A Review of the Best News of the Week on Cyber Threats & Defense

How a VPN vulnerability allowed ransomware to disrupt two manufacturing plants (Ars Technica, Apr 07 2021)
The ransomware, known as Cring, came to public attention in a January blog post. It takes hold of networks by exploiting long-patched vulnerabilities in VPNs sold by Fortinet. Tracked as CVE-2018-13379, the directory transversal vulnerability allows unauthenticated attackers to obtain a session file that contains the username and plaintext password for the VPN.

With an initial toehold, a live Cring operator performs reconnaissance and uses a customized version of the Mimikatz tool in an attempt to extract domain administrator credentials stored in server memory. Eventually, the attackers use the Cobalt Strike framework to install Cring. To mask the attack in progress, the hackers disguise the installation files as security software from Kaspersky Lab or other providers.

CISA Launches New Threat Detection Dashboard (Dark Reading, Apr 09 2021)
The tool, called Aviary, is a new dashboard that helps visualize and analyze outputs from CISA’s recently-released Sparrow detection tool.. Sparrow aims to help network defenders detect possible compromised accounts and applications in Azure and Microsoft 365 environments.

Fed Chair Says Cyberattacks Main Risk to US Economy (SecurityWeek, Apr 12 2021)
Federal Reserve chairman Jerome Powell said he was more worried about the risk of a large-scale cyberattack than another financial crisis like that of 2008.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Backdoor Added — But Found — in PHP (Schneier on Security, Apr 09 2021)
Unknown hackers attempted to add a backdoor to the PHP source code. It was two malicious commits, with the subject “fix typo” and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users. But since 79% of the Internet’s websites use PHP, it’s scary.

Ransomware Attacks Grew by 485% in 2020 (Infosecurity Magazine, Apr 06 2021)
Report assesses how cyber-criminals have exploited the COVID-19 crisis

Congress Says Foreign Intel Services Could Abuse Ad Networks for Spying (VICE, Apr 06 2021)
A group of bipartisan lawmakers asked Google, Twitter, and others about the transfer of bidstream data to foreign entities.

SAP applications are getting compromised by skilled attackers (Help Net Security, Apr 07 2021)
Newly provisioned, unprotected SAP applications in cloud environments are getting discovered and compromised in mere hours, Onapsis researchers have found, and vulnerabilities affecting them are being weaponized in less than 72 hours after SAP releases security patches. Internet-exposed systems are more likely to be exploited and compromised, but there are also threats out there that are equipped to compromise SAP systems from the inside, they noted.

Hackers rush to new doc builder that uses Macro-exploit, posing as DocuSign (SC Media, Apr 06 2021)
It’s use in Trickbot and BazarLoader campaigns puts EtterSilent at the front end of attack chains for two of the most popular ransomware precursors in the world.

Hackers Are Exploiting Discord Links to Serve Up Malware (Wired, Apr 07 2021)
Beware of links from platforms that got big during quarantine.

Rethinking Cyberattack Response: Prevention & Preparedness (Dark Reading, Apr 07 2021)
The SolarWinds incident is the starkest reminder yet that complacency can exact a terrible price.

Cloud-native watering hole attack: Simple and potentially devastating (Help Net Security, Apr 08 2021)
In this era of increasing technological complexity, watering hole attacks build on a model of simplicity. Just like predatory animals that hover near sources of water favored by their prey, attackers systematically infect websites likely to be visited by their targets.

Collaboration Platforms Increasingly Abused for Malware Distribution, Data Exfiltration (SecurityWeek, Apr 09 2021)
Threat actors are increasingly abusing collaboration platforms for nefarious purposes, including malware delivery and data exfiltration, security researchers with Cisco’s Talos division report.