A Second SolarWinds Attack Group, an FDA Appointment, and a New Cybersecurity House Committee

Your Weekly Cybersecurity News Recap

Thought we were done talking about the massive SolarWinds hack? You thought wrong. We’ve got yet another aftershock from the cybersecurity earthquake that rocked 2020.

But that’s not all! Our top cybersecurity headlines from the week include BOTH a new cybersecurity FDA appointment and a new House committee formed on cybersecurity. Additionally, you’ll hear about some of the biggest vulnerabilities and attacks from the week.

As always, this series isn’t intended to provide readers with details on every story and topic but rather to fill busy professionals in on only the most compelling developments in the field.

More assessments. More insights. More security. Do more with PlexTrac. Learn more here.

Second SolarWinds Attack Group Breaks into USDA Payroll

A second APT, potentially linked to the Chinese government, could be behind the Supernova malware, Threatpost reports.

There have been many hints in the past few months that a second group of malware actors may have exploited a SolarWinds bug to install the Supernova backdoor. Of note, Microsoft reported back in December that this was the case. Now sources are telling Reuters that there’s evidence that a separate advanced persistent threat (APT), likely China-backed, is behind the malware.

Reuters also reported that the group targeted a Department of Agriculture payroll system, the National Finance Center (NFC). According to Reuters, the APT infrastructure used in the USDA attack matches infrastructure known to be used by government-backed Chinese actors.

The group used an entirely separate vulnerability from the one behind the Sunburst backdoor that erupted onto the security scene and dominated headlines in late 2020. That original attack, which has been reported to be linked to a Russian APT, was delivered through trojanized software updates for the SolarWinds Orion platform.

To learn more about the second SolarWinds attack group from Threatpost, click here.

House Armed Service Leaders Announce New Subcommittee on Cybersecurity

United Press International (UPI) reports that a pair of House Democrats announced a new armed services subcommittee focused on cybersecurity and information technology.

House Armed Services Committee Chairman Adam Smith (D-WA) and Rep. James Langevin (D-RI) issued a joint statement this week announcing the formation of the Subcommittee on Cyber, Innovative Technologies, and Information Systems.

“As technology continues to advance at an incredibly rapid rate — from artificial intelligence to biotechnology and everything in between — it is critical that the Armed Services Committee redoubles our efforts to bridge the gap between current capabilities and future requirements,” the pair wrote.

The formation of the subcommittee follows a widespread cybersecurity attack on SolarWinds network security software, which intelligence agencies have attributed to Russia. President Joe Biden has pledged to make cybersecurity a top priority and work to “disrupt and deter our adversaries” from launching cyberattacks after the Cybersecurity and Infrastructure Security Agency warned the scope of the attack was greater than initially thought.

To learn more about the formation of the Cyber, Innovative Technologies, and Information Systems Subcommittee from UPI, click here.

FDA Appoints First Medical Device Cybersecurity Chief

Med Tech Drive reports that the Food and Drug Administration (FDA) has named Kevin Fu, an associate professor at the University of Michigan, to serve a one-year term as acting director of medical device cybersecurity at the agency’s Center for Devices and Radiological Health.

Fu, a long-time security advocate and researcher, will serve as an “expert in residence” and the FDA’s first-ever medical device cyber chief. His role also includes an appointment with the Digital Health Center of Excellence, which was launched back in September of 2020 to better coordinate policy and regulatory approaches tailored to fast-growing technologies.

Many cybersecurity experts around the industry applauded this decision by the FDA. For example, Chris Gates, director of product security at medical device engineering firm Velentium, said that Fu can help the FDA make major regulatory strides in 2021 with the release of the second draft of the premarket cybersecurity guidance.

To learn more about Kevin Fu and the FDA’s decision to hire him from Med Tech Drive, click here.

‘ValidCC,’ a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered

Krebs on Security brings us our next headline: “ValidCC,” a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week.

The owners of the popular dark web store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate the infrastructure. There are dozens of these online shops that sell “card not present” (CNP) payment card data stolen from e-commerce sites. The difference is that most of those sites buy their data from other criminals, whereas ValidCC was actively involved in hacking the merchants and pillaging the data itself.

Cybersecurity firm Group-IB published a report last year detailing the activities of ValidCC, noting that the gang behind the crime shop was responsible for plundering nearly 700 e-commerce sites. Group-IB dubbed this gang “UltraRank,” which the firm says has compromised at least 13 third-party suppliers whose software components are used by countless online stores across Europe, Asia, North America, and Latin America.

ValidCC’s demise comes on the heels of the shuttering of Joker’s Stash, by some accounts the largest underground shop for selling stolen credit cards and identity data. Back in December of 2020, several of Joker’s long-held domains began displaying notices that the sites had been seized by the U.S. Department of Justice and Interpol. Additionally, it was reported last week that authorities across Europe had seized servers used to operate Emotet.

It appears that authorities are on a seizing spree in the cybersecurity industry.

To read more about the closure of dark web store ValidCC by Krebs on Security, click here.

Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions

In our last story of the week, from The Hacker News, new details have been reported about a vast network of rogue extensions for Chrome and Edge that were found to hijack clicks on links in search results pages, redirecting them to arbitrary URLs, including phishing sites and ads.

The collection of extensions, now referred to as “CacheFlow” by Avast, includes Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VJ Unblock, and more. These extensions disguise themselves as useful tools to hide their true purpose: leveraging the Cache-Control HTTP header as a covert channel to retrieve commands from an attacker-controlled server.
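Because Cache-Control is a header almost nobody inspects, a covert channel hidden in it tends to surface only as directives or values that a legitimate server would never send. The following defensive check is an added example written for this recap; it is not code from The Hacker News, Avast, or the CacheFlow extensions, and it does not reproduce their actual encoding. It parses a Cache-Control field value with the directive grammar from RFC 9111, flags directive names that are not registered (the registered-name set below is a subset I assume to be sufficient for a first pass), and flags values that are unusually long or look like an encoded blob. The sample header values are constructed for illustration.

```python
"""Flag Cache-Control response headers that carry non-standard content.

Added defensive example (not code from the page, Avast, or CacheFlow):
a check a proxy or log pipeline could run over response headers.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Registered directive names: RFC 9111 section 5.2.2 plus the common
# extensions from RFC 5861 and RFC 8246. Assumed sufficient for a first pass;
# extend it if your servers legitimately emit other registered directives.
KNOWN_DIRECTIVES = {
    "max-age", "s-maxage", "no-cache", "no-store", "no-transform",
    "must-revalidate", "proxy-revalidate", "must-understand",
    "public", "private", "immutable",
    "stale-while-revalidate", "stale-if-error",
}

# One directive: token [ "=" ( token / quoted-string ) ], surrounded by OWS.
_TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
_DIRECTIVE_RE = re.compile(
    r'\s*(' + _TOKEN + r')(?:=("(?:[^"\\]|\\.)*"|' + _TOKEN + r'))?\s*'
)
# Heuristic for encoded payloads: a long run of base64/base64url characters.
_BASE64ISH_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


@dataclass
class CacheControlFinding:
    header: str
    unknown: List[str] = field(default_factory=list)
    suspicious_values: List[Tuple[str, str]] = field(default_factory=list)
    malformed: bool = False

    @property
    def suspicious(self) -> bool:
        return self.malformed or bool(self.unknown) or bool(self.suspicious_values)


def parse_cache_control(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split a Cache-Control field value into (name, value) pairs.

    Caveat: the split on ',' does not honour commas inside quoted strings;
    such headers are rare and would be reported as malformed, which is the
    conservative outcome for a detector.
    """
    pairs = []
    for part in value.split(","):
        if not part.strip():
            continue  # empty list members are tolerated by RFC 9110 section 5.6.1
        m = _DIRECTIVE_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"malformed directive: {part!r}")
        name, val = m.group(1).lower(), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # strip the surrounding quotes of a quoted-string
        pairs.append((name, val))
    return pairs


def inspect_cache_control(value: str) -> CacheControlFinding:
    """Return a finding describing why (if at all) the header looks abnormal."""
    finding = CacheControlFinding(header=value)
    try:
        pairs = parse_cache_control(value)
    except ValueError:
        finding.malformed = True
        return finding
    for name, val in pairs:
        if name not in KNOWN_DIRECTIVES:
            finding.unknown.append(name)
        if val is not None and (len(val) > 32 or _BASE64ISH_RE.match(val)):
            finding.suspicious_values.append((name, val))
    return finding


if __name__ == "__main__":
    # Constructed sample headers: one ordinary, one carrying an opaque blob
    # under an unregistered directive name, one syntactically broken.
    samples = [
        "max-age=3600, public",
        "no-store, x-cmd=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q",
        "max-age=",
    ]
    for s in samples:
        f = inspect_cache_control(s)
        print(f"{'SUSPICIOUS' if f.suspicious else 'ok':10} {s!r} "
              f"unknown={f.unknown} values={f.suspicious_values} malformed={f.malformed}")
```

Run over proxy or web-server logs that record response headers, this turns the covert-channel idea into a concrete alert condition: any response whose Cache-Control carries an unregistered directive, an encoded-looking value, or a value that does not parse at all. The unknown-directive check is the one worth keeping even if you drop the heuristics; registered directives are a small, stable set, so an allowlist produces few false positives.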

All of these backdoor browser extensions have been taken down by Google and Microsoft as of December 2020 to prevent more users from downloading them from official stores. According to data provided in this story, the three countries most affected by these extensions include Brazil, Ukraine, and France.

This JavaScript malware amassed birth dates, email addresses, geolocations, and device activity from affected users. The specific focus of these extensions was to collect data from Google.

To learn more about the latest browser extension malware from The Hacker News, click here.

Catch Up on More Byte-Sized News