Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
Hackers (from both sides) have been busy this past week!
A bug hunter published a clever new attack technique against which you probably want to protect your company… Read on for details about this attack and about criminal hackers’ attempt to poison a US town’s water supply, Google’s promising vulnerability database, and a bundle of software bugs patched or exploited in the wild.
Notable Security News
Microsoft’s February Patch Tuesday fixes 56 vulnerabilities, including a privilege escalation bug already exploited in the wild against Windows 10 and Windows Server 2019 users, and three vulnerabilities in the Windows TCP/IP implementation that leave all supported versions of Windows open to Denial of Service and Remote Code Execution attacks.
Adobe also patched a critical code execution flaw in Adobe Reader that’s been actively exploited.
A water treatment plant in a Florida town was accessed remotely by unidentified attackers who tried to raise the concentration of a treatment chemical to a level that would have made the water poisonous.
The attempt failed because an operator saw the remote session on the workstation as it happened. The attack nevertheless highlights weaknesses in water supply facilities and prompted the FBI to warn against the combination leveraged here: Windows 7, weak passwords and TeamViewer exposed for remote access.
Three security issues relevant to Chrome users:
Google patched a critical zero-day vulnerability (heap buffer overflow) in Chrome V8 that had been exploited in the wild. Tenable researchers suspect it to be one of the bugs used to attack security researchers in the ZINC campaign.
A researcher discovered a malicious extension that attackers dropped on compromised systems. It used Chrome’s sync feature to exfiltrate victims’ data. Google considers this a “local attack” and isn’t planning to change their sync feature.
The Great Suspender, a popular extension, was removed from the Chrome Web Store with the notice “This extension contains malware”. Note that Google only pulled it from the store: users who already have it installed must uninstall it themselves.
“Dependency confusion” is a new attack technique published by bug hunter Alex Birsan. It abuses the default resolution behaviour of package managers such as npm, RubyGems and PyPI’s pip, which developers use to build apps inside enterprise environments. When a client is configured to consult both a private feed and the public registry, and an attacker publishes a public package carrying the same name as an internal one (typically with a higher version number), the package manager fetches the attacker’s package instead of the internal one the developers expected. Because install hooks run at installation time, this yields code execution on developer machines and build servers inside the company’s network.
Microsoft’s whitepaper details three ways you can protect your company from this new attack.
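To make the resolution race concrete, here is an added example (not code from Birsan’s write-up or from Microsoft’s whitepaper) that simulates a client querying a private feed and the public registry, shows the “highest version wins” behaviour the attack relies on, a pinned resolver that never lets an internal name fall through to the public registry, and an audit that lists the internal names an attacker could squat. The feeds, the manifest and the `acme-` internal prefix are all constructed assumptions.

```python
"""Dependency confusion: vulnerable resolution, pinned resolution and an audit.
Added example with constructed registry snapshots; nothing here touches the network."""
from typing import Dict, List, Optional, Tuple

Feed = Dict[str, List[str]]

# Constructed snapshot of the company's private feed: internal packages only.
PRIVATE_FEED: Feed = {
    "acme-auth-lib": ["1.2.0", "1.3.0"],
    "acme-logging": ["0.9.1"],
}

# Constructed snapshot of the public registry. "acme-auth-lib" is the
# attacker's squatted package: same name as the internal one, absurd version.
PUBLIC_REGISTRY: Feed = {
    "acme-auth-lib": ["99.0.0"],
    "lodash": ["4.17.20"],
}

# Constructed manifest: the dependency names a project declares.
MANIFEST = ["acme-auth-lib", "acme-logging", "lodash"]

# Assumption: every internal package name carries this prefix.
INTERNAL_PREFIXES = ("acme-",)


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2) so that comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name: str, feeds: Dict[str, Feed]) -> Optional[Tuple[str, str]]:
    """Vulnerable behaviour: ask every configured feed and take the highest
    version, wherever it came from. Returns (feed_name, version) or None."""
    candidates = [
        (parse_version(v), feed_name, v)
        for feed_name, feed in feeds.items()
        for v in feed.get(name, [])
    ]
    if not candidates:
        return None
    _, feed_name, version = max(candidates)
    return feed_name, version


def resolve_pinned(name: str, private_feed: Feed,
                   public_registry: Feed) -> Optional[Tuple[str, str]]:
    """Hardened behaviour: an internal-prefixed name is only ever resolved from
    the private feed. If the private feed lacks it, resolution fails instead of
    silently falling through to the public registry."""
    if name.startswith(INTERNAL_PREFIXES):
        versions = private_feed.get(name)
        if not versions:
            return None
        return "private", max(versions, key=parse_version)
    versions = public_registry.get(name)
    if not versions:
        return None
    return "public", max(versions, key=parse_version)


def audit_manifest(manifest: List[str], private_feed: Feed,
                   public_registry: Feed) -> List[str]:
    """Detection: internal names that also exist on the public registry, i.e.
    the names somebody has already registered publicly."""
    return sorted(
        name for name in manifest
        if name in private_feed and name in public_registry
    )


if __name__ == "__main__":
    feeds = {"private": PRIVATE_FEED, "public": PUBLIC_REGISTRY}
    for name in MANIFEST:
        naive = resolve_naive(name, feeds)
        pinned = resolve_pinned(name, PRIVATE_FEED, PUBLIC_REGISTRY)
        print(f"{name:15} naive={naive}  pinned={pinned}")
    print("collisions:", audit_manifest(MANIFEST, PRIVATE_FEED, PUBLIC_REGISTRY))
```

The naive resolver hands `acme-auth-lib` to the public registry’s 99.0.0 because nothing ties the name to a feed; the pinned resolver returns the private 1.3.0 and returns nothing at all for an internal name the private feed does not carry, which is the behaviour you want from a single-feed or scoped-namespace configuration. Run the audit against your real manifests and a fresh registry lookup to find names that are already taken publicly.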
Google launched Open Source Vulnerabilities (OSV), a database of open source vulnerabilities aimed at both open source maintainers and consumers.
OSV doesn’t replace other vulnerability databases such as CVE but complements them. It aggregates vulnerabilities from different sources and provides an API to fetch information about them and to determine whether a specific version of a package is affected.
Other Interesting News
- With one update, this malicious Android app hijacked millions of devices
- CacheFlow: Malware hidden in popular browser extensions went undetected for years
- Android devices ensnared in DDoS botnet
- PyPI, GitLab dealing with spam attacks
- Cyberpunk 2077 developers held to ransom after cyber-attack, source code theft
- Security firm Stormshield discloses data breach, theft of source code
- Microsoft: Sophisticated cybersecurity threats demand collaborative, global response
- This old security vulnerability left millions of Internet of Things devices vulnerable to attacks
- Plex Media Servers Used to Amplify DDoS Threats
- Magento security: Multiple critical flaws give e-commerce sites ample reason to update
- WordPress security flaws: 800,000 sites running NextGen Gallery plugin potentially vulnerable to pwnage
- Skype ‘spoofing vulnerabilities’ are a haven for social engineering attacks, security researcher claims
- Zoombombing countermeasures are ineffective in the vast majority of cases
- Accellion to retire product at the heart of recent hacks
- Call for comments: European Data Protection Board lays out data breach notification guidelines for organizations
- Software supply chain attacks – everything you need to know