Security Snacks #14 – Google Titan 2FA keys cloned, Microsoft Exchange’s unpatched RCE & Mimecast supply chain attack

By Anna Hammond

January 15, 2021

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.


This week, we heard of yet another supply chain attack, this one involving Mimecast certificates and Microsoft 365 accounts. Researchers cloned Google Titan keys, a feat that was supposed to be impossible. The now habitual SolarWinds news continues to unfold. Microsoft Office 365 has an unpatched critical vulnerability. And this is not all… Read on for more details!

Intigriti News

Notable Security News

Hackers can clone Google Titan 2FA keys using a side channel in NXP chips

NinjaLab researchers discovered a side-channel vulnerability that allowed them to clone Google Titan 2FA keys. Some Yubico and Feitian devices are also vulnerable. Though the attack is impractical, costly, and requires physical access to the device, it is still a feat, as it shows that extracting secrets from the device is not impossible.

Critical zero-day RCE in Microsoft Office 365 awaits third security patch

Exchange Online has an unpatched Remote Code Execution vulnerability. Steven Seeley reported CVE-2020-16875 to Microsoft, a bug that allowed him to execute commands on Microsoft’s cloud and could have been used by malicious attackers to access millions of corporate email accounts. Microsoft patched it twice, and the researcher came up with a new bypass each time, eventually disclosing the unresolved vulnerability.

Intigriti launches EU-backed bug bounty program for Matrix secure communications tool

As part of the ISA² Sharing and Re-use action, Intigriti launched a new bug bounty program funded by the European Commission for the open source secure communication tool Matrix. The scope includes source code, binaries, and mobile applications of Matrix, with bounties up to € 5,000 plus a possible 20% bonus.

Third malware strain discovered in SolarWinds supply chain attack

Here is the latest we know on the SolarWinds hack:

SolarWinds and CrowdStrike revealed that the SUNBURST backdoor was injected into builds of the Orion Platform, with particular care from attackers to avoid alerting developers of the malicious code added at build time.

Kaspersky found code overlaps between SUNBURST and the Turla APT group. However, this does not mean that Turla is behind SUNBURST as the similarities can be explained in many different ways.

CISA says that the threat actor behind the SolarWinds hack also breached other targets using password guessing and password spraying.

SolarWinds hired Chris Krebs and Alex Stamos to help improve their security.

A site dubbed SolarLeaks claims to sell data stolen in SolarWinds attacks. It is not confirmed whether it is legitimate or a hoax as no proof has been provided.

Mimecast says hackers abused one of its certificates to access Microsoft accounts

Yet another supply chain attack… A “sophisticated threat actor” stole digital certificates from the email management company Mimecast. These allowed attackers to access some clients’ Microsoft 365 accounts. Mimecast is investigating the hack, which Microsoft noticed and reported to them.
