By Anna Hammond
December 25, 2020
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
Happy holidays to all! This is the last edition of 2020, an already eventful year that ends with a bang. More and more information is emerging about the SolarWinds hack. We hear names like Sunburst, Solorigate, SUPERNOVA, CosmicGale, UNC2452, Dark Halo… Read on to quickly find out what these terms refer to, and what the latest developments are in this supply chain attack that seems full of surprises.
A second hacking group has targeted SolarWinds systems
More information is surfacing every day about the SolarWinds attacks dubbed Sunburst (or Solorigate). A second threat actor has hacked SolarWinds to plant another, unrelated backdoor named SUPERNOVA/CosmicGale. The Sunburst hackers also targeted CrowdStrike to create another attack vector, but weren’t successful. Security experts have decoded Sunburst’s domain generation algorithm (DGA) and published lists of breached subdomains/organizations. The reason the SolarWinds intrusion was noticed by FireEye is that they used Multi-Factor Authentication.
On the defensive side, CrowdStrike published a free tool to identify and help mitigate risks in Azure Active Directory. TrustedSec shared a response playbook that is a checklist of recommended actions for victims of the SolarWinds backdoor. Qualys is offering a free 60-day service to help patch all vulnerabilities that can be exploited with the stolen FireEye tools. They estimate that more than 7.5 million devices are potentially exposed!
NSA warns of federated login abuse for local-to-cloud attacks
The NSA is warning about two techniques used recently to escalate attacks from on-premises networks to cloud infrastructure, along with technical detection and hardening recommendations. Incidentally, these techniques were used in the SolarWinds hack, though the advisory does not explicitly mention it.
A moment of reckoning: the need for a strong and global cybersecurity response
This is an excellent piece by Microsoft’s President on the global state of cybersecurity in 2020. It goes over how the threats have evolved and what new strategy is needed in light of recent nation-state attacks such as the SolarWinds hack.
DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors
The threat actors behind the SolarWinds supply chain attack are referred to as UNC2452 (sometimes also Dark Halo). If you’re wondering what UNC groups (or “uncategorized” groups) are, this is an enlightening read on the topic by FireEye.
Unpatched, Unprepared, Unprotected: How Critical Device Vulnerabilities Remain Unaddressed
Despite many warnings by NSA, CISA, FBI and others, “97% of the OT devices impacted by URGENT/11 have not been patched; and 80% of those affected by CDPwn remain unpatched” as Armis found out. Millions of devices (including medical and enterprise devices, ICS and OT systems…) remain at risk months after the disclosure of these vulnerabilities.
“Evil mobile emulator farms” used to steal millions from US and EU banks
Three million users installed 28 malicious Chrome or Edge extensions
Cyberpunk 2077 Headaches Grow: New Spyware Found in Fake Android Download
Malicious RubyGems packages used in cryptocurrency supply chain attack
Windows zero-day with bad patch gets new public exploit code
Bcrypt implementation flaw in Bouncy Castle crypto library laid bare
Report: long-standing vulnerabilities threaten 5G Smartphone users
P2P mobile file transfer apps open to attacks, researchers find
Signal: Cellebrite claimed to have ‘cracked’ chat app’s encryption & No, Cellebrite cannot ‘break Signal encryption.’
Weak authentication created backdoor risk for D-Link routers
Nintendo 3DS digital certificate vulnerability earns researcher $12,000 bug bounty
Vulnerabilities in Treck TCP/IP stack open the door to DoS, remote code execution exploits
FBI’s dark web investigations hampered by inefficiencies, overlapping objectives of different units
Universities urged to review remote learning software in order to minimize security risks
Dark Web Pricing Skyrockets for Microsoft RDP Servers, Payment-Card Data
IBM Releases Fully Homomorphic Encryption Toolkit for MacOS and iOS; Linux and Android Coming Soon
Passwords begone: GitHub will ban them next year for authenticating Git operations
Ad-blocker AdGuard deploys world’s first DNS-over-QUIC resolver
Let’s Encrypt comes up with workaround for abandonware Android devices
Firefox continues cracking down on tracking with cache partitioning
Apple, Google, Microsoft, and Mozilla ban Kazakhstan’s MitM HTTPS certificate