Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

FireEye, one of the world top cybersecurity firms, was hacked probably by a nation-state actor. Researchers found vulnerabilities impacting millions of smart and industrial devices. A pesty malware capable of remotely bricking devices was seen. Plus a whirlwind of Covid-19 related attacks. And interesting findings on the security of Docker images. What a strange week…

Notable Security News

FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community

The cybersecurity firm FireEye was hacked and had its Red Team tools stolen by “a highly sophisticated state-sponsored attacker utilizing novel techniques”. The tools in question do not include zero-day exploits, but only scripts and frameworks leveraging public techniques. So, FireEye released its Red Team Tool Countermeasures to help organizations in case the stolen tools are used in the wild. This story shows that anyone can be hacked and, when it happens, transparency is admirable.

One of the Internet’s most aggressive threats could take UEFI malware mainstream

TrickBot, the malware Microsoft and others are relentlessly trying to take down, came back with a nasty new module. TrickBoot, as it is called, has the rare capability of attacking the boot process. It can inspect the UEFI/BIOS firmware of targeted systems, bypass security controls, check for well-known vulnerabilities and remotely brick a device by erasing its firmware. This last feature is the worst as it could be used by ransomware gangs as revenge against victims who refuse to pay them.

Android devs: If you’re using the Google Play Core Library, update it against this remote file inclusion CVE. Pronto

CVE-2020-8913 is a serious vulnerability (local arbitrary code execution) in Google Play Core Library that was disclosed in August. It shouldn’t have made the news again since Google patched it in April months before its disclosure. The problem is that many apps are still running the vulnerable version of the library. Check Point found out this was surprisingly the case for Cisco Teams, Viber, Grindr, Booking, Edge and others.

Amnesia:33 vulnerabilities impact millions of smart and industrial devices

Amnesia:33 is a set of 33 vulnerabilities affecting four open source TCP/IP stacks used by millions of connected devices from more than 150 vendors. This includes all sorts of smart and industrial devices, with a range of impacts from denial of service, information leaks, memory corruption, or remote code execution. The vulnerable stacks are so widely used that it is difficult to assess the impact, and to identify and patch all vulnerable devices.

Analysis of 4 Million Docker Images Shows Half Have Critical Vulnerabilities

The cybersecurity company Prevasio scanned 4 million container images hosted at Docker Hub. Dynamic analysis showed that 51% had critical vulnerabilities, 6432 were malicious/potentially harmful images, and 44% of these malicious images had crypto-miners. The report has more eye-opening results. Developers and users of container images must be aware of these risks.

Other Interesting News

Cybercrime

• NSA warns of Russian state-sponsored hackers exploiting VMWare vulnerability
• Johnson & Johnson CISO: Healthcare orgs are seeing nation-state attacks every single minute of every single day
• COVID-19 vaccine data has been unlawfully accessed in hack of EU regulator
• IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain
• Fake websites and false cures: Interpol warns of Covid-19 vaccine scams

Vulnerabilities

• DHS-CISA urges admins to patch OpenSSL DoS vulnerability
• GE puts default password in radiology devices, leaving healthcare networks exposed
• Unfixable Kubernetes Security Hole Means Potential Man-in-the-Middle Attacks
• Microsoft issues guidance for DNS cache poisoning vulnerability
• Hey Alexa, what’s my PIN? Researchers show voice assistants can hear the taps made on a smartphone keyboard

Reports

• The 2020 State of the OCTOVERSE
• Crowdstrike CYBER FRONT LINES REPORT

Responsible disclosure

• Disputed bug in Microsoft Teams posed RCE risk, researcher warns
• Dropbox: Protecting Security Researchers
• UK Ministry of Defence: We won’t prosecute bug bounty hunters – oh btw, we now have one of those

Tech

• GitHub offers tighter integration of security to development workflows
• Chinese Breakthrough in Quantum Computing a Warning for Security Teams
• PasswordsCon 2020: Authentication expert expresses skepticism about ‘passwordless’ future
• Oblivious DoH: Cloudflare supports new privacy, security-focused DNS standard

Misc.

• German court forces encrypted email provider Tutanota to create backdoor for blackmail case
• EU Parliament Supports Your Right to Repair
• Timnit Gebru’s team at Google is going public with their side of the story
• UK National Cyber Security Centre’s Zero trust principles – beta release

Intigriti News