I hope this e-mail finds you well :-)
This one is a bit later than usual, but there sure is a lot of interesting news to read up on. Enjoy!
Breaches and leaks
- Popular Codecov code coverage tool hacked to steal dev credentials: link.
- 1.3M Clubhouse users’ data dumped in hacker forum for free: link.
- ParkMobile breach exposes license plate data, mobile numbers of 21M users: link.
- Celsius email system breach leads to phishing attack on customers: link.
- Swinburne University confirms over 5,000 individuals affected in data breach: link.
- Cyberattack on UK university knocks out online learning, Teams and Zoom: link.
- Dutch supermarkets run out of cheese after ransomware attack: link. That explains why I found myself staring at an empty shelve and a piece of paper about "technical issues" this week. Should have known it was ransomware.
- White House formally blames Russian intelligence service for SolarWinds hack, adds sanctions: link.
- SolarWinds hack affected six EU agencies: link.
- US also sanctions cryptocurrency addresses linked to Russian cyberactivities: link.
Exchange hacks continued
- The FBI has undertaken a campaign to actively remove web shells from infected Exchange servers. It's a bold and rather gray-hat move, but I think it makes sense. They do stress that they just removed the web shells, not patch them or remove any other infections like malware: link.
They warn that the Russian SVR is actively exploiting these issues. A high-level version of the list:
- Fortinet FortiOS
- Synacor Zimbra Collaboration Suite
- Pulse Connect Secure
- Citrix ADC and Gateway
- VMware One Access, Identity Manager, Cloud Foundation, Vrealize Suite
It's so unsurprising that it's almost boring, but here's yet another set of issues found in IoT TCP/IP stacks that will impacts hundreds of millions of devices. This set deals specifically with how the stacks deal with DNS traffic.
Speaking of IoT, the Internet of Secure Things Alliance (ioXt) launched a new security certification program for mobile apps and VPN's, backed by the likes of Google and Amazon. Assuming that buyers will start caring about these (or that governments make them mandatory, probably more likely), these are probably one of the better bets at making progress.
A security researcher has published details about a zero-day vulnerability impacting Chromium-based browsers. It was the exploit that was used during Pwn2Own last week, and they reverse-engineered it based on the patches that were seen being submitted to Chromium.
It highlights a well known issue where attackers can learn about new exploits from upstream patch efforts, before the patch makes it into browsers itself. It's a tricky situation.
A second Chromium zero day was dropped a few days later: link. Fortunately, both do require a sandbox escape to be weaponised.
That sure is a lot, holy crap. Most of them are designated as UNC (uncategorised). Quite a few are FINs (financially motivated) or APTs (nation-state sponsored). There were also 500 new malware familiies discovered. Interesting to see that the top five of most encountered "malware" strains aren't malware at all but legit tools: Beacon, Empire and Metasploit. Worth sharing with your intrusion detection people.
Speaking of IDS: Uptycs have been a bit of a revelation to me. Instead of ingesting logfiles and asking you to write IDS rules in a custom query language, they leverage osquery to expose your entire infrastructure as SQL. Everything you want to know or alert on is just as straight forward as querying a database. It's fantastic. (Sponsored)
The package was called "web-browserify", imitating the popular Browserify library. It was downloaded 50 times before being taken down.
Where usually they'd publicly disclose as soon as the patch came out (or after 90 days) they'll now add 30 days so that end-users have enough time to patch everything on their end.
Nice write-up of how IceID is trying to fill the void that Emotet has left behind.
Loosely related: one way how IceID is being spread is by contact form messages, for example by sending legal threats. I hadn't seen those before: link.
After last week's news on adding Rust support to Android, they're now backing the initiative to do the same in the Linux kernel. Not to re-write it all in Rust, mind you, but provide the ability to write new code in Rust and have it work together smoothly with the existing C codebase. Some deeper diving can be done in their own blog post: link.
One of the more awesome features of 1Password Business is the ability to get reports on things like: who has access to which vaults, which devices are authorised, who in your team has 2fa enabled, and even who accessed which item when. Super powerful for forensics and audits. (Sponsored)