Daily Perk 3/8/2021

We make the difference today and everyday

Cheering on the excellent work done by The Diana Initiative today to support women and diversity in our field. The CFP is open!

QNAP storage devices used to mine cryptocurrency per Bleeping Computer

Network-attached storage devices aka NAS have vulnerabilities, can be left internet facing with default settings, and are searched for online using Shodan. QNAP devices have specifically been targeted by ransomware made for them. Two remote code execution vulns from 2020 are being exploited- not a problem if you patched back then but a lot of boxes are neglected and connected. Like 4,297,426 found online by 360 Netlab.

Check your networks – you may be surprised to find some boxes connected you didn’t know about. If cryptominers are able to get in, then you might be a stepping stone in a bigger campaign to someone you have access to.

Chinese APT group “Spiral” linked to Supernova malware in SolarWinds attack per ZDNet

2021 is the year of supply chain attacks and discovering Chinese cyber espionage as we dig deeper. Securework’s researchers are seeing similarities between the use of a compromised SolarWinds server to deploy Supernova malware and other intrusions by the “Spiral” group.

Spiral has been exploiting CVE-2020-10148 in SolarWinds Orion’s API for authentication bypass and remote code execution. Supernova is “an advanced web shell” written in.NET that maintains persistence and does dirty deeds without leaving tracks. It gives the attackers both high privileges and a lot of visibility into the victim’s network. While this is not part of the actual SolarWinds attack, it highlights the opportunistic skills of advanced attackers to slip in undetected through an already open door. We can expect more lessons ahead.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s