Security Wrap-Up (April 20th, 2021)

We’re here with another week of security news and updates for you! There’s some great info to be had, so let’s get started -

Google Project Zero cuts bug disclosure timeline to a 30-day grace period
In a new disclosure policy revealed last week, Google Project Zero will give organizations a 30-day grace period to patch zero-day flaws. The goal of this policy change is to encourage faster patch adoption. Project Zero is adjusting its previous approach slightly: if a patch ships within the 90-day window, disclosure of the vulnerability's technical details is now delayed until 30 days after that patch is issued. Moving to this “90+30 model” will allow researchers and the industry as a whole to “decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” explained Project Zero’s Tim Willis in a recent blog post.

Attackers test weak passwords in Purple Fox malware attacks
Weak passwords used over the Windows Server Message Block (SMB) protocol are often part of the attacks that result in the spread of Purple Fox malware, Specops researchers report. Purple Fox traditionally used phishing emails and various privilege escalation exploits to target Internet Explorer and Windows devices. However, starting in late 2020 and early 2021, a new infection vector began to infect Internet-facing Windows devices through SMB password brute force. Specops researchers say they created a global honeypot system to collect information on what these SMB attacks look like and the kind of passwords attackers are using. After analyzing over 250,000 attacks on the SMB protocol over a period of 30 days, they discovered the word “password” was seen in attacks more than 640 times!
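As an added illustration (not code from Specops or from this post), here is the kind of defender-side check a honeypot or log collector could run over SMB failed-logon records: flag a source that piles up failures inside a short window, and tally which passwords are being tried. The log lines, the five-failure threshold and the one-minute window are constructed assumptions; note that only a honeypot records the attempted password, a real domain controller's event log does not.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed SMB (network logon) attempts as a honeypot
# might record them: timestamp, source IP, target account, attempted password.
SAMPLE_LOG = """\
2021-04-12T01:00:01Z 198.51.100.7 Administrator password
2021-04-12T01:00:02Z 198.51.100.7 Administrator Password1
2021-04-12T01:00:03Z 198.51.100.7 Administrator 123456
2021-04-12T01:00:04Z 198.51.100.7 Administrator password123
2021-04-12T01:00:05Z 198.51.100.7 admin password
2021-04-12T01:00:06Z 198.51.100.7 admin admin
2021-04-12T01:02:00Z 203.0.113.9 backup Welcome1
2021-04-12T01:30:00Z 192.0.2.44 jsmith Spring2021!
"""

def parse_attempts(text):
    """Parse one attempt per line into (time, source, account, password)."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, pw = line.split(" ", 3)
        attempts.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, pw))
    return attempts

def brute_force_sources(attempts, threshold=5, window=timedelta(minutes=1)):
    """Return {source: peak failures} for sources that reach `threshold`
    failed logons within any `window`-long interval (sliding window per source)."""
    recent = defaultdict(deque)
    flagged = {}
    for when, src, _, _ in sorted(attempts):
        q = recent[src]
        q.append(when)
        while q and when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def password_stats(attempts, needle="password"):
    """Top three attempted passwords, plus how many attempts contain `needle`
    (case-insensitive), mirroring the kind of count Specops reported."""
    counts = Counter(pw for *_, pw in attempts)
    hits = sum(n for pw, n in counts.items() if needle in pw.lower())
    return counts.most_common(3), hits

if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(attempts))
    print("password stats:", password_stats(attempts))
```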

White House closes SolarWinds, Microsoft Exchange focus groups
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger announced on Monday morning that the White House would be closing its coordinating groups for the SolarWinds and Exchange hacking campaigns. It’s a move that may signal a return to normalcy. Neuberger credited the speed of mitigation to a number of factors, including Microsoft’s efforts to make patching simpler and a DoJ move to hijack malware on privately owned systems.

5 security bugs under active nation-state cyberattack
The NSA is warning that nation-state actors are once again after US assets, this time in a spate of cyberattacks that exploit five vulnerabilities affecting VPN solutions, collaboration-suite software, and virtualization technologies. According to the NSA, the following are under widespread attack in cyber-espionage efforts:

  • CVE-2018-13379: Fortinet FortiGate SSL VPN (path traversal)

  • CVE-2019-9670: Synacor Zimbra Collaboration Suite (XXE)

  • CVE-2019-11510: Pulse Secure Pulse Connect Secure VPN (arbitrary file read)

  • CVE-2019-19781: Citrix Application Delivery Controller and Gateway (directory traversal)

  • CVE-2020-4006: VMware Workspace ONE Access (command injection)

Note: I would highly recommend reading the above link with more details about each of the vulnerabilities. They share a ton of info!

Any news to share on your end? Leave it in the comments below!