Robert Grupe's AppSecNewsBits 2023-12-16

Author

Robert Grupe
December 16, 2023

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Ransomware gang behind threats to Fred Hutch cancer patients
The Hunters International ransomware gang claimed to be behind a cyberattack on the Fred Hutchinson Cancer Center (Fred Hutch) that resulted in patients receiving personalized extortion threats.
The hospital disclosed a cybersecurity incident that occurred on November 19, 2023, involving unauthorized access to its networks. Attackers emailed many patients stating they have the names, Social Security numbers, phone numbers, medical history, lab results, and insurance history of over 800,000 patients.

"If you are reading this, your data has been stolen and will soon be sold to various data brokers and black markets to be used in fraud and other criminal activities," reads the emails.

These emails reportedly contained recipients' personal information as proof, including a patient's address, phone number, and medical record number, and a link to a site where they could pay $50 to prevent the data from being sold.

 

U.S. nuclear research lab data breach impacts 45,000 people
On November 20, it confirmed a "cybersecurity data breach" that impacted its off-site Oracle HCM HR system one day before. The breach only impacted the cloud-based Oracle HCM test environment that resides off-site. Attackers exfiltrated the data of 45,047 current and former employees. Multiple forms of sensitive personally identifiable information (PII) was affected, including names, social security numbers, salary information, and banking details.
SiegedSec has made no attempt to negotiate or demand a ransom from INL, directly publishing it online instead. They provided evidence of their access to INL's systems by sharing a custom announcement they made using INL's system to notify everyone on the campus, along with screenshots of internal INL tools.
[rG Key take Aways: Test environments/instances need the same rigor of security as "production" instances; and without strong access controls and encryption, sensitive data is vulnerable to being exposed.]

 

Toyota hacked again, this time through its German financial services arm
The breach, which affected Toyota Financial Services, was initially disclosed in November, with the company taking systems offline as a result. The Medusa ransomware gang subsequently claimed responsibility, claiming on its leaks site that it had stolen financial documents, purchase invoices, hashed account passwords, clear-text user IDs and passwords, agreements, passport scans, internal organization charts, financial performance reports and other company information. Medusa has since released the stolen information as Toyota declined to pay the ransom demanded.
Toyota Kreditbank GmbH said that the attack occurred on Nov. 16 and involved unauthorized activity on systems. Security researchers believed that the ransomware gang may have exploited the Citrix Bleed vulnerabilities. The vulnerabilities, which are found in Citrix Systems Inc.’s NetScaler and NetGateway product lines, were first disclosed in July with attackers subsequently found to be exploiting them in August.

 

Delta Dental of California data breach exposed info of 7 million people
Personal data was exposed in a MOVEit Transfer software breach.

The software was vulnerable to a zero-day SQL injection flaw leading to remote code execution, tracked as CVE-2023-34362, which the Clop ransomware gang leveraged to breach thousands of organizations worldwide.

Delta Dental of California learned about the compromise on June 1, 2023, and five days later, following an internal investigation, it confirmed that unauthorized actors had accessed and stolen data from its systems between May 27 and May 30, 2023.

 

Cold storage giant Americold discloses data breach after April malware attack
Over 129,000 employees and their dependents had their personal information stolen in an April attack. The April network breach led to an outage affecting the company's operations after Americold forced it to shut down its IT network to contain the breach and "rebuild the impacted systems."
The Cactus gang also leaked a 6GB archive of accounting and finance documents allegedly stolen from Americold's network, including private and confidential information. The ransomware group also plans to release human resources, legal, company audit information, customer documents, and accident reports.

 

Supply chain attack targeting Ledger crypto wallet leaves users hacked
A former Ledger employee was victim of a phishing attack, which gave the hackers access to their former employee’s NPMJS account, which is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit. The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.

Ledger deployed a fix within 40 minutes of the company becoming aware of the hack. The malicious file, however, was live for around five hours, but “the window where funds were drained was limited to a period of less than two hours.
It’s not immediately clear how many people fell victim to the hack. ZachXBT, a well-known independent crypto researcher, wrote on X that the hackers stole more than $600,000 in crypto during the attack.

 

DonorView publicly exposed children’s names and addresses, among other data
Infosec researcher Jeremiah Fowler found 948,029 records exposed online including donor names, addresses, phone numbers, emails, payment methods, and more. Manual analysis of the data revealed what appeared to be the names and addresses of individuals designated as children – though it wasn't clear to the researcher whether these children were associated with the organization collecting the donation or the funds' recipients. The length of time for which the information was exposed couldn't be determined – nor was it clear if the data had been accessed by unauthorized parties.

 

38% of Log4j Apps Use Vulnerable Versions
Veracode analyzed data from software scans over 90 days between August 15 and November 15 2023. These covered 38,278 unique applications running Log4j versions 1.1 to 3.0.0-alpha1 across 3866 organizations.

38% are still using vulnerable versions of Log4j.
32% of these are running Log4j2 1.2.x, which contains three critical flaws: CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302.

3.8% are running Log4j2 2.17.0, which contains CVE-2021-44832.
2.8% are still on versions exposed to the Log4Shell vulnerabilities: Log4j2 2.0-beta9 to 2.15.0.
[rG: Organizations need to ensure that they are running SCA and SAST scans on all their binary and code repositories daily, and managing risk remediation appropriate.]

 

While initially thought to be a more severe Cross Site Scripting (XSS) flaw, which allows JavaScript code to be executed in a client, the bug was determined only to be an HTML injection flaw, allowing the injection of images.

Counter-Strike 2 uses Valve's Panorama UI, a user interface that heavily incorporates CSS, HTML, and JavaScript for design layout.

As part of the design layout, developers can configure input fields to accept HTML rather than sanitize it to a regular string. If the field enabled HTML, any inputted text would be rendered on output as HTML. Counter-Strike users began reporting that users were abusing an HTML injection flaw to inject images into the kick voting panel.

While the flaw was abused mostly for harmless fun, others used it to obtain the IP addresses of other gamers in the match. This was done by using the <img> tag to open a remote IP logger script that caused the IP address for every player who saw the vote kick to be logged. These IP addresses could be used maliciously, such as launching DDoS attacks to force players to disconnect from the match.

.

HACKING

The growing abuse of QR codes in malware and payment scams prompts FTC warning
Short for quick response codes, QR codes are two-dimensional bar codes that automatically open a web browser or app when they’re scanned using a phone camera. Restaurants, parking garages, merchants, and charities display them to make it easy for people to open online menus or to make online payments. QR codes are also used in security-sensitive contexts. YouTube, Apple TV, and dozens of other TV apps, for instance, allow someone to sign in to their account by scanning a QR code displayed on the screen. The code opens a page on a browser or app on the phone where the account password is already stored.
Guidance includes:

  • After scanning a QR code, ensure that it leads to the official URL of the site or service that provided the code. As is the case with traditional phishing scams, malicious domain names may be almost identical to the intended one, except for a single misplaced letter.

  • Enter login credentials, payment card information, or other sensitive data only after ensuring that the site opened by the QR code passes a close inspection using the criteria above.

  • Before scanning a QR code presented on a menu, parking garage, vendor, or charity, ensure that it hasn’t been tampered with. Carefully look for stickers placed on top of the original code.

  • Be highly suspicious of any QR codes embedded into the body of an email. There are rarely legitimate reasons for benign emails from legitimate sites or services to use a QR code instead of a link.

  • Don’t install stand-alone QR code scanners on a phone without good reason and then only after first carefully scrutinizing the developer. Phones already have a built-in scanner available through the camera app that will be more trustworthy.

 

BazarCall, first documented in 2021, is a phishing attack utilizing an email resembling a payment notification or subscription confirmation to security software, computer support, streaming platforms, and other well-known brands. These emails state that the recipient is being auto-renewed into an outrageously expensive subscription and should cancel it if they do not want to be charged. The calls are answered by a cybercriminal pretending to be customer support, tricking the victims into installing malware on their computers by guiding them through a deceptive process.
Google Forms is a free online tool that allows users to create custom forms and quizzes, integrate them on sites, share them with others, etc. The attacker creates a Google Form with the details of a fake transaction, such as the invoice number, date, payment method, and miscellaneous information about the product or service used as bait. Next, they enable the "response receipt" option in the settings, which sends a copy of the completed form to the submitted email address. Using the target's email address, a copy of the completed form, which looks like a payment confirmation, is sent to the target from Google's servers. As Google Forms is a legitimate service, email security tools will not flag or block the phishing email, so delivery to the intended recipients is guaranteed. Also, the fact that the email originates from a Google address ("[email protected]”) lends it additional legitimacy.

 

Non-Human Access is the Path of Least Resistance: A 2023 Recap
Threat actors look for the path of least resistance, and it seems that in 2023 this path was non-user access credentials (API keys, tokens, service accounts and secrets).

  • Okta (October 2023): Attackers used a leaked service account to access Okta's support case management system. This allowed the attackers to view files uploaded by a number of Okta customers as part of recent support cases.

  • GitHub Dependabot (September 2023): Hackers stole GitHub Personal Access Tokens (PAT). These tokens were then used to make unauthorized commits as Dependabot to both public and private GitHub repositories.

  • Microsoft SAS Key (September 2023): A SAS token that was published by Microsoft's AI researchers actually granted full access to the entire Storage account it was created on, leading to a leak of over 38TB of extremely sensitive information. These permissions were available for attackers over the course of more than 2 years (!).

  • Slack GitHub Repositories (January 2023): Threat actors gained access to Slack's externally hosted GitHub repositories via a "limited" number of stolen Slack employee tokens. From there, they were able to download private code repositories.

  • CircleCI (January 2023): An engineering employee's computer was compromised by malware that bypassed their antivirus solution. The compromised machine allowed the threat actors to access and steal session tokens. Stolen session tokens give threat actors the same access as the account owner, even when the accounts are protected with two-factor authentication.

As one might expect, the vast adoption of GenAI tools and services exacerbates the non-human access issue. 32% of GenAI apps connected to Google Workspace environments have very wide access permissions (read, write, delete).

 

Money-grubbing crooks abuse OAuth – and baffling absence of MFA – to do financial crimes
Multiple miscreants are misusing OAuth to automate financially motivated cyber crimes – such as business email compromise (BEC), phishing, large-scale spamming campaigns – and deploying virtual machines to illicitly mine for cryptocurrencies.
A compromised account allowed Storm-1283 to sign in via virtual private network (VPN), create a new single-tenant OAuth application in Microsoft Entra ID named similarly as the Microsoft Entra ID tenant domain name, and add a set of secrets to the application. As the compromised account had an ownership role on an Azure subscription, the actor also granted 'Contributor' role permission for the application to one of the active subscriptions using the compromised account. The crew also took advantage of other OAuth applications that the compromised user could access, and added new credentials to those apps to expand its mining capabilities. The crims started with a small set of VMs before returning to deploy more.

The moral of this cautionary tale will be familiar to readers: enable MFA. Enabling conditional access policies that are evaluated every time a user tries to sign in is also a fine idea, as is continuous access evaluation that revokes access at any point when changes to a user's condition – like appearing in an untrusted location – sets off an alarm.

 

Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
Cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
SVR has been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.

 

PyPI is popular among Python programmers for sharing and downloading code. Since anyone can contribute to the repository, malware – sometimes posing as legitimate, popular code libraries – can appear there. ESET found 116 files (source distributions and wheels) from 53 projects containing malware. Some package names do look similar to other, legitimate packages, but we believe the main way they are installed by potential victims isn’t via typosquatting, but social engineering, where victims are walked through running pip install {package-name} to be able to use the “interesting” package for whatever reason. Over the past year, victims downloaded these files more than 10,000 times.

 

Research into Lazarus Group's attacks using Log4Shell has revealed novel malware strains written in an atypical programming language. DLang is among the newer breed of memory-safe languages being endorsed by Western security agencies over the past few years, the same type of language that cyber criminals are switching to.

 

 

APPSEC, DEVSECOPS, DEV

Cycode survey of 500 CISOs:
92% of CISOs confirmed they are looking to consolidate their AppSec tools into a single platform in the next 12 months
90% relationships between their security and development teams need to improve.
88% because of alert fatigue developers are not focused on remediating critical vulnerabilities, which increases the potential for a security breach and puts the business at risk.
85% acknowledge dev teams suffer from vulnerability noise and alert fatigue, which strains the relationship between security and dev teams.
78% today’s AppSec attack surfaces are unmanageable and
77% software supply chain security is a bigger blind spot for AppSec than Gen AI or open source
75% of security professionals struggle with the complexity of managing multiple security tools
Gartner, “By 2026, over 40% of organizations developing proprietary applications will adopt Application Security Posture Management (ASPM) to more rapidly identify and resolve application security issues."rG: "Posture Management" is an umbrella term for the infosec age old Vulnerability Management (VM) complexity problem from multiple tech stack layer vulnerability scanners and  the lack of integration between vendor solutions. Organizations either need to invest in integrating interchangeable best-of-breed solutions, or look for conglomerate vendor solutions that can provide acceptable levels of performance; but no single vendor has yet been able to provide best-of-breed products across the full spectrum of cyber security VM needs.

 

Empower security champions
Defense in depth
Address risk -- not the symptoms
Be realistic in your approach: concentrate your resources where they can have the most impact.

 

MDR: Paving the Way to Cyber Resiliency
The growth of standalone security tools, including Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR), has placed a considerable burden on security teams. Managing an average of 76 cyber tools in an enterprise has become daunting. Managed Detection and Response (MDR) has become the glue of advanced detection and response. Cybersecurity is working, but it could be more consistent and more effective. It requires discipline, rigor, automation, innovation, continuous learning, and inspection. MDR will continue evolving and will soon become the platform and intelligence engine that can direct swift, accurate responses, verify capabilities, and communicate the tactical and strategic upgrades needed.

 

 

Organizations need to make 2FA a mandatory requirement for every system in the development process, including code, build, package managers, and cloud.
MFA in the software development lifecycle makes it harder for attackers to use a developer’s credentials to make unauthorized code changes, merges, and commits; stealing credentials and secrets; accessing data; pushing unauthorized infrastructure changes; and releasing software into the production environment. Organizations can also use MFA to secure CI/CD consoles, log dashboards, and pipeline definition files, and they can require accounts with privileges to make major pipeline changes.
It’s key for development teams to understand that MFA is not solving any core security issue. MFA bolsters the efficacy of existing password and other single-factor authentication mechanisms, but it does not address insider risks.
Tokens contain information such as the user’s permissions and scope of access in the pipeline. The wide use of security tokens in CI/CD processes is another way to expand authentication,  as keys for granting developers access to the CI/CD pipelines, infrastructure, and secrets needed to build, test, and deploy applications.
Most security tokens can perform a range of privileged actions and can bypass MFA configured for that system because they are run through automation. For example, I may have 2FA configured for my AWS account, but once I generate service account tokens, I can invoke them anytime and everywhere without the need for additional approval.
In the modern SDLC, CI/CD processes are usually included in the code repositories. This makes it harder to segregate duties and manage authorization for sensitive build processes. This gives intruders a potential vector for accessing an organization’s production environment via the build system.

 

74% of global organizations have reported at least 3 API-related data breaches within the last two years.

 

 

  1. Cyberwire Daily with Dave Bittner

  2. CYBER with Matthew Gault

  3. Security Now with Steve Gibson and Leo Laporte

  4. Malicious Life with Ran Levi

  5. Darknet Diaries with Jack Rhysider

  6. RiskyBiz with Patrick Gray

  7. The Future of Security Operations with Thomas Kinsella

  8. Smashing Security with Graham Cluley and Carole Theriault
    [rG Fun Fact: In my Sophos days, my desk was next to Carole and Graham, and they subscribed to my AV NewsBits :-) Great team with extensive experience insights.]

  9. Blueprint with John Hubbard 

.

Can DevEx Metrics Drive Developer Productivity?
A 2020 McKinsey study which revealed that companies with better work environments for their developers boasted dramatically increased developer velocity, which in turn correlated to four to five times the revenue of their competitors.

What influences that developer experience comes down to 25 sociotechnical factors — including interruptions and friction from tools or processes — which are evaluated by survey responses. This data is then combined with existing data from tools, like issue trackers and CI/CD pipelines, as well as the traditional KPIs and OKRs. Another powerful DevEx metric, is Knowledge Discovery Efficiency or KEDE, which leverages repositories to identify developer knowledge gaps.

 

Developer Productivity Engineering at Netflix
There’s the centralized platform team of 150 people, which “creates the tools, the platforms and the infrastructure to handle abstracting away all of the isms so that our developer community — who are our customers, our internal developer community — can do their best work and focus on their domain of excellence,” Koehler said. In a bit of a “hub and spoke model.” 80-person developer productivity engineering team within the platform team owns the inner development loop — build, test, code, continuous integration, all the way up to but not including deploy, as well as the end-to-end developer experience, including source control and dependency management. In addition, the greater Netflix platform engineering team includes a cloud infrastructure team and a data platform team.

 

GitHub Developer Productivity at 30 Billion Messages per Day
The platform team is made up of almost 300 GitHubbers. The infrastructure and platform engineering organization within GitHub — which horizontally supports the whole company.

While teams are able to get qualitative metrics like the famous core four DORA metrics, there is usually a mix of quantitative and qualitative surveys throughout any developer productivity engineering journey, including the SPACE framework and DevEx metrics.

 

Google makes GitHub Copilot rival, Duet AI and Gemini Pro generally available
The tool currently supports over 20 languages and includes capabilities for log summarization, error explanation and automated test generation.
Duet AI for Developers is available free until February 1, 2024, after which it will cost $19 per month. In addition, Duet AI in Security Operations is now generally available. It will be included as part of Google Cloud's Security Operations Enterprise and Enterprise Plus packages.

On the other hand, Microsoft-owned GitHub announced that GitHub Copilot Chat will become generally available for both businesses and individuals in December as part of the current GitHub Copilot subscription.

.

VENDORS & PLATFORMS

Contextual insights

Data awareness

Drift awareness (dependency changes)
Risk-based scoring
Unified threat ingestion

Policy enforcement

 

Snyk AppRisk: Snyk unveils new ASPM offering to help DevSecOps manage cloud application risks
Automating asset discovery, security controls, and risk prioritization
Visualization and context for prioritization are key.

 

Netgate pfSense Security: Sensing Code Vulnerabilities with SonarCloud
We routinely perform scans on open-source projects using SonarCloud and assess the results. Importantly, anyone can do this for free! SonarCloud is available at no cost for open-source projects, regardless of their language or size.

 

Kubescape open-source project adds Vulnerability Exploitability eXchange (VEX) support
Vulnerability Exploitability eXchange (VEX) is a standard that facilitates the sharing and analyzing of information about vulnerabilities and their potential for exploitation. VEX documents have emerged as a critical component in complementing Software Bill of Materials (SBOMs) by informing users about the applicability of vulnerability findings.

 

The Cybersecurity and Infrastructure Security Agency, as part of its Secure Cloud Business Applications (SCuBA) project, released a series of nine security configuration baselines for Google Workspace today, including applications like Gmail, Google Drive, and Google Meet. The latest release follows up on CISA’s publication of baselines for Microsoft 365 products last year.

 

Townsend Security will cease operations at the end of the month
Patrick Townsend formally founded Townsend Security in 1991, and has served the IBM midrange community with security solutions ever since. In 2018, Townsend Security sold its flagship database encryption software, called AES/400, to Syncsort (formerly Vision Solutions), which would change its name to Precisely.

Customers that still use Alliance Key Manager will be able to get interim support and help with migrating to other encryption key management tools from Chris Edwards, a longtime employee of Townsend Security and an experienced AKM support technician. Edwards will offer his services via his own consulting company, called CluckTECH.

.

LEGAL

Cloud engineer gets 2 years for wiping ex-employer’s code repos
Miklos Daniel Brody, a cloud engineer, was sentenced to two years in prison and a restitution of $529,000 for wiping the code repositories of his former employer in retaliation for being fired by the company.  Brody's employment was terminated after he violated company policies by connecting a USB drive containing pornography to company computers. Following his dismissal, Brody allegedly refused to return his work laptop and instead used his still-valid account to access the bank's computer network and cause damages estimated to be above $220,000.
Among other things, Brody deleted the bank's code repositories, ran a malicious script to delete logs, left taunts within the bank's code for former colleagues, and impersonated other bank employees by opening sessions in their names," describes the U.S. DOJ announcement. He also emailed himself proprietary bank code that he had worked on as an employee, which was valued at over $5,000. 

 

***

Robert Grupe, CISSP CSSLP PMP
http://rgrupe.com