Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
Supply chain attacks seem to be the new normal. Just this week… 1.6 million US unemployment claims were exposed because of vulnerabilities in legacy software used by the Washington State Auditor’s Office. In parallel to the campaign attributed to Russian state-sponsored hackers, suspected Chinese attackers also targeted SolarWinds to hack a US government agency. And a bug in an encryption library used by GnuPG could’ve had serious impact if it weren’t for a Google Project Zero researcher.
Read on for details!
Notable Security News

SolarWinds patches vulnerabilities that could allow full system control
Three new vulnerabilities were discovered in SolarWinds products by a Trustwave SpiderLabs researcher. The most serious bug results in unauthenticated remote code execution.
CISA director announced that 30% of “SolarWinds hack” victims didn’t actually use SolarWinds.
Investigations revealed that independently from the previously disclosed operations, suspected Chinese hackers also exploited SolarWinds vulnerabilities to hack at least one US government agency.
Last, members of US Congress are asking the NSA to share what it knows about the 2015 Juniper Networks supply chain attack. They want to know whether an encryption backdoor introduced in Juniper by the NSA played any role in the hack.

SonicWall fixes actively exploited SMA 100 zero-day vulnerability
SonicWall is warning about a zero-day in its SMA 100 devices, reported by NCC Group and exploited in the wild. The vulnerability allows attackers to gain admin privileges on the device’s management interface and then achieve remote code execution. The good news is that patches are already available.

The Accellion Mess: What Went Wrong?
Several unpatched vulnerabilities in Accellion’s legacy File Transfer Appliance resulted in multiple data breaches. After New Zealand’s Reserve Bank, the latest victim is the Washington State Auditor’s Office. The personal information of 1.6 million people who filed for unemployment benefits was exposed.

Knock, knock. Who’s there? NAT. Nat who? A NAT URL-borne killer
Researchers at Armis developed a new variant of the NAT Slipstreaming attack first disclosed in October by Samy Kamkar. The original attack, triggered by JavaScript running on a malicious site, allowed remote access from the Internet to victims’ machines, bypassing NAT and firewall defenses. NAT Slipstreaming v2 allows access not only to a victim’s device but also to any internal IP on the network. This means that embedded, unmanaged devices like printers or IP cameras could be reached by attackers.

Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code
Google Project Zero’s Tavis Ormandy found a critical heap buffer overflow vulnerability in Libgcrypt, the open-source encryption library used by GnuPG. It leads to remote code execution and is “easily exploitable”.
Other Interesting News
The good
- Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands
- Apple Fixes One of the iPhone’s Most Pressing Security Risks
- Google funds project to secure Apache web server with new Rust component
- Google bans another misbehaving CA from Chrome
- Open source: Google wants new rules for developers working on ‘critical’ projects
The bad
- Trickbot malware now maps victims’ networks using Masscan
- This Linux malware is hijacking supercomputers across the globe
- Spies target gamers with malware inserted into software updates, ESET says
- Scams, terror, and national security: Problems with Chinese microloan apps in India
- Recent root-giving Sudo bug also impacts macOS
- Google: Proper patching would have prevented 25% of all zero-days found in 2020
And some ethically reported bugs
- Azure Functions vulnerability proves cloud users not always in control
- Playing Fetch: New XS-Leak exploits browser redirects to break user privacy
- Vue to a kill: XSS vulnerability in Vue.js revealed