Security Snacks #10 – SolarWinds whirlwind, Malwareless ransomware & Cisco 9.9/10 bug

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Remember last week’s FireEye breach? It is now slowly unfolding as a massive global campaign and maybe the most consequential publicly known hack of US government systems.

Add to that “unpatchable” authentication bypass vulnerabilities in Go’s XML parser, a remote code execution in Cisco Jabber, and a simple yet effective ransomware campaign targeting MySQL servers, and you have this week’s explosive cybersecurity news!

Notable Security News

FireEye Stories: Global Intrusion Campaign Leverages Software Supply Chain Compromise

Last week’s FireEye hack turned out to be just the tip of the iceberg. It is now confirmed to be the result of a supply chain attack: a backdoor, named SUNBURST by FireEye, was inserted into builds of SolarWinds’ Orion platform and reached customers through SolarWinds’ own signed updates.

State-sponsored attackers suspected to be Russia’s APT29 (aka Cozy Bear) injected the backdoor into software that roughly 18,000 SolarWinds customers installed. The list of affected organisations includes multiple US government bodies (the Department of Homeland Security, the Treasury and Commerce departments, the Pentagon, the US nuclear agency…), telecoms, company networks, Microsoft and many more. Note what the 18,000 figure means: it counts installations of a trojanized update, and the attackers then picked a much smaller subset of those for hands-on follow-up. An installed backdoor is therefore not proof of a deeper intrusion, but it does mean the host has to be treated as compromised until it has been checked.

The good news is that SolarWinds published a hotfix and a ‘killswitch‘ was created to stop the malware from continuing to operate. The killswitch works by taking over the command-and-control domain the backdoor phones home to, which causes the implant to disable itself under certain conditions; it does not remove the backdoored component and does nothing about attackers who have already moved on to other systems. Affected organisations still need to upgrade Orion and hunt for follow-on activity.

Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10

Cisco rolled out new patches for several critical vulnerabilities in Cisco Jabber. One of them is a cross-site scripting bug that was disclosed in September but not sufficiently mitigated at the time. Installing the new patches is highly recommended: this XSS is wormable, requires no user interaction (a crafted chat message delivered to the client is enough) and can lead to remote code execution.

Zero-day XML mutation flaws in Go programming language can lead to authentication bypass

Go’s XML parser (the standard encoding/xml package) has three critical weaknesses that can lead to a complete bypass of SAML authentication, and they have no patch. The common root cause is that the package does not round-trip XML faithfully: a document that is decoded and re-encoded can come out different from the original, so two components that are supposed to look at the same signed document can end up looking at different content. The Go team has said the root cause cannot be addressed, though some changes are on the road (e.g. deprecating the vulnerable functionality), and the three major open source Go-based SAML implementations affected were patched. The researchers who found the bugs advise anyone who maintains “a Go-based project that relies on XML integrity” to read their findings carefully.
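To make the round-trip problem concrete, here is a small added example (written for this digest, not code from the researchers’ advisory or from any of the SAML libraries): it decodes a constructed XML document with Go’s standard encoding/xml decoder, re-encodes the tokens with the standard encoder, and compares the result with the input. The two sample documents and the names RoundTrip and RoundTripsUnchanged are my own; nothing here is an exploit, it only shows that the parser’s view of a namespaced document is not the document it was given.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// SampleDoc is a constructed document that uses a namespace prefix, the
// kind of construct SAML assertions rely on (saml:, samlp:, ds: prefixes).
const SampleDoc = `<a:root xmlns:a="urn:example"><a:child>v</a:child></a:root>`

// PlainDoc is a constructed document with no namespaces at all.
const PlainDoc = `<root><child>v</child></root>`

// RoundTrip decodes doc with encoding/xml token by token and re-encodes
// the tokens. This is what a library effectively does when it parses a
// document and serialises it again, for example to normalise it before
// checking a signature or to hand it to a second component.
func RoundTrip(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var out strings.Builder
	enc := xml.NewEncoder(&out)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		// CopyToken detaches the token from the decoder's internal buffer.
		if err := enc.EncodeToken(xml.CopyToken(tok)); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return out.String(), nil
}

// RoundTripsUnchanged reports whether decoding and re-encoding reproduces
// doc byte for byte. A false result means encoding/xml's view of the
// document differs from the bytes that were actually received (and signed),
// so a signature verified over the re-serialised form says nothing about
// the original.
func RoundTripsUnchanged(doc string) (bool, error) {
	out, err := RoundTrip(doc)
	if err != nil {
		return false, err
	}
	return out == doc, nil
}

func main() {
	for _, doc := range []string{PlainDoc, SampleDoc} {
		out, err := RoundTrip(doc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("in:     %s\nout:    %s\nstable: %v\n\n", doc, out, out == doc)
	}
}
```

The plain document survives the trip unchanged; the namespaced one comes back with its a: prefixes rewritten into default-namespace declarations, so the bytes differ even though the parser believes nothing was lost. Any flow that verifies a signature over the re-serialised form, or that compares two parses of the “same” assertion, can be made to disagree with what the identity provider actually signed. A round-trip stability check like RoundTripsUnchanged is a coarse guard a maintainer can run on incoming documents before trusting them; it is my suggestion, not the libraries’ fix, and it is no substitute for upgrading to the patched SAML implementations.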

‘Malwareless’ ransomware campaign operators pwned 83k victims’ MySQL servers, 250k databases up for sale

This new ransomware campaign targets MySQL database servers that are reachable from the Internet and protected by weak credentials. Every MySQL server found is brute-forced for credentials, the content of its databases is stolen and then erased, a ransom note is left behind and the stolen databases are put up for sale, in a typical double-extortion scheme. No malware has to be dropped on the victim: valid database credentials are all the attacker needs. This shows that not all ransomware attacks are targeted; this one is automated, untargeted and simple, yet terribly effective. Not exposing MySQL to the Internet, using strong credentials and keeping tested offline backups defeats it entirely.

Report on the 2020 FOSS Contributor Survey

The Internet relies on free and open-source software (FOSS) such as curl, OpenSSL, OpenSSH, etc. Who are the people behind such critical projects? This report brings insights into their motivations (money is not in the top 3!), the effort needed to improve the security of FOSS, and concrete actions companies can take to support the development and security of FOSS projects.

Other Interesting News

Cybercrime

Vulnerabilities

Reports

Responsible disclosure

Tech

Misc.