Cyber Security Headlines – April 14, 2021

Chrome zero-day exploit posted on Twitter

A researcher has published working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which he said affects current versions of Google Chrome and potentially other browsers built on the Chromium code base, such as Microsoft Edge. On Monday security researcher Rajvardhan Agarwal tweeted a GitHub link to the exploit code following the Pwn2Own hacking contest held online last week. Pwn2Own rules require that the Chrome security team receive details of the bug so it can be patched as soon as possible, which happened; but that fix has not yet shipped in official stable releases of Chrome, Edge and other Chromium-based browsers, leaving them potentially exposed until it does.

(ThreatPost)

April Patch Tuesday patches 114 bugs including NSA’s two at 9.8 severity

Yesterday, Microsoft released fixes for 114 vulnerabilities in its monthly security update, over half of which could potentially be exploited by attackers for remote code execution. Four new Exchange Server vulnerabilities were fixed, two of them reported by the U.S. National Security Agency (NSA) and rated CVSS 9.8 because they allow pre-authentication code execution without user interaction. Because of the severity of these issues, Microsoft and the NSA have jointly urged immediate deployment of the fixes. Trend Micro's Zero Day Initiative (ZDI) believes these bugs may be wormable between Exchange servers.

(Sophos and Security Week)

Cyberattacks are the number-one threat to the global financial system, Fed chair says

In an interview that aired on CBS's "60 Minutes" on Sunday, Federal Reserve Chairman Jerome Powell said cyberattacks are now the foremost risk to the global financial system, ahead of the lending and liquidity risks that led to the 2008 financial crisis. He cited the example of large firms losing the ability to track payments they are disbursing, which would hamstring the flow of money from one financial institution to another and could shut down sectors or even broad swaths of the financial system. The comments were made in the context of his predictions of a rebounding post-pandemic economy, balanced against the prospect of additional economic hardship from another resurgence of COVID-19.

(CNN)

NAME:WRECK DNS vulnerabilities affect over 100 million devices

Security researchers on Monday disclosed nine vulnerabilities affecting implementations of the Domain Name System (DNS) protocol in popular TCP/IP network stacks running on at least 100 million devices. Collectively referred to as NAME:WRECK, the flaws could be leveraged to take affected devices offline (denial of service) or to gain control over them (remote code execution). The vulnerable TCP/IP stacks ship in a wide range of products, from high-performance servers and networking equipment to operational technology (OT) systems that monitor and control industrial equipment.

(Naked Security)
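The summary above does not say where the bugs sit; the published NAME:WRECK research attributes them to mishandling of DNS message compression, the RFC 1035 scheme in which a name in a packet is a sequence of length-prefixed labels that may end in a two-byte pointer back to an earlier offset. The following is an added example, not code from the article or from any affected vendor's stack, of a name decoder with the checks such code needs: every length byte and every label must lie inside the packet, a pointer must refer strictly backward and the number of pointer hops is capped (so a crafted packet cannot spin the parser), the decoded name cannot exceed the 255-byte protocol limit, and the caller's output buffer is never overrun. The sample packets are constructed for the example, and the hop limit is an assumed value.

```c
/* Added example (not from the article or any vendor's stack): a bounds-checked
 * decoder for DNS domain names in wire format (RFC 1035 labels plus
 * compression pointers). Every check below corresponds to a way a hostile
 * packet can otherwise drive an embedded stack into a crash or memory
 * corruption: out-of-bounds reads, pointer loops, oversized names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME   255   /* RFC 1035 limit on an encoded name, incl. root */
#define DNS_MAX_LABEL  63    /* RFC 1035 limit on a single label */
#define DNS_MAX_HOPS   16    /* assumption: cap on compression-pointer hops */

/* Decode the name starting at msg[off] into out (dotted, NUL-terminated).
 * Returns the offset just after the name's first occurrence in the message
 * (i.e. where the caller continues reading), or -1 on any malformed input. */
int dns_decode_name(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0, hops = 0, name_bytes = 0;
    int end = -1;                       /* set the first time we leave the stream */

    if (outlen == 0) return -1;
    out[0] = '\0';

    for (;;) {
        if (pos >= len) return -1;      /* length/pointer byte must be in-bounds */
        uint8_t c = msg[pos];

        if ((c & 0xC0) == 0xC0) {       /* compression pointer: 11xxxxxx xxxxxxxx */
            if (pos + 1 >= len) return -1;
            size_t ptr = (size_t)((c & 0x3F) << 8) | msg[pos + 1];
            if (end < 0) end = (int)(pos + 2);
            if (ptr >= pos) return -1;  /* must point strictly backward */
            if (++hops > DNS_MAX_HOPS) return -1;  /* backward chains can still loop */
            pos = ptr;
            continue;
        }
        if (c & 0xC0) return -1;        /* 01/10 label types are not supported */

        if (c == 0) {                   /* root label terminates the name */
            if (end < 0) end = (int)(pos + 1);
            break;
        }
        if (c > DNS_MAX_LABEL) return -1;
        if (pos + 1 + c > len) return -1;          /* label bytes must fit in msg */
        name_bytes += (size_t)c + 1;
        if (name_bytes + 1 > DNS_MAX_NAME) return -1;
        if (outpos + c + 1 >= outlen) return -1;   /* '.' + label + NUL must fit */
        if (outpos > 0) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, c);
        outpos += c;
        out[outpos] = '\0';
        pos += 1 + (size_t)c;
    }
    return end;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_msg[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0xC0, 0x04                       /* offset 17: pointer to "example.com" at 4 */
};
static const uint8_t loop_msg[]      = { 1, 'a', 0xC0, 0x00 };  /* 2 -> 0 -> 2 -> ... */
static const uint8_t truncated_msg[] = { 3, 'w', 'w' };         /* label runs off end */

/* Returns 1 if the decoder behaves as intended on every constructed input. */
int dns_decoder_selfcheck(void)
{
    char buf[256], small[8];
    if (dns_decode_name(sample_msg, sizeof sample_msg, 0, buf, sizeof buf) != 17 ||
        strcmp(buf, "www.example.com") != 0) return 0;
    if (dns_decode_name(sample_msg, sizeof sample_msg, 17, buf, sizeof buf) != 19 ||
        strcmp(buf, "example.com") != 0) return 0;
    if (dns_decode_name(loop_msg, sizeof loop_msg, 2, buf, sizeof buf) != -1) return 0;
    if (dns_decode_name(truncated_msg, sizeof truncated_msg, 0, buf, sizeof buf) != -1) return 0;
    if (dns_decode_name(sample_msg, sizeof sample_msg, 0, small, sizeof small) != -1) return 0;
    return 1;
}

int main(void)
{
    char buf[256];
    int next = dns_decode_name(sample_msg, sizeof sample_msg, 17, buf, sizeof buf);
    printf("decoded \"%s\", next offset %d, selfcheck %s\n",
           buf, next, dns_decoder_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The backward-only rule is not enough on its own: a pointer can legally jump back to a label that is followed by another pointer to the same place, so the hop counter is what guarantees termination. The total-length check matters even when every label is in-bounds, because a chain of pointers can assemble a name far longer than any single copy in the packet.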

Thanks to our episode sponsor, Sonatype

With security concerns around software supply chains ushered to center stage in recent months, organizations around the world are turning to Sonatype as trusted advisors. The company’s Nexus platform offers the only full-spectrum control of the cloud-native software development lifecycle including third-party open source code, first-party source code, infrastructure as code, and containerized code.

Intel partners with DARPA to build ‘state-of-the-art’ security chips

Intel will develop customized chips embedded with novel hardware-based security protections as part of a three-year partnership with the R&D wing of the US Department of Defense (DoD). Under the program, dubbed SAHARA, the chipmaker's agreement with the US Defense Advanced Research Projects Agency (DARPA) will see it develop a specialized version of its Application-Specific Integrated Circuits (ASICs). The agreement comes only a week after Intel struck a separate partnership with DARPA to develop a next-generation form of encryption known as fully homomorphic encryption (FHE). ASICs are silicon chips designed for a single purpose, built to perform one repeated function very efficiently, in contrast to general-purpose CPUs, which can perform a variety of functions but with much less efficiency. Once fabricated, an ASIC cannot be reprogrammed or reconfigured to perform another function.

(source)

Tax season phishing scam adds new twist

In a report by email security firm Armorblox, researchers outline a tax season phishing scam with a twist: the recipient receives a Microsoft OneDrive share notification for a supposed W-2 tax document named '2020_TaxReturn&W2.pdf'. When the recipient enters credentials on the linked login form, the form repeatedly reports that the credentials are incorrect until it finally displays a message saying the service was "Unable to verify your identity." Armorblox researchers believe the repeated failed-login messages are simply a cover: the threat actors capture every attempt while the recipient tries one username and password combination after another, harvesting as many credentials as they can.

(Bleeping Computer)

7 new social engineering tactics threat actors are using now

CSO Online has released a list of seven social engineering techniques on the rise in 2021, compiled from interviews with industry experts. They are: 1. malicious QR codes, 2. abuse of the browser's "allow this site to send you notifications" dialog box, 3. requests to collaborate on projects, often including Visual Studio files, 4. supply chain partner impersonation, including vendor email compromise (VEC) attacks, as happened with SolarWinds, 5. deepfakes using a person's face or voice, 6. fraudulent SMS text messages, and 7. typosquatting or lookalike domains.

(CSO Online)

Hackers use website’s contact forms to deliver IcedID malware

Microsoft has warned organizations of a "unique" attack campaign that abuses the contact forms published on company websites to deliver malicious links to businesses in emails containing fake legal threats. The emails instruct recipients to click a link to review the supposed evidence behind the allegations; the link instead leads to a download of IcedID, a Windows-based banking trojan used to exfiltrate banking credentials that also carries remote command-and-control (C2) features for deploying further payloads, stealing credentials, and moving laterally across affected networks.

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.