Robert Grupe's AppSecNewsBits & AI 2024-11-09
Epic Fails: DocuSign BEC, Nokia code and secrets, Schneider Electric Baguettes, Microsoft Update
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Criminals open DocuSign's Envelope API to make BEC special delivery
Business email compromise (BEC) scammers are trying to up their success rate by using a DocuSign API.
An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly. The attacker employs a specially crafted template mimicking requests to e-sign documents from well known brands. Because the invoices are sent directly through DocuSign's platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself.
Once signed, the attacker can forward the invoices on a mass scale, thanks to DocuSign's automation features, and the money should flow into their accounts. According to the FBI, BEC scammers have made $2.9 billion from US businesses in 2023 – and that's just from the reported cases. There are undoubtedly a few embarrassed businesses that just decided to swallow the loss.
DocuSign's form letter response – a remedy may take some time. The letter reads: "We appreciate you making us aware of bad actors using the DocuSign product inappropriately. Our Security teams have created an Incident Reporting guide on our Trust site. We recommend you do not click on any links from emails that are looking suspicious."
Scumbag puts 'stolen' Nokia source code, SSH and RSA keys, more up for sale
The reported security breach potentially involving Nokia's source code and credential information is a bit of a head-scratcher, given that it appears to be another case where third-party credentials for access to the software supply chain were compromised. The head-scratching comes from asking why a third party has access to Nokia source code at all. Perhaps the third party was a software engineer contributing to the software build process.
The alleged Nokia cyber-smash-and-grab is just one of many made on the Breachforums marketplace, which is – or has been – available via the dark web and surface web. Despite the best efforts of law enforcement to shutter the site in May, it was back within weeks.
Schneider Electric ransomware crew demands $125k paid in baguettes
Schneider Electric confirmed that it is investigating a breach as the ransomware group Hellcat claims to have stolen more than 40 GB of compressed data and demanded the French multinational energy management company pay $125,000 in baguettes or else see its sensitive customer and operational information leaked. And yes, you read that right: payment in baguettes. As in bread. The miscreants also promised to delete the data as long as the French firm hands over the dough.
This is Schneider Electric's third breach in less than two years. In February, Cactus ransomware infected the corporation's Sustainability Business division. And in June 2023, the French giant was among the thousands of organizations and millions of individuals whose data was stolen by the CL0P ransomware crew in the MOVEit attacks.
Sysadmin shock as Windows Server 2025 installs itself after update labeling error
Sysadmins are cautious by nature, so an unplanned operating system upgrade could easily result in morning coffee being sprayed over a keyboard.
Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284 in the Windows Update API, a KB number that refers to a Windows 11 update, not Windows Server 2025. Since rolling back to the previous configuration will present a challenge, affected users will be faced with finding out just how effective their backup strategy is, or paying for the required license and dealing with all the changes that come with Windows Server 2025.
Amongst KB5044284 chaos, Microsoft offers Windows Server 2025 optional update on 2022/2019
In a linked document titled "Feature update, clean install, or migrate to Windows Server", Microsoft has explained in detail how this works under different sections.
OpenAI’s o1 model leaked
For about two hours, users could access what is thought to be the full version of o1 (OpenAI has not confirmed) by changing a parameter in the URL. "We were preparing limited external access to the OpenAI o1 model and ran into an issue. This has now been fixed."
[rG: DevOps error or marketing campaign?]
HACKING
Don't open that 'copyright infringement' email attachment – it's an infostealer
Victims are sent emails pretending to be from media and technology companies falsely alleging a copyright violation regarding content on their business Facebook pages. These emails, however, lead to the infostealer's deployment, playing on the worry victims feel when accused of wrongdoing. The emails are sent from different Gmail accounts every time and appear to be coming from the "legal representatives" of the supposed copyright complainants. Attached are what the crooks claim are content-removal instructions neatly packaged up in a password-protected ZIP archive.
[rG: A BEC attack variant would be easy and effective using the above-mentioned DocuSign exploitability.]
US Agency Warns Employees About Phone Use Amid Ongoing China Hack
In an email to staff sent Thursday, the chief information officer at the Consumer Financial Protection Bureau warned that internal and external work-related meetings and conversations that involve nonpublic data should only be held on platforms like Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.
FBI says hackers are sending fraudulent police data requests to tech giants to steal people’s private information
The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an “uptick” around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness. Cyber-criminals are likely gaining access to compromised US and foreign government email addresses.
The FBI said that private companies “should apply critical thinking to any emergency data requests received,” given that cybercriminals “understand the need for exigency.”
Hundreds of code libraries posted to NPM try to install malware on dev machines
An ongoing attack is uploading hundreds of malicious packages to the open source node package manager (NPM) repository in an attempt to infect the devices of developers who rely on code libraries there. The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency. The discovery comes on the heels of a similar campaign a few weeks ago targeting developers using forks of the Ethers.js library.
When installed, the malicious packages use a novel way to conceal the IP address the devices contact to receive malicious second-stage malware payloads. The IP address doesn't appear in the first-stage code at all. Instead, the code accesses an Ethereum smart contract to fetch a string, in this case an IP address, associated with a specific contract address on the Ethereum mainnet.
Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package was inadvertently misspelled. Developers should always double-check names before running downloaded packages. The Phylum blog post provides names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.
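One way to make the "double-check names" advice mechanical is a pre-install check that compares a requested package name against the names a project intentionally depends on and flags near-misses. This is an added example, not code from the Phylum post or from npm; the allow-list and the misspelled names are constructed for illustration and are not the campaign's actual package names.

```javascript
// Constructed allow-list: packages this project is known to depend on.
// Names derived from the article (puppeteer) plus assumed examples.
const KNOWN_PACKAGES = ["puppeteer", "bignumber.js", "ethers"];

// Optimal-string-alignment (Damerau-Levenshtein) distance: counts insertions,
// deletions, substitutions and adjacent transpositions, which are the edits a
// typosquatted name typically differs by.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Classify a requested name: exact match is "known", a name within two edits of
// a known package but not equal to it is "suspicious", anything else "unrelated".
function checkPackageName(name, known = KNOWN_PACKAGES) {
  const lower = name.toLowerCase();
  if (known.includes(lower)) return { name, verdict: "known", closest: lower, distance: 0 };
  let best = null;
  for (const candidate of known) {
    const distance = editDistance(lower, candidate);
    if (best === null || distance < best.distance) best = { closest: candidate, distance };
  }
  const verdict = best.distance <= 2 ? "suspicious" : "unrelated";
  return { name, verdict, ...best };
}

// Constructed sample of names as they might appear in a dependency list.
const SAMPLE_NAMES = ["puppeteer", "puppeter", "pupeteer", "react"];
for (const n of SAMPLE_NAMES) console.log(JSON.stringify(checkPackageName(n)));
```

Run it before `npm install` against the names in a lockfile diff; a "suspicious" verdict is a prompt to look the package up by hand, not proof of malice.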
NPM Provenance: The Missing Security Layer in Popular JavaScript Libraries
Google’s Big Sleep LLM agent discovers exploitable bug in SQLite
Google has used a large language model (LLM) agent called “Big Sleep” to discover a previously unknown, exploitable memory flaw. The Google researchers reported the issue to SQLite, which fixed the problem the same day, on Oct. 9, 2024. The researchers noted that because the flaw was in a development version of the database engine, it never made its way into the official release or impacted SQLite users.
The Big Sleep team noted that the agent has the potential to discover bugs that are more difficult to find using typical fuzzing techniques, saying that attempts to rediscover the SQLite flaw using fuzzing did not result in a discovery after 150 CPU hours of testing. They noted that this is most likely due to limitations in the configuration of the fuzzing harnesses available for SQLite and the fact that the tool traditionally used for SQLite fuzzing – American Fuzzy Lop (AFL) – has "reached a natural saturation point" after long-time use.
However, the team emphasized that Big Sleep remains “highly experimental” and that they believe a target-specific fuzzer “would be at least as effective” at detecting vulnerabilities as the AI agent in its current state.
DEV
Stop Using Try-Catch: A Better Way to Handle Errors in JavaScript
Meet the Safe Assignment Operator (?=), an upcoming feature that promises to make error handling in JavaScript simpler, cleaner, and easier to manage.
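The proposal's core idea is that an expression evaluates to an `[error, value]` tuple instead of throwing. The helper below emulates that shape in today's JavaScript so the pattern can be tried before the operator ships; it is an added example, not the proposal's own implementation, and the `safe`, `safeAsync` and `parseConfig` names are assumed here.

```javascript
// Emulates the tuple shape the proposed `?=` operator would yield for a
// synchronous expression: [null, value] on success, [error, null] on throw.
function safe(fn) {
  try {
    return [null, fn()];
  } catch (error) {
    return [error, null];
  }
}

// Same shape for a promise (or a function returning one): rejection becomes
// the first tuple element instead of an unhandled rejection.
async function safeAsync(promiseOrFn) {
  try {
    const value = typeof promiseOrFn === "function" ? await promiseOrFn() : await promiseOrFn;
    return [null, value];
  } catch (error) {
    return [error, null];
  }
}

// Usage: parsing untrusted JSON. The failure path is handled at the call site
// without a try/catch block, which is the ergonomics the operator targets.
function parseConfig(text) {
  const [error, config] = safe(() => JSON.parse(text));
  if (error) return { ok: false, reason: error.name };
  if (config === null || typeof config !== "object") {
    return { ok: false, reason: "NotAnObject" };
  }
  return { ok: true, config };
}

// Constructed sample inputs.
console.log(parseConfig('{"retries": 3}'));   // ok: true
console.log(parseConfig("{retries: 3}"));     // ok: false, reason: SyntaxError
console.log(parseConfig("42"));               // ok: false, reason: NotAnObject
```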
VENDORS & PLATFORMS
Voted in America? This Site Doxed You
This site provides free public records access showing voting information, political party affiliation, home address, and household members with their voting history.
Access to public records is nothing new or unusual, and there are many data brokers providing this information to political campaigns, marketers, etc. The distinction here is that the information is available at no cost to anyone.
Justin Sherman, a Duke professor who studies data brokers: “Policymakers need to get with the times and recognize that data brokers digitizing, aggregating, and selling data based on public records -- which are usually considered 'publicly available information' and exempted from privacy laws -- has fueled decades of stalking and gendered violence, harassment, doxing, and even murder. Protecting citizens of all political stripes, targets and survivors of gendered violence, public servants who are targets for doxing and death threats, military service members, and everyone in between depends on reframing how we think about public records privacy and the mass aggregation and sale of our data.”
DataBreach.com Emerges as Alternative to HaveIBeenPwned
DataBreach[.]com is an alternative to Have I Been Pwned, which is mainly searchable via the user's email address. DataBreach[.]com is designed to do that and more. In addition to your email address, the site features an advanced search function to see whether your full name, physical address, phone number, Social Security number, IP address, or username are in Atlas Privacy's extensive library of recorded breaches. More categories will also be added over time.
Atlas Privacy has been offering its paid services to customers, such as police officers and celebrities, to protect bad actors from learning their addresses or phone numbers. In doing so, the company has also amassed over 17.5 billion records from the numerous stolen databases circulating on the internet, including in cybercriminal forums. As a public service, Atlas is now using its growing repository of stolen records to create a breach notification site, free of charge.
ChatGPT has a new vanity domain name, and it may have cost $15 million
HubSpot founder and CTO Dharmesh Shah purchased chat.com for $15.5 million in early 2023. Shah sold the domain to OpenAI for an undisclosed amount.
Staff can't code? No prob. Singapore superapp's LLM whips up apps for them
Grab has developed a tool, Spellvault, that allows its employees to build large language model (LLM) apps without coding.
The superapp claimed custom apps can be built in as little as five minutes. It gave two examples of groups that had developed tools. Its insurance division built a chatbot to provide information on policies, inquiries, and claims procedures, and its localization group developed a translation app. Spellvault operates on the front end through a three-step process. Users start by defining the model's task, such as assessing product initiatives for potential policy risks. Then they upload relevant data into the Knowledge Vault, a repository where Spellvault stores structured information. Finally, users can specify APIs if the model needs additional data from external sources.
LEGAL & REGULATORY
Law enforcement operation takes down 22,000 malicious IP addresses worldwide
An international coalition of police agencies has taken a major whack at criminals accused of running a host of online scams, including phishing, the stealing of account credentials and other sensitive data, and the spreading of ransomware. The operation, which ran from the beginning of April through the end of August, resulted in the arrest of 41 people and the takedown of 1,037 servers and other infrastructure running on 22,000 IP addresses. Synergia II, as the operation was named, was the work of multiple law enforcement agencies across the world, as well as three private cybersecurity organizations: Group-IB, Kaspersky, and Team Cymru. All three used the telemetry intelligence in their possession to identify malicious servers and made it available to participating law enforcement agencies. The law enforcement agencies conducted investigations that resulted in house searches, the disruption of malicious cyber activities, the lawful seizures of servers and other electronic devices, and arrests.
The three private security organizations helped identify 30,000 potentially malicious IP addresses. Follow-on investigations later concluded that roughly 76 percent of them were malicious, amounting to about 22,800. Authorities also seized 59 servers and 43 electronic devices, including laptops, mobile phones, and hard disks. The operation led to the arrest of 41 individuals, with 65 others still under investigation.
Canadian Man Arrested in Snowflake Data Extortions
At the end of 2023, malicious hackers learned that many large companies had uploaded huge volumes of sensitive customer data to Snowflake accounts that were protected with little more than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations. Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States.
Suspect arrested in Snowflake data-theft attacks affecting millions
UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024. In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.
A co-conspirator, John Binns, was arrested in June.
US regulator rejects bid to boost nuclear power to Amazon data center
Amazon purchased a 960-megawatt data center next to the Susquehanna power plant for $650 million earlier this year. Following the announcement, PJM sought to increase the amount of power running directly to the co-located data center. However, the move faced pushback from regional utilities, including Exelon and American Electric Power (AEP). “Co-location arrangements of the type presented here present an array of complicated, nuanced and multifaceted issues, which collectively could have huge ramifications for both grid reliability and consumer costs.”