A Review of the Best News of the Week on Cyber Threats & Defense

Chinese Supply-Chain Attack on Computer Systems (Schneier on Security, Feb 13 2021)
“Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Lenovo, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.

There’s lots of detail in the article, and I recommend that you read it through.

This is a follow on, with a lot more detail, to a story Bloomberg reported on in fall 2018. I didn’t believe the story back then, writing:

I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

I seem to have been wrong. From the current Bloomberg story:

Mike Quinn, a cybersecurity executive who served in senior roles at Cisco Systems Inc. and Microsoft Corp., said he was briefed about added chips on Supermicro motherboards by officials from the U.S. Air Force….”

Microsoft: web shell attacks have doubled over the past year (SC Media, Feb 12 2021)
While they’re easy for attackers to set up, web shells can be difficult for defenders to detect, since they’re often targeted to specific servers and can hide in the noise of internet traffic, scanning, probing and unsuccessful attacks that most organizations see on a daily basis.

New research reveals who’s targeted by email attacks (Google Cloud Blog, Feb 09 2021)
Every day, we stop more than 100 million harmful emails from reaching Gmail users. Last year, during the peak of the pandemic crisis we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages. Our ML models evolve to understand and filter new threats, and we continue to block more than 99.9% of spam, phishing, and malware from reaching our users.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Fighting Fileless Malware, Part 2: Countermeasures (Dark Reading, Feb 09 2021)
Why do fileless attacks persist? Let’s break down the strengths and weaknesses of the existing mitigations.

U.S. Gov Warning on Water Supply Hack: Get Rid of Windows 7 (SecurityWeek, Feb 12 2021)
On the heels of last week’s lye-poisoning attack against a small water plant in Florida, the U.S. government’s cybersecurity agency is pleading with critical infrastructure defenders to rip-and-replace Windows 7 from their networks as a matter of urgency.

Multivector Attacks Demand Security Controls at the Messaging Level (Dark Reading, Feb 10 2021)
As a Google-identified attack reveals, security teams need to look beyond VPNs and network infrastructure to the channels where social engineering takes place.

Researchers identify 223 vulnerabilities used in recent ransomware attacks (SC Media, Feb 11 2021)
Ransomware groups – and APTs – are leveraging an expanding list of vulnerabilities, misconfigurations and technologies to overwhelm IT security teams.

Microsoft patches actively exploited Windows kernel flaw (WeLiveSecurity, Feb 11 2021)
This month’s relatively humble bundle of security updates fixes 56 vulnerabilities, including a zero-day bug and 11 flaws rated as critical.

A Windows Defender Flaw Lurked Undetected for 12 Years (Wired, Feb 11 2021)
Microsoft has finally patched the bug in its antivirus program after researchers spotted it last fall.

Ransomware Attackers Set Their Sights on SaaS (Dark Reading, Feb 11 2021)
Ransomware has begun to target data-heavy SaaS applications, open source, and Web and application frameworks.

Microsoft Launches Phase 2 Mitigation for Zerologon Flaw (Dark Reading, Feb 11 2021)
The Netlogon remote code execution vulnerability, disclosed last August, has been weaponized by APT groups.

Accellion to retire enterprise file-sharing product targeted in recent attacks (Help Net Security, Feb 12 2021)
U.S.-based cloud solutions company Accellion will soon retire FTA, its legacy enterprise file-sharing solution, vulnerabilities in which have recently been exploited by attackers to breach a variety of organizations, including the Australian Securities and Investments Commission, the Washington State Auditor Office, and Singapore telecom Singtel. What is Accellion FTA? Accellion FTA (File Transfer Appliance) is a file-sharing product that allows organizations to “transfer large and sensitive…

Successful BEC attacks become 56% more costly (Help Net Security, Feb 12 2021)
The number of phishing attacks grew through 2020, fully doubling over the course of the year. Attacks peaked in October 2020, with a high of 225,304 new phishing sites appearing in that month alone, breaking all previous monthly records, according to APWG.

Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing (SecurityWeek, Feb 12 2021)
Improperly generated ISNs (Initial Sequence Numbers) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout.

100+ Financial Services Firms Targeted in Ransom DDoS Attacks in 2020 (Dark Reading, Feb 15 2021)
Consumer banks, exchanges, payment firms, and card issuing companies around the globe were among those hit.

Have we put too much emphasis on protecting the network? (Help Net Security, Feb 15 2021)
Recently, much of the cybersecurity commentary and blogs have talked about new approaches for protecting the network, especially beyond the perimeter. For the past few years, the industry has focused on conditional access (i.e., identity as the new perimeter) and even zero trust. We talk about the perimeter becoming porous and traditional “network” defenses — like firewalls — as no longer being effective.

Copycats emerge after researcher exploits design flaw to breach Microsoft, Apple, Tesla (SC Media, Feb 12 2021)
Pseudonymous authors published more than 150 copycat packages just three days after Sonatype published research around a software supply chain flaw, attempting to exploit the vulnerabilities in the brief window before a patch.

The Untold History of America’s Zero-Day Market (Wired, Feb 14 2021)
The lucrative business of dealing in code vulnerabilities is central to espionage and war planning, which is why brokers never spoke about it—until now.

On Vulnerability-Adjacent Vulnerabilities (Schneier on Security, Feb 15 2021)
“At the virtual Enigma Conference, Google’s Project Zero’s Maggie Stone gave a talk about zero-day exploits in the wild. In it, she talked about how often vendors fix vulnerabilities only to have the attackers tweak their exploits to work again. From a MIT Technology Review article:

Soon after they were spotted, the researchers saw one exploit being used in the wild. Microsoft issued a patch and fixed the flaw, sort of. In September 2019, another similar vulnerability was found being exploited by the same hacking group.”