Robert Grupe's AppSecNewsBits 2024-05-11

Epic Fails: F5, VPNs, Europol, Dell, Microsoft, Ascension Health, US Patent Office, AT&T, ...

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Critical vulnerabilities in BIG-IP appliances leave big networks open to intrusion

F5, which sells the product, says its gear is used in 48 of the top 50 corporations as tracked by Fortune. F5 describes the Next Central Manager as a “single, centralized point of control” for managing entire fleets of BIG-IP appliances. Researchers from security firm Eclypsium reported finding what they said were five vulnerabilities in the latest version of BIG-IP. F5 has confirmed two of the vulnerabilities and released security updates that patch them. Eclypsium said three remaining vulnerabilities have gone unacknowledged, and it’s unclear if their fixes are included in the latest release.

CVE-2024-21793 is an OData injection flaw, a class of vulnerability that allows attackers to inject malicious data into OData queries. The other vulnerability, CVE-2024-26026, is an SQL injection flaw that can execute malicious SQL statements.

Eclypsium said it reported three additional vulnerabilities.

One is an undocumented programming interface that allows for server-side request forgeries, a class of attack that gains access to sensitive internal resources that are supposed to be off-limits to outsiders.

Another is the ability for unauthenticated administrators to reset their password even without knowing what it is. Attackers who gained control of an administrative account could exploit this last flaw to lock out all legitimate access to a vulnerable device.

The third is a configuration in the bcrypt password hashing algorithm that makes it possible to perform brute-force attacks against millions of passwords per second. The Open Web Application Security Project says that the bcrypt “work factor”—meaning the amount of resources required to convert plaintext into cryptographic hashes—should be set to a level no lower than 10. When Eclypsium performed its analysis, the Central Manager set it at six.
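The bcrypt work factor is visible in every stored hash, so a password store can be audited for the weak setting described above without touching any passwords. The following is an added example (not F5's or Eclypsium's code) that parses the modular-crypt prefix of each hash and flags accounts hashed below the OWASP minimum of 10; the sample store is constructed, with placeholder salt and digest strings of the right alphabet and length:

```python
"""Audit stored bcrypt hashes for a work factor below policy.

Added example, not code from F5, Eclypsium or OWASP. A bcrypt hash is laid out
as $<variant>$<2-digit cost>$<22-char salt><31-char digest>, so the cost can be
read straight from the stored string. Sample hashes below are constructed.
"""
import re
from typing import Dict, List, Tuple

OWASP_MIN_COST = 10   # minimum work factor the article attributes to OWASP

BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str: str) -> Tuple[str, int]:
    """Return (variant, cost) for a bcrypt hash; raise ValueError if malformed."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:          # range the bcrypt algorithm permits
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return variant, cost


def relative_slowdown(cost: int, baseline: int) -> int:
    """bcrypt runs 2**cost key-expansion rounds, so cost 10 makes each guess
    2**(10-6) = 16 times more expensive than cost 6."""
    return 2 ** (cost - baseline)


def audit(store: Dict[str, str], min_cost: int = OWASP_MIN_COST) -> List[Tuple[str, int]]:
    """Return (account, cost) for every hash below the policy minimum, sorted."""
    weak = []
    for account, hash_str in store.items():
        _, cost = parse_bcrypt(hash_str)
        if cost < min_cost:
            weak.append((account, cost))
    return sorted(weak)


# Constructed sample store: the salt/digest parts are placeholder strings of
# the correct alphabet and length, not hashes of any real password.
SAMPLE_STORE = {
    "admin":  "$2b$06$Kp3xQ9vM2nLb7ZcT4wRa1eHs8dFg2kLm4nPq6rTv9wXy1zAb3cDe5",
    "deploy": "$2b$12$aB1cD2eF3gH4iJ5kL6mN7opQ8rS9tU0vW1xY2zA3bC4dE5fG6hI7j",
    "backup": "$2a$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
}

if __name__ == "__main__":
    for account, cost in audit(SAMPLE_STORE):
        print("%s: cost %d is %dx cheaper to brute-force than cost %d"
              % (account, cost, relative_slowdown(OWASP_MIN_COST, cost), OWASP_MIN_COST))
```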

 

Have I Been Pwned has added the information for 26,818,266 people whose data was leaked in a recent hack of The Post Millennial conservative news website. Earlier this month, both news platforms were hacked, with their sites' front pages defaced with fake messages claiming to be written by The Post Millennial's editor.

As part of the attacks, the threat actors claim to have stolen the company's mailing lists, subscriber database, and details of the company's writers and editors, sharing links to the stolen data on the defaced pages. The data quickly spread online, being shared in torrents and hacking forums, allowing threat actors and others to download the data easily.

 

The healthcare industry is a prime target for online attackers and has been for years. The combination of the sector's often aging systems and the necessity for 24/7 uptime means ransomware miscreants in particular favor healthcare targets due to the perceived increased likelihood of victims paying for a quick restoration.

It's still early days in the investigation, and as such there are very few details that have been officially confirmed. However, a source with close ties to Ascension told The Register there are signs that ransomware may be involved. The source claimed all virtual desktop infrastructure (VDI) and virtual private network (VPN) connections are down across the US and that the "disruption to clinical operations" mentioned in Ascension's statement has left at least some partners resorting to pen and paper operations.

The incident is the latest in a long line of attacks by cybercrims on major healthcare organizations. UnitedHealth's Change Healthcare represents perhaps the most high-profile healthcare incident of the year so far; its nightmare ransomware attack has to date cost it close to $1 billion.

The US infosec agency also cited attacks on healthcare and other critical orgs in recent calls to stamp out directory traversal vulnerabilities, which have pervaded software for decades despite methods to eliminate them being known since the nineties.

 

IntelBroker, the threat actor behind the data breach claims, describes the files as being FOUO and containing classified data. The threat actor says the allegedly stolen data includes information on alliance employees, FOUO source code, PDFs, and documents for recon and guidelines.

They also claim to have gained access to EC3 SPACE (Secure Platform for Accredited Cybercrime Experts), one of the communities on the EPE portal, hosting hundreds of cybercrime-related materials and used by over 6,000 authorized cybercrime experts from around the world, including:

  • Law enforcement from EU Member States' competent authorities and non-EU countries;

  • Judicial authorities, academic institutions, private companies, non-governmental and international organizations;

  • Europol staff.

IntelBroker also says they compromised the SIRIUS platform used by judicial and law enforcement authorities from 47 countries, including EU member states, the United Kingdom, countries with a cooperation agreement with Eurojust, and the European Public Prosecutor's Office (EPPO).

"Europol is aware of the incident and is assessing the situation. Initial actions have already been taken. The incident concerns a Europol Platform for Expert (EPE) closed user group. No operational information is processed on this EPE application. No core systems of Europol are affected and therefore, no operational data from Europol has been compromised."

 

In total, 1,274,086 documents were exposed to the internet via a misconfigured database for an unknown length of time. Among the exposed data, which dates back to 2017, was a folder containing 99,151 snapshots of guards checking in for their shifts, either by using a picture of themselves, their ID cards, or both. The pictures taken of the ID cards displayed basic information such as their name, headshot, and the card's expiry date. In rare cases, it showed their signature too.

 

The State lottery concluded its investigation into the incident on April 5 and as a result, some 538,959 individuals had their names and social security numbers exposed. DragonForce, if you can believe anything that the Hasbro toy-sounding gang says, now claims the 1.5 million records, or 94 GB worth of data, it allegedly stole is available to download in a CSV format via its leak blog. It also reckons that dates of birth are included in the file – a data type not mentioned in Ohio Lottery's filing.

 

University System of Georgia (USG), which oversees 26 higher education institutions in the US state, filed a disclosure with the attorney general of Maine on Tuesday – the first time it has publicly explained the incident it detected on May 31, 2023.

USG explained that the breach was actually one of many from last year linked to the Cl0p gang's exploitation of a since-patched flaw in Progress Software's MOVEit MFT tool.

The data accessed by the cybercriminals may include full social security numbers (SSNs), the last four digits of SSNs, dates of birth, bank account numbers, and federal income tax documents with tax ID numbers.

US state law doesn't set a deadline for reporting security breaches in the same way as the GDPR does, for example, so for those wondering what action USG will face for disclosing so late, the answer is probably none.

Most states simply use the wording "without unreasonable delay," or something equally unspecific, when describing the ideal window for disclosing security incidents, which is why these kinds of waits are allowed to happen.

 

The agency took blame for the incident, saying the addresses were “inadvertently exposed as we transitioned to a new IT system.”

If this sounds remarkably familiar, USPTO had a similar exposure of applicants’ address data last June. At the time, USPTO said it inadvertently exposed about 61,000 applicants’ private addresses in a years-long data spill in part through the release of its bulk datasets, and told affected individuals that the issue was fixed.

 

Notification follows claim of compromised database with 49M Dell customers' data.

Dell, which is declining to elaborate, appears to be confirming an April 29 post by Daily Dark Web reporting the offer to sell purported personal information of 49 million people who bought Dell gear from 2017 to 2024. People who receive unsolicited calls claiming to come from Dell should hang up and either ignore them or call the Dell support line directly.

 

The CSRB also blasted Microsoft for leaving a September blog post that 'explained' how the attackers gained access to Exchange – which it never proved to be true – up for months all while knowing it was just one of the 46 hypotheses it investigated that yielded no concrete conclusions.

The House Committee on Homeland Security's letter to Smith also referred to a January attack, this time at the hands of Russia's Midnight Blizzard crew, otherwise known as Cozy Bear and APT29 – the same lot behind a string of major worldwide systems attacks exploiting a flaw in widely used network management software made by SolarWinds.

Midnight Blizzard broke into email accounts, but this time it was those belonging to Microsoft's execs rather than US officials. The attackers stole messages and files from the company leadership team, and the cybersecurity and legal divisions. Two months later Microsoft admitted source code was also stolen and the Russians gained access to internal systems.

"It is imperative that Microsoft, which accounts for nearly 85 percent of the market share in the US government's productivity software, be held to the same level of accountability as the rest of the US government's trusted vendors."

 

Starting on Monday, AT&T customers began reporting they could no longer receive email from Microsoft 365 email addresses. When Microsoft 365 customers attempted to email an address at @att[.]com, @sbcglobal[.]net, or @bellsouth[.]com, AT&T servers would refuse the connection and not accept the email for delivery.

Since then, AT&T customers have created numerous topics with hundreds of replies in the company's forums about the issue [1, 2, 3, 4], with some claiming it also affects Gmail. "Same problem. Can't send from multiple 365 accounts or gmail... only to att[.]net domain... Hey ATT... I cant even email your SALES guys... get this working...," reported someone trying to send an email to an AT&T address.

 

TunnelVision vulnerability has existed since 2002 and may already be known to attackers.

 

Many VPN providers are currently making promises to their customers that their technology can’t keep. The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.

In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.

DHCP option 121 allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.

This technique can also be used against an already established VPN connection once the VPN user's host needs to renew a lease from the rogue DHCP server.
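The decisive detail in the description above is that option 121 routes are installed by the host's own routing logic, where the longest matching prefix wins. The following is an added example, not code from the TunnelVision researchers or any VPN product: it decodes the RFC 3442 encoding of option 121 and reports which pushed routes would be preferred over a VPN client's routes. The option bytes and the VPN route table are constructed for illustration.

```python
"""Decode DHCP option 121 (classless static routes, RFC 3442) and flag the
routes that would win over a VPN client's routes.

Added example; not code from the TunnelVision researchers or any VPN vendor.
Option 121 packs each route as <prefix length><significant destination
octets><4-byte router>. Once installed, the host selects the longest matching
prefix, so a pushed route at least as specific as the tunnel's route captures
that traffic. The payload and the VPN route table below are constructed.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network
Route = Tuple[IPv4Net, ipaddress.IPv4Address]


def decode_option_121(payload: bytes) -> List[Route]:
    """Parse the option payload into (destination network, router) pairs."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError("invalid prefix length %d" % prefix_len)
        n_octets = (prefix_len + 7) // 8          # only significant octets are sent
        if i + n_octets + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + n_octets] + b"\x00" * (4 - n_octets)
        i += n_octets
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = IPv4Net((int.from_bytes(dest, "big"), prefix_len), strict=False)
        routes.append((net, router))
    return routes


def routes_bypassing_vpn(pushed: List[Route], vpn_routes: List[IPv4Net]) -> List[Route]:
    """Return pushed routes at least as specific as an overlapping VPN route.

    Longest-prefix match means such a route is preferred over the tunnel
    interface for the overlapping destinations. An equal prefix length is
    flagged too, because the tie is then decided only by route metrics.
    """
    leaks = []
    for net, router in pushed:
        if any(net.overlaps(v) and net.prefixlen >= v.prefixlen for v in vpn_routes):
            leaks.append((net, router))
    return leaks


# Constructed option 121 payload carrying three routes:
#   0.0.0.0/0       via 192.168.1.1    (ordinary default route)
#   203.0.113.0/24  via 192.168.1.254  (more specific than the tunnel routes)
#   10.20.0.0/16    via 192.168.1.254
SAMPLE_OPTION_121 = (
    bytes([0, 192, 168, 1, 1])
    + bytes([24, 203, 0, 113, 192, 168, 1, 254])
    + bytes([16, 10, 20, 192, 168, 1, 254])
)

# Typical VPN client routes: two /1 routes that beat the default route
# without deleting it. Constructed for the example.
SAMPLE_VPN_ROUTES = [IPv4Net("0.0.0.0/1"), IPv4Net("128.0.0.0/1")]


def leaked_destinations(payload: bytes = SAMPLE_OPTION_121,
                        vpn_routes: List[IPv4Net] = SAMPLE_VPN_ROUTES) -> List[str]:
    """Destinations whose traffic would leave the tunnel, as strings."""
    pushed = decode_option_121(payload)
    return [str(net) for net, _ in routes_bypassing_vpn(pushed, vpn_routes)]


if __name__ == "__main__":
    for net, router in decode_option_121(SAMPLE_OPTION_121):
        print("pushed route %s via %s" % (net, router))
    print("would bypass the tunnel:", leaked_destinations())
```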

 

HACKING

We saw situations where threat actors essentially SIM swap the phones of children of executives, and start making phone calls to executives, from the phone numbers of their children.

It changes the calculation involved in deciding whether to pay the extortion demand. "It's less about 'do I need to protect my customers?' But more about 'how do I better protect my employees and protect the families of employees?' That's a pretty scary shift."

If it's an OFAC or sanctioned country that you're paying a ransom to, that's a violation. But if you don't pay, and there's a business disruption or personal, private information [is leaked]. It's the worst day of their career having to deal with something like that.

 

Investigators tracked the Wi-Fi signal from a stolen vehicle to bust two men suspected of breaking into ATMs in recent weeks.

 

GhostStripe is undetectable to the human eye, but could be deadly to Tesla and Baidu Apollo drivers as it exploits the sensors employed by both brands – specifically CMOS camera sensors.

It basically involves using LEDs to shine patterns of light on road signs so that the cars' self-driving software fails to understand the signs; it's a classic adversarial attack on machine-learning software.

Crucially, it abuses the rolling digital shutter of typical CMOS camera sensors. The LEDs rapidly flash different colors onto the sign as the active capture line moves down the sensor. For example, the shade of red on a stop sign could look different on each scan line to the car due to the artificial illumination. The result is a camera capturing an image full of lines that don't quite match each other as expected. The picture is cropped and sent to a classifier within the car's self-driving software, which is usually based on deep neural networks, for interpretation. Because the snap is full of lines that don't quite seem right, the classifier doesn't recognize the image as a traffic sign and therefore the vehicle doesn't act on it.

GhostStripe1, which does not require access to the vehicle, employs a tracking system to monitor the target vehicle's real-time location and dynamically adjusts the LED flickering accordingly to ensure a sign isn't read properly.

GhostStripe2 is targeted and does require access to the vehicle, which could perhaps be covertly done by a miscreant while the vehicle is undergoing maintenance. It involves placing a transducer on the power wire of the camera to detect framing moments and refine timing control to pull off a perfect or near-perfect attack.

GhostStripe1 presented a 94 percent success rate and GhostStripe2 a 97 percent success rate.

 

What we've seen over the last year is that the traditional attack is always pre-authentication. They're going after your password. They're coming after you directly. What we're seeing now is a shift away from that and actually more into post-authentication. So the idea that they’re not going to try and target your login page anymore or your passwords or your credentials.

They’re actually just gonna go straight to your browser and steal that little session token cookie that's in your browser. And they’re just gonna copy it and paste it into their own browser and access all your applications. This is a post-authentication attack.

We have always focused on the Okta service as where we need to protect the most. That's not the right threat model. We need to protect the same threat model we put on production and apply it to everything. I think that Microsoft and us are two examples of companies that are really focused on security because the threat landscape around us both, while it's always been bad, over the last 12 months it's gotten worse. The next six months I think are critical for both our companies to protect the world, because we're going through some really tough times. So it's going to be a fascinating era.

 

He argued that while certain sectors such as government and healthcare are certainly attractive to extortionists, these criminals will go for the lowest-hanging fruit, meaning poorly secured IT environments are just as tempting. And it's increasingly hard for victims not to pay up when they see their stolen corporate data leaking online.

 

You get the added specter of sometimes the nation state intelligence services are wrapping themselves in the cloak of anonymity of the hacktivists to go out and give it a nudge even further. Many critical infrastructure sectors – including water and wastewater, healthcare and public health, and government facilities, especially at the state and local level – are historically under-funded and poorly secured.

In the meantime, the hackers deploy backdoors to ensure access and persistence, and come in every 15, 30, 90 days and just touch those accounts to verify they can still get in. And that's really quiet activity, especially if they are using legitimate credentials. Orgs may need to rethink their log management and retention policies, and implement stronger identity and access management policies.

[rG: Internet application attacks and defenses have been well understood for over two decades, and internal attacks decades earlier. OWASP was started in 2001 in response to Internet application attacks, and the Microsoft Software Development Life Cycle (SDLC: proactive pre-production "shift-left" security practices) was published in 2024. Software development organizations that continue to under-invest in SSDLC, secure coding best practices, data encryption, and vulnerability testing QA will continue to provide preventable, lucrative cybersecurity targets, disrupting commercial service delivery and exposing personal information for identity theft and fraud.]

 

 

APPSEC, DEVSECOPS, DEV

Vulnerabilities like directory traversal have been called 'unforgivable' since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability. Path vulnerabilities took the eighth spot in MITRE's top 25 most dangerous software weaknesses, surpassed by out-of-bounds write, cross-site scripting, SQL injection, use-after-free, OS command injection, and out-of-bound read flaws.

Attackers can exploit path traversal vulnerabilities (also known as directory traversal) to create or overwrite critical files used to execute code or bypass security mechanisms like authentication. Such security flaws can also let threat actors access sensitive data, such as credentials that can later be used to brute-force already existing accounts to breach the targeted systems.

Another possible scenario is taking down or blocking access to vulnerable systems by overwriting, deleting, or corrupting critical files used for authentication (which would lock out all users).
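Directory traversal persists because the usual fix, normalising the joined path, is not a containment check. The following is an added example, not code from the article or from any product it mentions: the flawed join beside a hardened version that canonicalises the path and verifies it remains inside the base directory, including the prefix trick that a plain `startswith` test misses. The base directory and inputs are constructed and nothing is read from disk.

```python
"""Path traversal (CWE-22): a vulnerable file-path join beside its hardened form.

Added example, not code from the article or any product it mentions. The weak
version joins a client-supplied name onto a base directory and normalises it,
which still lets '../' sequences and absolute paths escape. The hardened
version canonicalises the result and refuses anything whose canonical path is
not inside the base directory. BASE_DIR and the inputs are constructed.
"""
import os

BASE_DIR = "/srv/app/uploads"   # constructed base directory


class PathTraversalError(ValueError):
    pass


def vulnerable_path(base: str, user_path: str) -> str:
    """Flawed pattern: normalising the joined path is not a containment check."""
    return os.path.normpath(os.path.join(base, user_path))


def safe_path(base: str, user_path: str) -> str:
    """Return the canonical path of user_path under base, or raise."""
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    base_real = os.path.realpath(base)
    # realpath resolves '.', '..' and symlinks, so the containment check is
    # made on the path the OS would open, not on the string the client sent.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath, not startswith: '/srv/app/uploads_evil' starts with
    # '/srv/app/uploads' as a string but is not inside that directory.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError("path escapes base directory")
    return candidate


def is_contained(base: str, user_path: str) -> bool:
    """True if user_path resolves inside base under the hardened check."""
    try:
        safe_path(base, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    for name in ["reports/q1.txt", "../../../etc/passwd", "/etc/shadow", "../uploads_evil/x"]:
        print("%-22s vulnerable -> %-24s safe -> %s"
              % (name, vulnerable_path(BASE_DIR, name), is_contained(BASE_DIR, name)))
```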

 

The CISA boss has been beating this drum throughout her tenure at America's lead government cybersecurity agency, after she took over from the inaugural CISA chief Chris Krebs – who joined Easterly on stage during the aptly titled session, World on Fire. As the two CISA bods noted, it does seem as though the digital world is on fire these days, with the "scourge of ransomware we've been dealing with," Easterly said.

The federal government can use its technology procurement power to encourage providers to sell more secure software, she added. "And frankly, it's a lever that anybody who buys technology should use. Demand that what we get from technology manufacturers is as safe and secure as possible."

Some 60-plus tech companies will sign a pledge to develop more secure technology, according to Easterly. The signatories are expected to include Microsoft, Google, AWS, IBM, Palo Alto Networks, and Cisco.

 

87% of CISOs say application security is a blind spot at the CEO and board level.

75% of CISOs highlight the issue is rooted in security tools that cannot generate insights that C-level executives and boards of directors can use to understand business risks and prevent threats.

72% of CISOs say their organization has experienced an application security incident in the past two years. These incidents carry significant risk, with CISOs highlighting the common consequences they’ve experienced, including:

  • impacted revenue (47%),

  • regulatory fines (36%), and

  • lost market share (28%).

45% are also concerned about AI’s potential to allow developers to accelerate software delivery with less oversight, leading to more vulnerabilities.

83% of CISOs say DevSecOps automation is more important to manage the risk of vulnerabilities introduced by AI.

71% of CISOs say DevSecOps automation is critical to ensuring reasonable measures have been taken to minimize application security risk.

77% of CISOs say current tools such as XDR and SIEM solutions cannot manage cloud complexity, as they lack the intelligence needed to drive automation at scale.

70% of CISOs say the need for multiple application security tools drives operational inefficiency due to the effort needed to make sense of disparate sources of data.

 

  • Challenge #1: Advanced AI-Driven Threats To Detect And Exploit Vulnerabilities
    Educate your security and software engineering teams as to the risks posed by the adoption of LLMs in your home-grown apps.

  • Challenge #2: Adoption Of Modern Security Tooling
    Evaluating and adopting security tooling vendors that are built specifically for success in the technology stacks, CI/CD pipelines, and cloud-native environments used by your engineers.

  • Challenge #3: Increased Rigor Of Privacy And Data Protection Requirements
    Invest in automated technologies that conduct data inventory and mapping to understand both data flows and any privacy compliance requirements you are obliged to follow.

  • Challenge #4: The Wild West Of Supply Chain Security Continues
    Start by vetting and monitoring your software dependencies and implementing a Software Bill of Materials (SBOM) to track components.
    [rG: SBOMs are an investigative security control, not a preventative one. SBOMs can be useful for post-release new-day vulnerability remediation and to identify root-cause liability. For prevention, ensure SCA vulnerability scanning is always done prior to compiling/building applications.]

  • Challenge #5: Educate Yourself On The Risks Of Integrating LLMs In Your Apps
    Educate your security and software engineering teams as to the risks posed by the adoption of LLMs in your home-grown apps.

 

The traditional approach for defenders is to list security gaps directly related to their assets in the network and eliminate as many as possible, starting with the most critical. Adversaries, in contrast, start with the end goal in mind and focus on charting the path toward a breach. They will generally look for the weakest link in the security chain to break in and progress the attack from there all the way to the crown jewels.

But to validate that your house is protected requires testing your security like a burglar: attempting to pick the locks, climb through windows, and looking for places where house keys might be "safely" stored. Penetration testing serves this need precisely: it provides an attacker's view into what can be compromised.

 

  • Enhanced risk awareness:
    By providing a comprehensive view of their entire security posture, organizations can pinpoint potential vulnerabilities and routes of attack that could be exploited.

  • Proactive threat prevention:
    Through proactively identifying weaknesses and anticipated paths of infiltration, companies can take preventative action to thwart possible dangers before they have an opportunity to materialize.

  • Optimizing third party risk management:
    This analytical approach extends beyond a single entity by evaluating the security arrangements of providers and external services. Users are then capable of swiftly determining if they are at risk should an issue emerge with a third party.

  • Adherence to compliance standards:
    It aids achieving compliance with constantly evolving regulations. Regulations may appear to change daily but their core principles endure. When vulnerabilities and their connections are illuminated, generating necessary reports is simplified.

  • Enhanced incident response:
    Through attack path examination, security teams can develop more effective response plans in the event of a breach. This planning includes anticipating possible scenarios of infiltration and outlining proactive steps to curb impact.

  • Refinement of security infrastructure:
    We often hear adding resources is not the sole solution. Insights from attack path analysis can be applied to redesign or strengthen an existing security framework, making it more resilient against potential threats.

 

 

M1. Improper Credential Usage

M2. Inadequate Supply Chain Security

M3. Insecure Authentication/Authorization

M4. Insufficient Input/Output Validation

M5. Insecure Communication

M6. Inadequate Privacy Controls

M7. Insufficient Binary Protections

M8. Security Misconfiguration

M9. Insecure Data Storage

M10. Insufficient Cryptography

 

VENDORS & PLATFORMS

Although PCI DSS 4.0 was released in March 2022, certain parts became either required or a suggested best practice in March 2024 and the rest will become required in March 2025.

In 8.6.2.a, compliance includes interviewing personnel and examining systems to ensure hard-coding credentials in software isn't happening and specifying explicitly that they aren't to be hard-coded going forward. That's a great policy recommendation, but policies don't work consistently without consistent monitoring to ensure they're followed (and to issue corrective action when they're not).

GitGuardian can scan your existing codebase for issues you need to fix and you can implement automations to integrate GitGuardian into your source code management systems, such as GitHub or Gitlab, to catch and block commits that add hard-coded secrets to the codebase. Our secret-blocking and secret scanning tools mean you don't have to worry if your developers follow the new policy perfectly, because our smart automations are backstopping that policy.
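Requirement 8.6.2 is a policy; what makes it hold is a check that runs on every commit. The following is an added example (not GitGuardian's code) of the kind of scan a pre-commit hook or CI gate performs: it reports assignments to credential-like variables and high-entropy string literals so the commit can be blocked. The source file it scans is constructed, and every value in it is a placeholder.

```python
"""Catch hard-coded credentials before they reach the repository.

Added example, not GitGuardian's code. It models the check a pre-commit hook
or CI gate would run for PCI DSS 4.0 requirement 8.6.2: scan a file's lines
for assignments to credential-like variables and for high-entropy string
literals, and report each hit. The source file below is constructed and every
value in it is a placeholder.
"""
import math
import re
from typing import List, Tuple

KEY_NAMES = r"password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key"
# <identifier containing a key name> = "<literal>"
ASSIGN_RE = re.compile(
    r"(?i)\b(\w*(?:" + KEY_NAMES + r")\w*)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
)
# any quoted run of 20+ base64 / hex / url-safe characters
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
PLACEHOLDERS = {"changeme", "<redacted>", "xxxx", "dummy", "example", "todo"}
ENTROPY_THRESHOLD = 3.5   # bits per character; random keys score well above this

Finding = Tuple[int, str, str]   # (line number, reason, variable or literal)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated character)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str) -> List[Finding]:
    """Return one finding per suspicious line; an empty list means the file passes."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if m and m.group(2).strip().lower() not in PLACEHOLDERS:
            findings.append((lineno, "credential assignment", m.group(1)))
            continue   # do not report the same literal a second time
        for lit in LITERAL_RE.finditer(line):
            if shannon_entropy(lit.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy literal", lit.group(1)))
    return findings


# Constructed source file: every credential-looking value is a placeholder.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "Summ3r-Rain-2024!"
api_key = os.environ["PAYMENT_API_KEY"]
PLACEHOLDER_TOKEN = "changeme"
signing_secret = 'ZmFrZV9zZWNyZXRfZm9yX2RlbW9fb25seQ=='
headers = {"X-Api": "q7Gz2PxL9mKw4NvB8tRs1YhD"}
"""

if __name__ == "__main__":
    for lineno, reason, what in scan_source(SAMPLE_SOURCE):
        print("line %d: %s (%s)" % (lineno, reason, what))
```

Line 4 passes because the value is read from the environment at runtime, and line 5 passes because the literal is a recognised placeholder.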

 

GitHub has introduced Artifact Attestations, a software signing and verification feature based on Sigstore that protects the integrity of software builds in GitHub Actions workflows. Artifact Attestations is now available in a public beta.

 

With Mastodon being a federated platform (part of the Fediverse), the request to generate a link preview is not made by just one Mastodon instance. Many instances connected to it also request the content almost immediately, and this "fediverse effect" increases the load on the website's server in a big way.

A single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and... an image. In total, 114.7 MB of data was requested from my site in just under five minutes — making for a traffic amplification of 36704:1.

 

Since 2019 pedestrian fatalities are still up 14 percent—and cyclist deaths are up 50 percent since 2010. That doesn't mean lidar and cameras have "failed," but because they rely on what the sensors can pick up, they cannot necessarily ID hazards (and alert drivers) as quickly as we need them to, particularly if that's a cyclist in your lane 300 feet down the road, just over the next rise. For that, we need better tech, which is emerging and is called Connected Vehicle to Everything (C-V2X). It's a chipset that operates on a portion of the cellular bandwidth, and vehicles with this tech embedded (say in an e-bike or car) monitor anything with a C-V2X chip as well as broadcast their own location at a pulse of 10 times a second. This precision location system would then warn a driver of a cyclist on the road ahead, even beyond line of sight, and in an emergency—possibly because a cyclist was right in a car's path—could prevent a collision.

 

With an economic crisis gripping the nation, people are having their irises scanned in exchange for $50 in crypto.

 

Will involve the integration of Noname into Akamai's API Security business as the firm looks to offer security operations teams and developers more comprehensive tools for shadow API and vulnerability identification.

 

 

Microsoft announced AI security posture management (AI-SPM) as part of Defender Cloud Security Posture Management (CSPM). It aims to leverage Microsoft Azure AI services, such as Microsoft Azure AI Content Safety and Azure OpenAI, to provide ongoing surveillance of AI applications, detecting any irregular behavior, consolidating observations and enhancing security alerts with logged evidence.

 

 

LEGAL & REGULATORY

BetterHelp has agreed to pay $7.8 million in a settlement agreement with the U.S. Federal Trade Commission (FTC) over allegations of misusing and sharing consumer health data for advertising purposes.

 

Onur Aksoy, the CEO of a group of companies controlling multiple online storefronts, was sentenced to six and a half years in prison for selling $100 million worth of counterfeit Cisco network equipment to government, health, education, and military organizations worldwide. He imported tens of thousands of modified low-quality networking devices from Hong Kong and Chinese counterfeiters for as much as 98 percent off Cisco's suggested retail price. These devices all had "counterfeit Cisco labels, stickers, boxes, documentation, and packaging, all bearing counterfeit trademarks registered and owned by Cisco."

 

“LockBitSupp” has been unmasked by an international law enforcement team, and a $10 million bounty has been placed for his arrest.

US federal prosecutors unmasked the flamboyant persona as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national. Prosecutors said that during his five years at the helm of LockBit—one of the most prolific ransomware groups—Khoroshev and his subordinates have extorted $500 million from some 2,500 victims, roughly 1,800 of which were located in the US. His cut of the revenue was allegedly about $100 million. If convicted, Khoroshev faces a maximum penalty of 185 years in prison.

LockBit has operated since at least 2019 and has also been known under the name “ABCD” in the past. Within three years of its founding, the group’s malware was the most widely circulating ransomware. Like most of its peers, LockBit has operated under what’s known as ransomware-as-a-service, in which it provides software and infrastructure to affiliates who use it to do the actual hacking. LockBit and the affiliates then divide any resulting revenue.

 

And Now For Something Completely Different …