A Review of the Best News of the Week on Cyber Threats & Defense
VMware Flaw a Vector in SolarWinds Breach? (Krebs on Security, Dec 18 2020)
“U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks.”
‘Powerful tradecraft’: how foreign cyber-spies compromised America (Reuters, Dec 21 2020)
Seven government officials have told Reuters they are largely in the dark about what information might have been stolen or manipulated — or what it will take to undo the damage.
3 million users hit with infected Google Chrome and Microsoft Edge extensions (SC Media, Dec 17 2020)
Google Chrome, specifically, accounts for about 70 percent of the browser market share, making its extensions an efficient mechanism for targeting users with malware.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Hackers last year conducted a ‘dry run’ of SolarWinds breach (Yahoo, Dec 19 2020)
Hackers who breached federal agency networks through software made by SolarWinds appear to have conducted a test run of their broad espionage campaign last year, sources with knowledge of the operation said.
Microsoft Confirms Its Network Was Breached With Tainted SolarWinds Updates (Dark Reading, Dec 18 2020)
Attack on thousands of other companies as “moment of reckoning” for governments and industry, company president says.
Microsoft and 40+ Customers Hit in Russian Espionage Attack (Infosecurity Magazine, Dec 18 2020)
Tech firms, not governments, form the largest group of victims
Security experts warn of long-term risk tied to Energy Department breach (SC Media, Dec 21 2020)
The department formally confirmed the hackers’ tentacles had reached into the agency, but that the malware injected had been isolated to its business networks. Some security experts argue, however, that visibility into the IT network may give hackers a path to the OT network.
Former NSA security chief details what’s happening inside DoD to respond to SolarWinds hack (SC Media, Dec 18 2020)
Former NSA Chief Security Officer Chris Kubic, now CSO at Fidelis, spoke with SC Media about what’s happening behind the scenes in the CIO and CISO offices of the Pentagon.
Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’ (Krebs on Security, Dec 16 2020)
“A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.”
NSA on Authentication Hacks (Related to SolarWinds Breach) (Schneier on Security, Dec 18 2020)
The NSA has published an advisory outlining how “malicious cyber actors” are “manipulating trust in federated authentication environments to access protected data in the cloud.” This is related to the SolarWinds hack I have previously written about, and represents one of the techniques the SVR is using once it has gained access to target networks.
US government bans tech exports to top drone maker DJI (Ars Technica, Dec 18 2020)
Chinese smartphone firms Huawei and ZTE have been on the list for several years.
High-risk vulnerabilities discovery increased 65% in 2020 (Help Net Security, Dec 14 2020)
2020 has been a record year for crowdsourced cybersecurity adoption, with enterprises across all industries implementing crowdsourced cybersecurity programs to keep up with the evolving threat landscape. Bugcrowd saw a 50% increase in submissions on its platform in the last 12 months, including a 65% increase in Priority One (P1) submissions, which refer to the most critical security vulnerabilities.
Why Secure Email Gateways Rewrite Links (and Why They Shouldn’t) (Dark Reading, Dec 16 2020)
Redirecting a user to a trusted server buys a secure email gateway company some time while it decides whether a URL is malicious — but there are avoidable drawbacks to this approach.
Attackers Leverage IMAP to Infiltrate Email Accounts (Dark Reading, Dec 16 2020)
Researchers believe cybercriminals are using a tool dubbed Email Appender to directly connect with compromised email accounts via IMAP.
Corporate Credentials for Sale on the Dark Web: How to Protect Employees and Data (Dark Reading, Dec 16 2020)
It’s past time to retire passwords in favor of other methods for authenticating users and securing systems.
A Challenging Exploit: The Contact Form 7 File Upload Vulnerability (Wordfence, Dec 17 2020)
File Upload vulnerability in Contact Form 7 may be difficult to exploit, but you should still update as soon as possible.
FBI Warns of DoppelPaymer Attacks on Critical Infrastructure (Dark Reading, Dec 18 2020)
The operators behind DoppelPaymer have begun calling victims to pressure them into paying ransom, officials say.
Script for detecting vulnerable TCP/IP stacks released (Help Net Security, Dec 21 2020)
Just as ICS-CERT published a new advisory detailing four new vulnerabilities in the Treck TCP/IP stack, Forescout released an open-source tool for detecting whether a network device runs one of the four open-source TCP/IP stacks (and their variations) affected by the Amnesia:33 vulnerabilities.
Disruption in 2020 paves the way for threat actors in 2021 and beyond (Help Net Security, Dec 21 2020)
There’s no doubt that 2020 will be remembered for the uncertainty and rapid change it brought. As the global pandemic accelerated trends like remote working and digital transformation, it has also created new cybersecurity challenges. However, although much of 2020 was unpredictable, it’s still possible to step back and look at infosecurity developments that will point the way forward.
Addressing the Manufacturing Threat Landscape (Infosecurity Magazine, Dec 21 2020)
Connected manufacturing has introduced sophisticated threats to data, IP and operations