CyberScoop Wrote:Microsoft said Thursday that the SolarWinds hackers were able to access company source code, although the technology giant described the incident as largely harmless in an update to an internal investigation.
The initial reports that Microsoft suffered a breach via updates to the SolarWinds Orion software generated some partial denials, but the investigation update helps illuminate what happened, and what didn’t, in an apparent cyber-espionage operation that also hit the federal government and other major companies.
Microsoft has dubbed the SolarWinds cyberattack Solorigate, something cybersecurity firm FireEye has called Sunburst.

Microsoft\s Official Blog Wrote:We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories.
The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.
[We] found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others.

Fox Business Wrote:Parler will likely go offline for "a while" Sunday evening given Amazon Web Services' decision to suspend the upstart social media platform after Wednesday's U.S. Capitol riot, executives said Sunday.
“We are clearly being singled out,” Chief Policy Officer Amy Peikoff told Fox & Friends Weekend one day after Apple suspended Parler from its App Store even as it surged to the No. 1 spot in the free apps section earlier in the day.

Epoch Times Wrote:A website “dedicated to exposing people supporting tyranny and dictatorship in Hong Kong” started receiving reports overnight on Jan. 6 that Hong Kong users were unable to access the site.
Hong Kong Chronicles is a primarily Cantonese site that has been collating a database of information related to the Hong Kong protests, such as incidents of police brutality and the profiles of those allegedly complicit.
In an announcement made on Jan. 7, the site’s chief editor and operator Naomi Chan clarified that the site was not blocking users and had no plan of doing so.
The site’s team found that some Hong Kong Internet service providers (ISPs) had been dropping connections to the site’s server, effectively blocking users’ access to the site’s content. Chan listed Smartone, CMHK, HKBN, PCCW as some of the ISPs that were found to have participated in the blockage.

Epoch Times Wrote:Social media company Parler sued Amazon on Monday, alleging that the Seattle-based firm’s hosting service violated anti-trust laws and their contractual agreement.
The company, which was taken offline by Amazon’s services early Monday morning, asked a federal judge in Washington state to reject Amazon’s shutdown of its services.
Parler argued that Amazon’s move was “motivated by political animus” and designed to reduce competition to benefit Twitter. Twitter is a customer of Amazon Web Services’ division.
The emergency order asked a judge to reject Amazon’s shutdown of Parler’s account and said it is akin to “pulling the plug on a hospital patient on life support.”

Epoch Times Wrote:Parler, in a court filing, accused Amazon Web Services (AWS) of deliberately leaving open Amazon Route 53, a Domain Name System web service, that essentially provided a green light for hackers to attack its data centers.
Parler’s filing in a Washington state court stated that after AWS took Parler offline, “it did a very curious thing” and “left open Route 53.”
The move, according to Parler, “conveniently directed hackers to our backup datacenters and caused them to initiate a sizeable DNS attack.”
“In other words,” the filing read, “AWS essentially illuminated a large neon arrow directing hackers to Parler’s backup datacenters. And the hackers got the message, launching an extremely large attack” that was “250 times larger and 12 – 24 times longer than the average DDoS attack,” referring to a distributed denial-of-service.
Parler noted that Amazon later terminated its Route 53 link, “but the damage was done.”

New York Post Wrote:Twitter refused to take down widely shared pornographic images and videos of a teenage sex trafficking victim because an investigation “didn’t find a violation” of the company’s “policies,” a scathing lawsuit alleges.
The federal suit, filed Wednesday by the victim and his mother in the Northern District of California, alleges Twitter made money off the clips, which showed a 13-year-old engaged in sex acts and are a form of child sexual abuse material, or child porn, the suit states. 
The teen — who is now 17 and lives in Florida — is identified only as John Doe and was between 13 and 14 years old when sex traffickers, posing as a 16-year-old female classmate, started chatting with him on Snapchat, the suit alleges.
Doe and the traffickers allegedly exchanged nude photos before the conversation turned to blackmail: If the teen didn’t share more sexually graphic photos and videos, the explicit material he’d already sent would be shared with his “parents, coach, pastor” and others, the suit states.

Epoch Times Wrote:Cybersecurity firm Malwarebytes said Tuesday it believes that some of its emails were compromised by the same threat actors behind the hack of SolarWinds technology, which caused a breach of U.S. government systems late last year.
In a statement, Malwarebytes said that based on the tactics and techniques of the attack, the Santa Clara, California-based company believes it was “the same threat actor” that attacked SolarWinds, which is used by all five branches of the U.S. military and numerous government agencies.
The company said that while it didn’t use SolarWinds technology, it had been successfully targeted by the same hackers who were able to breach its Microsoft Office 365 and Microsoft Azure environments.
The attack, Malwarebytes said, gave the hackers access to “a limited subset of internal company emails.”
The company added that its internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments
“Our software remains safe to use,” the statement said.

CyberScoop Wrote:Attackers behind an espionage campaign that exploited software built by the federal contractor SolarWinds separated their most prized hacking tool from other malicious code on victim networks to avoid detection, Microsoft said Wednesday.
The findings make clear that, while the hackers have relied on a variety of tools in their spying, the tampered SolarWinds software functioned as the cornerstone of an operation that Microsoft described as “one of the most sophisticated and protracted” of the decade. Multiple U.S. federal agencies focused on national security have been breached in the campaign, which U.S. officials have linked to Russia.
The attackers “apparently deem[ed] the powerful SolarWinds backdoor too valuable to lose in case of discovery,” Microsoft researchers said in its latest blog post. And so the spies ensured that the malicious code they used to move through victim organization was “completely disconnected from the SolarWinds process,” the researchers said.
After the SolarWinds trojan was delivered to organizations, the attackers spent about a month pinpointing victims, according to Microsoft. As early as May 2020, the hackers were doing the “real hands-on-keyboard activity” of moving through victim networks for valuable data, Microsoft said.
The hackers were meticulous in covering their tracks. They prepared unique malicious code implants for each victim machine, according to Microsoft, and changed timestamps of the digital clues they left behind to complicate the recovery process for organizations. Microsoft called the former technique an “incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets.”

CyberScoop Wrote:Gamers are familiar targets for hackers, but those operations often are broadly aimed at stealing data, installing nuisances like adware or disrupting the games themselves.
Sometimes, though, attackers have other things in mind.
A malware operation in Asia appears to be “highly targeted” toward spying on only a handful of users of a popular piece of gaming software, according to cybersecurity researchers at Slovakia-based ESET. The attackers compromised the update mechanism for NoxPlayer, an emulator program that allows Android games to be played on PCs and Macs, ESET says.
It’s a supply-chain attack, not unlike others with much bigger footprints and much larger geopolitical effects. The perpetrators appear to have broken into infrastructure at Hong Kong-based BigNox, which makes NoxPlayer, to add the malware to the updates that go to customers.
...
Those victims are based in Taiwan, Hong Kong and Sri Lanka.
It’s unclear who’s running the spy campaign, which ESET is calling Operation NightScout, and what they might want.

CyberScoop Wrote:Three federal agencies teamed up with an organization that shares threat information between states to issue an alert late Thursday explaining how the breach, in which a hacker allegedly tried to raise sodium hydroxide levels to amounts that are harmful to humans, might have unfolded. Initial clues suggest the incident, which was detected before it amounted to a threat to public drinking water, was made possible by lax data protection strategies and exploitation of a software tool.

Several US Authorities Wrote:The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system.
Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system.

Several US Authorities Wrote:The unidentified actors accessed the water treatment plant’s SCADA controls via remote access software, TeamViewer, which was installed on one of several computers the water treatment plant personnel used to conduct system status checks and to respond to alarms or any other issues that arose during the water treatment process.
All computers used by water plant personnel were connected to the SCADA system and used the 32-bit version of the Windows 7 operating system.
Further, all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed.

CyberScoop Wrote:A spokesperson for the Massachusetts department said they had received the details from the EPA or Environmental Protection Agency.
Email addresses and passwords with the domains ci.oldsmar.fl.us and myoldsmar.com surfaced days before the breach in what’s being called the COMB data leak, for “Compilation of Many Breaches.” Credentials belonging to Oldsmar city employees were included in that leak as CyberNews first revealed and CyberScoop confirmed with Allan Liska, a senior security architect at Recorded Future who tracks dark web acitivity.

CyberScoop Wrote:President Joe Biden is giving a reprieve to Chinese apps that his predecessor’s administration had put on the defensive.
On Thursday, the Commerce Department said in a court filing that it was reviewing the Trump administration’s bid to ban WeChat. It comes one day after a similar court filing where Commerce said it was reviewing the proposed ban on TikTok, and after the Biden administration has reportedly “indefinitely” placed on hold the plans to force the sale of TikTok’s American division to Oracle and Walmart.
In Thursdays’ filing, the department asked the Ninth Circuit Court of Appeals to pause a court case challenging the WeChat ban, which the Trump administration sought to implement in response to what it deemed the national security threat the app posed.

Krebs on Security Wrote:Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender’s site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API — a capability that allows lenders to automate queries for FICO credit scores from the credit bureau.

Quote:This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.

Quote:Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID. Constant Contact is a service used for email marketing. From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.

 Why did they do that?

Quote:First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Quote:Our teams have continued to investigate the latest wave of phishing attacks launched by Nobelium. Based on what we currently know, the security community should feel good about the collective work done to limit the damage done by this wave of attacks. As we have notified our targeted customers and watched closely for other reports, we are not seeing evidence of any significant number of compromised organizations at this time.

Fox Business Wrote:REvil, aka Sodinokibi, was tagged by the FBI on Wednesday as the group behind the ransomware that forced meat producer JBS USA to temporarily shut down its operations.

In April, REvil (short for Ransomware Evil), demonstrated the use of a tactic called triple extortion, according to a research note from Check Point Research.

At that time, the gang launched an attack on Quanta Computer, a Taiwan-based laptop manufacturer which builds systems for U.S. companies such as Apple, Dell and Hewlett-Packard. The group went on to attempt to extort Apple directly, claiming to have confidential blueprints of future Apple products – adding yet another layer of ransom demands.

Darkside, the gang behind the Colonial Pipeline cyberattack, has also adopted the new ransomware tactic.

Quote:Double extortion goes further by tacking on threats to leak the data. This is meant to increase the pressure on victims to pay the ransom. In some cases, the data leak is a separate ransom, so the victim is being extorted for two payments.

Triple extortion expands the reach to customers, partners and other third parties related to the initial breach in an effort to extort even more money.

Also, the addition of a Distributed Denial of Service (DDoS) attack to the mix – overwhelming the victim organization with a flood of internet traffic in order to bring down its network – can also be a form of triple extortion.

Quote:While the Finnish psychotherapy clinic, with over 40,000 patients, suffered extensive patient data theft and a ransomware attack, smaller sums were also demanded from the patients, who individually received ransom demands. The attackers also threatened to publish their therapist session notes.

Quote:Scammers are continuing to target WhatsApp users and hijack their accounts, by posing as a friend and asking for SMS security codes.
The scam has existed for years but has continued to catch people out, with victims sharing their stories on social media.
WhatsApp says users should never hand over their security codes to anybody, even if they appear to be a friend.

Quote:You may be a target of the scam if you receive an SMS text message with a six-digit WhatsApp code that you were not expecting.
In the next step, the scammer sends you a WhatsApp message asking for the six-digit code.

BBC Wrote:...renting screens to gamers, allowing people to play their favourite games on screens that would normally be playing Hollywood blockbusters.