#AxisOfEasy 176: Anybody Who Hasn’t Been Hacked By STARBURST, Please Raise Your Hand

Weekly Axis Of Easy #176

Last Week’s Quote, “The persistent trick of modern politics – that appears to fool us repeatedly – is to disguise economic and political interests as cultural movements,” was George Monbiot. It was suggested by Anne B (thanks) and answered via email by somebody who didn’t want to post to the blog.

This Week’s Quote: “I’d rather have questions that can’t be answered than answers that can’t be questioned.” Bonus prize this week: the first person to answer gets a renewal and a promo code for a free copy of the audiobook version of Charles Hugh Smith’s A Hacker’s Teleology.

THE RULES: No searching up the answer, must be posted to the blog. The place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


Unless something completely unhinged happens, this will be the last edition of #AxisOfEasy for 2020. 
We wish one and all a very Merry Christmas, a Happy New Year and we look forward to seeing you again in 2021.
Here are our holiday season hours over the next few weeks.
24 December – we are closing at 3:00 pm Eastern 
25 December – CLOSED 
26 December – open from 12 pm-6 pm Eastern 
31 December – we are closing at 3:00 pm Eastern
01 January – CLOSED
In this issue:

  • FireEye and US Treasury Department hacked, Russia blamed
  • Solarwinds Hacked and was attack vector for all of the above and more
  • Google falls out of bed with Monday morning outage
  • Microsoft reports malware campaign for ad injection
  • The anti-trust hammer falls on Facebook (maybe)
  • Subway’s email CRM hacked, used to send malware
  • Euro regulator hacked, documents on Pfizer vaccine breached
  • Magecart embedded in CSS files
  • AoE Salon #34: Taking back our Capital and Agency
FireEye and US Treasury Department hacked, Russia blamed

Security consulting company FireEye has been hacked and its “Red Team” tools, its proprietary intrusion detection and testing toolkit, have been stolen. In a blog post about the incident the company attributed the breach to a highly skilled nation-state actor possessing “world class capabilities.” FireEye’s clients include government agencies at all levels and Fortune 500 companies globally.

“The stolen ‘red team’ tools — which amount to real-world malware — could be dangerous in the wrong hands.”

FireEye, in an effort to mitigate the damage potential of the toolkits being in the wild, has published countermeasures (detection signatures) for them, giving security teams the ability to build out defences against them.

The attack is being widely attributed to Russia (which I have to admit, kinda gets an eyeroll from me).

As I was writing this, a Washington Post article also trotted out Russian hackers in a piece about a breach at the US Treasury Department, citing as its source material a one-sentence report from Reuters. The entire Reuters report is as follows:

“A sophisticated hacking group backed by a foreign government stole information from the U.S. Treasury Department and a U.S. agency responsible for deciding policy around the internet and telecommunications, according to people familiar with the matter.”

From this sentence, the Washington Post ran a story that starts out with “Russian government hackers breached the Treasury and Commerce departments,” attributing the allegation to “people familiar with the matter.”

Read: https://www.reuters.com/article/usa-cyber-amazoncom-idUSL1N2IT0HS

I find it frustrating that the mainstream media bias is always quick to blame things on Russia and slow to acknowledge documented hostile behaviour from China. It’s just kind of strange.

Solarwinds Hacked and was attack vector for all of the above and more

The last 12 hours was one of those times when big news came out that caused me to update or alter the contents of this newsletter (most of the time, if a big story breaks on the day I’m writing this, I can usually slot it for next week and have the benefit of more context by then, but this time it seemed to all come out as part of the same breaking story.)

Tulsa-based Solarwinds, a publicly traded company (NASDAQ:SWI) with a market cap of over 4B that sells network management software used by a lot of other large companies and organizations, was hacked.

Their supply-chain management suite known as Orion was compromised by hackers and used to deploy malware known as Sunburst inside client networks, including the aforementioned US Treasury department and FireEye. This was the attack vector.

The attacks were not confined to these two targets either; more companies have also been hit, including Microsoft, and, according to that WaPo article, more US government agencies.

By the time this story started circulating, the attribution for the attack had been refined to APT29, a code name used for the Russian Foreign Intelligence Service (SVR), based on unnamed sources.

I do note that FireEye, in their report on the SolarWinds hack (separate from their announcement of their own compromise above), did not attribute it to APT29 and instead assigned this threat actor a new label, UNC2452.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 about SUNBURST late Sunday evening.

Read: https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html

And: https://cyber.dhs.gov/ed/21-01/

Google falls out of bed with Monday morning outage

As if all this wasn’t enough to deal with on a weekend headed into the holiday season, in the early hours of Monday morning Google looks to have experienced a total system outage across most services worldwide that lasted the better part of an hour, starting at about 6:45am ET and resolving by 7:30am.

According to CNN, the Google services dashboard displayed red across all services. Among those affected were Gmail (everybody just loves it when they can’t access their email), YouTube, and Google Classroom, which affected remote learning sessions.

Microsoft reports malware campaign for adware injection

Microsoft has issued a report on an ongoing malware campaign that injected bogus ads into multiple web browsers. This is a separate incident from their being hacked by SUNBURST mentioned above.

In this case, they report that:

“A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers—Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox—exposing the attackers’ intent to reach as many Internet users as possible.”

The article contains a screen grab of a browser with legitimate ads beside one with the injected ones, produced by a malware strain called Adrozek.

Those attackers are monetizing their exploits by hijacking search terms and overlaying the intended ads with their own ads which route clicks to affiliate sites, thereby earning them income for traffic.

The anti-trust hammer falls on Facebook (maybe)

This was supposed to be the lead story in this week’s AxisOfEasy and look where we are now, well below the fold. Facebook anti-trust is so last week. Anyhoo. AGs from 46 US states, the territory of Guam and the District of Columbia banded together in a massive anti-trust suit against Facebook, alleging that the social media giant suppressed competition by acquiring challengers such as Instagram and WhatsApp.

The news sphere was alight with talk about a breakup of the company, somewhat as if it was a done deal, however, as we discussed in our last AxisOfEasy salon, this could drag out for a long time and the outcome is far from certain.

The lawsuit can be read here and alleges that:

“the company bought competitors “illegally” and in a “predatory manner” in order to grow and preserve its market power.”

The suit asks that Facebook be restrained from making any acquisitions in excess of $10 million dollars without seeking prior approval (I guess they won’t be buying TikTok then?)

Subway UK’s email CRM hacked, used to send malware (SolarWinds)

It looks like Subway’s UK division had their marketing email CRM hacked. Attackers then used the system to send out fake order confirmation emails that contained a “view details”-type link that led to Excel spreadsheets infected with TrickBot. TrickBot is one of the more prevalent pieces of malware out there; once it has infected a machine, it scoops out saved login credentials from your web browser and VNC applications and spreads through your network. It frequently also lays the basis for a later ransomware attack.

Subway UK customers suspected a breach because some of them used canary emails (unique addresses that let the user create a distinct email address for each vendor; highly recommended).

Marketing CRMs frequently live outside the core networks of the companies that use them and are prone to being overlooked in maintenance and updates. We had a marketing CRM of ours hacked once a few years ago. Fortunately, it was only used to send a plain ole fashioned phishing email and not malware. It was so badly done that nobody fell for it. We got lucky, and it was detected quickly because our automated RBL monitors detected that it had been added to an email blocklist rather quickly, a feature we included in Domainsure for exactly this reason.
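Two of the detections this section describes, written out as an added example (this is not Domainsure’s code, nor Subway’s): a DNSBL/RBL check of the kind that caught our compromised CRM, and a canary-address check of the kind Subway’s customers used. The blocklist zone names, the vendor-to-domain map and the stub resolver are assumptions made for the example; the resolver is injectable so the block runs offline here and can be pointed at a real DNS client in a monitor.

```python
"""Added example, not code from the newsletter, Domainsure or Subway.

1. DNSBL check: an IP is listed when its reversed-octet name under the
   blocklist zone resolves to an A record inside 127.0.0.0/8.
2. Canary-address attribution: mail arriving at user+<vendor>@example.com
   tells you which vendor's mailing list it came through; whether the
   sender domain is the vendor's own separates "the vendor's own mail
   system is sending this" (the Subway case) from "the address leaked".
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, Optional

# Assumed zone names; any DNSBL using the 127.0.0.x answer convention works.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]
_LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of `ip` and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbls(ip: str, zones: Iterable[str],
                 resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists `ip`.

    `resolve(name)` returns the A record as a dotted string, or None for
    NXDOMAIN. Only answers inside 127.0.0.0/8 count as a listing; anything
    else (a wildcarded or decommissioned zone) is ignored rather than
    reported as a hit.
    """
    listed: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if not answer:
            continue
        try:
            if ipaddress.IPv4Address(answer) in _LISTED_NET:
                listed[zone] = answer
        except ValueError:
            pass  # malformed answer: not a listing
    return listed


# Assumed map of canary tag -> domains that vendor legitimately mails from.
VENDOR_DOMAINS = {"subway": {"subway.co.uk", "subway.com"}}
_SUBADDR_RE = re.compile(r"^[^+@]+\+([^@]+)@[^@]+$")


def canary_tag(rcpt: str) -> Optional[str]:
    """The vendor tag from a sub-addressed recipient, or None if there is none."""
    m = _SUBADDR_RE.match(rcpt.strip().lower())
    return m.group(1) if m else None


def attribute_canary(rcpt: str, sender_domain: str) -> Optional[Dict[str, object]]:
    """Attribute an inbound message to the vendor whose canary address it hit."""
    tag = canary_tag(rcpt)
    if tag is None:
        return None
    expected = VENDOR_DOMAINS.get(tag, set())
    return {
        "vendor": tag,
        "known_vendor": bool(expected),
        "sender_is_vendor": sender_domain.lower() in expected,
    }


if __name__ == "__main__":
    # Constructed stub resolver: one CRM sending IP is listed, the other is not.
    table = {"10.2.0.192.zen.spamhaus.org": "127.0.0.2"}
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, check_dnsbls(ip, DNSBL_ZONES, table.get) or "clean")
    print(attribute_canary("alice+subway@example.com", "subway.co.uk"))
```

In a monitor you would run `check_dnsbls` on a schedule against every IP your CRM sends from and alert on any non-empty result; a listing appearing overnight is often the first external signal that the platform has been abused. The canary result is for the receiving side: a phishing message hitting the `subway` canary with `sender_is_vendor` true points at the vendor's own sending system, not at a leaked address list.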

Euro regulator hacked, documents on Pfizer vaccine breached

Last week Pfizer announced that documents related to their COVID-19 vaccine had been illegally accessed when the European Medicines Agency (EMA), the regulator that oversees the use of medicines across the EU, was hacked. One wonders if they were using Solarwinds Orion software.

The regulator says that the documents that had been accessed included the regulatory approval filing from Pfizer and its European partner, BioNTech.

Neither Pfizer nor BioNTech themselves have been breached. Just an EMA server.

In other pandemic related news, a whistleblower in Florida was arrested for releasing non-official data about COVID infections and fatalities. Jesse Hirsh also covered this over in Metaviews in his issue about the FireEye hack which predated the info that came out later.

Tangentially related to all this is a piece via Global News about the ethics (or not) of mandatory vaccinations in Ontario, and everywhere else I suppose.

Magecart embedded in CSS files

Last week we reported on how Magecart, that credit card stealing malware that targets Magento servers, was being embedded in innocuous looking social media sharing icons. Now comes the news that it’s being hidden away in website stylesheets as well.

“By hiding their payment info stealer script within CSS code, this skimmer’s creators successfully bypassed detection by automated security scanners and avoided raising any flags even when examined in manual security code audits.”

The new technique was uncovered by Dutch security researchers at Sansec who found it in three online e-commerce stores (so far) and were the same team who discovered the social media sharing icons technique mentioned last week.
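A defender-side heuristic for the problem this item raises, as an added example that is neither Sansec’s detection nor the skimmer itself: a stylesheet is plain text that scanners tend to treat as inert, so a scan of the storefront’s CSS should look at the few places where it can carry something other than styling. The rules, the allowlisted host and both sample stylesheets below are constructed for the example and do not reproduce the specific trick the researchers found.

```python
"""Added example: heuristic scan of a storefront stylesheet (not Sansec's code).

Flags: resources pulled from hosts outside an allowlist (@import, url()),
non-asset data: URIs, legacy script vectors, custom properties (--name)
whose value looks like code, an off-site URL or a base64 blob (their
values are inert to the renderer but readable from JS), and comments
carrying the same.
"""
import re
from typing import Iterable, List, NamedTuple
from urllib.parse import urlparse


class Finding(NamedTuple):
    rule: str
    snippet: str


ALLOWED_HOSTS = {"cdn.example.com"}  # assumed: hosts the store legitimately loads from
_ASSET_MIME = ("image/", "font/", "application/font", "application/x-font")

_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
_IMPORT_RE = re.compile(r"@import\s+(?:url\()?\s*['\"]?([^'\")\s;]+)", re.I)
_CUSTOM_PROP_RE = re.compile(r"(--[\w-]+)\s*:\s*([^;}]+)", re.S)
_LEGACY_RE = re.compile(r"expression\s*\(|behavior\s*:|-moz-binding\s*:|javascript\s*:", re.I)
_CODE_LIKE_RE = re.compile(r"<script|eval\s*\(|fromCharCode|document\.|window\.|innerHTML", re.I)
_HTTP_RE = re.compile(r"https?://[^\s'\")]+", re.I)
_B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def _host(ref: str) -> str:
    ref = ref.strip()
    if ref.startswith("//"):          # protocol-relative reference
        ref = "https:" + ref
    return (urlparse(ref).hostname or "").lower()


def _offsite(text: str, allowed: set) -> List[str]:
    return [h for h in (_host(u) for u in _HTTP_RE.findall(text)) if h and h not in allowed]


def scan_css(css: str, allowed_hosts: Iterable[str]) -> List[Finding]:
    allowed = {h.lower() for h in allowed_hosts}
    comments = _COMMENT_RE.findall(css)
    body = _COMMENT_RE.sub("", css)
    findings: List[Finding] = []

    for m in _LEGACY_RE.finditer(body):
        findings.append(Finding("legacy-script-vector", m.group(0)))

    for ref in _IMPORT_RE.findall(body) + _URL_RE.findall(body):
        if ref.lower().startswith("data:"):
            mime = ref[5:].split(";", 1)[0].split(",", 1)[0].lower()
            if not mime.startswith(_ASSET_MIME):
                findings.append(Finding("data-uri-non-asset", ref[:60]))
            continue
        host = _host(ref)
        if host and host not in allowed:
            findings.append(Finding("external-host", host))

    for name, value in _CUSTOM_PROP_RE.findall(body):
        if _CODE_LIKE_RE.search(value) or _B64_RE.search(value) or _offsite(value, allowed):
            findings.append(Finding("suspicious-custom-property", f"{name}: {value.strip()[:60]}"))

    for c in comments:
        if _CODE_LIKE_RE.search(c) or _B64_RE.search(c) or _offsite(c, allowed):
            findings.append(Finding("suspicious-comment", c[:60]))

    return list(dict.fromkeys(findings))  # drop duplicates, keep order


# Constructed samples (not real stylesheets from any store).
BENIGN_CSS = """
/* site theme */
@import url("https://cdn.example.com/fonts.css");
:root { --brand: #0a84ff; --gap: 1.5rem; }
.hero { background: url(/img/hero.jpg) no-repeat; }
.icon { background: url(data:image/svg+xml;base64,PHN2Zy8+); }
"""
_BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 3   # 105 base64-looking chars
SUSPICIOUS_CSS = (
    ':root { --brand: #0a84ff; --cfg: "https://stats-collector.invalid/c.php?x="; '
    "--p: " + _BLOB + "; }\n"
    ".x { behavior: url(#default#userData); }\n"
    '.y { background: url("//assets-cdn.invalid/pixel.gif"); }\n'
)

if __name__ == "__main__":
    for f in scan_css(SUSPICIOUS_CSS, ALLOWED_HOSTS):
        print(f.rule, "->", f.snippet)
```

Run it against every stylesheet the checkout pages load and diff the findings against the last known-good build; an `external-host` or `suspicious-custom-property` finding that appears in a file nobody changed is worth a manual look, since a skimmer still has to reach an off-site collector somehow.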

AoE Salon #34: Taking back our Capital and Agency

In our weekly salon, Jesse, Charles and I discussed the reclaiming of our capital and agency in a world increasingly driven by black-box algorithms (and empty-headed policy makers):

Watch: https://axisofeasy.com/podcast/salon-34-reclaiming-capital-and-agency/


6 thoughts on “#AxisOfEasy 176: Anybody Who Hasn’t Been Hacked By STARBURST, Please Raise Your Hand”

  1. You asked to hear from us. I look forward to your podcast every week. It helps me keep up to date on the drive into work.
