A Review of the Best News of the Week on Cyber Threats & Defense

Attackers tried to insert backdoor into PHP source code (Help Net Security, Mar 29 2021)
The PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. What happened? “[On Sunday, March 28] two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” developer Nikita Popov explained…

CISA Adds Two Web Shells to Exchange Server Guidance (Dark Reading, Mar 25 2021)
Officials update mitigation steps to include two new Malware Analysis Reports identifying Web shells seen in Exchange Server attacks.

Securing APIs: Modern API Security (Securosis Blog, Mar 29 2021)
“As we started the API Security series, we went through how application architecture evolves and how that’s changing the application attack surface. API Security requires more than traditional application security. Traditional application security tactics like SAST/DAST, WAF, API Gateway, and others are necessary but not sufficient. We need to build on top of the existing structures of application security to protect modern applications.”

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

‘Browser Isolation’ Takes On Entrenched Web Threats (Wired, Mar 23 2021)
Cloudflare says it’s possible to build a version of the notoriously slow and buggy tool without compromising on speed.

Inside the Web Shell Used in the Microsoft Exchange Server Attacks (Dark Reading, Mar 23 2021)
The history and details of China Chopper – a Web shell commonly seen in the widespread Microsoft Exchange Server attacks.

OpenSSL fixes high-severity flaw that allows hackers to crash servers (Ars Technica, Mar 25 2021)
The widely used code library is also purged of a certificate verification bypass.

Hacking Weapons Systems (Schneier on Security, Mar 26 2021)
“Lukasz Olejnik has a good essay on hacking weapons systems.

Basically, there is no reason to believe that software in weapons systems is any more vulnerability free than any other software. So now the question is whether the software can be accessed over the Internet. Increasingly, it is. This is likely to become a bigger problem in the near future. We need to think about future wars where the tech simply doesn’t work.”

CISA Builds Out Defensive Tools for Security Teams (Dark Reading, Mar 29 2021)
Need a tool to hunt for attacks in your network? The DHS agency bolsters the offerings in its open source toolbox.

Microsoft Shares Exchange Server Post-Compromise Attack Activity (Dark Reading, Mar 26 2021)
Microsoft shares the details of post-exploitation attack activity, including multiple ransomware payloads and a cryptocurrency botnet.

No, I Did Not Hack Your MS Exchange Server (Krebs on Security, Mar 28 2021)
“New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name.
Let’s just get this out of the way right now: It wasn’t me.”

Tackling cross-site request forgery (CSRF) on company websites (Help Net Security, Mar 23 2021)
Everyone with half a mind for security will tell you not to click on links in emails, but few people can explain exactly why you shouldn’t do that (they will usually offer a canned ‘hackers can steal your credentials if you do’ explanation). Cross-Site Request Forgery (CSRF) is that reason.

For remote workforces, don’t overlook printer security (SC Media, Mar 23 2021)
Today’s columnist, Eric McCann of Lexmark, advises security pros that they should make locking down remote printers part of their work-from-home strategies.

How to Protect Our Critical Infrastructure From Attack (Dark Reading, Mar 24 2021)
Just how worried should we be about a cyber or physical attack on national infrastructure? Chris Price reports on how the pandemic, the growth of remote working, and IoT are putting assets at risk.

Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins (SecurityWeek, Mar 25 2021)
Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.

FBI Issues Mamba Alert (Infosecurity Magazine, Mar 26 2021)
Feds flag danger of ransomware that weaponizes DiskCryptor

Severe Flaws in Official ‘Facebook for WordPress’ Plugin (SecurityWeek, Mar 26 2021)
A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

Critical Flaw in Jabber for Windows Could Lead to Code Execution (SecurityWeek, Mar 26 2021)
Cisco this week announced the release of software updates that address several vulnerabilities in Jabber for desktop and mobile platforms, the most severe of which could be abused to execute arbitrary code with elevated privileges.

New Code Execution Flaws In Solarwinds Orion Platform (SecurityWeek, Mar 25 2021)
Solarwinds has shipped a major security update to fix at least four documented security vulnerabilities, including a pair of bugs that can be exploited for remote code execution attacks.

More Ransomware Gangs Targeting Vulnerable Exchange Servers (SecurityWeek, Mar 29 2021)
The Black Kingdom/Pydomer ransomware operators have joined the ranks of threat actors targeting the Exchange Server vulnerabilities that Microsoft disclosed in early March.