Robert Grupe's AppSecNewsBits
Lame List: Gravy Analytics, Marriott, Telefónica, Docker, Microsoft, traffic cams, DNA sequencers. And HIPAA update
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
A company that tracks and sells Americans' location data has seemingly been hacked
The incident would be one of the largest known breaches of a handful of controversial U.S. companies that sell individuals’ location data, a gold mine for advertisers as it can be used to extensively map a person’s life, usually without their knowledge. The company, Gravy Analytics, and its subsidiary, Venntel, were accused last month by the Federal Trade Commission of illegally collecting and selling Americans’ location data without their knowledge or obtaining proper legal consent. Some of the people Gravy tracked were monitored going into sensitive locations like government buildings, health clinics and places of worship. Gravy noticed unauthorized access to its Amazon Web Services cloud storage, and is still investigating it.
Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location
The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening both without users’ and even app developers’ knowledge. For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients, appears to be acquiring their data from the online advertising ‘bid stream,’ rather than code embedded into the apps themselves.
After 344 million customers were hit by Marriott data breach, the hotel chain has been ordered to implement better security measures
The Federal Trade Commission finalized an order requiring Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a comprehensive information security program to settle charges that the companies failed to implement reasonable data security, which led to three large data breaches affecting more than 344 million customers worldwide. Marriott and Starwood are required to establish a comprehensive information security program to help safeguard customers’ personal information, implement a policy to retain personal information only for as long as is reasonably necessary, and establish a link on their website through which U.S. customers can request deletion of the personal information associated with their email address or loyalty rewards account number. The companies are also prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information, and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information.
Telefónica confirms internal ticketing system breach after data leak
The "internal ticketing system" is an internal Jira development and ticketing server, used by the company to report and resolve internal issues. The system was breached yesterday using compromised employee credentials. Using the compromised employee accounts, the threat actors say they were able to scrape approximately 2.3 GB of documents, tickets, and various data. Three people behind this attack, Grep, Pryx, and Rey, are also members of a recently launched ransomware operation known as Hellcat Ransomware. Hellcat is responsible for a recent breach of Schneider Electric, where 40GB of data was stolen from the company's JIRA server.
Docker Desktop blocked on Macs due to false malware alert
The root cause of these inaccurate malware messages is an incorrect code-signing signature used on some files in existing installations, likely causing a failure in file integrity checks.
Microsoft sues service for creating illicit content with its AI platform
The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsoft has erected to prevent the creation of harmful content through its generative AI services, said Steven Masada, the assistant general counsel for Microsoft’s Digital Crimes Unit. They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use. Microsoft is also suing seven individuals it says were customers of the service. All 10 defendants were named John Doe because Microsoft doesn’t know their identity. Microsoft didn’t say how the legitimate customer accounts were compromised but said hackers have been known to create tools to search code repositories for API keys developers inadvertently included in the apps they create. Microsoft and others have long counseled developers to remove credentials and other sensitive data from code they publish, but the practice is regularly ignored. The company also raised the possibility that the credentials were stolen by people who gained unauthorized access to the networks where they were stored.
[rG: Interesting, distracting marketing tactic to use lawsuits to go after hackers for exploiting application/service vulnerabilities. There is really no excuse for secrets in code, since it is easy to prevent with daily code repository scans and coding best practices such as release code reviews.]
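The daily repository scan mentioned above, as an added example: this is illustrative code written for this newsletter, not Microsoft's tooling or any named product. It combines regexes for well-known credential formats (AWS access key ids begin with AKIA, GitHub classic tokens with ghp_) with a Shannon-entropy check on long quoted literals, so that both recognisable token formats and keyword-less random-looking strings are caught while placeholder values such as "changeme" are not. The rule names, thresholds and the sample repository files are assumptions constructed for the example.

```python
"""Minimal secrets scanner for a source tree (added example, not a product)."""
import math
import os
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path lineno rule preview")

# Rule names are labels chosen for this example. Formats follow publicly
# documented prefixes; the generic rule catches password = "..." assignments.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|passwd|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0    # bits/char for bare literals; assumption, tune per repo
PLACEHOLDER_ENTROPY = 3.0  # below this, "changeme"-style values are ignored
SKIP_DIRS = {".git", "node_modules", "vendor"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep only a short prefix so the report itself does not re-leak the value."""
    return f"{secret[:4]}... ({len(secret)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return Findings for one file's contents; each (line, value) is reported once."""
    findings, seen = [], set()

    def report(lineno, rule, secret):
        if (lineno, secret) not in seen:
            seen.add((lineno, secret))
            findings.append(Finding(path, lineno, rule, redact(secret)))

    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(secret) < PLACEHOLDER_ENTROPY:
                    continue  # looks like a placeholder, not a real credential
                report(lineno, rule, secret)
        for m in LITERAL.finditer(line):  # keyword-less but random-looking strings
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                report(lineno, "high_entropy_literal", m.group(1))
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory mapping of path -> text (used for the sample below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_tree(root: str) -> list:
    """Walk a checked-out repository on disk, skipping vendored directories."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    results += scan_text(full, fh.read())
            except OSError:
                continue
    return results


# Constructed sample repository. The AWS value is the placeholder key used in
# AWS documentation; every other value is made up for this example.
SAMPLE_FILES = {
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "settings.py": 'password = "changeme"\nSESSION_SECRET = "3f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c"\n',
    "deploy.sh": 'export GITHUB_TOKEN="ghp_abcdefghijklmnopqrstuvwxyz0123456789"\n',
    "app.yaml": 'name: demo\nsigning_key: "a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6"\n',
    "README.md": "Run the app with `python main.py`.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno} {f.rule} {f.preview}")
```

Run it as a nightly job over a fresh clone with scan_tree(), or wire scan_text() into a pre-commit hook; the dedup set keeps a value that trips both a format rule and the entropy rule from being reported twice, and the preview is redacted so the scan output cannot become a second leak.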
Time to check if you ran any of these 33 malicious Chrome extensions
The malicious version came through a spear phishing email sent to the developers Google listed for the Cyberhaven extension on Christmas Eve. It warned that the extension wasn’t in compliance with Google terms and would be revoked unless the developer took immediate action. A link in the email led to a Google consent screen requesting access permission for an OAuth application named Privacy Policy Extension. A Cyberhaven developer granted the permission and, in the process, unknowingly gave the attacker the ability to upload new versions of Cyberhaven’s Chrome extension to the Chrome Web Store. The attacker then used the permission to push out the malicious version 24.10.4.
Misconfigured license plate readers are leaking data and video in real time
As well as broadcasting live footage accessible to anyone on the Internet, the misconfigured cameras also exposed data they have collected, including photos of cars and logs of license plates. The real-time video and data feeds don’t require any usernames or passwords to access.
[rG: Easily prevented by designing for "security by default": require customers to set up access credentials during initial use.]
Widely used DNA sequencer still doesn’t enforce Secure Boot
The iSeq 100 can boot from a Compatibility Support Mode, so it works with older legacy systems such as 32-bit OSes. When this is the case, the iSeq loads from BIOS B480AM12, a version that dates to 2018. It harbors years' worth of critical vulnerabilities that can be exploited to carry out the types of firmware attacks Secure Boot envisioned. The ability to create infections on one of the most widely used gene sequencers could be a golden opportunity for threat actors. Ransomware groups could use one to take out all devices in a given network. Researchers have also shown how malware can cause sequencers to report false relations between arbitrary users on GEDmatch.
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability: Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
Mitel MiCollab Path Traversal Vulnerability: Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Mitel MiCollab Path Traversal Vulnerability: Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
Oracle WebLogic Server Unspecified Vulnerability: Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3.
HACKING
Ransomware in 2024: New players, bigger payouts, and smarter tactics
VPN vulnerabilities, weak credentials fuel ransomware attacks
Cybercriminals turn to pen testers to test ransomware efficiency
MFA bypass becomes a critical security issue as ransomware tactics advance
83% of organizations experienced at least one ransomware attack in the last year
Ransomware crisis deepens as attacks and payouts rise
Most ransomware attacks occur between 1 a.m. and 5 a.m.
74% of ransomware victims were attacked multiple times in a year
Ransomware operators continue to innovate
Record-breaking $75 million ransom paid to cybercrime group
Cyber insurance isn’t the answer for ransom payments
Cybercriminals shift tactics to pressure more victims into paying ransoms
Global ransomware crisis worsens
Ransom recovery costs reach $2.73 million
Behavioral patterns of ransomware groups are changing
Paying ransoms is becoming a cost of doing business for many
Security pros baited with fake Windows LDAP exploit traps
LDAPNightmare is the name of the PoC for CVE-2024-49113, a 7.5-severity denial-of-service bug in LDAP patched in Microsoft's December Patch Tuesday. In the counterfeit PoC, the legitimate version's Python files were replaced with an executable called "poc.exe." If a user ran this, it would instead drop a PowerShell script, which then downloaded and executed another script from Pastebin, collecting various data points from the user. For experienced researchers, the bait scheme should have raised suspicions given that an executable was sitting inside a Python project. It's the latest of many attempts to beat researchers at their own game. On multiple occasions, North Korean attackers have attempted to target security researchers using various tactics.
A Day in the Life of a Prolific Voice Phishing Crew
A prolific voice phishing gang routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices. One victim was a cryptocurrency investor named Tony, who was robbed of more than $4.7 million in an elaborate voice phishing attack. In Tony’s ordeal, the crooks appear to have initially contacted him via Google Assistant, an AI-based service that can engage in two-way conversations. The phishers also abused legitimate Google services to send Tony an email from google[.]com, and to send a Google account recovery prompt to all of his signed-in devices.
Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware
According to Google-owned security provider Mandiant, the vulnerability has been actively exploited against “multiple compromised Ivanti Connect Secure appliances” since mid-December, roughly three weeks before the then zero-day came to light. After exploiting the vulnerability, the attackers go on to install two never-before-seen malware packages, tracked under the names DRYHOOK and PHASEJAM, on some of the compromised devices. PHASEJAM is a well-written and multifaceted bash shell script. It first installs a web shell that gives the remote hackers privileged control of devices. It then injects a function into the Connect Secure update mechanism that’s intended to simulate the upgrading process. The attackers are also using a previously seen piece of malware tracked as SPAWNANT on some devices. One of its functions is to disable an integrity checker tool (ICT) Ivanti has built into recent VPN versions that is designed to inspect device files for unauthorized additions. SPAWNANT does this by replacing the expected SHA256 cryptographic hash of a core file with the hash of the file after it has been infected.
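The hash-replacement trick described above works because the integrity checker trusts a manifest that lives on the same device the attacker controls. The following is an added example in plain Python, a simulation written for this newsletter and not Ivanti's ICT or the malware itself: the appliance is modelled as a dict of path to bytes with constructed contents and a hypothetical manifest path; an on-device check is compared against an out-of-band vendor reference, a copy of the manifest kept off the box and authenticated with an HMAC under a key the device never stores. The same file-and-hash rewrite passes the first check and is caught by the second, including the change to the manifest file itself.

```python
"""On-device integrity manifest versus an out-of-band reference (added example)."""
import hashlib
import hmac
import json

MANIFEST_PATH = "/etc/integrity/manifest.json"  # hypothetical location
PROTECTED_PREFIX = "/home/bin/"                  # hypothetical protected tree


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, skip=(MANIFEST_PATH,)) -> dict:
    """Map each protected path to the SHA-256 of its current contents."""
    return {p: sha256_hex(b) for p, b in sorted(files.items()) if p not in skip}


def fresh_device() -> dict:
    """Constructed stand-in for a freshly installed appliance image."""
    files = {
        "/home/bin/web": b"#!/bin/sh\necho serving\n",
        "/home/bin/upgrade": b"#!/bin/sh\necho upgrading\n",
    }
    files[MANIFEST_PATH] = json.dumps(build_manifest(files)).encode()
    return files


def on_device_check(device: dict) -> list:
    """ICT-style check that trusts the manifest stored on the device itself."""
    expected = json.loads(device[MANIFEST_PATH])
    return [p for p, h in expected.items() if sha256_hex(device.get(p, b"")) != h]


def vendor_reference(image: dict, key: bytes) -> tuple:
    """Release-time snapshot of every file (manifest included), MACed off-device."""
    manifest = json.dumps(build_manifest(image, skip=()), sort_keys=True).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def external_check(device: dict, reference: tuple, key: bytes) -> list:
    """Compare the device against the reference; return changed or unknown paths."""
    manifest, tag = reference
    if not hmac.compare_digest(hmac.new(key, manifest, hashlib.sha256).hexdigest(), tag):
        raise ValueError("reference manifest failed authentication")
    expected = json.loads(manifest)
    diffs = [p for p, h in expected.items() if sha256_hex(device.get(p, b"")) != h]
    # Files added under the protected tree that the reference has never seen
    diffs += [p for p in sorted(device) if p.startswith(PROTECTED_PREFIX) and p not in expected]
    return diffs


def tamper_file_and_manifest(device: dict, path: str, new_contents: bytes) -> None:
    """The evasion described above: change a file and its expected hash together."""
    device[path] = new_contents
    m = json.loads(device[MANIFEST_PATH])
    m[path] = sha256_hex(new_contents)
    device[MANIFEST_PATH] = json.dumps(m).encode()


def demo(key: bytes = b"vendor-offline-key-placeholder") -> tuple:
    """Return ((on_device, external) before tampering, (on_device, external) after)."""
    device = fresh_device()
    reference = vendor_reference(device, key)
    before = (on_device_check(device), external_check(device, reference, key))
    tamper_file_and_manifest(device, "/home/bin/upgrade", b"#!/bin/sh\necho fake upgrade\n")
    after = (on_device_check(device), external_check(device, reference, key))
    return before, after


if __name__ == "__main__":
    (b_dev, b_ext), (a_dev, a_ext) = demo()
    print("before tamper: on-device", b_dev, "| external", b_ext)
    print("after tamper:  on-device", a_dev, "| external", a_ext)
```

The design point is where the trust anchor lives: a manifest the device can rewrite is only as strong as the attacker's lack of root, whereas a reference authenticated under a key held off the device (an HMAC here for brevity; a signature in a real release pipeline) lets an external check, run from a trusted host against the appliance's files, detect both the altered binary and the altered manifest.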
Here’s how hucksters are manipulating Google to promote shady Chrome extensions
Google’s Chrome browser explicitly forbids third-party extension developers from trying to manipulate how the browser extensions they submit are presented in the Chrome Web Store. The policy specifically calls out search-manipulating techniques such as listing multiple extensions that provide the same experience or plastering extension descriptions with loosely related or unrelated keywords. Developers are flagrantly violating those terms in hundreds of extensions currently available for download from Google. As a result, searches for a particular term or terms can return extensions that are unrelated, inferior knockoffs, or carry out abusive tasks such as surreptitiously monetizing web searches. One way they do this is by abusing a language translation feature built into the extension description system. When a description is tailored to a specific language, the keywords included get swept into descriptions for other languages. This allows developers to plaster tens of thousands of misleading keywords into descriptions without appearing to run afoul of Google policies.
APPSEC, DEVSECOPS, DEV
CISA Releases the Cybersecurity Performance Goals Adoption Report
The Cybersecurity and Infrastructure Security Agency (CISA) defines Cross-Sector Cybersecurity Performance Goals (CPGs) as a subset of cybersecurity practices selected through a thorough process of industry, government, and expert consultation aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. This report assesses the inferred adoption of select CISA CPGs since the report’s initial release on October 27, 2022.
CPG ADOPTION ANALYSIS
1.E: Mitigating Known Vulnerabilities
2.K: Strong and Agile Encryption
2.M: Email Security
2.W: No Exploitable Services on the Internet
2.X: Limit OT Connections on the Public Internet
4.C: Security.txt Adoption
Legacy Multi-Factor Authentication (MFA): In place of legacy MFA, phishing-resistant, FIDO2-compliant solutions have emerged as the gold standard for authentication.
Signature-Based Antivirus: Modern EDR and XDR platforms combine heuristic analysis, AI-driven insights, and real-time monitoring.
Legacy VPNs: Replaced by zero-trust network access (ZTNA).
Standalone Password Managers: Digital identity solutions offering seamless passwordless authentication and robust lifecycle management.
Passkey technology is elegant, but it’s most definitely not usable security
Passkeys are now supported on hundreds of sites and roughly a dozen operating systems and browsers. The diverse ecosystem demonstrates the industry-wide support for passkeys, but it has also fostered a jumble of competing workflows, appearances, and capabilities that can vary greatly depending on the particular site, OS, and browser (or browser agents such as native iOS or Android apps). Rather than help users understand the dizzying number of options and choose the right one, each implementation strong-arms the user into the vendor's preferred option. For example: "If you use Google Chrome as your browser on a Mac, it uses the Apple Keychain feature to store your passkeys," he wrote. "This means you can’t sync your passkeys to your Chrome profile on other devices." In an email last month, Kim said users can now override this option and choose to store their passkeys in Chrome. Even then, however, "passkeys created on Chrome on Mac don’t sync to Chrome on iPhone, so the user can’t use it seamlessly on Chrome on their iPhone." For now, passwords and key- or authenticator-based MFA remain essential. With any luck, passkeys will someday be ready for the masses, but that day is not (yet) here.
VENDORS & PLATFORMS
IBM's new enterprise AI models are more powerful than anything from OpenAI or Google
Big Blue claims its new Granite 8B Instruct model outperforms its rivals, such as Google Gemma 2, Meta Llama 3.1, and Qwen 2.5, on HuggingFace's OpenLLM Leaderboard benchmarks. The family of Granite 3.1 models boasts an impressive 128K token context window, a substantial increase from their predecessors. This expansion allows the models to process and understand much larger amounts of text -- equivalent to approximately 85,000 English words -- enabling more comprehensive analysis and generation tasks. By comparison, OpenAI's ChatGPT 3, which ignited the AI revolution, could handle only 2,000 tokens. The Granite 3.1 family includes dense models and Mixture of Experts (MoE) variants. IBM states its Granite 2B and 8B models are text-only dense LLMs trained on over 12 trillion data tokens. The dense models are designed to support tool-based use cases and for retrieval augmented generation (RAG), streamlining code generation, translation, and bug fixing.
Goodware Hash Sets
Sets of hashes are also interesting when they contain hashes for safe files. Exacorn has released an interesting ZIP archive with “goodware” (as opposed to “malware”). The file (2GB) provides 12M hashes and filenames. Note that some of the listed files might still be flagged by some antivirus solutions. For example, I searched for "putty.exe" in the file; one of the returned hashes is 6CDBE5323E1DEC7102D86C60458D6C7465807E80516D63F2EE509625C1DF2416. It’s a perfect opportunity to remind you that other projects exist. The ones that I use regularly:
The National Software Reference Library (NSRL) project
The CIRCL[.]lu Hash Lookup API
Hashsets[.]com (not 100% free)
I like the second one because it includes the NSRL lists and can be used in an automated way.
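An added example of putting such a list to work, written for this newsletter and not Exacorn's tooling or the diary author's script: it parses a hash set, hashes a set of files and reports which are present in the allowlist, and shows how the same lookup can be pointed at the CIRCL hashlookup service for automated use. The `SHA256,filename` line format is an assumption (adapt load_hashset() to the archive you actually download), the sample files are constructed, and the putty.exe hash is the one quoted in the entry; the online endpoint form is also an assumption and is not exercised offline. As the entry notes, a match means "listed as known", not "clean".

```python
"""Triage files against a local goodware hash set (added example)."""
import hashlib
import os
import urllib.error
import urllib.request

HASHLOOKUP_BASE = "https://hashlookup.circl.lu/lookup/sha256/"  # assumed endpoint form
KNOWN_GOOD = b"hello world\n"  # constructed contents of a "known" file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


# Constructed files standing in for a directory under triage.
SAMPLE_FILES = {
    "tool.exe": KNOWN_GOOD,          # listed below under a different filename
    "empty.txt": b"",                # SHA-256 of empty input, a well-known constant
    "unknown.bin": b"\x00\x01\x02",  # not in the set
}

# Constructed hash set; the first row is the putty.exe hash quoted in the entry.
SAMPLE_HASHSET = (
    "# sha256,filename\n"
    "6CDBE5323E1DEC7102D86C60458D6C7465807E80516D63F2EE509625C1DF2416,putty.exe\n"
    f"{sha256_hex(KNOWN_GOOD)},hello.txt\n"
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,empty.txt\n"
)


def load_hashset(text: str) -> dict:
    """Parse `hash,filename` lines into {HASH: [filenames]}; hashes upper-cased."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(",")
        table.setdefault(digest.strip().upper(), []).append(name.strip())
    return table


def triage(files: dict, hashset: dict) -> dict:
    """Return {path: ("known", [names listed under that hash]) or ("unknown", [])}."""
    out = {}
    for path, data in files.items():
        names = hashset.get(sha256_hex(data))
        out[path] = ("known", sorted(names)) if names else ("unknown", [])
    return out


def triage_dir(root: str, hashset: dict) -> dict:
    """Same as triage() for a directory on disk (files are read whole)."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    files[full] = fh.read()
            except OSError:
                continue
    return triage(files, hashset)


def hashlookup_url(sha256: str) -> str:
    return HASHLOOKUP_BASE + sha256.lower()


def hashlookup_known(sha256: str, timeout: float = 5.0) -> bool:
    """Online check against CIRCL hashlookup (assumed: HTTP 200 known, 404 unknown).
    Makes a network request; not used by the offline demo."""
    req = urllib.request.Request(hashlookup_url(sha256), headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False
        raise


if __name__ == "__main__":
    for path, (status, names) in triage(SAMPLE_FILES, load_hashset(SAMPLE_HASHSET)).items():
        print(f"{path}: {status} {names}")
```

In an investigation the point of the lookup is to shrink the pile: everything reported "unknown" is what deserves analyst time, while "known" files still get a second look if the filename under which they are listed does not match the name on disk, as with tool.exe above.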
LEGAL & REGULATORY
Massive healthcare breaches prompt US cybersecurity rules overhaul
The U.S. Department of Health and Human Services (HHS) has proposed updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to secure patients' health data following a surge in massive healthcare data leaks. These stricter cybersecurity rules, proposed by the HHS' Office for Civil Rights (OCR) and expected to be published as a final rule within 60 days, would require healthcare organizations to encrypt protected health information (PHI), implement multifactor authentication, and segment their networks to make it harder for attackers to move laterally through them. The HIPAA cybersecurity rule updates were prompted by the ransomware attacks and massive breaches that have affected hospitals and Americans in recent years. Implementing these rules would cost roughly $9 billion in the first year and over $6 billion during the following four years.
New HIPAA Security Rule Updates You Need to Understand
Technology Asset Inventory and Network Mapping: Healthcare organizations would be required to develop and maintain a comprehensive technology asset inventory and network map.
Specificity in Risk Analysis: Currently, the HIPAA Security Rule requires covered entities to conduct a risk analysis, but it does not prescribe a specific methodology. Now it does.
Strengthened Incident Response Requirements: The NPRM also proposes enhanced requirements for incident response planning.
Increased Accountability for Business Associates: Business associates who handle ePHI on behalf of covered entities would face stricter compliance requirements under the proposed changes.
E.U. Commission Fined for Transferring User Data to Meta in Violation of Privacy Laws
By means of the 'Sign in with Facebook' hyperlink displayed on the E.U. Login webpage, the Commission created the conditions for transmission of the IP address of the individual concerned to the U.S. undertaking Meta Platforms. By transferring their information to the U.S., there arose a risk of their personal data being accessed by the U.S. security and intelligence services. At the time of that transfer, on 30 March 2022, there was no Commission decision finding that the United States ensured an adequate level of protection for the personal data of E.U. citizens. Furthermore, the Commission has neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause. The court has ordered the Commission to pay the individual €400 ($412), which they sought as compensation for the non-material damage they claimed to have sustained as a result of the data transfer.
And Now For Something Completely Different …
How to blur your house on Google Street View (and 4 reasons why people do it)
Once Google blurs an image, it cannot be reverted, so be sure you want the image hidden before making the request. A quick Google search will show you that many people have posted in forums asking how to reverse this decision, including people who have since sold their home and feel guilty that it is still blurred, as well as people who run small businesses out of their home and can't understand why it isn't appearing on Street View now.