Security Stack Sheet #114

Word of the Week

“Top Security predictions for 2021”


Geek Comic for December 22nd – The Santa Hack

  • Threat actors will turn home offices into their new criminal hubs
  • The Covid-19 pandemic will upend cybersecurity priorities as it proves to be fertile ground for malicious campaigns
  • Teleworking setups will force organizations to confront hybrid environments and unsustainable security architectures
  • The unprecedented need for contact tracing will have malicious actors directing their attention to users’ gathered data
  • Attackers will quickly weaponize newly disclosed vulnerabilities, leaving users with a narrow window for patching
  • Exposed APIs will be the next favoured attack vector for enterprise breaches
  • Enterprise software and cloud applications used for remote work will be hounded by critical class bugs
  • Automation Drives Tidal Wave of Spear Phishing Campaigns
  • Cloud-Hosting Providers Finally Crack Down on Cyber Abuse
  • Hackers Infest Home Networks With Worms
  • Booby-Trapped Smart Chargers Lead to Smart Car Hacks
  • Users Revolt Over Smart Device Privacy
  • Attackers Swarm VPNs and RDPs as the Remote Workforce Swells
  • Attackers Pinpoint Security Gaps in Legacy Endpoints
  • Every Service Without MFA Will Suffer a Breach
  • Pandemic workforce disruption will drive a greater focus on endpoint security and the zero-trust model
  • Supply chain attacks mean that the bad guys won’t just hack your organization — they’ll hack your stuff
  • Faster-moving digital transformation will include more artificial intelligence in the SOC
  • APT threat actors will buy initial network access from cybercriminals
  • More countries will use legal indictments as part of their cyber-strategy
  • More Silicon Valley companies will take action against zero-day brokers
  • Increased targeting of network appliances
  • The emergence of 5G vulnerabilities
  • Demanding money “with menaces”
  • More disruptive attacks
  • Attackers will continue to exploit the COVID-19 pandemic

Links HERE and HERE and HERE and HERE and HERE

Word of the Week Special

“Cyber reckoning”

A moment of reckoning: the need for a strong and global cybersecurity response

The final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s latest serious nation-state cyberattack. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning.

It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.

cybersecurity chart

The evolving threats

The past 12 months have produced a watershed year with evolving cybersecurity threats on three eye-opening fronts.

The first is the continuing rise in the determination and sophistication of nation-state attacks.

All this is changing because of a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.

There is a third and final sobering development worth noting from what has obviously been a challenging year. This comes from the intersection between cyberattacks and COVID-19 itself.

The vast majority of these victims are US government agencies, such as:

  • The US Treasury Department
  • The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
  • The Department of Health’s National Institutes of Health (NIH)
  • The Cybersecurity and Infrastructure Security Agency (CISA)
  • The Department of Homeland Security (DHS)
  • The US Department of State
  • The National Nuclear Security Administration (NNSA)
  • The US Department of Energy (DOE)
  • Three US states
  • City of Austin

Up to 18,000 SolarWinds customers installed poisoned update that could allow state-sponsored attack

“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks. The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged”

“Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.”

“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging”

Links HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE



Analysing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

Solorigate attack chain diagram


Link HERE – thanks to G



Thread HERE




Crypto challenge of the week

HV20.18 Santa’s lost home – HARD

Santa has forgotten his password and can no longer access his data. While trying to read the hard disk from another computer he also destroyed an important file. To avoid further damage he made a backup of his home partition. Can you help him recover the data?

When asked he said the only thing he remembers is that he used his name in the password… I thought this was something only a real human would do…

Hints: It’s not rock-science, it’s station-science! Use default options.



  • May 25th 2018: Over 2 years of GDPR live! See incidents section below. GDPR Enforce Tracker link HERE – thanks to Marius

Sanctions Explorer


  • 1st January 2020 – The California Consumer Privacy Act (CCPA) became effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit (properly) Finalised?

  • 1st of July 20201 – Freedom from viruses?

Hackers accessed vaccine documents in cyber-attack on EMA

Papers relating to Pfizer/BioNTech vaccine reportedly targeted in attack on European Medicines Agency


  • November 3rd 2020: Trump’s second term start


Trump says the SolarWinds hack is under control — where have we heard that before? - The Verge

  • 20226 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • December 31st, 2020 Flash End-of-Life
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1

Book of the month

Supporting Delivery of Resilient Software, or “The Jenga View of Threat Modelling” by Adam Shostack


Comic of the week

Bruce Plante Cartoon: Russian hack attack | Columnists |

##Some OWASP stuff first

–The Threat Modelling Manifesto – Part 2


–ZAP 2.10.0 – The 10 Year Anniversary Release

As you hopefully already know, ZAP was released on September 6th 2010.

ZAP 2.10.0 has just been released and is now available to download via the Downloads page so we’re treating this as a belated 10 year anniversary release!


–Defence in Depth: Why You Need DAST, SAST, SCA, and Pen Testing


–SSRF Mindmap


–How Password Hashing Algorithms Work and Why You Never Ever Write Your Own


–Building Security In Maturity Model (BSIMM) compared to Software Assurance Maturity Model (SAMM)

“The BSIMM is not a traditional maturity model where a set of activities are repeated at multiple levels of depth and breadth—do something at level 1, do it more at level 2, do it better at level 3, and so on. Instead, the BSIMM comprises a set of unique activities, with activity levels used only to distinguish the relative frequency with which the activities are observed in organizations.

For SAMM, each of the security practices has three defined maturity levels and an implicit starting point at zero. They generally represent:
0) Implicit starting point representing the activities in the practice being unfulfilled
1) Initial understanding and ad-hoc provision of security practice
2) Increase efficiency and/or effectiveness of the security practice
3) Comprehensive mastery of the security practice at scale”


–Portable Data exFiltration: XSS for PDFs


–Demystifying the Server Side


–XS-Leaks Wiki 

Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user. One way of looking at XS-Leaks is to highlight their similarity with cross-site request forgery (CSRF) techniques, with the main difference being that instead of allowing other websites to perform actions on behalf of a user, XS-Leaks can be used to infer information about a user.





Root Causes 136: 2020 Lookback – Quantum Safe Certificates

Quantum Supremacy

Link HERE – thanks to A



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report

NSA urging VMWare patch action

The NCSC is supporting an NSA advisory detailing how Russian state-sponsored actors have been exploiting a vulnerability in VMware® products.

The US’ National Security Agency (NSA) has urged organisations to patch a vulnerability affecting VMware® products.

Leading cyber security firm reports attacks

Earlier this week, cyber security firm FireEye said it had been hacked in what they suspect to be a state-sponsored attack.

The breach was disclosed in a blog post from FireEye’s CEO, Kevin Mandia, in which he stated that hackers stole “red team tools”, which are used to test the defences of its clients.

However, Mr Mandia also confirmed that they have seen no evidence that the attacker exfiltrated data from their primary systems that store customer information.

Alongside the blog, FireEye has also published hundreds of countermeasures to enable the broader security community to protect their organisations and their customers.

Guidance issued as SolarWinds compromised

SolarWinds, a popular IT system management platform, has been compromised and could be used for further attacks on connected systems.

As a result of a cyber attack on their systems, an attacker was able to add a malicious modification to SolarWinds Orion products which allows them to send administrator-level commands to any affected installation. This modification causes the Orion products to connect to an attacker-controlled server to request instructions and does not rely on the attacker being able to directly connect from the internet to the Orion server.

Not all customers who have an installation with the unauthorised, malicious modification will have been seriously affected, but all should take immediate action.

The NCSC has been working closely with international partners as well as FireEye – the cyber security organisation that discovered the compromise. In a statement issued earlier this week, we recommended that organisations ensure any affected instances of SolarWinds Orion are installed behind firewalls disabling internet access (both outbound and inbound) for the instances.

The NCSC has now also published full guidance highlighting immediate actions for all organisations using the SolarWinds Orion suite of IT management tools.

We would also recommend further reading:

  • SolarWinds have published a security advisory on this incident including details of affected software and the vendor’s advice.
  • FireEye has published a blog on its investigation. This includes extensive technical details which may help in investigation of a suspected server compromise.
  • Microsoft has also published a blog on this attack which includes other potential routes for investigation of compromise.
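As an added illustration of the NCSC recommendation above (this is not NCSC’s or SolarWinds’ tooling): a check over firewall log lines that flags any allowed flow between an Orion server and a non-internal address, in either direction, which is exactly what the "no outbound and no inbound internet access" policy should prevent. The Orion host addresses, the log format and the log records are all constructed for the example.

```python
"""Verify that Orion servers have no allowed internet flows, over constructed firewall logs."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed: addresses of the Orion servers in this hypothetical estate.
ORION_HOSTS = {"10.20.0.15", "10.20.0.16"}

# Internal ranges for this estate (RFC 1918, loopback, link-local). Checked explicitly
# rather than via ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed log format: "<ts> <ALLOW|DENY> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample records; public peers use documentation addresses (RFC 5737).
SAMPLE_LOG = """\
2020-12-14T10:01:02Z ALLOW TCP 10.20.0.15:51234 -> 10.20.0.50:1433
2020-12-14T10:01:05Z ALLOW TCP 10.20.0.15:51240 -> 203.0.113.77:443
2020-12-14T10:02:11Z DENY TCP 10.20.0.16:51300 -> 198.51.100.9:443
2020-12-14T10:03:00Z ALLOW TCP 192.0.2.8:40000 -> 10.20.0.16:443
2020-12-14T10:04:30Z ALLOW TCP 10.30.1.4:52000 -> 10.20.0.15:443
this line is not a firewall record
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    direction: str  # "outbound" (Orion -> internet) or "inbound" (internet -> Orion)
    orion_host: str
    peer: str
    port: int


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the estate's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_orion_internet_flows(log_text: str) -> list[Finding]:
    """Return ALLOWed flows between an Orion host and a non-internal address.

    DENY records are skipped: a blocked attempt is what the firewall policy should produce,
    and unparsable lines are ignored rather than treated as evidence either way.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue
        src, dst = m["src"], m["dst"]
        if src in ORION_HOSTS and not is_internal(dst):
            findings.append(Finding(m["ts"], "outbound", src, dst, int(m["dport"])))
        elif dst in ORION_HOSTS and not is_internal(src):
            findings.append(Finding(m["ts"], "inbound", dst, src, int(m["dport"])))
    return findings


def policy_holds(log_text: str) -> bool:
    """True only if no Orion host exchanged allowed traffic with the internet."""
    return not find_orion_internet_flows(log_text)


if __name__ == "__main__":
    for f in find_orion_internet_flows(SAMPLE_LOG):
        print(f"{f.ts} {f.direction:8} orion={f.orion_host} peer={f.peer} port={f.port}")
```

On the sample log the check reports one outbound and one inbound allowed flow, so the policy does not hold; the denied attempt and the internal-only flows are not reported.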

Spotify reset passwords following data breach

Users of the music streaming platform, Spotify, may have had their passwords reset after personal data was exposed to third-party businesses.

Spotify admitted to the breach in a notification to US officials and confirmed that a vulnerability in their systems had now been fixed. The issue had been in place since April, with it only being discovered last month.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 114: SolarWinds and PickPoint breaches, GitHub Code Scanning review, GraphQL security

Breach: SolarWinds

The SolarWinds hack reported this weekend was not API-related as such. It was a supply chain attack in which hackers (likely a state actor) managed to add their backdoor to one of the DLL files of SolarWinds’ IT monitoring and management software, Orion. After a dormant period, the malicious code would contact the command and control (C2) server to get further instructions and execute them. This was in turn used against SolarWinds’ customers, including multiple US government agencies.

What did catch our eye was the API angle to the story:

The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications.

The attackers made an effort to make their traffic look like normal SolarWinds API traffic. This allowed them to mask the activity and avoid getting detected by any anomaly detection systems, such as those based on machine learning or artificial intelligence.



Incidents & events detail

Zero-day exploit used to hack iPhones of Al Jazeera employees


The Great iPwn

Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit


CVE-2020-28360: npm private-ip SSRF Bypass (IP Phone Home)


NSA warns of cloud attacks on authentication mechanisms


Hacking group’s new malware abuses Google and Facebook services


Starbucks Mobile Platform Vulnerability Could Lead To Remote Code Execution


How I hacked Facebook: Part One


Former Cisco engineer sentenced to prison for deleting 16k Webex accounts

Former Cisco engineer accessed Cisco’s AWS accounts and deleted 456 virtual machines, which resulted in the loss of 16k Webex accounts.


“Important, Spoofing” – zero-click, wormable, cross-platform remote code execution in Microsoft Teams

“During an earnings call with investors today, Microsoft CEO Satya Nadella revealed Microsoft Teams now has 115 million daily active users” 2020-10-27

“Security and Microsoft Teams”

“Our commitment to privacy and security in Microsoft Teams”

“In fiscal year 2020, Microsoft Corporation reported a net income of over 44.28 billion U.S. dollars”

Reported critical remote code execution bugs in Microsoft Teams, August 31st, 2020

Microsoft rates them “Important, Spoofing” – one of the lowest in-scope ratings possible, September 30, 2020

A new joke is born, immediately

Microsoft refuses to discuss impact in detail, final decision made on November 19th, 2020

“As for the CVE part, it’s currently Microsoft’s policy to not issue CVEs on products that automatically updates without user’s interaction.”, November 30, 2020

The bugs have been fixed since the end of October, 2020


Research of the week

Security Control Mappings: A Bridge to Threat-Informed Defense

Today, the Center for Threat-Informed Defense (Center) is releasing a set of mappings between MITRE ATT&CK® and NIST Special Publication 800–53 with supporting documentation and resources. These mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT&CK knowledge base, and provide a foundation for integrating ATT&CK-based threat information into the risk management process.


Privilege Management Program – Governance

I can’t recall having seen an overview of a systematized privilege management program. There are lots of great articles on specific authorization management techniques and guidance for identity/access management configuration on-premise and in the cloud. There is also a lot of technical guidance for the implementation of specific policy enforcement mechanisms, but not much on overall enterprise-wide access governance. So, here’s a short post that might be useful.


Hacking AI

A Primer for Policymakers on Machine Learning Cybersecurity

Machine learning systems’ vulnerabilities are pervasive. Hackers and adversaries can easily exploit them. As such, managing the risks is too large a task for the technology community to handle alone. In this primer, Andrew Lohn writes that policymakers must understand the threats well enough to assess the dangers that the United States, its military and intelligence services, and its civilians face when they use machine learning.


Results of the 2020 AWS Container Security Survey

Overall, we notice a positive trend in terms of good practices concerning container security. Almost all key areas, from scanning to policies enjoy positive adoption rate changes compared to 2019. Two things stand out:

There seems to be a decrease of uptake around supply chain management; further investigations are necessary to reveal the underlying reason, that is, if it is related to the survey question or if there’s a deeper underlying reason for this.

The adoption rate for signing container images has not changed and remains around 10% (same as in 2019). We would expect that, with the work around Notary 2, this will change in 2021; we’re contributing to the upstream efforts and looking forward to seeing this topic receive more attention.

Native ECR scanning got 62 responses, followed by using open source Clair in a self-managed setup (21 responses), and open source Trivy self-managed (18). What stands out compared to 2019 is that the number of people responding that they do not (yet) scan their container images dropped from 38% to 24.8%, that’s good progress!


While still some 70% say they do not (yet) scan their containers at runtime, that is, in the context of their container orchestrator such as ECS or EKS, we see some positive trends compared to 2019. First, the number of people not scanning decreased from 83% to 70%, and second, we see CNCF Falco (27 responses), Twistlock (10 responses each for Prisma Cloud and Twistlock Defender), as well as Aqua Security (7 responses) gaining traction.


What we can see in the responses above is that AWS Secrets Manager is leading (78 responses), followed by HashiCorp Vault (59 responses) and AWS Parameter Store (41 responses). The percentage of folks who say they do not encrypt sensitive data decreased slightly from 11% last year to 9.7% this year.


Helping Reach a Zero Trust Network Using an Istio Service Mesh

Link HERE and Envoy HERE

Monitoring & securing AWS with Microsoft

Link HERE and AWS Defence Strategies HERE

Security Kill Chain Stages in a 100K+ Daily Container Environment with Falco


Deep Dive into Site Isolation (Part 1)

Back in 2018, Chrome enabled Site Isolation by default, which mitigates attacks such as UXSS and Spectre. At the time, I was actively participating in the Chrome Vulnerability Reward Program, and I was able to find 10+ bugs in Site Isolation, resulting in $32k in rewards.



Tool of the week

Keeping your GitHub Actions and workflows secure: Preventing pwn requests


How to setup a Canarytoken and receive incident alerts on Azure Sentinel



Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)


How to choose the right API Gateway auth method


Link HERE and Azure to AWS Services comparison HERE

Cloudflare’s privacy-first Web Analytics is now available for everyone


Other interesting articles 

##Security Ratings: Love, Loathe or Live With Them?

Security ratings services tend to be loved or loathed. Loved if you consume them and they make your job easier, especially if you have no other method of assessing the security of organizations that you need to review. Loathed if you’re on the receiving end and have to continuously respond to questions on your rating and deal with the potential inaccuracies. Or, perhaps, you live with them and get some marginal benefit but mostly just tolerate their existence.



##Applying DevSecOps to your software supply chain

Applying DevSecOps means you can have a better understanding of what’s in your supply chain. By using DevSecOps, it should be simpler to manage your dependencies, with a change to a manifest or lockfile easily updating a single artifact in use across multiple teams, and automation of your CI/CD pipeline ensuring that changes developers make quickly end up in production.



##Analysis of the RECON/Attack Surface Management Space

  • Attack Surface Management: The overall management of a company’s entire attack surface, whether that’s internal, external, cloud, or legacy/on-prem.
  • Asset Inventory: The creation of an interactive database of all your online assets. Notable players: BitDiscovery, Expanse (Now Palo Alto).
  • Bounty Researcher Tooling: These are sets of tools, or platforms, that help security researchers—especially in the Bug Bounty space—to discover more and better bugs in customer systems.
  • Discovery, Monitoring, and Alerting: These are platforms focused less on maintaining and displaying inventories of discovered systems, but that focus on letting the customer know as fast as possible—via multiple methods—that there is an issue with their attack surface that needs to be fixed.
  • Reporting and Remediation: These are platforms most focused on integration with customer systems so that issues can be routed and fixed internally as quickly as possible, usually through integration with SOAR tools like Swimlane, Demisto, etc.
  • Vulnerability Discovery and Management: These are RECON-oriented platforms that are largely focused around emulating traditional Vulnerability Management platforms, except facing the internet, using discovery techniques, and across the entire stack—including AppSec.



##7 Security Tips for Gamers

Gamers can expect to be prime targets over the holidays as COVID-19 rages on. Here’s some advice on how to keep hackers at bay.



##And finally, The smarter you are, the harder this is

Making methodical decisions can lead to higher-quality outcomes, but the smarter you are, the harder it is to do, according to former poker champ-turned-corporate advisor Annie Duke. “Smart people tend to rely on their intuition more,” says Duke. But she believes trusting your gut is a precarious way to make choices, especially for those who’ve experienced a streak of luck and expect future success. “People in general don’t do enough reflecting on their own decision processes,” says Duke. “They don’t think about the range of potential outcomes, and they definitely don’t look back on their past decisions objectively.”



Can too many brainy people be a dangerous thing?

Some academics argue that unhappy elites lead to political instability.

…enlightened elites can prevent the emergence of political instability in more effective ways. In the early 20th century American reformers raised inheritance taxes to prevent the emergence of a hereditary aristocracy, and engaged in massive trust-busting. Modernising urban-planning systems could lower housing costs, and deregulating labour markets would help create good jobs for “excess” elites. Mr Turchin’s analysis of the structural forces governing societies is an intriguing explanation of political unrest. But cliodynamics need not be destiny.



AppSec Ezine

Must see


Description: Portable Data exFiltration: XSS for PDFs.


Description: Privilege Escalation in Postgresql (CVE-2020-25695).

Links HERE and HERE and credits to HERE


