
Cybersecurity and Infosec News Headlines Update on May 31, 2022

Careful who you trust – presentation at Nullcon

The presentation Careful Who You Trust: Compromising P2P Cameras At Scale, by E. Barzdukas, J. Valletta and D. Franke, was given at Nullcon Berlin 2022. I went through the slides and my quick summary is as follows:

Spoofing the UID of camera devices on ThroughTek’s Kalay P2P network leads to disclosure of the device credentials, which allows compromise of the audio and video data. This in turn gives access to the IO control layer (IOCTRL), which exposes a number of security issues. One of these vulnerabilities involves firmware updates and leads to remote code execution (RCE). Most of the talk is about the IOCTRL layer and its exploitation; it is also a great advert for Frida (which we also love), and the speakers cover the custom authentication mechanisms in specific devices that use the Kalay Network.

As Tim Panton pointed out last month, some of what they talk about would have been more secure by default had the vendor used the WebRTC standards and, perhaps, the WebRTC libraries. Compared with a custom-made solution such as the Kalay platform, this would mean that network transport encryption is on by default and that authentication is not an afterthought. That said, WebRTC is not a magic wand that solves every problem here, and it would naturally introduce new ones. Even so, I would still go with something more standard (i.e. the WebRTC standards) for devices that do real-time communication: its security properties and vulnerabilities are better understood and documented than those of custom platforms, protocols and networks.

In terms of actual official solutions, to avoid the initial vulnerability, Device Impersonation (CVE-2021-28372), the vendor recommended updating the SDK/library and using the “AuthKey” and “DTLS” features of the Kalay network.

Video calling applications sometimes ignore mute

It turns out that the mute button on your favourite video conferencing app may not do what you would expect it to do! Researchers looked at the following apps:

  • Zoom (Enterprise)
  • Slack
  • MS Teams / Skype
  • Google Meet
  • Cisco Webex
  • BlueJeans
  • WhereBy
  • GoToMeeting
  • Jitsi Meet
  • Discord

The paper explicitly highlights Webex as a primary offender in its conclusion:

We discovered that while muted, Webex continuously reads audio data from the microphone and transmits statistics of that data once per minute to its telemetry servers.

The study is indeed interesting and the underlying issue is definitely cause for concern. But, honestly, I expected much worse.

Read more in

T-Pot, the Deutsche Telekom Honeypot

Dionis Shabani wrote a tutorial on how to get the Deutsche Telekom’s honeypot, naturally called T-Pot (love the name), running on Debian 11. This honeypot is interesting to us since it includes some RTC components by using Sentrypeer. It also includes Dionaea which has a SIP module too.

Give it a read here: Implementation of Deutsche Telekom Honeypot (T-Pot 22.04) on Debian 11 – VMware Workstation

And the blog post from the official Deutsche Telekom security team’s blog: T-Pot Version 22.04 released

Or go directly to the project at Github: telekom-security/tpotce

VoIP is used by Wizard Spider

The Hacker News has published an article called Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang. The part that caught my attention was the following:

What’s more, the group has invested in a custom VoIP setup wherein hired telephone operators cold-call non-responsive victims in a bid to put additional pressure and compel them into paying up after a ransomware attack.

This is not the first time the group has resorted to such a tactic. Last year, Microsoft detailed a BazarLoader campaign dubbed BazaCall that employed phony call centers to lure unsuspecting victims into installing ransomware on their systems.

Read more in

Security Code Audit – For Fun and Fails

Frycos – whose work was previously covered in this newsletter thanks to the excellent 3CX vulnerability report – has published a new post. This one deals with the realities of security code audits and vulnerability research in general, which tend to be quite different from what the movies suggest.

For this research piece, Frycos chose another PBX product, one called Starface Comfortphoning. This one is a valuable narrative that shows how one would go about scoping the target, choosing what to audit in terms of code, and the different points of view that could be taken.

In fact, the author did find a number of issues. One of them was a remote code execution that required authentication to an administrative interface: the vulnerability involved uploading a fake backup ZIP file whose malicious manifest.xml caused the commands given in the XML contents to be executed. Another was a dangerous file upload reachable by an authenticated low-privileged user. It is not clear, however, whether the uploaded file is accessible to attackers, which is what would be needed to turn it into remote code execution.

As the author hints, perhaps only around 10% of the code was checked during this exercise. What I personally find slightly annoying is that only the web attack surface was checked. But a phone system, such as Starface’s, will have other areas that are exposed – most notably the signalling and media handling (i.e. SIP and RTP – which is done via Asterisk PBX). Oh and there’s a process called hfaxd that listens on 0.0.0.0 waiting to be poked and prodded!

Read more in

Pion DTLS vulnerabilities fixed

The Pion DTLS package was patched to fix 3 vulnerabilities, two of which cause denial of service and one of which affects integrity. The issues were reported by Juho Nurminen who, it seems, has been doing some interesting things related to the topic of RTC security.

Technical details were not published in the actual advisories for the DoS issues, although there are clear hints. So we looked at the code changes to get a better understanding of what is happening here.

Based on that, here’s our summary:

  • Header reconstruction method can be thrown into an infinite loop
    • Description: An attacker can send packets that will send Pion DTLS into an infinite loop when processing.
    • Our comment: those packets contain a zero-length fragment; before the fix, the reassembly loop never terminated because the check if fragmentEnd != f.handshakeHeader.Length {} could never become false. This one seems easy to exploit, hence the CVSS rating of 7.5.
    • Actual fix
    • Advisory
  • Buffer for inbound DTLS fragments has no limit
    • Description: A buffer that was used for inbound network traffic had no upper limit. Pion DTLS would buffer all network traffic from the remote user until the handshake completes or times out. An attacker could exploit this to cause excessive memory usage.
    • Our comment: this one also involves fragments and seems easy to exploit as well, but it may take a long time to exploit, and the handshake timeout may be the reason it did not receive a high availability impact or CVSS score.
    • Actual fix
    • Advisory
  • Client Certificates are accepted without CertificateVerify
    • Description: A DTLS client could provide a certificate that it doesn’t possess the private key for, and Pion DTLS wouldn’t reject it.
    • Our comment: this is an authentication bypass and actually seems quite interesting; it would be very interesting to try to reproduce.
    • Actual fix
    • Advisory
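As an added example (not Pion’s code, and not the actual patches linked above), here is a small handshake fragment reassembler in Go that applies the two checks the DoS fixes point at: it refuses zero-length fragments, which would otherwise never advance the reassembly loop, and it caps the memory held for incomplete messages. The fragment type, error values and the 64 KiB cap are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// handshakeFragment is a simplified view of one DTLS handshake fragment
// (RFC 6347 section 4.2.2): the message sequence number, the total length of
// the message being reassembled, and this fragment's offset, length and body.
// It is constructed for this example and is not Pion's type.
type handshakeFragment struct {
	MessageSeq     uint16
	Length         uint32 // total length of the reassembled handshake message
	FragmentOffset uint32
	FragmentLength uint32
	Body           []byte
}

var (
	errEmptyFragment    = errors.New("dtls: zero-length fragment rejected")
	errFragmentMismatch = errors.New("dtls: body length does not match header")
	errFragmentBounds   = errors.New("dtls: fragment outside declared message")
	errBufferLimit      = errors.New("dtls: inbound fragment buffer limit exceeded")
)

// maxBufferedBytes caps memory held for incomplete handshake messages; the
// value is an assumption for this example.
const maxBufferedBytes = 64 * 1024

type partial struct {
	length uint32
	data   []byte
	have   []bool // per-byte coverage; simple rather than efficient
}

// reassembler collects fragments until a whole handshake message is present.
type reassembler struct {
	buffered int
	msgs     map[uint16]*partial
}

func newReassembler() *reassembler {
	return &reassembler{msgs: map[uint16]*partial{}}
}

// push validates one fragment and stores it. It returns the completed
// message once every byte has arrived, nil while incomplete, and an error
// for fragments that must be dropped without being buffered.
func (r *reassembler) push(f handshakeFragment) ([]byte, error) {
	// A zero-length fragment makes no progress: a loop that advances by
	// FragmentLength until it reaches Length would spin forever on it.
	if f.FragmentLength == 0 {
		return nil, errEmptyFragment
	}
	if uint32(len(f.Body)) != f.FragmentLength {
		return nil, errFragmentMismatch
	}
	// Offset+length must fit inside the declared message; written this way
	// the check cannot overflow uint32.
	if f.FragmentOffset > f.Length || f.FragmentLength > f.Length-f.FragmentOffset {
		return nil, errFragmentBounds
	}
	p, ok := r.msgs[f.MessageSeq]
	if !ok {
		// Bound the total memory held across all in-flight messages.
		if r.buffered+int(f.Length) > maxBufferedBytes {
			return nil, errBufferLimit
		}
		p = &partial{length: f.Length, data: make([]byte, f.Length), have: make([]bool, f.Length)}
		r.msgs[f.MessageSeq] = p
		r.buffered += int(f.Length)
	} else if p.length != f.Length {
		return nil, errFragmentBounds // fragments of one message must agree on Length
	}
	copy(p.data[f.FragmentOffset:], f.Body)
	for i := f.FragmentOffset; i < f.FragmentOffset+f.FragmentLength; i++ {
		p.have[i] = true
	}
	for _, seen := range p.have {
		if !seen {
			return nil, nil // still incomplete
		}
	}
	delete(r.msgs, f.MessageSeq)
	r.buffered -= int(p.length)
	return p.data, nil
}

func main() {
	r := newReassembler()
	// Constructed input: a zero-length fragment, then the two halves of "abcd".
	_, err := r.push(handshakeFragment{MessageSeq: 1, Length: 4})
	fmt.Println("zero-length fragment:", err)
	r.push(handshakeFragment{MessageSeq: 1, Length: 4, FragmentOffset: 0, FragmentLength: 2, Body: []byte("ab")})
	msg, _ := r.push(handshakeFragment{MessageSeq: 1, Length: 4, FragmentOffset: 2, FragmentLength: 2, Body: []byte("cd")})
	fmt.Printf("reassembled: %q\n", msg)
}
```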

Congratulations to the Pion team for the fixes, and great work by Juho!

Wire XSS to RCE and account compromise

The Wire app fixed a cross-site scripting vulnerability that led to remote code execution on the desktop client. The vulnerability reporter posted a video on Twitter showing how the XSS could be used to launch any application.


The advisory from Wire is over here: Cross Site Scripting in Wire Messages

Tracked as CVE-2022-24799.

I guess this is just a reminder that for Electron apps, such as Wire, XSS can be really dangerous.

Yet another SIP ALG vulnerability – CVE-2022-26370

Another vulnerability which affects a SIP ALG (application layer gateway) implementation, this time in F5 BIG-IP versions 16.1.x. Abuse of this vulnerability is said to cause the Traffic Management Microkernel (TMM) to terminate.

Last month we covered similar issues in JunOS (CVE-2022-22198), while in February we covered another vulnerability (CVE-2022-23025) also in F5 BIG-IP.

Our recommendation remains:

If you’re running anything like a stateful firewall, disabling SIP ALG will reduce your attack surface.

Read more in

SQL and command injection in Grandstream PBX

Tenable, makers of the Nessus vulnerability scanner, found that Grandstream UCM6200 devices have both an SQL injection and a command injection vulnerability. Both are exploited through the web interface of the vulnerable PBX system.

It seems that the vulnerability was published and patched back in 2020, but detection was only added to Nessus this month.

Read more in

Mitel 6800 and 6900 Series SIP phone devices “undocumented behavior”

The CVE details read as follows:

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have “undocumented functionality.” A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

The security bulletin does have a few more details:

A vulnerability has been identified in Mitel 6800 Series SIP Phones and 6900 Series SIP phones running SIP firmware, which could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control functionality during system start-up. A successful exploit could allow access to sensitive information and code execution within the context of the Mitel 6800 or 6900 SIP Phone (excluding the 6970).

The vulnerability is limited to a malicious actor that has physical access and can connect via local area network and requires restarting the phone.

The risk due to this vulnerability is rated as Medium.

Read more in

Zoom client RCE with xmpp stanza smuggling

Google’s Project Zero published a vulnerability chain that affected Zoom chat. Essentially, it went like this:

  1. Smuggling of XML stanzas was possible due to XML parser differences between the Zoom client and server
  2. So an attacker could send control stanzas to Zoom clients that appear to be coming from Zoom’s XMPP server
  3. This could be abused to force the victim client to connect to an attacker controlled server, allowing for man-in-the-middle
  4. Which could be abused to bypass a signature check on the update installer
  5. Which allows attackers to install malicious software on vulnerable Zoom clients

Ivan Fratric does an excellent job in explaining the vulnerability chain at the official report here: Issue 2254: Zoom: Remote Code Execution with XMPP Stanza Smuggling

Very sneaky I must say.

The vulnerabilities exploited are tracked as:

  • CVE-2022-25235
  • CVE-2022-25236
  • CVE-2022-22784
  • CVE-2022-22785
  • CVE-2022-22786
  • CVE-2022-22787

Tigase XMPP stanza smuggling via unescaped quotes

Also by Google’s Project Zero / Ivan Fratric:

Tigase XMPP server suffers from a security vulnerability due to not escaping the double quote character when serializing parsed XML. This can be used to “smuggle” (or, if you prefer, inject) arbitrary attacker-controlled stanzas into the XMPP server’s output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server).
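To make the bug class behind both the Tigase issue and the Zoom chain above concrete, here is an added Go example (not Project Zero’s, Tigase’s or Zoom’s code) of a stanza serializer that escapes angle brackets but not double quotes, beside one that uses encoding/xml’s escaper, together with the round-trip check a server can apply before forwarding client-supplied XML: re-parse your own output and require that it yields exactly the stanza you parsed. The stanza type, the sample message and the address alice@example.net are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
	"sort"
	"strings"
)

// stanza is a minimal parsed XMPP element (name, attributes, text). It is
// constructed for this example and is not any real server's data model.
type stanza struct {
	Name  string
	Attrs map[string]string
	Text  string
}

// parseStanzas tokenizes a stream of top-level elements with encoding/xml,
// the way an XMPP stream is read one stanza at a time.
func parseStanzas(stream string) ([]stanza, error) {
	dec := xml.NewDecoder(strings.NewReader(stream))
	var out []stanza
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // whitespace between stanzas
		}
		st := stanza{Name: se.Name.Local, Attrs: map[string]string{}}
		for _, a := range se.Attr {
			st.Attrs[a.Name.Local] = a.Value
		}
		var body struct {
			Text string `xml:",chardata"`
		}
		if err := dec.DecodeElement(&body, &se); err != nil {
			return nil, err
		}
		st.Text = body.Text
		out = append(out, st)
	}
}

func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// serializeWith rebuilds a stanza as text, applying escape to every
// attribute value and to the text body.
func serializeWith(st stanza, escape func(string) string) string {
	var b strings.Builder
	b.WriteString("<" + st.Name)
	for _, k := range sortedKeys(st.Attrs) {
		fmt.Fprintf(&b, ` %s="%s"`, k, escape(st.Attrs[k]))
	}
	b.WriteString(">" + escape(st.Text) + "</" + st.Name + ">")
	return b.String()
}

// naiveEscape is the bug class described for Tigase: angle brackets and
// ampersands are escaped, the double quote is not, so a quote inside a
// value terminates the attribute early in the serialized output.
var naiveEscape = strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;")

func serializeNaive(st stanza) string { return serializeWith(st, naiveEscape.Replace) }

// fullEscape uses encoding/xml's escaper, which also encodes " and ' as
// &#34; and &#39;, so attribute boundaries cannot be forged.
func fullEscape(s string) string {
	var b strings.Builder
	xml.EscapeText(&b, []byte(s))
	return b.String()
}

func serializeSafe(st stanza) string { return serializeWith(st, fullEscape) }

// roundTripIntact is the invariant a server should hold before forwarding
// client-supplied XML: re-parsing its own output yields exactly one stanza,
// equal to the one it parsed.
func roundTripIntact(serialize func(stanza) string, st stanza) bool {
	got, err := parseStanzas(serialize(st))
	return err == nil && len(got) == 1 && reflect.DeepEqual(got[0], st)
}

// clientInput is a constructed stanza from a hostile client; the id value is
// single-quoted, so it may legally contain double quotes.
const clientInput = `<message to='alice@example.net' id='1" type="headline'>hi</message>`

func main() {
	sts, err := parseStanzas(clientInput)
	if err != nil {
		panic(err)
	}
	fmt.Println("naive:", serializeNaive(sts[0]), roundTripIntact(serializeNaive, sts[0]))
	fmt.Println("safe: ", serializeSafe(sts[0]), roundTripIntact(serializeSafe, sts[0]))
}
```

With the naive serializer the re-parsed stanza gains a type attribute the client never legitimately set, so the round trip fails; with full escaping the stanza comes back unchanged.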

Read more in

Zoom Vulnerabilities Fixed

Zoom has fixed six vulnerabilities that were discovered by Google Project Zero. The vulnerabilities could be exploited by sending a message through Zoom chat over the Extensible Messaging and Presence Protocol (XMPP) to allow remote code execution; no user interaction is required. Users are urged to update to Zoom version 5.10.0.

Note

  • The client-side fix was out in April. All Zoom client software now supports auto-update for faster patching – make sure it is turned on for managed devices and encourage users to enable auto update on personal devices. Same advice applies to most PC/Mac client software these days.
  • A few things happening here: XMPP parsing inconsistencies allowed inclusion of malicious content (known as XMPP Stanza Smuggling) and could be used to cause the client to connect to another server which could be a MITM; the update installer didn’t fully check that what was being installed was really an update, allowing the client to be tricked into installing an older version with known vulnerabilities. The good news is Zoom has auto-update capabilities working on Mac and Windows now, the bad news is you may have to manually update to get to that version. Make sure your systems are running at least 5.10.0.
  • Enable the auto-update feature in your Zoom and every other piece of software that allows it. Do it for your friends and family as well.

Read more in

Verizon 2022 Data Breach Investigations Report

Verizon Business has released its 2022 Data Breach Investigations Report (DBIR). Key findings include: ransomware attacks increased 13 percent over the past year; roughly 80 percent of breaches are the work of organized crime; and “the human element accounts for 82 percent of analyzed breaches over the past year.”

Note

  • Verizon no longer includes the most valuable data they have from their investigations – what vulnerabilities enabled the attacks to succeed? They used to show this in a table mapping the exploited vulnerabilities to the Critical Security Controls. It was a great graphic to use in explaining the critical need to at least get to basic security hygiene levels and avoid 70% or more of those attacks. Another point: the DBIR and others often show phishing and “use of stolen credential” statistics separately, where a high percentage of stolen credentials were obtained through phishing. Don’t underestimate the urgency of reducing the use of reusable passwords on high value accounts.
  • In 2022, we as security professionals should all reject the idea of “human element” as something that “accounts for” 82% of breaches, especially of a breach that is worthy of inclusion in the DBIR. Yes, individual people will click a link, or click an attachment, or enter their password into a fake form. That’s gonna happen, and the job of the security profession is to make those basically as low impact as possible. Security professionals are failing to properly architect and implement basic controls (in some cases, for legitimate reasons, such as lack of budget, etc), and then blame users for clicking links that make it through the corporate email filters, then saw through the entire network from an unprivileged user laptop… This is not a good statistic to bandy around. All the awareness training won’t remove the click, it just reduces the CLICK RATE, which, even if low, the click eventually happens. Then what? Controls beyond the user’s scope of work should kick in.
  • The human element, as in problem exists between keyboard and chair, is our greatest and best challenge. This doesn’t mean we need to stop raising the bar on technology to reduce the opportunities for error, it means we need to work just as diligently on relevant training and support. Pay attention to feedback. Don’t ignore reports of people checking out in the middle of a session, or questions of relevance to life the universe and everything, rather partner and pull the thread to find out why your message and their mission don’t match, then team up to fix it.
  • For the past 4 years the VZ DBIR has identified people as the primary attack vector and top driver of breaches. For the past two years they even put a number on it (over 80% of breaches for past two reports). Cybersecurity is no longer just a technology challenge but also a human one. Until we start also addressing the human side of cybersecurity, to include security culture, we are going to continue to lose this battle.
  • That 82% of breaches are due to human issues demonstrates how badly we are failing as an industry and highlights the fallacy that many vendors and security practitioners have on focusing on APT and/or zero day attacks. Similar to how modern automobile safety features protect drivers when they make a mistake, our security controls should act as the equivalent of crumple zones, seat belts, and airbags to protect people when they are duped into clicking on a link or an attachment.
  • Must reading. One of the best open sources of intelligence for security professionals. Other key findings: Insider risk is far greater from error than from malice. Credential compromise is far more likely from social engineering than from brute force attacks. Therefore, prefer strong authentication to strong passwords. I asked the authors if they could see the impact of Strong Authentication. They responded “Not really. If one is using MFA one is not likely to be in the database of breaches.” Finally, healthcare and finance stand out in the data. For different reasons, each industry may be better at reporting than others.

Read more in

Quanta Cloud Technology Servers Still Vulnerable to Critical Pantsdown BMC Vulnerability

The Pantsdown vulnerability affects baseboard management controllers (BMCs) from a variety of manufacturers. The flaw could be exploited to gain superadmin privileges for an entire data center. After the vulnerability was discovered in January 2019, vendors released patches and urged customers to apply them. However, researchers from Eclypsium found that data center solution from Quanta Cloud Technology remained unpatched as recently as April 2022. Quanta says it is providing fixes privately on a customer-by-customer basis.

Note

  • Do not assume that systems arrive from OEMs fully patched and “secure.” Sadly, in this case, you will not even be offered a patched firmware for update. What makes this worse is that attacks against BMCs can be very difficult to recover from (if you are even able to detect them).
  • Firmware security is a real thing and it’s underappreciated. Imagine a chip maker putting a null-auth webserver in the firmware, for example…. From 2017: www.intel.com: About the Intel manageability firmware critical vulnerability
  • Any procurements for cloud services, especially if going outside the major providers like Google, and Microsoft, should include questions about vendor patch status/practices and clauses for cloud service provider liability. None of that protects you or your customers but it raises the visibility of security to smaller/less expensive cloud services providers and can point out the danger of selecting them.
  • BMCs are leveraged to manage systems at scale, allow for raw-iron management for activities like a full OS reinstall, about as close as you can get to physically accessing the box, which makes certain attacks much easier. (Such as a single-user boot.) As such, addressing vulnerabilities and lifecycle replacements where updates are not available are critical. Quanta’s model of quietly working customer by customer is not sufficiently transparent for you to truly assess your risk envelope.

Read more in

Indian Stock Exchanges Must Report Breaches Within 10 Days

The Securities and Exchange Board of India says that stock exchanges, clearing corporations, and depositories must report cybersecurity incidents within 10 days of detection. The modification to the board’s Cyber Security and Cyber Resilience Framework also expands the definition of critical systems, which must undergo security reviews and testing.

Note

  • India’s businesses were already facing the task of implementing the new incident response orders within 60 days; this directive is focused on market infrastructure institutions (MIIs), aka stock exchanges, clearing corporations and depositories, which must have their board sign off on their critical systems and report status of the larger requirements in the circular within ten days. Most boards I know need significantly more time before voting on a significant issue, let alone reporting on the progress towards implementation. The intent of the framework is to raise the bar consistent with the modern threat landscape, which is to be commended, and a more realistic timeframe is appropriate, such as 100 or more days. We all should have accurate hardware, software, and vulnerability data, and be performing regular security testing and reviews to make sure we’re not overlooking.
  • I welcome the focus on detection and response vs. the goal of preventing an attack. Assume breach and focus on testing, measuring, and improving your people, process, and technology – make sure your team is trained in Purple Team processes and techniques.

Read more in

Ransomware Delayed SpiceJet Flights in India

India’s SpiceJet airline said that a ransomware attack was to blame for flight delays earlier this week. Customers reported that they could not reach SpiceJet customer service on the phone and that online booking was unavailable.

Note

  • Ransomware is the final action on objectives. You have multiple detection opportunities before the malicious actors get to that step. Tabletops are a great resource but go further with a data and evidence-based approach by actually testing yourself. Train like you will fight the adversaries.
  • Good news: they were able to contain and remediate the ransomware attack quickly. The bad news is interdependent systems were impacted, resulting in delays and confusion from passengers who were not aware of what was happening. Two takeaways – first, communicate fully and as comprehensively as possible when you know what is going on; second, make sure dependencies are not only documented but understood. Sometimes recovery of one system may need another to roll back transactions, or have transactions manually applied to achieve full recovery to operational status. Trust me, you don’t want to discover this during an incident.

Read more in

IBM Expands School Cybersecurity Program

IBM is expanding its Education Security Preparedness Grant that helps K-12 schools improve their cybersecurity posture. The grants, which are provided as in-kind support, went to six US schools this year. Next year, the program will provide help for 10 schools in the US, Costa Rica, Brazil, Ireland, and the United Arab Emirates.

Note

  • Last year applicants came from over 250 school districts, which is an indicator we have a gap that companies like IBM can fill. IBM is not just sending money, they are sending tools and resources, which not only aids success, but also is a model you could follow to help your local schools by leveraging existing staff, products, and processes, no matter which country you’re in.
  • I welcome this and other initiatives that teach security earlier in life. NewsBites readers: challenge yourself to share what you know to the next generation. Every little thing helps, from career day presentations to demos to teaching. We need a security focused culture from the beginning.

Read more in

UK ICO Fines Clearview, Orders Them to Delete Citizens’ Data

The UK’s Information Commissioner’s Office (ICO) has fined face recognition technology company Clearview £7.5 million ($9.4 million) for violations of the country’s data protection laws. The ICO has also ordered Clearview to stop collecting and using UK citizens’ data and to delete any UK citizens’ data it currently holds on its systems.

Note

  • Lesson here is to make sure that when scraping data make sure that operation is allowed by the sources you’re obtaining information from, and, more importantly, make sure that your use and storage of that data is consistent with the regulations in the area you’re operating in. As more privacy laws are enacted, their relevance/applicability is going to become increasingly important to avoid legal entanglements.

Read more in

Suspected Business eMail Compromise Operation Ringleader Arrested

Police in Nigeria have arrested an individual believed to be the head of a massive phishing and business email compromise (BEC) operation. The group has been active since 2015 and has been launching attacks in countries around the world.

Note

  • The team at Palo Alto’s Unit 42 have been tracking this individual since 2017, meaning that apprehending parties behind BEC can take a lot longer than you expect. In the meantime, double down on making sure you and your staff are prepared to recognize and avoid BEC attempts. Don’t forget to talk to your service providers, internal or external, to ensure you’re leveraging all the tools in their arsenal.
  • We don’t hear much about BEC even though it is one of the most profitable attacks by adversaries. Kudos to law enforcement for this arrest.
  • A big well done to all those involved in this operation and in making the online world a little bit safer.

Read more in

CISA adds 75 Vulnerabilities to Known exploited Vulnerabilities Catalog

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added more than 70 security issues to its Known Exploited Vulnerabilities catalog. The vulnerabilities include a Cisco IOS XR open port flaw and a pair of Android Linux Kernel flaws. The newly-added items have required mitigation dates between June 13 and 15.

Note

  • The trick is to filter both for products you’re using and for updates you’re already applying to spot gaps. Separately, you should be checking post-patch that the updates you think are applied are really applied.

Read more in

EPA Asks for Funds for Water Systems Cybersecurity

The US Environmental Protection Agency (EPA) is asking Congress for $4B to upgrade the country’s water infrastructure. More than $100M of the requested funds would go toward programs that provide support for resiliency and sustainability, establishing and building cyber capabilities, and technical assistance.

Note

  • This is a start, DHS CISA will also have to provide funds and expertise to make progress improving cybersecurity at state/local managed critical services like water, just as they had to do for election systems.
  • The trick is enlisting water companies both large and small. Small operations will need to leverage external services. If you don’t have sufficient support for your operation, reach out to your local ISAC or CISA branch to get connected with resources. Remember CISA services are taxpayer funded.

Read more in

Microsoft will enable better security defaults for all Azure AD tenants next month

Big news from Microsoft this week as the OS maker and cloud giant has announced plans to forcibly enable secure defaults for all Azure AD tenants next month.

These “secure defaults,” also known as Azure AD Conditional Access, will enable multifactor authentication (MFA) for all of an organization’s users and will block authentication on legacy protocols where MFA is not supported.

Microsoft began enforcing these requirements for all new Azure AD customers in October 2019, but it did not mess with the accounts of its existing customer organizations in order to prevent outages or downtime.

The company said that since late 2019, more than 30 million tenants now use its secure defaults and that these companies “experience 80 percent less compromise than the overall tenant population.”

But this will soon change, according to Alex Weinert, Director of Identity Security at Microsoft. Starting with late June 2022, Weinert says that Microsoft will start forcibly enabling “secure defaults” for the older customers as well.

“When complete, this rollout will protect an additional 60 million accounts (roughly the population of the United Kingdom!),” Weinert said.

Starting next month, Microsoft said it plans to prompt every one of its existing customers’ Global Admins with a pop-up about the new security defaults. Global admins will be able to enable the security defaults on the spot or delay the process for 14 days, at which point the feature will be forcibly enabled, whether they like it or not. Once enabled, a tenant’s employees will be prompted to add an MFA solution to their accounts, and Microsoft hopes this will put a huge dent in the number of accounts that get compromised via brute-force or phishing attacks on its Azure platform.


Verizon employee breach

A hacker has obtained a database that includes the full name, email address, corporate ID numbers, and phone numbers of hundreds of Verizon employees. Motherboard reported that the threat actor got their hands on the data after tricking a Verizon employee into giving them remote access to their computer.

SpiceJet

Indian low-cost airline SpiceJet said it was hit by an “attempted” ransomware attack on Wednesday that disrupted some of its operations and delayed some flights.

MGM Resorts data dumped

The data of more than 142 million guests who stayed at MGM hotels in the past was released for free on a Telegram channel earlier this week. The data comes from a 2019 security breach, which came to light in early 2020 after a data broker began advertising the data on cybercrime forums.

CIS leak

A security researcher said he found an Elasticsearch server leaking the personal details of more than 10 million Russians, Ukrainians, and Kazakhs who applied for “microloans.” This included full names, dates of birth, home addresses, and even passport details.

FTC fines Twitter

The US FTC has fined Twitter $150 million for using phone numbers collected through its 2FA account security process for advertising purposes. The phone numbers of more than 140 million Twitter users were abused this way. The FTC said that Twitter’s actions violated a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices.

Lumos system

A team of academics from Carnegie Mellon University has developed a system they named Lumos that can run on laptops or smartphones and “enables users to identify and locate WiFi-connected hidden IoT devices and visualize their presence using an augmented reality interface.” The CMU team said they tested 44 different IoT devices of various types, brands, and models, across six different environments and achieved a 95% detection rate. The researchers will present more details about their project at the upcoming USENIX conference this summer.

Devices used as candidate hidden devices

UN sanctions on Lazarus Group

Despite a push from the US for additional economic sanctions on North Korea—including a package that would freeze assets owned by the Lazarus hacking group—China and Russia have signaled their intention to use their veto option to negate the vote on the grounds that additional sanctions would worsen the existing humanitarian crisis.

Kremlin decree on cybersecurity

The Russian government has ordered that all public and private organizations operating in critical sectors must have a cybersecurity team [PDF]. [via @lukOlejnik]

Very English Coop d’Etat

Reuters reported on Thursday that Russian state-sponsored hackers are behind a recently launched website named “Very English Coop d’Etat,” where they leaked emails of several pro-Brexit hardliners earlier this month. This includes emails from ex-MI6 boss Richard Dearlove, leading Brexit campaigner Gisela Stuart, and pro-Brexit historian Robert Tombs. Several of the victims confirmed the hack. Shane Huntley, Director of the Google Threat Analysis Group, said there are “clear technical links” between the website and a Russian group the company calls “Cold River.” Several security experts said the entire affair smells like Guccifer 2.0 and DCLeaks, two other politically-charged leaks orchestrated by Russian intelligence.

Dutch intelligence report

The Dutch intelligence and security services oversight board has published its annual report on Dutch intelligence activities. The board found that the AIVD and the MIVD, the Netherlands’ civilian and military intelligence and security services, made 3,071 data access requests last year, including some unlawful ones that targeted journalists and broad ones meant to intercept internet cable traffic. In addition, both services admitted that since 2018 they had failed to inform the oversight board about their use of vulnerabilities to access third-party systems.

SilverTerrier arrest

Interpol, Palo Alto Networks, and Group-IB announced on Wednesday the arrest of a 37-year-old Nigerian man who was the leader of the SilverTerrier (Team TMT) BEC gang. The man was arrested this week at the Lagos airport in Nigeria. This marks the third wave of SilverTerrier arrests after Interpol also helped track and catch three gang members in November 2020 and another 11 in January 2022.

Bablosoft

Team Cymru has published a report on Bablosoft, a tool advertised on cybercrime forums and meant to help threat actors to automate web browser actions in order to create bots for spamming, brute-forcing passwords, or checking the validity of stolen credentials. The tool has been around for years, and Team Cymru says that malware operations like Bumblebee, BlackGuard, and RedLine have deep integrations with Bablosoft.

Cl0p returns

NCC Group is reporting a surge in activity from the Cl0p ransomware gang, which listed 21 new victims on its leak site over the past month. Until April this year, the gang had greatly reduced its operations after several members responsible for money laundering were detained in Ukraine in June 2021.

ERMAC reaches v2

ESET said that it has discovered what appears to be the next iteration of the ERMAC Android trojan, which the company dubbed ERMAC 2.0. The first version of this trojan was spotted last year by ThreatFabric.

Attacks on Apache CouchDB

Threat actors are exploiting a vulnerability tracked as CVE-2022-24706 to take over Apache CouchDB servers. The flaw is not in CouchDB’s HTTP API on port 5984 but in the Erlang distribution layer underneath it: default installations shipped with the well-known Erlang cookie value “monster”, and a threat actor who can reach the Erlang Port Mapper Daemon (epmd, port 4369) and the node’s distribution port can present that cookie, join the node as a peer, and execute arbitrary commands, gaining admin access to the database without ever supplying a CouchDB password. Installs where the owner changed the cookie or put the server behind a firewall are not affected, and CouchDB 3.2.2 refuses to start with the old default cookie. There are currently more than 81,000 CouchDB servers exposed online, although it’s unclear how many still run default installs.
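The quickest way to tell whether a host is exposed to this class of attack is to ask epmd which Erlang nodes it knows about and on which distribution ports they listen. The script below is an added example, not code from the CouchDB project or the report: it encodes the epmd NAMES request (a 2-byte big-endian length followed by the opcode byte `n`), decodes the response (a 4-byte epmd port followed by `name <node> at port <port>` lines), and flags nodes whose name starts with `couchdb`, which is the default node name prefix and an assumption here. The sample response bytes are constructed, not captured from a real server; `query_epmd` does the live network call and is not exercised offline.

```python
import socket
import struct

# epmd (Erlang Port Mapper Daemon) listens on TCP/4369; NAMES_REQ opcode is 'n'.
EPMD_PORT = 4369
NAMES_REQ = 0x6E


def build_names_request() -> bytes:
    """Encode an epmd NAMES_REQ: 2-byte big-endian length, then the opcode byte."""
    body = bytes([NAMES_REQ])
    return struct.pack(">H", len(body)) + body


def parse_names_response(data: bytes) -> dict:
    """Decode a NAMES_RESP: 4-byte epmd port, then 'name <node> at port <port>' lines."""
    if len(data) < 4:
        raise ValueError("short epmd response")
    epmd_port = struct.unpack(">I", data[:4])[0]
    nodes = {}
    for line in data[4:].decode("ascii", "replace").splitlines():
        parts = line.split()
        # Expected shape: ['name', '<node>', 'at', 'port', '<port>']
        if len(parts) == 5 and parts[0] == "name" and parts[2:4] == ["at", "port"]:
            nodes[parts[1]] = int(parts[4])
    return {"epmd_port": epmd_port, "nodes": nodes}


def exposed_couchdb_nodes(parsed: dict) -> list:
    """(node, distribution_port) pairs for nodes that look like CouchDB.
    Assumption: CouchDB registers with epmd under a name starting 'couchdb'."""
    return [(n, p) for n, p in parsed["nodes"].items() if n.lower().startswith("couchdb")]


def query_epmd(host: str, port: int = EPMD_PORT, timeout: float = 5.0) -> dict:
    """Ask a live epmd for its registered nodes (network call; epmd closes the
    connection after answering, so read until EOF)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_names_request())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_names_response(b"".join(chunks))


# Constructed sample (not a real capture): epmd on 4369 reporting one CouchDB
# node whose Erlang distribution port is 9100.
SAMPLE_RESPONSE = struct.pack(">I", 4369) + b"name couchdb at port 9100\n"

if __name__ == "__main__":
    info = parse_names_response(SAMPLE_RESPONSE)
    print(info)
    print("CouchDB nodes reachable over Erlang distribution:", exposed_couchdb_nodes(info))
```

If epmd answers at all from outside the host, the distribution port it reports is reachable too in most default setups; the fix is to change the cookie in `vm.args`, upgrade to 3.2.2 or later, and firewall 4369 and the distribution port range from untrusted networks.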

REvil-themed DDoS extortions

Akamai has reported this week that a cybercrime group is using the name of the REvil ransomware gang to extort companies with threats of DDoS attacks. Akamai said this DDoS extortion campaign is far smaller than previous REvil-themed campaigns from previous months.

Versus shutdown

The administrators of the Versus dark web marketplace have shut down operations after a hacker published details last week about a vulnerability in its servers that could be used to access its database and obtain details about users and the IP addresses they used to access the site. The market previously suffered another security breach in the summer of 2020, when hackers also stole funds from some user wallets.

New BPFDoor report

After reports from PwC, Sandfly Security, Elastic, security researcher Kevin Beaumont, and ExaTrack [PDF], we now have one more from security firm CrowdStrike. The malware, which CrowdStrike calls JustForFun, is a dangerous Linux malware used by a threat actor the company calls DecisiveArchitect (also known as Red Menshen). As with the previous reports, Crowdstrike said this threat actor uses the BPFDoor malware as an initial entry point into victim networks by targeting their Linux and Solaris servers, from where it moves laterally to other systems, including Windows stations.

ChromeLoader

Red Canary has published a report on ChromeLoader, a browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites.

Cheerscrypt ransomware

Trend Micro has published a report on Cheerscrypt, a new strain of Linux ransomware used to encrypt data on VMware ESXi servers.

Black Basta ransomware

IBM’s X-Force team has a technical report out on the Black Basta ransomware. Also, check out a similar report from Trend Micro.

Grandeiro

Trustwave has published a report on a spear-phishing campaign that spreads the Grandeiro banking trojan. The malware is known for mainly targeting banks in Latin American countries.

Earth Berberoka

Trend Micro has published a report on the activities of the Earth Berberoka (aka GamblingPuppet) APT. The company said the group uses tools previously seen used by Chinese state groups, and it primarily targeted the gambling industry catering to Asia, and more specifically, to Chinese-speaking users and the operators of gambling websites.

Gimmick macOS malware

CloudSEK researchers have published a report on Gimmick, a new strain of macOS malware they discovered earlier this month. The company believes the malware is being used by a Chinese cyber-espionage group named Storm Cloud that has a history of targeting Asian regions. Also, see this report from Volexity.

LinkedIn goes public

After eight years of having a private bug bounty program, LinkedIn has finally decided to open its platform to all vulnerability researchers, taking its HackerOne program public.

Pantsdown vulnerability

Hardware security firm Eclypsium said in a report on Thursday that baseboard management controllers (BMCs) manufactured by Quanta Cloud Technology (QCT) are still vulnerable to Pantsdown, a set of vulnerabilities disclosed in 2019. The vulnerabilities can be exploited by attackers to rewrite server firmware and take over unpatched systems, Eclypsium said. Bricking servers is also a possibility.

Python&PHP library hacks

A Turkey-based security researcher has come forward and taken credit for the hijacking of two very popular Python and PHP libraries (CTX and PHPass) in an incident widely reported earlier this week. In a blog post on Medium, Yunus Aydın said he was only conducting security research and that he never meant any harm. Aydın said that despite collecting a trove of sensitive environment variables, such as AWS access keys, he has since deleted the collected information. Allegedly.

Kubernetes whitepaper

Palo Alto Networks has published a whitepaper detailing the recent types of privilege escalation attacks against Kubernetes clusters across a variety of cloud platforms. These typically exploit excessive permissions and Role-Based Access Control (RBAC) misconfigurations. A small excerpt: “In 62.5% of the Kubernetes platforms reviewed, powerful DaemonSets distributed powerful credentials across every node in the cluster. As a result, in 50% of platforms, a single container escape was enough to compromise the entire cluster.”
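The excerpt describes a specific, checkable pattern: a DaemonSet runs a pod on every node, so if its service account is bound cluster-wide to a role that can read Secrets or create pods, a container escape on any single node yields those permissions. The checker below is an added example, not tooling from the whitepaper or from Kubernetes itself. It consumes manifests already loaded as Python dicts (the constructed sample stands in for `kubectl get ... -o json` output), only follows ClusterRoleBindings to ClusterRoles (namespaced RoleBindings and aggregated roles are an assumed out-of-scope simplification), and treats `automountServiceAccountToken: false` as mitigating because the token then never reaches the container.

```python
from typing import Dict, List, Tuple

# (resource, verb) pairs that let a pod read every Secret or run code anywhere.
DANGEROUS = {
    ("secrets", "get"), ("secrets", "list"),
    ("pods", "create"), ("pods/exec", "create"),
    ("*", "*"),
}


def _grants(rule: dict) -> set:
    """Expand one RBAC rule into (resource, verb) pairs, keeping wildcards literal."""
    return {(r, v) for r in rule.get("resources", []) for v in rule.get("verbs", [])}


def _dangerous_hits(pairs: set) -> List[str]:
    """Which granted pairs match DANGEROUS, honouring '*' on either side."""
    hits = set()
    for resource, verb in pairs:
        for d_res, d_verb in DANGEROUS:
            if resource in (d_res, "*") and verb in (d_verb, "*"):
                hits.add(f"{verb} {resource}")
    return sorted(hits)


def risky_daemonsets(manifests: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (namespace/name, serviceAccount, grants) for every DaemonSet whose
    service account is bound cluster-wide to a role with dangerous permissions."""
    roles: Dict[str, set] = {}
    sa_roles: Dict[Tuple[str, str], List[str]] = {}
    daemonsets: List[dict] = []
    for m in manifests:
        kind = m.get("kind")
        if kind == "ClusterRole":
            roles[m["metadata"]["name"]] = set().union(*(_grants(r) for r in m.get("rules", [])))
        elif kind == "ClusterRoleBinding":
            for s in m.get("subjects", []):
                if s.get("kind") == "ServiceAccount":
                    sa_roles.setdefault((s["namespace"], s["name"]), []).append(m["roleRef"]["name"])
        elif kind == "DaemonSet":
            daemonsets.append(m)

    findings = []
    for ds in daemonsets:
        ns = ds["metadata"]["namespace"]
        pod = ds["spec"]["template"]["spec"]
        sa = pod.get("serviceAccountName", "default")
        if pod.get("automountServiceAccountToken") is False:
            continue  # no token in the container, nothing for an escapee to steal
        grants = set()
        for role in sa_roles.get((ns, sa), []):
            grants |= roles.get(role, set())
        hits = _dangerous_hits(grants)
        if hits:
            findings.append((f"{ns}/{ds['metadata']['name']}", sa, hits))
    return findings


# Constructed sample cluster: one DaemonSet can read all Secrets, one can only view pods.
SAMPLE_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "agent-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "node-agent", "namespace": "monitoring"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "shipper-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "ServiceAccount", "name": "log-shipper", "namespace": "logging"}]},
    {"kind": "DaemonSet", "metadata": {"name": "node-agent", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"serviceAccountName": "node-agent"}}}},
    {"kind": "DaemonSet", "metadata": {"name": "log-shipper", "namespace": "logging"},
     "spec": {"template": {"spec": {"serviceAccountName": "log-shipper"}}}},
]

if __name__ == "__main__":
    for name, sa, hits in risky_daemonsets(SAMPLE_MANIFESTS):
        print(f"{name}: service account {sa} can {', '.join(hits)} cluster-wide")
```

Each finding is a DaemonSet whose escape radius is the whole cluster; the usual remediations are a namespaced Role instead of a ClusterRoleBinding, dropping the Secrets verbs the agent does not need, or `automountServiceAccountToken: false` where the workload never talks to the API server.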

Canon bugs at Pwn2Own

The Synacktiv team has published its write-up on the vulnerabilities in Canon laser printers it exploited during the Pwn2Own hacking contest last year. The team also exploited issues in HP and Lexmark printers, but those write-ups have not yet been published.

Gin and Juice Shop

The team at PortSwigger has released an intentionally vulnerable web application, designed to look like an online shop and blog named “The Gin and Juice Shop”, on which security researchers can test their pen-testing skills.

HieuPC

France24 has published a profile on Ngo Minh Hieu, the Vietnamese hacker who was arrested and sentenced in the US back in the mid-2010s for selling the personal details of more than 200 million Americans. Hieu, who went online as HieuPC, says he’s now working with the Vietnamese government to educate people on cybersecurity, stopping cyberattacks, and catching other cybercriminals.

Lacework layoffs

According to a report from Protocol, cloud security firm Lacework has laid off more than 300 employees, which is around 20% of its workforce. The layoffs come following a $1.3 billion funding round at an $8.3 billion valuation in November 2021.

New CEOs

Cybersecurity firms McAfee and Binary Defense have both appointed new CEOs this week in Greg Johnson and Bob Meindl, respectively.

BlackByte threat actor goes global with its ransomware

The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. The ransomware group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. The actual TOR address of this site is frequently moved. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.


NVIDIA fixes 10 vulnerabilities in graphics cards drivers

GPU maker NVIDIA released a round of security updates for several of its graphics cards last week, including fixes for four high-severity vulnerabilities. The updates cover all actively supported NVIDIA products and also the GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021. Cisco Talos specifically discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running in a virtualization environment. We specifically tested these issues with a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host.


Python and PHP libraries hijacked to steal AWS keys

Developers had a very bad day on Tuesday after news broke that two very popular Python and PHP libraries got compromised after a threat actor gained access to their respective developers’ accounts and pushed new versions containing malicious code.

The incidents impacted the CTX Python library on PyPI and hautelook/PHPass PHP library on the Packagist portal. Both are very popular libraries with tens of thousands of weekly downloads, according to DevOps security firm Sonatype.

The code added to the new versions of both libraries collected environment variables from the developer’s machine, such as AWS access keys and other credentials kept in the environment, and uploaded the data to a remote Heroku app hosted at:

https://anti-theft-web.herokuapp[.]com/hacked/

Because the exfiltration URL pointed to the same Heroku app, investigators believe both attacks were carried out by the same threat actor, who was most likely looking to collect AWS keys so they could hijack cloud resources and mine cryptocurrency.

Even if the security of open source supply chains is nowhere near where experts would want it, the attack was detected rather quickly, mainly because both libraries had been abandoned and had not received a new version in years; the sudden releases alarmed some of their more attentive users, who reported the unusual updates on Reddit.

The attack seems to have impacted Python developers more than PHP coders, as the hautelook/PHPass library had been abandoned and its releases deleted last September, so most devs had already moved to other libraries in the meantime.

Nevertheless, the incident did have a major impact in the Python community, where the malicious versions were downloaded more than 27,000 times between May 14 and May 24, according to an IR report published by the Python security team late on Tuesday night.

The same report also concluded (and confirmed an ISC SANS report from earlier in the day) that the attacker gained access to the CTX developer account by identifying the maintainer’s email address and re-registering its domain after the registration had expired. Controlling the domain meant controlling the mailbox that receives password-reset links, which allowed the threat actor to reset the developer’s PyPI account password and then push the malicious versions two weeks ago.

GM cred-stuffing

General Motors said that the data of some of its customers was exposed following a credential stuffing attack that took place last month, according to a data breach notification letter the company filed with California’s Office of the Attorney General. In addition, the company also said that it “identified recent redemption of customer reward points for gift cards that may have been performed without the customers’ authorizations.”

Zola cred-stuffing

Wedding planning startup Zola said that hackers breached user accounts following credential stuffing attacks. The company disclosed the incident over the weekend after several users complained that hackers had depleted accounts, incurred huge charges on their cards, and even locked them out of their accounts days ahead of their weddings. According to a TechCrunch report, some of these accounts are being listed on underground Telegram channels. Zola said that only 0.1% of its users were impacted and that it will refund all users who lost funds in the incident.

Clearview AI fined in the UK

The UK Information Commissioner’s Office (ICO) has fined facial recognition company Clearview AI more than £7.5 million ($9.4 million) for breaching the UK GDPR and collecting users’ photos without permission. The ICO has also ordered Clearview AI to stop collecting and indexing the personal information of UK citizens and to delete existing UK-related databases.

Some Russian companies fire Ukrainian IT experts

Russian news outlet RBC is reporting that Russian companies have begun to fire or demote IT experts of Ukrainian nationality or descent. In addition, sources from Russian cybersecurity firms have also told the publication that they have been instructed to closely monitor employees of Ukrainian descent or those who have relatives in Ukraine. Moves to fire or demote IT workers with access to critical systems have been observed in companies with government contracts, and sources have described it as an “unspoken requirement” for continuing to work with government agencies.

Google geo-location data collection

A coalition of Democratic lawmakers has asked Google to stop collecting and retaining personal user data and geo-location information via its Android operating system where it relates to online inquiries about abortion access. Forty-one Democratic lawmakers signed the letter, sent on Tuesday, according to a NextGov report.

US Senate report

A report published on Tuesday by the US Senate Homeland Security and Governmental Affairs Committee has found that US law enforcement lacks comprehensive data and visibility into ransomware attacks due to poor reporting, which is fragmented across multiple federal agencies such as CISA, the FBI, the Treasury’s FinCEN, and others.

EU wants a “cyber posture”

The Council of the European Union agreed on a set of core principles meant to create a unified cyber posture for EU member states. These include:

  1. strengthen resilience and capacities to protect;
  2. enhance solidarity and comprehensive crisis management;
  3. promote the EU’s vision of cyberspace;
  4. enhance cooperation with partner countries and international organisations;
  5. prevent, defend against and respond to cyber-attacks.

The Council called on EU agencies and member states to integrate these principles into upcoming directives and guidelines.

France

In March, ANSSI, France’s cybersecurity agency, published a report with an overview of threats against French companies throughout 2021. That report is now available in English.

Conti’s last breaths

After reports that it was shutting down, the Conti gang published eight new victims on its leak site over the weekend, in what security researchers are describing as its last breaths.

RansomHouse

Threat intelligence company CyberInt has published a report on a new data extortion group, first seen earlier this year, calling itself RansomHouse. The group has one of the longest and most detailed terms of service of any extortion group seen operating over the past few years.

DeFi hacks

Security firm Bishop Fox has a report out reviewing last year’s hacks of DeFi blockchain platforms and the main methods used to breach them and exfiltrate funds.

jQuery scans

A threat actor is scanning the internet for websites that use the jQuery File Upload plugin, per ISC SANS. The organization believes the threat actor is attempting to fingerprint vulnerable systems in order to exploit security flaws in the plugin and upload malicious files (such as web shells) on web apps still using older versions of the plugin.

200 malicious npm packages

DevOps security firm Snyk found more than 200 malicious packages uploaded to the npm registry. The packages carried names matching or closely resembling legitimate ones, in what security researchers call a dependency confusion attack: the attacker publishes to the public registry under a name that an organization’s builds normally resolve from a private registry, so package managers pull the attacker’s copy instead of the legitimate one.

Account pre-hijacking

A duo consisting of an independent researcher and a Microsoft engineer has published a research paper this week on a new account hijacking technique they call account pre-hijacking. The technique consists of a threat actor registering accounts on websites before the victim does, using the victim’s email address. The attacker then links their own email address, phone number, or federated identity to the account but never completes the confirmation step. When the victim later tries to register, they are told the address is already in use and are asked to reset the password. If the service fails to invalidate all existing sessions or purge the unverified identifiers when ownership changes hands, the attacker retains access to the account they originally created. More in the research paper.
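The flaw is easiest to see as two versions of the same sign-up and reset flow. The simulation below is an added example, written for this page and not taken from the paper; account, session and identifier handling are modelled in memory with constructed addresses (`victim@example.com`, `attacker@example.net`) and plaintext passwords, which a real service would hash. With `invalidate_on_reset=False` the victim’s password reset leaves the attacker’s session and unverified identifier in place; with `True` the reset revokes every session and drops anything that was never confirmed, which is the mitigation the paper recommends.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    email: str
    password: str                       # toy model: a real service stores a hash
    sessions: set = field(default_factory=set)
    # Email/phone/federated IDs attached to the account but never confirmed.
    unverified_ids: List[str] = field(default_factory=list)


class AccountService:
    """Sign-up, login and reset flow. invalidate_on_reset=False reproduces the
    pre-hijacking flaw; True applies the fix (revoke sessions, drop unverified IDs)."""

    def __init__(self, invalidate_on_reset: bool):
        self.invalidate_on_reset = invalidate_on_reset
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, password: str) -> Optional[str]:
        """Create the account and return a session token, or None if the address
        is taken (the caller is then told to reset the password to prove ownership)."""
        if email in self.accounts:
            return None
        acct = Account(email, password)
        self.accounts[email] = acct
        return self._new_session(acct)

    def add_unverified_identifier(self, session: str, identifier: str) -> None:
        """Attach an identifier; the confirmation message is sent but never clicked."""
        self._by_session(session).unverified_ids.append(identifier)

    def reset_password(self, email: str, new_password: str) -> str:
        """Ownership proven via the e-mail link (modelled as an out-of-band step)."""
        acct = self.accounts[email]
        acct.password = new_password
        if self.invalidate_on_reset:
            acct.sessions.clear()        # the attacker's pre-registration session dies here
            acct.unverified_ids.clear()  # and so does the unconfirmed recovery identifier
        return self._new_session(acct)

    def session_valid(self, session: str) -> bool:
        return self._by_session(session) is not None

    def _new_session(self, acct: Account) -> str:
        tok = secrets.token_hex(16)
        acct.sessions.add(tok)
        return tok

    def _by_session(self, session: str) -> Optional[Account]:
        for acct in self.accounts.values():
            if session in acct.sessions:
                return acct
        return None


def run_attack(invalidate_on_reset: bool) -> dict:
    """Play the pre-hijacking scenario against one service variant."""
    svc = AccountService(invalidate_on_reset)
    victim_email = "victim@example.com"               # constructed
    # 1. Attacker pre-registers with the victim's address and keeps the session.
    attacker_session = svc.register(victim_email, "attacker-pw")
    svc.add_unverified_identifier(attacker_session, "attacker@example.net")
    # 2. Victim signs up, is told the address exists, and resets the password.
    assert svc.register(victim_email, "victim-pw") is None
    svc.reset_password(victim_email, "victim-pw")
    acct = svc.accounts[victim_email]
    return {
        "attacker_session_alive": svc.session_valid(attacker_session),
        "attacker_identifier_linked": "attacker@example.net" in acct.unverified_ids,
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(invalidate_on_reset=False))
    print("hardened:  ", run_attack(invalidate_on_reset=True))
```

The two `clear()` calls are the whole fix: any event that transfers ownership of an account (password reset, email verification by a new party, merge with a federated identity) must be treated as a new security boundary and invalidate everything created before it.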


Web skimming attacks

Microsoft has a good review on web skimming attacks and the latest techniques these groups are using these days.

Yashma ransomware

The BlackBerry team published a report on the new Yashma ransomware. Just like SentinelOne in a recent report, BlackBerry researchers concluded that Yashma is based on the older Chaos ransomware.

Vulcan ransomware

According to SentinelOne, the operators of the Vulcan ransomware group are actively recruiting affiliates to help them breach networks and carry out intrusions.

Nokoyawa ransomware

Fortinet has published a report on the new Nokoyawa ransomware, which the company said borrows code from strains like Babuk, Karma, and Nemty.

GoodWill ransomware

CloudSEK researchers said that a new ransomware strain named GoodWill does not request a ransom payment; instead, it instructs victims to perform and document three acts of goodwill in order to receive a decryption key for their files. The three acts are:

  1. Donating new clothes to the homeless, recording the action, and posting it on social media.
  2. Taking five less fortunate children to Domino’s, Pizza Hut, or KFC for a treat, taking pictures and videos, and posting them on social media.
  3. Providing financial assistance to anyone who needs urgent medical attention but cannot afford it, recording audio, and sharing it with the operators.

For now, this appears to be only a proof-of-concept ransomware, and no known victims have been identified. CloudSEK researchers said that based on current evidence, they believe the ransomware’s creator is located in India.

Turla

Cybersecurity firm Sekoia published a blog post on Monday detailing a recent reconnaissance and espionage campaign executed by the Turla APT group. Targets included the Baltic Defense College and the Austrian Economic Chamber.

Russia Today campaign

Malwarebytes said on Wednesday that after Russia’s invasion of Ukraine, an APT group began targeting employees of Russia Today with a malicious spear-phishing campaign. The company reports that the attacks infected RT employees with a remote access trojan and that the threat actor “had access to almost 100 RT TV employees’ email address.” The attacks also appear to have targeted the Rostec defense conglomerate.

Matryoshka Trap

A team of four Chinese academics has published a report called Matryoshka Trap [PDF], which describes how to use memory-mapped I/O (MMIO) calls to escape virtual machines. The vulnerabilities impact QEMU/KVM, a hypervisor widely used in cloud computing environments, and are tracked as CVE-2021-3929 and CVE-2021-3947. The paper was presented at the CanSecWest security conference last week, and proof-of-concept code was also made available on GitHub.

$10 million bounty

Cryptocurrency platform Wormhole paid one of the largest bug bounties ever recorded, awarding $10 million to a security researcher named satya0x for a bug that could have allowed a threat actor to steal funds from its inter-blockchain bridge implementation. Wormhole’s huge payout comes after the company was hacked and lost more than $322 million in an incident earlier this year, in February.

GitHub bug bounty program

GitHub said it awarded more than $800,000 in bug bounty rewards in 2021, bringing its total to more than $2.3 million awarded to security researchers since the creation of its bug bounty program in 2016.

Screencastify vulnerability

Security researcher Wladimir Palant has published a report about a vulnerability in Screencastify, a Chrome browser extension that could be used to record and share videos using a browser’s webcam API. Palant said attackers could abuse the bug to secretly record videos via a victim’s webcam. The researcher said that after notifying the extension’s developer earlier this year, in February, not only did they not fix the issue but also added a second vendor’s domain through which it could be exploited.

No patches

Netgear said that “due to technical limitations outside of [their] control,” they are unable to patch multiple security vulnerabilities in the BR200 and BR500 router models. The vulnerabilities can allow threat actors to execute malicious code against a victim’s router management panel when users visit a malicious site. Netgear has recommended that all users log off from the router control panel to prevent automated attacks.

Trend Micro zero-day

Trend Micro said it patched a vulnerability exploited by the Moshen Dragon APT in attacks reported earlier this month by SentinelOne.

Zoom fixes

Zoom has fixed four vulnerabilities reported by the Google Project Zero team that could have allowed threat actors to take over user systems just by sending malicious chat messages to Zoom users. The root cause was that Zoom clients and servers used different XML parsing libraries to handle the XMPP traffic that carries chat messages; the discrepancies between the two parsers let an attacker smuggle XMPP stanzas past the server (a technique the researcher called “XMPP stanza smuggling”), opening the door to hijacking conversations and connecting Zoom users to malicious servers.

ISaPWN

Kaspersky’s industrial security research team has published a report on ISaPWN, a set of vulnerabilities in ISaGRAF, a programming tool and execution environment used to create and run programs for programmable logic controllers (PLCs). The company said that since March 2020, it has worked with various vendors, such as Rockwell Automation, Schneider Electric, Xylem, GE, and Moxa, to test and release patches for various PLC and SCADA tools that make use of ISaGRAF. The vulnerabilities are considered critical as some can allow unauthenticated, remote attacks against industrial equipment, while others allow password brute-force attacks or device persistence.

Security funding news

One good newsletter to subscribe to is Security Funded, a weekly newsletter with news on recent funding rounds and market moves from cybersecurity companies. The newsletter is curated by Mike Privette. Sample newsletter here.

Verizon DBIR

The Verizon 2022 Data Breach Investigations Report (DBIR) is out. The report has built a well-deserved reputation for providing the most comprehensive view of the cybersecurity landscape across the world. Among this year’s main DBIR conclusions: roughly 62% of the system intrusion incidents analyzed for the report came through a compromised partner, i.e. the supply chain, rather than through a direct attack on the victim.

Linux XorDdos Trojan Use on the Rise

Researchers at Microsoft have noted a “254% increase in activity from a Linux trojan called XorDdos” over the past six months. XorDdos was first detected in 2014; it targets Linux endpoints and servers. In a blog post, the Microsoft 365 Defender Research team writes, “XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy. Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”

Note

  • As endpoint detection and response (EDR) improves on Windows systems, we see a shift to Linux systems where EDR may not be running or is not detecting as well. We will see more focus on Linux now, with multiple solutions for detection. As usual, you can’t just set it and forget it. Detection engineering will be required to ensure the correct data/log sources, telemetry, tuned alerts, and people trained to respond.
  • As a CSO, or someone responsible for security in your organisation, do not be lured into a false sense of security if you think “This does not impact me as we don’t have Linux desktops.” Remember many devices have Linux embedded in them so you need to ensure they are part of your vulnerability management program.
  • XorDdos uses brute-force SSH attacks to get onto systems. At a minimum make sure that you’re not allowing password access for Internet facing Linux servers. Even better, don’t allow password authentication mechanisms, ideally disallowing root login over the network. Endpoint protection systems are able to detect and thwart this malware; the question is have you installed one on your Linux servers? If you have, make sure that the coverage is equivalent to other endpoint protection services deployed in your environment, to include centralized reporting and management. Many solutions are now cross platform.
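The SSH hardening advice in the note above is worth turning into a check, because `sshd_config` has a property that trips people up: for each keyword, sshd uses the first value it encounters, so a `PasswordAuthentication no` appended to the end of a distro file that already says `yes` changes nothing, and directives under a `Match` block are conditional rather than global. The auditor below is an added example, not a tool from Microsoft’s report or the OpenSSH project; it reads the global settings the way sshd does, fills in OpenSSH’s documented defaults for anything unset, and lists the directives that still permit the password brute forcing XorDdos relies on. Both config texts are constructed.

```python
from typing import Dict, List, Tuple

# OpenSSH defaults for the directives checked here (per sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older name for the same keyboard-interactive directive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text: str) -> Dict[str, str]:
    """Global value of each directive. sshd keeps the FIRST occurrence of a
    keyword, and everything after the first 'Match' line is conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) == 2 and key in DEFAULTS and key not in seen:
            settings[key] = parts[1].strip().lower()
            seen.add(key)
    return settings


def audit_sshd_config(config_text: str) -> List[Tuple[str, str, str]]:
    """(directive, current, recommended) for settings that leave the host open
    to SSH password guessing or direct root login."""
    s = effective_settings(config_text)
    wanted = [
        ("PasswordAuthentication", "passwordauthentication", "no"),
        ("KbdInteractiveAuthentication", "kbdinteractiveauthentication", "no"),
        ("PermitRootLogin", "permitrootlogin", "no"),
        ("PubkeyAuthentication", "pubkeyauthentication", "yes"),
    ]
    return [(name, s[key], want) for name, key, want in wanted if s[key] != want]


# Constructed: a typical distro file with a well-meaning but ineffective fix appended.
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd already took the first value
"""

# Constructed: key-only logins globally; the Match block only relaxes one account.
HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes   # conditional, does not change the global setting
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(text) or "OK")
```

Run it over `/etc/ssh/sshd_config` (and, on distributions that use it, the files in `sshd_config.d/`, which are read first via `Include`) before assuming a host is immune to password spraying; `sshd -T` prints the effective configuration if you want to cross-check.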


380,000 Kubernetes API Servers Accessible on Public Internet

ShadowServer says that when they scanned for accessible Kubernetes API instances, they found more than 380,000 that allowed some form of access on the public Internet. The scans identified 450,000 instances in all.

Note

  • This is very sad but not surprising. We just can’t seem to get the message across that new shiny technologies need to employ some of the same old boring security measures.
  • This reminds me of the number of S3 buckets open to everyone on the public Internet until Amazon defaulted to non-public buckets. Kubernetes documentation provides multiple methods to secure your APIs including but not limited to ACLs, using TLS, API Authentication, and API Authorization.
  • Make sure that you’re controlling access to your Kubernetes APIs. Use authentication and firewall rules to limit access to only authorized devices and users. Think of your container orchestration as a back-end service which you protect like any other management interfaces.


Google: Governments are Buying Android Zero-Days

According to Google’s Threat Analysis Group (TAG), state-sponsored threat actors have been using Android zero-day exploits to install spyware on targeted devices. The exploits were obtained from a company called Cytrox, which is based in North Macedonia. Governments in Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain have used the exploits.

Note

  • Now defunct NSO Group has shown how lucrative mobile spyware can be. No surprise that governments are using new vendors to keep up their spying, and companies are setting up shop in countries with a less developed legal framework around commercial malware.
  • The CVE-2021-1048 exploit points out one of the problems of Android-based devices – the flaw had been fixed in 2020 but not flagged as a security issue, so not all of the cell phone vendors had incorporated the fix into their Android kernels. Samsung phones were vulnerable, but most Google Pixel phones were not. Google needs to make sure future security-relevant Android fixes get properly tagged; phone vendors need to speed up security-relevant fixes. The iPhone “monoculture” avoids this issue and has advantages for high value users to avoid this type of problem in the future.
  • The underground market for 0days is alive and well. If this topic interests you, I recommend reading This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth. It goes into the history of buying, selling, and brokering exploits.
  • Research indicates the attacks were highly targeted, as in tens of devices, and attempted to leverage the delays different manufacturers have in releasing Android updates. While the fastest update cycle will come from Google-provided devices, understand the release timing for both OS and security updates for your preferred Android device manufacturer as well as looking at user expectations for deploying those updates to see what your exposure is then adjust accordingly. Even with the smallest interval, users still need to be careful with unknown messages, email, application sources as well as their permissions. Make sure that your devices are managed to have visibility into any malfeasance and look for situations where it may be ideal for users to carry a loaner device.


Malicious Package Uploaded to PyPI Registry

More than 300 users were tricked into downloading a malicious package that was uploaded to the Python Package Index (PyPI) registry. The malicious package infects Windows, macOS, and Linux systems with Cobalt Strike. Automated detection bots at Sonatype discovered the malicious package.

Note

  • These types of attacks keep happening. And for good reason – they work. Organizations need to recognize that no technology stack will fully mitigate such attacks. This should shift some focus to “assumed breach” assessments where endpoint and network controls are tuned to discover (and validated against) post-exploitation activity. The good news is that detecting post-exploitation activity is substantially easier than preventing exploitation in the first place, largely owed to the fact that the search space is so much smaller.
  • Grab those IOCs from the Sonatype blog and make sure you’re not messing with the typo squatting PyMafka project (vs PyKafka). Getting projects working with components from the legitimate versions of software packages is hard enough already; now we need to arm our developers with tools to detect and block malicious versions. Which means the next thing you need to do is to get smart about services which amount to an open-source firewall that performs inline analysis of downloaded content to block bogus packages.
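The PyMafka item above and the earlier note on the 200 malicious npm packages are the two halves of the same problem: a name one edit away from a real package (typosquatting), and a public package whose name collides with an internal one (dependency confusion). The gate below is an added example, not from Sonatype, Snyk or any package manager, that a CI job could run over the resolved names of a lockfile before installation. It normalises names the way PyPI does (case-insensitive, runs of `-`, `_` and `.` collapsed), computes Levenshtein distance against a list of packages the team actually uses, and refuses any name that is an internal package or a near miss of a trusted one. The package lists are constructed for the example.

```python
import re
from typing import Dict, Iterable, List


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' or '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_dependencies(requested: Iterable[str], trusted: Iterable[str],
                       internal: Iterable[str], max_dist: int = 1) -> Dict[str, List[str]]:
    """Map each suspicious requested name to its reasons:
    - it is an internal package name, which must never be fetched from a public
      index (dependency confusion);
    - it is within max_dist edits of a trusted name without being that name
      (typosquat)."""
    trusted_n = {normalize(t) for t in trusted}
    internal_n = {normalize(i) for i in internal}
    findings: Dict[str, List[str]] = {}
    for raw in requested:
        name = normalize(raw)
        reasons = []
        if name in internal_n:
            reasons.append("internal package name requested from a public index (dependency confusion)")
        if name not in trusted_n:
            for t in sorted(trusted_n):
                if edit_distance(name, t) <= max_dist:
                    reasons.append(f"looks like a typosquat of {t}")
        if reasons:
            findings[raw] = reasons
    return findings


# Constructed inputs: what a build asked for, what the team knowingly uses, and
# what lives only on the company's private index.
REQUESTED = ["PyMafka", "requests", "numpy", "acme-billing-client"]
TRUSTED = ["pykafka", "requests", "numpy"]
INTERNAL = ["acme_billing_client"]

if __name__ == "__main__":
    for pkg, reasons in audit_dependencies(REQUESTED, TRUSTED, INTERNAL).items():
        print(f"BLOCK {pkg}: " + "; ".join(reasons))
```

The internal-name check only works if the build resolves those names from a private index with public fallback disabled; the edit-distance check needs a curated trusted list rather than “everything on PyPI”, otherwise legitimate packages that happen to be one letter apart will flag each other.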


School Management WordPress Plugin Vulnerability

Researchers found a backdoor in a WordPress plug-in designed for use by schools. The School Management plug-in helps schools send email and SMS notifications, manage attendance and notices and conduct other school-related business. The backdoor allows attackers to execute PHP code without authentication. The backdoor has been present in the plug-in since at least version 8.9, which was released in August 2021. The issue has been fixed in School Management version 9.9.7.

Note

  • No one said security was easy. If you update your WordPress plugins quickly, you don’t have time to review for backdoors. I don’t expect schools to be doing that, especially for the premium version which they pay for. Automated scanning of code may have helped here as it did for the PyPI registry package.
  • The malicious code was heavily obfuscated, so you wouldn’t have spotted it if you went looking. To add insult to injury, this is their premium version, not the free version. Double check you’re running at least 9.9.7; now that the vulnerability is published it’s certain that attempts will be made to exploit it.
  • This plugin is widely used. If one is using a WordPress plugin, the minimum security requirement is to stay current.

US Tackling Ransomware from Several Directions

The US government is establishing a Joint Ransomware Task Force, which will be overseen by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. In addition, the Justice Department will oversee two international initiatives focused on cryptocurrency issues related to ransomware.

Note

  • Ransomware is the final “action on objectives” phase of the cyber kill chain. Organizations have multiple opportunities to detect and respond to these attacks prior to exfiltration and encryption. CISA has been doing a lot on the ransomware front and I welcome this initiative. For a quick look, I worked with CISA to come up with the top Ransomware TTPs last year: www.scythe.io: Threat Thursday Top Ransomware TTPs
  • It is good to see this type of initiative happening. We cannot rely solely on end user organizations to have the appropriate security measures in place all the time. A coordinated and multi-disciplined approach by various government bodies will reduce the threat posed by ransomware gangs. I am glad to see there is also an international element in this, as countries acting alone will not have a major impact on this threat. We need international cooperation and the sharing of information to tackle this problem.
  • This takes the year-old CISA Ransomware Task force to the next level, bringing resources from the FBI to the table. They are also planning to leverage a partnership with the Department of State for overseas liaisons to help assist foreign law enforcement and prosecutors address cybercrime.

Cisco Fixes Vulnerability in IOS XR Software

Cisco has released updates to fix an open port vulnerability in its IOS XR router software that is being actively exploited. The flaw “could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.” Cisco also offers workarounds to mitigate the issue.

Note

  • The health check service, by default, opens port 6379 and allows unauthenticated access to the Redis database and the filesystem, and remote code execution on the system. Follow the Cisco guidance to determine if you’re vulnerable. Workarounds include disabling the health check or adding ACLs to the service. The best fix is to update to a non-vulnerable version of the software and ensure that access to the health check is only from authorized devices.
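The quickest external check for the exposure the advisory describes is to see whether anything on TCP 6379 answers a Redis PING without credentials. The script below is an added example (not from Cisco’s advisory) that sends a RESP-encoded PING and classifies the reply: +PONG means commands are accepted with no authentication, -NOAUTH means Redis is reachable but protected by a password, and a refused connection means nothing is listening, which is what a patched or ACL-protected router should return. A minimal fake Redis server is included only so the probe can be exercised offline; the port number is the one the advisory names.

```python
"""Probe a host for a Redis instance that answers without authentication.

Added example, not from Cisco's advisory; the fake server exists only so the probe
can be exercised offline.
"""
import socket
import socketserver
import threading

REDIS_PORT = 6379  # the port the IOS XR health-check service exposes Redis on
PING = b"*1\r\n$4\r\nPING\r\n"  # RESP-encoded PING; needs no credentials to send


def classify_reply(reply):
    """Map the first RESP line returned for PING to a finding."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open-unauthenticated"  # commands accepted with no AUTH: the exposed state
    if line.startswith(b"-NOAUTH"):
        return "open-auth-required"  # reachable, but requirepass is set
    if line.startswith(b"-"):
        return "open-error"  # reachable, some other error (e.g. ACL denied)
    return "unexpected"  # not speaking RESP; probably not Redis


def probe_redis(host, port=REDIS_PORT, timeout=3.0):
    """Connect, send PING and classify the answer; 'closed' if nothing is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PING)
            data = sock.recv(256)
    except OSError:  # connection refused, unreachable, or timeout
        return "closed"
    return classify_reply(data) if data else "closed"


# --- minimal fake Redis so the probe can be demonstrated without a router ---
class _FakeRedisHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(256)  # consume the PING
        self.request.sendall(self.server.reply)


class FakeRedis(socketserver.ThreadingTCPServer):
    """Listens on an ephemeral loopback port and returns a canned RESP reply."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, reply):
        self.reply = reply
        super().__init__(("127.0.0.1", 0), _FakeRedisHandler)


def start_fake_redis(reply):
    """Start a FakeRedis in a background thread; returns (server, port)."""
    server = FakeRedis(reply)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_local_port():
    """Bind and release an ephemeral port so a 'closed' result can be demonstrated."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    for reply in (b"+PONG\r\n", b"-NOAUTH Authentication required.\r\n"):
        server, port = start_fake_redis(reply)
        print(f"127.0.0.1:{port} -> {probe_redis('127.0.0.1', port)}")
        server.shutdown()
        server.server_close()
    print(f"closed port -> {probe_redis('127.0.0.1', unused_local_port(), timeout=1.0)}")
```

Against a real device, call probe_redis with the router’s management address from a host that sits outside the ACL you intend to rely on; anything other than closed from that vantage point means the workaround is not doing its job.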

Senate Committee Hearing on Health and Education Sector Cybersecurity

The US Senate Committee on Health, Education, Labor, and Pensions (HELP) held a hearing last week to hear from experts on what is needed to improve cybersecurity in the Healthcare and Education sectors. Witnesses included Denise Anderson, President and CEO of Health ISAC; Joshua Corman, Founder of I am the Cavalry; Amy McLaughlin, Cybersecurity Program Director for the Consortium of School Networking; and Helen Norris, VP and CIO of Chapman University.

Note

  • There was a common missing element in the testimony – addressing the major cause of vulnerabilities that enable many attacks: poor IT practices that lead to use of unpatchable versions of software and missing patches on supported software and other basic security hygiene issues. Too much of the security budget is spent on reaction to/remediation of those issues. Talks of incentives for improving security need to include the root cause of the vulnerabilities.
  • There is a challenge with the pace of providing care, incorporating new devices which increase the effectiveness of that care for both patients and doctors, all of which are connected, without sufficient time to back off and really work the security. This was a trend even prior to the pandemic, but the last few years not only increased the demand for services but also shrank the number of medical practitioners (per patient) to deliver them, which is a recipe for rapid adoption while fixing security later. While suppliers and regulators figure out the right balance needed to deliver secure devices, make sure that you’re consistently assessing your environment and applying fixes to discovered issues in a timely fashion. Don’t forget your back-office or other supporting services which may also have been re-engineered or reinvented.

Greenland Healthcare Services Hobbled by Cyberattack

Healthcare services in Greenland are “severely limited” due to a cyberattack. The incident began on May 9. The communications manager for Naalakkersuisut, Greenland’s government, said “that it is most likely the same hackers who attacked the central administration network a few months ago. It can be traced in the procedure and the technical imprints left on the network.”

Note

  • Part of the challenge was restoring services after the attack crashed some components. While it can be difficult, make sure that you’ve got dependencies mapped out as well as startup order prior to needing a full restart. Then here’s the scary part: test it in production.
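As an added example of the dependency mapping the note calls for (it is not from the Greenland incident or any real restoration runbook), the following derives a restart order from a service dependency map: services are grouped into waves that can be brought up in parallel, the shutdown order is the reverse, and the function refuses to produce an order when the map references an unmapped service or contains a cycle, which is exactly the defect you want to discover in a drill rather than during an outage. The service names are constructed.

```python
"""Compute a dependency-ordered startup (and shutdown) sequence for services.

Added example; the service map is constructed and is not from any real runbook.
"""

# service -> services that must be up before it can start
SAMPLE_DEPENDENCIES = {
    "dns": [],
    "storage": [],
    "directory": ["dns", "storage"],
    "database": ["storage", "dns"],
    "ehr-app": ["database", "directory"],
    "patient-portal": ["ehr-app", "directory"],
}


def startup_waves(deps):
    """Kahn's algorithm: return waves of services that can be started in parallel.

    Raises ValueError for a dependency on an unmapped service or for a cycle,
    naming the services that can never start; both are runbook defects to fix
    before an outage, not during one.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc} depends on unmapped service {need}")
            indegree[svc] += 1
            dependents[need].append(svc)

    ready = sorted(svc for svc, n in indegree.items() if n == 0)
    waves, started = [], 0
    while ready:
        waves.append(ready)
        started += len(ready)
        next_ready = []
        for svc in ready:
            for dep in dependents[svc]:
                indegree[dep] -= 1
                if indegree[dep] == 0:
                    next_ready.append(dep)
        ready = sorted(next_ready)

    if started != len(deps):
        stuck = sorted(svc for svc, n in indegree.items() if n > 0)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return waves


def startup_order(deps):
    """Flat startup sequence (one service at a time, dependencies first)."""
    return [svc for wave in startup_waves(deps) for svc in wave]


def shutdown_order(deps):
    """Reverse of startup: stop dependents before the services they rely on."""
    return list(reversed(startup_order(deps)))


if __name__ == "__main__":
    for n, wave in enumerate(startup_waves(SAMPLE_DEPENDENCIES), 1):
        print(f"wave {n}: {', '.join(wave)}")
    print("shutdown:", " -> ".join(shutdown_order(SAMPLE_DEPENDENCIES)))
```

The map is the artifact worth keeping current; the ordering is cheap to recompute, and a ValueError from this function during a tabletop is far cheaper than discovering the same cycle when the hospital systems are down.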

ICE contractor breach

Trust Stamp, a contractor for the US ICE, left the personal information of several dozen people on an unsecured database. The information included names, birthdays, home addresses, and driver’s license data. The leaky server came to light after a security researcher notified Business Insider.

BfK breach

The Chicago Public Schools said that the data of 495,448 students and more than 56,000 staff was exposed last year after Battelle for Kids, an Ohio-based not-for-profit, suffered a ransomware attack last December. The incident is believed to have exposed the personal details of millions of children as the Ohio non-profit also caters to 250+ other schools, to which it provides data analytics services.

DeliveryClub

Russian food delivery platform DeliveryClub confirmed that it leaked more than 250 million data points containing information on past customer orders, including full names and delivery addresses, Interfax reported last week. And if that wasn’t bad enough, a Ukrainian security researcher found 10 million more additional records over the weekend with additional information such as chat messages sent by customers, and in some cases even email and geo-location data.

FairEmail shuts down

The developer of FairEmail, an open-source email client, shut down their applications after Google flagged its app as “spyware” without any explanation.

NATO meeting

Last week, the senior cyber coordinators from all NATO members and allies met in Brussels for the first time. They discussed topics of cyber defense and Russia’s invasion of Ukraine and its implications for the cyber threat landscape.

EU concerns on cybercrime treaty

The European Data Protection Supervisor (EDPS) has raised concerns that a cybercrime treaty proposed by Russia to the UN and up for a vote later this year would weaken digital rights and limit international cooperation in cybercrime cases. The criticism comes as several human rights activists raised similar concerns last month, arguing that the treaty would classify online free speech as a form of cybercrime and provide oppressive regimes a way to go after critics and dissidents.

Ransomware victims do an eye-roll

Nikolai Patrushev, Secretary of the Russian Security Council, said last week that “the anonymity of the US-supported Internet contributes to the spread of computer viruses and the activities of cybercriminals” and that “hackers financially motivated by Western countries” are increasingly conducting cyber-attacks against the Russian Federation.

Signs of altered emails

DDoSecrets, an investigative journalism organization, claimed over the weekend that it found signs of altered and implanted evidence in a collection of emails that supposedly came from Hunter Biden’s laptop. The organization said the supposedly altered email collection was being shared by members of the Republican Party and, more accurately, by “Trump allies and former staffers.”

PyPI library

DevOps security company Sonatype has discovered a malicious Python package on the PyPI portal that would install Cobalt Strike beacons and backdoors on developers’ systems. The package was named pymafka and tried to pass as PyKafka, a popular Python library for working with the Apache Kafka project.

Backdoored WP plugin

The Jetpack team said last week that versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed.

Deadbolt attacks

Last week, QNAP warned of new attacks carried out with the Deadbolt ransomware. In a blog post over the weekend, IoT search engine Censys said it had already detected more than 500 infected QNAP NAS devices part of these recent attacks. That number is around 3,500 in the ZoomEye search engine.

Midas rebrand

Security firm CloudSek said it discovered a new ransomware group calling itself Axxes, which appears to be a rebrand of the older Midas ransomware operation.

Metastealer

Security firm NCC Group has published a report on Metastealer, a new information stealer advertised on underground forums and designed to fill the void following Raccoon Stealer suspending operations in March of this year.

Fbot

Chinese security firm Qihoo 360 has reported on a series of DDoS attacks against Chinese government websites using the Fbot IoT malware/botnet.

ArguePatch

ESET said the Sandworm APT had continued its attacks against Ukrainian targets with a new malware strain named ArguePatch. ESET said the malware was disguised in a version of its own antivirus, commonly deployed across Ukraine.

Naming schemes

The Curated Intelligence group has published a blog post about how the APT naming schemes of various companies work and the thinking behind them.

Oracle emergency security update

Oracle has released an emergency security update to patch CVE-2022-21500, a pre-auth RCE in the Oracle E-Business Suite. The company says that “if successfully exploited, this vulnerability may result in the exposure of personally identifiable information (PII).”

Cisco IOS XR zero-day

Cisco released router updates last week to fix a zero-day vulnerability (CVE-2022-20821) that was exploited in some of its devices earlier this month. The company said the vulnerability can “allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.”

Ghostrings

Security firm NCC Group has open-sourced Ghostrings, a collection of Ghidra scripts for recovering string definitions in Go binaries.

Costa Rica ‘at war’ after Conti called for government’s overthrow

Costa Rica’s new president said this week that the country was “at war” with the Conti ransomware group after an attack hobbled over two-dozen government agencies, including the country’s treasury, meaning civil servants won’t get paid on time. Adding to that, the Russia-linked ransomware group called on Costa Ricans to “go out on the street and demand payment,” adding that it is “determined to overthrow the government by means of a cyber attack.” That’s a major escalation from a ransomware group, and one that experts are concerned could hit smaller governments. After making the $20M and overthrow demands, Conti allegedly shut down this week. But Conti’s demand stands: the country has until May 23 to pay up or have its decryption keys deleted.

‘Multi-tasking doctor’ was mastermind behind Thanos ransomware builder, DOJ says

A French-Venezuelan doctor was moonlighting as a ransomware creator, according to the DOJ, which charged 55-year-old Moises Luis Zagala Gonzalez with designing the Thanos ransomware builder tool, which gave cybercriminals the ability to launch their own ransomware attacks. The indictment said that the doctor even bragged about how an Iran-backed threat group known as MuddyWater used his tools. The “name and shame” indictment was filed in absentia since the doctor remains in Venezuela and likely won’t be traveling to the U.S. any time soon. The indictment has a ton more details, including how the Thanos tool looked and worked.

A screenshot of the Thanos ransomware builder (source: the indictment).

Spyware vendors target Android with zero-day exploits

We all know that iPhones get malware, specifically zero-click spyware that Apple has tried to combat. But spyware makers aren’t just targeting iPhones, as new research from Google’s Threat Analysis Group this week shows that Android users are also a major target. Cytrox, a North Macedonian spyware maker known for making the Predator spyware that’s targeted politicians and journalists in the past, exploited at least five zero-day vulnerabilities in Android to spy on their victims. In one case Cytrox is believed to have created a full bean-to-cup attack chain that could compromise fully up-to-date Samsung phones. @jsrailton makes an important point that NSO is just one of many spyware makers out there: “We can’t lose sight of the fact that NSO Group or any one of these vendors is just one piece of a broader ecosystem.”

U.S. warns over risk of hiring North Korea IT workers

The U.S. government has warned that IT workers from North Korea are trying to get remote, freelance jobs by hiding their real identities. Their aim is to get jobs, gain access, and steal money that the isolated regime uses to fund its nuclear weapons program. According to the U.S. joint report, the North Koreans have “used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions.” The North Koreans use stolen or forged documents to trick their would-be employers. The Treasury has a full report [PDF] out.

When your smart ID card reader comes with malware

Millions of U.S. government employees and contractors have to use personal identity verification (PIV) readers to log onto their systems. But many employees aren’t issued a card reader, prompting many to turn to low-cost readers that they find online. There’s just one problem: one popular brand of smart card reader, made by Saicoo, has over 11,000 mostly positive reviews, but the drivers needed for the reader, according to an analysis, contain the Ramnit trojan. Saicoo denied that there was a problem, which is in itself a problem.

Personal information of 1.8M Texans exposed for 3 years

A bug in the website of the Texas Department of Insurance, a government agency that oversees the insurance industry in the state, exposed close to three years worth of insurance claims to the internet. The bug was discovered last year as part of a scheduled audit. In total, some 1.8 million Texans had information exposed, according to the state, including addresses, dates of birth, phone numbers, information about workers’ injury, and Social Security numbers.

ICE contractor Trust Stamp exposed dozens of people’s data

Trust Stamp, a facial recognition company with a $7.2 million contract with U.S. immigration authority ICE, exposed the private data of dozens of people because credentials used for prospective clients to test the company’s system were posted publicly. The data didn’t appear to expose migrants’ data, and some of the data contained test data. But of the dozens of people’s information exposed, that included driver’s license data, dates of birth and home addresses — details that Insider independently verified as accurate. Starting to lose count of how many U.S. government contractors have exposed people’s data over the years…

Water companies are increasingly uninsurable due to ransomware

Even though the water supply is considered critical infrastructure, most water companies are municipal or privately owned. But the massive underinvestment in cybersecurity means more water companies are increasingly uninsurable against ransomware, because insurers now require more stringent cybersecurity controls.

The U.S. Justice Department said it has a new policy for prosecuting cases under U.S. computer hacking laws

The policy directs that good-faith security researchers “should not be charged.” This is a pretty monumental shift for the DOJ, and comes a year after the Computer Fraud and Abuse Act (CFAA), the law under which unauthorized access to a computer system is prosecuted, was challenged and limited by the Supreme Court. The DOJ’s policy change is geared towards not prosecuting research that helps get systems fixed, while still allowing prosecutors to charge malicious hackers who try to extort owners. Clearly a big difference, but the law doesn’t really differentiate between the two.

It’s a good start, but it is a policy that could change again in the future, and it does nothing to stop state-level prosecutions or civil charges from being brought. Still, better late than never. Ask your lawmaker to reform CFAA for the better!

NSA, FBI, CISA and Allied Nations Joint Press Release on Cybersecurity Weaknesses

Agencies focused on cybersecurity in the US, the UK, Canada, New Zealand, and the Netherlands have jointly published an advisory “to raise awareness about the poor security configurations, weak controls and other poor network hygiene practices malicious cyber actors use to gain initial access to a victim’s system.” The document includes technical details about weak security controls, configurations, and security practices that are often exploited as well as suggested mitigations.

Note

  • As is often the case, the recommendations have long been part of what is now the CIS Critical Controls, Implementation Group 1 and some of IG 2, as well as the same requirements being long called out in the Australian “Essential 8.” If you are using security tools that provide those profiles, turn them on. If your tool does not support at least the Critical Security Controls, it is long past time to switch to one that does.
  • The recommendations are familiar, with the possible exception of zero trust, and before you roll your eyes, revisit these. The feasibility of implementing many things is changing and it may now be feasible to roll out MFA, monitor for compromised credentials, check for default accounts and implement secure configurations. Don’t forget to check on incident detection and response as well as the threat intel sources needed to detect and respond to relevant threats and incidents.

CISA Tells Federal Agencies to Patch VMware Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive instructing federal agencies to mitigate VMware vulnerabilities. The flaws affect five products. Agencies have until Monday, May 23 to enumerate all instances of impacted VMware products or disconnect the products if the patches cannot be applied.

Note

  • One of the downsides of the virtualized data center is that when the underlying virtualization platform (usually VMware at enterprises) inevitably needs to be patched, all servers will need to be brought down. This is kind of like when network switches have vulnerabilities – too often, a very long time to patch. Switches were harder to attack; you need to have emergency downtime procedures for critical vulnerabilities in VMware.
  • The short version is you should be updating your hypervisors now. Ideally, migrate the workload to another hypervisor so you can patch with nominal downtime. Note that this ED not only applies to on-premises systems but also to systems processing data on the agency’s behalf, meaning outsourced or cloud operations. If you’re using FedRAMP authorized cloud services, you can leverage the FedRAMP tracking and reporting services to track status. The ED not only requires enumeration but also status reporting by May 24th. All internet facing impacted VMware products are to be considered compromised, disconnected, reported, and not reconnected until they are both updated and have a clean bill of health.

Microsoft Releases Out-of-Band Update to Fix Active Directory Authentication Issues

On Thursday, May 19, Microsoft released an out-of-band update to address problems introduced in a Patch Tuesday update. The issue was causing authentication failures for some Windows services.

Note

  • Many organizations held back applying the May updates due to this bug, which affected one of the more important vulnerabilities patched in May. Exploits for this “certified” vulnerability are already public and with this update, you should not delay the May patches any longer.
  • This patch only applies to domain controllers. If you’re applying the patch bundle, you’ll need to apply the May monthly rollup as well as the standalone patch. The patch will not be listed via Windows Update, nor will it install automatically. Make sure you’re following the guidance for the certificate-based authentication changes on your domain controllers; you may need to change the KDC to disabled rather than compatibility mode to ensure certificate-based authentication works properly. See support.microsoft.com: KB5014754—Certificate-based authentication changes on Windows domain controllers

NSA: North Korean Spies Seeking IT Jobs

The FBI, along with the US Department of the Treasury and the Department of State, has issued an advisory warning that North Korean spies are using fake documentation to pose as non-North Korean IT job applicants. The “advisory provides detailed information on how DPRK IT workers operate; red flag indicators for companies hiring freelance developers and for freelance and payment platforms to identify DPRK IT workers; and general mitigation measures for companies to better protect against inadvertently hiring or facilitating the operations of DPRK IT workers.”

Note

  • Same advice as after every “privileged insider gone bad” story comes out – security should work with IT and HR to make sure that all potential hires who will fill jobs that require privileged access will require more thorough vetting, including checking references.
  • These workers are targeting WMD information, so if you’re in a defense or defense-related industry, read the guidance carefully, paying attention both to the actions taken, such as forged documents and “borrowed” identities, and to the mitigations, including verification of documentation provided and supporting evidence of employment. Make sure that your pre-employment screening firm is aware of these activities when vetting new hires, and don’t let work commence until the checks are complete. The mitigations relating to data exfiltration and inappropriate access should be considered irrespective of these threat actors.

iPhones are Never Fully Powered Down

Researchers have developed a way to take advantage of the fact that iPhones are never fully powered down, even when they are turned off. The iPhone’s Bluetooth, Near Field Communication (NFC) and Ultra-wideband (UWB) technologies remain on when the devices are powered down to allow the use of the “Find My” feature, credit cards, and keys. In a recently published paper, researchers from Germany’s Technical University of Darmstadt “demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.”

Note

  • Note that this is only an issue if the attacker is able to upload malware into the Bluetooth system. But it does illustrate an important point that the state of modern systems isn’t always obvious. Similar issues have come up years ago with IPMI interfaces in servers that are on and listening even if the server appears to be powered down. A larger issue may be that phones can be located even while turned off. On the one hand, this is a useful feature should you ever lose your phone, but there appears to be no clear control for the user to enable or disable the feature.
  • Not an easy one to exploit, but good idea to check current and planned medical, office and retail environments for plans for any sort of Bluetooth/NFC/UWB technology where scanning of phones is going on in a public area.
  • iOS 15 introduced the capability to allow the “Find My” and express cards and keys features to work on a powered-off device. Prior to iOS 15 you had an option for a low power mode to save battery; this is a separate mode which is active even though you powered off the device or the battery is drained. As the chips are still running, the possibility exists to have them executing other code as well. To set that up, you need a device which is already fully compromised/jailbroken.

DoJ Revises Policy on CFAA Charges

The US Justice Department has revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA). Under the new policy, DoJ will not charge good faith security researchers with CFAA violations. According to the DoJ press release, “Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

Note

  • I’m thinking of so many mentors who would be reminding me “above all else do no harm.” Shortly followed by an admonishment that I had proper permission. When researching security issues, make sure that you have permission from someone authorized to grant it. With the advent of vulnerability disclosure programs, this is even more easily secured.
  • Call me old fashioned but I prefer it when a government changes a law so that the law is clearer and easily understood rather than simply changing their policy on how they will apply the existing law. Policies can be easily changed, laws not so much.

MITRE Supply Chain Security Framework

MITRE has developed the “System of Trust (SoT), a supply chain security community effort defining, aligning, and addressing the concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings.” The framework will be introduced at next month’s RSA Conference in San Francisco.

Note

  • Haven’t been able to review this one yet, but we haven’t lacked for frameworks defining what to do. Achieving meaningful improvement in software supply chain security will always require action and changes that require buy-in of multiple groups: IT, procurement, logistics/OT, etc. – a “can’t do that” chain of obstacles that needs to be overcome. If you/your CISO does Board of Director briefings, this is a good area for a table top exercise that is first run for the CEO, CIO, etc.
  • This is intended to provide a consistent framework for assessing your software supply chain. You’re going to want to leverage any available frameworks to get your arms around securing your software supply chain to keep the effort scoped, and maximize success as attackers aren’t going to pause while we figure this out.
  • One hopes that such a framework focuses on the responsibilities of suppliers rather than on those of the buyers. The solution to the “supply chain” vulnerability lies with suppliers.

Jupiter WordPress Plugin Vulnerabilities

A critical flaw in the Jupiter Theme and JupiterX Core plugin for WordPress can be exploited to gain administrator privileges. The issue affects more than 90,000 sites. There are also other vulnerabilities. Fully patched versions of the Jupiter Theme and JupiterX Core plugin have been released.

Note

  • The vulnerability could be exploited by any authenticated user. Make sure you’re running at least version 6.10.2 of the Jupiter Theme or 2.0.7 of JupiterX Core. The fixed versions were released May 10, so they should have already auto-updated; you want to make sure you’re not on the April 28th released versions, which didn’t fully patch the weaknesses. Make sure your WAF is running current firewall rules. Wordfence released firewall rules for the paid and free versions April 5th and May 4th respectively.
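Both the School Management note above (at least 9.9.7) and this Jupiter note (at least 6.10.2 / 2.0.7) come down to the same check: read the Version header that WordPress plugins carry in their main PHP file and themes in style.css, and compare it numerically rather than as a string (6.10.2 is newer than 6.9.9, which a plain string comparison gets wrong). The script below is an added example, not code from Wordfence, Jetpack or the plugin vendors; the slugs, the sample headers and the directory layout in load_headers are assumptions, while the minimum versions are the ones named in this page’s notes.

```python
"""Check WordPress plugin and theme Version headers against minimum fixed releases.

Added example, not vendor code. Slugs, sample headers and the path layout are
assumptions; the minimum versions are the ones named in this page's notes.
"""
import re
from pathlib import Path

# slug -> first release that carries the fix (from the notes on this page)
MINIMUM_FIXED = {
    "jupiter": "6.10.2",               # Jupiter Theme
    "jupiterx-core": "2.0.7",          # JupiterX Core plugin
    "school-management-pro": "9.9.7",  # The School Management Pro plugin
}

# Constructed sample headers, shaped like a theme's style.css and a plugin's main PHP file.
SAMPLE_HEADERS = {
    "jupiter": "/*\nTheme Name: Jupiter\nVersion: 6.10.1\n*/",
    "jupiterx-core": "<?php\n/**\n * Plugin Name: JupiterX Core\n * Version: 2.0.7\n */",
    "school-management-pro": "<?php\n/*\nPlugin Name: School Management Pro\nVersion: 9.9.6\n*/",
}

HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9A-Za-z.\-]+)", re.MULTILINE)


def header_version(text):
    """Extract the Version: header value, tolerating '/*' and ' * ' comment prefixes."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def version_key(version):
    """Split '6.10.2-beta' into comparable parts; numbers compare numerically, tags sort below numbers."""
    return [(1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", version)]


def is_at_least(installed, minimum):
    """True if installed >= minimum; shorter versions are padded with zeros ('2.1' == '2.1.0')."""
    a, b = version_key(installed), version_key(minimum)
    width = max(len(a), len(b))
    a += [(1, 0)] * (width - len(a))
    b += [(1, 0)] * (width - len(b))
    return a >= b


def audit(headers, minimums=MINIMUM_FIXED):
    """Report per slug: 'ok', 'vulnerable (x < y)', 'no-version-header' or 'not-installed'."""
    report = {}
    for slug, minimum in minimums.items():
        text = headers.get(slug)
        if text is None:
            report[slug] = "not-installed"
            continue
        installed = header_version(text)
        if installed is None:
            report[slug] = "no-version-header"
        elif is_at_least(installed, minimum):
            report[slug] = "ok"
        else:
            report[slug] = f"vulnerable ({installed} < {minimum})"
    return report


def load_headers(wp_content):
    """Collect headers from an install: plugins/<slug>/*.php carrying a Plugin Name, and themes/<slug>/style.css.

    Only the first 8 KiB of each file is read, which is what WordPress itself does.
    """
    root = Path(wp_content)
    headers = {}
    for plugin_dir in sorted(p for p in (root / "plugins").glob("*") if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            text = php.read_text(errors="replace")[:8192]
            if re.search(r"^[ \t/*#@]*Plugin Name:", text, re.MULTILINE):
                headers[plugin_dir.name] = text
                break
    for style in (root / "themes").glob("*/style.css"):
        headers[style.parent.name] = style.read_text(errors="replace")[:8192]
    return headers


if __name__ == "__main__":
    for slug, status in audit(SAMPLE_HEADERS).items():
        print(f"{slug:22} {status}")
```

On a live site, call audit(load_headers("/path/to/wp-content")) from the web server; the sample data deliberately leaves the theme and School Management one release short so the vulnerable output is visible.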

India Inches Back Cyber Incident Reporting Requirements

India has made some revisions to its data security incident reporting requirements. First introduced in April, the stringent requirements met with pushback from technology companies. Initially, the rules required that organizations report incidents within six hours of detection and to retain log files for 180 days. The new document clarifies that only “incidents of severe nature … on any part of the public information infrastructure including backbone network infrastructure” are subject to the six-hour rule.

Note

  • This is an improvement, particularly as Annex 1 of the FAQ [regmedia.co.uk: Frequently Asked Questions on Cyber Security Directions of 28.02.2022 (PDF) ] enumerates the types of incidents to be reported. They are now permitting the use of NTP services native to cloud services as well as authoritative sources, so long as there is no drift from their time source. They are holding the line on logging VPN and reporting network scans. The implementation due date remains June 27, and India has yet to disclose their data handling and privacy protections. Knowing how your data will be handled and protected is one of the key factors that should be established before sharing any information.
  • “Time to report” requirements are well intended and respond to the many instances in which reports have been late and self-serving. On the other hand, they are at odds with the fact many breaches are so subtle and covert as to resist discovery for weeks to months. Perhaps it is better to sponsor an ethic of transparency and accountability than to resort to law or regulation that in context appear unrealistic and punitive.

The unhackable phone is here

According to reports, China Telecom has launched a new smartphone that uses quantum encryption, apparently rendering it unhackable. The Tianyi no. 1 2022 was created by the Shenzhen Tianyi Company and is also 5G ready.

Reports on the phone are apparently non-existent in Western media sources, but a range of Asian news networks such as the Maldives News Network are reporting that the QuantumCTek team that was behind the Micius quantum satellite has managed to create a version of the technology that will allow quantum encryption and decryption of the specially-made SIM card, data on the phone, and voice calls.

Although technical information about how the phone actually works is scant at the moment (and will likely stay that way for the foreseeable future), the phone offers an insight into the world of quantum products that humanity is approaching. If these devices are truly unhackable (which I am saying with a healthy dose of cynicism), security professionals could be looking at an incredible breakthrough in the battle against the adversary. Well, and possibly a lot less demand for their skillset!

The adversary takes aim at food production

Smart products sounded like such a good idea when they first appeared, but continuing failures to secure them are leading to the adversary taking aim at one of the most basic necessities of modern human existence – the food supply chain. Although supply issues were already expected this year due to the ongoing Russia-Ukraine conflict in the “breadbasket of the world” and heatwaves in India causing issues with wheat production, it seems like cybercriminals will be turning the knife even more.

Agricultural smart products such as automatic crop sprayers, drones, and robotic harvesters are all at risk from hardware flaws, a recent report from the University of Cambridge says. Although data security is the usual top concern for the British government and the FBI, there is a potentially larger worry about the continued operability of the machines themselves.

Attacks on the food supply chain aren’t exactly new, either. Meat processing company JBS was targeted last year and paid threat actors $11 million to open up the supply chain again. Just like when WannaCry hit hospitals, the victim has very little choice but to pay the ransom, as people rely on this necessary function of society to survive. As conditions around the world make the food situation more precarious, the idea of cybercriminal “honor among thieves” – that is, refusing to target hospitals, schools, and other necessary functions – could turn out to be a myth that doesn’t reflect the type of attacks the cybersecurity world is going to face.

The only thing to stop a bad guy with a computer is a good guy with a computer

Unless you’ve refused to look at the cybersecurity world since the start of 2022, you will have probably noticed that more and more high-profile “good guy hacker” cases are appearing. Seemingly a central part of the growing cyber-Cold War, hackers such as P4x have used their skills to combat overseas adversarial forces.

The good news for people like this is that the United States Justice Department has decided that “good-faith hackers” are no longer breaking the law. The Computer Fraud and Abuse Act (CFAA) will now no longer prosecute actors who use their skills “in a manner designed to avoid any harm to individuals or the public” as long as the investigations are “used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.” You can read the full report here.

Although this applies both to security researchers and to other cybersecurity professionals who are penetration testing domestic and international services, there is a big black-hat question mark over this ruling – what precisely does “good faith” entail? As with many laws that are vague in their wording, there is a concern about who will be considered a good faith actor and who might be considered to be acting in bad faith. Hopefully, it will reduce the number of people being brought up on false charges, like the Missouri journalist who reported that over 100 thousand social security numbers were exposed on a state website to anyone who played around with Inspect Element for a while.

Are SIEMs useless?

Do you want to make people using Splunk, Microsoft Sentinel, IBM QRadar and other SIEMs angry? Recent research from CardinalOps shows that up to 80% of all MITRE ATT&CK techniques are being missed by popular SIEMs, meaning that the adversary already has the upper hand as long as they choose the correct tactics.

Analyzing data from SIEM instances in production environments, CardinalOps put together the largest known recorded sample of SIEM data that any organization has analyzed and the findings have been damning. As well as the catastrophic failure rate to identify techniques as they are happening, the investigation also showed that only five of the top fourteen MITRE ATT&CK techniques are actually being successfully intercepted. It’s always good to start with the most dangerous threats, but can we really excuse such a huge rate of failure?

But blaming the SIEMs themselves isn’t entirely fair – security professionals should also take some of the blame as a concerning 15% of all SIEM rules are broken due to misconfiguration and missing fields. We know there’s a skills gap, but this level of negligence can’t go on if companies expect to defend sensitive data against the adversary.

“What is to be done?”, you ask? Well, CardinalOps suggests using its alternatives instead (an entirely predictable conclusion), but a deep introspective look at the way your company operates is now a necessity for security pros. If you don’t understand what your tools do or don’t do, how can you claim to understand how you are establishing a strong security posture?
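The two failure modes above (rules that reference fields the log source never emits, and ATT&CK techniques with no working rule behind them) are cheap to check for before an attacker finds them. The following is an added example, not code from CardinalOps or from any of the SIEMs named; the event schema, rule names and technique ids are constructed for illustration and the rule syntax is a simplified Sigma-like selection map:

```python
"""Lint SIEM-style detection rules against the fields a log source actually emits.

Added example, not taken from the CardinalOps research: it checks the two
failure modes the findings describe (rules referencing fields the source never
provides, and ATT&CK techniques with no working rule) using a constructed
rule set and a constructed batch of normalized events. Field names, rule
names and technique ids below are illustrative assumptions.
"""

# Constructed sample of normalized events, modelled loosely on Windows Security
# log fields as a SIEM might normalize them (assumed schema, not a real feed).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "SubjectUserName": "alice"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice",
     "IpAddress": "10.0.0.5"},
    {"EventID": 4698, "TaskName": "\\Updater", "SubjectUserName": "svc"},
]

# Constructed rules. A selection maps "Field" or "Field|modifier" to a value.
# "ParentImage" is deliberately a field this source never emits, which is the
# "missing field" breakage the report describes.
RULES = [
    {"name": "cmd_exec", "technique": "T1059.003", "enabled": True,
     "selection": {"EventID": 4688, "NewProcessName|endswith": "cmd.exe"}},
    {"name": "rdp_logon", "technique": "T1021.001", "enabled": True,
     "selection": {"EventID": 4624, "LogonType": 10}},
    {"name": "sched_task", "technique": "T1053.005", "enabled": True,
     "selection": {"EventID": 4698, "ParentImage|endswith": "svchost.exe"}},
    {"name": "old_dump", "technique": "T1003.001", "enabled": False,
     "selection": {"EventID": 4656}},
]

# Techniques the SOC claims to cover (constructed list for the coverage check).
CLAIMED_TECHNIQUES = ["T1059.003", "T1021.001", "T1053.005", "T1003.001", "T1566.001"]


def _split(key):
    """'Field|modifier' -> ('Field', 'modifier'); plain 'Field' -> ('Field', '')."""
    field, _, modifier = key.partition("|")
    return field, modifier


def matches(selection, event):
    """True when every selection entry is satisfied by the event."""
    for key, want in selection.items():
        field, modifier = _split(key)
        if field not in event:
            return False
        have = str(event[field])
        if modifier == "endswith" and not have.endswith(str(want)):
            return False
        if modifier == "contains" and str(want) not in have:
            return False
        if modifier == "" and event[field] != want:
            return False
    return True


def lint_rules(rules, events):
    """Return {rule_name: [issues]} for rules that cannot work as written."""
    known_fields = set()
    for event in events:
        known_fields.update(event.keys())
    problems = {}
    for rule in rules:
        issues = []
        if not rule["enabled"]:
            issues.append("disabled")
        missing = sorted({_split(k)[0] for k in rule["selection"]} - known_fields)
        if missing:
            issues.append("references fields the source never emits: " + ", ".join(missing))
        elif not any(matches(rule["selection"], e) for e in events):
            issues.append("never matches any sample event")
        if issues:
            problems[rule["name"]] = issues
    return problems


def technique_coverage(rules, events, techniques):
    """Map each technique to True only if an enabled, non-broken rule covers it."""
    broken = lint_rules(rules, events)
    working = {r["technique"] for r in rules if r["name"] not in broken}
    return {t: t in working for t in techniques}


if __name__ == "__main__":
    for name, issues in lint_rules(RULES, SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(issues)}")
    cov = technique_coverage(RULES, SAMPLE_EVENTS, CLAIMED_TECHNIQUES)
    print("coverage: %d/%d techniques" % (sum(cov.values()), len(cov)))
```

Run against a real rule export and a day of normalized events, the "never matches any sample event" check is the noisy one: a rule for a rare technique legitimately matches nothing, so treat that finding as "needs a test event", while a missing field is a hard break.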

Greenland, too

The Greenland government said this week that a cyberattack that took place on May 9 crippled the activity of its national health service. Government officials said they are in the process of restoring the agency’s IT systems, but since the attack, doctors have not been able to access patients’ medical records, and citizens haven’t been able to contact the agency via email. Officials did not disclose the nature of the attack.

Texas DOI breach

The Texas Department of Insurance disclosed a data breach last week. Officials said that the data of more than 1.8 million Texans was exposed “due to a programming code error” for almost three years between March 2019 and January 2022.

NFT Discord hacks

Hackers compromised several Discord servers of popular NFT projects this week and tried to trick users into giving up cryptocurrency or buying fake NFTs, Motherboard reported.

Nikkei got ransomed

The Singapore division of the Nikkei media conglomerate was hit by ransomware on Thursday, the agency said.

Mozilla to continue supporting ad blockers

After Google announced in 2018 plans to create a new browser extensions API that would greatly diminish the power ad blockers have inside Chromium-based browsers, Mozilla announced plans this week to support this new API but also backward compatibility with the old one as a way to ensure its users have access to powerful and efficient ad-blocking technologies.

India doesn’t budge on VPNs

Earlier this month, the Indian government passed a new cybersecurity law that included a clause to force all cloud and VPN providers active within its borders to keep records on the identities and IP addresses of Indian users. In statements made this week, the government said it wouldn’t back down on the new requirement even after several cloud and VPN providers have threatened to stop providing services and pull out of India.

Disinformation Governance Board

Less than a month after establishing its Disinformation Governance Board, the DHS has paused its effort after the new agency was at the center of several disinformation efforts led by right-wing groups, the Washington Post reported. The backlash focused on accusations that the US government was trying to control free speech, but DHS officials said this was never the agency’s purpose.

DOJ’s new CFAA policy

The US Department of Justice also announced on Thursday a revision to how it prosecutes violations of the Computer Fraud and Abuse Act (CFAA), instructing prosecutors not to charge individuals who committed CFAA violations while conducting “good-faith security research.” The new DOJ policy comes after rights groups and the cybersecurity industry have lobbied for changes to the CFAA for decades, arguing that its current wording stifles cybersecurity research and threatens national security [See publications from Rapid7, Stanford Law School, Harvard, the EFF, the US National Association of Criminal Defense Lawyers, and Brookings University].

ID.me inquiry

Three US senators have asked the FTC to investigate ID.me, a private company that was contracted to provide a selfie-based facial recognition login system for the IRS web portal. The senators believe the company made “deceptive statements” on how it would handle the biometric data it collected from Americans, before its solution was withdrawn following public backlash.

FTC crackdown

The US FTC announced its intention to crack down on companies that collect the personal details of children via online learning platforms. “Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

Funds recovery

The US Department of Justice said it recovered more than $15 million from Swiss bank accounts owned by the operators of the 3ve (Kovter) ad fraud operation.

Uninsurable

Cyberscoop is reporting that a growing number of US-based water companies are finding it harder to get cyber-insurance due to the large number of attacks targeting their industry and their poor cybersecurity practices.

More cyber-insurance analysis

The WSJ is reporting that many cyber-insurance providers have raised their rates throughout 2021 after a series of high-profile cybersecurity incidents and especially after the May 2021 Colonial Pipeline hack. Direct-written premiums in 2021 grew by 92% year-over-year, according to information submitted to the National Association of Insurance Commissioners.

Conti allegedly shuts down

The Conti ransomware group is apparently preparing to shutter its operations, according to a report from threat intelligence company AdvIntel. The company said that early on Thursday, the Conti administrators informed affiliates about plans to move on from the Conti brand and then shut down their internal Rocket instant messaging servers. Experts believe the group will rebrand and is just ditching the Conti name, which has seen several reputational hits on the cybercriminal underground after suffering several high-profile leaks in recent months and had its inner workings thoroughly documented by the cybersecurity community. For example, just earlier this week, security teams at Prodaft and IBM X-Force published reports on the gang’s history and operational patterns based on the leaked materials.

How many K8s did you say?

The Shadowserver Foundation said that following a recent study, more than 381,000 of the total 450,000 Kubernetes API instances it identified had responded to its queries, meaning they were exposed on the internet and open to attacks.

ATM explosions

Europol has detained three suspects for allegedly orchestrating a series of attacks against ATMs in Germany. The group stole almost €1 million and was deemed highly dangerous as it used explosives to open or unhinge ATMs from building walls, putting the buildings at risk of collapse.

DarkFeed returns

After being threatened and forced by a ransomware operator to go offline, the DarkFeed ransomware monitoring service said it plans to return in a new format.

New Deadbolt ransomware attacks

Taiwanese IoT maker QNAP published a security alert on Thursday warning of a new wave of attacks using the Deadbolt ransomware against its network-attached storage (NAS) devices. The company said the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly the TS-x51 series and TS-x53 series.

Ransomware academic study

A recent academic study on the landscape of ransomware payments has found that the operators of RaaS (Ransomware-as-a-Service) portals are better at laundering their funds than the smaller commodity ransomware crews. According to researchers, RaaS operators are more strict in their laundering patterns and prefer bitcoin mixers or (now-sanctioned) cryptocurrency exchanges over exchanges that adhere to KYC/AML regulations, typically used by the smaller commodity ransomware crews.

Pie chart of one-hop laundering entities.

Ransomware initial access trends

A recent report published by cybersecurity firm Group-IB has found that many ransomware gangs prefer vulnerabilities in unpatched network devices as their way into victim networks. In addition, the same report found that the average ransom demand grew by 45% in 2021, to $247,000 per attack. [Coverage of the report in Bleeping Computer]

BlackByte

Cisco Talos has published a report on the BlackByte ransomware crew, which AdvIntel recently connected to the larger Conti operation.

KillNet

Threat analyst CyberKnow has a report out on the internal structure of the KillNet pro-Russian hacktivist group.

Phishing campaign uses chatbots

Security firm Trustwave said in a report published on Thursday that it discovered a novel phishing campaign that used automated chatbots to trick users into entering their personal and financial data in chat windows appearing on phishing sites. Previous phishing campaigns that relied on chat windows relied on a threat actor being on the other side to ask victims questions and didn’t rely on automated chatbots.

Cytrox attribution

Google TAG has formally linked five zero-day vulnerabilities exploited last year to Cytrox, a surveillance kit provider based in North Macedonia. Four of the zero-days impacted Google Chrome, while a fifth was used to hack Android devices.

1.1 Tbps DDoS attack

DDoS mitigation provider Radware said it dealt with a massive 1.1 Tbps DDoS attack that targeted “one of the world’s largest service providers.” According to the company, the attack took place last week and lasted approximately 36 hours.

XORDDOS

Microsoft has published a technical report on XORDDOS, a strain of Linux malware that is being used to hijack servers and smart devices into DDoS botnets. Microsoft said that this malware, which has been around since late 2014, has had a recent spike in usage, with the company reporting a sudden 254% rise in activity.

GitLab server attacks

SentinelLabs said it detected a campaign that targeted Rust developers using a malicious library disguised as a popular Rust package. Researchers said this package contained malicious code that would look for a local GitLab CI build server installed on the developer’s machine and, if found, it would download a Go-based backdoor to be used for future attacks. SentinelOne researchers said they suspect the threat actor was compromising systems in preparation for future supply chain attacks against software makers.

Emotet botnet

The Trend Micro team has published a technical report on the recent malspam campaigns carried out by the Emotet botnet since its return this winter.

Dridex

Palo Alto Networks has published a report on the recent infection chains used by the Dridex group.

Qbot

Red Canary has published its quarterly threat report this week, and the company says that for the first time, the Qbot operation was observed using Windows Installer (MSI) packages instead of malicious Microsoft Office macros.

Recent disinformation efforts

Mandiant has published an overview report of disinformation efforts centering around Russia’s invasion of Ukraine. Threat actors involved in these campaigns include the likes of APT28, Secondary Infektion, Ghostwriter, Russia’s IRA, Russian intelligence-linked media outlets, and Russian hacktivist groups Killnet, Xaknet, and RahDit. One of the most disturbing disinformation operations was one conducted by Belarusian group Ghostwriter, which tried to push narratives that Polish criminal groups were harvesting organs from Ukrainian refugees in an attempt to sow distrust between the two countries.

Russian intrusions

Mandiant told Bloomberg that it is currently responding to more than a dozen live intrusions by Russian foreign intelligence services aimed at diplomats, military computers, defense contractors, and other targets.

Twisted Panda

Check Point published a report on a threat actor it calls Twisted Panda that has recently targeted Russian state-owned defense institutes.

Space Pirates

Positive Technologies has published a report on an APT group it calls Space Pirates that’s been targeting Russian companies from the aerospace field and companies from the energy sector in Russia, Georgia, and Mongolia. Researchers believe the group operates for the benefit of the Chinese government.

Lazarus attacks

AhnLab published a report about recent attacks from the Lazarus APT that are trying to exploit the Log4Shell vulnerability for initial access into targeted networks. AhnLab said that during successful attacks, the group would install the NukeSpeed backdoor on compromised systems.

APT academic paper

A recent paper published by a team of Italian academics has discovered that APT groups heavily rely on publicly-disclosed vulnerabilities to breach their victims rather than the use of zero-days. The study included data from 86 APTs and 350 campaigns carried out from 2008 to 2020. [Additional coverage in ThreatPost]

DHS BOD

CISA has issued a rare emergency directive ordering federal agencies to patch a set of VMware vulnerabilities disclosed last month that are now actively exploited in the wild. The two vulnerabilities are CVE-2022-22954 and CVE-2022-22960. In addition, CISA has ordered federal agencies to patch two other VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) that the company disclosed yesterday and which the agency expects threat actors will also weaponize in the future.

NSW driver’s license forgeries

According to a report published this week by cybersecurity firm Dvuln, Australia’s New South Wales government has yet to fix vulnerabilities dating back to 2019 that can be used to generate fraudulent digital driver’s licenses.

Pwn2Own results

Results from the Pwn2Own 2022 hacking contest are being added to this live blog. The Microsoft Teams desktop app seems to be a favorite target this year.

BishopFox/GadgetProbe

Tool by Bishop Fox’s Jake Miller that helps you exploit Java deserialization bugs when none of the ysoserial payloads worked, and you need to debug or build a gadget chain totally blind. Probes endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

Impact-I/reFlutter

Flutter reverse engineering framework by @Impact_I that uses the patched version of the Flutter library which is already compiled and ready for app repacking. This library has a snapshot deserialization process modified to allow you to perform dynamic analysis in a convenient way.

Hunting evasive vulnerabilities

Nullcon Berlin keynote by Portswigger’s James Kettle picks out evasive vulnerabilities found across a decade of web security research, exploring what factors hid both individual bugs and entire attack classes – and what gave them away. He extracts both specific techniques and broad principles that you can apply to find other overlooked flaws, as well as what doesn’t work, as he’s learnt quite a bit about that too.

See also James’ excellent So you want to be a web security researcher?

alufers/mitmproxy2swagger

Automatically convert mitmproxy captures to OpenAPI 3.0 specifications. Basically you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.

Building a Data Perimeter on AWS

An AWS whitepaper on best practices and available services for creating a perimeter around your identities, resources, and networks in AWS. Read more: Building a Data Perimeter on AWS

Security reference architecture for a serverless application

Salesforce’s Anunay Bhatt walks through the security controls you can apply to a demo serverless application, including authentication, authorization, infra least privilege, network security, code security, data protection, and logging.

Complete AWS Security Maturity Model

Great resource by AWS’ Dario Goldfarb et al breaking things down into the following phases: quick wins, foundational, efficient, and optimized.


BPFDoor — an active Chinese global surveillance tool

By Kevin Beaumont.

BPFDoor is interesting. It allows a threat actor to backdoor a system for remote code execution, without opening any new network ports or firewall rules. For example, if a webapp exists on port 443, it can listen and react on the existing port 443, and the implant can be reached over the webapp port (even with the webapp running). This is because it uses a BPF packet filter.

I swept the internet for BPFDoor throughout 2021, and discovered it is installed at organisations across the globe — in particular the US, South Korea, Hong Kong, Turkey, India, Viet Nam and Myanmar — and is highly evasive. These organisations include government systems, postal and logistic systems, education systems and more.
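Because an implant of this kind listens through a packet socket with a BPF filter rather than a bound TCP port, a listening-port inventory (`ss -lnt` and friends) shows nothing new. The packet socket itself, however, is still listed in /proc/net/packet, and its inode can be tied back to a process through /proc/<pid>/fd. The following is an added example of that check, written for this page and not part of Kevin Beaumont's write-up or of any BPFDoor analysis; the sample /proc/net/packet contents are constructed, and the allow-list of processes expected to hold raw sockets is an assumption to tune per host:

```python
"""List AF_PACKET sockets on a Linux host and map them back to processes.

Added example, not part of Kevin Beaumont's write-up or of any BPFDoor sample:
an implant that listens through a packet socket with a BPF filter never shows
up as a listening TCP/UDP port, but the socket itself is still listed in
/proc/net/packet. The sample contents below are constructed; the "expected"
process names are an assumed allow-list.
"""
import os
import re

# Constructed sample of /proc/net/packet (column layout follows the kernel's
# header line; the addresses, inodes and uids here are made up).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3b1c2d0000 3      3    0800   2     1 0        0      41221
ffff9a3b1c2d0800 3      3    0003   0     1 0        0      41250
"""

SOCK_DGRAM, SOCK_RAW = 2, 3
PROTO_NAMES = {"0800": "ETH_P_IP", "0003": "ETH_P_ALL", "0806": "ETH_P_ARP"}


def parse_proc_net_packet(text):
    """Return one dict per packet socket, decoding socket type and ethertype."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 9:
            continue
        _sk, _refcnt, sock_type, proto, ifindex, _running, _rmem, uid, inode = parts[:9]
        kind = {SOCK_RAW: "RAW", SOCK_DGRAM: "DGRAM"}.get(int(sock_type), sock_type)
        rows.append({
            "type": kind,
            "proto": PROTO_NAMES.get(proto.lower(), "0x" + proto),
            "ifindex": int(ifindex),   # 0 means not bound to a single interface
            "uid": int(uid),
            "inode": int(inode),
        })
    return rows


def socket_inode_owners(proc="/proc"):
    """Map socket inode -> [(pid, comm)] by reading /proc/<pid>/fd symlinks.

    Needs root to see other users' descriptors; unreadable processes are skipped.
    """
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if not m:
                continue
            try:
                with open(os.path.join(proc, pid, "comm")) as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            owners.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return owners


# Assumed allow-list of programs that legitimately hold raw packet sockets;
# replace it with the host's real baseline.
EXPECTED_HOLDERS = frozenset({"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
                              "systemd-networkd", "wpa_supplicant"})


def suspicious_packet_sockets(rows, owners, expected=EXPECTED_HOLDERS):
    """Flag RAW packet sockets with no visible owner or an owner outside the allow-list."""
    flagged = []
    for row in rows:
        holders = owners.get(row["inode"], [])
        names = {comm for _pid, comm in holders}
        if row["type"] == "RAW" and (not names or not names <= expected):
            flagged.append(dict(row, owners=holders))
    return flagged


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live_rows = parse_proc_net_packet(f.read())
    for hit in suspicious_packet_sockets(live_rows, socket_inode_owners()):
        print(hit)
```

Run it as root, otherwise most /proc/<pid>/fd directories are unreadable and every socket looks ownerless. A RAW socket that still has no visible owner when run as root is worth treating as a hidden process rather than a permissions glitch. `ss -0 -p` gives the same socket-to-process view in one command; the point of the script is that the data is available to an agent without that tool.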

kris-nova/xpid

By Kris Nóva: Like nmap but for pids. xpid gives a user the ability to “investigate” for process details on a Linux system, for example: investigate a specific pid, find all container processes on a system, find all processes in the same namespace as a given pid, find all processes running with eBPF programs, etc.

solo-io/bumblebee

By solo.io: Get eBPF programs running from the cloud to the kernel in 1 line of Bash. BumbleBee helps to build, run and distribute eBPF programs using OCI images. It allows you to focus on writing eBPF code, while taking care of the user space components – automatically exposing your data as metrics or logs.

kris-nova/boopkit

Linux eBPF backdoor over TCP by Kris Nóva. Remote code execution over TCP (SSH, Nginx, Kubernetes, etc), network gateway bypass (bad checksums, TCP reset), self obfuscation at runtime (eBPF process hiding).

A flow-based IDS using Machine Learning in eBPF

Academic paper: “We show that it is possible to develop a flow based network intrusion detection system based on machine learning entirely in eBPF.”

sigstore/gitsign

Keyless Git signing using Sigstore. Uses keyless Sigstore to sign Git commits with your own GitHub / OIDC identity.

GitHub Actions signing Lambda code

LaunchDarkly’s Alex Smolen describes how to sign AWS Lambda function code built with GitHub Actions.

Caroline Lemieux on getting higher observed fuzzing coverage

This ICSE’22 paper brings up a very important point in fuzzer evaluation — the observation that spending more time in the more destructive “havoc” mutation stage can lead to higher observed coverage.

Fuzzing ClamAV with real malware samples

“tl;dr: Fuzzing ClamAV using real malware samples results in 10 bugs discovered including one buffer overflow and three DoS vulnerabilities.” See also their multiple posts on fuzzing game map parsers and network fuzzing with AFL.

Go Fuzz Testing – The Basics

Fuzzbuzz’s Everest Munro-Zeisberger walks through fuzzing a simple Golang function, and in Advanced Go Fuzzing Techniques discusses fuzzing with assertions, round-trip fuzzing, and differential fuzzing.

How to Disable Ad ID Tracking on iOS and Android, and Why You Should Do It Now

Walkthrough by the EFF on revoking tracker access to your ad ID on Android and iOS as well as the history of ad identifiers and why they matter.

ICE uses data brokers to bypass surveillance restrictions, report finds

According to details in American Dragnet: Data-Driven Deportation in the 21st Century, ICE has used a combination of public records and privately acquired information to build a surveillance system that can investigate the majority of US adults with little oversight. The agency now has access to the driver’s license data of three-quarters of US adults (74 percent) and has already run facial recognition scans on the license photographs of 1 in 3 adults (32 percent). And when three out of four adults hooked up utilities like gas, water, and electricity in a new home, ICE was able to automatically update their new address.

“ICE consistently paints itself as an agency whose efforts are really focused or targeted, but we’re not really seeing that at all. Instead, what we’re seeing is that ICE has built up a sweeping surveillance infrastructure that’s capable of tracking almost anyone seemingly at any time. These initiatives were conducted in near-complete secrecy and impunity, sidestepping limitations and flying under the radar of most state officials.”

Attackers exploit critical F5 BIG-IP vulnerability to wipe systems, CISA urges patch

A critical F5 BIG-IP vulnerability continues to dominate security headlines this week, as it’s still being used in the wild. Most recently, security researchers saw attackers exploiting the vulnerability to try and completely wipe some Linux systems. Adversaries are running specific commands to erase all the files on the BIG-IP devices’ Linux file system when executed. Since attackers could exploit CVE-2022-1388 to obtain root privileges in the Linux operating system powering the BIG-IP devices, they could delete almost every file on the machine, including configuration files needed to run the Linux system. The U.S. Cybersecurity and Infrastructure Security Agency also added the vulnerability to their running list of actively exploited vulnerabilities, warning federal agencies that they need to patch the issue by May 30.

Bitter APT adds Bangladesh to their targets

Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of an actor targeting South Asian government entities. This campaign targets an elite unit of Bangladesh’s government with a themed lure document alleging to relate to the regular operational tasks in the victim’s organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim’s machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.
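The lure chain above starts with a document that embeds an OLE object whose class is Microsoft Equation Editor, which is what the three Office CVEs rely on, so a file that carries such an object is worth quarantining before anyone opens it. The following is an added static check, written for this page and not part of the Talos report: it decodes the hex payload of each RTF `objdata` group, reads the class name from the OLE1 object header (version, format id, length-prefixed class name), and compares it with the class the document declares. The sample RTF is constructed and benign; the allow-listed class names and the "suspicious" rule are assumptions.

```python
"""Static triage of RTF files for embedded Equation Editor OLE objects.

Added example, not part of the Talos report. The sample RTF below is
constructed and carries no exploit; the OLE1 header layout (version, format
id, length-prefixed class name) is the documented objdata structure.
"""
import re

# Constructed, benign RTF: objclass claims a Word document, while the OLE1
# header inside objdata names "Equation.3". The hex is split by spaces and a
# newline, which RTF permits and which defeats naive substring matching.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Word.Document.8}"
    r"{\*\objdata 01050000 02000000 0b000000"
    "\n4571 7561 7469 6f6e 2e33 00"   # "Equation.3\0" as hex
    r"}}\par }"
)

OBJDATA_RE = re.compile(r"\\objdata\b([^}]*)")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")


def objdata_bytes(blob):
    """Decode the hex payload of one objdata group, ignoring any whitespace."""
    hexchars = re.sub(r"[^0-9A-Fa-f]", "", blob)
    return bytes.fromhex(hexchars[: len(hexchars) - len(hexchars) % 2])


def ole1_class_name(data):
    """Read the class name from an OLE1 ObjectHeader: ver(4) fmt(4) len(4) name."""
    if len(data) < 12:
        return None
    length = int.from_bytes(data[8:12], "little")
    name = data[12:12 + length]
    if not name:
        return None
    return name.rstrip(b"\0").decode("latin-1", "replace")


def scan_rtf(text):
    """Summarize OLE object indicators in RTF text and decide if it is suspicious."""
    declared = [c.strip() for c in OBJCLASS_RE.findall(text)]
    embedded = []
    for blob in OBJDATA_RE.findall(text):
        name = ole1_class_name(objdata_bytes(blob))
        if name:
            embedded.append(name)
    all_classes = declared + embedded
    return {
        "ole_objects": len(re.findall(r"\\object\b", text)),
        # objupdate makes Word refresh (and so load) the object on open.
        "objupdate": re.search(r"\\objupdate\b", text) is not None,
        "declared_classes": declared,
        "embedded_classes": embedded,
        # A declared class that differs from the real OLE1 class is a tell.
        "class_mismatch": bool(declared and embedded and set(declared) != set(embedded)),
        "suspicious": any(c.lower().startswith("equation") for c in all_classes),
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="latin-1").read() if path else SAMPLE_RTF
    for key, value in scan_rtf(text).items():
        print(f"{key}: {value}")
```

This is a triage filter, not a verdict: it only looks at the class name, so an Equation Editor object in a legitimate maths worksheet will also trip it, and a sample that hides the object elsewhere (for example in an OLE2 container inside `objdata`) needs the full Office-parsing tooling. The mismatch between declared and embedded class is the more reliable signal for the lure type described above.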

Report on Real-Time Bidding

The Irish Council for Civil Liberties has published a report on Real-Time Bidding (RTB), the process at the heart of the modern online advertising industry. The report called RTB “the biggest data breach ever recorded” because it tracks and shares what people view online and their real-world location. The report discovered that a regular US citizen has their data and location tracked 747 times per day, on average, while in the EU, where there are stricter privacy regulations, users get their data tracked only 376 times per day. Read more: Report spotlights vast scale of adtech’s ‘biggest data breach’

New Google Cloud security features

At its yearly Security Summit conference, the Google Cloud team announced new security features and services coming to its service. Among the new features, the most interesting one is the option to give customers the ability to use the same open-source libraries that Google itself uses—as a way for customers to harden their cloud infrastructure against supply chain attacks. This new feature is called the Google Cloud Assured Open Source Software service. Read more: Google to launch repository service with security-tested versions of open-source software packages

New GDPR fine calculator

The EU has published new guidelines for calculating GDPR fines as part of an effort to align fine levels for infringing companies across member states. The new rules put more focus on the size of a company when determining the final fine size—instead of the offense type—and will also play a more important role in allowing supervisors from member states to monitor investigations in other countries.

North Korea IT workers warning

The FBI, the State Department, and the US Treasury have published a joint advisory [PDF] this week warning that the North Korean government is using agents disguised as IT freelancers who apply for jobs at large corporations, as a way to get a foothold inside corporate networks and high-value assets. The three agencies warn that these agents may help North Korean state hackers penetrate networks and steal intellectual property or classified information, or carry out financially-motivated attacks.

Initial access report

Cybersecurity agencies from across the Five Eyes countries have published a joint report on the most common methods and techniques used by threat actors to gain an initial foothold in corporate and government networks. According to the report, some of the most common weaknesses that allow attackers to penetrate networks include not enforcing multifactor authentication, incorrectly applied privileges or permissions, the use of default/factory logins, and not keeping software up to date.

FBI alert on web skimmers

The FBI has a flash alert [PDF] out, warning US companies about the danger of having their online stores backdoored by web skimmer gangs.

Thanos ransomware author charged

The US charged on Monday a French-Venezuelan citizen for allegedly creating the Jigsaw and Thanos ransomware strains. According to the complaint, the suspect—named Moises Luis Zagala Gonzalez—is a 55-year-old cardiologist from Venezuela. DOJ officials said Zagala created and advertised his ransomware on underground cybercrime forums and that one of his customers was the Iranian espionage crew MuddyWater. The FBI said it linked illicit money transfers from Thanos attacks to Zagala’s accounts and confirmed his identity and current location following an interview with a US-based family member, whose PayPal account was also used to launder some of the suspect’s ransomware profits.

Conti all along

In a report published on Tuesday, security firm AdvIntel said that the ransomware attack that hit the San Francisco 49ers NFL team earlier this year was actually carried out by the Conti gang, which used the BlackByte persona as “a shell group to process the breach.” AdvIntel described the BlackByte gang as a “data-stealing venture,” and not as a classic ransomware group, operating similar to Karakurt, another Conti sub-group that extorts companies with stolen files, typically after the main Conti gang failed to encrypt systems.

Attacks on SQL servers

In a Twitter thread on Tuesday, Microsoft published details about a brute-force campaign currently targeting MSSQL servers.

Ukraine arrests hacker

Ukraine’s Cyber Police agency has detained a 28-year-old for hacking into social media accounts and then asking the victims’ friends for loans, to be paid into his own account. The suspect is believed to have hacked the accounts of at least 50 individuals and made more than $6,500 from his scheme.

UpdateAgent

Jamf published a report on Monday on recent changes to UpdateAgent, a malware dropper designed to target Mac systems. TL;DR: The malware has been re-written in the Swift programming language.

Facestealer

Trend Micro has published a report on Facestealer, a malware strain that was recently found in more than 200 Android apps uploaded on the official Play Store. The company said the malware is capable of stealing user passwords and other sensitive information, including private keys.

Destructive version of Chaos ransomware

Fortinet said that it recently spotted a new ransomware strain, built using the Chaos ransomware builder, that displays messages of support for the Russian government in its conflict with Ukraine after infecting victims. This version encrypts files with no way to decrypt them and adds a “.fuckazov” extension to all affected files.

Cry-what now

In a blog post on Tuesday, Microsoft’s security team re-branded every infostealer malware strain that can steal cryptocurrency wallet data as “cryware.” Please never use this term. Just trust me on this!

Nonghyup Bank hack

On Tuesday, South Korean officials indicted five suspects for a cyber-attack on Nonghyup Bank in 2011. Officials charged four North Korean hackers and a South Korean who allegedly traveled to China and shared information about the bank’s network, including data like IP addresses. The alleged meeting took place in July 2011, two months after Nonghyup Bank detected an initial intrusion that began in 2010. Officials said the second attack that used data shared by the South Korean insider failed, although Nonghyup admitted to other intrusions in the following years.

HUI Loader

JP-CERT has published a technical analysis of HUI Loader, a malware strain used by multiple APT groups, such as APT10, A41APT, and Blue Termite.

Chinese operations

Presenting at Black Hat Asia over the weekend, analysts from Team T5 said that threat intel analysts could predict future targets of Chinese cyber-espionage groups by keeping an eye on new Chinese government policies. The company gave an example of how Beijing’s recent crackdown on gaming companies during the COVID-19 pandemic was also accompanied by a wave of cyber-attacks carried out by Chinese cyber-espionage groups that targeted the local online gaming, gambling, and casinos sector.

Lazarus

ESET said it discovered traces of Lazarus malware hidden inside the folder of a known Windows activation crack tool. The victim of this attack was the same Philippines company that was infected via a trojanized KeePass app last month, and ESET said the attackers used this technique because the crack tool’s instructions told users to exclude its folder from antivirus scanning.

Tatsu Builder attacks

Web security firm Wordfence reported on Tuesday seeing a massive uptick in attacks targeting WordPress sites running the free and commercial versions of the Tatsu Builder plugin. The attacks peaked on May 14, when the company said it detected 5.9 million attacks against 1.4 million websites. The attackers used a recently disclosed vulnerability tracked as CVE-2021-25094.

Apple backports zero-day fixes

After releasing initial fixes for iOS and macOS zero-days at the end of March, Apple released on Monday additional backported fixes for macOS Big Sur users as well.

Tetragon

Security firm Isovalent has open-sourced Tetragon, an eBPF-based security observability and runtime enforcement platform.

Open Source Security Foundation and Linux Foundation Call for $150 Million to Improve Open Source Security

In response to President Biden’s executive order on supply chain security, the Open Source Security Foundation (OpenSSF) and Linux Foundation are calling for $150 million in funding over two years to fix ten major open-source security problems. Amazon, Ericsson, Google, Intel, Microsoft, and VMware have pledged $40M in support of the effort to address issues such as replacing non-memory-safe programming languages, expanded and improved code audits, increased penetration of Software Bills of Materials (SBOM) and a focus on enhancing the security of the 10 most critical open-source software build systems, package managers, and distribution systems.

Note

  • From Heartbleed to Log4j, progress in this area has long been badly needed and it would be good to see more big tech companies step up and join Amazon, AWS, Ericsson, Google, Intel, Microsoft, and VMware in committing funding. Start now educating app dev and IT about the areas of improvement that will be rolling out over the next two years and push for rapid adoption. (See Google’s Open-Source Maintenance Crew related news item.)
  • The ten goals they hope to address include security education, risk assessment, digital signatures (for code), memory safety, incident response, better (security) scanning, code audits, data sharing, SBOMs and improved supply chains. The last of these covers the 10 most critical build systems and includes the C and Rust languages, so this is a huge undertaking. Some of the other areas are already being addressed by emerging standards such as Sigstore for code signing, which is backed by Red Hat, Purdue University and Google. Using this approach in multiple areas should help meet the aggressive timeline.

Read more in

Google’s Open-Source Maintenance Crew

Google on Thursday announced the creation of its “Open Source Maintenance Crew – a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects.” Google made the announcement at a meeting with the Open Source Security Foundation, the Linux Foundation, and industry leaders.

Note

  • Great move by Google to put money and bodies behind open source. Google is one of the big commercial users of open source and most of its services would not exist without open source.
  • Active participation by Google and others is needed to raise the bar on software supply chain security. Google has pledged $10 billion USD over the next five years, including $100 million for third-party foundations, including the OpenSSF, which help manage open source security and fix vulnerabilities. Expect updates to Google’s Know, Prevent, Fix framework to make it more encompassing and accessible, allowing your developers, as well as open-source providers to better leverage it and produce better code.

Read more in

Iranian APT Group Launching Ransomware Attacks Against US

Over the past several months, Iran-linked cyberespionage group Charming Kitten, aka APT35, Magic Hound, Phosphorus, NewsBeef, Newscaster and TA453, has been engaging in financially-motivated activities, the SecureWorks Counter Threat Unit (CTU) reports. In December 2021, the group was acquiring exploits that leveraged Log4J vulnerabilities; in January 2022 they were observed using a new PowerShell backdoor, and most recently the group has turned to financially motivated attacks including ransomware deployment.

Note

  • At this time the group appears to be small, using manual operations rather than an automated system to map victims to their specific encryption keys, which increases the likelihood of unsuccessful recovery even if the ransom is paid. It is expected that they are also going to, if they haven’t already, be posting exfiltrated data as additional leverage to entice customers to pay. Know where your data is and be prepared to decide the value before someone else puts a price tag on it. If you’re not comfortable with the protection or location, take steps before an incident happens.
  • We published multiple detection opportunities for APT35 in this Threat Thursday blog post. While prevention is a goal, detection and response are a requirement. These detections cover a number of TTPs used by other threat actors as well: https://www.scythe.io/library/threat-actor-apt35

Read more in

European Union Agrees on NIS2 Language for Updated EU Cybersecurity Regulatory Requirements

The European Council and the European Parliament agreed on updated measures for a common level of cybersecurity across the EU, known as NIS2 (Directive on Security of Network and Information Systems). The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. It sets out minimum rules for a regulatory framework and defines mechanisms for cooperation among authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for common remedies and sanctions. NIS 2 will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

Note

  • NIS2 is mostly about standardizing governance, enforcement and incident reporting/response across the EU. It includes a list of seven key elements addressing incident response, supply chain security, encryption and vulnerability disclosure. Organizations will have 24 hours after detection of an incident to submit an initial report. A full report will be required in 30 days. NIS2 expands the number of sectors covered, and specifically identifies social media platforms. If previous NIS rollout timelines hold for NIS2, compliance is likely to be required in 2024.
  • Having consistent cybersecurity requirements across the EU will help with not only a consistent implementation, but also simplify requirements needed when doing business in or with EU-based partners.

Read more in

Maryland Governor Signs Bills to Assist Local Governments Increasing Cybersecurity

Maryland Gov. Larry Hogan signed measures to strengthen cybersecurity in state and local governments in Maryland on Thursday, after lawmakers approved legislation and big investments earlier this year to protect vital systems against cyberattacks. The measures include the Maryland Emergency Management Agency supporting local governments in developing vulnerability assessments and response plans, and reporting requirements for state agencies and local governments, including reporting of cybersecurity incidents. Agencies will be required to complete a cybersecurity assessment and to remediate findings.

Note

  • Maryland had its largest and smallest counties hit hard by ransomware and learned that not all counties are equally able to reach basic security hygiene. That applies to most organizations – centralized support focused on the “security-needy” BUs in a distributed organization can often reduce the risk of potential weak links.
  • Even if you’re not in Maryland, you should be performing assessments, both internal and external, to identify issues and then remediate them, using a risk-based approach. Seek support from your local CISA or ISAC, or even reach out to local IT security chapters (ISSA, ISC2, ISACA, etc.) for expertise and resources.
  • There’s still much to be done via federal legislation to make mutual support easier, establish privacy standards, etc. States like Maryland should be commended for the work they’re doing!

Read more in

Microsoft Alerting Customers that Patch Tuesday Updates are Causing Authentication Errors

Microsoft is warning its customers that the May Patch Tuesday update is causing authentication errors. Microsoft noted that “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.”

Note

  • This update, when applied to domain controllers, impacts certificate-based authentication. Microsoft’s KB5014754 provides guidance; review it before applying the update. The patch addressed a privilege escalation vulnerability (CVE-2022-26931 and CVE-2022-26923) which can occur when the KDC is servicing a certificate-based authentication request. Essentially, after applying the update, make sure the authentication is in compatibility mode (the default), and watch for events in your log, following the remediation guidance. Wait at least a month without issues before planning on turning on enforcement mode.
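The check described in the note above, as an added example that is not part of the original article or of Microsoft’s own tooling: a read-only script for a domain controller that reports which certificate-binding mode the KDC is in and summarises the new KDC events (39, 40, 41) that KB5014754 tells administrators to watch during the compatibility-mode soak. The 30-day window and the first-10-events display are the example’s own choices.

```powershell
# Added example (not from the page or Microsoft): audit a domain controller's
# certificate-binding enforcement state after the May 2022 update and summarise
# the KDC events that KB5014754 says to review before moving to enforcement mode.
# Run elevated on a domain controller. It reads only; it changes nothing.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'   # 0 = disabled, 1 = compatibility, 2 = full enforcement
$modeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility (default)'; 2 = 'Full enforcement' }

$raw = (Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
# When the value is absent, the updated KDC behaves as compatibility mode (the default the note refers to).
$mode = if ($null -eq $raw) { 1 } else { [int]$raw }
Write-Host ("Certificate binding enforcement: {0} ({1})" -f $mode, $modeNames[$mode])

# KDC events introduced by the update:
#   39 = certificate has no strong mapping to the account
#   40 = certificate was issued before the account existed
#   41 = SID embedded in the certificate does not match the account
# Each one is a logon that still succeeds in compatibility mode but will fail once mode 2 is set.
$watch = 39, 40, 41
$since = (Get-Date).AddDays(-30)   # example soak window; the note suggests at least a month
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = $watch
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No KDC weak-mapping events since $since; the soak period is clean so far."
} else {
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        Write-Host ("Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count)
    }
    # Show which certificates/accounts still rely on weak mappings so they can be
    # reissued (or given an explicit altSecurityIdentities mapping) before enforcement.
    $events | Select-Object -First 10 TimeCreated, Id, Message | Format-List
    if ($mode -eq 2) {
        Write-Warning 'Full enforcement is already on while weak mappings are still being logged.'
    }
}
```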

Read more in

CISA Temporarily Pulls Vulnerability From KEV Catalog

CISA is temporarily removing CVE-2022-26925 from its Known Exploited Vulnerability Catalog due to a risk of authentication failures when the May 10, 2022 Microsoft rollup update is applied to domain controllers. After application of the patch to Domain Controllers, organizations might experience authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Note

  • Note the issue does not exist on workstations and non-domain-controller Windows servers, so apply the patch to everything but your domain controllers. Review Microsoft KB5014754 if you’re using certificate-based authentication for configuration guidance.
    support.microsoft.com: KB5014754—Certificate-based authentication changes on Windows domain controllers

Read more in

Critical Zyxel Flaw is Being Actively Exploited

Attackers are exploiting a recently patched critical vulnerability affecting Zyxel firewall and VPN devices. Zyxel released an advisory last week urging administrators to install the patched updates. The vulnerability can be exploited to remotely inject arbitrary code without authentication and can allow attackers to set up a reverse shell.

Note

  • The flaw is trivial to exploit and it is no surprise that it is already being used. Did I mention lately to not expose administrative interfaces to the Internet? This isn’t the last trivial-to-exploit remote code execution vulnerability in a Firewall, VPN Concentrator, Load Balancer, NAS or other device people just love to expose to make life easier for the bad guys.
  • Given that last week Shodan queries showed only 25 percent of Zyxel devices were running updated firmware, it comes as no surprise that these are now being attacked and exploited. Don’t overlook your boundary protection devices in branches or other remote locations, verify that they are being updated and, while you’re asking, ensure they have lifecycle plans. Share the one-line exploit code in the Rapid7 report (also in the article below) if anyone doubts how easily this flaw can be exploited.

Read more in

Study Looks at US Federal Government Zero Trust Implementation

According to a study commissioned by General Dynamics Information Technology (GDIT), US federal agencies are making progress in their efforts to implement zero-trust. An executive order requires that the agencies attain certain zero-trust goals by the end of fiscal year 2024. While more than 60 percent of the federal officials surveyed said they expected to meet those goals on schedule or ahead of time, more than half said that building or replacing legacy infrastructure poses a challenge to meeting those goals.

Note

  • A key challenge to zero-trust will be modernizing legacy systems, followed by implementing needed (micro) segmentation and other attack surface reduction activities. Remember agencies are making the move to zero-trust with no relief on existing mission deliverables as well as little to no added funding so far. To get this right, specific funding and resources are needed beyond the status quo. Additionally, leveraging external assessments to identify gaps and remediation requirements should also be planned and funded.

Read more in

Oklahoma City Indian Clinic Data Breach

Oklahoma City Indian Clinic (OKCIC) this week announced that it experienced a “data security incident” exposing personally identifiable information (PII) of nearly 40,000 individuals. OKCIC reports the data breached included name, dates of birth, treatment information, prescription information, medical records, physician information, health insurance policy numbers, phone numbers, Tribal ID numbers, Social Security numbers and driver’s license numbers. They have notified affected customers and engaged a third-party forensic firm.

Note

  • OKCIC’s notification of affected parties, as well as their posted advice, reinforced the value of proactive, rapid, and transparent communication. Not only are they providing identity theft and credit monitoring services to affected individuals, but they also encourage all potentially impacted individuals to take steps to protect their identity and credit, including providing resources and guidance we should all be following.

Read more in

Apple Releases Multiple Updates

Apple released iOS and iPadOS 15.5, watchOS 8.6, macOS 12.4, macOS 11.6.6, Catalina update 2022-004, Xcode 13.4 and tvOS 15.5. The macOS and iOS/iPadOS updates address 34 CVEs; tvOS and watchOS address 27 and 21 respectively. The flaws addressed, in the kernel, WebKit and elsewhere, can lead to arbitrary code execution.

Note

  • These updates are more about security and bug fixes than adding new functionality. With 20-34 CVEs each, you’re going to want to push the updates. With nominal new features, the impact will be minimal to end-users. macOS 12.4 communication safety now allows parents to configure notifications in Messages for images which contain porn or nudity, iOS/iPadOS 15.5 adds functions to Wallet to allow Apple Cash users to send and request money from their Apple Cash card, Apple Podcasts adds settings to limit the number of episodes stored on your iPhone, auto-deleting older ones, and fixes some home automation bugs.

Read more in

Microsoft’s Patch Tuesday for May 2022

On Tuesday, May 10, Microsoft released fixes for more than 70 security issues, including seven that are rated critical. One of the patched flaws, a Windows Local Security Authority (LSA) spoofing vulnerability, is being actively exploited. In a related story, some users have reported authentication failures after installing the May updates. Microsoft is investigating.

Note

  • CVE-2022-26923, while “only” a privilege escalation vulnerability, is relatively easy to exploit and exploits have been well documented. Do not overlook this issue. CVE-2022-26925: Take it as another reason to review the configuration of your Windows systems and make sure NTLM is no longer used.
  • The LSA vulnerability (CVE-2022-26925) is kind of a big deal. While the raw CVSS score is 8.1, Microsoft suggests it warrants a 9.8 in some situations. This flaw allows attackers to exploit a MITM condition to force domain controllers to authenticate with NTLM authentication, which, in summary, means you’re going to need to roll this one out, but do some testing; you’re messing with the authentication stack.

Read more in

CISA Adds BIG-IP Flaw to Known Exploited Vulnerabilities Catalog

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the F5 BIG-IP missing authentication vulnerability to its Known Exploited Vulnerabilities catalog. The flaw is being actively exploited; federal agencies are required to apply updates by May 31.

Note

  • As reported earlier, this vulnerability is heavily exploited and the pool of exposed vulnerable systems has likely been completely compromised by now. Look for webshells and backdoors. If exposed, you will likely find several by now. We also noted some destructive attacks and the system may not reboot cleanly (but function reasonably well otherwise for a while) if affected by them.
  • You’re reading this and saying “We so totally fixed that flaw last week,” right? For real, you need to patch your BIG-IPs and lock down access to their management interfaces. Don’t skip your internal devices. Scan your network for devices which may be overlooked, possibly really old, and patch/update/lifecycle them as needed. If you’re determined to redeploy old (still working) hardware to lower tier environments, make sure that it still includes a lifecycle plan.

Read more in

FDA Medical Device User Fee Legislation Includes Security Requirements

A bill introduced in the US House of Representatives would amend the Federal Food, Drug, and Cosmetic Act. The amendment would require medical device manufacturers to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure, and shall make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device.”

Note

  • A law was enacted in 1992 to allow the FDA to charge manufacturers fees when they submitted applications for product approval – these funds allowed the FDA to shorten the review cycle by increasing staff and other resources required to review applications. This cybersecurity language follows that model and is badly needed – it mainly requires the vendors to demonstrate the product will be under a vulnerability discovery and disclosure program and (finally) products must have the ability to be updated/patched if vulnerabilities are discovered. Good stuff.
  • This bill dovetails with the PATCH Act, which also requires SBOMs, regular testing and assurance as well as the lifecycle plan above prior to pre-market approval from the FDA. This raises the bar on both the production of medical devices and drugs, but also the lifecycle of those in the field and/or implanted. SBOMs are seen as a critical mitigation for software supply chain security risks related to those devices.

Read more in

Five Eyes Alert Warns of Attacks Against Managed Service Providers

Cybersecurity authorities from the Five Eyes countries – the UK, the US, Canada, Australia, and New Zealand – have issued a joint advisory warning that they “are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.” The advisory includes recommendations of security measures and operational controls MSPs and their customers can implement.

Note

  • The back-end management platforms built by many Managed Service Providers often use a lot of open source tools and libraries, putting them at risk to attacks like we’ve seen against Log4J. There are many, many forms of MSPs and all should be subject to demonstrating at least basic security hygiene, but MSPs with remote access to high privilege accounts on internal systems should be required to demonstrate higher levels of security and their connections monitored.
  • This is third-party risk. Your MSP has a trust relationship with you and all their other customers. This means you need to have assessed their security posture and practices, including how they are separating access to customers. Understand how they vet and maintain the products they use. Ask to see their latest external assessment/audit, including actions taken on any issues. Verify these are conducted on a regular basis.

Read more in

Sucuri Analysts Find JavaScript Injection Attacks Against WordPress Sites

Analysts at Sucuri have observed a malware campaign involving malicious JavaScript injected into WordPress websites. The code redirects site visitors to third-party domains that host scams and malware.

Note

  • Attackers have been taking advantage of WordPress vulnerabilities to inject malicious CharCode-obfuscated JavaScript into files in wp-includes with jQuery in the name, which are incorporated into every rendered page with those elements; odds are they are on every rendered page of your WP site. You’ll want to make sure that you’re on full-auto update, verify your site is clean using a scanner, like the free Sucuri scanner (https://sitecheck.sucuri.net), address any issues found, then make sure that you’ve got a WAF, like Wordfence, and pay for security profile updates, to help prevent malfeasance.

Read more in

US, EU, UK: Russia Launched Viasat Attack

The US, the EU, and the UK say that Russia was the perpetrator of a cyberattack on Viasat in the days before it invaded Ukraine. The attack against the satellite network deployed wiper malware that disrupted communications and wind farms.

Note

  • This is an important step in the attribution stakes as it is the first time that the EU has openly identified the source of a cyber attack. It is also important to note that while this attack was aimed at Viasat to disrupt the communications capabilities of the Ukrainian army, it also disrupted businesses outside of Ukraine. It is a good example of why organisations located outside of Ukraine need to be vigilant for cyber attacks that may result in collateral damage against them. So do follow the Shields Up guidance from US Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies.
  • For those, like me, who said that was obvious, step back and remember attribution can be tricky and can have serious ramifications if incorrectly done. Further, it’s possible to fake the fingerprint in malware, as was demonstrated in a project John Strand led where he and his team offered a service which would inject “telltale” fingerprints into an uploaded executable, so it looked like it came from the selected entity. Be patient with those tasked with attribution, provide them tools and information needed, and don’t delay mitigation and remediation activities for their result.

Read more in

Pushback Against Incident Reporting Requirements

The Information Technology Industry Council (ITI) is asking the Securities and Exchange Commission (SEC) to postpone its implementation of regulations that require publicly traded companies and investment firms to report cybersecurity incidents. In public comments, ITI says the rule’s implementation should be delayed “to ensure [it] does not undermine cybersecurity and create additional security risks.” In a separate story, ITI sent a letter to India’s Computer Emergency Response Team (CERT-In) saying that the organization’s six-hour incident reporting rule is not feasible.

Note

  • The major point of ITI’s “undermine cybersecurity” comment is that quickly reporting an incident may give away technical details of vulnerabilities before they are mitigated. This is a pretty low risk – most corporate disclosures of cybersecurity incidents stay at very high levels that make them barely understandable, let alone useful to attackers.
  • With the plethora of cyber security reporting initiatives of late, it is easy to lose track of what’s required and assess if you’re meeting them. Work to develop the needed disclosure processes and relationships to build assurance that information will be properly protected, whether you’re sending information to the CISA, FBI or SEC. Where possible, provide feedback on what timelines are workable, such as India’s six-hour reporting requirement. The goal is to encourage regulators to have a common/consistent requirement.

Read more in

Zyxel Releases Patches for OS Command Injection Vulnerability

Zyxel has released fixes for a command injection vulnerability that affects Zyxel firewalls that have the zero-touch provisioning feature. Researchers from Rapid7 detected the flaw and disclosed it to Zyxel in mid-April. Rapid7 “suggested a coordinated disclosure date in June. Instead, Zyxel released patches to address this issue on April 28, 2022.”

Note

  • Still waiting for exploitation to start, but the vulnerability is trivial to exploit and will likely be added to bots in the next couple days.
  • These are firewalls designed for small business and branch office deployments. On the one hand, this is an easily exploited flaw which doesn’t require authentication and can be weaponized easily. Rapid7 has a Metasploit module to exploit this flaw. On the other hand, Zyxel released a fix two weeks after the flaw was disclosed to them, which is awesome! If you have Zyxel firewalls, update the firmware and enable automatic updates. Shodan queries indicate only about 25% of these devices are running updated firmware.

Read more in

US DEA Investigating Breach

The US Drug Enforcement Agency (DEA) is investigating reports that attackers breached an agency portal that accesses 16 federal law enforcement databases. The incident appears to be linked to a group of attackers that impersonates police and government officials to gather information.

Note

  • The databases provide access to various records including aircraft, firearms, motor vehicles, boats, drones, etc. While the portal is configured to primarily accept Personal Identity Verification (PIV) cards, it also can accept reusable passwords. This is how the site was compromised and why you need to make sure your MFA is comprehensive. If you must enable fallback to password authentication, limit what those weaker credentials can access; better still, provide rapid credential issuance and recovery negating the need for the fallback.

Read more in

BIG-IP vulnerability could lead to arbitrary code execution

A recently disclosed vulnerability in F5 Networks’ BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity. This vulnerability, tracked as CVE-2022-1388, is an authentication bypass vulnerability in F5’s BIG-IP modules affecting the iControl REST component. BIG-IP is F5’s line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing in to and out of networks. The vulnerability has a CVSS score of 9.8 out of a possible 10 and is considered critical.

Read more

Microsoft fixes more than 70 vulnerabilities as part of May Patch Tuesday

Microsoft returned to its normal monthly patching volume in May, disclosing and fixing 74 vulnerabilities as part of the company’s latest security update. This month’s Patch Tuesday includes seven critical vulnerabilities after Microsoft disclosed more than 140 security issues in April. The point-to-point tunneling feature in Windows contains two of the most serious vulnerabilities that could allow an attacker to execute remote code on a targeted RAS server machine. While CVE-2022-21972 and CVE-2022-23270 are rated “critical,” Microsoft stated the attack complexity is high since an adversary needs to win a race condition, making it less likely an attacker could exploit these issues. CVE-2022-26931 and CVE-2022-26923 are elevation of privilege vulnerabilities in Windows Kerberos and Windows Active Directory, respectively. They both are considered critical, though CVE-2022-26931 is considered less likely to be exploited because it has a higher attack complexity.

Read more

Crunch Time for Facial Recognition

In a court settlement with the American Civil Liberties Union (ACLU), controversial facial recognition technology company Clearview AI agreed to not sell access to its facial recognition database of over 10 billion images to private companies or individuals in the US (although selling the use of its algorithm alone is ok).

The ACLU, which brought the case under a US state law, the Illinois Biometric Information Privacy Act, described the settlement as a “big win”, although Clearview’s lawyers also managed to claim victory, writing in a statement:

This settlement is a huge win for Clearview AI. Clearview AI will make no changes to its current business model. It will continue to expand its business offerings in compliance with applicable law.

The settlement does not require any material change in the company’s business model or bar it from any conduct in which it engages at the present time.

Given that Clearview is paying USD$250k for the ACLU and other plaintiffs’ legal fees and USD$50k to publicise the settlement, we think they are really stretching to describe the outcome as a ‘win’.

Clearview’s facial recognition technology is objectively pretty good, as determined by NIST’s facial recognition technology testing. The company has fallen afoul of various regulators, however, for voraciously scraping publicly available images for its facial database without consent.

Clearview is not the only company that does this, but according to the ACLU’s Nate Wessler, Deputy Director of its Speech, Privacy, and Technology Project, Clearview was “especially brazen among American companies” in harvesting faceprints without consent.

“We hope this settlement will be a strong deterrent to any other company considering replicating Clearview’s original business model, by making clear how untenable such practices are under Illinois’ strong law.”

Clearview also aggressively marketed its product to law enforcement by offering free trial accounts to individual police officers without the knowledge of their employers.

The unconstrained collection of biometrics and unregulated use by police forces is concerning, but we think privacy advocates sometimes go too far.

In a statement given to this newsletter, for example, the EFF’s Senior Staff Attorney Adam Schwartz wrote:

The settlement announced today in the Illinois lawsuit, ACLU v. Clearview, demonstrates the need for strong data privacy laws, modelled on the Illinois Biometric Information Privacy Act. These laws must also include a ban on government use of face recognition technology, including through private contractors like Clearview.

Similarly, the ACLU’s Wessler told this newsletter that the ACLU was working to “enact state and local bans on police use of face recognition technology in dozens of jurisdictions across the country”.

Although these technologies present risks to civil liberties, they can also be used to improve public safety. The trick is to strike the right balance.

According to James Lewis, Senior Vice President at the Center for Strategic and International Studies (CSIS) and author of a report on the responsible use of facial recognition technologies, public safety “tends to get left out” of the discussion.

In most respects, the three experts we consulted were in agreement.

They all agreed that there are more risks from facial recognition technology than just Clearview and that overarching federal legislation is desirable. As Lewis puts it, “federal regulation would be the best solution instead of 50 states with different rules”.

Where they differed however, was on the desired end state. Wessler and Schwartz were sceptical about legitimate government uses of facial recognition technology, whereas Lewis argued for a tiered approach, outlined below:

  1. Strict controls on use by law enforcement agencies should be similar to those used for communications data. These should include oversight and prior approval for programs, transparency in use, rules limiting secondary uses of collected data, and requirements for human review and rights for redress.
  2. Rules governing government uses other than law enforcement should be less restrictive. These should also include transparency and oversight, defining acceptable secondary uses, and providing processes for redress.
  3. Rules for commercial use should be linked to improved privacy protections. Rules for commercial use in public spaces may need to be more fulsome than rules for on-premise use.

These tiers make sense to us, and there are certainly reasons to be wary of unrestrained government access to its citizens’ data. A Georgetown Law Center on Privacy and Technology report this week says US Immigration and Customs Enforcement (ICE) has built a “surveillance dragnet by tapping data from private companies and state and local bureaucracies” while avoiding congressional oversight.

Russia’s Coolest Hack Condemned by EU, Five Eyes

The US, UK, European Union, and other countries have formally attributed various cyber attacks on Ukraine to Russia, most notably the hour-before-invasion attack on Viasat’s KA-SAT communications network. The attack affected tens of thousands of terminals, and although aimed at Ukrainian command and control, other customers were affected, including private and commercial internet users and wind farms in central Europe.

Interestingly, while some statements explicitly condemn malicious cyber activity in general or the attack on KA-SAT in particular, the UK’s statement is much more circumspect. It said “Russia is responsible for a series of cyber-attacks”, but didn’t explicitly condemn them separately from Russia’s broader war.

The Russians seem to have focussed their attack on terminals in spot beams that serviced Ukraine rather than disabling KA-SAT entirely, so there is an argument to be made that this was a proportionate attack on a legitimate military target.

Other destructive attacks also seem to have, at least so far, been focussed relatively narrowly on Ukraine, and we haven’t (thankfully!) seen a repeat of NotPetya. From what we can see so far (a huge caveat!), we think Russian cyber operations have been relatively responsible.

A statement by UK Foreign Secretary Liz Truss points out that cyberspace isn’t special and that unprovoked aggression is a problem wherever it occurs:

We will continue to call out Russia’s malign behaviour and unprovoked aggression across land, sea and cyberspace, and ensure it faces severe consequences.

The real problem with all these destructive cyber operations isn’t the attacks themselves, it’s that the whole war is unjustified, irresponsible, and illegal. These cyber attacks are arguably targeted and proportionate, but what makes them necessary? Putin’s idiocy?

Ransomware “National Emergency” in Costa Rica

The newly installed President of Costa Rica, Rodrigo Chaves, has declared a state of emergency after a ransomware attack by the Conti group. The attack took place in mid-April, prior to Chaves’ inauguration, and has affected a number of government organisations including the Ministry of Finance. Independent news outlet Amelia Rueda reports that the Finance Ministry has been without digital services since 18 April and has to resort to manual procedures.

Funnily enough, the fact ransomware hasn’t destroyed the government’s ability to function illustrates the limits of disruptive cyber operations in other contexts — Conti has caused a lot of pain in Costa Rica, resulting in a national emergency, but somehow the government is muddling through. It says it is refusing to pay a USD$10m ransom, and the angry rhetoric from Conti’s affiliate makes us believe them.

“The US public sector has long been ransomware gangs’ target of choice, but that may be changing. While attacks in countries like Costa Rica and Peru may not offer the same ROI, the increasing number of successes by US and European LEAs may make them seem like a safer choice,” Callow said.

The US State Department calls Conti “the costliest strain of ransomware ever documented” and cited an FBI estimate of over 1,000 victims and USD$150m in ransom payments. However, Chainalysis counted Conti’s takings at USD$180m in 2021 alone, so who knows what the real total is. The State Department continues to use large rewards as a tool against cyber criminals. It cited the Costa Rican incident when offering rewards of up to USD$10m for Conti’s key leadership and USD$5m for other Conti co-conspirators.

Conti is the third ransomware group that the State Department has offered rewards for, after DarkSide and REvil in November last year. It’s not clear what impact these types of rewards have, but that’s ok: even if rewards don’t work, they’re low cost until they do.

My Phone is my password

Apple, Google and Microsoft have announced that they’ll support a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. This means that one day you’ll be able to log onto all the things by logging onto your device. Brian Krebs has a good wrap on the tricky but not all that uncommon problems like, what happens when you lose your phone?

Fined for Being Hopeless

The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) intends to fine Colonial Pipeline USD$1m for not complying with various control standards. Colonial Pipeline was the victim of a May 2021 ransomware attack that resulted in significant disruption to US east coast fuel supplies. The fine doesn’t relate to cyber security standards per se, but Colonial essentially ignored the requirement for it to have manual shutdown and restart procedures in place. Colonial’s ‘plan’ for a manual restart was to just figure things out if they ever needed to. PHMSA alleges this planning failure “contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack”.

Mandatory MFA for GitHub

GitHub will require all users who contribute code to use MFA by the end of 2023. It sounds like GitHub would like to move faster but will spend some time figuring out how to improve security without it being too much of a PITA, such as by using passwordless authentication (cheerful reason #1).

Knives Out in Spain’s Phone Hacking Fallout

The head of Spain’s official intelligence agency (the CNI), Paz Esteban, has been dismissed after two separate mobile spyware campaigns have come to light in recent weeks.

The first campaign involved the domestic targeting of individuals linked to the Catalan separatist movement. The second campaign, most likely international espionage, involved the compromise of the phones of the Prime Minister, the Minister of Defence, and the Interior Minister.

Esteban reportedly admitted the CNI had hacked some Catalan pro-independence politicians after obtaining judicial approval, but the government says the second campaign is “illegal and external”.

It’s not altogether clear why Esteban is being removed. When announcing her dismissal, Defense Minister Margarita Robles implied that it was because the compromise of senior ministers’ phones went undetected for so long. Robles said “that [the hacks of government phones] took a year to discover, well, it is clear there are things that we need to improve”.

“We are going to try to ensure that these attacks don’t happen again, even though there is no way to be completely safe”, Robles continued.

We have our suspicions that Esteban’s removal has more to do with politics than insecure phones — the current minority government relies on Catalan separatist parties for support in Parliament.

What Does the F in F5 Stand For?

It’s been a while since we’ve seen a dunce-cap level vulnerability in enterprise software, but F5 has come through with a doozy. Its BIG-IP portfolio of appliances, which includes encryption inspection boxes, load balancers and firewalls, is vulnerable to an attack that lets people log on as an admin without a password.

A patch is available and this is definitely one to fix quickly. This vulnerability is being exploited and has already been added to CISA’s list of exploited vulnerabilities. There were reports someone was dropping a wiper which deletes the BIG-IP device’s Linux file system, but this doesn’t appear to have been widespread.

A bunch of similar bugs made last week’s Five Eyes 2021 Top Routinely Exploited Vulnerabilities list. These bugs — in Accellion, Fortinet, Pulse Secure and SonicWall devices — are internet-facing, tend to have broad access into a network and often have administrative privileges. Everything an attacker could wish for, wrapped up in a nice null password bug.

US college to shut down

Lincoln College, a predominantly black college based in Illinois, is scheduled to shut down operations on Friday, becoming the first US educational institution to close down due to a ransomware attack, The Hill reported on Sunday. In a message posted on their website, college officials said the institution has struggled to recover its data following a ransomware attack that took place in December 2021. While the college had already been struggling with enrollments due to the COVID-19 pandemic, the attack hindered access to all institutional data, blocking recruitment, retention, and fundraising efforts and creating an unclear picture for next year. When systems were restored in March, officials discovered, too late, a grim enrollment projection for fall 2022, which required a great financial effort to keep the college afloat.

Another crypto heist

The operators of decentralized finance (DeFi) lending and credit protocol Fortress announced on Sunday that about $3 million worth of cryptocurrency was stolen during an attack on third-party infrastructure. While the company has not published a full post-mortem of the recent incident, Fortress described the incident on Twitter as an “oracle manipulation attack” that drained all its funds.

OPM settlement

Federal employees have asked a judge to approve a $63 million settlement in a class-action lawsuit related to the 2015 OPM data breach. The settlement, if approved, would grant between $700 and $10,000 to current and former OPM employees who had their data snatched by Chinese state hackers back in 2015. More than 21.5 million OPM employees had their information stolen, but only those who can prove a direct economic loss from the hack will be eligible for compensation.

9 May hacks

Pro-Ukraine hacktivists have hacked and defaced several Russian TV and online platforms on Monday during Russia’s Victory Day celebrations, WaPo reported. The attackers defaced TV schedules on Russian smart TVs and widgets on the Yandex search engine to show a message reading: “On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war.” In addition, the hackers also launched an attack against RuTube, a local Russian YouTube-like video hosting platform. Initially, the attackers claimed to have wiped the site’s content, but RuTube denied their claims in a statement published on Tuesday. The Russian video platform said that 75% of its web infrastructure was destroyed but that its source code and video archives were intact.

AA breach

The New Zealand Automobile Association said that it recently discovered that a threat actor used a vulnerability to extract personal data for some of its users from one of its older websites. In a statement posted on its official site, AA said the attacker exploited a bug in a version of AA Traveller, an online platform for making travel reservations. AA said the vulnerable site was in use between 2003 and 2018 but did not say how many users had their personal data stolen in the attack. This is the second time that AA discloses a breach of this nature after a first incident in 2010.

Clearview AI lawsuit

The ACLU and Clearview AI have agreed to a court settlement that will ban the company from selling its biometrics database to private businesses or individuals in the US. Both parties celebrated the settlement as some sort of win, but as Michael Kan, a reporter for PCMag, pointed out, Clearview appears to have won more, as the company was not selling its facial recognition tech to private businesses in the first place, only to state agencies, meaning the settlement will have little impact on its operations.

CCC privacy warning

Germany’s Chaos Computer Club, one of the largest hacker communities in the world, published a blog post on Tuesday [in German] warning their members about the EU’s plan to screen all IM/chat messages. Euractiv has obtained and broken down a copy of the EU’s proposed plans—meant to combat child pornography.

Pentagon hates data brokers

And now for an oxymoron from the US government on data brokers and privacy. For starters, the US DoD has put out a call to the private sector for solutions to protect its military and civilian personnel from data tracking and data brokers that can amass vast quantities of information about its staff.

ICE loves data brokers

But on the same note, ICE absolutely loves data brokers, according to a recent report. Academics from Georgetown University said that they’ve discovered that ICE has used data brokers to bypass US judicial, legislative, and public oversight and build a surveillance system capable of tracking most US citizens.

DOD cyber to get State Dept. oversight

Cyberscoop reported on Tuesday that the White House is preparing an agreement to give the State Department more say in some DOD offensive cyber operations. The State Department will have a say in whether the DOD sends notifications to foreign countries about its intention to enter their cyberspace to interrupt adversary infrastructure, according to sources familiar with the future agreement.

New Kaspersky probe

Following Russia’s invasion of Ukraine, US officials have started a new probe into Russian security firm Kaspersky, Reuters reported on Monday, citing three people familiar with the new investigation. The probe is being led by the US Department of Commerce using new broad powers granted to it by the previous Trump administration. Reuters claims these new powers could allow the Commerce Department to ban the use of Kaspersky software across the US, ban purchases by US citizens, or prohibit the download of software updates. US regulators already banned federal government use of Kaspersky software in 2017.

Biden signs cybercrime bill

President Joe Biden signed the Better Cybercrime Metrics Act into law last week. The new law aims to improve how the federal government tracks, measures, analyzes, and prosecutes cybercrime offenses.

Spain fires intel chief

The Spanish government has fired the director of its intelligence agency, citing the agency’s failure to detect the Pegasus spyware on the phones of Spanish officials for more than a year. Paz Esteban, director of the National Intelligence Center (CNI), was relieved of duties on Tuesday. Prime Minister Pedro Sánchez’s mobile phone was breached twice in May 2021, and Defense Minister Margarita Robles’ device was targeted once the following month, per an AP report earlier this month.

Ransomware count

Microsoft’s security team said on Monday that it tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities. Microsoft called the DEV-0193 cluster (also known as Trickbot) “the most prolific ransomware group today.”

DCRat

The team at BlackBerry has published an in-depth report on DCRat (or DarkCrystal RAT), a remote access trojan sold on underground cybercrime markets. Sold predominantly on Russian underground forums, BlackBerry said DCRat was one of the cheapest commercial RATs they’ve ever come across, priced at only $6 for its lowest tier.

FluBot

Finland’s cybersecurity agency published an alert on Tuesday about a new wave of SMS spam distributing links to apps infected with the FluBot Android malware.

German car dealerships

Check Point has a report out on an email phishing campaign targeting German car dealerships and manufacturers. The final payloads in the attacks are infostealers such as Raccoon, AZORult, or BitRAT.

UK hacker charged

The DOJ has charged a UK national for a hacking campaign that took place between 2011 and 2018. The suspect stands accused of gaining access to email servers and computers belonging to US financial institutions in order to steal money from online bank accounts and make unauthorized stock transactions from brokerage accounts. The suspect was detained in the UK in August 2021, and the US is now seeking his extradition.

Quantum Locker

Security firm Cybereason has published a report on the Quantum Locker ransomware, the latest rebrand of the MountLocker crew. Previous rebrands included the AstroLocker and XingLocker ransomware variants.

New REvil samples

Secureworks has published a report on samples of the REvil ransomware that were used in recent attacks over the past weeks. The company concluded that this new REvil group has access to the original REvil ransomware source code, “reinforcing the likelihood that the [REvil] threat group has reemerged.”

Black Basta

Trend Micro has published a report on the new Black Basta ransomware operation, believed to have splintered off from the old Conti gang.

Frappo

Something we missed last month—Resecurity’s report on Frappo, a new Phishing-as-a-Service platform for cybercrime groups.

F5 active exploitation

Owners of F5 BIG-IP devices (load balancers, firewalls, and proxies) are advised to install the security updates F5 Networks released last week for a vulnerability tracked as CVE-2022-1388. Reports are coming in from multiple threat intel analysts and security firms that several threat groups are now exploiting this bug, which has already been used to hijack at least 300 devices. The attacks began earlier this week, after several security researchers published PoCs for the bug over the weekend, which fast-tracked exploitation.

Google reviews AMD security processor

Google’s infamous Project Zero team has released a security audit [PDF] of the AMD Security Processor (ASP), an isolated core in AMD EPYC CPUs that handles secure system initializations. The report found 19 security issues. Google said AMD fixed all reported flaws.

Good-guy researcher

A security researcher has recently avoided a major disaster by registering the expired domain that was used as the email domain for a very popular npm library. If left unregistered, the domain and the npm package could have been hijacked by a threat actor. This new technique of hijacking npm accounts was first discussed in an academic paper published last December. At the time, the researchers said they found that thousands of npm packages were using expired email domains for their npm portal accounts.

Patch Tuesday

Yesterday was Patch Tuesday, so there are loads of security updates to apply this morning, such as those from VMware, Adobe, and Microsoft. The Microsoft updates also included a fix for an actively exploited zero-day (CVE-2022-26925), and half of the 75 fixed vulnerabilities were reported by one single company—China’s Kunlun Lab.

New tool

Crowdsource hacker Luke “hakluke” Stephens has released a new tool for discovering the origin host behind a reverse proxy which is useful for bypassing WAFs and other reverse proxies.

One Year Later, US Regulator Proposes Colonial Pipeline Fine

The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed fining Colonial Pipeline nearly $1 million for control room management failures that contributed to the severity of the May 2021 cyberattack. One year ago, Colonial Pipeline shut down operations in the wake of a ransomware attack. According to a PHMSA press release, the Notice of Probable Violation (NOPV) and Proposed Compliance Order “alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack.”

Note

  • While PHMSA is still under the US Department of Transportation, the Transportation Security Administration (TSA) which is under DHS has overall responsibility for pipeline security. Until the Colonial Pipeline incident, TSA largely focused on voluntary compliance and interviews on security issues, mostly focused on operational technology and physical security, with no real audits. Since the incident, TSA has put out 2 Pipeline Cybersecurity Directives (one requiring a “Cybersecurity Coordinator” for the first time) and established a cybersecurity operations branch. This is a good example to use to drive a proactive review of (a) cross OT/IT cybersecurity visibility into and security testing of OT cybersecurity and (b) development of playbooks for response to a cyber incident that impacts OT operations directly or indirectly.
  • If you had not considered regulatory fines for breaches and ransomware, here is an example you can use. The direct cost is more obvious: negotiator, incident response, recovery, etc. I go deeper into these costs in my blog: www.scythe.io/library: The Real Costs of Ransomware: Direct Costs
  • This emphasizes the importance of a viable COOP plan. If you’re in a regulated industry, you need to make sure that your regulators are on-board with your service resumption goals. Even so, you need to make sure you can meet those goals, to include any assumptions about acquisition. Revisit plans about backup communication paths as well as changes to perimeter security to facilitate resumption of operations. The last two years have taught us that exposed services are rapidly targeted, remember security by obscurity isn’t. Stand things up securely from the get-go.
  • In addition to fines, accountability for these failures should include changes in both governance, directors, and management. Fines alone are not sufficient to change an organization’s behavior.

Big-IP Flaw is Being Actively Exploited: Patch Now

A critical vulnerability in F5’s Big-IP appliances is being actively exploited. F5 released fixes for the flaw last week. The flaw affects the Big-IP iControl REST authentication component. It can be exploited to execute commands with root privileges and could potentially allow attackers to take complete control of vulnerable devices.

Note

  • This is a serious vulnerability and represents a foundational misunderstanding of threat modeling. Regardless of authentication bypass issues, F5 essentially built a webshell into its product. The only saving grace is that the management interface of the F5 should not be accessible from the Internet. Still, we’re already observing threat actors exploiting the vulnerability. I wrote a blog post on the post-exploitation activity observed and recorded a video dissecting the vulnerability, including recommendations for organizations.
    Blog post: www.scythe.io: VULN ALERT: F5 Big-IP appliances vulnerability – CVE-2022-1388
    Video: www.youtube.com: Threat Emulation Plans for F5 Big-IP appliances vulnerability – CVE-2022-1388
  • Our honeypots started seeing numerous exploit attempts Sunday-Monday night. Exploit attempts include simple recon, backdoors (including webshells), data exfiltration and even two attempts to destroy the devices. Please see this as yet another “last warning” to remove admin/control interfaces from public networks and carefully restrict traffic to these interfaces. This particular vulnerability is about as bad as they come, but F5 isn’t the only one having patched an unauthenticated remote code execution flaw recently. The number of exposed systems is small, but if your system is vulnerable and exposed, it was likely exploited by now.
  • Readers of this newsletter probably know to turn off external management interfaces, but when’s the last time you ran ssh [email protected] nmap $(curl icanhazip.com) on your home network? On your friends’ and relatives’?
  • If you’re still procrastinating because the flaw wasn’t well known, or being exercised, time’s up. Make sure that you’ve got your roll-back process well defined then get that maintenance window lined up. Repeat until done.

Agricultural Equipment Company Systems Hit with Ransomware

Agricultural machinery maker AGCO says its systems were hit with a ransomware attack. The incident affects some of its production facilities. AGCO says it “is still investigating the extent of the attack, but it is anticipated that its business operations will be adversely affected for several days and potentially longer to fully resume all services.”

Note

This is the time of year when agricultural machinery is in high demand as crops are planted, making the attack even more disruptive. While you may not have heard of AGCO, its brands include Challenger®, Fendt®, GSI®, Massey Ferguson® and Valtra®, and its biggest rivals are Caterpillar, Komatsu and John Deere & Company. We’ve been talking about supply chain risks for a bit, but have you considered the availability of large system components and your realistic ability to pivot to alternatives? How about when those components are pre-paid? How about a supplier which provides services that manage operations?

Microsoft Fixes Azure Data Factory and Azure Synapse Pipelines Vulnerability

Microsoft has released updates to address a vulnerability affecting Azure Data Factory and Azure Synapse Pipelines. The issue could be exploited to execute remote commands across Integration Runtimes. Microsoft does not expect that customers will need to take any action, but in the event that action is necessary, customers will receive notifications through Azure Service Health Alerts.

Note

If you’re running Azure Integration Runtime, or on-premises Self-Hosted Integration Runtime, with auto-updates enabled, you’re good to go. If you’re not so big on auto-update – keep an eye on your Azure Service Health notifications and have a frank conversation about enabling auto-updates, things are moving pretty fast these days, and leveraging auto-updates from your providers can save you all sorts of long-term issues.

RubyGems Fixes Critical Unauthorized Gem Takeover Flaw

RubyGems has fixed a critical vulnerability that could be exploited to unpublish Ruby packages from the repository and put altered and/or malicious versions in their places. The flaw affected RubyGems.org, which hosts more than 170,000 gems.

Note

This was a simple oversight and there is no evidence it’s been exploited. While authentication and most rights were indeed checked, the check that the gem you were accessing was indeed the one you’re permitted access to was missed; this is fixed. RubyGems also now sends an email to the gem owner when a gem is yanked or published. As a package owner, you should audit your gems for signs of potential tampering as well as make sure that you’re following best practices outlined in the mitigation section of the RubyGems GitHub page below.
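The missing check described in the note is a missing object-level authorization check: the caller is authenticated and has the right to yank gems in general, but nothing verifies that the caller owns the specific gem named in the request. The following is an added example, not RubyGems.org’s own code, showing a minimal yank endpoint in that vulnerable shape beside a hardened one that also emits the owner notification; the registry, users, API keys and gem names are all constructed for the demo.

```ruby
require 'set'

# Constructed records for the demo (not RubyGems.org's data model).
User      = Struct.new(:id, :name, :api_key, :can_yank)
GemRecord = Struct.new(:name, :versions, :yanked)

class Registry
  attr_reader :outbox # constructed stand-in for owner notification emails

  def initialize
    @users  = {}                                  # api_key => User
    @gems   = {}                                  # gem name => GemRecord
    @owners = Hash.new { |h, k| h[k] = Set.new }  # gem name => Set of user ids
    @outbox = []
  end

  def add_user(id, name, api_key, can_yank: true)
    @users[api_key] = User.new(id, name, api_key, can_yank)
  end

  def add_gem(name, owner_id, versions)
    @gems[name] = GemRecord.new(name, versions.dup, Set.new)
    @owners[name] << owner_id
  end

  def yanked?(gem_name, version)
    @gems.fetch(gem_name).yanked.include?(version)
  end

  # Vulnerable shape: the caller is authenticated and the coarse "may this
  # account yank at all?" right is checked, but nothing ties the requested gem
  # to the caller's own ownerships, so any gem owner can yank any gem.
  def yank_vulnerable(api_key, gem_name, version)
    user = @users[api_key]
    return response(401, 'unauthenticated') unless user
    return response(403, 'account may not yank') unless user.can_yank
    gem = @gems[gem_name]
    return response(404, 'unknown gem or version') unless gem && gem.versions.include?(version)
    gem.yanked << version
    response(200, "yanked #{gem_name} #{version}")
  end

  # Hardened shape: the same checks plus the object-level one (is this user an
  # owner of this specific gem?), followed by a notification to every owner so
  # that an unexpected yank is visible to the people who can act on it.
  def yank_hardened(api_key, gem_name, version)
    user = @users[api_key]
    return response(401, 'unauthenticated') unless user
    return response(403, 'account may not yank') unless user.can_yank
    gem = @gems[gem_name]
    return response(404, 'unknown gem or version') unless gem && gem.versions.include?(version)
    return response(403, "#{user.name} is not an owner of #{gem_name}") unless @owners[gem_name].include?(user.id)
    gem.yanked << version
    @owners[gem_name].each do |owner_id|
      @outbox << { to: owner_id, text: "#{gem_name} #{version} was yanked by #{user.name}" }
    end
    response(200, "yanked #{gem_name} #{version}")
  end

  private

  def response(status, body)
    { status: status, body: body }
  end
end

# Constructed registry: two users, each owning exactly one gem.
def demo_registry
  r = Registry.new
  r.add_user(1, 'alice', 'key-alice')
  r.add_user(2, 'mallory', 'key-mallory')
  r.add_gem('alice-gem', 1, ['1.0.0', '1.1.0'])
  r.add_gem('mallory-gem', 2, ['0.1.0'])
  r
end

if $PROGRAM_NAME == __FILE__
  r = demo_registry
  p r.yank_vulnerable('key-mallory', 'alice-gem', '1.0.0') # 200: mallory yanks a gem she does not own
  r = demo_registry
  p r.yank_hardened('key-mallory', 'alice-gem', '1.0.0')   # 403: ownership check blocks it
  p r.yank_hardened('key-alice', 'alice-gem', '1.0.0')     # 200: the owner may yank
  p r.outbox                                               # one notification, to alice
end
```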

Better Cybercrime Metrics Act Becomes US Law

Last week, US President Joe Biden signed the Better Cybercrime Metrics Act into law. The legislation requires the Department of Justice and the FBI to maintain cybercrime statistics and requires the DoJ to work with the National Academy of Sciences to develop a taxonomy to help make sense of the information.

Note

  • Reliable, repeatable data on cybercrime incidents is badly needed, but don’t look for output from this Act for at least two years. The taxonomy effort alone is planned to take 1 year.
  • Until the taxonomy is completed, the benefits cannot begin to be realized. With luck this will lead to standardized metrics which will allow us to consistently assess the current landscape.
  • This effort might be bootstrapped by starting with the VERIS framework used by the many contributors, including the FBI and Secret Service, to the Verizon Data Breach Incident Report (DBIR).

US State Department Offers Reward for Info About Conti Ransomware Operators

In an attempt to hobble the Conti Ransomware operation, the US State Department is offering “a reward up to $10,000,000 for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group [and] a reward of up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”

Note

  • This is another measure to deter malicious actors but will probably only gain businesses more time to prepare as other actors will fill in Conti’s place. The best time is now folks. Test, measure, train and improve your people, process, and technology. We have a ton of resources at SANS: https://sans.org/purple-team
  • Given the alignment of the Conti Ransomware operators with the Russian government, it’ll be interesting to see if anyone takes the State Department up on this offer. Also, as they are a RaaS provider, it’s not clear how much legal action will flow down to their affiliates using their platform. This should be interesting to watch.

Costa Rica Declares Cybersecurity Emergency

Costa Rica’s new president Rodrigo Chaves has declared a state of cybersecurity emergency several weeks after a Conti ransomware attack significantly impaired multiple government computer networks. The country’s treasury has not had access to digital services since mid-April.

Note

  • The attacks on Costa Rica commenced April 18th, and they are still recovering, and their government has decided they are not going to pay the ransom. The attack is impacting their Ministry of Finance, Ministry of Science, Innovation, Technology and Communications, National Meteorological Institute, Radiographic Costarricense, Costa Rica Social Security Fund, and others. The reward offered by the US State Department hopes to result in a take-down before others can be harmed. In the meantime, this declaration will enable the support needed to apply resources to recovery, remediation, and prevention of recurrence, just as an emergency declaration after a natural disaster does.

Read more in

Data broker selling location of people who visit abortion clinics

This week saw the leak of a Supreme Court draft opinion that indicated that the court will soon overturn Roe v. Wade here in the U.S., ending guarantees that protect a person’s constitutional right to have an abortion. Clearly this will have major ramifications, not least for human rights and healthcare — but also for privacy rights, especially for those who seek abortions or need to seek medical and reproductive services in places where procedures are banned. As @josephfcox reported this week it’s incredibly easy to identify people who visit abortion clinics from the location data collected from the apps on people’s phones. @alfredwkng also reported on another data broker that offered location insights on dozens of Planned Parenthood locations. My colleague @carlypage_ explored the not-unfounded fears that data collected from period trackers could be used in a post-Roe world to prosecute people seeking abortions. No matter which way you look at it, we’re on the edge of a major human rights crisis in the U.S., and reporting this week shows just how easy it is for data to be used to identify people. As Recode says, “The pre-Roe world didn’t have data privacy laws. The post-Roe world needs them.”

Read more in

Grindr user data was sold through ad networks

The precise movements of millions of users of the gay-dating app Grindr were collected from a digital ad network since at least 2017, according to sources speaking to the Journal. Grindr cut off the flow of location data two years ago. But for a time this commercially available data contained at-times intimate details about its users, like location data. It’s the same kind of location data that allowed a publication to out a U.S. Catholic official last year as a Grindr user.

Read more in

Over 200 Spanish mobile numbers ‘possible targets of Pegasus spyware’

The Moroccan government is likely behind the mobile hacking of 200 Spanish phone numbers, including Spain’s prime minister and defense minister, in mid-2021. The hacks happened at a turbulent time for Spanish politics, given the divisive pardons of nine Catalan independence leaders and a separate diplomatic spat with Morocco. Their numbers were on a leaked list of phone numbers said to be possible targets of NSO’s Pegasus spyware, but also Candiru spyware, according to Citizen Lab’s report last month. This week also saw a leading Catalan separatist politician say that Spain’s spy chief “acknowledged” that her agency hacked into the phones of “some” of the Catalonian pro-independence party members. So, to recap: Morocco is likely hacking politicians in Spain, and Spain is likely hacking politicians in Catalonia.

Read more in

Cyber Command did nine ‘hunt forward’ ops last year, including in Ukraine

U.S. Cyber Command, the offensive operations sister agency to the NSA, launched nine “hunt forward” operations last year, which is to say operations that have caused friction to the adversary in cyberspace. One of the operations was to help build resilience in Ukraine ahead of an anticipated (and eventual) Russian invasion. The unit’s chief, Gen. Paul Nakasone, told the AP that some of these operations involved deploying defensive teams, including in Lithuania. As an aside, Nakasone, who has headed both Cyber Command and the NSA under the Trump and Biden administrations, has been asked to stay on for another year beyond his four-year posting.

Read more in

Heroku resets user passwords weeks after GitHub OAuth token theft

ZDNet: Heroku has reset user passwords after sending out a last-minute alert warning users that their API access would also get wiped out and would need to be regenerated. It follows a security incident on April 12 that saw a theft of OAuth tokens — four tokens related to Heroku Dashboard and one from Travis CI. The OAuth token theft was detected by GitHub. The attacker used the tokens to read and list all of the private repos they could access, and downloaded the contents of private repos from dozens of organizations. SecurityWeek explains more, too. People are rightfully not thrilled about Heroku’s handling of all this.

Read more in

GitHub will require all code contributors to enable two-factor by 2023

TechCrunch: Speaking of GitHub, the coding platform giant will require all users who contribute code to enable two-factor authentication by the end of 2023. According to GitHub’s own data, only about 16% of active GitHub users and 6% of npm users have 2FA enabled. Per @fredericl: “That is not a lot, and frankly fewer than I would have expected.” Here’s GitHub’s explainer on the data.

Read more in

Man convicted in phishing scam that cost Pentagon $23.5M

Decipher: A California man was convicted this week of launching a complex phishing attack that allowed him to steal the login credentials of a defense contractor employee, who was responsible for communicating with the Pentagon using a government system, to break in and redirect $23.5 million in federal funds to a bank account that he owned. The money was meant for supplying jet fuel to troops in southeast Asia. (So, did he not think the government would notice when their jet fuel didn’t turn up?) Still, a good lesson for network defenders. More from Bleeping Computer, and the Justice Department’s own presser.

Read more in

India’s new super app has a privacy problem

How much would it completely upend your day if you logged into a new app for the first time and all of your personal data was already there? That’s what happened to many in India who signed up to Tata Neu, the country’s latest do-everything app. The app is run by the Tata Group, one of India’s largest conglomerates and a regular household name, which has amassed so much personal information — in large part because India has incredibly lax privacy rules.

Read more in

Google drops IOCs on threat activity in eastern Europe

Google’s TAG has a new blog post with new indicators of compromise for a range of threat actors operating in Eastern Europe using the war in Ukraine as a lure. Russia’s APT28 or Fancy Bear gets a mention, as does Turla and Ghostwriter, a Belarusian group with links to Moscow, as well as an espionage group operating out of China.

U.S. planning significant sanctions on Hikvision

According to the Financial Times, the U.S. is close to imposing new sanctions on Hikvision, the China-based video surveillance equipment maker accused of supplying its technology to detention camps in Xinjiang, which Beijing uses to oppress the largely-Uyghur population. The new sanctions would put Hikvision on the same “specially designated nationals” list as terrorists and drug traffickers and would make it near-impossible for U.S. and other Western countries to do business with Hikvision. Last month I spoke with a Kyrgyz man and a former Xinjiang prisoner, who gave a first-hand account of the use of Hikvision’s technology in the camps. Washington is already in discussions about the sanctions with allies, per Reuters.

Big tech teams up on passwordless tech

Of the few things that Silicon Valley can get behind, a future without passwords is one of them. Google, Apple and Microsoft said this week (via ZDNet) that they will build passwordless support into their devices and platforms. “This means that, sooner or later, you won’t need a password to log into devices, websites or applications. Instead, your phone will store a FIDO credential called a passkey, which is used to unlock your device — and your entire online account.”

Ikea Canada hit by data breach, instructions unclear

An employee of Ikea Canada compromised a database of 95,000 Canadian customers, according to Dark Reading, by performing unsanctioned searches over a period of three days in early March. Ikea confirmed the breach and said that personally identifiable information was compromised — including names, email addresses, phone numbers and postal codes — but that banking information was not included.

CERT-IN’s VPN logging announcement in context

The latest rules from CERT India asking VPN providers to collect user data or face jail terms are interesting because the organisation lacks both:

  • the technical capability
  • the enforcement powers

Their technical limitations were on display in November 2019 when Meta reported the vulnerabilities in WhatsApp that were used by Pegasus. CERT-IN famously responded that it was “a communication in pure technical jargon.”

The VPN notification also contains gems, such as:

  1. Strict requirement to use specific Indian controlled NTP servers, 3 out of 4 of which are down.
  2. Report incidents via a form (whatever happened to STIX or TAXII?)
    • Including port scanning attempts (!!)
  3. Mandatory logging of data with 180 days retention for every server
  4. Every data centre, public company or corporation that provides hosting or cloud services must collect user data.

The Ukraine war has clearly demonstrated the dangers of relying on other countries’ infrastructure. It is understandable to want to limit reliance on external infrastructure.

The key takeaway here, though, is that although countries want to be self-reliant, aspiration is no substitute for capacity, capability and budgets.

GitHub Will Require 2FA for Developers and Other Contributors by End of 2023

GitHub says that it will require all code contributors to enable two-factor authentication (2FA) by the end of next year. GitHub CSO Mike Hanley wrote that “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

Note

  • This is awesome. Comprehensive 2FA is essential to prevent bypass use cases. Be proactive and enable 2FA for your account now rather than scrambling, and getting stressed, after a hard deadline. Check out the npm 2FA phased rollout timeline to be aware of when you may fall into an enforcement window and to model a plan for getting your staff and contributors on 2FA.
  • GitHub had previously said only developers and admins would have the 2FA requirement; good to see the strong authentication mandate extended.

Read more in

Apple, Microsoft and Google Will Support Passwordless Authentication

Microsoft, Apple, and Google have announced that they will implement standards developed by the FIDO Alliance and World Wide Web Consortium (W3C) intended to eliminate passwords. The new standards will allow users to authenticate with PINs or biometric information.

Note

  • This is by far the most promising effort to solve the authentication challenge. In my opinion, the most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators. If you haven’t done so yet: Look into what it will take to integrate these standards with your web application.
  • Great to see, but most previous attempts at getting standards to be agreed upon and implemented by these “big three” have failed. I think this has a much better chance of success. Fewer passwords in use are better than more, but it is important to see the protocols and implementations thoroughly pounded on by researchers before any releases.
  • Adoption of new stronger authentication technology can be hastened by it being easier and faster than the old technology. The new standards from FIDO and W3C being implemented in Office, Azure, iPhones, Chrome, Gmail, and iCloud are intended to do just that, enabling access to existing passkeys, allowing mobile devices to be used for authentication on a nearby computer. It’s time to see where these activities lie on your IDP or service provider’s roadmap to build a path forward towards passwordless authentication for your users.

Read more in

White House National Security Memorandum on Quantum Computing

The White House has issued a new National Security Memorandum that “identifies key steps needed to maintain the Nation’s competitive advantage in quantum information science (QIS), while mitigating the risks of quantum computers to the Nation’s cyber, economic, and national security.” Agencies that fund quantum computer research or develop or acquire quantum computers have 90 days to “coordinate with the Director of the Office of Science and Technology Policy to ensure a coherent national strategy for quantum information science (QIS) promotion and technology protection.”

Note

  • The risks a cryptanalytically relevant quantum computer would pose to all existing use of public key crypto have long been known and discussed. But quantum has kinda been another Y2K-like risk, but without a deadline. Good to see a proactive, but reasonably timed, effort being put in place (public comment period to open in 90 days) to lead a new federal crypto standard by 2024. This memorandum also recognizes that US adversaries will focus on stealing quantum technology being developed in the US and mandates extra protections be implemented by all development organizations.
  • Implementing new encryption algorithms will take years or even decades. This is why we need to worry about this now. The threat from quantum computing may never materialize, but it doesn’t hurt to think ahead now.
  • The goal is to move to cryptographic agility, allowing for migration to encryption which is resistant to decryption by a cryptanalytically relevant quantum computer (CRQC) attack. Within one year of the memo, all agencies are expected to report on information systems which have not mitigated risks of CRQCs. The challenge will be availability of products which meet updated NIST cryptographic standards (FIPS 140) which agencies are required to implement, along with maintaining backwards compatibility to support collaboration with others who have not implemented support for these new standards.

Read more in

Dept. of Health and Human Services FISMA Compliance Audit

An Office of Inspector General (OIG) audit of the US Department of Health and Human Services’ (HHS) compliance with the Federal Information Security Modernization Act (FISMA) found the agency’s security program ineffective. “The determination was made based on HHS not meeting the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, and Recover function areas as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.”

Note

  • Most of the deficiencies stemmed from lack of full implementation of continuous monitoring based on tools/platforms from the DHS Continuous Diagnostics and Mitigation (CDM) Program. HHS, like many, has a distributed responsibility model from HQ to operational divisions to contractors. This complicates asset inventory, configuration management and full monitoring/reporting but is the realistic model for most organizations. Takes more support from the top, and often some additional funding, to completely move the operating divisions away from legacy security controls that have already been paid for.
  • As an agency, this is not what you want to hear from your IG. The audit was performed by E&Y on behalf of the HHS OIG. While the report [oig.hhs.gov: Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021 (PDF)] notes improvements since the 2020 evaluation, they are not sufficient to meet the requirements, highlighting the need for stronger supply chain security controls, something we’re all dealing with. Read through the management responses in the report; many areas of concern are things we’re all dealing with: identity management, identification and categorization of systems, configuration management, appropriate visibility into current state and making sure that security remains in place. Note the challenges identified in a federated environment and think about how that applies to your own autonomous or semi-autonomous business units or partners when meeting your cybersecurity and interoperation goals.

Read more in

Operational Continuity-Cyber Incident Checklist for Healthcare Organizations

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has developed an Operational Continuity-Cyber Incident checklist. The checklist “is intended to provide a flexible template for operational staff and executive management of healthcare organizations to respond to and recover from an extended enterprise outage due to a serious cyber-attack. Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity, and capabilities.”

Note

  • If you are in healthcare or related medical services, this is a good checklist to apply against your existing playbooks and processes.
  • While this is intended as a tactical measure in response to collateral damage from current cyberwarfare activities, this is a good checklist beyond the healthcare industry. Note that this checklist [healthsectorcouncil.org: Operational Continuity – Cyber Incident (OCCI)] is a collection of homework assignments, many of which you’ve already completed. Make sure that you’ve got validated copies in known locations which are accessible during an incident. If you’re keeping physical copies in binders, make sure they are maintained on a regular, non-optional basis.
  • This kind of guidance is preferable to that (such as HIPAA) which expects buyers and end users to do “risk assessments” which require knowledge and experience that most do not have. While efficient security must be risk based, the most significant risks are common to most organizations. We know what they are; we should not expect each organization to discover them de novo.

Read more in

Heroku Acknowledges Cyberattack, Resets User Passwords

Cloud platform as a service Heroku has acknowledged that customer account credentials were compromised in a cyberattack a month ago. Heroku began resetting user account passwords earlier this week.

Note

  • Heroku notes that some customers may also receive notifications directly from Salesforce relating to actions required after the breach. The exfiltrated passwords are salted and hashed; even so, a forced rotation is a great idea. In addition to password rotations, integration with GitHub and the Heroku dashboard or automation remains disabled; the status update from April 26th includes instructions for deploying their apps until the integration is restored.

Read more in

VPN Providers Find India’s New Rules Onerous

VPN companies have said they might not comply with a new rule from India’s Computer Emergency Response Team (CERT-In) that requires them to collect customer information and retain it for several years. CERT-In wants the companies to keep the information to help with potential cybercrime investigations. Some VPN companies say they might stop operating within the country.

Note

  • If your business model is based on anonymity, or not providing logs, this new law makes doing business in India a non-starter. As a user, use of a VPN to secure traffic where your network connection is untrusted remains a best practice. Keep an eye on guidance from your provider when planning use in foreign countries to avoid regulatory entanglements.

Read more in

New Framework for Apps and Technology Not Covered by HIPAA

The American College of Physicians, the American Telemedicine Association, and the Organization for the Review of Care and Health Applications have jointly developed a framework to help secure health-related technology and apps that are not subject to the Health Insurance Portability and Accountability Act (HIPAA).

Note

  • The new framework is being piloted, and uses technology which isn’t incorporated into the current HIPAA act. In parallel, a new Health Data Use and Privacy Commission Act is in committee. This new act is intended to update the HIPAA requirements allowing for better alignment with modern technology. The trick is to create a framework which provides guidance that is not technology-specific to support advancement and innovation.

Read more in

NIST Updates Supply Chain Risk Guidance

The US National Institute of Standards and Technology (NIST) has published updated guidelines for software supply chain risk management. The document is the result of two earlier drafts and is part of NIST’s response to Executive Order 14028: Improving the Nation’s Cybersecurity.

Note

  • This will help you get your arms around beefing up your supply chain security efforts. Watch for an upcoming “quick start” guide to help start your processes. While some actions may require resources and funding, progress can be made with tweaks to existing processes and procedures you can implement today.
  • “The primary audience for the revised publication is acquirers and end users of products, software and service.” Caveat Emptor. Buyers and end-users cannot solve this problem. The solution rests with suppliers, with their transparency and accountability. Start with a digital software bill of materials.

Read more in

F5 Big-IP Critical Remote Code Execution Flaw

F5 has released fixes to address a critical vulnerability in the Big-IP iControl REST component; the flaw could be exploited to bypass authentication and potentially take control of vulnerable systems. F5 has released fixes for affected 13.x, 14.x, 15.x, and 16.x versions of Big-IP, but will not be issuing fixes for affected 11.x and 12.x versions.

Note

  • This is an authentication bypass flaw with a 9.8 CVSS score. As your Big-IP is often an Internet-facing device, you’re going to want to verify the plans to remediate or mitigate this vulnerability. The mitigations may be more complex than simply applying the update. Even so, make sure that you’re limiting access to your iControl REST and other management interfaces for your F5 products. If you’re on devices running versions prior to 13.x of BIG-IP, you need to update or replace them (the current version is 17.x). Note that BIG-IQ, F5OS-A/C and Traffix SDC devices are not affected.

Read more in

Cisco patches vulnerabilities in ASA, FTD

Cisco disclosed and patched several vulnerabilities in some of its most notable security systems — Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD) and Firepower Management Center (FMC). Of the 19 vulnerabilities fixed earlier this week, 11 are of high severity. CVE-2022-20746 is the most serious of the group with a severity score of 8.8 out of 10. This is an issue in FTD that exists because the software doesn’t properly handle TCP flows. An attacker could exploit this vulnerability without authentication to cause a denial of service. In its release of the vulnerabilities, Cisco said it was not aware of any active attempts to exploit these vulnerabilities.

Read more in

Chinese APT using new version of PlugX malware

The Chinese state-sponsored actor Bronze President (aka Mustang Panda) recently started deploying a new version of the PlugX malware in several espionage campaigns. Security researchers say the group is actively targeting the Russian military. The group is sending targets a decoy document alleged to relate to the Russian military, though it eventually downloads a malicious DLL that loads an updated version of PlugX, a remote access Trojan (RAT) previously associated with Bronze President. The group is known to have previously targeted Asian countries with its malware, so this campaign is particularly surprising given that China is a military ally of Russia and has yet to strongly condemn the country’s invasion of Ukraine. Once installed, PlugX can remotely monitor and access the targeted machine.

Read more in

Vulnerability: API vulnerability in VeryFitPro app

Security researcher Martin Francois recently disclosed a vulnerability in the VeryFitPro fitness tracking app (versions 3.3.7 and lower).

The vulnerability potentially allows attackers to access the backend API without the original credentials. Francois disclosed the details on GitHub after two unsuccessful attempts to contact the vendor. At the time of writing, the vulnerability had not been addressed, and version 3.3.7 was still the most recent version of the app available on the Google Play store, with over 100k installations.

The vulnerability originates from the decision to store a password hash in a device database: if attackers get access to the database, they can reuse the hash to access the account of a targeted user. This method is known as the Pass-the-Hash attack. Francois describes a relatively simple proof of concept for the exploit, and suggests mitigating this by transmitting the user password in the body of the POST request over HTTPS.
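The design flaw described above, shown as an added example that is not VeryFitPro’s code (the account, hash scheme and endpoint behaviour are assumed): the vulnerable API accepts the hash the app keeps in its local database as the login credential, so a copy of that database is a reusable credential, while the hardened API receives the password in the POST body over HTTPS and verifies it server-side against a salted, slow hash.

```python
"""Pass-the-hash against an API login, as a constructed illustration.

Added example; not VeryFitPro's code, protocol details are assumed.
Vulnerable design: the app stores a password hash in its local database
and sends that hash as the credential, so a copy of the database is a
reusable credential. Hardened design: nothing password-derived stays on
the device, the plaintext password travels in the POST body over HTTPS,
and the server checks it against a salted, slow hash.
"""
import hashlib
import hmac
import os

# Constructed sample account.
USER = "alice"
PASSWORD = "correct horse battery staple"


def _unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# ---- vulnerable design: the hash is the credential ---------------------
vuln_server_db = {USER: _unsalted_sha256(PASSWORD)}


def client_local_db_vulnerable() -> dict:
    """What the app leaves on the device: the same hash the server compares."""
    return {"user": USER, "password_hash": _unsalted_sha256(PASSWORD)}


def vulnerable_login(username: str, transmitted_hash: str) -> bool:
    """Server accepts a client-supplied hash; the password itself is never needed."""
    stored = vuln_server_db.get(username)
    return stored is not None and hmac.compare_digest(stored, transmitted_hash)


# ---- hardened design: verify the password server-side ------------------
hard_server_db = {}  # username -> (salt, pbkdf2 digest)


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    hard_server_db[username] = (salt, _kdf(password, salt))


def client_local_db_hardened() -> dict:
    """Nothing password-derived on the device; a short-lived session token would live here."""
    return {"user": USER}


def hardened_login(username: str, password: str) -> bool:
    """Server receives the plaintext password (POST body over HTTPS) and verifies it."""
    record = hard_server_db.get(username)
    if record is None:
        _kdf(password, b"\x00" * 16)  # equalise timing for unknown users
        return False
    salt, digest = record
    return hmac.compare_digest(_kdf(password, salt), digest)


def replay_stolen_database(stolen: dict) -> dict:
    """Defender check: does a copy of the client database log in by itself?"""
    h = stolen.get("password_hash")
    return {
        "vulnerable_api": h is not None and vulnerable_login(stolen["user"], h),
        "hardened_api": h is not None and hardened_login(stolen["user"], h),
    }


register(USER, PASSWORD)

if __name__ == "__main__":
    print("stolen vulnerable DB:", replay_stolen_database(client_local_db_vulnerable()))
    print("stolen hardened DB:  ", replay_stolen_database(client_local_db_hardened()))
```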

Vulnerability: Exposed Docker APIs targeted by botnets

Crowdstrike provides coverage of ongoing attempts by the LemonDuck crypto mining botnet to target exposed Docker APIs on Linux systems. The attacks are anonymized using proxy tools and evade detection because they do not show in Alibaba Cloud’s monitoring services. According to the article, crypto mining is becoming increasingly prevalent, with the majority of compromised Google Cloud Platform instances being used for mining.

Docker executes with elevated privileges so it can spin up containers and use OS resources. The Docker daemon also has the option to expose the management API through a port, typically 2375. If this port is inadvertently exposed to the internet or unsecured, attackers may exploit it to execute arbitrary workloads on the host through Docker. The attacker can point the API at a custom Docker ENTRYPOINT to execute a malicious core.png file, which is actually a shell script.

This script creates a cron job and downloads the active payload, which then performs the following operations:

  • Kills processes based on names (competitor applications)
  • Kills known daemons, such as sshd, syslog
  • Deletes known Indicators of Compromise file paths to evade detection
  • Kills known network connections (to competitor websites)

The script then evades Alibaba Cloud’s protection services, and finally downloads the crypto mining payload which then begins mining. Finally, a proxy disguises the recipient crypto wallet to avoid identification.

The key takeaway is to be very careful if exposing the Docker API port, particularly if connected to a public network.
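A defender-side check for the exposure described above, as an added example (not code from the CrowdStrike write-up): it audits the listener and TLS keys dockerd accepts in /etc/docker/daemon.json and flags a TCP management port that serves the API without client-certificate authentication. The two configurations and the helper names are constructed for the example.

```python
"""Audit a dockerd daemon.json for an unauthenticated TCP management API.

Added example, not from the CrowdStrike report. It reads the keys dockerd
accepts in /etc/docker/daemon.json ("hosts", "tlsverify", "tlscacert",
"tlscert", "tlskey") and reports listeners that would hand container
creation, and with it the host, to anyone who can reach the port.
The two sample configurations below are constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed: the exposure described above (plain TCP on 2375, all interfaces).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: client-certificate authentication on 2376.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")
SEVERITY_ORDER = {"critical": 3, "warning": 2, "info": 1}


def audit_daemon_config(raw_json: str) -> list:
    """Return (severity, listener, message) tuples; empty means only local sockets."""
    cfg = json.loads(raw_json)
    # dockerd listens on the unix socket only when "hosts" is absent.
    hosts = cfg.get("hosts") or ["unix:///var/run/docker.sock"]
    tls_verify = bool(cfg.get("tlsverify"))
    tls_complete = all(cfg.get(k) for k in TLS_KEYS)
    findings = []
    for listener in hosts:
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are local-only
        try:
            host = url.hostname or "0.0.0.0"  # "tcp://:2375" means all interfaces
            port = url.port or (2376 if tls_verify else 2375)  # dockerd defaults
        except ValueError:
            findings.append(("warning", listener, "unparseable port"))
            continue
        if not tls_verify:
            findings.append(("critical", listener,
                             f"port {port} on {host} serves the Docker API with no authentication"))
        elif not tls_complete:
            findings.append(("warning", listener,
                             "tlsverify is set but tlscacert/tlscert/tlskey are incomplete"))
        elif host not in LOOPBACK:
            findings.append(("info", listener,
                             f"client-cert auth on {host}:{port}; restrict reachability with a firewall"))
    return findings


def worst_severity(raw_json: str) -> str:
    """Highest severity in the audit, or "ok" when nothing was flagged."""
    findings = audit_daemon_config(raw_json)
    if not findings:
        return "ok"
    return max((f[0] for f in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, worst_severity(cfg))
        for sev, listener, msg in audit_daemon_config(cfg):
            print(f"  [{sev}] {listener}: {msg}")
```

The same listeners can also be passed to dockerd with -H on the command line; if your hosts use systemd drop-ins rather than daemon.json, audit those unit files with the same rules.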

Tools: TruffleHog v3 detects stored API credentials

Leaked API credentials (keys, passwords, and tokens) are one of the most prevalent challenges in securing API deployments. One of the stalwart tools of the trade for detecting leaked credentials is TruffleHog. This week, PortSwigger has featured details of the newly released TruffleHog version 3, with improved capabilities for API key detection.

TruffleHog can detect credentials leaked through JavaScript or overly permissive CORS settings in APIs. Importantly, TruffleHog can also scan GitHub repositories to discover exposed credentials. The new version supports up to 639 new key types, including AWS, Azure, Confluent, Facebook, and GitHub.

A key new feature in this release is verifying if a suspected leaked credential is still valid by testing access against the affected backend service. This powerful feature should be a great boon to security teams for reducing the false positives from expired or invalidated credentials.

TruffleHog comes highly recommended in my experience, and anyone wishing to actively monitor credential leaks should check it out.

Article: Scaling APIs in real-world backend platforms

Gary Archer at Curity discusses the security challenges of scaling APIs in real-world backend platforms. Although there are numerous well-written articles about handling and validating JSON Web Tokens (JWTs), they often lack depth on how to scale the use of JWTs to large systems with multiple APIs and clients.

This article is an excellent discussion of the challenges of handling JWTs in complex topologies, and it makes a number of recommendations, such as:

  • Use reverse proxies to return opaque tokens rather than raw JWTs.
  • Use standard security libraries for JWT validation, and include security parameters in the claims section rather than in headers or URL paths.
  • For multiple APIs, use a so-called entrypoint API to federate access to internal APIs based on the calling client.
  • Extend JWTs to allow the initial authorizing server to add additional claims to them to be consumed downstream.
  • Use a separate short-lived token in callbacks to avoid the challenge that asynchronous methods pose for maintaining the state and identity of the original requester.
  • Be aware of the additional challenges regarding authorization and identity posed by partner APIs.
  • Design clients to be reliable and resilient to mitigate complexities of microservices with multiple components that present more points of failure.

Great food for thought in this article; thanks to the author for the contribution.

India’s CERT Requires Fast Reporting of Cyber Incidents

New guidelines from India’s Computer Emergency Response Team (CERT-In) require companies, data centers, service providers, and government agencies to report cyber incidents within six hours of detection. The covered organizations will also be required to maintain ICT system logs for a rolling period of 180 days and be prepared to submit them to CERT-In if requested. The new requirements take effect in late June.

Note

  • There are a lot of flaws in this one. Simple example: “targeted” scanning/probing of networks is included in the incidents that need to be reported, which means a flood of incident reports of low value. Reporting in six hours is obviously a tough requirement, but the CERT-In reporting form has a lot of free-form text and FAX is OK for submission! So, reams of data flowing in but analysis can’t keep up – no increase in security. Large libraries of unread books do not make us smarter.
  • This regulation appears to be overly ambitious, and the author lacks the basic competence required to draft such a regulation. The broad definition of reportable incidents and the short reporting deadline will lead to a flood of meaningless reports. Requiring long log retention times without specifying what to log will incentivize organizations to enable less verbose logs. You will end up with more but less meaningful logs.
  • The timeline is short, 60 days. Twenty incident types are listed with a six-hour reporting window along with requirements to use their specified NTP service. While having a consistent time source is critical for correlation and aggregation, and you should make sure you’re using a reliable NTP source, simply requiring use of a known authoritative service would be preferable to limiting the country to a single choice. The big tasks will be getting clarification of all the reporting requirements as well as establishing the communication channels and relationships needed. The reporting window is unusually small; GDPR uses 72 hours and the US is asking for 24 hours. Irrespective of the window size, make sure you know what needs reporting and how.
  • It seems like a very grand plan, with very few specific details set to be rolled out within the next 60 days. I don’t think this is realistic and to say it’s ambitious is an understatement. Specifically, just attempting to retain 180 days’ worth of logs will be difficult with all the supply chain shortages. Considering that a single firewall in a decent-sized enterprise will create several gigabytes of daily logs, I can’t imagine how many potential terabytes of records will be required to be retained from here on out in one of the most densely populated countries in the world. The other issue is what would constitute both an incident and detection. If companies decide to report to comply, CERT-In could potentially be seeing a large percentage of reported detections of false-positive or low priority events. How would the CERT-In triage a large influx of reports? Instead of systematically bringing up the regulations, CERT-In wants to collect as much data as possible and sort it out later. We know that this doesn’t typically end well. Maybe it would be ideal to buy storage now, ahead of the rush?

Microsoft Patches Flaws in Azure PostgreSQL Database

Microsoft has fixed two vulnerabilities in the Azure Database for PostgreSQL Flexible Server. The flaws could be exploited to obtain elevated privileges and access other customers’ databases. Wiz researchers reported the issues to Microsoft in January. Microsoft has addressed the issues; no action is needed by customers.

Note

  • Privilege escalation flaws are very difficult to prevent and dangerous for on-premises systems. But for cloud providers, a simple privilege escalation flaw is deadly as it destroys the illusion of cross-tenant isolation of data.
  • Microsoft patched the databases on February 25th, so you’re covered. They recommend setting up private network access to flexible servers to minimize further exposure. Fundamentally make sure that you’re not needlessly exposing access to services, leverage security services and options to also monitor access to ensure protections are what you think they are. Read the Wiz research blog (www.wiz.io: Wiz Research discovers “ExtraReplica”— a cross-account database vulnerability in Azure PostgreSQL) for more details on the ExtraReplica flaw.
  • While, on the surface, this seems to be tragic, I guess the real question is how prevalent the PostgreSQL Flexible Server deployment is going to be. Having a system with a disclosed vulnerability in your cloud service provider is a double-edged sword. While there was a privilege escalation flaw in PostgreSQL, because this is a cloud provider, each PostgreSQL instance can be patched and remediated without the user necessarily worrying about it. With on-premises software, we often see that servers go unpatched. The question is a tricky one to weigh in on: cloud-hosted and shared infrastructure vs. on-premises and private. Which one is safer, less risky, or more secure? Is it better or worse when it is cloud-hosted? Only time will tell.

Breach Reporting Rules for US Banks Now in Effect

As of May 1, US banks are required to notify regulators of computer security incidents within 36 hours of detection. “A collective of U.S. regulators, including the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency” passed the rule in November 2021.

Note

  • The FDIC currently requires incident reporting within 72 hours of detection, so this is a significant move forward. But the FDIC, along with the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency, took input from industry and narrowed the definition of what constitutes a “notification incident” to those that actually caused some harm – probing/scanning would not qualify. A 36-hour response will be tough for many, but the financial sector certainly needs the toughest requirements.
  • Essentially, if you’re a federally insured or regulated financial institution, this applies. Make sure that you review your agency-specific guidance for reporting and note the examples of incidents that were released to clarify the initially overly vague ‘Computer-Security Incident’ in the initial legislation. Expect your examiners to verify that you have both the notification process and the definition of what you need to report. As other organizations, CISA, DHS, etc. are looking for incident reporting, it’d be a good idea to make sure you know what that would mean if you’re required to comply, to include what information you would rather not share and establishing the relationship required for reporting or assistance.

Google Expands Types of Data Users Can Have Removed from Search Results

Google now allows people to remove more personally identifiable information (PII) from search results. Google has previously allowed people to request that their financial information be removed from search results; now they can have their contact information removed as well.

Note

  • This has been a right, known as the “right to erasure” or more commonly referred to as the “right to be forgotten,” to those based in the EU and covered by the EU General Data Protection Regulation (GDPR). A key point to note is that while the personal data is removed from the search results, the data is still available on the sites hosting that data. Under GDPR, individuals also need to exercise their right to erasure with the sites hosting their personal data.
  • With more privacy legislation including the “right to be forgotten,” knowing how to exercise that right is important and varies by service. Be sure you understand the process and limitations available. Google outlines the process and limits of what they will do on their Remove select PII or doxing content from Google Search help page: support.google.com: Remove select personally identifiable info (PII) or doxxing content from Google Search

Netatalk Vulnerabilities Affect Synology and QNAP NAS Devices

Critical vulnerabilities in the Netatalk open source version of Apple Filing Protocol fileserver affect certain QNAP and Synology network attached storage (NAS) devices. The flaws could be exploited to access sensitive data and potentially execute arbitrary code.

Note

  • Not a terribly big deal. Disable Netatalk (it is no longer needed) and apply patches as they become available. This affects many Linux-based network storage systems. Synology and QNAP are just the two among them responsible enough to release an advisory.
  • Patch your NAS, make sure it’s not exposed to the Internet. Remove unneeded apps and user accounts, watch for unexpected additions. Ideally don’t allow SMB or AFP through your boundary, require a VPN for the access. If you must allow the direct connection, only allow it from trusted devices.

Espionage Threat Actor Targets Corporate Emails

Researchers from Mandiant have identified a new espionage threat actor they have dubbed UNC3524. The group “targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions.” The threat actors have been observed maintaining dwell time of up to 18 months.

Note

  • Interesting attack group leverages typically unmonitored systems for their ingress and egress point. Smart move. Most companies do not realize how vulnerable and easy it is to leverage these systems for C2. There are three things to look for in the article. The command channel for the attacker group, how they leverage EWS On-Premises, and then they mention the Mandiant M365 Hardening Guides. My advice for those considering keeping on-premises servers. Don’t.

US Legislators Introduce Satellite Cybersecurity Companion Bill

Companion legislation introduced in the US House of Representatives would direct agencies to help improve network cybersecurity for the commercial satellite sector. The Satellite Cybersecurity Act would “require a report on Federal support to the cybersecurity of commercial satellite systems [and] establish a commercial satellite system cybersecurity clearinghouse in the Cybersecurity and Infrastructure Security Agency.”

Note

  • Having standards should help suppliers design for an appropriate level of security. Making them voluntary may be a double-edged sword if the goal is to raise the bar consistently across the board. The trick will be adding security to existing satellites, often not sized or otherwise equipped to add that workload. One hopes that industry input can be gathered during an RFC comment period for the new standards to make them both relevant and achievable.

April Updates

April 2022 saw a slew of security updates, including fixes for iOS, iPadOS and macOS; patches for Android; several updates for Chrome; Oracle’s quarterly Critical Patch Update; Microsoft’s Patch Tuesday; a fix for Mozilla Firefox and Thunderbird; and an update to address a critical vulnerability in the WordPress Elementor plug-in.

Note

  • While we’ve been focused on OS and browser updates, make sure we don’t overlook the other update actions needed. While many users can be trusted to keep mobile devices and apps they care about updated, verify they are indeed keeping to a defined timeline and not just kicking the can down the road. If you don’t have published timelines, and enforcement for keeping systems updated, get that done post-haste. Also, make sure you aren’t missing less publicized updates such as the Android April update and Apple’s updates beyond iOS, iPadOS and macOS.

Russia began setting the stage for cyberattacks against Ukraine a year ago

A Microsoft report out this week found that Russia started to lay the groundwork for launching cyberattacks against Ukraine as early as March 2021 when Russian hackers gained a foothold into Ukrainian government and critical infrastructure networks. Microsoft’s report notes at least six separate Russia-aligned state hacking actors have launched more than 237 operations against Ukraine. The most notable are the destructive attacks launched by a GRU unit which researchers dub “Sandworm,” which was blamed for the Ukraine power grid attacks in 2016 and 2017, and several other recent destructive attacks, including the Viasat attack that knocked out the satellite network over much of Eastern Europe. The U.S. Department of State put a $10 million bounty on six of the Sandworm hackers this week, shortly after CISA sounded the alarm over fears that the U.S. should itself brace for a Russian cyberattack.

Tech giants duped into giving up data used to sexually extort minors

Absolutely brilliant reporting by @williamturton, who uncovered that tech giants including Google and Apple processed fake emergency user data requests sent by hackers, often by breaking into the email system of a law enforcement agency. From there, the hackers file user requests for minors, which the tech giants turned over without verifying the requests. (These emergency requests are often filed amid threats to life or safety.) According to the report, the information given by tech giants was used to extort and harass minors. The tech giants have said little so far. Apple — which constantly harps on about how much it claims to care about your privacy — didn’t even bother to comment. It’s thanks to companies like… *checks notes*… Toontown, which helped to bring the issue to light. @nixonnixoff said that most of the companies that were duped “treated this as a shameful matter to be kept top secret.” I think a lot of us will be thinking this…

How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities

Who needs a massive botnet when all you need, apparently, is a shovel? French intelligence is investigating an apparent act of sabotage that extensively disrupted internet services across France after a large number of fiber cables were cut. Now U.S. authorities are said to be on guard, knowing that fiber cables — which keep the backbone of the internet going — aren’t well protected, and often their locations are widely known.

FBI conducted millions of searches of Americans’ data last year

According to the U.S. intelligence community’s transparency report, pushed out every year by the ODNI since the Snowden leaks, the U.S. government conducted as many as 3.4 million searches of U.S. data previously collected by the NSA. That’s without needing a warrant, since the data is collected and accessed under Section 702 of FISA, the law that allows the U.S. to spy on Americans, which is due to expire next year. The actual number of direct searches investigating Americans is probably far lower. More than half of the searches — close to 2 million — were related to a national security investigation involving attempts by alleged Russian hackers to break into U.S. critical infrastructure networks, for which the searches included efforts to identify and protect victims — including U.S. citizens. The WSJ does a good job of breaking down the figures and what they mean — and, @emptywheel, as always, has you covered.

Twitter’s legal team is an aggressive defender of free speech, will that continue?

After the news finally dropped that Elon Musk would buy Twitter — a deal that still has to pass shareholder and regulatory approval(!) — @mmasnick dug into how Twitter’s legal department has been an “aggressive defender” of free speech, in large part by pushing back on subpoenas, often filed by “thin-skinned rich and powerful users,” and what Musk’s Twitter buy might mean for content moderation, privacy and free speech.

European wind-energy sector hit in wave of hacks

Three Germany-based wind energy companies have been targeted by cyberattacks since Russia’s invasion of Ukraine, at a time when Germany is moving away from its reliance on Russian oil and gas after Western sanctions try to cut off Russia from the rest of the economic world. The problem is that Germany is highly dependent on Russian oil and gas, and switching away to less Russia-dependent fuels is likely a multi-year process. Not a huge surprise then that cyberattacks targeting renewable, non-fossil fuels have swept the country, in some cases with ransomware, aimed at disrupting energy supplies. “A simpler strike on local internet-connected services could interfere with the remote monitoring systems of wind farms,” according to one security expert. You know, just how Viasat was hacked, causing roughly 5,800 wind turbines that relied on the satellite network to lose connection.

DJI insisted drone-tracking AeroScope signals were encrypted — now it admits they aren’t

In March, Ukraine’s vice prime minister accused drone maker DJI of helping Russia kill Ukrainians by allowing Russia to freely use its drone detection system called AeroScope. DJI claimed that AeroScope signals are encrypted. Turns out, they’re not. That means governments (and others) don’t need AeroScope to see the exact position of every DJI drone. It wasn’t until hacker @d0tslash proved that the signals aren’t encrypted that DJI finally admitted that its remarks weren’t truthful.

Mexico top court strikes down phone and biometrics registry

Reuters reports that Mexico’s Supreme Court ruled that the government’s plans to create a national phone user registry tied to biometric data is unconstitutional. The phone carriers didn’t want it as it would’ve been costly to implement, but the government said it would’ve fought crime — where Mexico has some of the highest incidences of abductions in the world. The court said the registry would’ve violated human rights. Mexico has some 120 million cell lines, most of which are pre-paid.

Microsoft finds critical Linux flaw

A duo of privilege escalation bugs in Linux, dubbed Nimbuspwn, can be exploited to quickly gain root/system level permissions to an affected device. Ars Technica goes deep on the technical details, including how to gain persistent root access for a future backdoor.

Great news that security.txt is finally an RFC

According to @EdOverflow, who was one of the main proponents of security.txt. For those who don’t know, security.txt is a publicly accessible text file that admins can put in the root of their website directory to help researchers and hackers easily find urgent security contact information. It’s a great idea that’s aimed at speeding up the process of finding and alerting companies to security flaws. Some of the biggest companies use it — Yahoo and Google to name a couple. You can see how Google’s security.txt, for example, looks here. Excellent news and extremely well deserved.
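
If you are publishing a security.txt, it helps to check it against what the RFC actually requires before a researcher trips over it. The checker below is an added example, not code from the newsletter or from the security.txt project; it assumes the RFC 9116 field set (Contact and Expires mandatory, Expires in RFC 3339/ISO 8601 form) and uses a constructed sample file for a fictional example.org.

```python
"""Minimal RFC 9116 (security.txt) checker: parse the file and report what a
researcher would need fixed before they could rely on it."""
import re
from datetime import datetime, timezone

# Field names defined by RFC 9116; Contact and Expires are the mandatory ones.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}

def parse_security_txt(text):
    """Map lower-cased field name -> list of values. Blank and '#' comment
    lines are skipped; lines without 'Name: value' shape go under '_malformed'."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("_malformed", []).append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:  # RFC 9116 wants URIs, and https rather than http
        if not re.match(r"^(mailto:|https://|tel:)", c):
            problems.append(f"Contact is not a mailto:/https:///tel: URI: {c}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:  # treat a naive timestamp as UTC
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
    problems += [f"malformed line: {m!r}" for m in f.get("_malformed", [])]
    problems += [f"unknown field: {n}" for n in f
                 if n not in KNOWN_FIELDS and not n.startswith("_")]
    return problems

# Constructed sample for a fictional example.org (not any real site's file).
SAMPLE = """# security.txt for example.org (constructed)
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: en, de
Policy: https://example.org/disclosure
"""

if __name__ == "__main__":
    print(check_security_txt(SAMPLE) or "security.txt looks usable")
```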
