Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

As if 2020 wasn’t scary enough, DNS cache poisoning is back from the dead! 123456 is still the most common password. A researcher dropped 12 severe Cisco exploits you need to stop everything and go patch ASAP. A company is offering a bounty to criminals who hacked it, and another one paid a bounty to ethical hackers who helped it find the criminals who hacked it…

Notable Security News

NordPass’s Top 200 most common passwords of the year 2020

NordPass analyzed passwords leaked in recent data breaches and published this list of the 200 most common passwords of 2020. 123456 is disappointingly first, followed by 123456789 then picture1. So, this is that yearly reminder to use a password generator. It is also interesting to see the worst passwords by category (names, sports, random letters…).

Cisco reveals this critical bug in Cisco Security Manager after exploits are posted – patch now

Florian Hauser responsibly disclosed to Cisco 12 vulnerabilities, all unauthenticated and almost all resulting in Remote Code Execution. Since they weren’t patched 120 days later, he published his research. Attackers will probably start using his exploits in the coming days to take control of vulnerable systems. If you are using Cisco Security Manager, you need to patch as soon as possible!

SAD DNS: Researchers pull source code as DNS cache poisoning technique deemed ‘too dangerous’

The DNS cache poisoning attack was discovered in 2008 and fixed, but researchers found a way to bypass mitigations. Attackers can again poison the cache of DNS resolvers and cause them to return a malicious spoofed IP address instead of the real IP of a domain. It is so severe that the source code to reproduce it was pulled after its publication and DNS providers like Cloudflare are working on new mitigations.

Binance awar;ds $200,000 bounty after cyber-attackers indicted in US

A team of unnamed investogators helped Binance identify the cyber criminals behind phishing attacks against its users. So, Binance rewarded them with a $200,000 bounty, plus $50,000 that will be paid after the crooks are in custody. Contemporary bounty hunters, just like bounty hunters of the Old West!

Crypto company offers bounty to hackers that stole $2M – a slap in the face to threat researchers

Akropolis.io, a cryptocurrency company, lost $2 million to cyber criminals. Instead of going to law enforcement, they are now offering a $200,000 bounty to the hackers if they return the stolen funds. A sort of compensation for having found an exploit, except that this is not how bug bounties work! It sets a dangerous precedent for both companies and hackers.

Other Interesting News

Cybercrime

• Cult videogame company Capcom pays a big round $0.00 to ransomware crooks

• Magecart group 12 decloaked thanks to unique ‘Ant and Cockroach’ skimmer

• Origin Dollar cryptocurrency hacked to the tune of $7m less than two months after launch

• Microsoft says hackers backed by Russia and North Korea targeted COVID-19 vaccine makers

• Massive, China-state-funded hack hits companies around the world, report says

Vulnerabilities

• IBM Works With Cisco to Exorcise Ghosts From Webex Meetings

• Citrix patches RCE flaw in SD-WAN Center that could lead to network takeover

• New Platypus attack can steal data from Intel CPUs

Reports

• Play Store identified as main distribution vector for most Android malware

• Ransomware-as-a-service: The pandemic within a pandemic

• Cybercriminal ‘Cloud of Logs’

• Cybersecurity skills gap narrows for the first time

Responsible disclosure

• Binance awards $200,000 bounty after cyber-attackers indicted in US

• CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?

• Meet the hackers who earn millions for saving the web, one bug at a time

Tech

• Experiment reveals differences in secret leak detection on Git code repositories

• Semgrep: Static code analysis tool helps ‘eliminate entire classes of vulnerabilities’

• Firefox 83 introduces HTTPS-Only Mode

• Chrome 87 released with fix for NAT Slipstream attacks, broader FTP deprecation

• Zoom pushes new tools meant to counter ‘Zoombombing’

• Some Apple Apps on macOS Big Sur Bypass Content Filters, VPNs

Misc.

• Microsoft: It’s Time to Hang Up on Phone Transports for Authentication

• Twitter names famed hacker ‘Mudge’ as head of security

• Youtube-dl is Back on Github: ‘Our Priority Is Supporting Open Source’

• Ticketmaster cops £1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal

Intigriti News

Yesterday, our CEO Stijn Jans and Intigriti were chosen as the winner in the Scale-Up category of De Bertjes. Congratulations!