Security News

Pangu Lab in China just published a report of a hacking operation by the Equation Group (aka the NSA). It noticed the hack in 2013, and was able to map it with Equation Group tools published by...

Pangu Lab's incident analysis involved three servers, one being the target of an external attack and two other internal machines - an email server and a business server. According to the researchers, the threat actor pivoted established a connection between the external server and the email server via a TCP SYN packet with a 264-byte payload. "At almost the same time, the [email] server connects to the [business] server's SMB service and performs some sensitive operations, including logging in to the [business] server with an administrator account, trying to open terminal services, enumerating directories, and executing Powershell scripts through scheduled tasks" - Pangu Lab.

Pangu Lab has identified what it claims is a sophisticated backdoor that was used by the NSA to subvert highly targeted Linux systems around the world for more than a decade. The China-based computer-security outfit says it first spotted the backdoor code, or advanced persistent threat, in 2013 when conducting a forensic investigation on a host in "a key domestic department" - presumably a Chinese company or government agency.

Cybersecurity authorities from Australia, the U.K., and the U.S. have published a joint advisory warning of an increase in sophisticated, high-impact ransomware attacks targeting critical infrastructure organizations across the world in 2021. "Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors' growing technological sophistication and an increased ransomware threat to organizations globally," the agencies said in the joint bulletin.

MIT Technology Review published an interview with Gil Herrera, the new head of the NSA's Research Directorate. The math department, often in conjunction with the computer science department, helps tackle one of NSA's most interesting problems: big data.

Amid renewed tensions between the U.S. and Russia over Ukraine and Kazakhstan, American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors. To that end, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and National Security Agency have laid bare the tactics, techniques, and procedures adopted by the adversaries, including spear-phishing, brute-force, and exploiting known vulnerabilities to gain initial access to target networks.

Cybersecurity agencies from Australia, Canada, New Zealand, the U.S., and the U.K. on Wednesday released a joint advisory in response to widespread exploitation of multiple vulnerabilities in Apache's Log4j software library by nefarious adversaries. "Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. These vulnerabilities are likely to be exploited over an extended period."

CISA and the NSA shared guidance on securing cloud-native 5G networks from attacks seeking to compromise information or deny access by taking down cloud infrastructure. The two federal agencies issued these recommendations for service providers and system integrators that build and configure 5G cloud infrastructure, including cloud service providers, core network equipment vendors, and mobile network operators.

The Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the National Security Agency published today an advisory with details about how the BlackMatter ransomware gang operates.The joint cybersecurity advisory from CISA, the FBI, and the NSA shares the tactics, techniques, and procedures associated with BlackMatter activity that could help organizations protect against the BlackMatter ransomware gang.

In a document released last week, the agency provides mitigations against the risks that come with the use of wildcard certificates. A wildcard digital certificate can be used with multiple subdomains on the same domain, so it can cover multiple servers, while a multi-domain certificate is used for multiple domains on a single IP address.