OSN February 10, 2021

by | Feb 11, 2021 | Open Source News

Title: Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple

Date Published: February 10, 2021

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Also See: Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

Excerpt: “An ethical hacker has demonstrated a novel supply-chain attack that breached the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools. The attack, devised by security researcher Alex Birsan, injects malicious code into common tools for installing dependencies in developer projects which typically use public depositories from sites like GitHub. The malicious code then uses these dependencies to propagate malware through a targeted company’s internal applications and systems.”

Title: Microsoft Fixes Windows 10 Bug Letting Attackers Trigger BSoD Crashes

Date Published: February 10, 2021

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-bug-letting-attackers-trigger-bsod-crashes/

Excerpt: “Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded. Last month, we reported on a bug in the Windows 10 console multiplexer driver, condrv.sys, that caused a blue screen of death crash (BSOD) when attempting to connect to the following path. When connecting to the device, developers are meant to pass the ‘attach’ extended attribute. However, a lack of error checking allowed you to access the path without the attribute and crash Windows.”

Title: 5 Critical Questions Raised by Water Treatment Facility Hack

Date Published: February 9,  2021

https://www.databreachtoday.com/5-critical-questions-raised-by-water-treatment-facility-hack-a-15955

Excerpt: “The hacker apparently used TeamViewer to gain remote access to the water treatment facility’s network. TeamViewer has long been an attractive target for attackers, because the software can give administrators full, remote access to and control of systems. As a result, if TeamViewer is not properly secured, or a hacker manages to obtain credentials, the intruder can achieve remote control over systems (see: TeamViewer Bolsters Security After Account Takeovers).”

Title: Investor Data Breach ‘Fatigue’ Reduces Wall Street Punishment for Cybersecurity Failures

https://www.zdnet.com/article/investor-data-breach-fatigue-reduces-wall-street-punishment-for-cybersecurity-failures/

Date Published: February 10, 2021

Excerpt: “Over the past decade, the rush to harness data to improve business operations, management, and customer relationships did not occur in tandem with improving cybersecurity hygiene in order to protect this data — and organizations are still courting huge risks to their share prices to this day as a result.  According to IBM’s latest Cost of a Data Breach report, the enterprise sector can expect an average bill of $3.86 million — but in the case of large security incidents involving consumer records, this may rise to up to $392 million — to remedy a breach.”

Title: Credential Theft Attacks Doubled Between 2016 and 2020

Date Published: February 10,  2021

https://www.infosecurity-magazine.com/news/credential-theft-attacks-doubled/

Excerpt: “The number of attacks resulting in large-scale credential theft has almost doubled over the past four years, although the volume of breached login pairs declined, according to F5. The security vendor’s 2021 Credential Stuffing Report warned that although average breach volumes declined from 63 million records in 2016 to 17 million in 2020, poor security practice is driving downstream risk exposure. Perhaps unsurprisingly, plaintext storage of passwords was responsible for by far the greatest number of spilled credentials (43%), followed by unsalted SHA-1 hashed passwords (20%), while discredited hashing algorithm MD5 still remains surprisingly common.”

Title: LodaRAT Windows Malware Now Also Targets Android Devices

Date Published: February 10,  2021

https://thehackernews.com/2021/02/lodarat-windows-malware-now-also.html

Excerpt: “A previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker’s espionage motives. “The developers of LodaRAT have added Android as a targeted platform,” Cisco Talos researchers said in a Tuesday analysis. “A new iteration of LodaRAT for Windows has been identified with improved sound recording capabilities”.”

Title: Apple Patches 10-Year-Old macOS SUDO Root Privilege Escalation Bug

Date Published: February 10,  2021

https://thehackernews.com/2021/02/apple-patches-10-year-old-macos-sudo.html

Excerpt: “The vulnerability, which was introduced in the code back in July 2011, impacts sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1.9.0 through 1.9.5p1, following which the maintainers released 1.8.32 and 1.9.5p2 to resolve the issue. While the weakness can only be exploited by an attacker already having access to a vulnerable host, the barrier could be easily bypassed by planting malware on a device or brute-forcing a low-privileged service account.”

Title: Zero-Day and Six Publicly Disclosed CVEs Fixed by Microsoft

Date Published: February 10,  2021

https://www.infosecurity-magazine.com/news/zeroday-six-publicly-disclosed/

Excerpt: “Microsoft has fixed 56 CVEs as part of this month’s Patch Tuesday, including several already publicly disclosed and one zero-day being actively exploited in the wild. Although the workload is relatively light for sysadmins this month, there’s plenty to be concerned about. The zero-day is CVE-2021-1732, a Windows Win32k.sys elevation of privilege vulnerability affecting Windows 10 and Windows Server 2019. Although rated as “important” rather than critical by Microsoft, its active exploitation should push it up to the top of the priority list.”

Title: North Korean Attacks on Crypto Exchanges Reportedly Netted $316m in Two Years

Date Published: February 10,  2021

https://www.theregister.com/2021/02/10/north_korea_cryptocurrency/

Excerpt: “North Korean attacks on crypto exchanges reportedly netted an estimated $316m in cryptocurrency in 2019 and 2020, according to a report by Japan’s Nikkei. The outlet says it saw that figure in a draft of a United Nations report destined for the desk of the Security Council’s North Korea Sanctions Committee. That Committee’s web page lists numerous reports that mention North Korea’s interest in acquiring cryptocurrency by illegitimate means. The August 2020 interim report [PDF] by the Panel of Experts that monitors North Korea states: “One Member State reported that [North Korean] attacks against virtual currency exchange houses have produced more illicit proceeds than attacks against financial institutions”.”

Title: Huawei Requests US Courts to Overturn Its National Security Threat Designation

Date Published: February 10,  2021

https://www.zdnet.com/article/huawei-requests-us-courts-to-overturn-its-national-security-threat-designation

Excerpt: “Huawei has once again filed a lawsuit against the United States government, this time picking a fight with the Federal Communications Commission (FCC) for its decision to designate the company as a national security threat. According to the legal complaint, Huawei is seeking a review of the designation on the grounds that the execution of the order was beyond the FCC’s scope of powers; violated federal law and the Constitution; arbitrary, capricious, and an abuse of discretion; and not supported by substantial evidence.”