By Anna Hammond
February 5, 2021
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
Supply chain attacks seem to be the new normal. Just this week… 1.6 million US unemployment claims were exposed because of vulnerabilities in legacy software used by the Washington State Auditor’s Office. In parallel to the campaign attributed to Russian state-sponsored hackers, suspected Chinese attackers also targeted SolarWinds to hack a US government agency. And a bug in an encryption library used by GnuPG could have had a serious impact if it weren’t for a Google Project Zero researcher.
Read on for details!
SolarWinds patches vulnerabilities that could allow full system control
Three new vulnerabilities were discovered in SolarWinds products by a Trustwave SpiderLabs researcher. The most serious bug results in unauthenticated remote code execution.
The CISA director announced that 30% of “SolarWinds hack” victims didn’t actually use SolarWinds.
Investigations revealed that independently from the previously disclosed operations, suspected Chinese hackers also exploited SolarWinds vulnerabilities to hack at least one US government agency.
Lastly, members of US Congress are asking the NSA to share what it knows about the 2015 Juniper Networks supply chain attack. They want to know whether an encryption backdoor introduced into Juniper products by the NSA played any role in the hack.
SonicWall fixes actively exploited SMA 100 zero-day vulnerability
SonicWall is warning about a zero-day in its SMA 100 devices, reported by NCC Group and exploited in the wild. The vulnerability allows attackers to gain admin privileges on the device’s management interface and then achieve remote code execution. The good news is that patches are already available.
The Accellion Mess: What Went Wrong?
Several unpatched vulnerabilities in Accellion’s legacy File Transfer Appliance resulted in multiple data breaches. After New Zealand’s Reserve Bank, the latest victim is the Washington State Auditor’s Office. The personal information of 1.6 million people who filed for unemployment benefits was exposed.
Knock, knock. Who’s there? NAT. Nat who? A NAT URL-borne killer
Researchers at Armis developed a new variant of the NAT Slipstreaming attack first disclosed in October by Samy Kamkar. The original attack, triggered by JavaScript running on a malicious site, allowed remote access from the Internet to victims’ machines, bypassing NAT and firewall defenses. NAT Slipstreaming v2 allows access not only to the victim’s device but also to any internal IP on the network. This means that embedded, unmanaged devices like printers or IP cameras could be reached by attackers.
Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code
Google Project Zero’s Tavis Ormandy found a critical heap buffer overflow vulnerability in Libgcrypt, the open-source encryption library used by GnuPG. It leads to remote code execution and is “easily exploitable”.
Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands
Apple Fixes One of the iPhone’s Most Pressing Security Risks
Google funds project to secure Apache web server with new Rust component
Open source: Google wants new rules for developers working on ‘critical’ projects
This Linux malware is hijacking supercomputers across the globe
Spies target gamers with malware inserted into software updates, ESET says
Scams, terror, and national security: Problems with Chinese microloan apps in India
Google: Proper patching would have prevented 25% of all zero-days found in 2020