Security News

Lawmakers Ask NSA About Its Role in Juniper Backdoor Discovered in 2015
2021-02-01 18:33

Several U.S. lawmakers sent a letter to the National Security Agency last week in an effort to find out more about its role in the backdoor discovered in Juniper Networks products back in 2015, as well as the steps taken by the agency following the Juniper incident, and why those steps failed to prevent the recent SolarWinds hack. The VPN issue was related to the use of Dual Elliptic Curve Deterministic Random Bit Generator, a NIST-approved cryptographic algorithm that had been known to contain a backdoor introduced by the NSA. Juniper had made some changes to prevent abuse, but the malicious code enabled the backdoor.

Encrypted Services Providers Concerned About EU Proposal for Encryption Backdoors
2021-01-29 12:44

European encrypted services providers ProtonMail, Threema, Tresorit and Tutanota on Thursday urged European Union policy makers to rethink plans that would require the implementation of encryption backdoors. The Council of the European Union in December adopted a resolution on "Security through encryption and security despite encryption." The council said it supports the development and use of strong encryption to protect citizens and organizations, but at the same time it believes law enforcement and judicial authorities need to be able to exercise their legal powers.

North Korea infected infosec bods with backdoors via dodgy blog pages, Visual Studio files – Google
2021-01-26 04:45

North Korea's hackers homed in on specific infosec researchers and infected their systems with a backdoor after luring them to a suspicious website, Google revealed on Monday. "The researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher's system and an in-memory backdoor would begin beaconing to an actor-owned command and control server," said Googler Adam Weidemann.

Injecting a Backdoor into SolarWinds Orion
2021-01-19 12:16

SUNSPOT is StellarParticle's malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.

Vulnerabilities Can Allow Hackers to Create Backdoors in Comtrol Industrial Gateways
2021-01-14 12:38

Several vulnerabilities have been identified in Pepperl+Fuchs Comtrol IO-Link Master industrial gateways, including flaws that researchers claim can be exploited to gain root access to a device and create backdoors. A researcher at Austria-based cybersecurity consultancy SEC Consult discovered five types of vulnerabilities in Pepperl+Fuchs Comtrol industrial products, including cross-site request forgery, reflected cross-site scripting, blind command injection, and denial-of-service issues.

'Sunspot' Malware Used to Insert Backdoor Into SolarWinds Product in Supply Chain Attack
2021-01-12 12:04

CrowdStrike, one of the cybersecurity companies called in by IT management firm SolarWinds to investigate the recently disclosed supply chain attack, on Monday shared details about a piece of malware used by the attackers to insert a backdoor into SolarWinds' Orion product. According to CrowdStrike, the threat group behind the attack on SolarWinds used a piece of malware named Sunspot to inject the previously analyzed Sunburst backdoor into the Orion product without being detected.

Unveiled: SUNSPOT Malware Was Used to Inject SolarWinds Backdoor
2021-01-11 22:29

As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform. "This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna explained.

Sunburst backdoor shares features with Russian APT malware
2021-01-11 09:07

Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shows shared features with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group. Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the SolarWinds hack.

'Earth Wendigo' Hackers Exfiltrate Emails Through JavaScript Backdoor
2021-01-06 20:44

A newly identified malware attack campaign has been exfiltrating emails from targeted organizations using a JavaScript backdoor injected into a webmail system widely used in Taiwan. As an initial attack vector, the group used spear-phishing emails containing obfuscated JavaScript code meant to load malicious scripts from an attacker-controlled remote server.

Backdoor in Zyxel Firewalls and Gateways
2021-01-06 11:44

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel. Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the "Zyfwp" username and the "PrOw!aN fXp" password.