25% of Zero-Days are Variants of Known Vulnerabilities 🩹, Let’s Encrypt’s Major Upgrade 🔐, Attempted Hack on European Internet Registry 🌐

CyberLite Feb 23, 2021

Welcome to all the new CyberLite readers who’ve joined since the last issue! If you haven’t joined them yet, you can get the most impactful news in cybersecurity delivered to you each week by subscribing here.

See a term you don’t understand in this issue? Any word that’s in italics and underlined is explained in a guide that accompanies each issue. Just click on them and you’ll be taken to the guide!

🩹 25% of Zero-Days are Variants of Already Patched Vulnerabilities

Google Project Zero carried out an analysis on zero-day exploits and found that 25% of them were just revised versions of exploits that had previously been fixed. In some cases, malicious actors only needed to tweak a few lines of code to get an exploit working again.

This highlights the issue with developers being incentivized to fix vulnerabilities as fast as possible and move on rather than uncovering and fixing the root cause of the issue. Thorough analysis that searches for variants of new vulnerabilities should be encouraged.

Exploit vs. Vulnerability

  • A vulnerability is a weakness a malicious actor could take advantage of to compromise a resource.
  • An exploit is code malicious actors use to take advantage of a certain vulnerability.

🔐 Let’s Encrypt’s Major Upgrade

Let’s Encrypt are a free certificate authority set up by the Internet Security Research Group that secures nearly 250 million websites. If you haven’t heard of certificate authorities before, here’s a quick explainer I wrote for a recent issue.

This week they announced that they are undergoing an infrastructure upgrade that would allow them to re-issue up to 200 million certificates within 24 hours. This would only be necessary if they experienced a large cyber attack on their systems or found a vulnerability that affected a majority of their certificates; this upgrade would allow them to more easily recover from one of these events.

These upgrades are being funded by donations from companies including Facebook and Amazon Web Services, with hardware being provided by Cisco. This will be a great boon for the security of the open web and showcases some of the awesome collaboration that we see in the security community.

🍎 Apple Releases 2021 Platform Security Guide

As part of Apple’s 2021 Platform Security Guide, it announced the Apple security research device. It’s an iPhone that allows researchers to perform security research on iOS without having to defeat or disable security features that normally prevent research. Apple also announced a whole host of security improvements they’ll be making over the next year.

This is the kind of support that big tech should be giving to security researchers if they want to encourage them to keep searching for vulnerabilities in their products.

🌐 Attempted Hack on European Internet Registry

There was an attempted credential stuffing attack against the regional internet registry RIPE NCC last week. RIPE NCC doesn’t believe that any accounts were compromised, but it’s worth understanding what could’ve happened if they had been and why they were targeted in the first place.

RIPE NCC is responsible for allocating IPv4 and IPv6 addresses for Europe and Western Asia. Each device connected to the internet gets a numerical label called an Internet Protocol address (IP address). IPv4 and IPv6 stand for Internet Protocol Version 4 and Version 6 respectively. Most of the internet uses IPv4 however in November 2019 RIPE ran out of IPv4 addresses as all possible numerical combinations had been issued. This is a problem that has been anticipated for a long time, hence the development of IPv6 which supports 1028 times more addresses than IPv4 does.

High demand for IPv4 addresses has fueled a black market for hijacked respected addresses that hackers can use to launch attacks. If attackers had been able to access RIPE NCC accounts they could have put in requests to transfer addresses to new owners. An attack like this did occur in 2019 when 4.1 million South African IPv4 addresses were transferred to new owners.

🔥 Rapid Fire

Some shorter stories…

💕 Data from the Federal Trade Commission shows that romance scams raked in £304 million last year, up from 50% from 2019. Link.

🌞 Microsoft claims that the SolarWinds attack took more than 1000 engineers to create. Microsoft president Brad Smith branded it the “largest and most sophisticated attack the world has ever seen” on CBSNews 60 minutes. Link.

🎖 The military in Myanmar proposed a cybersecurity bill that would give them access to a user’s data if they were identified as inciting hate or disrupting peace with "fake news", "disinformation, or comments that violated existing laws; so essentially, whenever the military felt like it. This would also make Myanmar an unviable option for off-shore data services as they wouldn't be compliant with international data protection rules. So as well as just being draconian, it would cause economic damage. Link.

💻 The US filed an indictment against three North Korean hackers from the state-sponsored Lazerous hacker group. The crimes they're being accused of go back to 2013 and include the hack of Sony Pictures Entertainment and the creation of the Wannacry ransomware that hit the British National Health Service in May 2017. Link.

📱 Last week a popular barcode scanner app hit the headlines as users reported that their devices were covered in unwanted ads. It’s been reported this week that the app was sold to a new owner who deployed the malicious update. Bad actors purchasing or using social engineering to gain control of popular software is a trend we’re going to see continue. Another notable example of this type of attack is the 2018 takeover of the “event-stream” npm package; “event-stream” is a javascript package that gets over 2.6 million downloads a week. Link.

🎯 New Vulnerabilities

The most interesting new vulnerabilities disclosed this week.

A vulnerability in the ShareIt file sharing app would allow attackers to run their own malicious code and intercept files being shared. Researchers disclosed this vulnerability to the developers three months ago but never heard back so they’ve released it publically to draw attention to it. Link.

This week in Wordpress plug-ins you should update - Ninja forms. The vulnerability would allow password reset links to be intercepted by an attacker. Link.

Agora is a popular video chat software kit. A vulnerability could have allowed hackers to intercept audio and video from calls. Agora is used to add video chat functionality to many popular healthcare applications as well as dating apps like e-harmony. The apps all use Agora differently making some apps more vulnerable than others. The bug remained in the code for 8 months after researchers disclosed it. It was finally fixed in December 2020 and the vulnerability has only just been publicly disclosed. Another example of a vulnerability in software you've never heard of that has a huge number of users. Link.

Details of a potential unpatched bug in Internet Explorer have been uncovered. Earlier this month North Korean hackers targetted security researchers, but how they were compromising their victims was somewhat unclear. The leading theory is a zero-day vulnerability in Internet Explorer that Microsoft is investigating. Link.

💭 Anything Else?

Other news, ideas and insights from around the web that you might enjoy.

Supply chain attacks have been center stage since SolarWinds. This week Bloomberg published a follow-up to a supply chain story they first reported in 2018 about China tampering with motherboards that were being exported to the US. Link.

Simply Cyber is a repository of tons of useful free cybersecurity resources. There are links to courses, podcasts, tools, and cheat sheets - I’m sure you’ll find something helpful here. Link.

Bruce Schneider discusses a report on the incredibly poor state of browser security. Link.

Ben Evans on the death of the newsfeed. Link.

❤ Liked what you read?

Nothing helps me out more than sharing CyberLite with a friend who might enjoy it. If you do please tag me so I can say thanks!

If you’re that friend… Sign up here to receive CyberLite every week!

🎁 Wrapping Up

If you’ve got questions, comments or just fancy a chat then shoot me an email or send me a message on Linkedin/Twitter. I’d love to hear from you!

Thanks for reading, I’ll catch you next week!


Oliver Kitchin

Cybersecurity consultant. Passionate about people, technology and the great outdoors. He/Him.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.