Morphisec Cybersecurity Blog

Security News In Review: Third SolarWinds Malware Strain

Written by Matthew Delman | January 20, 2021 at 2:00 PM

Risk mitigation in cybersecurity is a fast-changing target for companies of all sizes. Each week, the team at Morphisec reads dozens of news sites to keep up with the stories that matter so you can stay on top of the changing threat landscape and better secure your critical infrastructure. 

In this edition of Security News in Review, you’ll find news about a third malware strain researchers uncovered in the SolarWinds supply chain attack, take a look at what Microsoft has resolved in the first Patch Tuesday of 2021, and find some new guidance from CISA about securing the cloud among other impactful news. 

Read on for the news you need to know:

Third malware strain discovered in SolarWinds supply chain attack -- Security firms investigating the SolarWinds supply chain attack have revealed a third malware strain, named Sunspot, that ran on the SolarWinds build server starting in September 2019. The malware's purpose was to watch the build server for the commands that assembled the Orion IT resource management platform.
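Sunspot's value to the attacker came from acting between code review and compilation, so the build-side control that matters is verifying that the tree the compiler reads is byte-for-byte the tree that was reviewed. The following is an added example, not SolarWinds code and not from the referenced research: it hashes an approved source tree into a manifest and gates the build on that manifest, reporting modified, missing and unexpected files. The file paths and contents are constructed sample data.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file body."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the source tree as it was reviewed and approved.
# A real manifest is generated at review time and kept (ideally signed)
# somewhere the build host itself cannot rewrite.
REVIEWED_TREE: Dict[str, bytes] = {
    "src/core/init.cs": b"// reviewed\nclass Init { }\n",
    "src/core/config.cs": b"// reviewed\nclass Config { }\n",
    "build/build.proj": b"<Project />\n",
}
TRUSTED_MANIFEST: Dict[str, str] = {
    path: sha256_hex(body) for path, body in REVIEWED_TREE.items()
}


def verify_tree(manifest: Dict[str, str], tree: Dict[str, bytes]) -> List[str]:
    """Compare the tree the compiler is about to read against the manifest.

    Returns a sorted list of findings; an empty list means the tree is intact.
    Extra files are reported too, since an implant can be a new file rather
    than an edit to an existing one.
    """
    findings: List[str] = []
    for path, expected in manifest.items():
        if path not in tree:
            findings.append(f"missing: {path}")
        elif sha256_hex(tree[path]) != expected:
            findings.append(f"modified: {path}")
    for path in tree:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


def build_allowed(manifest: Dict[str, str], tree: Dict[str, bytes]) -> bool:
    """The build step refuses to run unless the tree verifies cleanly."""
    return not verify_tree(manifest, tree)


def tampered_example() -> Dict[str, bytes]:
    """Constructed tree with one edited file and one file that was never reviewed."""
    tree = dict(REVIEWED_TREE)
    tree["src/core/init.cs"] = b"// reviewed\nclass Init { }\n// injected line\n"
    tree["src/core/extra.cs"] = b"class Extra { }\n"
    return tree


if __name__ == "__main__":
    for name, tree in (("clean", REVIEWED_TREE), ("tampered", tampered_example())):
        if build_allowed(TRUSTED_MANIFEST, tree):
            print(f"{name}: build allowed")
        else:
            print(f"{name}: build blocked, findings: {verify_tree(TRUSTED_MANIFEST, tree)}")
```

The check only helps if the manifest lives outside the build host's write access; a manifest the build agent can regenerate is just another file for the implant to update.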

Ransomware Disrupts Scottish Environment Protection Agency -- The Scottish Environment Protection Agency (SEPA) is dealing with an ongoing ransomware attack by the Conti gang. SEPA is still responding to the threat, and some of its data appears to have already been leaked online. The attack was originally disclosed on December 24, 2020; so far, the attackers have exfiltrated 1.2 GB of SEPA data. SEPA has been posting updates on its Twitter account.

FreakOut botnet targets three recent flaws to compromise Linux devices -- Security researchers at Check Point recently uncovered attacks targeting multiple unpatched flaws in applications running on Linux systems. The attacks target TerraMaster TOS, Zend Framework, and Liferay Portal, with the goal of using the infected systems as attack platforms.

Intel unveils ransomware-fighting CPUs -- At this year's CES, Intel unveiled new anti-ransomware functionality for its 11th generation Core vPro processors. According to SC Magazine, the two new anti-ransomware capabilities are "access to processor-level data to determine ransomware attacks in progress, and the use of GPUs for machine learning to bolster defenses." Intel's reasoning is that it is nearly impossible to hide the processor-level activity required to bulk-encrypt documents, so it is making that data more accessible to security products to detect ransomware attacks in flight.

FIN11 e-crime group shifted to CL0P ransomware and big game hunting -- The FIN11 threat group, which increasingly used CL0P ransomware in its attacks in 2020, appears to rely on low-effort, high-volume techniques such as mass phishing emails, according to a new report from Deutsche Telekom.

Ransomware attacks now to blame for half of healthcare data breaches -- According to new research, ransomware attacks accounted for half of all hospital data breaches in 2020. Most of those breaches could have been prevented by deploying patches promptly. One of the main avenues of compromise is a pair of VPN vulnerabilities in the Citrix ADC, both of which had patches available at the beginning of 2020, yet many organizations still have not deployed them.

Microsoft fixes Defender zero-day in January 2021 Patch Tuesday -- For the first Patch Tuesday of 2021, Microsoft fixed 83 security bugs across its products. The most significant fix by far is CVE-2021-1647, a zero-day vulnerability in Microsoft Defender AV that was exploited in the wild before the patch was released. It is a remote code execution bug that lets threat actors run code on vulnerable machines where Defender AV is installed. Microsoft noted that the technique does not work in all situations and is still at the proof-of-concept level. Even so, it updated the Microsoft Malware Protection Engine with a fix that is pushed automatically, with no user interaction required.

Microsoft Implements Windows Zerologon Flaw 'Enforcement Mode' -- Microsoft is taking matters into its own hands regarding the Windows Zerologon flaw. From February 9, it will enable Active Directory domain controller "Enforcement Mode" by default to mitigate the threat. With enforcement mode on, domain controllers will block vulnerable connections from non-compliant devices, better securing companies against the Zerologon flaw.
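Before enforcement mode lands, the useful preparation is to find the devices that will be cut off. Microsoft's Netlogon guidance has domain controllers log a distinct event ID for each outcome of a vulnerable secure-channel connection, so an export of those events tells you which accounts will break. The following is an added example, not Microsoft's or Morphisec's code: it triages a constructed CSV export of domain controller events into "will break on enforcement", "already denied" and "excepted by policy". The event ID meanings are taken from Microsoft's Zerologon guidance; the accounts, hostnames and addresses are constructed sample data.

```python
import csv
from io import StringIO
from typing import Dict, List, Set

# Netlogon event IDs as documented in Microsoft's guidance for the Zerologon
# (Netlogon secure channel) changes:
#   5827 / 5828  vulnerable connection denied (machine account / trust account)
#   5829         vulnerable connection allowed only because enforcement is not yet on
#   5830 / 5831  vulnerable connection allowed by an explicit exception policy
DENIED: Set[int] = {5827, 5828}
ALLOWED_PRE_ENFORCEMENT: Set[int] = {5829}
ALLOWED_BY_POLICY: Set[int] = {5830, 5831}

# Constructed sample export of System-log events from two domain controllers.
# The 4624 row is an unrelated logon event, included to show it is ignored.
SAMPLE_EVENTS = """event_id,domain_controller,account,source_ip
5829,DC01,BUILD-LNX01$,192.0.2.15
5829,DC01,PRINTSRV$,192.0.2.23
5827,DC02,OLDNAS$,192.0.2.40
5829,DC02,BUILD-LNX01$,192.0.2.15
5830,DC01,LEGACYAPP$,192.0.2.77
4624,DC01,ALICE,192.0.2.99
"""


def triage_netlogon_events(csv_text: str) -> Dict[str, List[str]]:
    """Bucket Netlogon secure-channel events by what enforcement mode will do.

    Returns sorted, de-duplicated "account (source_ip)" strings per bucket, so a
    device seen on several domain controllers is listed once.
    """
    buckets: Dict[str, Set[str]] = {
        "will_break_on_enforcement": set(),
        "already_denied": set(),
        "excepted_by_policy": set(),
    }
    for row in csv.DictReader(StringIO(csv_text)):
        event_id = int(row["event_id"])
        who = f'{row["account"]} ({row["source_ip"]})'
        if event_id in ALLOWED_PRE_ENFORCEMENT:
            buckets["will_break_on_enforcement"].add(who)
        elif event_id in DENIED:
            buckets["already_denied"].add(who)
        elif event_id in ALLOWED_BY_POLICY:
            buckets["excepted_by_policy"].add(who)
        # anything else is not a Netlogon secure-channel event; skip it
    return {name: sorted(members) for name, members in buckets.items()}


if __name__ == "__main__":
    for bucket, members in triage_netlogon_events(SAMPLE_EVENTS).items():
        print(f"{bucket}: {members or 'none'}")
```

The first bucket is the work list: each entry is a device or appliance that still negotiates a vulnerable Netlogon channel and needs a firmware or software update (or a deliberate, time-limited exception) before February 9. The "excepted by policy" bucket is worth reviewing too, since an exception that was meant to be temporary is easy to forget.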

CISA issues recommendations to strengthen cloud security -- The Cybersecurity and Infrastructure Security Agency has issued new guidance for how to strengthen the security of cloud services. As more people work from home, the security of these services becomes critical for business continuity. Among the recommendations are establishing a baseline for normal network activity, reviewing user-created email forwarding rules, enforcing multi-factor authentication, and creating blame-free employee reporting for suspicious activity.
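Of the CISA recommendations above, reviewing user-created email forwarding rules is the one most easily turned into a recurring check, since a rule that quietly copies a mailbox to an outside address survives password resets. The following is an added example and not CISA's or Morphisec's code: it audits a list of forwarding rules, flags any that forward to a domain the organization does not own, and rates a rule higher when it also deletes the original message or has an empty or punctuation-only name. The rule records, mailboxes and the set of internal domains are constructed sample data; a real run would feed it rules exported from the mail platform.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ForwardingRule:
    """One mailbox rule as exported from the mail platform (constructed shape)."""
    mailbox: str
    rule_name: str
    forward_to: List[str] = field(default_factory=list)
    deletes_original: bool = False   # rule also removes the message after forwarding
    created_by_user: bool = True     # as opposed to an admin-managed transport rule


# Assumed: the domains the organization itself owns.
INTERNAL_DOMAINS: Set[str] = {"example.com"}

# Constructed sample rules. example.net / example.org stand in for outside domains.
SAMPLE_RULES: List[ForwardingRule] = [
    ForwardingRule("alice@example.com", "Team alias", ["team@example.com"]),
    ForwardingRule("bob@example.com", "Sync", ["bob.personal@mail.example.net"]),
    ForwardingRule("carol@example.com", ".", ["archive@example.org"], deletes_original=True),
    ForwardingRule("dave@example.com", "Vacation", ["dave@example.com"]),
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding_rules(rules: List[ForwardingRule],
                           internal_domains: Set[str]) -> List[Dict[str, str]]:
    """Return a finding for every rule that forwards mail outside the organization.

    Severity is "high" when the rule also deletes the original (the mailbox
    owner never sees the message) or has an empty / punctuation-only name
    (a rule made to be overlooked), otherwise "medium".
    """
    findings: List[Dict[str, str]] = []
    for rule in rules:
        external = [a for a in rule.forward_to if domain_of(a) not in internal_domains]
        if not external:
            continue
        unnamed = len(rule.rule_name.strip(" .-_")) == 0
        severity = "high" if (rule.deletes_original or unnamed) else "medium"
        findings.append({
            "mailbox": rule.mailbox,
            "rule": rule.rule_name,
            "external": ", ".join(external),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"[{finding['severity']}] {finding['mailbox']} rule {finding['rule']!r} "
              f"forwards externally to {finding['external']}")
```

Internal-to-internal forwarding is left alone on purpose so the report stays short enough to be read every week; the point of the exercise is a list a person will actually act on, with the "high" entries first.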