Robert Grupe's AppSecNewsBits & AI 2024-12-14

UnitedHealth exposed chatbot, misconfigured AWS bucket, sensitive info in inbox, supply chain attacks, MS 365 security logging, VS Code tunnels, Cloudflare Tunnels, etc.

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
UnitedHealth's Optum left an AI chatbot, used by employees to ask questions about claims, exposed to the internet
Although the tool was hosted on an internal Optum domain and could not be accessed from its web address, its IP address was public and accessible from the internet and did not require users to enter a password.
Optum stated that Optum’s SOP chatbot “was a demo tool developed as a potential proof of concept” but was “never put into production and the site is no longer accessible. This tool does not and would never make any decisions, but only enable better access to existing SOPs. In short, this technology was never scaled nor used in any real way.” While the chatbot did not appear to contain or produce sensitive personal or protected health information, its inadvertent exposure comes at a time when its parent company, health insurance conglomerate UnitedHealth, faces scrutiny for its use of artificial intelligence tools and algorithms to allegedly override doctors’ medical decisions and deny patient claims. The chatbot was trained on internal Optum documents relating to SOPs for handling certain claims, which can help Optum employees answer questions about claims and their eligibility to be reimbursed. The Optum documents were hosted on UnitedHealthcare’s corporate network and inaccessible without an employee login, but are cited and referenced by the chatbot when prompted about their contents. Some of the files that the chatbot references cover handling the dispute process and eligibility screening. The chatbot also produced responses that showed, when asked, reasons for typically denying coverage. The chat history also showed several attempts by employees to “jailbreak” the chatbot by making it produce answers that are unrelated to the chatbot’s training data. When asked to “write a poem about denying a claim,” the chatbot produced a seven-paragraph stanza.
[rG: Ooops, another unauthorized access of a UH app, but this time demonstrating a lack of application development DevSecOps release management control. Theoretically, this chatbot wouldn’t have exposed any information that isn’t already available to customers through publicly published policy information, but that would depend on how well the training data boundaries are controlled and potential ML hallucination drifts. Getting access to this sort of chatbot is going to be a boon for competitive market research analysts and adversarial legal discovery teams.]

 

Japanese publisher Kadokawa paid $3 million to Russia-linked hacker group after cyberattack
The hackers claimed to have stolen and encoded data, including personal and financial information, amounting to 1.5 terabytes. On June 8, servers located in Kadokawa group's data center experienced a significant cyberattack, including ransomware, targeting the major video streaming website niconico and related services operated by the publishing firm. On June 13, the hackers demanded Kurita pay $8.25 million; Kurita replied that he had taken on a risk by negotiating with the hackers without informing the board of directors, and that he was unable to pay more than $3 million due to strict compliance measures following bribery scandals concerning the Tokyo Olympics. The hackers told Kurita they would only agree to delete the stolen data if they received $2.98 million within 48 hours. That day, 44 Bitcoins worth approximately $2.98 million were paid.
[rG: Interesting that the hackers were willing to adjust their demands to accommodate the victim's legal constraints. This might result in other countries attempting to define some ‘reasonable’ allowable amounts that would be more in line with a bug bounty reward as a way to placate financially motivated attackers and limit business operational impacts.]

 

Crooks stole AWS credentials from misconfigured sites then kept them in open S3 bucket
In addition to stealing AWS customer keys and secrets, the digital looters were looking to uncover database credentials, Git credentials and source code, SMTP info for sending emails, Twilio keys for SMS, cPanel and SSH credentials, Cryptopay and CoinPayment keys, Sendgrid email credentials, plus Google, Facebook, and Binance account secrets. The crooks would have gotten away with it, if it weren't for an ironic twist. The criminals stored the victims' data, more than 2 TB total, in an open S3 bucket misconfigured by its owner. First, the attackers used a series of scripts and open source tools including Project Discovery's red-teaming software to scan 26.8 million IP addresses belonging to AWS. Then they used the publicly available Shodan to perform reverse lookups on the IP addresses and get the domain names associated with each one. The crooks also analyzed the SSL certificates served by each IP to further extend their list of domains. After determining their targets, the criminals began the real scanning process, looking for exposed generic endpoints such as environment (.env) files, configuration files, and exposed git repositories, and then categorizing by system or framework, such as Laravel, WordPress, Yii, etc. Once a system was categorized, a special set of tests was performed on it, attempting to extract database access information, keys, passwords, and more from product-specific endpoints. In instances where they wanted more than just the exposed information, the criminals used known exploits to install remote shells and thus dig deeper for sensitive info. After verifying the exposed AWS customer credentials, the crooks hunted for privileges on key AWS services including IAM, which is a jackpot for criminals because keys with IAM privileges can be exploited to create additional administrator users.
They also checked for privileges on Amazon's SES email and SNS notification services, which can be abused to send fraudulent and phishing messages, as well as S3 buckets, which allow criminals to steal sensitive data belonging to organizations and their customers. AWS, for its part, states that all of its services "are operating as expected," and that the credential and data stealing campaign doesn't present a security hole that the cloud giant needs to plug. The misconfigured storage bucket also indicates that people – criminals included – still have a difficult time understanding the shared responsibility model between cloud providers and their customers.
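The open bucket in this story is the kind of misconfiguration that can be caught before it ships by evaluating the bucket policy offline. The following is an added example written for this newsletter, not code from AWS or from the researchers cited above: it flags Allow statements whose Principal is everyone and that carry no Condition, and checks that all four Block Public Access settings are on. The policy documents are constructed samples; the bucket and account identifiers in them are placeholders.

```python
"""Flag S3 bucket policies that grant read or list access to everyone.

Added example; not AWS code. Evaluates a bucket policy document offline,
the way you would in a pipeline check before applying it.
"""
import fnmatch
import json

# Actions that expose data when granted to anyone. Policy actions may be
# wildcards ("s3:*", "s3:Get*"), so they are matched as patterns against these.
SENSITIVE_ACTIONS = ("s3:getobject", "s3:listbucket")

# Constructed sample: one statement restricted to a role (fine) and one
# that opens the bucket to anonymous readers (the misconfiguration).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},  # placeholder account
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "OopsPublic",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
    ],
})

# Constructed sample: open principal, but narrowed to one VPC endpoint by a Condition.
SAMPLE_POLICY_VPC_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},  # placeholder
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True when the Principal element matches every caller, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def _is_sensitive(action: str) -> bool:
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a, pattern) for a in SENSITIVE_ACTIONS)


def find_public_statements(policy_json: str) -> list:
    """Return (Sid, sensitive actions) for unconditional Allow statements open to anyone."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # narrowed by a condition; still worth a manual review
        actions = [a for a in _as_list(stmt.get("Action", [])) if _is_sensitive(a)]
        if actions:
            findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def public_access_block_is_complete(config: dict) -> bool:
    """All four PublicAccessBlock settings must be True to override a policy like OopsPublic."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


if __name__ == "__main__":
    for sid, actions in find_public_statements(SAMPLE_POLICY):
        print(f"PUBLIC: statement {sid} allows {', '.join(actions)} to anyone")
    print("VPC-only policy findings:", find_public_statements(SAMPLE_POLICY_VPC_ONLY))
    print("Block Public Access complete:", public_access_block_is_complete({"BlockPublicAcls": True}))
```

The policy check is deliberately conservative: a statement with a Condition is skipped rather than flagged, because conditions such as aws:SourceVpce or aws:PrincipalOrgID legitimately narrow a wildcard principal, but those statements still deserve a human read.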

 

One email to expose them all: single user breach exposes data of 11K children 
Attackers targeted Datavant, a health IT company, with a phishing attack. While few fell for the trick, it took only one compromised email to expose the sensitive records of thousands of minors. In early May of 2024, several Datavant users were targeted with an email phishing attack. While the company caught the intrusion on the same day, a subsequent investigation revealed that thousands were exposed. An unauthorized individual(s) gained access between May 8th, 2024, and May 9th, 2024 to certain Datavant data contained in a single user’s mailbox. Datavant claims to work with 70,000 hospitals and clinics, enabling “60 million healthcare records to move between them.”
[rG: If sensitive information must be in emails, it should only be done using strongly encrypted attachments with out-of-band shared decryption secrets differing from user credentials.]

 

Critical WordPress plugin vulnerability under active exploit threatens thousands
CVE-2024-11972 is found in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability carries a severity rating of 9.8 out of a possible 10. The exploit allowed the hackers behind the attack to cause vulnerable sites to automatically navigate to wordpress[.]org and download WP Query Console, a plugin that hasn’t been updated in years. The attackers then exploited a vulnerability in the latter plugin that allowed them to execute malicious code. The WP Query Console vulnerability, tracked as CVE-2024-50498, carries a severity score of 10 and remains unpatched. The WP Query Console page on wordpress[.]org says that the plugin was made temporarily unavailable as of October pending review. The hackers behind the attacks were able to get their exploit to download the years-old WP Query Console plugin anyway, because they used a special wordpress[.]org URL that overrode the block. Within the week, less than 12 percent of users had installed the patch, meaning nearly 9,000 sites could be next to be targeted.

 

Amazon pauses $1bn Microsoft 365 rollout following Russian security concerns 
The delay reflects growing concern surrounding the security of cloud-based tools amid rising cyber threats, particularly as nations like Russia and China increase retaliation against Western restrictions like US chip sanctions. The delay follows Russian hacker group Midnight Blizzard’s breach of Microsoft’s systems, which the company disclosed in January 2024. Amazon said: “At that time still, Microsoft wasn’t able to tell us if they had gotten the [hackers] out of their environment. We wanted to make sure that everything was logged, and that we had access to that logging in near-real time.” Amazon asked Microsoft to make some changes to its software to protect against unauthorized access, including more detailed user activity tracking within the apps. Although some progress is believed to have been made, Amazon has yet to announce a new deployment timeline, saying only, “We believe we’re in a good place to start redeployment next year.”
[rG: Security event logging is fundamental to good application security best practices and needs to be part of SSDLC design and implementation reviews, so that suspicious or malicious use can be alerted on, monitored and investigated.]

 

  • Cleo Multiple Products Unrestricted File Upload Vulnerability: can lead to remote code execution with elevated privileges.

  • Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability: allows a local attacker to escalate privileges. 

 

HACKING
Chinese hackers use Visual Studio Code tunnels for remote access
VSCode tunnels are part of Microsoft's Remote Development feature, which enables developers to securely access and work on remote systems via Visual Studio Code. Developers can also execute commands and access the file system of remote devices. The tunnels are established using Microsoft Azure infrastructure, with executables signed by Microsoft, providing trustworthy access. This enables the threat actors to remotely connect to the breached device via a web interface (browser), authenticating with a GitHub or Microsoft account. Because traffic to VSCode tunnels is routed through Microsoft Azure and all involved executables are signed, there's nothing in the process to raise alarms by security tools. Defenders are advised to monitor for suspicious VSCode launches, limit the use of remote tunnels to authorized personnel, and use allowlisting to block the execution of portable files like code.exe. Finally, it's advisable to inspect Windows services for the presence of 'code.exe,' and look for unexpected outbound connections to domains like *.devtunnels[.]ms in network logs. One such attack took place between June and July 2024. Evidence weakly points to STORM-0866 or Sandman APT, but the exact threat actor responsible remains unknown. The hackers achieved initial access to the target systems using the automated SQL injection exploitation tool 'sqlmap' against internet-facing web and database servers. Once they established access, they deployed a PHP-based webshell called PHPsert, which allowed them to execute commands remotely or introduce additional payloads. For lateral movement, the attackers used RDP and pass-the-hash attacks, specifically a custom version of Mimikatz ('bK2o.exe'). On breached devices, the hackers deployed a portable, legitimate version of Visual Studio Code ('code.exe') and used the 'winsw' tool to set it as a persistent Windows service.
Next, they configured VSCode with the tunnel parameter, enabling it to create a remote-access development tunnel on the machine.

 

Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels
Cloudflare offers the tunneling service for free with the use of the TryCloudflare tool. The tool allows anyone to create a tunnel using a randomly generated subdomain of trycloudflare[.]com and have all requests to that subdomain proxied through the Cloudflare network to the Web server running on that host. The advanced persistent threat (APT) attacker then uses the concealed infrastructure to mount HTML smuggling attacks that bypass email security systems, along with employing DNS fast-fluxing, which makes it more difficult to disrupt BlueAlpha’s command-and-control (C2) communications, Insikt Group researchers noted, and in the end delivers the GammaDrop malware, which enables data exfiltration, credential theft, and backdoor access to networks. To protect against such attacks, the recommended mitigations are:

  • Beef up email security to block HTML smuggling techniques

  • Flag attachments with suspicious HTML events

  • Use application control policies to block malicious use of mshta.exe and untrusted .lnk files

  • Set up network rules to flag requests to trycloudflare[.]com subdomains
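Both the VS Code tunnel item and the TryCloudflare item above end with the same two detection recommendations: inspect Windows services for code.exe, and flag outbound requests to the tunnel providers' domains. The following is an added example written for this newsletter, not code from the researchers either item cites, that applies both checks to exported telemetry. The service list and the proxy log are constructed sample data, and the log's field layout (timestamp, client, user, method, URL, status) is an assumption rather than any specific product's format.

```python
"""Hunt for developer-tunnel abuse in host and network telemetry.

Added example; not code from the researchers cited in the items above.
Two checks: code.exe registered as a Windows service, and outbound
requests whose host falls under devtunnels.ms or trycloudflare.com.
"""
import ntpath
import re
from urllib.parse import urlsplit

# Tunnel domains named in the reports. Legitimate developer use lands here too,
# so hits are leads to triage against who owns the client host, not verdicts.
TUNNEL_SUFFIXES = (".devtunnels.ms", ".trycloudflare.com")

# Binaries that have no business running as a persistent service.
WATCHED_BINARIES = {"code.exe"}

# Constructed: (service name, ImagePath) pairs as exported from the Services hive.
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("WinDefend", r'"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"'),
    ("updatesvc", r'"C:\Users\Public\tools\code.exe" tunnel'),  # winsw-style persistence
]

# Constructed proxy log: timestamp client user method url status
SAMPLE_PROXY_LOG = """\
2024-07-01T10:02:11Z ws042 alice GET https://marketplace.visualstudio.com/items 200
2024-07-01T10:03:54Z srv-db1 SYSTEM CONNECT https://brave-owl-1234.devtunnels.ms:443 200
2024-07-01T10:04:20Z ws017 bob GET https://www.cloudflare.com/products/tunnel/ 200
2024-07-01T10:05:02Z ws017 bob GET https://quiet-river-abc.trycloudflare.com/index.html 200
2024-07-01T10:06:45Z ws042 alice GET https://example.com/devtunnels.ms.png 200
"""

# First token of an ImagePath: a quoted path, or an unquoted run up to the first space.
_IMAGE_PATH_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def service_binary(image_path: str) -> str:
    """Lower-cased file name of the executable an ImagePath launches."""
    m = _IMAGE_PATH_RE.match(image_path)
    exe = (m.group(1) or m.group(2)) if m else image_path
    return ntpath.basename(exe).lower()


def suspicious_services(services) -> list:
    """Services whose executable is on the watch list, e.g. code.exe persisted via winsw."""
    return [(name, path) for name, path in services
            if service_binary(path) in WATCHED_BINARIES]


def tunnel_connections(log_text: str) -> list:
    """(timestamp, client, hostname) for requests to tunnel domains.

    Matching is done on the parsed hostname only, so a URL path that merely
    contains 'devtunnels.ms' (last sample line) does not fire.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; a real pipeline would count these
        host = urlsplit(fields[4]).hostname or ""
        if host.endswith(TUNNEL_SUFFIXES):
            hits.append((fields[0], fields[1], host))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_services(SAMPLE_SERVICES):
        print(f"service {name!r} runs a watched binary: {path}")
    for ts, client, host in tunnel_connections(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host}")
```

The service check keys on the executable's file name rather than the service name, since the attackers in the report chose an innocuous service name; the network check keys on the parsed hostname, since a substring match on the whole URL would fire on unrelated paths.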

 

Yearlong supply-chain attack targeting security pros steals 390K credentials
The campaign first came to light when Checkmarx recently discovered @0xengine/xmlrpc, a package that had circulated on the NPM JavaScript repository since October 2023. @0xengine/xmlrpc began as a benign package offering a JavaScript implementation of the widely used XML-RPC protocol and client implementation for Node.js. Over time, the package slowly and strategically evolved into the malware it is today. A significant change eventually introduced heavily obfuscated code hidden in one of its components. In its first 12 months, @0xengine/xmlrpc received 16 updates, giving developers the impression it was a benign and legitimate code library that could be trusted in sensitive environments. Further adding to the impression of legitimacy, several of the malicious packages are automatically included in legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites included the malicious packages in proof-of-concept repositories for the vulnerabilities the packages claimed to exploit. Reports from both Checkmarx and Datadog include indicators people can use to check if they've been targeted.
[rG: Illustrating that SAST vulnerability scanning needs to be run regularly on previously deployed software production releases, so that newly discovered vulnerabilities can be identified, investigated for potential abuse, and quickly remediated.]

 

Open source maintainers are drowning in junk bug reports written by AI
Seth Larson, security developer-in-residence at the Python Software Foundation, raised the issue in a blog post last week, urging those reporting bugs not to use AI systems for bug hunting. "Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects," he wrote, pointing to similar findings from the Curl project in January. "These reports appear at first glance to be potentially legitimate and thus require time to refute." Larson argued that low-quality reports should be treated as if they're malicious. As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he's still confronted by "AI slop" – and wasting his time arguing with a bug submitter who may be partially or entirely automated. While the open source community mulls how to respond, Larson asks that bug submitters not submit reports unless they've been verified by a human – and don't use AI, because "these systems today cannot understand code." He also urges platforms that accept vulnerability reports on behalf of maintainers to take steps to limit automated or abusive security report creation.

 

  1. DO NOT: Store Secrets as Plain Text: inside our code (or configuration files, CI/CD pipeline definitions, etc.).

  2. Store Secrets in CI/CD Systems

  3. Use a Secret Manager with CI/CD Workflows
    3.1 DO NOT: Use Long-Lived Tokens
    3.2 DO: Short-Lived Tokens with OIDC
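The first item on this checklist is the one most often violated by accident: a key pasted into a pipeline file or config "just for now". The following is an added example written for this newsletter, not code from the article's author, showing a small pre-commit style scanner for plain-text secrets beside the pattern the checklist recommends instead, reading the secret from the environment the CI system or secret manager injects. Both sample files are constructed; the AWS key pair in them is the placeholder pair AWS uses in its own documentation, not a live credential, and the regexes are this example's own, not a specific tool's rule set.

```python
"""Catch secrets committed as plain text; read them from the environment instead.

Added example; not code from the article's author or from any secret-scanning product.
"""
import os
import re

SECRET_PATTERNS = {
    # Long-term IAM user access key IDs are 20 characters beginning with AKIA.
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A value of 8+ characters assigned to a name containing a secret-like word.
    # The lookbehind lets the word sit inside an identifier such as AWS_SECRET_ACCESS_KEY.
    "assigned-secret": re.compile(
        r"(?i)(?<![a-z0-9])(secret|password|passwd|token|api[_-]?key)[a-z0-9_]*"
        r"\s*[:=]\s*['\"]?(?P<val>[^\s'\"]{8,})"
    ),
}

# Values that reference a secret store or the environment rather than holding a secret.
REFERENCE_PREFIXES = ("$", "os.environ", "process.env", "secrets.", "vault:")

# Constructed sample files: a pipeline definition with two pasted keys and one
# proper reference, and a settings module that reads from the environment.
SAMPLE_FILES = {
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        '  AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}\n"
    ),
    "config/settings.py": (
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        "TIMEOUT = 30\n"
    ),
}


def scan_text(path: str, text: str) -> list:
    """Return (path, line number, pattern name) for each plain-text secret found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.groupdict().get("val", m.group(0))
                if value.startswith(REFERENCE_PREFIXES):
                    continue  # ${{ secrets.X }}, os.environ[...] and the like are fine
                findings.append((path, lineno, name))
                break  # one finding per pattern per line is enough
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents, as a pre-commit hook would over staged files."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def load_secret(name: str, env=None) -> str:
    """Fetch a secret injected at run time; fail loudly rather than fall back to a default."""
    env = os.environ if env is None else env
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"secret {name} was not provided in the environment") from None


if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {name}")
```

The reference allowlist is what keeps the scanner usable: the same regex that catches a pasted password would otherwise flag every correct use of a secret manager or an environment lookup, and a noisy hook gets disabled.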

 

OWASP Mobile Top 10 2024: Final Release Updates
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography

 

  1. Security engineering

  2. Risk assessment, analysis, and management

  3. Application security

  4. Security analysis

  5. Governance, risk management, and compliance (GRC)

  6. Artificial intelligence / machine learning

 

 

VENDORS & PLATFORMS
Microsoft Recall screenshots credit cards and Social Security numbers, even with the "sensitive information" filter enabled
When I entered a credit card number and a random username / password into a Windows Notepad window, Recall captured it, despite the fact that I had text such as “Capital One Visa” right next to the numbers. Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that. I also created my own HTML page with a web form that said, explicitly, “enter your credit card number below.” The form had fields for Credit card type, number, CVC and expiration date. I thought this might trigger Recall to block it, but the software captured an image of my form filled out, complete with the credit card data. On the bright side, Recall refused to capture the credit card fields when I went to the payment pages of two online stores – Pimoroni and Adafruit. In both cases, it only captured either the screens before and after the credit card entry form or a blank form. The only way I could view Recall screenshots was by using the Recall app to either search my timeline or browse it. Every time I opened the Recall app, I was asked to use a Windows Hello facial login. And the first time I opened the app, it insisted that I set up a Windows Hello biometric login using either my face or fingerprint. However, Windows Hello also allowed me to log in with a 4-digit PIN. So, if a bad actor has access to your computer and knows your PIN, they could view Recall bypassing the biometric security checks. They don’t even need physical access to the PC. I was able to access the Recall app and view the timeline on a remote computer by using TeamViewer, a popular remote access application.

 

Microsoft enforces defenses preventing NTLM relay attacks
The response by the client to the server’s challenge involves the use of the hash of the user’s password as an encryption key – and it’s that hash of the user’s login credentials that attackers can misuse. NTLM relay attacks allow attackers to send on the NTLM hash without needing to decrypt it and extract the user’s password. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Since making Kerberos the default Windows authentication protocol in 2000, Microsoft has been working on eventually retiring NTLM, its less secure and obsolete counterpart.
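Retiring NTLM in an environment starts with knowing who still uses it. The following is an added example written for this newsletter, not Microsoft code, that summarises Windows Security event 4624 (successful logon) records already normalised into dicts the way a SIEM exposes them, using the event's real field names AuthenticationPackageName, LmPackageName and LogonType. It reports which accounts and hosts authenticate over NTLM on network logons, the logon type a relayed authentication shows up as, and which are still negotiating NTLMv1. The records are constructed sample data.

```python
"""Audit which successful logons still depend on NTLM.

Added example; not Microsoft code. Input is a list of 4624 events as dicts.
"""
from collections import Counter

# Constructed 4624/4634 records with the relevant fields only.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "WorkstationName": "WS042",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "WorkstationName": "SRV-DB1",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "TargetUserName": "legacyapp", "WorkstationName": "OLDBOX",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "TargetUserName": "bob", "WorkstationName": "WS017",
     "LogonType": 2, "AuthenticationPackageName": "Negotiate", "LmPackageName": "-"},
    {"EventID": 4634, "TargetUserName": "alice", "WorkstationName": "WS042",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},  # logoff, ignored
]


def package_counts(events) -> dict:
    """Successful logons per authentication package; a quick gauge of NTLM dependence."""
    return dict(Counter(e["AuthenticationPackageName"]
                        for e in events if e.get("EventID") == 4624))


def ntlm_network_logons(events) -> list:
    """(user, workstation, NTLM version) for network (type 3) logons that used NTLM.

    Network logons are the ones a relayed authentication appears as, so these
    accounts and hosts are the first to migrate to Kerberos or to cover with
    SMB/LDAP signing and Extended Protection.
    """
    out = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("AuthenticationPackageName") != "NTLM":
            continue
        if e.get("LogonType") != 3:
            continue
        out.append((e["TargetUserName"], e["WorkstationName"], e.get("LmPackageName", "-")))
    return out


def ntlmv1_users(events) -> list:
    """Accounts still negotiating NTLMv1, which should be disabled outright."""
    return sorted({u for u, _, ver in ntlm_network_logons(events) if ver == "NTLM V1"})


if __name__ == "__main__":
    print("logons by package:", package_counts(SAMPLE_EVENTS))
    for user, host, ver in ntlm_network_logons(SAMPLE_EVENTS):
        print(f"NTLM network logon: {user} from {host} ({ver})")
    print("NTLMv1 users:", ntlmv1_users(SAMPLE_EVENTS))
```

Run over a week of domain controller and file server logs, the NTLM list usually comes down to a handful of service accounts and legacy hosts, which is the scope to fix before turning on the enforced relay protections described above.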

 

Firefox ditches Do Not Track because nobody was listening anyway
When Firefox 135 is released in February, it'll ship with one less feature: Mozilla plans to remove the Do Not Track toggle from its Privacy and Security settings. “Many sites do not respect this indication of a person's privacy preferences, and, in some cases, it can reduce privacy," Mozilla said on the updated DNT support page. It directs users to instead make use of the newer Global Privacy Control feature also present in the browser. The World Wide Web Consortium (W3C) never managed to get DNT made official thanks to industry lobbying that stalled its development, leaving it a purely optional measure that no one had to actually pay attention to. California's Consumer Privacy Act and the EU's General Data Protection Regulation both include requirements that companies respect an individual's desire not to have their data shared or sold, and while there's no national privacy law in the US, the need to conform with EU and California standards means many companies go the cautious route by default. That's not to say there's any guarantee that anyone will actually respect GPC, which on its face functions very similarly to DNT, with user preferences for both simply expressed as a binary option in an HTTP header or DOM property.

 

FCC throws open 6 GHz band to unlicensed low-power gizmos
This 1,200 MHz of unlicensed bandwidth offers a mix of high capacity and low latency that is absolutely prime for immersive, real-time applications. These are the airwaves where we can develop wearable technologies and expand access to augmented and virtual reality in ways that will provide new opportunities in education, healthcare, and entertainment. All this applies only inside the US, as the 6 GHz frequency band is allocated differently elsewhere. In the UK, for example, the lower 6 GHz band (5,925-6,425 MHz) is available for license-exempt use for technologies such as Wi-Fi, while the upper 6 GHz band (6,425-7,125 MHz) is to be shared with cell networks. China last year earmarked the upper 6 GHz band exclusively for 5G and 6G services.
[rG: This might make international travel with such devices problematic for designers or users.]

 

LEGAL & REGULATORY
What the EU’s new software legislation means for developers
In 3 years, all obligations of the EU Cyber Resilience Act (CRA) will be fully applicable, with vulnerability reporting obligations applying already from September 2026. Even with the clarifications added during the legislative process, many open source developers still struggle to make sense of whether they’re covered or not. If you think your open source activities may fall within the scope of the CRA (either as a manufacturer or as a steward). While it’s good news that some classes of open source developers will face minimal obligations, that probably won’t stop some companies from contacting projects about their CRA compliance. In the best case, this will lead to constructive conversations with companies taking responsibility for improving the cybersecurity of open source projects they depend upon.

 

 

American cops are using AI to draft police reports, and the ACLU isn't happy
The American Civil Liberties Union published a report this week detailing its concerns with law enforcement tech provider Axon's Draft One, a ChatGPT-based system that translates body camera recordings into drafts of police reports that officers need only edit and flesh out to ostensibly save them time spent on desk work. Concerns include the unreliability and biased nature of AI, evidentiary and memory issues when officers resort to this technology, and issues around transparency. The ACLU also points out privacy issues with using a large language model to process body camera footage: That's sensitive police data, so who exactly is going to be handling it? After all, if we can't even trust AI to write something as legally low-stakes as news or a bug report, how can we trust it to do decent police work?

 

Bitfinex heist gets the Netflix treatment after 'cringey couple' sentenced
Biggest Heist Ever covers the story of Ilya Lichtenstein and Heather Morgan, described in the trailer as the "cringey couple" that pulled off a massive digital heist of nearly 120,000 Bitcoin eight years ago. At the time, the stolen tokens were worth around $69 million, although at today's exchange rate, the sum would be north of $11 billion. Spoiler alert: They didn't get away with it. Lichtenstein was sent to prison last month for 5 years for masterminding the plot after leaving a marketing startup on bad terms with his co-founder. The court ruled that he roped in Morgan, his girlfriend at the time who he later married in 2019. She was also found guilty of money laundering and fraud charges, and was sentenced to 18 months in prison after already serving 33 months under house arrest.

 

 

And Now For Something Completely Different …
Here's Who Owns U.S. Debt