Security Wrap-Up (February 23rd, 2021)

Hello! Sorry about the lack of a security wrap-up last week; it was a bit of a doozy. But I’m back this week with some interesting articles that might just send you down a rabbit hole (especially the last one):

FireEye links zero-day attacks on FTA servers and extortion campaign to FIN11 group
Yesterday, FireEye stated that the zero-day attacks on Accellion FTA servers were carried out by a cybercrime group known as FIN11. During the attacks, the hackers exploited four security flaws to compromise FTA servers and install a web shell named DEWMODE, which they then used to download files stored on the victims’ FTA appliances. “Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” Accellion said in a press release. “Within this group, fewer than 25 appear to have suffered significant data theft.” FireEye now says that some of these 25 customers have since received ransom demands following the attacks on their FTA file-sharing servers. The attackers reached out via email and demanded Bitcoin payments, threatening to publish the victims’ data on a “leak site” operated by the Clop ransomware gang.

SolarWinds attackers previously downloaded Microsoft Azure and Exchange code
According to Microsoft, attackers downloaded some Microsoft Exchange and Azure code repositories during the SolarWinds supply-chain attack but did not use the company’s internal systems or products to attack other victims. Microsoft came out as one of the victims of the massive SolarWinds breach in December, acknowledging that malicious SolarWinds binaries had been detected in its environment and opening an investigation. Ultimately, the attackers were able to access and download source code from a “small number of repositories” but were unable to access privileged credentials or attack corporate domains.

30,000 Macs infected with new Silver Sparrow malware
Named Silver Sparrow, the malware was discovered by security researchers from Red Canary and analyzed together with researchers from Malwarebytes and VMware Carbon Black. Once Silver Sparrow infects a system, it simply waits for new commands from its operators, commands that never arrived during the time the researchers analyzed it. Although it managed to infect nearly 30,000 systems, details about how the malware was distributed are still scarce, and researchers are still unsure what its final goal is. But this shouldn’t be interpreted as a failed malware strain. It is possible that the malware can detect researchers analyzing its behavior and is withholding its second-stage payloads from those systems. Additionally, the malware can infect macOS systems running on Apple’s M1 chip architecture, confirming that this is a novel and well-maintained threat.

APT31 cloned and used NSA hacking tool
APT31, an attack group affiliated with China, copied and used a National Security Agency (NSA) hacking tool years before Microsoft patched the underlying vulnerability, according to Check Point Research. The researchers have evidence that APT31 was able to access and clone a Windows hacking tool linked to the Equation Group, an operation discovered by Kaspersky in 2015. Both the American-affiliated and Chinese-affiliated versions of the tool exploit CVE-2017-0005, a Windows privilege escalation vulnerability that was unknown at the time and had previously been attributed to APT31. The APT group used its own version of the tool from at least 2015 until Microsoft patched the vulnerability in 2017. Researchers are now reporting that the APT tool, called “Jian,” was actually a reconstructed version of the Equation Group tool, called “EpMe.”

Got any other good security updates from the past couple of weeks? Leave them below!