SolarWinds just keeps getting worse: New strain of backdoor malware found in probe
Plus: McAfee's in serious trouble over claimed cryptocurrency scam
In brief Another form of malware has been spotted on servers backdoored in the SolarWinds Orion fiasco.
The strain, identified as SUNSHUTTLE by FireEye, is a second-stage backdoor written in Go which uses HTTPS to communicate with a command-and-control server for data exfiltration, adding new code as needed. Someone based in the US, perhaps at an infected organization, uploaded the malware to a public malware repository in August last year for analysis, well before the cyber-spying campaign became public.
Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency, warned it could take 18 months to clean up this mess, and that's looking increasingly likely.
Play the world's tiniest violin
It appears there's no honor among thieves after an internal war in malware forums was followed by mass doxxings and Bitcoin thefts.
Threat analyst Intel471 noted that in this past week two cybercrime forums, Maza and Exploit, reported data loss of their members' personal information. Earlier in the year two more forums, Verified and Crdclub, suffered similar problems.
"The incidents show that even perpetrators of cybercrime aren't immune from experiencing the fallout that comes with personally identifiable information being made public," said the analyst. "Various cybercrime forums are alive with chatter following the breaches, with nefarious actors wondering if their real-world identities will be discovered thanks to the leaked data."
Law enforcement is not thought to be involved in the hacking, but will no doubt be looking at any information released very closely. A log of messages and transactions could be very useful in identifying and tracking down perpetrators.
Another week, another serious Cisco patch
A serious flaw in the Ethernet Frame Decoder of Cisco's Snort detection engine can fill a device's disk and effectively take it down.
According to Switchzilla's advisory: "An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device. A successful exploit could allow the attacker to exhaust disk space on the affected device, which could result in administrators being unable to log in to the device or the device being unable to boot up correctly."
Any Cisco product running a Snort release earlier than 2.9.17 is vulnerable, and that includes 1000 and 4000 Series Integrated Services Routers and Catalyst 8000V, 8200 and 8300 Series Edge Platforms, as well as other products. Time to get patching again.
McAfee charged over cryptocurrency fraud
John McAfee, the security industry's equivalent of a wacky great-uncle who drinks too much at Christmas and goes off the rails, is now facing serious charges from the US Department of Justice.
Uncle Sam has accused McAfee and his advisor, Jimmy Gale Watson Jr, of conspiracy to commit commodities and securities fraud, conspiracy to commit securities and touting fraud, wire fraud conspiracy and substantive wire fraud, and money laundering conspiracy. Watson was arrested on Friday and McAfee remains in prison in Spain on separate charges.
"The defendants allegedly used McAfee's Twitter account to publish messages to hundreds of thousands of his Twitter followers touting various cryptocurrencies through false and misleading statements to conceal their true, self-interested motives," Manhattan US Attorney Audrey Strauss said.
"McAfee, Watson, and other members of McAfee's cryptocurrency team allegedly raked in more than $13m from investors they victimized with their fraudulent schemes. Investors should be wary of social media endorsements of investment opportunities."
The DoJ claimed that from December 2017 to October 2018, the two managed a pump-and-dump scheme for online currency, selling off their own holdings for a massive profit. This must put a bit of a brake on McAfee's presidential ambitions – but these days, who knows. ®