backdoors – Page 5 – WindowsTechs.com

Chinese Supply-Chain Attack on Computer Systems

Posted on February 13, 2021 by Bruce Schneier

Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Levono, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the …

Continue reading Chinese Supply-Chain Attack on Computer Systems→

Another SolarWinds Orion Hack

Posted on February 4, 2021 by Bruce Schneier

At the same time the Russians were using a backdoored SolarWinds update to attack networks worldwide, another threat actor — believed to be Chinese in origin — was using an already existing vulnerability in Orion to penetrate networks:

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.

[…]

Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies…

Continue reading Another SolarWinds Orion Hack→

After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case

Posted on January 29, 2021 by Sean Lyngaas

As the U.S. investigation into the SolarWinds hacking campaign grinds on, lawmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago. A group of lawmakers led by Sen. Ron Wyden, D-Ore., are asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government. Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm’s software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill— and concern in the Pentagon about the potential exposure of its contractors to the hack — there has been no public U.S. government assessment of who carried out the hack, and what data was accessed. Lawmakers are […]

The post After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case appeared first on CyberScoop.

Continue reading After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case→

Police Have Disrupted the Emotet Botnet

Posted on January 28, 2021 by Bruce Schneier

A coordinated effort has captured the command-and-control servers of the Emotet botnet:

Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware regular themes include invoices, shipping notices and information about COVID-19.

Those behind the Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including …

Continue reading Police Have Disrupted the Emotet Botnet→

SVR Attacks on Microsoft 365

Posted on January 21, 2021 by Bruce Schneier

FireEye is reporting the current known tactics that the SVR used to compromise Microsoft 365 cloud data as part of its SolarWinds operation:

Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques:

Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism…

Continue reading SVR Attacks on Microsoft 365→

Injecting a Backdoor into SolarWinds Orion

Posted on January 19, 2021 by Bruce Schneier

Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:

Key Points

SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWind… Continue reading Injecting a Backdoor into SolarWinds Orion→

Backdoor in Zyxel Firewalls and Gateways

Posted on January 6, 2021 by Bruce Schneier

This is bad:

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

[…]

Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.

“The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday…

Continue reading Backdoor in Zyxel Firewalls and Gateways→

Russia’s SolarWinds Attack

Posted on December 28, 2020 by Bruce Schneier

Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US,… Continue reading Russia’s SolarWinds Attack→

Microsoft identifies second hacking group affecting SolarWinds software

Posted on December 21, 2020 by Sean Lyngaas

Microsoft revealed that a second hacking group had deployed malicious code that affects software made by SolarWinds, the federal contractor at the center of a suspected Russian espionage campaign against multiple U.S. government agencies. “[T]he investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” a Microsoft research team said in a blog post on Friday. The discovery underscores the extent to which Texas-based SolarWinds, whose software is used throughout Fortune 500 companies, is a valuable target for hackers. The newly revealed malware, known to researchers as Supernova, differs from the alleged Russian tampering because it does not appear to involve a compromise of the supply chain, Microsoft said. The Supernova code does, however, allow an attacker to send and execute […]

The post Microsoft identifies second hacking group affecting SolarWinds software appeared first on CyberScoop.

Continue reading Microsoft identifies second hacking group affecting SolarWinds software→

Well-developed backdoor can harvest information from restaurants, bars and hotels, researchers say

Posted on November 12, 2020 by Joe Warminsky

Restaurants, bars and hotels are taking a big hit from the coronavirus pandemic, but they still can be inviting targets for cybercriminals. A point-of-sale-system widely used in the hospitality industry to process credit card payments and other transactions — ORACLE MICROS Restaurant Enterprise Series (RES) 3700 — is vulnerable to a backdoor that allows attackers to see some of the information in the system’s databases, according to researchers at Slovakia-based cybersecurity company ESET. The researchers stress that highly sensitive pieces of information — such as credit card numbers and expiration dates – do not appear to be vulnerable to the malware, which they’re calling ModPipe. The malicious software, for now, harvests only “data stored in the clear,” ESET says, including cardholder names. But ModPipe potentially could be the conduit for more harmful malware, given that it is modular — meaning that it’s designed for attackers to swap features in and out. […]

The post Well-developed backdoor can harvest information from restaurants, bars and hotels, researchers say appeared first on CyberScoop.

Continue reading Well-developed backdoor can harvest information from restaurants, bars and hotels, researchers say→