Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

This week, we heard of yet another supply chain attack involving Mimecast certificates and Microsoft 365 accounts. Researchers cloned Google Titan keys, a feat that was supposed to be impossible. The now habitual SolarWinds news are continuing to unfold. Microsoft Office 365 has an unpatched critical vulnerability. And this is not all… Read on for more details!

Intigriti News

Notable Security News

Hackers can clone Google Titan 2FA keys using a side channel in NXP chips

NinjaLab researchers discovered a side-channel vulnerability that allowed them to clone Google Titan 2FA keys. Some Yubico and Feitian devices are also vulnerable. Though the attack is impractical, costly, and requires physical access to the device, it is still a feat as it shows that transferring secrets from the device is not impossible.

Critical zero-day RCE in Microsoft Office 365 awaits third security patch

Exchange Online has an unpatched Remote Code Execution vulnerability. Steven Seeley reported to Microsoft CVE-2020-16875, a bug that allowed him to execute commands on Microsoft’s cloud and could have been used by malicious attackers to access millions of corporate email accounts. Microsoft patched twice and the researcher came up with a new bypass each time, eventually disclosing the unresolved vulnerability.

Intigriti launches EU-backed bug bounty program for Matrix secure communications tool

As part of the ISA² Sharing and Re-use action, Intigriti launched a new bug bounty program funded by the European Commission for the open source secure communication tool Matrix. The scope includes source code, binaries, and mobile applications of Matrix, with bounties up to € 5,000 plus a possible 20% bonus.

Third malware strain discovered in SolarWinds supply chain attack

Here is the latest we know on the SolarWinds hack:

SolarWinds and CrowdStrike revealed that the SUNBURST backdoor was injected into builds of the Orion Platform, with particular care from attackers to avoid alerting developers of the malicious code added at build time.

Kaspersky found code overlaps between SUNBURST and the Turla APT group. However, this does not mean that Turla is behind SUNBURST as the similarities can be explained in many different ways.

CISA says that the threat actor behind the SolarWinds hack also breached other targets using password guessing and password spraying.

SolarWinds Hired Chris Krebs and Alex Stamos to help improve their security.

A site dubbed SolarLeaks claims to sell data stolen in SolarWinds attacks. It is not confirmed whether it is legitimate or a hoax as no proof has been provided.

Mimecast says hackers abused one of its certificates to access Microsoft accounts

Yet another supply chain attack… A “sophisticated threat actor” stole digital certificates from the email management company Mimecast. They allowed attackers to access some clients’ Microsoft 365 account. Mimecast are investigating the hack after Microsoft noticed it and notified them.

Other Interesting News

Cybercrime

• CISA: Hackers bypassed MFA to access cloud service accounts

• Google reveals sophisticated Windows and Android hacking operation

• Some ransomware gangs are going after top execs to pressure companies into paying

• Ryuk ransomware Bitcoin wallets point to $150 million operation

• What happens when a Chrome extension with 2m+ users changes hands, raises red flags, doesn’t document updates? Let’s find out

• Police took down DarkMarket, the world’s largest darknet marketplace

• Ubiquiti urges password reset in response to third-party breach

• Data breach at New Zealand’s Reserve Bank after third-party service hack

• macOS malware used run-only AppleScripts to avoid detection for five years

Vulnerabilities

• Microsoft fixes Defender zero-day in January 2021 Patch Tuesday

• Misconfigurations in Spring Data projects could leave web apps open to abuse

• Windows 10 bug corrupts your hard drive on seeing this file’s icon

• Introducing Malvuln.com – the first website ‘exclusively dedicated’ to revealing security vulnerabilities in malware

Reports

• Adversary Infrastructure Report 2020: A Defender’s View

• December 2020’s Most Wanted Malware: Emotet Returns as Top Malware Threat

Responsible disclosure

• Bug bounty isn’t dying. It’s the future.

Tech

• Browser security briefing: Google and Mozilla lay the groundwork for a ‘post-XSS world’

• Encrypted Client Hello: Upcoming Firefox 85 rollout builds momentum for ESNI successor

• Apple removes feature that allowed its apps to bypass macOS firewalls and VPN

• Microsoft Sysmon adds support for detecting Process Herpaderping attacks

Misc.

• French cybersecurity non-profit Luatix strengthens its open source development capabilities with ANSSI partnership

• Aliens and UFOs: A Final Frontier for Social Engineers