News
Hi everyone,
As always, I hope this e-mail finds you well :-)
Thanks to those who gave feedback and/or showed interest in my project! Plenty of work left to do, I'll keep you posted :-)
I would also like to welcome a new sponsor, the appsec testing platform StackHawk. Thank you for the support!
Breaches and leaks
- Global Accellion data breaches linked to Clop ransomware gang: link.
- Transport for NSW confirms data taken in Accellion breach: link.
- Ransomware gang extorts jet maker Bombardier after Accellion breach: link.
- VC giant Sequoia Capital discloses data breach after failed BEC attack: link.
- Ransomware gang hacks Ecuador's largest private bank, Ministry of Finance: link.
- T-Mobile discloses data breach after SIM swapping attacks: link.
- Over 8 million COVID-19 test results leaked online: link.
- Ukraine reports cyber-attack on government document management system: link.
- Ukraine: DDoS attacks on govt sites originated from Russia: link.
- Finnish IT services giant TietoEVRY discloses ransomware attack: link.
Solarwinds continued
- NASA and the FAA were also breached by the SolarWinds hackers: link.
- Microsoft shares CodeQL queries to scan code for SolarWinds-like implants: link.
- Senate hearing on SolarWinds hack lays bare US shortcomings, remaining mysteries: link.
- SolarWinds cybersecurity spending tops $3 million in Q4, sees $20 million to $25 million in 2021: link.
More than 6,700 VMware servers exposed online and vulnerable to major new bug
There's a remote code execution bug in VMware vCenter, exploitable with a single cURL command. Attacks are already underway, so if you run vCenter, please double-check that you're patched.
Google shares PoC exploit for critical Windows 10 Graphics RCE bug
The issue was shared with Microsoft in November and fixed in February. It seems like a pretty serious bug: just visiting a malicious website can cause a crash or even remote code execution. Best make sure you have those updates installed.
Zapcon - conference on security testing tool ZAP
ZAPCon, the first-ever user conference for the open source application security testing tool ZAP, is set to take place March 9, 2021. Over 1,000 attendees are slated to join the virtual event that will be keynoted by ZAP founder and project lead, Simon Bennetts. Get your free ticket! (Sponsored)
Powerhouse VPN products can be abused for large-scale DDoS attacks
These VPN servers run a so-far unidentified service on UDP port 20811 that amplifies packets about 40 times, making it useful for DoS attacks. Good to know if you want to proactively prevent any impact by blocking that port until the vendor fixes the issue.
This botnet is abusing Bitcoin blockchains to stay in the shadows
This is kind of clever and disturbing. When the primary command-and-control servers for this botnet are (inevitably) taken down, the orphaned malware looks at specific Bitcoin transactions in which the botnet operators disclose the backup servers. I suppose it then becomes a cat-and-mouse game of taking down the C2 servers the moment they are published, but the publishing itself can't be suppressed. I wouldn't be surprised if this becomes far more widely used.
Google funds Linux kernel developers to work exclusively on security
A nice read on general security efforts in Linux, and how Google and the Linux Foundation are going to employ two full-time maintainers with a pure focus on security improvements.
Common Nginx misconfigurations that leave your web server open to attack
This seems like a very valuable thing to read through if you're responsible for any Nginx config. Hacker News discussion here.
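As an added illustration of the kind of mistake the linked article covers (this is example config written for this newsletter, not taken from the article or from any real deployment; the paths and location names are made up): the classic "off-by-slash" alias misconfiguration, with the weak form next to the corrected one.

```nginx
# Added example (not from the newsletter or the linked article): the
# "off-by-slash" alias misconfiguration. Paths and names are illustrative.

# Vulnerable: the location prefix has no trailing slash, so it also matches
# URIs such as /static../app.conf. nginx only normalises "/../" segments, and
# "static.." is an ordinary path component, so the request is not cleaned up.
# alias then replaces "/static" with the alias path, producing
# /var/www/static/../app.conf, which escapes the static directory.
location /static {
    alias /var/www/static/;
}

# Fixed: with the trailing slash, only /static/... matches, and a request for
# /static../app.conf no longer reaches this location at all. A request for
# /static/../app.conf is rewritten to /app.conf by nginx's URI normalisation
# before location matching, so it cannot escape either.
location /static/ {
    alias /var/www/static/;
}
```

A quick way to audit an existing server is to dump the effective configuration with `nginx -T` and inspect every `alias` directive whose enclosing prefix `location` does not end in a slash. When testing from the command line, pass the URI with `curl --path-as-is` so the client does not rewrite it before it reaches the server.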
On Chinese-owned technology platforms
Schneier co-authored a report on how to frame risk when dealing with Chinese platforms. I haven't read it yet but it seems interesting. You can find the report itself here.
Opinion | America Has a GPS Problem - The New York Times
A nice high-level article on how vulnerable the GPS system is and what some alternatives might be, such as eLoran.
NSA, Microsoft promote a Zero Trust approach to cybersecurity
The Zero Trust / BeyondCorp approach remains very promising to me, but definitely challenging. I also worry a bit about replacing one single point of failure (the VPN) with another (the authentication engine). Still, it's definitely where we have to move to, hopefully with some nice robust implementations we can all build upon.
A Cyber Threat Intelligence self-study plan: part 1
If you want to dive deeper into CTI (hacker groups, ongoing campaigns, indicators of compromise, all that good stuff), then this post by Katie Nickels feels like a great place to start.
1Password: what to do when you get a data breach notification
A nice post by 1Password on using their built-in Watchtower feature to see if any of the websites you use were in a recent data breach, and what to do if they were. (Sponsored)