Robert Grupe's AppSecNewsBits 2023-12-23
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
OpenAI rolls out imperfect fix for ChatGPT data leak flaw
Security researcher Johann Rehberger discovered a technique to exfiltrate data from ChatGPT and reported it to OpenAI in April 2023. In November 2023, the researcher shared additional information on creating malicious GPTs that leverage the flaw to phish users. This GPT and its underlying instructions were promptly reported to OpenAI on November 13th, 2023. However, the ticket was closed on November 15th as "Not Applicable". Two follow-up inquiries remained unanswered. Following the lack of response by the chatbot's vendor, the researcher decided to publicly disclose his findings on December 12, 2023, where he demonstrated a custom tic-tac-toe GPT named 'The Thief!,' which can exfiltrate conversation data to an external URL operated by the researcher.
Xfinity waited to patch critical Citrix Bleed 0-day. Now it’s paying the price
Comcast waited as many as 9 days to patch its network against a high-severity vulnerability, a lapse that allowed hackers to make off with sensitive information belonging to 36 million Xfinity customers. Information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers.
Comcast is requiring Xfinity customers to reset their passwords to protect against the possibility that attackers can crack the stolen hashes. The company is also encouraging customers to enable two-factor authentication.
Mr. Cooper, mortgages and loans, said the hackers stole customer names, addresses, dates of birth and phone numbers, as well as customer Social Security numbers and bank account numbers.
Mr. Cooper initially told customers on October 31 — the day of the breach — that its systems were offline due to an outage, which it later admitted was related to a cybersecurity incident. The cyberattack will cost the company at least $25 million, up from an estimated $5 to 10 million, largely due to paying for identity protection to its current and former customers for two years.
[rG: Further regulatory fines and lawsuit costs still to come.]
First American Financial Corporation is the second-largest title insurance company in the United States. On November 28, First American paid a $1 million penalty to settle violations of New York's Department of Financial Services' Cybersecurity Regulation stemming from a May 2019 breach.
Insomniac hacker releases more than 1.3 million stolen files, including unannounced games info
Around 98% of the hacked data has been leaked, with ransomware group Rhysida stating that “not sold data was uploaded,” implying that the remaining 2% may have been sold to someone.
People have already started downloading and sifting through the files, which appear to include a host of information and assets for the upcoming Wolverine game, a publishing agreement with Marvel that promises future games, and internal HR documents.
A cyberattack that occurred on December 13, 2023. In response to the detected unauthorized access on its network, the company shut down some of its systems and brought in external experts to help contain the attack. The threat actor disrupted the company's business operations by encrypting some IT systems, and stole data from the company, including personal data. The impact of the incident on the company's operation is significant and is expected to have a lasting effect on the business.
AI: Rite Aid banned from using facial recognition software after falsely identifying shoplifters
The Federal Trade Commission (FTC) found that the U.S. drugstore giant’s “reckless use of facial surveillance systems” left customers humiliated and put their “sensitive information at risk.”
When a customer entered a store who supposedly matched an existing image on its "watchlist database", employees would receive an automatic alert instructing them to take action. Often, these “matches” were false positives that led to employees incorrectly accusing customers of wrongdoing, creating “embarrassment, harassment, and other harm.”
Employees, acting on false positive alerts, followed consumers around its stores, searched them, ordered them to leave, called the police to confront or remove consumers, and publicly accused them, sometimes in front of friends or family, of shoplifting or other wrongdoing. Rite Aid failed to inform customers that facial recognition technology was in use, while also instructing employees to specifically not reveal this information to customers.
The findings shine a light on inherent biases in AI systems. Rite Aid failed to mitigate risks to certain consumers due to their race — its technology was more likely to generate false positives in stores located in plurality-Black and Asian communities than in plurality-White communities. Rite Aid failed to test or measure the accuracy of its facial recognition system prior to, or after, deployment.
The FTC’s Order instructs Rite Aid to delete any images it collected as part of its facial recognition system rollout, as well as any products that were built from those images. The company must also implement a robust data security program to safeguard any personal data it collects.
The vulnerability, tracked as CVE-2023-50164, is rated 9.8 out of 10 in terms of CVSS severity. It is a logic bug in the framework's file upload feature: if an application uses Struts 2 to allow users to upload files to a server, those folks can abuse the vulnerability to save documents where they shouldn't be allowed to on that remote machine. Thus someone could, for instance, use the flaw to upload a webshell script to a web server, and access it to take control of or get a foothold on that system.
The fix is simple: use versions of Struts that have been fixed.
[rG: And redeploy old running apps with new builds from updated code.]
Europol warns 443 online shops infected with credit card stealers
Skimmers are small snippets of JavaScript code added to checkout pages or loaded from a remote resource to evade detection. They are designed to intercept and steal payment card numbers, expiration dates, verification numbers, names, and shipping addresses and then upload the information to the attackers' servers.
HACKING
The cyberassault comes as pro-Hamas crews linked to Iran have increased their digital disruptions on Israeli and American targets – including targeting water facilities in both countries.
Before deploying ransomware, they will steal sensitive documents from compromised systems, which they use to pressure victims into paying ransom demands under the threat of leaking the stolen data online. The gang is also using a custom VSS Copying Tool that helps steal files from shadow volume copies even when those files are in use by applications.
The dark-web site belonging to AlphV, a ransomware group that also goes by the name BlackCat, suddenly started displaying a banner that said it had been seized by the FBI as part of a coordinated law enforcement action.
Within hours, the FBI seizure notice displayed on the AlphV dark-web site was gone. In its place was a new notice proclaiming: “This website has been unseized.” As the hours went on, the FBI and AlphV sparred over control of the dark-web site, with each replacing the notices of the other.
One researcher described the ongoing struggle as a “tug of Tor,” a reference to Tor, the network of servers that allows people to browse and publish websites anonymously. Like most ransomware groups, AlphV hosts its sites over Tor. Not only does this arrangement prevent law enforcement investigators from identifying group members, it also hampers investigators from obtaining court orders compelling the web host to turn over control of the site.
The only way to control a Tor address is with possession of a dedicated private encryption key. Once the FBI obtained it, investigators were able to publish Tuesday’s seizure notice to it. Since AlphV also maintained possession of the key, group members were similarly free to post their own content. Since Tor makes it impossible to change the private key corresponding to an address, neither side has been able to lock the other out.
The FBI engaged with a confidential human source (CHS) to sign up and become an affiliate for the ALPHV/BlackCat ransomware operation. After being interviewed by the ransomware operators, the CHS was provided login credentials to the backend affiliate panel.
Using this access, the FBI obtained the private decryption keys used in attacks and created a decryptor that has helped over 400 victims recover their files for free.
A theory is that the FBI used its internal access to find vulnerabilities that could be exploited to dump the database or gain further access to the server, but this is unconfirmed. The FBI also states that they obtained 946 private and public key pairs associated with the ransomware operation's Tor negotiation sites, data leak sites, and management panel and saved them to a USB flash drive that is now stored in Florida. Anyone possessing these private and public key pairs effectively controls the URL, allowing them to hijack them so they point to their own servers.
Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake—the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.
For Terrapin to be viable, the connection it interferes with also must be secured by either "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC," both of which are cipher modes added to the SSH protocol (in 2013 and 2012, respectively). A scan performed by the researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice.
People who want to know if the SSH client or server they use is vulnerable to Terrapin can use a custom scanner developed by the researchers. Anyone using AsyncSSH should patch right away. While the researchers didn’t focus much time on the dozens of other widely used SSH implementations, it’s entirely possible that some of them may also harbor currently undetected vulnerabilities that can be exploited using Terrapin.
Anyone who uses any app implementing SSH should check with the developer for guidance, including whether the app is affected by Terrapin and, if so, the conditions under which it is vulnerable to exploitation and whether a fix is available.
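As a complement to the researchers' scanner, the following added example (not code from the researchers or from this newsletter) checks an SSH server's effective algorithm lists for the two cipher modes named above, and reports both "supported" and "preferred" in the sense of the scan figures. It assumes `sshd -T`-style input and OpenSSH algorithm names; the three sample configurations are constructed, and the "preferred" test (first list entry) is a simplification.

```python
# Added example: flag the two Terrapin-relevant cipher modes named in the text
# (ChaCha20-Poly1305, CBC with Encrypt-then-MAC) in an SSH server's lists.
CHACHA = "chacha20-poly1305@openssh.com"

# Constructed samples in the format printed by `sshd -T`.
DEFAULT_LIKE = (
    "ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com\n"
    "macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256\n"
)
LEGACY = (
    "ciphers aes128-ctr,aes256-cbc\n"
    "macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256\n"
)
HARDENED = (
    "ciphers aes256-gcm@openssh.com,aes128-ctr\n"
    "macs hmac-sha2-256-etm@openssh.com\n"
)


def parse_algorithms(sshd_t_output):
    """Extract the 'ciphers' and 'macs' lists from `sshd -T`-style text."""
    algos = {"ciphers": [], "macs": []}
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in algos:
            key = parts[0].lower()
            algos[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return algos


def terrapin_exposure(sshd_t_output):
    """Report whether a vulnerable mode is offered and whether it is listed first."""
    algos = parse_algorithms(sshd_t_output)
    ciphers, macs = algos["ciphers"], algos["macs"]
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if "-etm@" in m]

    reasons = []
    if CHACHA in ciphers:
        reasons.append("ChaCha20-Poly1305 offered")
    if cbc and etm:
        reasons.append("CBC cipher offered together with an Encrypt-then-MAC MAC")

    # Simplification: "preferred" means the first-listed cipher (and, for CBC,
    # the first-listed MAC) is one of the vulnerable modes.
    preferred = bool(ciphers) and (
        ciphers[0] == CHACHA
        or (ciphers[0] in cbc and bool(macs) and macs[0] in etm)
    )
    return {"supported": bool(reasons), "preferred": preferred, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in [("default-like", DEFAULT_LIKE),
                         ("legacy", LEGACY),
                         ("hardened", HARDENED)]:
        print(name, terrapin_exposure(sample))
```

The check covers only the two modes the article names; whether a given implementation is exploitable still depends on its patch level, which is what the researchers' scanner and the vendor's guidance address.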
The attack begins with the initial malware infection of the victim's device. Once the victim visits the attackers' compromised or malicious sites, the malware injects a new script tag with a source ('src') attribute pointing to an externally hosted script. The malicious obfuscated script is loaded on the victim's browser to modify webpage content, capture login credentials, and intercept one-time passcodes (OTP).
This new approach makes the attacks more stealthy, as static analysis checks are unlikely to flag the simpler loader script as malicious while still permitting dynamic content delivery, allowing attackers to switch to new second-stage payloads if needed. It's also worth noting that the malicious script resembles legitimate JavaScript content delivery networks (CDN), using domains like cdnjs[.]com and unpkg[.]com, to evade detection. Furthermore, the script performs checks for specific security products before execution.
Cybercrooks book a stay in hotel email inboxes to trick staff into spilling credentials
Cybercriminals are preying on the inherent helpfulness of hotel staff during the sector's busy holiday season. Two main categories of emails are sent: those that complain about serious issues regarding a recent stay, and requests for information to assist a future booking. Both typically necessitate a fast response from hotel management.
When the staff then responds by requesting more information, the attacker sends a message directing the staff to open a link that supposedly contains evidence supporting their claim. These links typically point to legitimate cloud storage services like Google Drive and contain a password-protected archive, the password for which is included in the email, which leads to the download of a digitally signed executable. That program contains the credential-stealing malware, which starts up when the worker opens the file thinking they're about to view a document. The executable is typically large, like 600MB in size, to perhaps fool or put off antivirus scanners; the password protection on the archive also obscures the contents from scans until it's unpacked.
A new Python project called 'Wall of Flippers'
The idea was quickly adopted by other developers who created a custom Flipper Zero firmware that could launch spam attacks against Android smartphones and Windows laptops. Soon after, developer Simon Dankelmann ported the attack to an Android app, allowing people to launch Bluetooth spam attacks without needing a Flipper Zero. However, people attending the recent Midwest FurFest 2023 conference discovered first-hand that the consequences of these Bluetooth spam attacks can go far beyond the scope of a harmless prank. Many reported severe business disruption with their Square payment readers, and others faced more threatening situations, like causing an insulin pump controller to crash. People using Bluetooth-enabled hearing aids and heart rate monitoring tools also reported disruption, which could put their well-being at risk.
APPSEC, DEVSECOPS, DEV
Ponemon Institute Cost of a Data Breach Report 2023: Insights, Mitigators and Best Practices
The costliest breaches occur in healthcare ($10.93M), financial ($5.9M), pharmaceuticals ($4.82M), energy ($4.78M) and industrial ($4.73M).
In 2017, the average cost was "merely" $3.62M. In 2023, it reached an all-time high of $4.45M. In the past three years, average breach costs increased by 15%.
Phishing is the most common way for threat actors to breach organizations, and it is also the second most costly type of breach for organizations ($4.76M).
Stolen or compromised credentials are also commonly used and are fairly costly ($4.62M).
Malicious insiders are a relatively less common attack vector. However, they are the costliest breach ($4.9M).
Yet, when organizations were asked if they would increase their security investment following a breach, only 51% replied that they would.
Out of the 51% who said they would increase their security spending, 50% would invest in incident response planning and testing, 46% in employee training and 38% in threat detection and response technologies.
One of the most significant changes we're seeing is in the US regulatory framework governing cybersecurity. Public companies are now required to report cybersecurity incidents within just four business days, marking a significant shift in corporate governance and cybersecurity management. This new mandate is reshaping how businesses approach cybersecurity, with a strong emphasis on compliance and proactive management of cybersecurity risks.
In parallel, the EU has taken a pioneering step by passing the first regulation specifically targeting AI technology.
Making software releases faster and more secure with DevSecOps and AIOps
DevSecOps helps agencies break down the silos between development, operations, and security to produce faster, more secure software releases.
AIOps works across IT operations to help ensure software in production is operating efficiently, securely, and reliably. AIOps works by leveraging artificial intelligence, machine learning, and predictive analytics to collect data from the entire digital ecosystem. It autonomously analyzes this data to yield deep, consolidated insights into the IT infrastructure and development process, including identifying vulnerable code and fixing.
Meeting and exceeding compliance standards
Executive Order (EO) 14028 and other actions underscore the federal government’s commitment to leveraging its purchasing power to elevate security standards across the supply chain.
Increased transparency through SBOMs
DoD, NASA, and GSA – have proposed new rules for federal contractors to develop and maintain SBOMs for any software used on a government contract. Compliant vendors generate SBOM files at build time and may use them in the build process to validate that third-party dependencies haven’t changed underlying code, provide a comprehensive picture of the dependency tree available on a current build and historical basis, and perform build-time checks and enforce policies based on CVSS-scoring.
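The build-time use of an SBOM described above can look like the following added example (not code from the article or from any vendor): a gate that compares each dependency's bytes against the hash recorded in the SBOM and fails the build when a listed vulnerability meets a CVSS threshold. The SBOM follows the CycloneDX JSON layout; the component names, artifact bytes, the `EXAMPLE-VULN-0001` identifier and the `check_build` function are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed dependency artifacts, keyed by the SBOM's bom-ref.
ARTIFACTS = {
    "libalpha@1.2.0": b"alpha release bytes",
    "libbeta@0.9.1": b"beta release bytes",
}

# Constructed CycloneDX-style SBOM, as it would be recorded at release time.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": ref, "name": ref.split("@")[0], "version": ref.split("@")[1],
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
        for ref, data in ARTIFACTS.items()
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001",  # placeholder identifier
         "ratings": [{"method": "CVSSv31", "score": 9.8}],
         "affects": [{"ref": "libbeta@0.9.1"}]},
    ],
}


def check_build(sbom, artifacts, max_cvss=7.0):
    """Return a list of policy violations; an empty list means the gate passes."""
    violations = []
    listed = set()
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        listed.add(ref)
        recorded = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        expected = recorded.get("SHA-256")
        data = artifacts.get(ref)
        if data is None:
            violations.append(f"{ref}: listed in SBOM but missing from build")
        elif expected is None:
            violations.append(f"{ref}: no SHA-256 recorded in SBOM")
        elif sha256_hex(data) != expected.lower():
            violations.append(f"{ref}: hash mismatch, dependency content changed")
    # Anything in the build that the SBOM does not account for is also a failure.
    for ref in sorted(set(artifacts) - listed):
        violations.append(f"{ref}: present in build but not listed in SBOM")
    # CVSS policy: block on any affected component at or above the threshold.
    for vuln in sbom.get("vulnerabilities", []):
        score = max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)
        if score >= max_cvss:
            for affected in vuln.get("affects", []):
                violations.append(
                    f"{affected['ref']}: {vuln['id']} CVSS {score} >= {max_cvss}")
    return violations


if __name__ == "__main__":
    tampered = dict(ARTIFACTS, **{"libalpha@1.2.0": b"alpha release bytes + backdoor"})
    for line in check_build(SBOM, tampered):
        print("FAIL", line)
```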
Increased observability across the supply chain
Failing to move beyond compliance - Recognize compliance as a starting point
Not recognizing the need for centralized data security - Know where your sensitive data resides
Unclear responsibility for ownership of data - Hiring a Chief Data Officer (CDO) or Data Protection Officer (DPO)
Failure to address known vulnerabilities - Implement a vulnerability management program
Insufficient data activity monitoring - Develop a comprehensive data security and compliance strategy
NIST Calls for Information to Support Safe, Secure and Trustworthy Development and Use of Artificial Intelligence
New NSA Artificial Intelligence Security Center (AISC)
The AISC will be a key part of NSA's cybersecurity mission, with the goal to defend the Nation's AI through Intel-Driven collaboration with industry, academia, the IC, and other government partners.
VENDORS & PLATFORMS
Trusted Types addresses DOM-XSS, or document object model cross-site scripting – considered to be both rather dangerous and fairly common. Ranked first among the OWASP Top Ten Web Application Security Risks in 2017 – under the category "Injection" – XSS attacks slipped to the third most common vulnerability by 2021. And XSS attacks should become less common as more websites revise their code to take advantage of Trusted Types.
Mozilla won't implement Trusted Types in Firefox immediately – there are still some technical issues to sort out. But the org's decision is a win for web security, which has been looking up since May 2020 when Trusted Types shipped in Chrome 83 and Edge 83. Opera (based on the open source Chromium project, like Edge) added support in June 2020.
Typo, GitHub, Codacy, Bitbucket, Gerrit, Veracode, Rhodecode
Before anyone was allowed to use ChatGD, the firm required them to complete an initial training, either live or on demand. The firm presented three live training sessions tailored specifically for its attorneys, paralegals and business professionals. The focus of the trainings, which were developed by Scrudato and members of the firm’s AI Working Group, was on how LLMs and RAG actually work, in order to provide everyone with a baseline understanding of the technology, and how to use ChatGD safely and ethically. The trainings also covered the ideal use cases for generative AI and areas where the technology is not yet well suited.
$10,000 was mostly attributable to operational and infrastructure costs, not to the actual LLMs. (It does not include the firm’s internal engineering.)
Green, in his post, attributes the firm’s ability to keep the cost that low to two strategic decisions:
Self-hosting an open-source model for RAG vector embeddings.
Leveraging GPT 3.5 Turbo for both pure chat and RAG functionalities instead of using the most expensive models available.
LEGAL
The South Korean authorities led HAECHI operations and worked with law enforcement agencies from 34 countries, including the United States, the United Kingdom, Japan, Hong Kong (China), and India. The latest operation, which occurred between July and December 2023, targeted threat actors engaging in voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise, and e-commerce fraud.
An emerging scam technique is the use of AI and deepfake tools to generate synthetic content that appears realistic to the targets, or even imitates the voice of a person close to them. The UK authorities participating in HAECHI reported the disruption of several cases where fraudsters leveraged AI in impersonation scams, online sexual blackmail, and investment fraud.
The controversial rule requires publicly traded companies to report such events to the agency within 4 business days. However, critics of the rule have levied myriad complaints, including that the disclosure time is too quick, such information could potentially endanger national security, it is duplicative of existing regulations, and — following the SEC’s lawsuit against SolarWinds and its former chief information security officer for fraud — it places more liability pressure on CISOs.
Concerns around the ruling also focused on a potential duplicate reporting regulatory regime, as the Cybersecurity and Infrastructure Security Agency is undergoing a rulemaking that would require critical infrastructure owners and operators to report major cyber incidents. Mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the law requires owners to report significant cyber breaches to CISA within 72 hours.
Artificial intelligence (AI) regulations
The Biden Administration’s Executive Order on AI established standards for developing and utilizing this emerging technology. Now, Congress and state-level officials have indicated an interest in establishing guardrails for the responsible use of AI in the coming year.
Data privacy and cybersecurity:
Five state-level consumer data privacy laws were enacted in 2023, adding California, Colorado, Connecticut, Utah, and Virginia to the list of states with unique data-related legislation on the books. The list will continue to expand in 2024, with at least five more states – Florida, Montana, Oregon, Texas, and Washington – passing privacy laws that will take effect in the coming year.
And Now For Something Completely Different …
***
Robert Grupe, CISSP CSSLP PMP
http://rgrupe.com