Security Wrap-Up (April 6th, 2021)

Welcome to another Security Wrap-Up! This week, we’re covering some more updates from the Ubiquiti saga and some other interesting security updates. Let’s take a look.

Apple Mail zero-click security vulnerability allows email snooping
A zero-click security vulnerability in Apple’s macOS Mail would allow an attacker to add or modify any arbitrary file inside Mail’s sandbox environment, leading to a range of attacks, including mail redirects and the ability to change the victim’s configuration. The bug was patched in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, and macOS 10.15.5, so users should upgrade accordingly. Researcher Mikko Kenttälä discovered the bug (CVE-2020-9922) by sending test messages and tracing the Mail process’s syscalls.

QNAP NAS devices still facing huge number of online attacks
Users are reporting that their QNAP NAS devices are being subjected to brute-force attacks. Late last year, QNAP fixed a cross-site scripting vulnerability, and earlier this year it issued patches to neutralize malware that used QNAP devices to mine cryptocurrency. While those previous attacks exploited software vulnerabilities on the devices, the ongoing campaign exploits human behavior: attackers use simple tools, such as a list of common passwords or a list of previously compromised credentials, to brute-force their way into devices.

80% of global enterprises report firmware cyberattacks
According to a survey from Microsoft, 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets go to firmware security. The study polled 1,000 enterprise security decision-makers in China, Germany, Japan, the UK, and the US. Firmware has become an attractive target for attackers because it is where sensitive information such as credentials and encryption keys is stored in memory, Microsoft explained. That makes it all the more unfortunate that a full 21% of the decision-makers surveyed admitted that their firmware data goes unmonitored today.

Whistleblower claims Ubiquiti Networks data breach was "catastrophic"
A whistleblower involved in the response to a data breach suffered by Ubiquiti Networks has claimed the incident was downplayed and could be described as “catastrophic.” The company said that someone obtained “unauthorized access” to Ubiquiti systems, compromising names, email addresses, and salted/hashed password credentials, along with home addresses and phone numbers where customers had entered that data in the ui.com portal. The whistleblower claimed that the third-party cloud provider explanation was a “fabrication” and that the data breach was “massively downplayed” in an attempt to protect the firm’s stock value.

Any security updates you want to share? Let us know in the comments!