Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

Happy holidays to all! This is the last edition of 2020, an already eventful year that ends with a bang. More and more information is emerging about the SolarWinds hack. We hear names like Sunburst, Solorigate, SUPERNOVA, CosmicGale, UNC2452, Dark Halo… Read on to quickly find out what these terms refer to, and what are the latest development in this supply chain attack that seems full of surprises.

Notable Security News

A second hacking group has targeted SolarWinds systems

More information is surfacing everyday about the SolarWinds attacks dubbed Sunburst (or Solorigate). A second threat actor has hacked SolarWinds to plant another unrelated backdoor named SUPERNOVA/CosmicGale. Sunburst hackers also targeted CrowdStrike to create another attack vector but weren’t successful. Security experts have decoded Sunburst’s domain generation algorithm (DGA) and published lists of breached subdomains/organizations. The reason the SolarWinds intrusion was noticed by FireEye is that they used Multi-Factor Authentication.

On the defensive side, CrowdStrike published a free tool to identify and help mitigate risks in Azure Active Directory. TrustedSec shared a response playbook that is a checklist of recommended actions for victims of the SolarWinds backdoor. Qualys is offering a free 60-day service to help patch all vulnerabilities that can be exploited with the stolen FireEye tools. They estimate that more than 7.5 million devices are potentially exposed!

NSA warns of federated login abuse for local-to-cloud attacks

The NSA is warning about two techniques used recently to escalate attacks from on-premise networks to cloud infrastructure, along with technical detection and hardening recommendations. Incidentally, these techniques were used in the SolarWinds hack though it is not explicitly mentioned in this advisory.

A moment of reckoning: the need for a strong and global cybersecurity response

This is an excellent piece by Microsoft’s President on the global state of cyber security in 2020. It goes over how the threats have evolved and which new strategy is needed in the light of recent nation-state attacks such as the SolarWinds hack.

DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors

The threat actors behind the SolarWinds supply chain attack are referred to as UNC2452 (sometimes also Dark Halo). If you’re wondering what UNC groups (or “uncategorized” groups) are, this is an enlightening read on the topic by FireEye.

Unpatched, Unprepared, Unprotected: How Critical Device Vulnerabilities Remain Unaddressed

Despite many warnings by NSA, CISA, FBI and others, “97% of the OT devices impacted by URGENT/11 have not been patched; and 80% of those affected by CDPwn remain unpatched” as Armis found out. Millions of devices (including medical and enterprise devices, ICS and OT systems…) remain at risk months after the disclosure of these vulnerabilities.

Other Interesting News

Cybercrime

• Zero-Click Apple Zero-Day Uncovered in Pegasus Spy Attack

• “Evil mobile emulator farms” used to steal millions from US and EU banks

• Three million users installed 28 malicious Chrome or Edge extensions

• Cyberpunk 2077 Headaches Grow: New Spyware Found in Fake Android Download

• Malicious RubyGems packages used in cryptocurrency supply chain attack

• Safe-Inet, Insorg VPN services shut down by law enforcement

Vulnerabilities

• Windows zero-day with bad patch gets new public exploit code

• Bcrypt implementation flaw in Bouncy Castle crypto library laid bare

• Dell Wyse ThinOS flaws allow hacking think clients

• Report: long-standing vulnerabilities threaten 5G Smartphone users

• P2P mobile file transfer apps open to attacks, researchers find

• Signal: Cellebrite claimed to have ‘cracked’ chat app’s encryption & No, Cellebrite cannot ‘break Signal encryption.’

• Weak authentication created backdoor risk for D-Link routers

• Nintendo 3DS digital certificate vulnerability earns researcher $12,000 bug bounty

• Vulnerabilities in Treck TCP/IP stack open the door to DoS, remote code execution exploits

Reports

• FBI’s dark web investigations hampered by inefficiencies, overlapping objectives of different units

• Universities urged to review remote learning software in order to minimize security risks

• Dark Web Pricing Skyrockets for Microsoft RDP Servers, Payment-Card Data

Tech

• IBM Releases Fully Homomorphic Encryption Toolkit for MacOS and iOS; Linux and Android Coming Soon

• Passwords begone: GitHub will ban them next year for authenticating Git operations

• Ad-blocker AdGuard deploys world’s first DNS-over-QUIC resolver

• Let’s Encrypt comes up with workaround for abandonware Android devices

• Firefox continues cracking down on tracking with cache partitioning

• Apple, Google, Microsoft, and Mozilla ban Kazakhstan’s MitM HTTPS certificate

Misc.

• Microsoft, Google, Cisco, and others file amicus brief in support of Facebook’s NSO lawsuit

• Microsoft and McAfee headline newly-formed ‘Ransomware Task Force’

• Australia proposes Privacy Act 1988 reforms inspired by EU’s GDPR