US pins SolarWinds attack on Cozy Bear, boots 10 Russian diplomats
US and UK intelligence agencies have pinned the sprawling SolarWinds attack on Russia’s intelligence service. In a joint advisory posted on Thursday, they urged organizations to patch the five publicly known VPN and cloud vulnerabilities that are being actively exploited by Russia’s Cozy Bear advanced persistent threat actors, a group that security researchers also refer to as APT29 and The Dukes. The vulnerabilities are in VPN and cloud products from Fortinet, Synacor, Pulse Secure, Citrix and VMware. President Biden also issued new sanctions, including expelling 10 diplomats, and blamed Russia for trying to undermine free elections in the US. The Kremlin threatened to retaliate for what it called “illegal” sanctions.
(ZDNet) (Bleeping Computer) (The Hill)
Second Google Chromium zero-day released on Twitter this week
Yet another Chromium zero-day remote code execution exploit has been released on Twitter this week. On Wednesday, a security researcher known as frust shared a proof of concept that causes the Windows Notepad application to open. The new zero-day comes only a day after Google released a patch for another Chromium zero-day that was publicly released on Monday. Both zero-days were released following the Pwn2Own ethical hacking contest, which was held online last week. As we reported a week ago, Pwn2Own contestants took over Windows 10 three separate times, dismantled Google Chrome and the Chromium-based Microsoft Edge web browsers, and successfully owned Zoom Messenger.
Google rolls out Chrome 90 with HTTPS by default
Chrome 90 arrived a day late, likely because the new, more-secure-by-default browser is sporting fixes for 37 security bugs, including the zero-day used at Pwn2Own on Friday and publicly released on Monday. The privacy update automatically upgrades a URL to HTTPS when it’s available. Chrome 90 also brings the first on/off controls for Google’s Privacy Sandbox, which includes Google’s controversial FLoC identifier replacement for third-party cookies. As we reported earlier in the week, FLoC has been disabled by rival browsers including DuckDuckGo, Brave and Vivaldi.
(ZDNet)
Whistleblower: Facebook left up fake accounts for Indian politician
A former data scientist for Facebook who uncovered a network of fake accounts has turned whistleblower, accusing the company of using a double standard when it comes to enforcing rules against the powerful. According to documents viewed by The Guardian and by the scientist, Sophie Zhang, Facebook had planned to remove fake accounts in India until it realized that an MP for the ruling party was probably involved. Facebook left up the accounts, which were used to pump up the politician’s popularity, for months after the problem came to its attention. This is just one of multiple examples Zhang has uncovered of how the company has failed to address how its platform is used to manipulate political discourse around the world.
(The Guardian)
Thanks to our episode sponsor, Sonatype

WhatsApp status indicator is a boon to cyberstalkers
When you open up WhatsApp, your status flickers to “online.” It’s public information. Traced, which markets a tool that scans mobile apps and observes what they do, checked out WhatsApp status trackers and found that if you simply enter the mobile phone number of a WhatsApp user, these trackers provide the exact date and time they opened the app. Some trackers take it further by enabling cross-referencing with a second phone number, so that tracker-app users—stalkers, in other words—can see how often multiple people have messaged each other. Unfortunately, there’s no way to turn off WhatsApp’s status broadcaster, a situation that the EFF has called “sloppy” work on the part of WhatsApp.
(Traced)
Threat actors poison the web with 100,000 booby-trapped PDFs
Researchers from eSentire discovered the huge cache of unique web pages, which contain popular business terms or keywords such as template, invoice, receipt, questionnaire, and resume. Those terms pump up the pages’ rankings in search results, which increases the likelihood that the malicious files will be opened and that they’ll successfully unleash a remote access Trojan, or RAT. Once a RAT has been installed on a victim’s computer, the threat actors can send commands and upload additional malware, such as ransomware, a credential stealer, or a banking Trojan, eSentire said. Alternatively, the RAT can be used as a foothold into a victim’s network. The RAT in question is called SolarMarker, aka Yellow Cockatoo, Jupyter, and Polazert.
The top 3 most common cloud attacks & how to stop them
This opinion piece is a good read for businesses that use Amazon Web Services, Azure, or Google Cloud Platform. Problem numero uno: misconfiguration of storage buckets. There are many publicly published attack tools, most of which rely on the fact that storage buckets are easily enumerated and often have unintentionally lax access policies. Problem numero dos: metadata service exploitation through server-side request forgery (SSRF), which allows attackers to force the server to submit a web request on their behalf, in this case to the cloud provider’s instance metadata endpoint, which can hand back temporary credentials. Finally, problem numero tres: credential leakage and overly permissive access. Those risks aren’t exclusively found in the cloud, of course, but in some cases, access keys to cloud environments are unintentionally published with apps or committed in public spots like code repositories and even forum posts.
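As an added illustration of the SSRF-to-metadata problem described above (example code written for this summary, not from the opinion piece), here is a guard a web app can put in front of any "fetch this URL for me" feature. The unguarded version simply hands the user-supplied URL to the HTTP client; the guard below rejects non-HTTP schemes and any destination that resolves to a loopback, private or link-local address, which covers the 169.254.169.254 metadata endpoint. The `resolve` parameter is a hypothetical injection point so the check can be tested without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not the article's code: allowlist-style check for
# server-side URL fetches, blocking the instance metadata service and
# other internal destinations an SSRF would otherwise reach.

ALLOWED_SCHEMES = {"http", "https"}
# Constructed blocklist; add your own internal names as needed.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _resolve(host):
    """Default resolver: every address the hostname maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve=_resolve):
    """Return (ok, reason). `resolve` is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is blocked"
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host!r}"
    for ip in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not _is_public(ip):
            return False, f"{host!r} resolves to non-public {ip}"
    # Caller should connect to the checked address itself (pin it) so a
    # second DNS lookup cannot rebind the name to an internal IP.
    return True, "ok"
```

On the cloud side, requiring the session-token flow of AWS IMDSv2 (`aws ec2 modify-instance-metadata-options --http-tokens required`) blocks the simple GET-based metadata read that most SSRF payloads rely on.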
1-click bug in Telegram, OpenOffice, other popular desktop apps
Insufficient validation of URL input has left multiple popular desktop apps vulnerable to being exploited with a single click, according to researchers at Positive Security. The vulnerabilities could allow an attacker to craft a malicious link pointing to a piece of attack code, resulting in remote code execution. Most of the apps have released patches, but we’re still waiting on fixes in the upcoming versions of OpenOffice, VLC Player and the Xubuntu version of LibreOffice. Make sure to upgrade any of the apps that have already been patched if you use them. The Hacker News has a list that includes Mumble, Dogecoin, Bitcoin Cash and more.
(The Hacker News)