Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Remember last week’s FireEye breach? It is now slowly unfolding as a massive global campaign and maybe the most consequential publicly known hack of US government systems.

Add to that “unpatchable” authentication bypass vulnerabilities in Golang, a Remote Code Execution in Cisco Jabber, a simple yet effective ransomware campaign targeting MySQL server, and you have this week’s explosive cybersecurity news!

Notable Security News

FireEye Stories: Global Intrusion Campaign Leverages Software Supply Chain Compromise

Last week’s FireEye hack turned out to be just the tip of the iceberg. It is now confirmed as the result of a supply chain attack spread via a trojan named SUNBURST in SolarWinds’ Orion software.

State-sponsored attackers suspected to be Russia’s APT29 (aka Cozy Bear) injected a backdoor into this software that was installed by roughly 18,000 SolarWinds customers. The list of compromised systems include multiple US government systems (The U.S. Department of Homeland Security, Treasury and commerce departments, Pentagon, the US Nuclear Agency…), telecoms, company networks, Microsoft and many more.

The good news is that SolarWinds published a hotfix and a ‘killswitch‘ was created to prevent the malware from continuing to operate.

Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

Cisco rolled out new patches for several critical vulnerabilities in Cisco Jabber. One of them is a Cross-Site Scripting bug that was disclosed in September but not sufficiently mitigated at the time. Installing the new patches is highly recommended as this XSS is wormable, doesn’t require user interaction and can lead to remote code execution.

Zero-day XML mutation flaws in Go programming language can lead to authentication bypass

The Go language’s XML parser has 3 critical vulnerabilities that can lead to a complete bypass of SAML authentication but have no patch. Though the root cause cannot be addressed, some changes are on the road (e.g. deprecating the vulnerable functionality) and the three major open source Go-based SAML implementations affected were patched. Researchers who found this bug advise anyone who maintains “a Go-based project that relies on XML integrity” to read their findings carefully.

‘Malwareless’ ransomware campaign operators pwned 83k victims’ MySQL servers, 250k databases up for sale

This new ransomware campaign targets MySQL database servers that have weak credentials. Any MySQL server found is bruteforced for credentials, its databases content is stolen and erased in a typical double-extortion attack. Then a ransom note is left and the stolen databases offered for purchase. This shows that not all ransomware attacks are targeted. This one is automated, untargeted and simple yet terribly effective.

Report on the 2020 FOSS Contributor Survey

The Internet relies on Free and open-source software (FOSS) such as Curl, OpenSSL, OpenSSH, etc. Who are the people behind such critical projects? This report brings insights into their motivations (money is not in the top 3!), efforts needed to improve the security of FOSS, and concrete actions companies can make to support the development and security of FOSS projects.

Other Interesting News

Cybercrime

• Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox
• Facebook links APT32, Vietnam’s primary hacking group, to local IT firm
• Zero-day in WordPress SMTP plugin abused to reset admin account passwords
• PgMiner botnet exploits disputed CVE to hack unsecured PostgreSQL DBs
• Subway email weirdness: Suspicion grows over apparent Trickbot trojan delivery campaign
• U.S. warns of increased cyberattacks against K-12 distance learning

Vulnerabilities

• Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems
• F5 warns over ‘critical’ XSS flaw in BIG-IP
• 45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware
• Update now: Researchers warn of security vulnerabilities in these widely used point-of-sale terminals
• Proof-of-concept exploit code published for new Kerberos Bronze Bit attack

Reports

• A Data-Driven Guide to Whether a Machine Will Be Doing Your Job By 2025
• State of Software Security: Flaw Frequency by Language

Responsible disclosure

• Google makes it easier to qualify for higher payouts for Chrome browser engine bugs
• Dutch officials say Donald Trump really did protect his Twitter account with MAGA2020! password

Tech

• Adobe to block Flash content from running on January 12, 2021

Misc.

• Romania to host the EU’s new cybersecurity research hub
• The California Privacy Rights Act (CPRA)
• Twitter fined by EU data protection watchdog for GDPR breach
• Swedish university fined $66,000 for GDPR violations
• Apple’s app store is an illegal monopoly, rival Cydia claims in suit
• Exclusive: Israeli Surveillance Companies Are Siphoning Masses Of Location Data From Smartphone Apps