Security Wrap-Up (December 29th, 2020)

Welcome to the last Security Wrap-Up of 2020! I don’t know about you, but I think it’s just about time for 2020 to be over. So let’s get to the news!

Critical Google Docs bug has been patched
Google has patched a bug in its feedback tool which would have allowed attackers to steal screenshots of sensitive Google Docs documents simply by embedding them in a malicious website. The flaw was discovered on July 9th by Sreeram KL. Many of Google’s products, including Google Docs, come with a “Send Feedback” option that lets users submit feedback and optionally include a screenshot. The vulnerability lived within the iframe element that loads content from “feedback.googleusercontent.com” and allowed the attacker to change the frame to an arbitrary external website and hijack Google Docs screenshots that were meant to be uploaded to Google’s servers.

Hackers amp up COVID-19 IP theft attacks
Critical research on COVID-19 is being done across the globe, which means attackers are now looking to the healthcare space as a rich repository of valuable intellectual property (IP). Espionage attacks have recently zeroed in on the COVID-19 vaccine supply chain, and Zebrocy malware continues to be used by hackers in vaccine-related cyberattacks. Unfortunately, with COVID-19 research growing immensely and vaccine supplies increasing, those within the healthcare sector need to be on high alert for cyberattacks.

Vietnam targeted in complex supply chain attack
Hackers have inserted malware inside an app offered for download by the Vietnam Government Certification Authority (VGCA), the government organization that issues digital certificates that can be used to electronically sign official documents. Any Vietnamese citizen, private company, or even other government agency that wants to submit files to the Vietnamese government must sign its documents with a VGCA-compatible digital certificate. Security firm ESET says that between July 23rd and August 5th, the two files contained a backdoor trojan called PhantomNet, also known as Smanager. The malware wasn’t very complex, but was a wireframe for more potent plugins.

Windows zero-day still circulating after faulty fix
A high-severity Windows zero-day that could lead to complete desktop takeover remains dangerous after a “fix” from Microsoft failed to adequately patch it. The local privilege-escalation bug in Windows 8.1 and Windows 10 (CVE-2020-0986) exists in the Print Spooler API. It could allow a local attacker to elevate privileges and execute code in the context of the current user, and it rates 8.3 out of 10 on the CVSS vulnerability-severity scale. The issue remained unpatched for six months, and Microsoft’s June patch was faulty. Microsoft has issued a new CVE, CVE-2020-17008, and researchers expect a patch in January.

Any news you want to share? Leave it in the comments!