This is Frankfurt calling: Scattered outbreaks of hot crunchiness

A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs.

Labor departments and related agencies in at least nine states have been impacted. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.

In a statement to media organizations, GSI President Paul Toomey said the Palm Harbor, Florida-based company "identified anomalous activity on our network," and took its services offline. Toomey didn't elaborate whether GSI was hit with ransomware or some other type of malware.

Black Hat Asia Software made unsafe by dependencies should be fixed without users needing to interact with the source of the problem, according to US National Cyber Director Chris Inglis, who serves in the Executive Office of the President.

Speaking to The Register at the Black Hat Asia conference in Singapore on Friday, Inglis said that when a faulty component in a car needs to be replaced, the manufacturer who chose that component takes responsibility for securing safe parts and arranging their installation. He contrasted that arrangement with the fix for the Log4j bug, which required users to seek assistance from both vendors that used the open-source logging code and source software from the Log4j project itself.

Inglis wants vendors to take responsibility for their choices so that addressing security issues is easier and users' systems – and the US – can achieve better resilience with less effort.

The United States Department of Justice has unsealed a pair of indictments that detail alleged Russian government hackers' efforts to use supply chain attacks and malware in an attempt to compromise and control critical infrastructure around the world – including at least one nuclear power plant.

The documents detail two conspiracies said to have run from 2012 to 2018 and "targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries."

One of the indictments, United States v. Pavel Aleksandrovich Akulov, et al [PDF] describes a campaign undertaken by individuals the DoJ has characterized as "three officers of Russia's Federal Security Service (FSB)" who worked in teams code-named "Berzerk Bear" and "Energetic Bear".

Stor-a-File, a British data capture and storage company, suffered a ransomware attack in August that exploited an unpatched instance of SolarWinds' Serv-U FTP software.

The company informed its clients about the September attack, and told The Register that it refused to pay. We understand some data has been leaked by ransomware criminals on a Tor blog.

At least one of Stor-a-File's clients is a medical company, one of whose customers got in touch with El Reg last week.

Russia's SVR spy agency made off with information about US counterintelligence investigations in the wake of the SolarWinds hack, according to people familiar with the American government cleanup operation.

The alarming snippet was reported by financial newswire Reuters. The SVR was named and shamed in April by Britain and the US as the organisation that compromised the build systems of SolarWinds' network monitoring software Orion, used by 18,000 customers across the world. Those customers included the UK and US governments, among many, many others.

The attack is said to have led to the Russian foreign intelligence service making off with "information about counterintelligence investigations, policy on sanctioning Russian individuals and the country's response to COVID-19," according to people involved in the US government's investigation who spoke to Reuters.

The head of the UK's secretive Military Intelligence Section 6 agency – popularly known as MI6 – has delivered a rare speech in which he has warned that China, Iran, and Russia use information technology to destabilise rivals, and that the agency he leads can no longer rely on in-house innovation to develop the technologies the UK needs to defend itself.

MI6 boss Richard Moore (whose initial, one notes, is 'M') delivered a speech on Thursday at the International Institute for Strategic Studies, and opened with an explanation of why the normally reclusive agency had taken the unusual step of allowing its leader to speak in public.

His argument was that "the changing nature of the threats that we face requires a greater degree of openness from a modern intelligence agency" meaning that "to stay secret, we are going to have to become more open".

Updated SolarWinds is urging a US federal judge to throw out a lawsuit brought against it by aggrieved shareholders who say they were misled about its security posture in advance of the infamous Russian attack on the business.

Insisting that it was "the victim of the most sophisticated cyberattack in history" in a court filing, SolarWinds described a lawsuit from some of its smaller shareholders as an attempt to "convert this sophisticated cyber-crime" into an unrelated securities fraud court case.

"The Court should dismiss the Complaint because it fails to satisfy the heightened standards for pleading a Section 10(b) claim imposed by the Private Securities Litigation Reform Act," it said [PDF].

Autodesk, makers of computer-aided design (CAD) software for manufacturing, has told the US stock market it was targeted as part of the the supply chain attack on SolarWinds' Orion software.

In a filing with the American Stock Exchange Commission, Autodesk said it had identified a compromised server in the wake of public reporting of the SolarWinds breach.

According to the US and UK governments, the attack saw spies from Russia's SVR agency (the equivalent of Britain's MI6) compromise systems used to compile new builds of network monitoring software Orion.

Microsoft has warned of a new tool designed to exfiltrate credentials and introduce a backdoor into Active Directory servers that is under active use by the Nobelium threat actor group.

The FoggyWeb malware, Microsoft has declared, is designed to target Microsoft Active Directory Federation Services (AD FS) servers, exfiltrating credentials, configuration databases, decrypted token-signing and token-decryption certificates, and to download additional components to set up a permanent backdoor and attack the network more widely.

"Because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations," Ramin Nafisi, Microsoft Threat Intelligence Centre researcher, wrote in an analysis of the malware.

SolarWinds has issued an emergency patch after a critical security hole in its Serv-U Managed File Transfer and Serv-U Secure FTP was spotted being exploited in the wild.

The vulnerability, discovered by Microsoft's Threat Intelligence Center (MSTIC) and Offensive Security Research teams, can be exploited by an attacker to achieve remote code execution, and is present in Serv-U version 15.2.3 HF1 and all prior builds. The Redmond crew also said a "single threat actor" was abusing the programming blunder (CVE-2021-35211) though it's not known how many customers are affected.

"This attack is a Return Oriented Programming (ROP) attack," said SolarWinds in an advisory. "When exploited, the vulnerability causes the Serv-U product to throw an exception and then intercepts the exception handling code to run commands. Please note, several reasons exist for exceptions to be thrown, so an exception itself is not necessarily an indicator of attack."