To end the year, Microsoft published an update on its findings regarding the impact of the SolarWinds incident on its systems. In this release it emphasizes that neither production services nor customer data were affected by unauthorized access, and that there is no evidence that forged SAML tokens were used to access its own cloud resources or that its infrastructure was used to attack customers. However, Microsoft has revealed that the attackers were able to compromise a limited number of internal accounts, one of which had read permissions on proprietary source code. Through this account, several code repositories were accessed. According to Microsoft’s investigation, no changes were made, as the account did not have the write permissions needed to do so.
Also, on Tuesday, January 5th, the U.S. Department of Justice issued a statement confirming that its systems were breached as a result of the supply chain attack involving SolarWinds Orion software. The internal investigation revealed that the threat actors had moved between network systems, gaining access to the email accounts of about 3% of the department’s employees, more than 3,000 individuals. The agency says that no impact on any classified systems has been detected. On the same day, the FBI, CISA, ODNI and the NSA published a joint statement formally attributing the attack to an APT linked to Russia. Lastly, a recent hypothesis that the project management software TeamCity served as an entry point into SolarWinds’ systems has been discussed in the media. JetBrains, the company that owns the software, has denied these speculations, stating that it is unaware of any investigation into the matter.
Analysis of Malicious C2 Infrastructure in 2020
Recorded Future’s Insikt Group has published the results of its research on the malicious Command and Control (C2) server infrastructure identified through its platforms during 2020. The research offers interesting details, for instance that more than half of the detected servers were not referenced in public sources, and that these servers had an average lifespan of 55 days within the malicious scheme. On the other hand, it also found that the hosting providers where most malicious servers were detected are those with the largest infrastructure, such as Amazon or DigitalOcean, contrary to the common belief that it is the most suspicious hosting providers that host these fraudulent activities. The data also shows a tendency to use open source tools in malware infection operations; among these, Insikt Group points out that offensive security tools such as Cobalt Strike or Metasploit were present on at least a quarter of all the analysed servers. Finally, it should be noted that the researchers link almost all of their findings to APTs or threat actors with strong financial capabilities.
Zyxel Fixes a Critical Vulnerability in its Devices
Network device manufacturer Zyxel has released a security advisory addressing a critical vulnerability in its firmware. The flaw, tracked as CVE-2020-29583 with a CVSS score of 7.8, would allow a threat actor to access vulnerable devices with administrator privileges over SSH, because of an undocumented account (zyfwp) whose password was hardcoded and stored in plaintext in the firmware. The vulnerability lets attackers change the firewall configuration, intercept traffic or create VPN accounts to reach the network where the device is located. The flaw, discovered and reported in December by EYE researchers, affects Zyxel USG, USG FLEX, ATP and VPN devices running firmware version V4.60, as well as the NXC2500 access point controllers running firmware versions between V6.00 and V6.10; all of these are fixed in versions V4.60 Patch1 and V6.10 Patch1 respectively.
More information: https://www.zyxel.com/support/CVE-2020-29583.shtml
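As an added, defender-side example (not code from Zyxel’s advisory or from the original bulletin): a small Python inventory check that parses Zyxel-style firmware version strings, including the "PatchN" suffix, and flags devices that fall inside the affected ranges listed above. The inventory records and the product family names used as keys are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the advisory summary for CVE-2020-29583:
#   USG / USG FLEX / ATP / VPN on V4.60          -> fixed in V4.60 Patch1
#   NXC2500 on V6.00 through V6.10               -> fixed in V6.10 Patch1
FIREWALL_FAMILIES = {"USG", "USG FLEX", "ATP", "VPN"}
AP_CONTROLLER_FAMILIES = {"NXC2500"}

# Accepts "V4.60", "V4.60 Patch1", "v6.10 patch 1" and similar.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'V4.60 Patch1' into (4, 60, 1); a missing Patch suffix counts as patch 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if (product, firmware) is inside an affected range, False if patched or
    outside the range, None when the product is not one the advisory covers."""
    v = parse_version(version)
    family = product.strip().upper()
    if family in FIREWALL_FAMILIES:
        # Only the unpatched V4.60 build is affected; V4.60 Patch1 is the fix.
        return v[:2] == (4, 60) and v[2] < 1
    if family in AP_CONTROLLER_FAMILIES:
        # V6.00 .. V6.10 inclusive, stopping at V6.10 Patch1 (the fixed build).
        return (6, 0, 0) <= v < (6, 10, 1)
    return None


# Constructed sample asset records; these are not real devices.
INVENTORY = [
    {"host": "fw-edge-01", "product": "USG FLEX", "version": "V4.60"},
    {"host": "fw-edge-02", "product": "ATP", "version": "V4.60 Patch1"},
    {"host": "wlc-01", "product": "NXC2500", "version": "V6.05"},
    {"host": "wlc-02", "product": "NXC2500", "version": "V6.10 Patch1"},
    {"host": "sw-core", "product": "OTHER-MODEL", "version": "V2.60"},
]


def affected_hosts(inventory=INVENTORY) -> List[str]:
    """Hosts whose product/firmware pair is inside an affected range."""
    return [d["host"] for d in inventory if is_affected(d["product"], d["version"])]


if __name__ == "__main__":
    for host in affected_hosts():
        print(f"{host}: firmware in affected range, apply the advisory patch")
```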
Remote Code Execution Vulnerability in Zend Framework
Cybersecurity researcher Ling Yizhou has disclosed a deserialization vulnerability in Zend Framework that attackers could exploit to achieve remote code execution on PHP sites. The flaw, tracked as CVE-2021-3007, affects Zend Framework 3.0.0 and could also impact some instances of Zend’s successor, the Laminas Project. A vulnerable application could deserialize and process data received in an unexpected format, which could trigger anything from a denial of service to the attacker executing arbitrary commands in the context of the application.
Google Publishes its Security Bulletin for Android
Google has released the January security update for its Android operating system, which addresses 42 vulnerabilities, including four critical ones. The most severe is CVE-2021-0316, a flaw in the System component that could be exploited to execute code remotely. Another three vulnerabilities addressed in Android’s System component are rated high severity: two elevation of privilege issues and one information disclosure bug. In addition, security patch level 2021-01-01 fixes 15 vulnerabilities in Framework: one critical denial of service (DoS) flaw, eight high-severity elevation of privilege flaws, four high-severity information disclosure issues, one high-severity DoS flaw and one medium-severity remote code execution vulnerability. The second part of the update addresses a total of 19 vulnerabilities in Kernel (three high-severity vulnerabilities), MediaTek (one high-severity vulnerability) and Qualcomm components (six high-severity vulnerabilities). Patches for nine flaws in Qualcomm’s closed-source components (two critical and seven high-severity bugs) are also included in this month’s update set. Finally, a security patch has been released for Pixel devices, addressing another four vulnerabilities.
All the information: https://source.android.com/security/bulletin/pixel/2021-01-01