HOTTEST

Google has released new details about four zero-day security vulnerabilities that were exploited in the wild earlier this year. Discovered by Google’s Threat Analysis Group (TAG) and Project Zero researchers, the four zero-days were used as part of three targeted malware campaigns that exploited previously unknown flaws in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple’s Safari.
Google’s researchers also noted that 2021 has been a particularly active year for in-the-wild zero-day attacks. So far this year, 33 zero-day exploits used in attacks have been publicly disclosed, 11 more than the total number from 2020. Google attributes some of the uptick in zero-days to greater detection and disclosure efforts, but said the rise is also due to the proliferation of commercial vendors selling access to zero-day vulnerabilities as compared to the early 2010s.

“0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” Google said in a blog post. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise, now they just need resources. Three of the four 0-days that TAG has discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors.”

As for the zero-days discovered by Google, the exploits include CVE-2021-1879 in Safari, CVE-2021-21166 and CVE-2021-30551 in Chrome, and CVE-2021-33742 in Internet Explorer.

With the Safari zero-day campaign, hackers used LinkedIn Messaging to target government officials from western European countries, sending malicious links that directed targets to attacker-controlled domains. If the target clicked on the link from an iOS device, the infected website would initiate the attack via the zero-day.

“This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP,” Google TAG researchers said. “The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.”

Google researchers said the attackers were likely part of a Russian government-backed actor abusing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7). Google’s security team reported the zero-day to Apple, which issued a patch on March 26 through an iOS update.

The two Chrome vulnerabilities were renderer remote code execution zero-days and are believed to have been used by the same actor. Both of the zero-days were targeting the latest versions of Chrome on Windows and were delivered as one-time links sent via email to the targets. When a target clicked the link, they were sent to attacker-controlled domains and their device was fingerprinted for information that the attackers used to determine whether or not to deliver the exploit. Google said all of the targets were in Armenia.

With the Internet Explorer vulnerability, Google said its researchers discovered a campaign targeting Armenian users with malicious Office documents that loaded web content within the browser.

“Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” Google said.

Google also published root cause analysis for all four zero-days.

When you think of important open-source projects you almost certainly recall Linux, the Apache Web Server, LibreOffice, and so on. And, that’s true. These are vital, but beneath these are the critical software libraries that empower hundreds of thousands of other programs. These are far less well known. That’s why the Harvard Laboratory for Innovation Science (LISH) and the Linux Foundation’s Open Source Security Foundation (OpenSSF), recently put together a comprehensive survey, Census II of Free and Open Source Software – Application Libraries, of these under-the-hood critical programs.
This is the second such study. The first, 2020’s “Vulnerabilities in the Core,” a preliminary report and Census II of open-source software, focused on the lower-level critical operating system libraries and utilities. This new report aggregates data from over half a million observations of free and open-source (FOSS) libraries used in production applications at thousands of companies.

The data for this report came from the Software Composition Analysis (SCA) scans of the codebases of thousands of companies. This data was provided by Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA.

The purpose of this, besides simply wanting to know which were indeed the most popular open-source application libraries, packages, and components, is to help secure these projects. Until you know what’s important, you can’t know what you need to secure first. For example, the heretofore relatively unknown log4j logging package became a massive security problem when the Log4Shell zero-day was revealed. Jen Easterly, the director of the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), called it “the most serious vulnerability I’ve seen in my decades-long career.” This bug affected tens or hundreds of millions of devices and programs.

Kevin Wang, FOSSA’s Founder and CEO, observed, “The ubiquitous nature of OSS means that severe vulnerabilities — such as Log4Shell — can have a devastating and widespread impact. Mounting a comprehensive defense against supply chain threats starts with establishing strong visibility into software.” Only by understanding our “open source dependencies can we improve transparency and trust in the software supply chain.”

Mike Dolan, the Linux Foundation’s senior vice president of Projects, added, “Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support. Open-source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces.”

This census breaks down the 500 most used FOSS packages in eight different areas. These include different slices of the data, including versioned/version-agnostic, npm/non-npm package manager, and direct/direct and indirect package calls. For example, the top 10 version-agnostic npm JavaScript packages that are called directly are:

1. lodash
2. react
3. axios
4. debug
5. @babel/core
6. express
7. semver
8. uuid
9. react-dom
10. jquery

These, and the other top libraries, need to be closely watched for any security issues. Besides simply listing them, the survey’s authors, from Harvard University, made five overall findings:

1) There’s a need for a standardized naming schema for software components. As it is, the names aren’t random, but there’s not a lot of rhyme or reason to them either.

2) We need to clean up the complexities of package versioning. Can you tell at a glance what version a package is? You can if you work on that program, but if you just use it as a brick in your higher-level software, it can be a mystery.

3) Much of the most widely used FOSS is developed by only a handful of contributors. Everyone knows the XKCD cartoon of a giant software stack that all depends on a single developer in Nebraska. The sad and funny thing about this is that it’s not a joke. We still depend on code that relies on a sole programmer.

4) Improving individual developer account security is becoming critical. With hacking attacks on developers becoming more common, we must protect their accounts like the crown jewels of development they are.

5) Legacy software in the open-source space needs to be cleaned up. Usually, we think of legacy software in terms of that one guy we all know who’s still running Windows XP. But old, crufty code lives on in open-source repositories as well.

That said, while this survey is useful, the work is far from done. More and continuing work needs to be done. All the participants in this report are planning on working on another study. This is only a precursor to more exhaustive studies to come to better understand these critical pillars of our information infrastructure.
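The census slices its data into direct versus indirect dependencies and versioned versus version-agnostic package names, and its second finding is that a consumer often cannot tell which version of a package is actually in use. The script below is an added example, not code from the Census II report, its authors, or any of the data providers; it reads the `packages` map of an npm lockfile (lockfile v2/v3 `package-lock.json`) and produces those same slices for one project, including the case the finding describes: the same package installed at two different versions in one tree. The lockfile contents are constructed sample data, and the function names are this example's own.

```python
"""Inventory an npm project's dependency tree from its package-lock.json.

Added example (not code from the Census II report or its authors). It
reproduces the census's slices for a single project: direct vs. indirect
dependencies, version-agnostic vs. versioned package names, and packages
present at more than one version. The lockfile below is constructed
sample data, not a real project.
"""
import json
from collections import defaultdict

# Constructed sample lockfile (lockfile v3 layout). The root entry "" lists
# the project's direct dependencies; every other key is a node_modules path,
# and a nested node_modules path means a second copy at a different version.
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0", "lodash": "^4.17.21", "debug": "^4.3.0"}},
        "node_modules/express": {"version": "4.18.2", "dependencies": {"debug": "2.6.9", "semver": "^7.0.0"}},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/semver": {"version": "7.5.4"},
        "node_modules/@babel/core": {"version": "7.22.0", "dev": True},
    },
})


def package_name(path):
    """Map a node_modules path to the version-agnostic package name it installs.

    Scoped packages occupy two path segments (node_modules/@babel/core), so
    keep everything after the last 'node_modules' segment.
    """
    segments = path.split("/")
    last_nm = len(segments) - 1 - segments[::-1].index("node_modules")
    return "/".join(segments[last_nm + 1:])


def inventory(lockfile_text):
    """Return the census-style slices of the dependency tree as a dict."""
    lock = json.loads(lockfile_text)
    packages = lock["packages"]
    # Direct dependencies are whatever the root package declares.
    direct = set(packages.get("", {}).get("dependencies", {}))
    # Version-agnostic name -> every version installed somewhere in the tree.
    versions = defaultdict(set)
    for path, meta in packages.items():
        if path == "":
            continue
        versions[package_name(path)].add(meta["version"])
    indirect = set(versions) - direct
    # Finding 2 in practice: one name, several versions, and only the
    # lockfile tells you which copy a given caller resolves to.
    multiple = {name: sorted(v) for name, v in versions.items() if len(v) > 1}
    versioned = sorted(f"{name}@{v}" for name, vs in versions.items() for v in vs)
    return {
        "direct": sorted(direct),
        "indirect": sorted(indirect),
        "version_agnostic": sorted(versions),
        "versioned": versioned,
        "multiple_versions": multiple,
    }


if __name__ == "__main__":
    for key, value in inventory(SAMPLE_LOCKFILE).items():
        print(f"{key}: {value}")
```

Run against a real lockfile by replacing `SAMPLE_LOCKFILE` with the file's contents; the `multiple_versions` entry is the one to review first, since a vulnerability advisory for a package applies to each installed copy separately, and a fix that bumps the direct dependency leaves a nested older copy untouched.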

Microsoft said it identified more than 40 of its customers that installed trojanized versions of the SolarWinds Orion platform and where hackers escalated intrusions with additional, second-stage payloads.
The OS maker said it was able to discover these intrusions using data collected by Microsoft Defender antivirus product, a free antivirus product built into all Windows installations.
Microsoft President Brad Smith said his company is now in the process of notifying all the impacted organizations, 80% of which are located in the United States, with the rest being spread across seven other countries, namely Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE.
While the current list of known victims of the SolarWinds hack mostly includes US government agencies, Smith said the government sector is only a small portion of the victim list, with 44% being IT companies, such as software firms and equipment providers.
The Microsoft President also said the attack is ongoing, with the hackers trying to compromise new companies still, despite the incident being public and actively investigated.
“It’s certain that the number and location of victims will keep growing,” Smith said.
The latest victim on this list is Microsoft itself, which, hours before Smith’s analysis, admitted to having installed a trojanized version of the SolarWinds app inside its own infrastructure. Reuters reported that hackers accessed Microsoft’s internal network, but Microsoft denied that they were able to reach production systems and impact its business customers and end-users.
SolarWinds hack summary and fallout
Five days later, the breadth of the SolarWinds hack continues to grow.
This entire incident began last week when security firm FireEye said that a state-sponsored hacking group accessed its internal network, stole pen-testing tools and tried to access documents on its government contracts.
While investigating the breach, FireEye tracked down the intrusion to a malware-laced version of SolarWinds Orion, a network monitoring tool used inside large enterprise networks.
Notified by FireEye, SolarWinds admitted on Sunday to getting hacked, disclosing that several Orion app updates released between March and June contained a backdoor trojan.
A day later, SolarWinds admitted in SEC documents that around 18,000 customers had installed the trojanized updates, triggering a massive search inside enterprise networks, with IT personnel looking to see if they had installed the malware-laced Orion app version and if second-stage malware payloads were used to escalate attacks.
This proved a cumbersome and difficult task, as the malware, named SUNBURST, or Solorigate, contained a decoupled design between the first and second-stage payloads that made it tricky to determine on what and how many systems the hackers escalated their access.
Nonetheless, on Wednesday, Microsoft took steps to protect users and seized the web domain that the first-stage SUNBURST malware used to report to attackers. Together with GoDaddy and FireEye, Microsoft turned the domain into a kill switch in order to prevent the SUNBURST malware from pinging back to its creators and downloading second-stage payloads.
Nonetheless, companies that had already been infected before this kill switch was set up now need to be discovered.
According to Smith, this number is currently at around 40, but the number will most likely grow as investigators learn more about these second-stage payloads, some of which have been identified by Symantec under the name of Teardrop.
Below is a map showing the current distribution of systems infected with the first-stage SUNBURST malware, per Microsoft Defender telemetry (image: Microsoft).
Smith, who has often called for governments to stop attacking the private sector as part of their cyber-espionage operations, did not attribute the attack to any particular country, but he did criticize the attackers.
“This is not ‘espionage as usual,’ even in the digital age,” Smith said. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”
“In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
Smith called for stronger international rules for dealing with the countries that carry out such reckless attacks.
Reporting from the Washington Post claimed that Russia’s APT29 hacking group is behind the SolarWinds hack, but no government or security firm has backed up the paper’s claim. APT29 has been previously linked by US and Estonian intelligence agencies to the Russian Foreign Intelligence Service (SVR).
While we usually see some of the best gaming deals around the holiday season, Amazon’s annual Prime Day sale is another great opportunity to save big on everything from games and accessories to consoles and PCs. Although you might have to wait until the sale officially kicks off tomorrow to find what you really want, Amazon is offering early deals already, and other retailers like Best Buy

Apple Watch Ultra 3. ZDNET’s key takeaways: Apple’s rugged smartwatch is now available to preorder. The watch gets an additional six hours of battery life for a total of 42 hours of wear. Sleeping with the smartwatch is difficult. If the new Apple Watch Series […]
Internet of Things
Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017
That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way
LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology
The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors