News
Hi everyone!
I'm a day late on this one, sorry about that.
Plenty of reading material this week. I had to trim down the breaches section to a "mere" 11 items to keep it somewhat manageable.
Also plenty of news on SolarWinds. If you're into intrusion detection, indicators of compromise (IOC), that sort of jam, definitely check out the articles on the tactics used.
I hope you all have a lovely week!
Breaches and leaks
- Intel: Hackers stole unpublished earnings info from corporate site: link.
- OpenWRT Forum user data stolen in weekend data breach: link.
- Hacker leaks data of millions of Teespring users: link.
- Dutch COVID-19 patient data sold on the criminal underground: link.
- MyFreeCams site hacked to steal info of 2 million paying users: link.
- Hacker leaks data of 2.28 million MeetMindful dating site users: link.
- Bonobos clothing store suffers a data breach, hacker leaks 70GB database: link.
- IObit forums hacked to spread ransomware to its members: link.
- Hacker posts 1.9 million Pixlr user records for free on forum: link.
- Hacker leaks full database of 77 million Nitro PDF user records: link.
- Australian securities regulator discloses security breach: link.
SolarWinds continued
- Malwarebytes said it was hacked by the same group who breached SolarWinds: link.
- Fourth malware strain, dubbed Raindrop, discovered in SolarWinds incident: link.
- Microsoft shares how SolarWinds hackers evaded detection: link.
- FireEye shares tactics used in breaching 365 cloud: link.
- Sunspot malware technical analysis: link.
- FSB warns of US cyberattacks after Biden administration comments: link.
Windows RDP servers are being abused to amplify DDoS attacks
As if RDP wasn't enough of a headache, it is now being used for DDoS amplification attacks, with an amplification factor of 85.9. Servers can only be used for this purpose if they also listen on UDP alongside the standard TCP. Still, apparently there are about 33,000 such servers to be found online.
DNSpooq bugs let attackers hijack DNS on millions of devices
A security firm has disclosed seven vulnerabilities in Dnsmasq, ranging from DoS to cache poisoning and remote code execution. If you run Dnsmasq, you know what to do.
Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data
For the longest time I had the thought that "the best mitigation against ransomware impact is functional backups". This article drives home that that is no longer necessarily the case (although backups are still important :)). Plenty of victims that do have backups still pay up to prevent data leakage. On top of that, some ransomware actors are adding additional pressure by performing DDoS attacks on their victims to force payout.
(Sponsored) Security Risk Management Aide-Mémoire goes online
If you want to learn more about risk management, this is a great place to go. You can find a (free) copy of the book, Security Risk Management Aide-Mémoire, written by Julian Talbot, under 'Where can I get a copy'. You'll also find risk-management-related templates and graphics under the 'Resources' tab. And you can get access to the Security Risk Management SaaS platform SECTARA with a free tier.
SonicWall firewall maker hacked using zero-day in its VPN device
If you use their Secure Mobile Access (SMA) VPN device or their NetExtender VPN client, you had better look into this.
Automated exploit of critical SAP SolMan vulnerability detected in the wild
I don't know much about SAP, but if you run this you should definitely check it out.
VLC Media Player 3.0.12 fixes multiple remote code execution flaws
We all know and probably love VLC. There were a bunch of issues fixed that could allow for RCE when opening a malicious file, so patch up if you need to.
Microsoft Edge and Google Chrome roll out password protection tools
Microsoft Edge will generate alerts if a user password is found in an online leak. Chrome can already do this, but they are making it easier to let the user perform a check for breached or weak passwords.
A Chinese hacking group is stealing airline passenger details
They are specifically out to get Passenger Name Records (PNR), presumably in order to track persons of interest.
Singapore widens security labelling to include all consumer IoT devices
Singapore has a labelling scheme that shows how much security hardening a product has gone through. A system like this, mandatory and deployed in all major markets, is my personal best hope of actually improving our security posture in this area, so every bit of progress is good news in my book.
New website launched to document vulnerabilities in malware strains
This is something you don't see every day: a vulnerability tracker specifically for malware. There's plenty of debate though whether or not this is a good thing to have. It can be used to "hack back", which by itself is controversial, but of course it also tips off the malware authors. You can visit the site itself here.
(Sponsored) 1Password: Awesome password manager with, for me, the best UX
First of all: please use a password manager. Since you're a subscriber here I'm pretty sure you already do, but just in case. Second: if you're not using 1Password yet, give them a try. I've been using them for many years professionally and migrated my personal Vault over two years ago. The experience was super smooth, and I haven't looked back ever since.