SolarWinds backdoor gang pwned Microsoft support agent to turn sights on customers

In Brief The spies who backdoored SolarWinds’ Orion software infiltrated Microsoft’s support desk systems last month and obtained information to use in cyber-attacks on some of the Windows giant’s customers, it was reported.

Redmond said it traced this latest intrusion to a member of a team it calls Nobelium, the suspected Kremlin-run crew that used tainted Orion updates to snoop on organizations around the world. Russia insists it had nothing to do with the supply-chain attack on SolarWinds.

Microsoft customers targeted by the support desk intruder have been alerted. The caper was detected during what sounds like an investigation into a wider phishing campaign that, as it turned out, hooked a Microsoft support agent, who had access to customers’ contact information, lists of their cloud subscriptions, and other records.

“A sophisticated nation-state associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the IT giant told those clients, Reuters reported first on Friday.

“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign.”

Mercedes-Benz USA this week said 1,000 or so customers’ sensitive personal information – such as credit card, driving license, and social security numbers, and dates of birth – were accidentally left out in the open on an insecure cloud storage system that has since been fixed. The data was collected from its website between January 2014 and June 2017.

It seems the exposed database had as many as 1.6 million unique records in it, and the majority of those were slightly less sensitive: names, home and email addresses, phone numbers, and some purchased vehicle info.

Earlier this month, Volkswagen and its subsidiary Audi told 3.3m people their personal info had been obtained by miscreants after a third-party supplier left the data facing the public internet. Again, most of the records were contact information and details of purchased vehicles, and for 90,000 folks, more sensitive info.

AWS buys Wickr

Amazon Web Services announced on Friday it has bought Wickr, the popular encrypted messaging system, for an undisclosed sum.

Wickr started out as a secure smartphone chat app for NGOs, with end-to-end encrypted messages that could be auto-deleted. Then it branched out to the desktop, and enterprise versions appeared for on-prem and cloud servers. It’s also used by the US military and law enforcement, not to mention an Australian Prime Minister.

“The need for this type of secure communications is accelerating,” said AWS chief information security officer Stephen Schmidt. “With the move to hybrid work environments, due in part to the COVID-19 pandemic, enterprises and government agencies have a growing desire to protect their communications across many remote locations.

“Wickr’s secure communications solutions help enterprises and government organizations adapt to this change in their workforces and is a welcome addition to the growing set of collaboration and productivity services that AWS offers customers and partners.”

Wickr is also popular with some journalists, though one wonders if they’ll keep using the software seeing as it’s now owned by a corporation that seems to relish badgering and nitpicking reporters and editors. The accountants at Juniper Networks may be happy: the Silicon Valley biz was a seed funder for Wickr, and one assumes it got a good return on its investment from this acquisition.

Mozilla starts Rally for privacy

In a somewhat quixotic move, Mozilla is asking its users to send their data to third parties in the hope that it’ll one day be better protected.

The scheme, dubbed Rally, will let Firefox users install a plugin that lets them share some of their user data and personal information with academics researching how people use the internet and what data they are actually having to share to do so. Users choose how much info they send and to which project, with teams at Princeton and Stanford are already signed up to participate.

“Quantitative research is essential for understanding tech policy problems and for holding platforms accountable. Here’s the problem: methods and data often aren’t adequate,” said Jonathan Mayer, a professor of computer science at Princeton.

“Platforms could help with these research barriers. But platforms, unsurprisingly, haven’t been very interested in enabling research that examines their own problems and misconduct. Rally doesn’t depend on platform gatekeepers — it’s entirely independent, powered by users.”

Moz also released a tool called WebScience for other academics that want to get involved. Now we may actually get some realistic data, if enough people take part.

Cryptomining malware Crackonosh targets gamers

The perils of piracy were highlighted yet again this week, this time in a report on Crackonosh, a malware outbreak among gamers that netted millions in Monero.

The Windows software nasty, Avast said, was hidden in cracked versions of popular games like Far Cry 5, NBA 2K19 and, somewhat ironically, Grand Theft Auto V. Once installed, the code shut down any security software it could find, and installed a Monero miner called XMRig, which takes advantage of gamers’ rigs.

“Crackonosh has been circulating since at least June 2018 and has yielded over $2,000,000 USD for its authors in Monero from over 222,000 infected systems worldwide,” Avast claimed.

“As long as people continue to download cracked software, attacks like these will continue to be profitable for attackers. The key take-away from this is that you really can’t get something for nothing and when you try to steal software, odds are someone is trying to steal from you.”

Oklahoma! where the data goes blowing on the web

The City of Tulsa, Oklahoma, has admitted that files snatched from its police department computers have been released onto the web by extortionists.

Over 18,000 police citations and internal department files were leaked, it said, and “out of an abundance of caution, anyone who has filed a police report, received a police citation, made a payment with the City, or interacted with the City in any way where PII was shared,” should check their bank accounts.

Tulsa got hit by a major ransomware infection on May 6. Mayor G.T. Bynum refused to pay up, saying: “Know that your tax dollars are not going to go into the hands of criminals,” and vowed the city wouldn’t pay “a nickel.”

Canadian Navy bests the rest in military cyber contest

US Cyber Command’s annual war games were held this week and, despite America fielding the majority of the players, it was its upstairs neighbor who scooped the top prize.

This year’s Cyber Flag 21-2, or “Big Flag,” contest saw a simulated computer attack on a major logistics facility (sound familiar?) by two adversaries. The 430 military and civilian keyboard warriors from the US, Canada, and UK scored points for thwarting these infections, defending against threats, and shoring up unsafe systems.

“Cyber Flag 21-2 tested the best and brightest cyber protection teams. This exercise assessed their tactical cyber skills while collectively improving our cyber resiliency. I’d also like to congratulate the Royal Canadian Navy’s Cyber Protection Team, the winner of this year’s event,” said General Paul Nakasone, US Cyber Command commander, presumably through slightly gritted teeth. ®

READ MORE HERE