- Robert Grupe's AppSecNewsBits
- Posts
- Robert Grupe's AppSecNewsBits 2024-01-06
Robert Grupe's AppSecNewsBits 2024-01-06
Robert Grupe
January 06, 2024
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
A “ridiculously weak” password causes disaster for Spain’s No. 2 mobile carrier
The password came to light after the party, using the moniker Snow, posted an image to social media that showed the orange.es email address associated with the RIPE account. Security firm Hudson Rock plugged the email address into a database it maintains to track credentials for sale in online bazaars. In a post, the security firm said the username and “ridiculously weak” password were harvested by information-stealing malware that had been installed on an Orange computer since September. The password was then made available for sale on an infostealer marketplace.
Once logged into Orange’s RIPE account, Snow made changes to the global routing table the mobile operator relies on to specify what backbone providers are authorized to carry its traffic to various parts of the world.
“Things got ugly” when Snow published four new ROAs that contained “bogus origins,” meaning origins that had no connection to Orange. As a result, the number of routes that originated from the Orange AS dropped from roughly 9,200 to 7,400, as a relatively new BGP protection known as RPKI—short for Resource Public Key Infrastructure—prompted many backbone carriers to reject the announcements. In effect, Snow had weaponized this protection to create a denial of service for Orange subscribers.
Mandiant spent several hours trying to regain control of its account on X (formerly known as Twitter) on Wednesday after an unknown scammer hijacked it and used it to spread a link that attempted to steal cryptocurrency from people who clicked on it.
The hacked Mandiant account was initially used to masquerade as one belonging to Phantom, a company that offers a wallet for storing cryptocurrency. Posts on X encouraged people to visit a malicious website to see if their wallet was one of 250,000 that were eligible for an award of tokens. Over several hours, X employees played tug-of-war with the unknown scammer, with scam posts being removed only to reappear, according to people who followed the events.
Eventually, the scammer changed the @mandiant username and reappeared under a new username. After using the account to promote a fake website impersonating Phantom and promising free tokens, it posted the cryptic message: “check bookmarks when you get account back.” It also chided Mandiant to “change password please.”
Many questions remain about Mandiant's measures to secure its X account. Among them: Was it protected by a strong password and any form of two-factor authentication? Last month, someone claimed to have discovered the social media site was vulnerable to a “reflected XSS,” a type of vulnerability that can sometimes be used to compromise the security of accounts when a legitimate user currently logged in clicks on a malicious link in a different browser tab. The user said they reported the vulnerability through legitimate channels but that the submission didn’t qualify under the X bug bounty program.
San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023.
Orrick said that the breach of its systems involved its clients’ data, including individuals who had vision plans with insurance giant EyeMed Vision Care and those who had dental plans with Delta Dental, a healthcare insurance network giant that provides dental coverage to millions of Americans. Orrick also said it notified health insurance company MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon) and the U.S. Small Business Administration that their data was also compromised in Orrick’s data breach.
Orrick said the stolen data includes consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information — such as the date and costs of services — and healthcare insurance numbers and provider details.
Orrick said that the breach includes online account credentials and credit or debit card numbers.
ms-appinstaller protocol handler is being disabled by Microsoft once again
Apparently, the threat actors are creating malicious fake ads for legitimate and popular software, to redirect the victims to websites under their control. There, they trick them into downloading malware. A second distribution vector is phishing through Microsoft Teams.
Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.
What may have started as a simple prank, ended up having bigger repercussions for all authors across the npm ecosystem.
The package is quite aptly named as downloading "everything" will gradually pull in every single npm package that's ever been published to the npmjs.com registry onto your computer, potentially making it run out of storage.
Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of npm's policy.
Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can't do it if other packages are using it. The problem is, since 'everything' relies on every package (including yours), your package gets stuck, and there's some unknown package preventing you from removing it.
Ironically, this policy has also left PatrickJS, the author of "everything," unable to easily remove his prank packages, given the extensively long dependency chain he has setup.
While "everything" continues to live on the registry, the thousands of "@everything-registry" scoped packages used by it have now been made private, potentially resolving the issue.
Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired.
Information-stealing malware operations are abusing a Google OAuth "MultiLogin" API endpoint to generate new, working authentication cookies when a victim's original stolen Google cookies expire.
These tokens include any authentication cookies for Google sites and a special token that can be used to refresh, or generate, new authentication tokens.
Google believes the API is working as intended and and that no vulnerability is being exploited by the malware.
Google's solution to this issue is simply having users log out of their Chrome browser from the affected device or kill all active sessions via g.co/mydevices. Doing so will invalidate the Refresh token and make it unusable with the API.
While the recommended steps will mitigate the impact of information-stealing malware infections, most people infected with this type of malware will not know when to do these steps.
When people are infected with information-stealing malware, they typically do not know until their accounts are accessed without permission and abused in some detectable manner.
For example, an employee for Orange España, the country's second-largest mobile phone provider, had their passwords stolen by information-stealing malware.
However, no one knew until stolen credentials were used to log into the company's RIPE account and modify their BGP configuration, causing a 50% performance hit and Internet outages for Orange customers. While Google says that they have detected those who were impacted by this API abuse and notified them, what happens for future victims?
A better solution would be to restrict access to this API in some manner to prevent abuse by the malware-as-a-service operations. Unfortunately, it does not seem like this is happening.
Electoral Commission hid details of a huge hack for a year, yet still tight-lipped
Samsung won’t say how many customers hit by year-long data breach
Hackers stole Shadow data, and Shadow went silent
Lyca Mobile refused to say what kind of cyberattack hit
MGM Resorts still hasn’t said how many customers had data stolen after hack
Dish breach may affect millions — potentially a lot more
CommScope late to tell its own employees that their data was stolen
HACKING
Remember the good old days when ransomware crooks vowed not to infect medical centers?
Extortionists are now threatening to swat hospital patients — calling in bomb threats or other bogus reports to the police so heavily armed cops show up at victims' homes — if the medical centers don't pay the crooks' ransom demands.
After intruders broke into Seattle's Fred Hutchinson Cancer Center's IT network in November and stole medical records – everything from Social Security numbers to diagnoses and lab results – miscreants threatened to turn on the patients themselves directly.
The idea being, it seems, that those patients and the media coverage from any swatting will put pressure on the US hospital to pay up and end the extortion. Other crews do similar when attacking IT service provider: they don't just extort the suppliers, they also threaten or further extort customers of those providers.
An October report from Ukraine's Computer Emergency Response Team (CERT-UA) revealed that Russian Sandworm hackers breached the networks of 11 Ukrainian telecom service providers since May 2023.
The threat actors breached Kyivstar's network in May 2023. They launched the attack months later, wiping thousands of virtual servers and computers and "completely" destroying "the core" of the telecoms operator.
"We destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems."
Following the incident, Kyivstar's mobile and data services went down, leaving most of its 25 million mobile and home internet subscribers without an internet connection.
Cyber Toufan appeared in November, and they’ve been very busy and very naughty boys. They actually set up their infrastructure around October, and started owning things apparently undetected.
They’re not a lame DDoS pretend hacktivist group like NoName016 — instead, they claim to be Palestinian state cyber warriors. (Might they be Iran? Who cares?). They target orgs with interests in Israel.
They’ve been wiping systems — a lot of them — and dumping stolen data online. Data they have published includes a complete server disk image, SSL certificates with private keys to a host of domains (which still haven’t been revoked and are still in use), SQL and CRM dumps.
Three of the victims are cybersecurity vendors, and I suspect they may have access to another larger infosec vendor that they haven’t disclosed.
They’ve caused so much damage that many of the orgs — almost a third, in fact, haven’t been able to recover. Some of these are still fully offline over a month later, and the wiped victims are a mix of private companies and Israeli state government entities.
A computer scientists team from Nanyang Technological University (NTU) of Singapore is unofficially calling the method a “jailbreak” but is more officially a “Masterkey” process. This system uses chatbots, including ChatGPT, Google Bard, and Microsoft Bing Chat, against one another in a two-part training method that allows two chatbots to learn each other’s models and divert any commands against banned topics.
With reverse-engineered LLM densive mechanisms, they can teach a different LLM how to create a bypass. With the bypass created, the second model will be able to express more freely, based on the reverse-engineered LLM of the first model. The team calls this process a “Masterkey” because it should work even if LLM chatbots are fortified with extra security or are patched in the future.
The exploit revolves around stealing victims' session tokens. That is to say, malware first infects a person's PC – typically via a malicious spam or a dodgy download, etc – and then scours the machine for, among other things, web browser session cookies that can be used to log into accounts.
Session cookies ideally expire frequently, something that can limit their usefulness in account takeover attacks. However, recent cases such as Okta's in October, which involved the theft of HAR files that often contain session cookies, have demonstrated that session hijackings are entirely practical and can lead to major security incidents.
Those session tokens are then exfiltrated to the malware's operators to enter and hijack those accounts. It turns out that these tokens can still be used to login even if the user realizes they've been compromised and change their Google password.
Google has confirmed that if you've had your session tokens stolen by local malware, don't just change your password: log out to invalidate those cookies, and/or revoke access to compromised devices.
Researchers from Technische Universität Berlin were able to unlock Tesla’s driving assistant by inducing a two-microsecond voltage drop on the processor which allowed root access to the Autopilot software. Referring to this as “Elon mode” since it drops the requirement for the driver to keep their hands on the steering wheel, they were able to access the full self-driving mode allowing autonomous driving without driver input. Although this might be a bad idea based on the performance of “full self-driving” in the real world, the hack at least demonstrates a functional attack point and similar methods could provide free access to other premium features.
In the long term, perhaps this may make strides towards convincing manufacturers that “features as a service” isn’t a profitable strategy.
The crux of SMTP smuggling is rooted in the inconsistencies that arise when outbound and inbound SMTP servers handle end-of-data sequences differently, potentially enabling threat actors to break out of the message data, "smuggle" arbitrary SMTP commands, and even send separate emails.
It borrows the concept from a known attack method referred to as HTTP request smuggling, which takes advantage of discrepancies in the interpretation and processing of the "Content-Length" and "Transfer-Encoding" HTTP headers to prepend an ambiguous request to the inbound request chain.
Specifically, it exploits security flaws in messaging servers from Microsoft, GMX, and Cisco to send emails spoofing millions of domains. Also impacted are SMTP implementations from Postfix and Sendmail.
While Microsoft and GMX have rectified the issues, Cisco said the findings do not constitute a "vulnerability, but a feature and that they will not change the default configuration." As a result, inbound SMTP smuggling to Cisco Secure Email instances is still possible with default configurations.
Zeppelin is a derivative of the Delphi-based Vega/VegaLocker malware family that was active between 2019 and 2022. It was used in double-extortion attacks and its operators sometimes asked for ransoms as big as $1 million.
Builds of the original Zeppelin ransomware were sold for up to $2,300 in 2021, after its author had announced a major update for the software.
The RaaS offered a relatively advantageous deal to affiliates, allowing them to keep 70% of the ransom payments, with 30% going to the developer.
APPSEC, DEVSECOPS, DEV
Though AI models have demonstrated utility for software development, they still get many things wrong. Attentive developers can mitigate these shortcomings but that doesn't always happen – due to ignorance, indifference, or ill-intent. And when AI is allowed to make a mess, the cost of cleanup is shifted to someone else.
While those submitting bug reports have begun using AI tools to accelerate the process of finding supposed bugs and writing up reports, those reviewing bug reports still rely on human review. The result of this asymmetry is more plausible-sounding reports, because chatbot models can produce detailed, readable text without regard to accuracy.
"A crap report does not help the project at all. It instead takes away developer time and energy from something productive. Partly because security work is considered one of the most important areas so it tends to trump almost everything else."
Socket has been using LLMs in conjunction with human reviewers to detect vulnerable malicious open source packages in the JavaScript, Python, and Go ecosystems. The human review is absolutely critical to reduce false positives. Without human review, the system has a 67 percent false positive rate. With humans in the loop, it’s closer to 1 percent.
Their work, titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST.AI.100-2), is part of NIST’s broader effort to support the development of trustworthy AI, and it can help put NIST’s AI Risk Management Framework into practice.
They must focus on generating malicious prompts, or inputs into the model, in addition to tests using more traditional code in order to test the system’s ability to produce harmful or inappropriate behavior. There are all sorts of ways to generate these types of malicious prompts — from subtly changing the prompts to simply pressuring the model into generating problematic outputs. The list of ways to effectively attack generative AI is long and growing longer every day.
Web Security Regression Testing CLI & SaaS for your build pipeline.
Although voice cloning has legitimate uses, such as personalized text-to-speech services and assistive tools for people with disabilities, threat actors can also use it for fraudulent activities like voice phishing, social engineering, and other types of voice-based scams.
By impersonating the voice of someone familiar to the target, like a family member or a celebrity, malicious actors can easily trick people into believing the claims made in a call or voice message.
The winning proposal will receive $25,000 and the runner-up will get $4,000. There are up to three honorable mentions, each awarded with $2,000.
VENDORS & PLATFORMS
Even though LastPass has repeatedly said that there is a 12-character master password requirement since 2018, users have had the ability to use a weaker one.
Starting this month, LastPass is now enforcing the 12-character master password requirement for all accounts.
Furthermore, LastPass added that it will also start checking new or updated master passwords against a database of credentials previously leaked on the dark web to ensure that they don't match already compromised accounts.
Microsoft has rolled out an app for its AI chatbot on iOS and iPadOS.
In addition to letting you ask questions, draft emails, and summarize text, you can also create images through an integration with the text-to-image generator DALL-E3.
Microsoft is adding a new key to PC keyboards for the first time since 1994
Microsoft says the Copilot key will debut in some PCs that will be announced at the Consumer Electronics Show this month. Surface devices with the revised keyboard layout are "upcoming."
The upcoming changes will take effect from February 22, 2024, after which users can no longer post, subscribe, or view new Usenet content through Google Groups.
"Over the last several years, legitimate activity in text-based Usenet groups has declined significantly because users have moved to more modern technologies and formats such as social media and web-based forums.
Much of the content being disseminated via Usenet today is binary (non-text) file sharing, which Google Groups does not support, as well as spam."
All Usenet content currently accessible on Google Groups should be available on the new servers selected by users, and once a new client and server are chosen, users can simply reselect their preferred groups to continue their engagement with Usenet content.
LEGAL
It is the second class action lawsuit accusing the mortgage corporation of not doing enough to protect the personally identifiable information (PII) of its customers in another recent class action lawsuit.
“Defendants claim that ‘[k]eeping financial information is one of [their] most important responsibilities[,]’ and ‘customer service, trust and confidence is a high priority,’ the new Mr. Cooper lawsuit says. “Despite these outward assurances, Defendants failed to adequately safeguard plaintiff’s and class members’ highly sensitive private information that it collected and maintained.”
The plaintiffs had alleged that Google violated federal wiretap laws and tracked users' activity using Google Analytics to collect information when in private mode.
Google attempted to get the lawsuit dismissed, pointing out the message it displayed when users turned on Chrome's incognito mode, which informs users that their activity might still be visible to websites you visit, employer or school, or their internet service provider.
It's worth noting here at this point that enabling incognito or private mode in a web browser only gives users the choice to search the internet without their activity being locally saved to the browser.
That said, websites using advertising technologies and analytics APIs can still continue to track users within that incognito session and can further correlate that activity by, for example, matching their IP addresses.
Basically, now all costs related to software R&D cannot be expensed, including labor for software development. These costs have to be capitalized and amortized over 5 years – or 15 if labor is done outside of the US.
Before Section 174, companies could choose how they categorized software developers, and could opt into deducting costs. This is what stable and highly profitable businesses like Google have done: for software products in production (and making money) it deducted developer costs over 5 years. For pre-launch projects, Google simply expensed those developers. This is the sensible way to run a software business, after all!
Redundancies might happen for cash flow purposes to replace in-house developers with vendors.
The tax change is very hostile to software developers employed abroad: their wages need to be deducted over 15 years. Unless a US company has massive cash reserves, it now makes no sense to remotely employ or contract with individual software developers.
Assuming there’s a choice to incorporate a startup in the US or somewhere else, then any other country makes so much more sense. Ever wondered why Google has such a large software engineering center in Switzerland – despite the high cost of software engineers within Europe? Switzerland has a very powerful research and development incentive: the country allows expensing 135% of R&D-related salaries in the year they are incurred.
And Now For Something Completely Different …
The use of cheap flying robots instead of humans to smuggle drugs across borders is a worldwide phenomenon.
Last week border officials in the Punjab region of India revealed they intercepted 107 drug-carrying drones sent by smuggling gangs last year over the border from Pakistan, the highest number on record.
Spanish police seized a massive drone with a wingspan of over four metres capable of carrying up to 150 kilograms (330 pounds) of cargo in a special compartment in its nose, being used by a French smuggling gang to traffic drugs from Morocco to southern Spain. In 2022, police found three underwater drones built to smuggle up to 200 kilograms (440 pounds) of drugs across the Strait of Gibraltar between Morocco and Spain.
Drones are being used to smuggle drugs into high security prisons worldwide from Brazil and France to Australia and across the U.S.
Our experts at UK NACE take a look into Berlin’s unique history, exploring the various methods used to collect intelligence during the Cold War and what it means for society today.