from multiple universities may have SSH access to supercomputer clusters.

SonicWall Says 'a Few Thousand Devices' Impacted by Zero-Day Vulnerability
2021-02-02 12:04

SonicWall on Monday confirmed that its Secure Mobile Access 100 series appliances are affected by a zero-day vulnerability that has apparently already been exploited in attacks. SonicWall told SecurityWeek that a few thousand devices are exposed to attacks due to the zero-day vulnerability.

Apple Issues Patches for NAT Slipstreaming 2.0 Attack
2021-02-02 11:26

Apple this week released security updates to address multiple vulnerabilities in macOS and Safari, including a flaw that can be exploited for the recently disclosed NAT Slipstreaming 2.0 attack. Devised by Ben Seri and Gregory Vishnipolsky of IoT security company Armis, together with researcher Samy Kamkar, the attack is a variant of the NAT Slipstreaming attack that was detailed in October 2020, and which could be leveraged to target local network services.

Tidelift steps up efforts to secure the open source supply chain
2021-02-02 11:00

Some of this just comes down to numbers: the more enterprises depend on open source software, the more open source software will show up in audits like these. While Orion isn't open source, it shows how supply chain attacks have become increasingly critical to combat, and reflects what we've known since Heartbleed: as open source becomes a critical part of nearly all software, we need to improve how we secure it.

Netgain ransomware incident impacts local governments
2021-02-02 08:32

The ransomware incident that Netgain, a provider of managed IT services, suffered late last year has rippled onto its customers. "Netgain determined that the ransomware incident affected data within an application used by Ramsey County's Family Health Division to document home visits" - Ramsey County Government.

Spanish banished: Google Chrome to snub Camerfirma for lax cert management
2021-02-02 08:02

When Google Chrome 90 arrives in April, visitors to websites that depend on TLS server authentication certificates from AC Camerfirma SA, a digital certificate authority based in Madrid, Spain, will find that those sites no longer present the secure lock icon. Mozilla, maker of Chrome rival Firefox, has been trying to decide whether Camerfirma's history of questionable certificate management practices - documented in a lengthy list - warrants banishing the Spanish company's certificates from its Root Store - the set of certificates Firefox recognizes as trustworthy by default.