Robert Grupe's AppSecNewsBits 2025-03-08
This week's Lame List: secrets in logs, SSDLC without separation of duties, bad coding, vulnerable legacy applications, unencrypted data, unmanaged devices, AI deep fakes, ... the usual
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Feds Link $150M Cyberheist to 2022 LastPass Hacks
Federal prosecutors in northern California said they seized approximately $24 million worth of cryptocurrencies that were clawed back following a $150 million cyberheist on Jan. 30, 2024. The complaint refers to the person robbed only as “Victim-1,” but according to blockchain security researcher ZachXBT the theft was perpetrated against Chris Larsen, the co-founder of the cryptocurrency platform Ripple.
The U.S. Secret Service and the FBI agree with security researchers who said they were witnessing six-figure crypto heists several times each month that they believed all appeared to be the result of crooks cracking master passwords for the password vaults stolen from LastPass in 2022.
Researchers found that many of the cyberheist victims had chosen master passwords with relatively low complexity, and were among LastPass’s oldest customers. That’s because legacy LastPass users were more likely to have master passwords protected with far fewer “iterations”: the number of PBKDF2 rounds used to derive the vault’s encryption key from the master password. The more iterations, the more work an offline attacker has to do for every guess at the master password. Over the years, LastPass forced new users to pick longer and more complex master passwords, and it raised the iteration count on multiple occasions by orders of magnitude. But researchers found strong indications that LastPass never succeeded in upgrading many of its older customers to the newer password requirements and protections.
“They could have encouraged users to rotate their credentials. They could’ve prevented millions and millions of dollars from being stolen by these threat actors. But instead they chose to deny that their customers were at risk and blame the victims instead.”
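What the iteration count buys the defender, as an added example that is not part of the original article or of LastPass's code: a LastPass-style derivation (PBKDF2-HMAC-SHA256 keyed by the master password and salted with the account e-mail; the real client's extra steps are omitted), an attacker's offline loop over a stolen vault, and the relative cost of one guess at LastPass's long-standing legacy default of 5,000 iterations versus its current 600,000. The victim e-mail, the weak master password and the wordlist are constructed.

```python
import hashlib
import hmac

# LastPass's published defaults over time (assumption: simplified history,
# used only to size the work factor comparison).
LEGACY_ITERATIONS = 5_000
CURRENT_ITERATIONS = 600_000


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """LastPass-style key derivation, simplified: PBKDF2-HMAC-SHA256 with the
    lower-cased account e-mail as salt, 32-byte output. The salt and the
    iteration count are not secret; they ship with the stolen vault."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def offline_crack(target_key: bytes, email: str, iterations: int, wordlist):
    """The attacker's loop: every candidate costs exactly `iterations` HMAC
    rounds, so the defender's only lever is that number and the password's
    position in the attacker's list. Returns (password or None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if hmac.compare_digest(derive_vault_key(candidate, email, iterations), target_key):
            return candidate, guesses
    return None, guesses


def relative_work_factor(new_iterations: int, legacy_iterations: int) -> float:
    """How many times more expensive each guess becomes after an iteration bump."""
    return new_iterations / legacy_iterations


# Constructed victim: a legacy account never migrated off 5,000 iterations,
# protected by the kind of master password the researchers described.
VICTIM_EMAIL = "victim1@example.com"
VICTIM_PASSWORD = "Summer2012!"
VICTIM_KEY = derive_vault_key(VICTIM_PASSWORD, VICTIM_EMAIL, LEGACY_ITERATIONS)

# Constructed attacker wordlist; a real one has billions of entries.
WORDLIST = ["password", "letmein", "Summer2012!", "correcthorsebatterystaple"]

if __name__ == "__main__":
    recovered, guesses = offline_crack(VICTIM_KEY, VICTIM_EMAIL, LEGACY_ITERATIONS, WORDLIST)
    print(f"recovered {recovered!r} after {guesses} guesses at {LEGACY_ITERATIONS} iterations")
    factor = relative_work_factor(CURRENT_ITERATIONS, LEGACY_ITERATIONS)
    print(f"at {CURRENT_ITERATIONS} iterations every guess costs {factor:.0f}x more")
```

Raising iterations only protects a vault that was actually re-encrypted under the new count; a vault exfiltrated while still at the legacy count keeps that count forever, which is why the migration gap mattered more than the new default.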
Rubrik rotates authentication keys after log server breach
Rubrik is a cybersecurity company that specializes in data protection, backup, and recovery and has over 3,000 employees in more than 22 global offices. The company has over 6,000 customers worldwide, including high-profile companies like AMD, Adobe, Pepsico, Home Depot, Allstate, Sephora, GSK, Honda, Harvard University, and Trellix.
“An investigation supported by a third party forensic partner has confirmed that the incident was isolated to this one server and we found no evidence of unauthorized access to any data we secure on behalf of our customers, or our internal code.” However, Rubrik says that a small number of log files contained access information, causing the company to rotate authentication keys out of an abundance of caution.
[rG: Never log sensitive data (use masking), and automate regular secrets rotation so that an emergency rotation after an incident is just as quick.]
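Masking at the logging layer, as an added example (not Rubrik's code): a logging filter that formats each record, replaces credential-shaped substrings with placeholders, and is attached to the handler so that records propagated from child loggers are masked too. The patterns are illustrative shapes for common secret formats (Authorization headers, key=value credentials, AWS access key IDs, JWTs), and the log lines are constructed.

```python
import logging
import re

# Illustrative credential shapes; extend for the secret formats your systems emit.
SECRET_PATTERNS = [
    # HTTP Authorization headers: keep the scheme, drop the credential
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+"), r"\1[REDACTED]"),
    # key=value / key: value credentials in URLs, bodies and config dumps
    (re.compile(r"(?i)\b((?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*)[^\s&,;\"']+"),
     r"\1[REDACTED]"),
    # AWS access key IDs (AKIA.../ASIA... followed by 16 characters)
    (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "[REDACTED_AWS_KEY_ID]"),
    # JWTs: header.payload.signature, and a JSON header always base64-encodes to eyJ
    (re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "[REDACTED_JWT]"),
]


def mask_secrets(text: str) -> str:
    """Return `text` with every matched credential replaced by a placeholder."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecretMaskingFilter(logging.Filter):
    """Format the message with its args first, then mask, then clear the args,
    so handlers and log shippers only ever see the masked text. Masking the
    template before formatting would break '%s' placeholders."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_secrets(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "app") -> logging.Logger:
    """Attach the filter to the handler: logger-level filters do not see
    records that propagate up from child loggers, handler filters do."""
    logger = logging.getLogger(name)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.addFilter(SecretMaskingFilter())
        handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger


def masked_message(msg: str, *args) -> str:
    """Run one message through the filter exactly as logging would."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    SecretMaskingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    log = build_logger()
    # Constructed log lines of the kind that end up on a log server
    log.info("GET /v1/items?api_key=sk_live_12345 HTTP/1.1 Authorization: Bearer abc.def.ghi")
    log.info("login %s password=%s", "alice", "hunter2")
    log.info("rotating aws_key=AKIAIOSFODNN7EXAMPLE")
```

Masking is the backstop, not the control: anything that reached the log server before the filter existed is already exposed, which is exactly the position that forced the key rotation above.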
Developer sabotaged ex-employer with kill switch activated when he was let go
Davis Lu, 55, of Houston, Texas, was a seasoned coder employed by power-management firm Eaton Corporation from November 2007 to October 2019. In his last year with the outfit, there was a corporate restructuring and he was demoted, both in terms of job responsibilities and server access.
On August 9, 2019 Lu began introducing home-designed malware onto at least one of his employer's production systems. He wrote a Java program that would, in an infinite loop, create more and more non-terminating threads that would consume more and more resources until the computer running the code crashed and prevented people from logging in and using the machine. Lu also wrote code on that development box that would trash other users' files.
Lu created a dead man's switch that would lock every employee out of their accounts if his credentials were ever revoked, and named the code IsDLEnabledinAD, as in "Is Davis Lu enabled in Active Directory." When his position was eventually terminated on September 9, 2019, the switch was activated and thousands of employees around the world were locked out of the network, causing hundreds of thousands of dollars of damage.
[rG: Importance of ensuring separation of duties in software development processes and pipelines.]
What’s Weak This Week: file handling, resource control, input validation, memory buffers, concurrency, initialization
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability:
The Linux kernel contains a use of uninitialized resource vulnerability that allows an attacker to leak kernel memory via a specially crafted HID report. Related CWE: CWE-908
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability:
VMware ESXi and Workstation contain a time-of-check time-of-use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. Related CWE: CWE-367
CVE-2025-22225 VMware ESXi Arbitrary Write Vulnerability:
VMware ESXi contains an arbitrary write vulnerability. Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox. Related CWE: CWE-123
CVE-2025-22226 VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability:
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process. Related CWE: CWE-125
CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability:
Multiple Cisco Small Business RV Series Routers contain a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data. Related CWE: CWE-77
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability:
Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization. Related CWE: CWE-647
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability:
Microsoft Windows Win32k contains an improper resource shutdown or release vulnerability that allows for local, authenticated privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. Related CWE: CWE-404
CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability:
Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution. Related CWE: CWE-22
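Two of this week's CWEs, CWE-647 (authorization decided on a non-canonical URL path) and CWE-22 (path traversal), share one root cause: the check runs on a string the attacker can spell many ways. The following is an added example, not code from any of the products listed, showing the vulnerable shape beside the fix: canonicalize first, decide second. The `/admin/` policy, the base directory `/srv/reports` and the request paths are constructed.

```python
import os
import posixpath
from urllib.parse import unquote


def canonical_url_path(raw_path: str) -> str:
    """Decode percent-encoding once, collapse '.', '..' and repeated slashes,
    and force a single root, so every spelling of a resource maps to one string
    before any authorization decision is made."""
    decoded = unquote(raw_path)
    collapsed = posixpath.normpath(decoded)
    # normpath preserves a leading '//' (POSIX gives it special meaning); drop it
    return "/" + collapsed.lstrip("/")


def naive_requires_admin(raw_path: str) -> bool:
    """The CWE-647 shape: the policy is applied to the raw request string."""
    return raw_path.startswith("/admin/")


def requires_admin(raw_path: str) -> bool:
    """Same policy, applied to the canonical form."""
    return canonical_url_path(raw_path).startswith("/admin/")


def resolve_under(base_dir: str, user_path: str):
    """CWE-22 defence for file handling: resolve symlinks and '..' first, then
    require the result to be inside base_dir. commonpath (not startswith) is
    used so that '/srv/reports-old' is not mistaken for '/srv/reports'.
    Returns the resolved absolute path, or None when it escapes the base."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:          # different drives on Windows
        inside = False
    return target if inside else None


if __name__ == "__main__":
    # Constructed requests: all four name the same admin resource
    for p in ["/admin/users", "/public/../admin/users", "/%61dmin/users", "//admin/users"]:
        print(f"{p:28} naive={naive_requires_admin(p)!s:5} canonical={requires_admin(p)}")
    for p in ["q1/summary.txt", "../../etc/passwd", "/etc/passwd"]:
        print(f"{p:28} -> {resolve_under('/srv/reports', p)}")
```

One caveat: decoding exactly once matches what a typical server does; if a downstream component decodes again (double-encoded `%252e%252e`), canonicalize at that layer as well, or reject paths that still contain `%` after the first decode.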
HACKING
Silk Typhoon hackers now target IT supply chains to breach networks
Previously, the threat actors were primarily leveraging zero-day and n-day flaws in public-facing edge devices to gain initial access, plant web shells, and then move laterally via compromised VPN and RDP access.
Switching from organization-level breaches to MSP-level hacks allows the attackers to move within cloud environments, stealing Azure AD Connect (now Entra Connect) directory-sync credentials and abusing OAuth applications for a much stealthier attack.
The threat actors no longer rely on malware and web shells, with Silk Typhoon now exploiting cloud apps to steal data and then clear logs, leaving only a minimal trace behind.
Ransomware gang encrypted network from a webcam to bypass EDR
The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
Attackers opted for the webcam because it was vulnerable to remote shell access and unauthorized video feed viewing. Furthermore, it ran on a Linux-based operating system compatible with Akira's Linux encryptor. It also did not have an EDR agent, making it an optimal device to remotely encrypt files on network shares.
The threat actors utilized the webcam's Linux operating system to mount Windows SMB network shares of the company's other devices. They then launched the Linux encryptor on the webcam and used it to encrypt the network shares over SMB, effectively circumventing the EDR software on the network.
As the device was not being monitored, the victim organisation's security team was unaware of the increase in malicious Server Message Block (SMB) traffic from the webcam to the impacted server, which otherwise may have alerted them.
Akira was subsequently able to encrypt files across the victim's network.
There were patches available for the webcam flaws, meaning that the attack, or at least this vector, was avoidable.
The case shows that EDR protection isn't an all-encompassing security solution, and organizations shouldn't rely on it alone to protect against attacks. Furthermore, IoT devices are not as closely monitored and maintained as computers but still pose a significant risk.
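The detection the victim lacked, as an added example that is not from the original report or from any vendor: SMB sessions whose source is a device that cannot run an EDR agent (or is not in the inventory at all) are flagged, and the volume written to a share decides severity, because a camera browsing a file server and a camera encrypting one look the same except for the byte counts. The asset inventory, addresses and flow records are constructed; the shape of a flow record (source, destination, destination port, bytes) is what NetFlow/IPFIX or a firewall log would give you.

```python
from collections import defaultdict

# Constructed asset inventory (hypothetical addresses). "edr" records whether
# an agent can run on the device; cameras and other IoT cannot.
ASSETS = {
    "10.0.1.25": {"class": "workstation", "edr": True},
    "10.0.1.26": {"class": "workstation", "edr": True},
    "10.0.2.10": {"class": "file-server", "edr": True},
    "10.0.9.44": {"class": "iot-camera", "edr": False},
}

SMB_PORTS = {445, 139}
UNKNOWN = {"class": "unknown", "edr": False}


def smb_from_unmanaged(flows, assets=ASSETS, byte_threshold=50_000_000):
    """Aggregate SMB traffic per (source, destination) for every source that has
    no EDR coverage, and return one alert per pair. Volume at or above
    `byte_threshold` is treated as bulk read/write of a share (encryption),
    anything lower as reconnaissance. Sorted for deterministic output."""
    volume = defaultdict(int)
    for flow in flows:
        if flow["dport"] not in SMB_PORTS:
            continue
        source = assets.get(flow["src"], UNKNOWN)
        if source["edr"]:
            continue                     # covered host: the EDR is the control here
        volume[(flow["src"], flow["dst"])] += flow["bytes"]

    alerts = []
    for (src, dst), total in sorted(volume.items()):
        alerts.append({
            "src": src,
            "dst": dst,
            "class": assets.get(src, UNKNOWN)["class"],
            "bytes": total,
            "severity": "critical" if total >= byte_threshold else "medium",
        })
    return alerts


# Constructed flow records for one collection interval
FLOWS = [
    {"src": "10.0.1.25", "dst": "10.0.2.10", "dport": 445, "bytes": 120_000},      # managed workstation
    {"src": "10.0.9.44", "dst": "10.0.2.10", "dport": 445, "bytes": 30_000_000},   # camera -> file server
    {"src": "10.0.9.44", "dst": "10.0.2.10", "dport": 445, "bytes": 45_000_000},   # camera keeps going
    {"src": "10.0.9.44", "dst": "203.0.113.7", "dport": 443, "bytes": 5_000},      # not SMB, ignored
    {"src": "10.0.7.7", "dst": "10.0.2.10", "dport": 445, "bytes": 2_000},         # not in inventory
]

if __name__ == "__main__":
    for alert in smb_from_unmanaged(FLOWS):
        print(alert)
```

The threshold is a starting point; in practice compare each unmanaged source against its own baseline, because a camera's normal SMB volume is zero and any session at all is worth a ticket.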
Massive botnet that appeared overnight is delivering record-size DDoSes
A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen. Besides a 30,000-node botnet seeming to appear overnight, another salient feature of Eleven11bot is the record-size volume of data it sends its targets. The largest one Nokia has seen from Eleven11bot so far occurred on February 27 and peaked at about 6.5 terabits per second. The previous record for a volumetric attack was reported in January at 5.6 Tbps.
The Badbox botnet is back, powered by up to a million backdoored Androids
Off-brand Android-powered internet-connected TV devices – knockoffs of kit like Apple TV, Roku, or Amazon Fire Sticks – were found contaminated with malware that participated in a colossal ad-fraud network called Peachpit. Around 74,000 devices participated in the first Badbox cluster.
Badbox 2.0 apparently again targets Android, this time hardware running the base Android Open Source Project, aka AOSP, and has been spotted in cheap off-brand phones, more net-connected TV boxes, tablets sold for use in cars, and digital projectors. More than 200 apps infected with malware that participates in the botnet have been found, all hosted on third-party Android app stores. Most are "evil twins" of legit programs submitted to Google's Play Store. After those legit apps appear, crooks create and publish very similar packages on third-party software souks – complete with the malware. Users of third-party app stores – which are big in the developing world – are fooled into downloading and installing the evil twins.
Why taking down ransomware chiefs and infra behind big name brand operations isn't working
Ransomware groups' affiliates don't disappear, despite the cops' efforts to shut down leak sites, disrupt IT infrastructure, and even make arrests.
A lot of affiliates just find a new home and they continue operating which speaks to how commoditized many of these ransomware lockers and core groups fundamentally are. The core skills don't really change. The affiliates keep their preferred tactics, techniques, and procedures. They're just using a different encryptor, a different locker for their operations.
"A year, two years ago it would not be uncommon to have victims come in and say, well, we need to do negotiations because our data is encrypted, and they got our backups, or we don't have backups."
These days, however, in upwards of 70 percent of the ransomware attacks the orgs do have viable backups and are able to recover their data. So now the question of payment becomes not as much about operational viability, continuing operations and generating revenue as much as it is about suppressing the data and preventing the criminals from leaking sensitive personal and customer information along with corporate secrets and other IP. And that's a much tougher call for the organization.
[rG: “Tougher call” means the need to invest in hardening unprotected data with granular access controls and encryption.]
It's bad enough we have to turn on cams for meetings, now the person staring at you may be an AI deepfake
Along with the claimed 300 percent surge in face swap attacks – where someone uses deepfake tech to swap out their face for another in real time to fool victims, like what was used to trick a Hong Kong-based company out of $25 million last year – there has been a 783 percent increase in injection attacks targeting mobile web apps (i.e., injecting fake video camera feeds and other data into verification software to bypass facial-recognition-based authentication checks) and a 2,665 percent spike in the use of virtual camera software to perpetrate such scams.
Virtual camera software, available from a number of different vendors, allows legitimate users to, say, replace their built-in laptop camera feed in a video call with one from another app that, for instance, improves their appearance. Miscreants, on the other hand, can abuse the same software for nefarious purposes, such as pretending to be someone they aren't using AI. Because the video feed is created in a different app and injected via virtual camera software, it's much harder to detect. Thirty-one new crews began selling tools used for identity-verification spoofing in 2024 alone. This ecosystem encompasses 34,965 total users. Nine groups have over 1,500 users, with the largest reaching 6,400 members.
PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors
It all starts with the threat actors exploiting CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access and run PowerShell scripts that execute Cobalt Strike reverse HTTP shellcode, giving them persistent remote access to the compromised endpoint.
The next step entails carrying out reconnaissance, privilege escalation, and lateral movement using tools like JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt. Additional persistence is established via Windows Registry modifications, scheduled tasks, and bespoke services using the plugins of the Cobalt Strike kit called TaoWu. To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs. Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim's machine.
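Log clearing leaves its own trace: the Event Log service writes Security event 1102 ("the audit log was cleared") and System event 104 (a log file was cleared) to the freshly emptied log, and process-creation auditing (event 4688, with command-line logging enabled) records the wevtutil invocation itself. The following is an added example, not from the report or from Cobalt Strike's tooling, of detection logic run over constructed, already-forwarded events: it alerts on both signals and, when a clearing command preceded the 1102/104 on the same host within 60 seconds, names the command that caused it. Hostnames, timestamps and the event records are constructed.

```python
import re
from datetime import datetime, timedelta

# Commands that clear or disable Windows event logs. Seeing these requires
# process-creation auditing with "include command line" enabled.
LOG_CLEAR_CMD = re.compile(
    r"(?i)(?:\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"     # wevtutil cl Security
    r"|\bClear-EventLog\b"                                    # PowerShell cmdlet
    r"|\bwevtutil(?:\.exe)?\s+sl\b.*/e:\s*false)"             # disable a channel
)

CORRELATION_WINDOW = timedelta(seconds=60)


def detect_log_clearing(events):
    """Walk forwarded events in time order and return alerts.

    4688 with a clearing command line -> 'log-clear-command'.
    Security 1102 or System 104       -> 'log-cleared' (the service's own record,
    which survives because it is the first entry in the emptied log). If a
    clearing command ran on the same host inside the window, attach it as 'via'."""
    last_clear_cmd = {}          # host -> (time, command line)
    alerts = []
    for event in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(event["time"])
        host = event["host"]
        if event["event_id"] == 4688 and LOG_CLEAR_CMD.search(event.get("command_line", "")):
            last_clear_cmd[host] = (when, event["command_line"])
            alerts.append({"host": host, "time": event["time"],
                           "rule": "log-clear-command", "detail": event["command_line"]})
        elif (event["channel"], event["event_id"]) in {("Security", 1102), ("System", 104)}:
            alert = {"host": host, "time": event["time"], "rule": "log-cleared",
                     "detail": event.get("cleared_channel", event["channel"])}
            prior = last_clear_cmd.get(host)
            if prior and when - prior[0] <= CORRELATION_WINDOW:
                alert["via"] = prior[1]
            alerts.append(alert)
    return alerts


# Constructed events as a SIEM would receive them from Windows event forwarding
EVENTS = [
    {"time": "2025-03-01T02:14:05", "host": "WEB01", "channel": "Security", "event_id": 4624},
    {"time": "2025-03-01T02:14:10", "host": "WEB01", "channel": "Security", "event_id": 4688,
     "command_line": "wevtutil qe Security /c:5"},                 # read-only query, benign
    {"time": "2025-03-01T02:15:00", "host": "WEB01", "channel": "Security", "event_id": 4688,
     "command_line": "wevtutil cl Security"},
    {"time": "2025-03-01T02:15:02", "host": "WEB01", "channel": "Security", "event_id": 1102},
    {"time": "2025-03-01T02:15:03", "host": "WEB01", "channel": "System", "event_id": 104,
     "cleared_channel": "Application"},
    {"time": "2025-03-01T02:20:00", "host": "DB02", "channel": "Security", "event_id": 1102},
]

if __name__ == "__main__":
    for alert in detect_log_clearing(EVENTS):
        print(alert)
```

The 1102/104 rule needs no command-line auditing and fires even when the clearing was done through an API rather than wevtutil, which is why it is the one to keep if you can only afford one; forwarding logs off-host as they are written is what makes the cleared history recoverable at all.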
APPSEC, DEVSECOPS, DEV
Up to $75M needed to fix up rural hospital cybersecurity as ransomware gangs keep scratching at the door
Hospitals are routinely targeted by cybercriminals because system availability is acutely linked to mortality rates, and rural facilities are often the least secure, with 93 percent of malicious activity stemming from phishing and ransomware. Microsoft said it would cost an estimated $30,000 to $40,000 per rural hospital to raise its security posture to basic standards. This would include implementing MFA, unified identity management, and separating user and privileged accounts so that the most common attacks could be largely mitigated.
With the average cost of a data breach in the sector at $10.9 million, successful attacks on rural hospitals impose an unsustainable financial burden on already cash-strapped organizations. Stories like the recent case of a cancer patient facing a tragic dilemma following the Qilin ransomware assault on a London hospital should be included in awareness training.
BHIS: 5 Things We Are Going to Continue to Ignore in 2025
Penetration testing should focus on areas beyond automated tasks like vulnerability scanning and exploitation, allowing human testers to engage in activities that AI cannot perform.
Legacy Applications:
Organizations often neglect legacy systems, leading to the accumulation of vulnerabilities. This includes older software and cloud-based SaaS environments.
Delayed Security Notifications:
Cloud service providers sometimes have slow log shipping processes, causing delays in notifying customers about attacks, which significantly impacts incident response.
Vendor Vulnerabilities:
Vendors refusing to fix reported vulnerabilities or creating exceptions for unresolved issues lead to security risks. Organizations often accept these as unavoidable.
Developer Oversights:
Security lapses frequently stem from practices like using production data in development environments and developers requiring local admin privileges for tools.
Cloud Security Limitations:
While cloud services can improve security, they come with ignored risks, such as inadequate logging, which impedes timely attack detection.
Outsmarting Cyber Threats with Attack Graphs
An attack graph is a visual representation of potential attack paths within a system or network. It maps how an attacker could move through different security weaknesses - misconfigurations, vulnerabilities, and credential exposures, etc. - to reach critical assets. Attack graphs can incorporate data from various sources, continuously update as environments change, and model real-world attack scenarios.
Just because a vulnerability has a high CVSS score doesn't mean it's an actual threat to a given environment. Attack graphs add critical context, showing whether a vulnerability can actually be used in combination with other weaknesses to reach critical assets. Attack graphs also provide continuous visibility, in contrast to one-time assessments like red teaming or penetration tests, which can quickly become outdated. By analyzing all possible paths an attacker could take, organizations can leverage attack graphs to identify and address "choke points" - key weaknesses that, if fixed, significantly reduce overall risk.
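The choke-point idea in working code, as an added example that is not from the article or from any attack-graph product: a small constructed graph where an edge A -> B means "control of A lets the attacker attempt B", path enumeration from the internet to the domain controller, the intermediate nodes shared by every path, and a ranking of fixes by how many paths each one severs. Node names and edges are constructed; a real graph is populated from vulnerability, configuration and identity data.

```python
# Constructed attack graph. Edges are attacker moves (an exposed service, a
# reused credential, a trust relationship), not network links.
GRAPH = {
    "internet":          ["vpn-appliance", "web-app"],
    "vpn-appliance":     ["jump-host"],
    "web-app":           ["app-server"],
    "app-server":        ["jump-host", "db-server"],
    "db-server":         [],                  # reachable, but no onward move
    "jump-host":         ["domain-controller"],
    "domain-controller": [],
}


def all_paths(graph, source, target):
    """Every simple path from source to target (depth-first, no node revisited)."""
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(trail)
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:
                walk(nxt, trail + [nxt])

    walk(source, [source])
    return paths


def choke_points(graph, source, target):
    """Intermediate nodes present on every path: fixing any one severs all routes."""
    paths = all_paths(graph, source, target)
    if not paths:
        return set()
    common = set.intersection(*(set(p) for p in paths))
    return common - {source, target}


def rank_fixes(graph, source, target):
    """Intermediate nodes ordered by the number of paths they sit on (ties by name).
    This is the prioritisation a CVSS score alone cannot give you."""
    counts = {}
    for path in all_paths(graph, source, target):
        for node in path[1:-1]:
            counts[node] = counts.get(node, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def paths_after_fix(graph, source, target, fixed):
    """How many attack paths remain once `fixed` is removed from the graph."""
    pruned = {n: [m for m in edges if m != fixed] for n, edges in graph.items() if n != fixed}
    return len(all_paths(pruned, source, target))


if __name__ == "__main__":
    src, dst = "internet", "domain-controller"
    for path in all_paths(GRAPH, src, dst):
        print(" -> ".join(path))
    print("choke points:", choke_points(GRAPH, src, dst))
    print("ranked fixes:", rank_fixes(GRAPH, src, dst))
    for node in ("jump-host", "web-app"):
        print(f"fix {node}: {paths_after_fix(GRAPH, src, dst, node)} path(s) left")
```

Enumerating all simple paths is exponential in the worst case; production tools compute reachability and min-cut style choke points instead, but on a graph this size the brute-force version shows the reasoning plainly.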
How Emoji Passwords Work and Why They're a Game-Changer for Account Security
Passwords are only as strong as the effort it takes to crack them. Attackers use automated tools to systematically guess passwords, leveraging databases of leaked credentials and common patterns. Incorporating emoji expands the number of possible characters in your password, significantly increasing entropy. This added complexity makes brute-force attacks less effective since they rely on common character sets used in most passwords. And emoji-based passwords are far less vulnerable to dictionary attacks. Most brute-force tools rely on massive lists of commonly used words, phrases, and predictable substitutions (e.g., "p@ssw0rd" for "password"). Since emoji are rarely included in these databases, adding them to passwords introduces an extra layer of randomness that automated attacks struggle to process.
Emoji are represented as Unicode characters, meaning they are not stored as images but as unique code points. For example, 😂, the cry-laughing emoji, is assigned the Unicode code point U+1F602. This standardized encoding allows emoji to be sent and displayed across different devices and platforms, such as from an iPhone to an Android tablet to a Windows computer. However, the visual appearance of an emoji may vary depending on the operating system, font, or app displaying it.
It's much easier to add emoji to passwords on a computer since many apps and websites will hide the emoji keyboard when creating or entering passwords on iPhones and Android smartphones. This is where password managers like iCloud Passwords & Keychain, LastPass, 1Password, Dashlane, and so on come in handy. You can create emoji-filled passwords in your password manager, then copy them over to an app or site when creating an account or updating your credentials. Then, simply use the auto-fill feature on your device to fill the emojified password into password fields when logging in.
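What an emoji actually adds, and the check a site that accepts one should run, as an added example that is not from the article: the entropy estimate counts code points (so 😂 is one character, not two UTF-16 units or four bytes), the code-point listing verifies the U+1F602 claim above, and `prepare_for_hashing` shows the caveat the article leaves out: the same visible password can arrive as different code-point sequences from different keyboards, so normalise to NFC before hashing, and know that NFC does not unify "❤️" (with the U+FE0F presentation selector) and "❤" (without it). The pool sizes, in particular the emoji count, are assumptions for a rough estimate.

```python
import math
import unicodedata

# Pool-size assumptions for a rough entropy estimate. 3,700 approximates the
# number of distinct emoji in current Unicode; the exact figure changes yearly.
POOLS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33, "emoji": 3_700}


def classify(ch: str) -> str:
    """Bucket one code point. Emoji fall in Unicode general category 'So'
    (Symbol, other); an approximation, but it catches 😂 and its relatives."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    if unicodedata.category(ch) == "So":
        return "emoji"
    return "symbol"


def estimate_entropy_bits(password: str) -> float:
    """len * log2(pool) over code points. Python strings iterate by code point,
    so an astral-plane emoji counts once."""
    pool = sum(POOLS[c] for c in {classify(ch) for ch in password})
    return len(password) * math.log2(pool)


def code_points(s: str):
    """The U+XXXX form of each code point, as in the article's example."""
    return [f"U+{ord(ch):04X}" for ch in s]


def prepare_for_hashing(password: str) -> bytes:
    """Normalise to NFC, then UTF-8: 'é' typed as e + combining acute and 'é'
    as one code point must verify as the same password. Each emoji is four
    bytes here, which matters for hashes with an input cap such as bcrypt's 72."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def variation_selectors(password: str) -> int:
    """Count U+FE0F/U+FE0E presentation selectors. NFC keeps them, so a client
    that sends '❤️' and one that sends '❤' produce different hashes; decide on
    a policy (strip them, or reject them at enrolment) rather than discover it
    at login."""
    return sum(1 for ch in password if ch in ("\ufe0f", "\ufe0e"))


if __name__ == "__main__":
    for pw in ("Summer2012!", "Summer😂2012!"):
        print(f"{pw}: {len(pw)} code points, ~{estimate_entropy_bits(pw):.1f} bits")
    print("😂 ->", code_points("😂"), "UTF-8 bytes:", len(prepare_for_hashing("😂")))
    print("e + U+0301 == U+00E9 after NFC:",
          prepare_for_hashing("e\u0301") == prepare_for_hashing("\u00e9"))
    print("selectors in ❤️:", variation_selectors("\u2764\ufe0f"))
```

The entropy gain is real only if the emoji is chosen at random from the pool; a heart or a laughing face picked by a human sits near the top of any emoji frequency table, and cracking tools can add it just as they added "p@ssw0rd".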
Will the future of software development run on vibes?
With the rise of AI tools like ChatGPT, it's now possible for someone to describe a program in English and have the AI model translate it into working code without ever understanding how the code works. "There's a new kind of coding I call 'vibe coding,' where you fully give in to the vibes, embrace exponentials, and forget that the code even exists," wrote Andrej Karpathy, who described the process in deliberately casual terms: "I just see stuff, say stuff, run stuff, and copy paste stuff, and it mostly works."
If an error occurs, you feed it back into the AI model, accept the changes, hope it works, and repeat the process. This technique stands in stark contrast to traditional software development best practices, which typically emphasize careful planning, testing, and understanding of implementation details.
Cybersecurity not the hiring-'em-like-hotcakes role it once was
It seems every year there's another warning about a shortage of security talent, yet more people in the field are recounting that even getting an interview can be tough. It used to be that if you could spell cybersecurity you would get an interview. Now a lot of things have changed.
During COVID, there was huge hiring. Then after that, the companies said 'Oh my gosh, we have too many people. We need to do some downsizing.' And what happened then was a lot of very talented tech people were laid off and began flooding the market in all sorts of areas and began trying to reposition themselves.
The problem is also exacerbated by the latest generation of AI products coming onto the market. AI agents now routinely make decisions about a person's resume and many applicants lack the skills to game such software and bag an interview.
There's also the problem of ghost jobs bedeviling recruitment websites. The majority of HR people surveyed in multiple studies report posting job adverts for positions that don't exist. Reasons vary from trying to give the impression a business is growing, to both insiders and onlookers, to motivating staff to work harder because "they think they are replaceable."
A CompTIA Security+ certificate is de rigueur these days and being a Certified Information Systems Security Professional (CISSP) doesn't hurt either - and without them HR software will bin an application for a cybersecurity role almost without fail, she said. But once you actually get an interview certificate collections are less important than practical experience and a more formal education.
The most in-demand skills are oversight and governance, which is mostly suited to more experienced practitioners.
LEGAL & REGULATORY
Microsoft unveils finalized EU Data Boundary as European doubt over US grows
Microsoft claims it has invested over $20 billion in AI and cloud infrastructure across the continent. It has added controls over where Microsoft 365 customer data is located, created the Microsoft Cloud for Sovereignty, and implemented the EU Data Boundary itself. While Microsoft might have met the letter of the law, it is still a US company, and EU corporations are facing up to a new reality: is dependence on a US cloud, even one with an EU Data Boundary, a good idea? The CLOUD Act grants US authorities access to cloud data hosted by US companies. It does not matter if that data is located in the US, Europe, or anywhere else.
Microsoft's EU Data Boundary only applies to core services. Any services outside this bracket, as well as technical support, will continue as is, with data being processed anywhere in the world. Until users are assured of total transparent data sovereignty, full transparency of data flows including a guarantee that their data will not be used to train AI models without their express consent, customers will continue to have valid concerns over security and privacy.
Cybercrime Sentences
Stephen Hale allegedly stole many discs of unreleased movies that were being prepared for commercial distribution in the United States. These "pre-release" DVDs and Blu-rays were later sold through various e-commerce sites. Copies of 'Spider-Man: No Way Home' were downloaded tens of millions of times, with an estimated loss to the copyright owner of tens of millions of dollars.
Hale faces a maximum penalty of 10 years in prison on the interstate transportation of stolen goods count and 5 years on each criminal copyright infringement count.
Earlier this week, New York prosecutors said that two people working at a third-party contractor for the StubHub online ticket marketplace made $635,000 after reselling almost 1,000 stolen tickets for Taylor Swift's Eras Tour and other high-profile events, including Ed Sheeran concerts, Adele concerts, the US Open Tennis Championships, and NBA games. 20-year-old Tyrone Rose and 31-year-old Shamara Simmons, who worked for Sutherland Global Services in Jamaica, were arrested in New York City and now face a potential maximum sentence of up to 15 years in prison.