FireEye reports finding a second-stage backdoor in one of the victims of the SolarWinds compromise, and the company’s Mandiant unit considers it possible that the backdoor, which it is calling “SUNSHUTTLE,” is connected with the threat actor it tracks as UNC2452. UNC2452 has been associated with the SolarWinds supply chain exploitation, but FireEye stresses that its researchers “have not fully verified” a connection between that actor and SUNSHUTTLE.
FireEye is also tracking exploitation of the Microsoft Exchange Server zero-days patched this week. “The activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms.” In other words, the initial exploitation is only the entry point; the follow-on access and persistence are what defenders should expect to find. FireEye’s investigation continues.
Indian media outlets (including Hitvada and ANI) continue to warn of alleged Chinese cyberattacks on India’s infrastructure. The reports center on conclusions reported by Recorded Future, which yesterday confirmed that it had found no evidence of Chinese cybersabotage in the power outages Mumbai sustained in October. What Recorded Future does report, as quoted by CNBC, is that it is tracking the threat group RedEcho, which is targeting “India’s oil and gas assets, electricity sector, maritime assets and critical rail infrastructure.” The assessed motive is pre-positioning rather than intelligence collection. Recorded Future said, “This is not for any economic espionage opportunity, but it is targeted at future disruptive cyber operations.”
Zimperium warns that unsecured cloud configurations are exposing data from a large number of mobile apps. Both Android and iOS apps are affected, since the exposure lies in the misconfigured cloud back ends the apps rely on rather than in either mobile platform itself.