By Anna Hammond
December 18, 2020
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
Remember last week’s FireEye breach? It is now slowly unfolding as a massive global campaign and maybe the most consequential publicly known hack of US government systems.
Add to that “unpatchable” authentication bypass vulnerabilities in Golang, a remote code execution vulnerability in Cisco Jabber, a simple yet effective ransomware campaign targeting MySQL servers, and you have this week’s explosive cybersecurity news!
FireEye Stories: Global Intrusion Campaign Leverages Software Supply Chain Compromise
Last week’s FireEye hack turned out to be just the tip of the iceberg. It is now confirmed as the result of a supply chain attack spread via a trojan named SUNBURST in SolarWinds’ Orion software.
State-sponsored attackers, suspected to be Russia’s APT29 (aka Cozy Bear), injected a backdoor into this software, which was installed by roughly 18,000 SolarWinds customers. The list of compromised systems includes multiple US government systems (the U.S. Department of Homeland Security, the Treasury and Commerce departments, the Pentagon, the US Nuclear Agency…), telecoms, company networks, Microsoft and many more.
The good news is that SolarWinds published a hotfix and a ‘killswitch’ was created to prevent the malware from continuing to operate.
Wormable code-execution flaw in Cisco Jabber has a severity rating of 9.9 out of 10
Cisco rolled out new patches for several critical vulnerabilities in Cisco Jabber. One of them is a Cross-Site Scripting bug that was disclosed in September but not sufficiently mitigated at the time. Installing the new patches is highly recommended as this XSS is wormable, doesn’t require user interaction and can lead to remote code execution.
Zero-day XML mutation flaws in Go programming language can lead to authentication bypass
The Go language’s XML parser has three critical vulnerabilities that can lead to a complete bypass of SAML authentication, but they have no patch. Though the root cause cannot be addressed, some changes are on the way (e.g. deprecating the vulnerable functionality), and the three major open source Go-based SAML implementations affected were patched. The researchers who found these bugs advise anyone who maintains “a Go-based project that relies on XML integrity” to read their findings carefully.
This new ransomware campaign targets MySQL database servers that have weak credentials. Any MySQL server found is brute-forced for credentials, then its database contents are stolen and erased in a typical double-extortion attack. A ransom note is left and the stolen databases are offered for sale. This shows that not all ransomware attacks are targeted: this one is automated, untargeted and simple, yet terribly effective.
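A defender-side check that fits the campaign described above, added here as an example and not part of the original digest: count failed MySQL logins per source host from the server’s error log and flag hosts that try many passwords or many usernames. The log lines are constructed samples in the MySQL 8 error-log format, and the alert threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# MySQL writes one "Access denied" line to its error log per failed login.
# The host is the part after '@' in 'user'@'host'.
ACCESS_DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")

# Constructed sample log lines (not from a real server): one host spraying
# several usernames, plus one ordinary typo from another host.
SAMPLE_LOG = """\
2020-12-18T09:00:01.000000Z 41 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-18T09:00:01.200000Z 42 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-18T09:00:01.400000Z 43 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-18T09:00:01.600000Z 44 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2020-12-18T09:00:01.800000Z 45 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: NO)
2020-12-18T09:00:02.000000Z 46 [Note] [MY-010926] [Server] Access denied for user 'test'@'203.0.113.5' (using password: YES)
2020-12-18T09:03:10.000000Z 47 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-12-18T09:03:12.000000Z 48 [System] [MY-013172] [Server] Received SHUTDOWN from user app. Shutting down mysqld
"""


def failed_logins_by_host(lines):
    """Map each source host to a Counter of usernames it failed to log in as."""
    hosts = defaultdict(Counter)
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            hosts[m.group("host")][m.group("user")] += 1
    return hosts


def suspicious_hosts(lines, threshold=5):
    """Hosts at or above `threshold` failures; many distinct users means spraying."""
    flagged = {}
    for host, users in failed_logins_by_host(lines).items():
        total = sum(users.values())
        if total >= threshold:
            flagged[host] = {"failures": total, "users": sorted(users)}
    return flagged


if __name__ == "__main__":
    for host, info in suspicious_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {info['failures']} failed logins as {info['users']}")
```

On a real server, point this at the error log (or a log forwarder) and treat a flagged host as a signal to check whether the database port is reachable from the Internet at all.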
Report on the 2020 FOSS Contributor Survey
The Internet relies on free and open-source software (FOSS) such as Curl, OpenSSL, OpenSSH, etc. Who are the people behind such critical projects? This report brings insights into their motivations (money is not in the top 3!), the efforts needed to improve the security of FOSS, and concrete actions companies can take to support the development and security of FOSS projects.
Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox
Facebook links APT32, Vietnam’s primary hacking group, to local IT firm
Zero-day in WordPress SMTP plugin abused to reset admin account passwords
PgMiner botnet exploits disputed CVE to hack unsecured PostgreSQL DBs
Subway email weirdness: Suspicion grows over apparent Trickbot trojan delivery campaign
U.S. warns of increased cyberattacks against K-12 distance learning
Academics turn RAM into Wi-Fi cards to steal data from air-gapped systems
Proof-of-concept exploit code published for new Kerberos Bronze Bit attack
Google makes it easier to qualify for higher payouts for Chrome browser engine bugs
Dutch officials say Donald Trump really did protect his Twitter account with MAGA2020! password