CrowdStrike late yesterday announced the discovery of a malware implant, "Sunspot," associated with the Sunburst backdoor that's afflicted SolarWinds' Orion platform. They see Sunspot as malware that's been used since September 2019 to insert the Sunburst backdoor into Orion software builds. Sunspot "monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code," and in doing so takes care to keep Orion builds from failing, lest the compromise betray itself to developers. CrowdStrike hasn't reached any firm conclusions about attribution (they're tracking the incursions as the "StellarParticle" activity cluster).
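The mechanism CrowdStrike describes (a source file swapped on disk while the compiler is running) is what a build-input integrity check exists to catch. The following is an added example, not CrowdStrike's or SolarWinds' code: a Python script that records SHA-256 hashes of a source tree into a manifest (which would be committed alongside the build definition) and re-verifies the tree at build time, reporting modified, missing and injected files. The directory layout, file names and the simulated substitution are constructed for the demonstration.

```python
"""Build-input integrity check: detect a source file substituted during a build.

Added example (not CrowdStrike's or SolarWinds' code). The tree layout,
file names and the simulated substitution below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as build inputs; extend for the project's own languages.
SOURCE_SUFFIXES = {".cs", ".c", ".cpp", ".h", ".csproj", ".targets"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large inputs need not be read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Return {relative POSIX path: sha256} for every build input under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree on disk against a trusted manifest.

    A file whose hash differs is 'modified'; one listed in the manifest but
    absent on disk is 'missing'; one on disk that the manifest never listed is
    'unexpected' (an injected file is as dangerous as a replaced one).
    """
    current = snapshot(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: a clean checkout, then one file swapped mid-build."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Core").mkdir()
        (root / "Core" / "Widget.cs").write_text("// constructed sample\nclass Widget {}\n")
        (root / "Core" / "Helpers.cs").write_text("class Helpers {}\n")
        (root / "Product.csproj").write_text("<Project />\n")

        # Taken at checkout and stored with the build definition, out of reach
        # of anything running on the build host.
        manifest = snapshot(root)
        clean = verify(root, manifest)

        # Simulate what the compiler would see if the file were replaced while
        # the build is running: same path, different content, plus one extra file.
        (root / "Core" / "Widget.cs").write_text("class Widget { /* injected */ }\n")
        (root / "Core" / "Extra.cs").write_text("class Extra {}\n")
        tampered = verify(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean checkout:", before)
    print("after substitution:", after)
```

Run `verify` as the last step before the compiler reads its inputs (in MSBuild, a target declared with `BeforeTargets="CoreCompile"`), because a check that runs only at checkout or after the build never sees a substitution confined to the compilation window; and keep the manifest somewhere the build host cannot rewrite, since an implant with write access to the source tree can usually write to a local manifest too.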
Mimecast warns that "a sophisticated threat actor" has compromised a Mimecast-issued certificate used to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services. The compromise affects about ten percent of Mimecast's customers, who've been asked to replace the certificate.
IoT and Wi-Fi vendor Ubiquiti yesterday disclosed a data breach, saying that its IT systems were accessed through a third-party cloud provider. Ubiquiti recommends that customers change their passwords and enable two-factor authentication.
Europol announced this morning that an international law enforcement operation has taken down DarkMarket, generally held to have been the Internet's largest dark web contraband souk. German authorities took the lead in the investigation, with partners from Europol, Australia, Denmark, Moldova, Ukraine, the United Kingdom (the National Crime Agency), and the USA (DEA, FBI, and IRS). DarkMarket's wares consisted mostly of drugs, counterfeit currency, paycard information, and malware.