••• All important news about new attacks, and the solutions we can offer you •••
SUNBURST backdoor - SolarWinds supply chain attack
FireEye has uncovered a widespread campaign that we are tracking as UNC2452.
The actors behind this campaign gained access to numerous public and private organizations around the world.
They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software.
This campaign may have begun as early as Spring 2020 and is currently ongoing.
Post-compromise activity following this supply chain compromise has included lateral movement and data theft.
The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.
Israel-Based Shirbit Still Refuses to Pay $3.8 Million Ransom
One of the largest insurance companies in Israel has been hit by a ransomware attack, and the threat actors have started to release sensitive data because the firm has not paid the requested ransom in bitcoin (BTC).
According to The Jerusalem Post, the Black Shadow group is behind the ransomware deployed on Shirbit's IT infrastructure on December 1, 2020, and has demanded a ransom of 200 BTC (over $3.8 million as of press time).
Initially, the hackers asked for 50 BTC, but the insurance company refused to comply with the attackers' demands. Afterward, Black Shadow announced through their Telegram channel that the amount would increase as time passed.
On December 3, 2020, the attackers carried out their threat to leak sensitive data and published a batch of files containing employees' and customers' private information. They promised to stop leaking if the ransom is paid. Among its customers, Shirbit has business relations with government entities, including the president of the Tel Aviv District Court.
Apache Unomi CVE-2020-13942: RCE Vulnerabilities Discovered
“Apache Unomi is a Java Open Source customer data platform, a Java server designed to manage customers, leads and visitors' data and help personalize customers' experiences,” according to its website. Unomi can be used to integrate personalization and profile management into very different systems such as CMSs, CRMs, issue trackers, native mobile applications, etc. Unomi was announced as a Top-Level Apache project in 2019 and is designed with high scalability and ease of integration in mind.
Because Unomi holds an abundance of data and features tight integrations with other systems, it is a highly attractive target for attackers. For that reason, the Checkmarx Security Research Team analyzed the platform to uncover potential security issues.
What Checkmarx Found:
Apache Unomi allowed remote attackers to send malicious requests containing MVEL and OGNL expressions that could reference arbitrary classes, resulting in Remote Code Execution (RCE) with the privileges of the Unomi application. MVEL and OGNL expressions are evaluated by different classes inside different internal packages of Unomi, making them two separate vulnerabilities. The severity of these vulnerabilities is heightened because they can be exploited through a public endpoint, which by design must remain public for the application to function correctly, with no authentication and without any prior knowledge on the attacker's part.
Both vulnerabilities, designated as CVE-2020-13942, have a CVSS score of 10.0 (Critical), as they lead to complete compromise of the Unomi service's confidentiality, integrity, and availability, in addition to allowing access to the underlying OS.
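The root cause described above is an expression language that evaluates untrusted input with access to arbitrary classes. The mitigation pattern is to parse a condition into a syntax tree and permit only data comparisons, rejecting attribute access, method calls and subscripts before anything is evaluated. The following is an added illustration in Python of that allowlist approach; it is not Unomi's code and does not use MVEL or OGNL. It assumes a profile is a flat dictionary of property names to values, and the sample profile is constructed for the example.

```python
"""Allowlist-based evaluator for profile-segment conditions.

Illustrates the mitigation for the vulnerability class behind CVE-2020-13942:
a rule engine that parses the condition into an AST and permits only
comparisons, boolean logic, literals and plain property names. Attribute
access, calls, subscripts and underscore-prefixed names, the constructs that
give an expression language a path to arbitrary classes, are rejected before
evaluation. Python is used for illustration; this is not Unomi, MVEL or OGNL.
"""
import ast
import operator

# Grammar allowed in a condition: data comparisons only, no object model.
_BOOL_OPS = {ast.And: all, ast.Or: any}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}


class UnsafeCondition(ValueError):
    """Raised when a condition uses a construct outside the allowlist."""


def _eval(node, profile):
    """Walk the AST, evaluating only allowlisted node types."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, profile)
    if isinstance(node, ast.Constant):
        if node.value is None or isinstance(node.value, (str, int, float, bool)):
            return node.value
        raise UnsafeCondition("literal type not allowed")
    if isinstance(node, ast.Name):
        # Names resolve only to profile properties; reserved names are refused.
        if node.id.startswith("_"):
            raise UnsafeCondition("reserved name: %s" % node.id)
        if node.id not in profile:
            raise UnsafeCondition("unknown profile property: %s" % node.id)
        return profile[node.id]
    if isinstance(node, (ast.List, ast.Tuple)):
        return [_eval(elt, profile) for elt in node.elts]
    if isinstance(node, ast.BoolOp):
        combine = _BOOL_OPS[type(node.op)]
        return combine(_eval(value, profile) for value in node.values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, profile)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, profile)
        for op, comparator in zip(node.ops, node.comparators):
            fn = _CMP_OPS.get(type(op))
            if fn is None:
                raise UnsafeCondition("operator not allowed")
            right = _eval(comparator, profile)
            if not fn(left, right):
                return False
            left = right
        return True
    # Attribute, Call, Subscript, Lambda, comprehensions and everything else
    # are exactly the surface that lets an expression reach arbitrary classes.
    raise UnsafeCondition("construct not allowed: %s" % type(node).__name__)


def evaluate_condition(expression: str, profile: dict) -> bool:
    """Parse and evaluate one segment condition against one profile."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise UnsafeCondition("cannot parse condition") from exc
    return bool(_eval(tree, profile))


def is_condition_safe(expression: str, profile: dict) -> bool:
    """True only if the condition evaluates without hitting the allowlist."""
    try:
        evaluate_condition(expression, profile)
        return True
    except UnsafeCondition:
        return False


# Constructed sample profile for the example (not real customer data).
SAMPLE_PROFILE = {"age": 34, "country": "NL", "tags": ["lead", "newsletter"]}

if __name__ == "__main__":
    print(evaluate_condition('age > 30 and country == "NL"', SAMPLE_PROFILE))  # True
    print(is_condition_safe("country.upper()", SAMPLE_PROFILE))  # False: call rejected
```

The point of the design is that rejection happens on the syntax tree, so an unsafe construct is refused before any value is touched; a blocklist of dangerous class names applied to the raw string would not give that guarantee.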