Cybersecurity News – December 29, 2020

Defending the COVID-19 vaccine supply chain

In an editorial, IBM’s Global Lead for Threat Intelligence Nick Rossman makes the case that this supply chain should be treated on the same level as the electrical grid or air traffic control, arguing it is now a part of national critical infrastructure. He points out that pharmaceutical companies, medical manufacturers, and component suppliers in vaccine clinical trials have already been subject to cyberattacks, with a phishing campaign targeting suppliers of the cold storage needed to transport the vaccines. The larger supply chain of suppliers, distributors, storage facilities, and packagers provides a number of vectors to impede the vaccine’s ultimate distribution. For Rossman, the key to defending the supply chain is collective action and a coordinated strategy with an organized approach to threat intelligence sharing.

(Dark Reading)

Cellular aggregation tool detailed in police records

The tool is called CellHawk from Hawk Analytics and is often used by law enforcement. CellHawk collects information provided by cell providers into maps of people’s locations, movements, and relationships, claiming to be able to process a year’s worth of cellular data in 20 minutes. This can allow police departments to take information from so-called “tower dumps” that list all phones connected to a given tower, and create spreadsheets to track connected phones without a warrant. CellHawk can correlate this with GPS and other data generated by a smartphone to show how a person moved and used their phone over time, with the ability to continuously monitor specific phones and send alerts to law enforcement when someone moves out of a geofenced area.

(source)

CISA releases malware detection tool for Azure and Microsoft 365

The PowerShell-based tool called Sparrow is designed for incident responders to look for unusual and potentially malicious activity. The tool was developed by CISA’s Cloud Forensics team and checks the unified Azure/M365 audit log for indicators of compromise (IoCs), lists Azure AD domains, and checks Azure service principals and their Microsoft Graph API permissions to discover potential malicious activity. Sparrow is CISA’s response to a rash of recent identity- and authentication-based attacks seen in multiple sectors.

(Bleeping Computer)

Macro-based malware uses GitHub and Imgur in attacks

Word documents remain a common initial vector for cyberattacks. Researchers at Arkbird shared details about a new technique that uses macros in a Word file to download a PowerShell script from GitHub. This script then initiates the download of a benign-looking image file from the image hosting service Imgur. The pixel values from that image are then used by the PowerShell script to calculate the next-stage payload, ultimately decoding a Cobalt Strike script on Windows systems. After publishing their findings, the researchers found the domain associated with the C2 server the script attempts to reach is no longer available.

(Bleeping Computer)

Thanks to our episode sponsor, ReversingLabs

The SolarWinds attack has highlighted the need to scan “gold” software images prior to their release or consumption, and look for software tampering, invalid digital signing, and build quality issues. Do you have the right controls in place to assess these risks? Learn more about how ReversingLabs can help your security and release teams today and watch an on-demand demo at reversinglabs.com/demo.

Vietnam hit with supply chain attack

An unknown threat actor inserted malicious code into an official government software toolkit, resulting in compromises across Vietnamese private companies and government agencies. The attackers targeted the Vietnam Government Certification Authority (VGCA), which issues the digital certificates used to sign official documents and also provides client apps to automate the process for Vietnamese organizations. The security firm ESET found that between July 23 and August 5 malicious files inserted into two Windows client apps contained a backdoor trojan named PhantomNet. This ultimately served as a framework to launch further attacks, such as bypassing corporate firewalls. When ESET contacted the agency earlier this month, it said the VGCA was already aware of the malware. The agency has now published a tutorial to remove the malware-laden versions.

(ZDNet)

Whirlpool hit with ransomware extortion scheme

Operators of the Nefilim ransomware gang claimed to have successfully hit the multinational corporation with a ransomware attack earlier this month, and are threatening to leak information exfiltrated in the attack if their ransom is not paid. The Nefilim operators leaked some initial data, after claiming negotiations with Whirlpool executives had failed. This year the ransomware gang has also hit the Italian eyewear giant Luxottica and the mobile operator Orange. Whirlpool confirmed the attack and that their systems have been fully restored.

(Security Affairs)

FAA issues drone guidance on night flights and more

The new rules set up the requirements for small drones to fly at night and over groups of people, a requirement for drones to be used in local deliveries. The rules also require drones over 0.55 pounds to broadcast Remote ID messages over radio frequency. This also applies to smaller drones flying over open-air assemblies as a security precaution. Previous rules required smaller drones to transmit location information over the internet. Drone makers have 18 months to begin producing drones with Remote ID systems, while drone operators have another year before being required to use Remote ID-equipped drones.

(Reuters)

Finnish MPs get email hacked

The Finnish Parliament announced that its internal IT systems were compromised by malicious actors, with some MPs’ email accounts accessed. The attack occurred over the fall of 2020 and was discovered in December. The Finnish Central Criminal Police are investigating the activity as a “suspected espionage” incident. Investigators have not revealed how many MPs were impacted, only saying it was more than one, and are receiving international help with the investigation. Norway’s Parliament disclosed a similar email breach in September, which was eventually tied back to APT28, a group with ties to Russia’s GRU.

(ZDNet)
Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.