Security News

Researchers from the Microsoft Threat Intelligence Center have observed the APT it calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb, to attack Active Directory Federation Services servers. Once a server is compromised, the threat group deploys FoggyWeb "To remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificates and token-decryption certificates," he said, which can be used to penetrate into users' cloud accounts.

Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with "High confidence" to a threat actor operating out of China. "The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team said in a detailed write-up describing the exploit.

Autodesk, makers of computer-aided design software for manufacturing, has told the US stock market it was targeted as part of the the supply chain attack on SolarWinds' Orion software. In a filing with the American Stock Exchange Commission, Autodesk said it had identified a compromised server in the wake of public reporting of the SolarWinds breach.

Autodesk has confirmed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain attack, almost nine months after discovering that one of its servers was backdoored with Sunburst malware. "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents," Autodesk said in a recent 10-Q SEC filing.

Robert Chesney wrote up the Solar Winds story as a case study, and it’s a really good summary.

Bart McDonough: I think when people hear the term financial services? I think that the lay person thinks of banking, and they're right to be concerned about cybersecurity at banks, but candidly, those organizations are really well-equipped. So I think that right there should be a wake-up call to the regulatory bodies, certainly to the industry about the risks that are facing these kind of other financial services.

SolarWinds is urging a US federal judge to throw out a lawsuit brought against it by aggrieved shareholders who say they were misled about its security posture in advance of the infamous Russian attack on the business. Financial newswire Reuters reported that the suit was originally filed over allegations that former SolarWinds chief exec Kevin Thompson cut cybersecurity efforts in the hope of driving greater dividends into the pockets of major investors, Silver Lake and Thoma Bravo, who each reportedly held around 40 per cent of SolarWinds' stocks at the time.

The US Department of Justice says that the Microsoft Office 365 email accounts of employees at 27 US Attorneys' offices were breached by the Russian Foreign Intelligence Service during the SolarWinds global hacking spree. Even though other districts were also affected by the attacks to a lesser degree, the Russian SVR state hackers managed to breach the O365 email accounts of at least 80 percent of employees from US Attorneys' offices located in the Eastern, Northern, Southern, and Western Districts of New York.

Microsoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution exploit is the handiwork of a Chinese threat actor dubbed "DEV-0322.". While it was previously revealed that the attacks were limited in scope, SolarWinds said it's "Unaware of the identity of the potentially affected customers."

Microsoft said on Tuesday that a recently patched SolarWinds Serv-U zero-day vulnerability has been exploited by a Chinese threat group. IT management solutions provider SolarWinds over the weekend informed customers that its Serv-U Managed File Transfer and Serv-U Secure FTP products are affected by a remote code execution vulnerability that has been exploited in targeted attacks.