- Robert Grupe's AppSecNewsBits
- Posts
- Robert Grupe's AppSecNewsBits 2024-01-27
Robert Grupe's AppSecNewsBits 2024-01-27
Robert Grupe
January 27, 2024
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
In major gaffe, hacked Microsoft test account was assigned admin privileges
Russia-state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging into a “legacy non-production test tenant account” that wasn’t protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams.
The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protcol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.
The only way for an account to assign the all-powerful full_access_as_app role to an OAuth app is for the account to have administrator privileges. “Somebody,” he said, “made a pretty big config error in production.”
One of the most fundamental network security practices is the principle of least privilege. Accounts should always be configured with the fewest privileges required to perform their assigned tasks. In the case at hand, it’s hard to understand why the legacy test account needs administrator privileges.
[rG: No amount of automated security vulnerability test scanning would have prevented this flaw. IAM security requires least-privilege and separation of duties design assurance and then continuous configuration compliance monitoring.]
The CoronaLab data exposure report reads in many ways like any other accidental data exposure news: It was found, and now the offending database is offline. But this one isn't that simple.
No-one at CoronaLab or Microbe & Lab ever responded to repeated attempts to reach out and inform them of the exposure.
"I sent multiple responsible disclosure notices and did not receive any reply, and several phone calls also yielded no results. The database remained open for nearly three weeks before I contacted the cloud hosting provider and it was finally secured from public access."
The University of California, San Diego, for the record, is the only school in the top 24 with a computer science and engineering program that does list security as an undergraduate degree requirement, although it's unclear if that's really the case from the college's curriculum.
Cybersecurity is viewed as a subdiscipline, much like graphics or human-computer interaction – not essential knowledge that every future software developer should be equipped with as they enter the workforce. All too often, attacks exploit simple weaknesses that any developer with basic security knowledge could have stopped.
One of the reasons for these lack of courses, according to CISA, is that the private sector isn't demanding these skills in its developer hires.
HACKING
Actors tailor their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures. The intruders then leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment, weaponizing it to create additional malicious OAuth applications.
Google says keeping users safe is a top priority, and that the company has a team of thousands working around the clock to create and enforce their abuse policies. And by most accounts, the threat from bad ads leading to backdoored software has subsided significantly compared to a year ago.
Seemingly benign software download sites will periodically turn evil, swapping out legitimate copies of popular software titles with backdoored versions that will allow cybercriminals to remotely commander the systems.
They’re using automation to pull in fake content, and they’re rotating in and out of hosting malware. Malicious downloads may only be offered to visitors who come from specific geographic locations, like the United States.
In malicious ad campaigns, they would wait until the domains gain legitimacy on the search engines, and then flip the page for a day or so and then flip back.
GPS jamming and spoofing have grown worse in Eastern Europe, the Black Sea and the Middle East. Airlines have been urging quick action after a series of incidents where navigation systems were disrupted to show a false location or wrong time, though aircraft flight controls remained intact. Spoofing might involve one country's military sending false Global Positioning System signals to an enemy plane or drone to hinder its ability to function, which has a collateral effect on nearby airliners.
Advertisements in ordinary mobile apps can ultimately lead to surveillance by spy firms and their government clients through the real time bidding data supply chain.
Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps' users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles.
An external threat actor in possession of a Google account could misuse this misconfiguration by using their own Google OAuth 2.0 bearer token to seize control of the cluster for follow-on exploitation such as lateral movement, cryptomining, denial-of-service, and sensitive data theft.
As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector.
It stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization).
To make matters worse, this approach does not leave a trail in a manner that can be linked back to the actual Gmail or Google Workspace account that obtained the OAuth bearer token.
Even though [Google's fix change recommendations] are improvements, it still leaves many other roles and permissions (other than cluster-admin) that can be assigned to the system:authenticated group, so organizations must make sure that the system:authenticated group is not overprivileged.
The first edition of Pwn2Own Automotive targeted fully patched electric vehicle (EV) chargers, infotainment systems, and car operating systems.
Team Synacktiv hacked the Tesla car twice, getting root permissions on a Tesla Modem by chaining three vulnerabilities on the first day and demoing a Tesla Infotainment System sandbox escape via a two zero-day exploit chain on the second day.
They also demoed two unique two-bug chains against the Ubiquiti Connect EV Station and the JuiceBox 40 Smart EV Charging Station, as well as a three-bug exploit targeting the Automotive Grade Linux OS.
AI
The creator of an audio deepfake of US President Joe Biden urging people not to vote in this week's New Hampshire primary has been suspended. ElevenLabs' technology was used to make the deepfake audio, a voice-fraud detection company that analyzed it.
A recent study conducted by researchers at the Amazon Web Services (AWS) AI Lab found that a "shocking amount of the web" is already made up of poor-quality AI-generated and translated content.
According to the study, over half — specifically, 57.1 percent — of all of the sentences on the internet have been translated into two or more other languages. The poor quality and staggering scale of these translations suggest that large language model (LLM) -powered AI models were used to both create and translate the material. The phenomenon is especially prominent in "lower-resource languages," or languages with less readily available data with which to more effectively train AI models.
This wouldn't be the first warning sign of generative AI's existential threat to the web's usability. Google, for example, has been forced to grapple with the persistence of AI-generated material in its search and — as a new 4o4 Media report shows — its Google News algorithms. Amazon has also had a notably rough go with AI content; in addition to its serious AI-generated book listings problem, a recent Futurism report revealed that the e-commerce giant is flooded with products featuring titles such as "I cannot fulfill this request it goes against OpenAI use policy."
Last year, the conversation was 'gee whiz.' Now, it's what are the risks? What do we have to do to make AI trustworthy?
APPSEC, DEVSECOPS
Application breaches, which often consist of stolen credentials and vulnerabilities, accounted for 25 percent of all breaches.
Over 75 percent of applications have at least one flaw. Over 99% of technologists report that applications in production have a minimum of four vulnerabilities.
42% of companies suffering from external attacks attributed these incidents to vulnerabilities in software security. Additionally, 35% of these organizations identified the cause as defects in web applications.
61% of the applications tested were found to have at least one vulnerability of high or critical severity that was not included in the OWASP Top 10 list.
83% of applications exhibit at least one security issue during their initial vulnerability assessment.
Unpatched vulnerabilities were involved in 60% of data breaches.
The highest recorded average data breach cost is $4.35 million, while the average ransomware attack cost is $4.54 million.
On average, it takes about nine months (277 days) to detect and control a breach.
43% of breaches involve insiders, and 30% of breaches involve internal actors.
95% of data breaches result from human errors.
41% increase in ransomware-caused breaches, which take 49 days longer than average to manage.
20% of respondents express confidence in their ability to detect vulnerabilities before an application release, while over
60% struggle with effective remediation, and
50% fail to test application security post-release.
Attackers exploit vulnerabilities swiftly, with 25% of vulnerabilities targeted on the day of publication and 75% within 19 days.
Securing applications later in their development lifecycle poses a significant risk. 47% of organisations attribute challenges in remediating vulnerabilities post-production to a lack of qualified personnel.
The survey underscores a reactive approach to security education, with 68% of respondents engaging in secure coding training only due to compliance needs or in response to exploits. This indicates a heavy reliance on tools for vulnerability detection and overburdening security teams rather than investing in long-term human intervention during the development stage.
Key findings also point to a patching crisis. In the year before the study, 54% of respondents suffered security incidents due to unpatched vulnerabilities, with 51% experiencing over eight incidents. Only 11% believe they effectively patch vulnerabilities in a timely manner, while 55% blame misalignment.
Insurers doubled premiums in late 2021 to offset losses from ransomware claims. With attacks rising again, organizations can anticipate a new round of increases.
More than 20% of top 50K NPM packages may have maintenance gaps, based on analysis by Aqua. Deprecated, archived and “orphaned” NPM packages can contain unpatched and/or unreported vulnerabilities that pose a risk to the projects that depend on them.
JavaScript developers who rely on open-source NPM packages for their own projects may not be aware of the extent to which dependencies on deprecated packages impact their work.
[rG: SSDLC importance to regularly run SCA scans throughout complete software lifecycle to detect and remediate security vulnerabilities in 3rd party components.]
The problem is probably much worse because Aqua only checked direct dependencies, not transient ones as well — the dependencies of dependencies. The dependency chain for npm packages can go many levels deep and not accounting for this is a common reason why vulnerable code might make it into projects undetected.
CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group.
VENDORS & PLATFORMS
Merely days after the flaw became public knowledge, nearly 40,000 exploitation attempts targeting CVE-2023-22527 have been recorded in the wild as early as January 19 from more than 600 unique IP addresses.
This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.
A majority of the attacker IP addresses are from Russia (22,674), followed by Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador.
Over 11,000 Atlassian instances have been found to be accessible over the internet as of January 21, 2024, although it's currently not known how many of them are vulnerable.
The Hub contains detailed breakdowns of the type of surveillance systems used, from bodycams to biometrics, predictive policing software to gunshot detection microphones and drone-equipped law enforcement. It also has a full news feed so that concerned citizens can keep up with the latest US surveillance news; they can also contribute to the Atlas of Surveillance on the site. The Atlas allows anyone to check what law enforcement is being used in their local area – be it license plate readers, drones, or gunshot detection microphones. It can also let you know if local law enforcement is collaborating with third parties like home security vendor Ring to get extra information.
The Mobb approach eliminates the need for IT teams to sort through static application security testing (SAST) scans themselves. Each vulnerability typically requires at least 30 minutes to fix, so the Mobb platform improves application security while simultaneously making developers more productive.
Historically, one of the reasons for the wide divide between application development teams and cybersecurity professionals is that many of the vulnerabilities discovered don’t actually impact applications running in production environments. Development teams then find themselves wasting time investigating vulnerabilities and, when they do determine a vulnerability is an issue, spending time developing a patch.
The Mobb tool automatically creates the necessary patch, so there is less of a need to debate which vulnerabilities are worthy of the time required to create a patch.
Included in the new features, users can now view the integration of Checkmarx scans within the ServiceNow DevOps toolchain and directly associate ServiceNow DevOps orchestration tools, such as Azure DevOps, GitHub Actions or Jenkins, with Checkmarx scans to be run on the pipelines.
LEGAL
HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network."
That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.
The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.
HP also questions the security of third-party ink companies' supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.
The development makes InMarket the second data aggregator to face a ban in as many weeks after Outlogic (formerly X-Mode Social), which faced accusations that it had sold location information that could be used to track users' visits to medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.
Like Outlogic, InMarket is said to harvest location information from its own proprietary apps like CheckPoints and ListEase, and more than 300 other third-party applications that incorporate its software development kit (SDK). These apps have been downloaded onto over 420 million unique devices since 2017.
This historical data is then used to slot consumers into nearly 2,000 segments based on the locations visited and serve tailored ads on apps that include the SDK. It also offers a product that pushes ads to consumers based on their current whereabouts, serving ads related to medicines, for example, when a person is within 200 meters of a pharmacy.