Russian cybersecurity firm Group-IB discovered login credentials for over 40,000 accounts that unlock government services in more than 30 countries. The credentials were harvested via phishing attacks that distributed spyware tools such as Pony Formgrabber, AZORult, and Qbot. It is believed the logins may have already been sold on underground hacking forums.
As the researchers pointed out, “Even one compromised government employee’s account can lead to the theft of commercial or state secrets.”
Other cybersecurity news:
Seedworm group backdoors telecoms, IT firms and more; 131 victims so far
A cyber-espionage group dubbed Seedworm managed to compromise 131 victims with its Powermud backdoor from late September to mid-November. The backdoor, part of the group’s MuddyWater campaign, steals credentials. Symantec researchers revealed that telecommunications providers and IT services sectors were hit the hardest, although oil and gas production, embassies, universities, and public health agencies were also targeted.
City in Oregon and German manufacturer recover from ransomware attack
The City of North Bend, Oregon, was hit with a ransomware attack. In October, the city’s police department was initially targeted, but the infection quickly spread from the cops’ server to a server for other interconnected departments. North Bend opted not to pay the $50,000 in bitcoin ransom and instead contacted the FBI. The FBI reportedly traced the ransomware attack back to Romania, but agents were unable to identify any cyber thugs who were directly involved with placing the ransomware. North Bend has since recovered from the attack and has decided to add firewall security.
Meanwhile, KraussMaffei, a German manufacturer of injection molding machines, is also recovering from a ransomware attack that hit on Nov. 21. The plant in Munich, with 1,800 employees, was hit the hardest, although the company had to scale back production at several plants. Like the city in Oregon, KraussMaffei didn’t name the ransomware variant, but a Xinhua article points out that the German feds recently issued a warning about Emotet malware.
Saipem Engineering Energy hit with cyber attack
Italian oil services company Saipem Engineering Energy admitted (pdf) that 400 of its servers were hit with a cyber attack on Dec. 10. The attack came out of India on Monday and primarily affected Saipem’s servers in the Middle East. Reuters reported, “Servers in Saudi Arabia, the United Arab Emirates, and Kuwait had been attacked, as too, partially, had infrastructure in Aberdeen in Scotland.” The servers of the main operating centers in Italy, France, and Britain were not affected. Saipem’s biggest client is Saudi Aramco, which was the victim of a huge hack back in 2012, followed by several more over the years.
Variants of Satan ransomware can exploit 10 server-side flaws
Researchers warned that variants of Satan ransomware can exploit 10 server-side flaws. Windows and Linux systems are vulnerable to the self-propagating Lucky malware, a new variant of Satan.
Researchers find Certificate Authorities to be weak point in web crypto
On another depressing note, a BlackHat Europe presentation (pdf) found that five out of 17 Certificate Authorities are vulnerable to spoofed Domain Validation via IP fragmentation attacks.
Super Micro audit found no malicious chips in motherboards
Super Micro said an audit found absolutely no evidence of any malicious chips in its current or older-model motherboards. Super Micro sent a letter about the investigation findings to its customers. The audit is the latest attempt by Super Micro to deny allegations made by Bloomberg in October. Bloomberg claimed Chinese spy chips had been planted in Super Micro’s motherboards — allegations that were also hotly denied by Super Micro customers Apple and Amazon.
DoD considers cybersecurity certification for its contractors
Within the next year, the Pentagon hopes to come up with a method to certify the cybersecurity of Defense Department vendors. Kevin Fahey, assistant secretary of defense for acquisition, said as it is now, vendors are just asked if they are NIST compliant. But he asked, “Is there a way that we certify industry to be cyber-compliant to protect our data? We need to figure it out, and we need to figure it out fast.”
Google+ to shut down early due to Google+ API breach that put 52.5M users at risk
Google+ will shut down in April 2019 instead of August 2019, since there was another Google+ API breach. For six days in November, developers could have accessed profile information that was not set to public. The vice president of Google’s G Suite claimed there is no evidence the bug, which impacted 52.5 million users, was exploited.
Rapid7 released Industry Cyber Exposure Index report
With the Marriott breach, one of the biggest in Fortune 500 history, fresh in our minds, Rapid7 researchers released their “Industry Cyber Exposure Index” report, which reveals the level of exposure represented by Fortune 500 organizations. The findings show that these companies often leave up to 2,500 or more devices or systems exposed and potentially vulnerable. Those with higher attack surfaces include business services, financials, technology, aerospace, chemicals, and retail. The top five industries that have not adopted anti-phishing defenses (DMARC) are chemicals, aerospace, household products, engineering/construction, and energy.
Other highlights include third-party risk exposure via social media, advertising, analytics, and CDN, as well as Fortune 500 companies with the most DNS and WannaCry attacks.