Hackers Increasingly Infiltrate Software While It's Still in Development—Before Guard Is Up

Imagine a lauded restaurant that attracts government officials and corporate elite. One day, someone sneaks into the kitchen and puts cyanide into a pot of stock used in its signature dish. The sitting U.S. president happens to be a guest that evening and consumes it. Now, the president is dead.

“That’s kind of what’s happened here, where SolarWinds are the cooks in the kitchen, and somebody has snuck in and put some malicious code into their software as they’re building it. And nobody noticed,” said Dan Draper, technologist and founder of Australia-based cybersecurity and governance platform CipherStash.

Register Now

Already have an account? Sign In Now

*May exclude premium content

Unattributed cyberespionage campaigns, and notes on the C2C underground market.

Ukraine at D+666: Kyivstar attack may represent a new cyber phase of the hybrid war. (CyberWire) Unattributed cyberespionage campaigns afflict both sides. The Kyivstar cyberattack is now regarded as the most effective Russian cyber operation since its attack against Viasat ground stations in the opening hours of the invasion.

The case of al-Shifa: Investigating the assault on Gaza’s largest hospital (Washington Post) Weeks before Israel sent troops into al-Shifa Hospital, its spokesman began building a public case.

Hamas leader says hostage deal is ‘all or nothing’ (The Telegraph) Yahya Sinwar has reportedly insisted on a lasting ceasefire and the release of all Palestinian prisoners, including high-profile figures

Israel Mostly Excluded From Talks as America Signals Support for UN Resolution Seeking Increase in Gaza Humanitarian Aid (The New York Sun) The scheme being considered has been tried before — under the now-infamous name of oil-for-food.

Israel’s Muddled Strategy in Gaza (Foreign Affairs) Time to make hard choices.

Opposition to Israel’s war for survival fails to understand Hamas’s goals (Atlantic Council) Calls for an immediate and permanent ceasefire, beyond humanitarian pauses, are implicitly advocating for a Hamas victory.

In Dealing With the Israeli-Palestinian Conflict, America Has No Easy Way Out (Foreign Affairs) Biden must take risks, talk straight, and act boldly.

Distortion by design (Atlantic Council) Almost as soon as the Israel-Hamas war began, it collided with the engineering and policy decisions of social media companies. On Telegram, terrorist content spread mostly uncontested; on X, false claims proliferated. Accusations of anti-Palestinian bias at Meta and pro-Palestinian bias at TikTok added to the confusion. Can the platforms thread this needle?

Opinion How the battle for democracy will be fought — and won (Washington Post) In September last year, three days after widespread protests broke out across Iran over the death of a young woman detained for not fully covering her hair with a hijab, the authorities blocked the internet.

Kyiv Targeted By Mass Russian Drone Attack (RadioFreeEurope/RadioLiberty) The Ukrainian capital, Kyiv, was targeted by more than two dozen drones launched by Russia early on December 22, injuring two people.

Analysts say Ukraine's forces are pivoting to defense after Russia held off their counteroffensive (AP News) A British military analysis says Ukraine’s armed forces are taking up a more defensive posture, after their summer counteroffensive failed to achieve a major breakthrough against Russia’s army and as winter weather sets in after almost 22 months of war.

Ukrainian spies vow to stab Russia ‘with a needle in the heart’ (POLITICO) Chief of SBU intelligence service warns Putin to expect ‘surprises’ in 2024.

Ukraine in Europe: One Hard-Earned Step Closer (Wilson Center) On December 14, 2023, the European Council adopted an historic decision to open membership negotiations with Ukraine and Moldova, and to grant candidate status to Georgia.

Orban acknowledges EU can provide aid to Ukraine without Hungary’s (EMEA Tribune) Hungarian Prime Minister Viktor Orban has acknowledged that European Union member states have the autonomy to provide assistance to Ukraine independently, bypassing the need for consensus within the

Orban Says He Accepted Zelenskiy's Invitation To Discuss Ukraine's EU Membership Hopes (RadioFreeEurope/RadioLiberty) Hungarian Prime Minister Viktor Orban says he has accepted an invitation from Ukrainian President Volodymyr Zelenskiy to hold a bilateral meeting, which would be the first between the two leaders since Russia launched its full-scale invasion of Ukraine.

Putin scents historic victory amid growing signs of Western weakness (Atlantic Council) Recent indications of growing Russian confidence in victory over Ukraine owe much more to Western weakness than to the Kremlin’s own military might, writes Peter Dickinson.

Europe Must Ramp Up Its Support for Ukraine (Foreign Affairs) Abandoning Kyiv would embolden Russia—and lead only to more war.

Ukraine Should Take a Page out of Finland’s Fight With Stalin (Real Clear Defense) Helsinki had to sacrifice territory for autonomy, but its pride and prosperity soared.

A majority of Congressmen want more military aid for Ukraine (The Economist) They are being prevented from voting for it in the name of phoney populism

Threat Actor 'UAC-0099' Continues to Target Ukraine (Deep Instinct) Deep Instinct’s Threat Research team explores recent activities by threat actor "UAC-0099," including recent attacks on Ukrainian targets. It also examines common tactics, techniques, and procedures (TTPs), including the use of fabricated court summons to bait targets in Ukraine into executing malicious files.

Ukrainian remote workers targeted in new espionage campaign (Record) A group tracked as UAC-0099 exploited a high-severity vulnerability in WinRAR software to target Ukrainians outside the country, researchers at Deep Instinct said.

Cyber-espionage group Cloud Atlas targets Russian companies with war-related phishing attacks (Record) The hacker group known as Cloud Atlas targeted a Russian agro-industrial enterprise and a state-owned research company in a new espionage campaign, researchers have found.

Fog of cyber war: spies from Cloud Atlas attack Russian companies under the guise of supporting SVO participants (FACCT) FACCT experts analyzed new attacks by the Cloud Atlas spy group

Kyivstar Restores Full Services After Massive Hacker Attack (KyivPost) Ukraine’s largest mobile telephone operator is running again after a huge cyber-attack. Kyivstar will also cancel the plan fee for its users and allocate millions of dollars for the AFU.

Ukrainian telecoms hack highlights cyber dangers of Russia's invasion (Atlantic Council) An unprecedented December 12 cyber attack on Ukraine's largest telecoms operator Kyivstar left tens of millions of Ukrainians without mobile services and underlined the cyber warfare potential of Russia's ongoing invasion, writes Mercedes Sapuppo.

U.S. and Europe Eye Russian Assets to Aid Ukraine as Funding Dries Up (New York Times) Despite legal reservations, policymakers are weighing the consequences of using $300 billion in Russian assets to help Kyiv’s war effort.

The pitfalls of seizing Russian assets to fund Ukraine (Financial Times) Moscow must be made to pay, but without risking harm to global financial stability

Russia Adds Two Of Navalny's Self-Exiled Associates To Its Wanted List (RadioFreeEurope/RadioLiberty) The Russian Interior Ministry on December 21 added two self-exiled associates of imprisoned opposition politician Aleksei Navalny to its wanted list on unspecified charges.

Russia Launches Probe Against Self-Exiled Opposition Politician Leonid Gozman (RadioFreeEurope/RadioLiberty) Sources in Russian law enforcement on December 22 said a probe had been launched against self-exiled opposition politician Leonid Gozman on charge of spreading "fake" information about Russia's armed forces involved in Moscow’s ongoing invasion of Ukraine.

Kazakhstan To Extradite U.S.-Wanted Russian Cybersecurity Expert To Moscow (RadioFreeEurope/RadioLiberty) Russia's Prosecutor-General's Office said on December 21 that the Kazakh authorities would extradite Russian cybersecurity expert Nikita Kislitsin to Moscow, although he is also wanted in the United States for allegedly buying illegally obtained personal data.

Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector (The Hacker News) Iranian threat actor targets Defense Industrial Base sector with a new backdoor called FalseFont.

‘Today FBI Got Him, Tomorrow They Will Get Me’: LockBit, BlackCat Unite to Form Cyber Cartel (The Cyber Express) In the aftermath of a successful takedown of Alphv ransomware infrastructure, an unexpected alliance has emerged. LockBit and BlackCat/APLHV, two

Bandook - A Persistent Threat That Keeps Evolving (Fortinet Blog) FortiGuard Labs has uncovered a fresh threat - the latest generation of Bandook is being distributed via a Spanish PDF file. Learn more.…

BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates (Proofpoint) Overview  Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybe...

8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack (Hackread) The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when they targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware.

BidenCash darkweb market gives 1.9 million credit cards for free (BleepingComputer) The BidenCash stolen credit card marketplace is giving away 1.9 million credit cards for free via its store to promote itself among cybercriminals.

Android malware Chameleon disables Fingerprint Unlock to steal PINs (BleepingComputer) The Chameleon Android banking trojan has re-emerged with a new version that uses a tricky technique to take over devices — disable fingerprint and face unlock to steal device PINs.

Instagram users targeted in elaborate backup code phishing scheme (9to5Mac) A new strain of Instagram phishing emails has been detected, in which attackers attempt to trick victims into forking over...

An iPhone Thief Explains How He Steals Your Passcode and Bank Account (Wall Street Journal) Thieves are stealing iPhones, passcodes and thousands of dollars from their victims’ bank accounts. WSJ’s Joanna Stern sat down with a convicted thief in a high-security prison to find how—and how you can protect yourself. Photo illustration: The Wall Street Journal

Patient data stolen in ransomware attack affecting millions of healthcare victims (TechRadar) Supply chain attack resulted in the theft of sensitive patient data

Kansas City-area hospital transfers patients, reschedules appointments after cyberattack (Register) "We expect this process to take time," Missouri's Liberty Hospital said earlier this week as it began responding to a disruption to its systems.

Data stolen in cyber attack on St Vincent's Health network (ABC) St Vincent's Health says there is evidence that "some data" has been removed from its system, but it is still working to determine what information had been stolen.

Title insurance giant First American offline after cyberattack (BleepingComputer) First American Financial Corporation, the second-largest title insurance company in the United States, took some of its systems offline today to contain the impact of a cyberattack.

First American is the latest cybersecurity attack victim (HousingWire) First American suffers cybersecurity attack less than a month after the firm agreed to pay New York $1 million in cybersecurity settlement.

Breach exposed data of more than 1,400 detainees and 400 staff members, Wyatt detention facility says (Boston Globe) The Wyatt detention facility in Central Falls said it discovered a data breach on Nov. 2, and that personal data has been posted on the dark web, including financial and medical information.

What Hacked Files Tell Us About The Studio Behind Spider-Man 2 (Kotaku) Internal documents show how a big PlayStation studio plans its future

CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-49897 FXC AE1021, AE1021PE OS Command Injection Vulnerability CVE-2023-47565 QNAP VioStor NVR OS Command Injection Vulnerability

OpenAI rolls out imperfect fix for ChatGPT data leak flaw (BleepingComputer) OpenAI has mitigated a data exfiltration bug in ChatGPT that could potentially leak conversation details to an external URL.

Google Rushes to Patch Eighth Chrome Zero-Day This Year (SecurityWeek) Google warns of in-the-wild exploitation of CVE-2023-7024, a new Chrome vulnerability, the eighth documented this year.

ESET Patches High-Severity Vulnerability in Secure Traffic Scanning Feature (SecurityWeek) ESET has patched CVE-2023-5594, a high-severity vulnerability that can cause a browser to trust websites that should not be trusted.

ESET fixed a high-severity bug in the Secure Traffic Scanning Feature of several products (Security Affairs) ESET fixes flaw in Secure Traffic Scanning Feature that could have been exploited to cause web browsers to trust untrustworthy sites

Microsoft deprecates Defender Application Guard for some Edge users (BleepingComputer) Microsoft is deprecating Defender Application Guard (including the Windows Isolated App Launcher APIs) for Edge for Business users.

CISA Releases Microsoft 365 Secure Configuration Baselines and SCuBAGear Tool (Cybersecurity and Infrastructure Security Agency | CISA) CISA has published the finalized Microsoft 365 Secure Configuration Baselines, designed to bolster the security and resilience of organizations’ Microsoft 365 (M365) cloud services. This guidance release is accompanied by the updated SCuBAGear tool that assesses organizations’ M365 cloud services per CISA’s recommended baselines.

CISA Releases Two Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency | CISA) CISA released two Industrial Control Systems (ICS) advisories on December 21, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

NCC Group Monthly Threat Pulse - November 2023 (NCC Group) Ransomware attacks in November rise 67% from 2022

Cyber Threat Intelligence Report - November 2023 (NCC Group) Welcome to NCC Group’s monthly Cyber Threat Intelligence Report, bringing you exclusive insight into the latest Threat Intelligence, updates on recent and emerging advances in the threat landscape and a deep understanding of the latest Tactics, Techniques and Procedures (TTPs) of threat actors.

Twitter’s Demise Is About So Much More Than Elon Musk (The Atlantic) TikTok is eating microblogging as we’ve always known it.

America’s Spam-Call Scourge (The Atlantic) How robocalls disturbed a nation

Cisco to Acquire Isovalent, Add eBPF Tech to Cloud Portfolio (SecurityWeek) Isovalent raised about 70 million in funding from prominent investors including Microsoft’s venture fund, Google, and Andreessen Horowitz.

Cisco to acquire cloud-native networking and security startup Isovalent (TechCrunch) Cisco is acquiring cloud native networking and security startup Isovalent, giving it a key set of cloud native technologies.

Is Microsoft The Answer To Cybersecurity Risks Or The Problem? (Investor's Business Daily) Its cybersecurity business is booming. So what about those hacks that gave it a black eye?

DeNexus expands re/insurance and Insurance-Linked Securities expertise with new senior hire (PR Newswire) DeNexus Inc, a provider of second-generation cyber risk quantification and management services to industrial enterprises and critical...

GCA Announces Three New Appointments for its Board of Directors (Global Cyber Alliance) The Global Cyber Alliance (GCA), an international nonprofit that builds communities to deploy tools, services, and programs that provide cybersecurity at global scale, announced the appointment of three new Board Members: Michael Lashlee, Executive Vice President, Deputy Chief Security Officer at Mastercard, who has been a long term strategic advisor to GCA with Mastercard being a valued Premium Partner and sponsor of our Cybersecurity Toolkit for Small Business; Kiersten Todt, former Chief of Staff of the Cybersecurity and Infrastructure Security Agency (CISA), and Greg Kapfer, formerly Board Member of the Public Interest Registry (PIR).

Socure Eliminates More Than 200K Synthetic Identities in 2023 (PR Newswire) Socure, the leading provider of artificial intelligence for digital identity verification, sanction screening, and fraud prevention, today...

NetSPI Celebrates Momentous Year for its Partner Program, Achieves 30% Growth in 2023 (PR Newswire) NetSPI, the global leader in proactive security, today celebrates the achievements of its Partner Program in 2023, which experienced...

QuSecure™ Launches QuProtect™ Post-Quantum Cryptography Cybersecurity Software in AWS Marketplace (Yahoo Finance) QuSecure™, Inc., a leader in post-quantum cryptography (PQC), today announced the availability of its cutting-edge cybersecurity software QuProtect™ in AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that makes it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS). This strategic move marks a significant milestone not only for QuSecure but also for the PQC market...

DOD Issues Civilian Harm Mitigation, Response Instruction (U.S. Department of Defense) Defense Department officials have completed work on a DOD instruction that incorporates the direction of the department's civilian harm mitigation and response action plan.

DOD INSTRUCTION 3000.17: CIVILIAN HARM MITIGATION AND RESPONSE (U.S. Department of Defense) Consistent with Section 936 of Public Law 115-232, also known and referred to in this issuance as the “John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019”, as amended and codified as a note in Section 134 of Title 10, United States Code (U.S.C.), this issuance: • Establishes policy, assigns responsibilities, and provides procedures for civilian harm mitigation and response (CHMR). • Helps implement U.S. Government (USG) policy prescribed in Executive Order 13732. • Helps implement the August 25, 2022 DoD Civilian Harm Mitigation and Response Action Plan (CHMR-AP). • Will be implemented through the phased approach established by the CHMR-AP.

As British Library faces fallout of cyber attack—what can arts bodies do to combat ransomware threats? (The Art Newspaper) A hack that has limited the British Library’s access to its digital systems is the latest in a series of online raids on cultural institutions

How to Build Trust in Artificial Intelligence (The Information) Last month, OpenAI fired and then rehired CEO Sam Altman. When the dust settled, Open AI emerged looking even more like a for-profit corporation than a nonprofit, with a board that is indistinguishable from those of other tech startups—right down to the lack of diversity. This is a clear ...

The Premature Quest for International AI Cooperation (Foreign Affairs) AI regulation must start with national governments.

Can AI be creative? Global copyright laws need an answer. (Atlantic Council) Advances in generative artificial intelligence have revealed serious shortcomings in global copyright laws.

New rules in UK could reimburse fraud victims up to £415,000 ($525,000) (Record) Expected in October 2024, the new rules represent a radical change to who is liable for losses incurred in fraud such as romance and investment scams.

Cyber Security Association of India Emphasizes Importance of Cyber Security in Power Sector (India Technology News) Cyber Security Association of India (www.ncsai.in) under the chairmanship of Lt Gen (Dr.) Rajesh Pant, Former National Cyber Security Coordinator organised Power Sector

Congress wants spy agencies to hire more experts in financial intelligence, emerging technology (Federal News Network) Congress wants spy agencies to hire more experts in financial intelligence, emerging technology

Turkey’s ‘disinformation law’ weaponized to target journalists: int’l NGOs (Turkish Minute) A new report released jointly by several international NGOs details the worsening press freedom environment in Turkey, accusing the government of instrumentalizing the recently passed “disinformation law” to harass and silence journalists, the Stockholm Center for Freedom reported, citing the Evrensel newspaper.

Teen Who Leaked ‘Grand Theft Auto VI’ as Part of Lapsus$ Gang Put in Secure Hospital by UK Judge (Bloomberg) Arion Kurtaj placed in hospital to protect public from harm. Two teens sentenced for hacking, blackmailing tech firms.

Teenage Lapsus$ hacker sentenced to indefinite hospital confinement (Computing) An 18-year-old hacker associated with the cybercrime group Lapsus$ has been sentenced to an indefinite stay in a secure hospital after being involved in high-profile data breaches and extortion attempts.

U.S. appeals court finalizes mandate for forfeiture of Silk Road bitcoin (The Block) A U.S. appeals court finalized a mandate on Wednesday that formalizes the forfeiture of 69,370 bitcoin connected to the Silk Road.

Darknet site “Kingdom Market” has fallen (Cybernews) Law enforcement has taken down the illegal marketplace known as “Kingdom Market,” which specialized in drug trade and malware.

Infected SolarWinds Updates Used To Compromise Multiple Organizations: FireEye

Nation-state hackers gained access to government, consulting, technology and telecom firms around the world through trojanized updates to SolarWinds’ Orion network monitoring tool, according to FireEye .

A highly sophisticated attack on SolarWinds’ Orion network monitoring product has allowed nation-state hackers to compromise the networks of public and private organizations, FireEye said.

FireEye has identified multiple organizations where it sees indications of compromise dating back to spring 2020, and is in the process of notifying those organizations, CEO Kevin Mandia wrote in a blog post Sunday.

FireEye said Tuesday that it was also breached in a nation-state attack designed to gain information on some of its government clients but did not say whether it was one of the organizations to have its network compromised by the SolarWinds Orion attack.

SolarWinds confirmed in a security advisory issued late Sunday that it experienced a manual supply chain attack on versions of Orion released between March and June of this year.

“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” Mandia said. “Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.”

[Related: US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach]

The victims have included government, consulting, technology, telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote in a blog posted Sunday. The researchers said they anticipate there are additional victims in other countries and verticals.

SolarWinds said customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure their environment is safe. An additional hotfix release that both replaces the compromised component and provides several additional security enhancements is expected to be made available Tuesday.

The company’s managed services tools appear to be uncompromised, as the company said it isn’t aware of any impact to its RMM, N-Central and SolarWinds MSP products.

“Security and trust in our software is the foundation of our commitment to our customers,” SolarWinds said in a security advisory issued late Sunday. “We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security process, procedures and standards designed to protect our customers.”

Attacks conducted as part of this campaign share several common elements, according to Mandia. First, Mandia said the attacks insert malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment.

In addition, Mandia said the hackers went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection. Finally, Mandia said the adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools.

FireEye has already updated its products to detect the known altered SolarWinds binaries, Mandia said. The company is also scanning for any traces of activity by this actor and reaching out to both customers and non-customers if potential indicators are spotted, according to Mandia.

Hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion software, the threat researchers wrote in their blog post. Post compromise activity following the compromise has included lateral movement and data theft, according to the threat researchers.

“This campaign may have begun as early as Spring 2020 and is currently ongoing,” FireEye’s threat researchers said. “The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”

The malware masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.

The hackers use a variety of techniques to disguise their operations while they move laterally, according to threat researchers. They prefer to maintain a light malware footprint, instead opting for legitimate credentials and remote access to get into a victim’s environment, the threat researchers said.

Hostnames were set by the hackers on their command and control infrastructure to match a legitimate hostname found within the victim’s environment, allowing the adversary to blend into the environment, avoid suspicion, and evade detection, FireEye said. The attacker’s choice of IP addresses was also optimized to evade detection, using only IP addresses originating from the same country as the victim.

Once the attacker gained access to the network with compromised credentials, they moved laterally using credentials that were always different from those used for remote access, the threat researchers said. And once legitimate remote access was achieved, FireEye found that the hackers routinely removed their tools, including removing backdoors.

“Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice,” Mandia wrote in his blog post. “We believe it is critical to notify all our customers and the security community about this threat so organizations can take appropriate steps.”