backdoors – Page 5 – WindowsTechs.com

US to publish details on suspected Russian hacking tools used in SolarWinds espionage

Posted on March 31, 2021 by Sean Lyngaas

U.S. military and security officials are preparing to publish one of their most detailed analyses yet of the hacking tools used by suspected Russian spies in a campaign that the Biden administration has labeled a national security threat. The “malware analysis report” from U.S. Cyber Command and the Department of Homeland Security, which CyberScoop obtained, spotlights 18 pieces of malicious code allegedly used by Russian hackers, who exploited software made by the federal contractor SolarWinds and other vendors on their way to infiltrating nine U.S. government agencies and 100 companies. The report, slated for public release Wednesday afternoon, sheds light on a historic espionage campaign that U.S. officials have, at times, been cautious to publicly detail. It’s an analysis from U.S. government cybersecurity specialists of how the alleged Russian operatives moved from network to network, and builds on private sector reporting. Cyber Command and DHS’s Cybersecurity and Infrastructure Security Agency […]

The post US to publish details on suspected Russian hacking tools used in SolarWinds espionage appeared first on CyberScoop.

Continue reading US to publish details on suspected Russian hacking tools used in SolarWinds espionage→

Encryption Backdoor Debate, Microsoft Exchange Attacks, Airline Supplier Data Breach

Posted on March 15, 2021 by Tom Eston

Why is federal law enforcement (still) asking Congress for encryption backdoors? Attacks on Microsoft Exchange servers seem to have gotten worse, details on an airline supplier data breach, and the real reason Kevin hasn’t replaced his Chewbacca manneq… Continue reading Encryption Backdoor Debate, Microsoft Exchange Attacks, Airline Supplier Data Breach→

Chinese Supply-Chain Attack on Computer Systems

Posted on February 13, 2021 by Bruce Schneier

Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Levono, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the …

Continue reading Chinese Supply-Chain Attack on Computer Systems→

Another SolarWinds Orion Hack

Posted on February 4, 2021 by Bruce Schneier

At the same time the Russians were using a backdoored SolarWinds update to attack networks worldwide, another threat actor — believed to be Chinese in origin — was using an already existing vulnerability in Orion to penetrate networks:

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.

[…]

Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies…

Continue reading Another SolarWinds Orion Hack→

After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case

Posted on January 29, 2021 by Sean Lyngaas

As the U.S. investigation into the SolarWinds hacking campaign grinds on, lawmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago. A group of lawmakers led by Sen. Ron Wyden, D-Ore., are asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government. Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm’s software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill— and concern in the Pentagon about the potential exposure of its contractors to the hack — there has been no public U.S. government assessment of who carried out the hack, and what data was accessed. Lawmakers are […]

The post After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case appeared first on CyberScoop.

Continue reading After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case→

Police Have Disrupted the Emotet Botnet

Posted on January 28, 2021 by Bruce Schneier

A coordinated effort has captured the command-and-control servers of the Emotet botnet:

Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware regular themes include invoices, shipping notices and information about COVID-19.

Those behind the Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including …

Continue reading Police Have Disrupted the Emotet Botnet→

SVR Attacks on Microsoft 365

Posted on January 21, 2021 by Bruce Schneier

FireEye is reporting the current known tactics that the SVR used to compromise Microsoft 365 cloud data as part of its SolarWinds operation:

Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques:

Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism…

Continue reading SVR Attacks on Microsoft 365→

Injecting a Backdoor into SolarWinds Orion

Posted on January 19, 2021 by Bruce Schneier

Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:

Key Points

SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWind… Continue reading Injecting a Backdoor into SolarWinds Orion→

Backdoor in Zyxel Firewalls and Gateways

Posted on January 6, 2021 by Bruce Schneier

This is bad:

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

[…]

Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.

“The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday…

Continue reading Backdoor in Zyxel Firewalls and Gateways→

Russia’s SolarWinds Attack

Posted on December 28, 2020 by Bruce Schneier

Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US,… Continue reading Russia’s SolarWinds Attack→