Sunburst shows code matches with Russian-associated malware
Researchers have found that the Sunburst malware used during the SolarWinds supply chain attack is consistent in its characteristics with Kazuar, a .NET backdoor associated with the Russian cybercriminal group, Turla (also known as Venomous Bear and Waterbug), which specializes in information theft and cyber espionage. These data support the attribution of the compromise to a Russian-linked APT (starting to be called UNC2452 and DarkHalo), confirmed by the FBI, CISA and NSA last week. Crowdstrike investigators, in collaboration with other firms and SolarWinds itself, claim to have identified the entry vector for injecting the malicious code into the Orion software development process. The malware used for this purpose is called Sunspot. It has the ability to monitor running processes to detect those involved in Orion packaging and then inject the Sunburst backdoor into the source code before it has even been read by the compiler.
New Trojan for Android
Hispasec researchers warn of the detection of a new family of banking malware for Android devices. The warning follows the detection last Thursday, January 7, of a sample on the VirusTotal and Koodus platforms, which, according to the researchers, did not appear to belong to any banking malware family already identified. Shortly afterwards, the MalwareHunterTeam account reported this sample, indicating that some forms of antivirus were already detecting it but that they were doing so with generic signatures of banking malware or making reference to families such as Cerberus or Anubis Bankbot. From Hispasec they indicate that they do not observe any relationship with any of these two families. The aim of this new trojan would be, as usual, to steal credentials by activating them as soon as the opening of a banking application is detected on the device. To this end, the malware takes advantage of the accessibility permissions, which requires as soon as the user executes the malware after its installation. The target of the developers of this new malware would be Spanish entities, since most of the affected entities are Spanish, although some German entities would also have been affected to a lesser extent.
Microsoft Security Newsletter
Microsoft has published its monthly security update newsletter for the month of January, in which they have corrected a total of 83 vulnerabilities, including 10 classified as critical and the rest as important. Among the critical vulnerabilities are a 0-day bug (CVE-2021-1647) in remote code execution in the Microsoft Defender antivirus software that is being actively exploited, and a privilege elevation vulnerability (CVE-2021-1648) in the splwow64 service, previously published by Google’s Project Zero team. In addition, it is worth mentioning a security feature omission flaw (CVE-2021-1674) in Windows Remote Desktop and five RCE flaws in Windows Remote Procedure Call Runtime.
Critical flaw in Thunderbird
Mozilla has released a security update that fixes a critical vulnerability (CVE-2020-16044) in Thunderbird and affects all versions previous to the last release. This bug is a use-after-free writing problem resulting from the way cookies are handled in the browser, which is why it does not directly affect the Thunderbird desktop client but can be exploited by different browsers. Eventually, it could allow the attacker to execute malicious code on the affected device. Both CISA and INCIBE have warned of the need to update Thunderbird to the latest version available, which by default is done automatically.
Notices from US agencies
Two of the main US security agencies have published alerts on different issues:
- The US Cybersecurity Agency (CISA) issued a statement (AR21-013A) warning that it was aware of several commitments for corporate cloud services protected by multi-factor authentication (MFA). To gain access, threat actors are using different techniques such as phishing campaigns, brute force attacks and pass-the-cookie attacks, among others. The campaign is part of the situation generated by the COVID-19 where multiple employees combine the use of personal and corporate devices to access business services in the cloud. CISA has also pointed out that these attacks are not linked to the threat agents behind the SolarWinds supply chain compromise.
- The National Security Agency warned about the need to avoid using third-party DNS resolvers to block attempts by threat actors to manipulate DNS traffic. The agency recommends that traffic from a business network, whether encrypted or not, should only be sent to the designated company’s DNS resolution system through its own servers or through external services with built-in support for encrypted DNS requests such as DoH.
- The Cybersecurity and Infrastructure Agency (CISA) last Thursday urged federal agencies to deploy ad-blocking software and standardize the use of web browsers on their computers to prevent malware ads. It also recommended that other agencies consider isolating web browsers from operating systems, as the Department of Defence already does.
All the details: