New evidence suggests #SolarWinds hackers likely compromised the software build infrastructure of the Orion platform & added malicious code, which was then delivered within new updates that the company compiled, signed, and shipped.
SolarWinds attackers mimic the software developers' coding style and naming standards to blend in their malicious code with the rest of the code.
Although the first version containing the backdoor was traced to 2019.4.5200.9083, a new report says version 2019.4.5200.8890, from October 2019, included an empty .NET class that the attackers added to verify that their modifications to the codebase were being delivered in new updates.
While it's not immediately clear how the attackers got access to the code base, Vinoth Kumar's disclosure about SolarWinds' update server being accessible with the password "solarwinds123" assumes new significance given the overlap in timelines.
In a separate development, a security researcher decoded the DGA domain names and disclosed at least 4000 domains suspected to have been targeted in the #SolarWinds hack—including #Intel, #NVIDIA, Kent State University, and Iowa State University.
Malicious code may have gone unnoticed on targeted systems because #SolarWinds' own support advisory tells customers to exempt its software's directories from #antivirus scans so the product works properly.
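A vendor exclusion like the one described above is exactly the kind of setting a defender should be able to enumerate on demand. The following PowerShell script is an added example, not code from any of the posts above or from SolarWinds; it assumes Microsoft Defender Antivirus with its `Get-MpPreference` cmdlet available and an elevated session, and the classification rules (which paths count as "broad") are my own assumptions rather than a vendor standard.

```powershell
# Added example (not from the original posts): audit Microsoft Defender exclusions so that
# vendor-recommended exemptions are inventoried and reviewed instead of silently blinding
# the scanner to whatever lands in those directories.
# Assumes Microsoft Defender Antivirus and the Defender PowerShell module (Get-MpPreference),
# run from an elevated session.

$pref = Get-MpPreference
$findings = @()

# Path exclusions: the scanner skips every file under these locations.
foreach ($path in $pref.ExclusionPath) {
    # Classification rules below are this example's own heuristics, not a vendor standard.
    if ($path -match '^[A-Za-z]:\\?$') {
        $note = 'entire drive excluded'
    }
    elseif ($path -match '^[A-Za-z]:\\(Program Files|Program Files \(x86\)|Windows)\\?$') {
        $note = 'top-level system directory excluded'
    }
    elseif ($path -match '\\Temp\\?' -or $path -match '\\Users\\[^\\]+\\?$') {
        $note = 'user-writable location excluded'
    }
    elseif ($path -match '\*') {
        $note = 'wildcard exclusion: verify it matches only the intended directories'
    }
    else {
        $note = 'application directory: confirm the vendor still requires it'
    }
    $findings += [pscustomobject]@{ Type = 'Path'; Value = $path; Note = $note }
}

# Process exclusions: files opened by these processes are not scanned, wherever they live.
foreach ($proc in $pref.ExclusionProcess) {
    $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Note = 'files opened by this process are not scanned' }
}

# Extension exclusions: every file with this extension is skipped on every volume.
foreach ($ext in $pref.ExclusionExtension) {
    $findings += [pscustomobject]@{ Type = 'Extension'; Value = $ext; Note = 'all files with this extension are skipped' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender exclusions configured on this host.'
} else {
    $findings | Sort-Object Type, Value | Format-Table -AutoSize
}
```

Run it periodically (or collect the output centrally) so that an exclusion added for a product advisory is matched against a documented justification; an excluded application directory is still worth covering with other telemetry, such as file-integrity monitoring or EDR process events, since the scanner itself will not look there.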
Hackers exploit #Solorigate supply-chain backdoor in #SolarWinds enterprise monitoring software to breach US Treasury, Commerce Department, other government agencies, and cybersecurity firm #FireEye.
Citing unnamed sources, media said the latest cyberattacks against #FireEye and U.S. government agencies were the work of Russian state-sponsored #APT29 or Cozy Bear #hacking group.
According to FireEye, attackers tampered with a #software update released by #SolarWinds, which eventually led to the compromise of numerous public and private organizations around the world with #SUNBURST backdoor.
Many popular #cryptocurrency-related verified Twitter accounts got simultaneously compromised and tweeted an identical "Crypto For Health" #SCAM message.
Hacked people and organizations include Gemini, #Binance, Binance's CEO, #Coinbase, CoinDesk, and KuCoin.
Elon Musk's account has also been compromised, tweeting a similar cryptocurrency scam.
A critical 17-year-old 'wormable' RCE #vulnerability affects Windows DNS Servers (2013 to 2019 editions) and could let unauthenticated hackers gain 'Domain Admin' privileges on the targeted servers.
Researchers confirm the new #Windows vulnerability, dubbed 'SigRed,' is a wormable bug, allowing attackers to launch #malware attacks that can spread from one vulnerable computer to another without any human interaction.
If exploited, #SigRed Windows Server #vulnerability enables hackers to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials, and eventually compromise an organization's entire IT infrastructure.
A new unpatched #vulnerability — dubbed Strandhogg — in Android could let malicious apps take extensive control over your device & steal your login credentials.
#Strandhogg task hijacking vulnerability can be exploited to display a fake user interface (UI) while tricking users into thinking they are using a legitimate app, making it easy for the malware to steal their credentials using spoofed login interfaces.
A malicious app can also escalate its capabilities significantly by tricking users into granting sensitive device permissions while posing as a legitimate app.
All the attacker needs to do is… interrupt the network connectivity of a targeted client system and Tadaaaa...! the lock screen will disappear.
Starting with Windows 10 1803 and #Windows Server 2019, this flaw exists when login over #RDP requires the clients to authenticate with Network Level Authentication, an option that #Microsoft recently recommended as a workaround against the critical #BlueKeep RDP vulnerability.
Moreover...
"Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed." @wdormann confirmed.
EXCLUSIVE — A hacker who previously claimed to have hacked massive databases [millions of records] from multiple websites and then put them online for sale in 3 rounds has now come back with a new set of databases breached from 6 other websites.
(story coming shortly, stay tuned)
[ROUND 4] List of breached sites:
1) Youthmanual — Indonesian college and career platform
2) GameSalad — Online learning platform
3) Bukalapak — Online Shopping Site
4) Lifebear — Japanese Online Notebook
5) EstanteVirtual — Online Bookstore
6) Coubic — Appointment Scheduling
[Story] Round 4 — Hacker Puts 26 Million New Accounts Up For Sale On the Dark Web
If you have an account with any of the above-listed sites, you should change your password immediately, and also on any other services where you re-use the same password.