Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

The security industry is buzzing about unprecedented attacks and vulnerabilities involving MS Exchange, Azure, Verkada, Cloudflare, Tesla, F5 and others.

Because it can be confusing to keep up when you are already busy, we spent time dissecting all noteworthy news so you won’t have to!

Notable Security News

Everything you need to know about the Microsoft Exchange Server hack

The Hafnium hack initially thought to be targeted turned out to be a large scale attack affecting tens of thousands organizations including the European Banking Authority, Norway parliament and US organizations.

Microsoft’s Patch Tuesday includes patches for the Exchange Server vulnerabilities it used (dubbed ProxyLogon), for Internet Explorer vulnerabilities that were recently used to attack security researchers, and five critical DNS vulnerabilities that lead to Remote Code Execution. This is one of those cases where the emphasis on patching ASAP isn’t just FUD. As a sign, Microsoft even released patches for obsolete versions of Exchange Server and Internet Explorer.

The flaws are actively being exploited by threat actors worldwide. At least 10 APT groups were detected by ESET and more criminals, state-sponsored actors and ransomware groups are expected to join the party.

However, note that patching is not enough. You need to also check if your systems were compromised as recommended by CISA which points to Microsoft’s IOC Detection Tool for Exchange Server Vulnerabilities.

Moreover, a researcher published a Proof of Concept for ProxyLogon on GitHub. It was removed for violating terms of service which stirred a debate amongst industry experts since Microsoft owns GitHub.

New critical vulnerabilities found in F5 devices

F5 announced 21 CVEs including four critical vulnerabilities that attackers can use to remotely take over BIG-IP and BIG-IQ systems. Considering the severity of these flaws, the vendor recommends patching as soon as possible. However, according to security researcher Maria Markstedter, they could’ve been prevented if basic exploit mitigations were used.

Hacktivists access security cameras inside Cloudflare, jails, and hospitals

A group of hacktivists breached the cloud-based camera service Verkada that counts amongst its clients Cloudflare, Tesla, Okta, hospitals, prisons, schools and police stations. The attackers found hardcoded Jenkins credentials that allowed them to access live feeds of more than 150,000 surveillance cameras, and to execute shell commands (as root) on some cameras.

From a defender’s perspective, Okta’s CSO offers an interesting perspective on the cyber attack, including measures Okta took that limited the attack’s impact on their systems.

Hackers Waging ‘Living Off the Land’ Attacks on Azure

Microsoft is warning about Azure “Living off the land Binaries” (LoLBins), a set of techniques attackers use to escalate privileges and evade detection on Azure using only built-in legitimate tools. Microsoft’s article provides guidance to Azure users to understand the threat and how to mitigate it.

Linux community project aims to thwart dependency confusion attacks with easy code signing and verification

It’s not all bad news! The Linux foundation launched “sigstore”, a new project that aims to prevent supply chain attacks involving open source code. It provides certificates and tooling for developers to sign code and users to verify it, just like Let’s Encrypt but for Code Signing.

Other Interesting News

Cybercrime

• Researchers Describe a Second, Separate SolarWinds Attack

• Oh SITA: Airline IT provider confirms passenger data leaked after major ‘cyber-attack’

• ZIPX files that aren’t: Keep a weather eye out for disguised malware in email attachments

• Why Does EternalBlue-Targeting WannaCry Remain at Large?

• Open source software repositories play ‘whack-a-mole’ as ‘dependency confusion’ copycats exceed 5,000

Vulnerabilities

• iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content

• VMware Patches Vulnerability on View Planner

• Remote code execution vulnerability patched in Micro Focus Operations Bridge Reporter

• Git vulnerability could enable remote code execution attacks during clone process

• All mapped out: Researchers uncover hidden flaws in Apple’s offline ‘find my device’ feature

Reports

• Mark of Ransomware’s Success: $370 Million in 2020 Profits

• UK cybersecurity spending on the rise despite pandemic-induced budget cuts

Tech

• Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world

• NSA, CISA issue guidance on Protective DNS services

• Microsoft Edge is dead—long live Microsoft Edge

• Microsoft: We’re cracking down on Excel macro malware

Misc.

• Abuse.ch creator launches ThreatFox, a platform for sharing malware indicators of compromise

• Dispute rages over ModSecurity 3 WAF ‘bypass risk’