By Anna Hammond
March 5, 2021
Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.
This week in #SecuritySnacks: Microsoft Exchange Server has four zero-days to urgently patch, the Spectre vulnerability is making a comeback, and JSON parsing and Go packages have risks you probably want to know about if you use them!
Microsoft detected and patched four zero-days that were used to attack on-premises versions of Exchange Server. The attack is attributed “with high confidence” to Hafnium, a Chinese state-sponsored group. It was initially thought to be targeted, but Huntress researchers discovered several victims, indicating that the Microsoft Exchange Server breaches are more widespread than originally thought.
Developers, beware of malicious Go packages! A GitLab security engineer analyzed Go packages available on GitHub and GitLab in light of all the recent supply chain attacks. They concluded that Go is less exposed than other languages and that the recently published “dependency confusion” attack technique isn’t an issue for Go. However, Go is not totally safe from typosquatting attacks, as shown by the seven suspicious packages identified during the research.
First Fully Weaponized Spectre Exploit Discovered Online
A French researcher discovered the first working Spectre exploits (for Windows and Linux) leaked on VirusTotal. They are suspected to be modules for CANVAS, a penetration testing tool by Immunity Inc. This is a reminder to patch against this three-year-old vulnerability before threat actors copy the exploits and adapt them to attack unpatched systems.
Accellion Attack Involved Extensive Reverse Engineering
Following Accellion’s FTA hack, FireEye’s Mandiant was tasked with assessing the software. This is a report of their findings, including technical details on how the attack was performed and its level of sophistication.
On a related note, cybersecurity firm Qualys was also added to the list of victims of the Accellion hack.
Research: How JSON parsers can create security risks when it comes to interoperability
Bishop Fox researchers analyzed 49 JSON parsers and found that for each language, at least one parser had weaknesses that could break business logic or lead to injection vulnerabilities. Knowing about these issues is important for developers and defenders, as parsing inconsistencies are increasingly common across different technologies.
Researchers uncover three more malware strains linked to SolarWinds hackers & SolarWinds security fiasco may have started with simple password blunders
France investigates leak of almost 500,000 medical records, including HIV and fertility status
Search crimes – how the Gootkit gang poisons Google searches
Hackers Tied to Russia’s GRU Targeted the US Grid for Years, Researchers Warn
Microsoft account hijack vulnerability earns bug bounty hunter $50,000
Proof of concept code published for latest Saltstack CVE: Don’t be an update laggard
Hackers release a new jailbreak tool for almost every iPhone
Google patches actively exploited Chrome browser zero-day vulnerability
Hard-coded key vulnerability in Logix PLCs has severity score of 10 out of 10
Google shares PoC exploit for critical Windows 10 Graphics RCE bug
Google: Bad bots are on the attack, and your defence plan is probably wrong (Direct link to the report)
More Zero-Days Have Been Linked to Private Companies Than Any Nation State