
Symantec Security Summary – March 2021

SolarWinds, Accellion breach and schools

Biden administration vs. nation-state cyber attacks. It seems pretty clear that the Biden Administration is making cyber security a top priority after a pair of high-profile nation-state attacks reverberated across industries and government during the administration’s first months in office.

In December, Russian hackers compromised the SolarWinds Orion infrastructure monitoring and management platform, using the company’s build system to push malicious updates to approximately 18,000 of its corporate and government customers. Later, it became clear that China had also targeted SolarWinds customers in what was billed as an entirely separate operation.

If that wasn’t enough to sound alarm bells, U.S. officials issued an emergency warning this month after Microsoft reported that its Exchange mail and calendar server software was breached by a hacking group working for the Chinese government. Microsoft detected multiple zero-day exploits used to access on-premises Exchange servers and email accounts while paving the way for the installation of additional malware.

The Microsoft Threat Intelligence Center (MSTIC) singled out HAFNIUM, a group assessed to be state-sponsored and operating out of China, for the attacks. The group primarily targets U.S. entities across a range of industry sectors, from higher education to defense contractors and infectious disease researchers. Reports were that the breach affected at least 30,000 public and private entities in the United States alone, although U.S. officials said there were no indications that federal agencies or major defense contractors were caught in the crosshairs.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive requiring all government networks to upgrade to the latest Exchange software update to fend off the hackers. In a blog post updated on March 3, the software giant said it continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Servers. According to Krebs on Security reports, two unnamed cyber security experts who briefed U.S. national security advisors have credited the attack with seizing control over “hundreds of thousands” of Microsoft Exchange servers worldwide—each system representing one organization reliant on Microsoft Exchange for email.

A New York Times story said that the Biden administration was already preparing a response to the SolarWinds attack via a series of sanctions along with clandestine actions across Russian networks that will be apparent to President Vladimir Putin and his intelligence and military apparatus, but not the world at large. On the heels of the Chinese Microsoft Exchange attack, a “whole of government response” has been elevated and tasked to Anne Neuberger, appointed by the Biden administration to the new post of Deputy National Security Adviser for Cyber and Emerging Technologies.

* * *

Hunting bug bounties. An independent security researcher scored a $50,000 bug bounty for his discovery of a vulnerability that could let anyone take over any Microsoft account without the user’s knowledge or consent. Laxman Muthiyah uncovered a flaw in Microsoft’s account recovery process that enabled him to brute-force the seven-digit security code sent to a user’s email address or mobile phone to confirm identity before a password reset that would recover access to the account. Although Microsoft imposes rate limits, encryption, and other checks to prevent such brute-force attacks, Muthiyah was able to “automate the entire process from encrypting the code to sending multiple concurrent requests.”

Muthiyah reported the flaw to Microsoft and a patch was issued last November. He received his bounty award on Feb. 9 via the HackerOne bug bounty platform.
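The bypass described above depends on a per-code attempt limit that concurrent requests can slip past. The following added example (not Muthiyah’s research code or Microsoft’s implementation) contrasts a check-then-increment limiter, whose check and update are separate steps, with one that performs both under a lock; the attempt budget, the delay and the sample code value are assumptions for the illustration.

```python
import hmac
import threading
import time

MAX_ATTEMPTS = 5          # assumed per-code budget; the real limits are not stated in the post
CODE_LENGTH = 7           # seven-digit recovery code, as described in the post

class RacyCodeVerifier:
    """Check-then-increment limiter: concurrent guesses can all pass the check before any is counted."""
    def __init__(self, code: str):
        self.code = code
        self.attempts = 0

    def verify(self, guess: str) -> bool:
        if self.attempts >= MAX_ATTEMPTS:
            return False
        time.sleep(0.01)   # stands in for a backend round-trip between the check and the update
        self.attempts += 1
        return hmac.compare_digest(self.code, guess)

class AtomicCodeVerifier:
    """Check and increment under one lock, so at most MAX_ATTEMPTS guesses are ever compared."""
    def __init__(self, code: str):
        self.code = code
        self.attempts = 0
        self._lock = threading.Lock()

    def verify(self, guess: str) -> bool:
        with self._lock:
            if self.attempts >= MAX_ATTEMPTS:
                return False       # budget spent: a fresh code must be issued
            self.attempts += 1
        time.sleep(0.01)           # the slow part can stay outside the lock
        return hmac.compare_digest(self.code, guess)

def flood(verifier, n: int) -> int:
    """Release n concurrent wrong guesses together and return how many were actually compared."""
    gate = threading.Barrier(n)
    def attempt(guess):
        gate.wait()
        verifier.verify(guess)
    threads = [threading.Thread(target=attempt, args=(f"{i:0{CODE_LENGTH}d}",)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return verifier.attempts
```

Running `flood` against both verifiers shows the racy one comparing far more than five guesses while the locked one stops at exactly five.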

* * *

The number of companies impacted by the Accellion breach continues to grow. Accellion, an IT company that provides file transfer services to more than 3,000 clients, confirmed that UNC3546, a criminal attacker, had exploited multiple vulnerabilities in its software to install malware. When the breach was first discovered in December, multiple outlets linked the attack to a ransomware gang known as Clop along with another hacking group called FIN11.

Initially, a large grocery store chain reported that personal data from some of its pharmacy services customers might have been stolen, including Social Security numbers and some medical history. After that report, other companies confirmed similar attacks, including the prominent law firm Jones Day, a university, and a bank in New Zealand, among others.


Now the second-largest savings bank in the United States says it has been affected and has started notifying customers. Social Security numbers and home addresses of employees were allegedly posted on the Clop ransomware gang’s leaks site with the intention of extorting the bank to pay up.

Additionally, another cyber security business has been swept up in the latest wave of attacks, with its files reportedly being leaked to the Clop ransomware site. Data published on the leaks site includes invoices, purchase orders, tax documents, and scan reports. It’s not yet known whether Clop sent ransom notes to the company before leaking the data, but other victims have received them in the past.

* * *

School house hacks. It’s not just businesses that are experiencing a rise in cyber crime—a new analysis of the state of cyber security in K-12 schools in the United States found that a record-breaking number of incidents occurred last year.

New research released at the K-12 Cyber Security Leadership Symposium recorded 408 publicly disclosed school incidents this past year, including student and staff data breaches, ransomware outbreaks, phishing, and social engineering. The report found that “school district responses to the COVID-19 pandemic also revealed significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.” The surge in school cyber incidents was blamed for school closures, millions of stolen taxpayer dollars, and student data breaches connected to identity theft and fraud.


About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.
