By Anna Hammond
January 22, 2021
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
This week in cybersecurity news: A bunch of critical vulnerabilities were found in Cisco products that we may soon see exploited in-the-wild. Attackers could hijack DNS of millions of IoT devices. NSA warns of pitfalls of misusing encrypted DNS. We also take a look back at 2020’s key threats and vulnerabilities, and at new details on the Solorigate attack that are insightful for both offensive and defensive sides of security.
DNSpooq lets attackers poison DNS cache records
Researchers disclosed seven vulnerabilities in dnsmasq, a popular open source DNS forwarding software used in products of more than 40 IT vendors. The bugs are tracked collectively as DNSpooq and expose over 1 million devices to a range of attacks such as remote code execution, DNS cache poisoning and denial of service. While vendors are rolling out patches, there are also different mitigations that end-users can put in place themselves.
NSA warns against using DoH inside enterprise networks
The NSA issued recommendations for companies that want to adopt encrypted DNS securely. Though DoH enhances the privacy of home networks, it is not always the best option for enterprise networks. The biggest pitfall is using third-party DNS services which must be avoided even if it means blocking DoH until encryption capabilities are added to the enterprise DNS infrastructure.
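Spotting devices that are about to bypass the enterprise resolver is part of following this guidance. The snippet below is an added example, not code from the digest or the NSA: it scans a constructed dnsmasq query log for lookups of well-known public DoH endpoints (the hostnames listed are real public resolvers, chosen by me, not taken from the page) and reports which internal clients resolved them.

```python
import re
from collections import defaultdict

# Constructed dnsmasq query log excerpt (as written with log-queries enabled); not real traffic.
SAMPLE_LOG = """\
Jan 22 09:00:01 dnsmasq[812]: query[A] intranet.example.internal from 10.0.0.5
Jan 22 09:00:02 dnsmasq[812]: query[A] dns.google from 10.0.0.5
Jan 22 09:00:03 dnsmasq[812]: query[AAAA] mozilla.cloudflare-dns.com from 10.0.0.7
Jan 22 09:00:04 dnsmasq[812]: query[A] www.example.com from 10.0.0.9
Jan 22 09:00:05 dnsmasq[812]: query[A] dns.google from 10.0.0.5
"""

# Hostnames of public DoH resolvers; a client typically resolves one of these
# over plain DNS right before switching to encrypted DNS. Extend to taste.
DOH_ENDPOINTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
    "doh.opendns.com",
}

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def is_doh_endpoint(name):
    """True if name is a known DoH resolver hostname or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in DOH_ENDPOINTS)


def find_doh_lookups(log_text):
    """Map each client IP to the sorted DoH endpoint names it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_doh_endpoint(m.group("name")):
            hits[m.group("client")].add(m.group("name").lower())
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_doh_lookups(SAMPLE_LOG).items():
        print(f"{client} resolved DoH endpoint(s): {', '.join(names)}")
```

Clients flagged this way are candidates for a firewall rule that blocks the DoH endpoint and a check that their stub resolver points at the enterprise DNS.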
Microsoft: This is how the sneaky SolarWinds hackers hid their onward attacks for so long
Microsoft shared interesting new details on techniques used by the Solorigate hackers to hide the attack. These include using unique custom implants, renaming tools to blend into the hacked environment, and separating the components used (the Solorigate DLL backdoor and the Cobalt Strike loader) to remain undetected. These advanced techniques show the level of sophistication of the attack and the effort put into evading detection.
In other news, Malwarebytes was also targeted by the same threat actor. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments.
Symantec researchers found that a fourth malware dubbed Raindrop was used to deliver Cobalt Strike and spread the attack to other computers in victims’ networks.
FireEye published an excellent technical paper on four techniques used by Solorigate hackers and other threat actors to move laterally from on-premises networks to the Microsoft 365 cloud. They also released their auditing script, Azure AD Investigator.
Finally, Microsoft shared recommendations on how to protect against sophisticated attacks like Solorigate using Zero Trust principles.
Cisco has patched multiple critical vulnerabilities in their SD-WAN products. Unauthenticated attackers can remotely exploit the vulnerabilities to execute arbitrary commands on vulnerable devices. Though attacks in the wild haven’t been noticed by Cisco, it is probably just a matter of time.
This advisory comes only a week after another unrelated set of vulnerabilities was disclosed: bugs that allow authenticated users of Cisco CMX and Cisco AnyConnect to escalate their privileges, as well as arbitrary code execution and denial of service in discontinued Cisco RV routers. The company advises customers to install patches for supported devices and to migrate to more recent supported RV models.
TL;DR: The Tenable Research 2020 Threat Landscape Retrospective
Tenable’s 2020 Threat Landscape Retrospective provides an interesting overview of 2020’s vulnerability and threat landscape, especially considering the eventful year that 2020 was. The report is based on public information, events and alerts from US government agencies, and goes over the key vulnerabilities / CVEs / zero-days and trends in ransomware and breaches.
A Chinese hacking group is stealing airline passenger details
Hackers alter stolen regulatory data to sow mistrust in COVID-19 vaccine
Telegram-based phishing service Classiscam hits European marketplaces
Verified Twitter accounts hacked in $580k ‘Elon Musk’ crypto scam
FreakOut malware exploits critical bugs to infect Linux hosts
Hacker blunder leaves stolen passwords exposed via Google search
Bugs in Signal, Facebook, Google chat apps let attackers spy on users
Pwnable Document Format: Windows PDF viewers outperformed by browser, macOS, Linux counterparts
Automated exploit of critical SAP SolMan vulnerability detected in the wild
How Law Enforcement Gets Around Your Smartphone’s Encryption
VoIP vulnerability: CoTURN patches access control protection bypass
A security researcher commandeered a country’s expired top-level domain to save it from hackers
Security researchers earn $50k after exposing critical flaw in Apple travel portal