Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

This week in cybersecurity news: A bunch of critical vulnerabilities were found in Cisco products that we may soon see exploited in-the-wild. Attackers could hijack DNS of millions of IoT devices. NSA warns of pitfalls of misusing encrypted DNS. We also take a look back at 2020’s key threats and vulnerabilities, and at new details on the Solorigate attack that are insightful for both offensive and defensive sides of security.

Intigriti News

Notable Security News

DNSpooq lets attackers poison DNS cache records

Researchers disclosed seven vulnerabilities in dnsmaq, a popular open source DNS forwarding sotfare used in products of more than 40 IT vendors. The bugs are tracked as DNSpooq and expose over 1 million devices to a range of attacks such as remote code execution, DNS cache poisoning and denial of service. While vendor are rolling out patches, there are also different mitigations that end-users can put in place themselves.

NSA warns against using DoH inside enterprise networks

The NSA issued recommendations for companies that want to adopt encrypted DNS securely. Though DoH enhances the privacy of home networks, it is not always the best option for enterprise networks. The biggest pitfall is using third-party DNS services which must be avoided even if it means blocking DoH until encryption capabilities are added to the enterprise DNS infrastructure.

Microsoft: This is how the sneaky SolarWinds hackers hid their onward attacks for so long

Microsoft shared interesting new details on techniques used by Solorigate hackers to hide the attack. This includes using unique custom implants, renaming tools to blend into the hacked environment, and separating the components used (the Solorigate DLL backdoor and Cobalt Strike loader) to remain undetected. These advanced techniques show the level of sophistication of the attack and efforts put on evading detection.

In other news, Malwarebytes was also targeted by the same threat actor. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments.

Symantec researchers found that a fourth malware dubbed Raindrop was used to deliver Cobalt Strike and spread the attack to other computers in victims’ networks.

FireEye published an excellent technical paper on four techniques used by Solorigate hackers and other threat actors to move laterally from on-premises networks to the Microsoft 365 cloud. They also released their auditing script, Azure AD Investigator.

Finally, Microsoft shared recommendations on how to protect against sophisticated attacks like Solorigate using Zero Trust principles.

It’s 2021 and you can hijack a Cisco SD-WAN deployment with malicious IP traffic and a buffer overflow. Patch now

Cisco has patched multiple critical vulnerabilities in their SD-WAN products. Unauthenticated attackers can remotely exploit the vulnerabilities to execute arbitrary command on vulnerable devices. Though attacks in the wild haven’t been noticed by Cisco, it is probably just a matter of time.

This advisory comes only a week after another unrelated set of vulnerabilities were disclosed: Bugs that allow authenticated users of Cisco CMX and Cisco AnyConnect to escalate their privileges, as well as arbitrary code execution and denial of service in discontinued Cisco RV routers. The company advises customers to install patches for supported devices and to migrate to more recent supported RV models.

TL;DR: The Tenable Research 2020 Threat Landscape Retrospective

Tenable’s 2020 Threat Landscape Retrospective provides an interesting overview of 2020’s vulnerability and threat landscape, especially considering the eventful year that was 2020. The report is based on public information, events and alert by US government agencies, and goes over the key vulnerabilities / CVEs / Zero-Days and trends in ransomware and breaches.

Other Interesting News

Cybercrime

• A Chinese hacking group is stealing airline passenger details

• Attackers Steal E-Mails, Info from OpenWrt Forum

• Hackers alter stolen regulatory data to sow mistrust in COVID-19 vaccine

• Telegram-based phishing service Classiscam hits European marketplaces

• FBI warns of vishing attacks stealing corporate accounts

• Verified Twitter accounts hacked in $580k ‘Elon Musk’ crypto scam

• Magecart attacks in 2021: Cat-and-mouse game continues between cybercrooks, researchers, law enforcement

• FreakOut malware exploits critical bugs to infect Linux hosts

• Hacker blunder leaves stolen passwords exposed via Google search

Vulnerabilities

• Bugs in Signal, Facebook, Google chat apps let attackers spy on users

• Pwnable Document Format: Windows PDF viewers outperformed by browser, macOS, Linux counterparts

• Automated exploit of critical SAP SolMan vulnerability detected in the wild

• How Law Enforcement Gets Around Your Smartphone’s Encryption

• VoIP vulnerability: CoTURN patches access control protection bypass

• Two kids found a screensaver bypass in Linux Mint

Reports

• Privacy Fines: Total GDPR Sanctions Reach $331 Million

Responsible disclosure

• A security researcher commandeered a country’s expired top-level domain to save it from hackers

• Security researchers earn $50k after exposing critical flaw in Apple travel portal

Tech

• Microsoft Taking Additional Steps to Address Zerologon Flaw

Misc.

• Nintendo uses copyright claims to take down Game & Watch hacking videos

• Iconic BugTraq security mailing list shuts down after 27 years

• Thousands of Users Unknowingly Joined Signal Because of 12-Year-Old’s App