Robert Grupe's AppSecNewsBits 2024-03-09
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
UnitedHealth could take months to fully recover from hack
UnitedHealth Group, the largest U.S. health insurer, is likely to need several months to make a full recovery from the Feb. 21 cyberattack by a hacking group called ALPHV/BlackCat, which has been one of the most disruptive hacks against America's healthcare infrastructure.
Change Healthcare processes about 50% of medical claims in the U.S. for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories. About 1 in 3 U.S. patient records are touched by its health technology offerings, making it an attractive target for hackers looking to gain access to a large swathe of healthcare data.
UnitedHealth has said it is working to restore impacted channels, and that some of its systems are returning to normal. While it has not provided a timeline for full recovery, cybersecurity analysts say that is likely quite far off.
The amount of disruption suggests they don’t have alternate systems at the ready. Customers directly impacted may see a fix sooner, but the back end, it takes a couple months, or upwards of a year.
[rG Best Practices Defenses: Critical business functions should be actively tested at least annually to validate security incident responses and prioritize continuous improvement efforts.]
This includes allowing Medicare providers to change clearing houses they use for claims processed during the outage via an expedited process. Additionally, the government "strongly encourages" Medicaid and Children's Health Insurance Program managed-care plans to either relax or remove prior authorization requirements and offer advance funding to providers. On top of that, Medicare Administrative Contractors are required to accept paper claims from providers while their electronic billing systems remain down.
HHS directed medical providers to its December concept paper that outlines a cyber security strategy for the sector. A month later, the Feds issued new voluntary cyber security performance goals for hospitals and other healthcare organizations – which some infosec experts predict probably won't be "voluntary" for very long.
The BlackCat ransomware group was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems. BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent.
On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online. The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat now says the group is shutting down and that it had already found a buyer for its ransomware source code.
In August, Avast researchers sent Microsoft a description of the zero-day, along with proof-of-concept code that demonstrated what it did when exploited. Microsoft didn’t patch the vulnerability until last month. Even then, the disclosure of the active exploitation of CVE-2024-21338 and details of the North Korean Lazarus rootkit came not from Microsoft in February but from Avast 15 days later.
The six-month wait gave Lazarus a much more efficient and stealthy way to install FudModule. Once in place, the rootkit allowed Lazarus to bypass key Windows defenses such as Endpoint Detection and Response, Protected Process Light—which is designed to prevent endpoint protection processes from being tampered with—and the prevention of reading memory and code injection by unprotected processes.
Now that the vulnerability is public, the risk of it being more widely exploited has grown. Windows users who have yet to patch should prioritize doing so.
[rG Best Practices Defenses: Urgently fix security vulnerabilities and automated rapid deployment of security fixes for any severity rating, because potential exploit attack chains are initially known or disclosed.]
Microsoft said that Kremlin-backed hackers who breached its corporate network in January have expanded their access since then in follow-on attacks that are targeting customers and have compromised the company's source code and internal systems.
The hacking group—which is tracked under multiple other names, including APT29, Cozy Bear, CozyDuke, The Dukes, Dark Halo, and Nobelium—has been using the proprietary information in follow-on attacks, not only against Microsoft but also its customers.
Microsoft said at the time that Midnight Blizzard gained access to senior executives’ email accounts for months after first exploiting a weak password in a test device connected to the company’s network. Microsoft said Midnight Blizzard used a password-spraying attack to compromise a “legacy non-production test tenant account” on the company’s network. Those details meant that the account hadn’t been removed once it was decommissioned, a practice that’s considered essential for securing networks. The details also meant that the password used to log in to the account was weak enough to be guessed by sending a steady stream of credentials harvested from previous breaches—a technique known as password spraying.
[rG Best Practices Defenses: (1) continuously test for secrets in source code, (2) remediate by changing compromised credential secrets, (3) ensure credential secrets are automatically changed regularly (30-days), (4) decommission run-times and source code that is no longer being used.]
Miscreants "likely acquired" information about 28,268 people's life insurance policies after infiltrating Infosys.
LockBit claimed to be behind the Infosys intrusion in November, shortly after the Indian tech services titan disclosed the "cybersecurity incident" affecting its US subsidiary. At this point, Infosys are unable to determine with certainty what personal information was accessed as a result of this incident. However, the US-headquartered firm says it "believes" the data included: names, Social Security numbers, states of residence, bank accounts and routing numbers, or credit/debit card numbers in combination with access code, password, and PIN for the account, and dates of birth. In other words: Potentially everything needed to drain a ton of people's bank accounts, pull off any number of identity theft-related scams — or at least go on a massive online shopping spree.
If the Fidelity security breach sounds familiar, it's because Infosys was also at the heart of a Bank of America leak disclosed last month. Back then BofA told 57,028 of its customers that crooks may have swiped from Infosys names, addresses, business email addresses, dates of birth, Social Security number, and "other account information."
[rG Best Practices Defenses: Reputation damage and liability exposure risks are increasing as a result of consolidated data processing Supply Chain dependencies: emphasizing the importance of sensitive data processing designs utilizing strong encryption, key management, and access control - both within, and across, organizational boundaries.]
A total of 1.3 million files were stolen during the incident at software biz Xplain in May 2023, meaning 5 percent of the entire trove related to the Swiss Federal Administration – a collection of seven federal agencies that alongside the Federal Council comprise the main government departments. Among them were classified files and sensitive, personally identifiable information (PII) – all of which are believed to be published on the dark web. Technical documentation on IT systems and software – requirement documents and architecture information – accounted for 278 of these files.
[rG Best Practices Defenses: Attacks and breaches will happen, but exposure can be prevented by ensuring strong encryption and access controls.]
As a precautionary measure, FINTRAC has taken its corporate systems offline in order to ensure their integrity and to protect the information that the Centre maintains. The cyber incident occurred during the weekend, and no further updates have been shared since then.
An attacker at a Tesla supercharger station could deploy a WiFi network called "Tesla Guest," an SSID that is commonly found at Tesla service centers and is familiar to car owners. Mysk used a Flipper Zero to broadcast the WiFi network but notes that the same can be accomplished with other devices that have WiFi hotspot capabilities, such as a computer, a Raspberry Pi, or an Android phone.
Once the victim connects to the spoofed network, they are served a fake Tesla login page asking to log in using their Tesla account credentials. After entering the Tesla account credentials, the phishing page requests the one-time password for the account, to help the attacker bypass the two-factor authentication protection.
The researchers reported their findings to Tesla saying that linking a car to a new phone lacks proper authentication security. However, the car maker determined the report to be out of scope.
HACKING
Fresh proof-of-concept (PoC) exploits are circulating in the wild for a widely targeted Atlassian Confluence Data Center and Confluence Server flaw. The new attack vectors could enable a malicious actor to stealthily execute arbitrary code within Confluence's memory without touching the file system.
Researchers at VulnCheck have been tracking the exploits for the CVE-2023-22527 remote code execution (RCE) vulnerability, which was disclosed in January. The CVE has since become a "hotbed of malicious activity," they noted, with VulnCheck currently tracking 30 unique in-the-wild exploits for the vulnerability, including the more recent options.
Most of the attacks against Confluence load the "infamous" Godzilla Web shell. Godzilla allows attackers to remotely control the compromised server, execute arbitrary commands, upload and download files, manipulate databases, and perform other malicious activities. By exploiting this target, you're getting an on-prem version with business specific logic in it. It's pretty attractive for ransomware attackers specifically. Organizations must evolve a step to start catching this sort of thing, for example with network-based detection or by scanning Java memory for malicious Web shells.
[rG: Not only are company internal wikis rich sources of information for attackers, but also can be used for lateral movement and payload deployments within networks.]
The vulnerability, tracked as CVE-2024-27198 (CVSS score: 9.8), refers to an authentication bypass bug that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.
[rG: Developer tools also are key targets for Supply Chain attacks.]
Fonts are often distributed as archive files – an approach that helps to reduce their size and bundle font families together. However, when tools like FontForge reach into the archive file and modify files in situ, they first extract a temporary directory to work on them. Researchers were able to get command injection in FontForge – which they warned is a possibility in both server mode and in the desktop application.
CVE-2023-45139 is a high-severity bug (7.5/10) in FontTools – a library for manipulating fonts, written in Python. The package can use an untrusted XML file when processing an SVG table in an attempt to subset a font (that is, reduce its size by getting rid of unneeded scripts). The researchers used this method to produce a subsetted font with an SVG table that included an entity resolved to a password file.
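A pre-parse guard against the entity pattern described for CVE-2023-45139, as an added example (it is not FontTools code): it walks an SVG document with the standard-library expat parser and refuses DOCTYPE and entity declarations before any other tool touches the data. The function name `reject_reason` and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised by the handlers below when a forbidden declaration is seen."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXML(f"DOCTYPE declaration not allowed (root element {name!r})")


def _on_entity(name, is_param, value, base, sysid, pubid, notation):
    if sysid is not None:
        raise UnsafeXML(f"entity {name!r} declared with system id {sysid!r}")
    raise UnsafeXML(f"internal entity {name!r} declared")


def _on_external_ref(context, base, sysid, pubid):
    raise UnsafeXML(f"external entity reference to {sysid!r}")


def reject_reason(data, allow_doctype=False):
    """Return None if the XML is acceptable, else a string saying why not.

    Nothing is resolved or fetched: the handlers raise as soon as a
    declaration is parsed, before an entity reference could be expanded.
    allow_doctype=True tolerates a bare DOCTYPE (legacy SVG files carry one)
    but still rejects every entity declaration inside it.
    """
    parser = xml.parsers.expat.ParserCreate()
    if not allow_doctype:
        parser.StartDoctypeDeclHandler = _on_doctype
    parser.EntityDeclHandler = _on_entity
    parser.ExternalEntityRefHandler = _on_external_ref
    try:
        parser.Parse(data, True)
    except UnsafeXML as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


# Constructed sample inputs (not taken from the research write-up).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<path d="M0 0L10 10"/></svg>'
)
ENTITY_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [<!ENTITY leak SYSTEM "file:///constructed/secret.txt">]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&leak;</text></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("entity", ENTITY_SVG)):
        print(label, "->", reject_reason(doc) or "accepted")
```

Run the check on every SVG table extracted from an untrusted font before subsetting, and treat any non-None result as a reason to drop the file.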
CVE-2024-25081 and CVE-2024-25082 are both rated 4.2/10, and are respectively associated with naming conventions and compression.
Tools like FontForge and ImageMagick can rename filenames of fonts, allowing users to work within a complex naming system to better locate a desired font inside a collection. However, the need to preserve the filename can lead to security challenges when operating on untrusted data. The researchers were able to construct a simple proof of concept in the form of a shell execution that allowed FontForge to open files to which it shouldn't have access – which is bad.
"In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network," it noted. "Now, they also focus on devices with access to public AI systems."
Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023.
According to the research paper ArtPrompt: ASCII Art-based Jailbreak Attacks against Aligned LLMs, chatbots such as GPT-3.5, GPT-4, Gemini, Claude, and Llama2 can be induced to respond to queries they are designed to reject using ASCII art prompts generated by their ArtPrompt tool. It is a simple and effective attack, and the paper provides examples of the ArtPrompt-induced chatbots advising on how to build bombs and make counterfeit money.
The FBI recorded 2,825 complaints linked to ransomware last year, impacting critical infrastructure sectors, including healthcare, manufacturing, government, and IT. The total amount of losses is estimated to have exceeded $59.6 million. However, it should be noted that this number reflects only reported payments and is likely far lower than the total number of ransom demands paid by companies in 2023. The majority of ransomware attack reports concerned attacks from LockBit (175), ALPHV/BlackCat (100), Akira (95), Royal (63), and Black Basta (41).
The number of relevant complaints submitted to the FBI in 2023 reached 880,000, 10% higher than the previous year, with the age group topping the report being people over 60, which shows how vulnerable older adults are to cybercrime.
For 2023, the types of crimes that increased were tech support scams and extortion, whereas phishing, personal data breach, and non-payment/non-delivery scams slightly waned.
IC3's 2023 Internet Crime Report highlights four online crimes that caused the most financial losses in the United States last year: Business Email Compromise (BEC), investment fraud, ransomware, and tech/customer support and government impersonation scams.
In 2023, BEC scams resulted in over $2.9 billion in losses from 21,489 complaints, with the agency observing the trend of fraudsters using cryptocurrency platforms for quick fund dispersal.
Investment fraud increased by 38% last year, causing confirmed losses of $4.57 billion. This was primarily driven by a 53% rise in cryptocurrency scam losses of $3.94 billion.
Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors’ browsers to perform password-cracking attacks. This campaign is significant because it leverages the computers and Internet connections of unwitting visitors who have done nothing wrong.
The script—just 3 kilobits in size—reaches out to an attacker-controlled getTaskURL, which in turn provides the name of a specific user on a specific WordPress site, along with 100 common passwords. When this data is fed into the browser visiting the hacked site, it attempts to log in to the targeted user account using the candidate passwords. The JavaScript operates in a loop, requesting tasks from the getTaskURL, reporting the results to the completeTaskURL, and then performing the steps again and again. The attackers are trying 41,800 passwords against each targeted site.
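Detection logic for the two login-guessing shapes this issue covers, as an added example that is not from any of the cited reports: one source failing against many accounts (the password spraying described for the Microsoft test tenant) and one account failing from many unrelated sources (visitor browsers each working through a password batch, as in the WordPress campaign). The log format, thresholds, and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line):
    """Parse the assumed format: '<ISO time>Z <OK|FAIL> user=<name> src=<ip>'."""
    ts, outcome, user_kv, src_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        outcome,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def _burst(failures, key_idx, val_idx, threshold, window):
    """Map each key to the largest number of distinct values seen inside any
    sliding window, keeping only keys that reach the threshold."""
    by_key = defaultdict(list)
    for event in failures:
        by_key[event[key_idx]].append((event[0], event[val_idx]))
    flagged = {}
    for key, items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans <= window.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({value for _, value in items[start:end + 1]})
            if distinct >= threshold:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


def detect(lines, threshold=4, window=timedelta(minutes=10)):
    """Return sources that look like spraying and accounts under distributed guessing."""
    failures = [e for e in map(parse, lines) if e[1] == "FAIL"]
    return {
        # key = source IP, counted value = distinct usernames it failed on
        "spray_sources": _burst(failures, 3, 2, threshold, window),
        # key = username, counted value = distinct source IPs that failed on it
        "distributed_targets": _burst(failures, 2, 3, threshold, window),
    }


# Constructed sample events; addresses are from documentation ranges.
SAMPLE = (
    [f"2024-03-07T10:0{i}:00Z FAIL user={u} src=203.0.113.9"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [f"2024-03-07T11:0{i}:30Z FAIL user=wpadmin src=198.51.100.{i + 1}"
       for i in range(4)]
    + ["2024-03-07T12:00:00Z FAIL user=frank src=192.0.2.10",
       "2024-03-07T12:00:20Z FAIL user=frank src=192.0.2.10",
       "2024-03-07T12:00:40Z OK user=frank src=192.0.2.10"]
)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Per-IP rate limiting alone misses the second shape because every source stays under its own limit, so the per-account count is the one to alert on there.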
A gang of hackers specialized in business email compromise (BEC) attacks and tracked as TA4903 has been impersonating various U.S. government entities to lure targets into opening malicious files carrying links to fake bidding processes from the U.S. Department of Transportation, the U.S. Department of Agriculture (USDA), and the U.S. Small Business Administration (SBA). The latest tactic observed is the use of QR codes in PDF document attachments.
Patching quickly is critical in beating 1-day exploitation, while additional measures such as network segmentation, endpoint protection, and multi-factor authentication can help mitigate the impact of potential breaches.
APPSEC, DEVSECOPS, DEV
External attack surfaces are increasingly complex and distributed and, therefore, harder to monitor and secure. This expanded attack surface gives hackers plenty of blind spots and gaps to exploit. Exposure management aims to reduce that complexity by giving you visibility of all points within your attack surface that an attacker could use to breach your organization and ultimately pose a risk to the business. Exposure management can also help increase visibility of your entire attack surface, including data assets such as code repositories like GitHub and GitLab, so you can more accurately find opportunities for an attacker and shut them down before they pose too great of a risk to your business.
External Attack Surface Management (ASM) is the ongoing process of discovering and identifying assets which can be seen by an attacker on the internet, showing where security gaps exist, where they can be used to perform an attack, and where defenses are strong enough to repel an attack. Exposure management takes this a step further to include data assets, user identities, and cloud account configuration, which helps you understand your exposure and reduce it where necessary.
The AI Incident Database is modeled on the CVE Program set up by the non-profit MITRE, funded by Underwriters Laboratories – the largest and oldest (est. 1894) independent testing laboratory in the United States. The website is unique in that it focuses on real-world impacts from the risks and harms of AI – not just vulnerabilities and bugs in software. The organization currently collects incidents from media coverage and reviews issues reported by people on Twitter. The AI Incident Database logged 250 unique incidents before the release of ChatGPT in November 2022, and now lists over 600 unique incidents.
1. Ransomware
2. Third-party risks
3. Insider threats
4. Distributed denial-of-service attacks
[rG: See article for evaluation criteria.]
Since ChatGPT dropped in the fall of 2022, everyone and their donkey has tried their hand at prompt engineering—finding a clever way to phrase your query to a large language model (LLM) or AI art or video generator to get the best results or sidestep protections. However, new research suggests that prompt engineering is best done by the model itself, and not by a human engineer. This has cast doubt on prompt engineering’s future—and increased suspicions that a fair portion of prompt-engineering jobs may be a passing fad, at least as the field is currently imagined.
Battle and Gollapudi decided to systematically test how different prompt-engineering strategies impact an LLM’s ability to solve grade-school math questions. What they found was a surprising lack of consistency. Even chain-of-thought prompting sometimes helped and other times hurt performance. “The only real trend may be no trend,” they write. “What’s best for any given model, dataset, and prompting strategy is likely to be specific to the particular combination at hand.”
Battle says that optimizing the prompts algorithmically fundamentally makes sense given what language models really are—models. “A lot of people anthropomorphize these things because they ‘speak English.’ No, they don’t,” Battle says. “It doesn’t speak English. It does a lot of math.” In fact, in light of his team’s results, Battle says no human should manually optimize prompts ever again.
Developers of AI tools should not trust LLM (Large Language Model, which is what AI systems such as ChatGPT are called) output anywhere in your application. Further, keeping humans in the loop is imperative — every AI agent action should require approval. You don’t want an LLM that is reading your email to be able to turn around and send an email. There should be a boundary there.
Security measures are similar to the ones you would use for selecting an app. As more and more AI tools are built on top of the LLMs, it is critical that you vet them before using or downloading them. Start by getting your GPTs from a reliable source.
If you see a prompt on a website or social media that you’d like to try, type it out instead of copying and pasting. This way you won’t inadvertently copy hidden malicious code.
Data governance pertains to internal data management and consists of ensuring observability, control and scalability.
While data governance largely pertains to internal data management, data security specifically involves preventing unauthorized access to sensitive data by external actors. This is typically accomplished through practices such as end-to-end encryption, purging data once it is no longer needed, anonymizing or excluding sensitive data from data repositories, private networking and deployment and maintaining data residency in specific regions.
Based on your industry and jurisdiction, you must ensure the vendors you partner with offer the necessary certifications (like SOC2, ISO 27001 and HIPAA). In general, security depends on allowing only the minimal necessary access privileges for different categories of stakeholders to perform their roles.
The DevSecOps technique is shifting its attention away from merely concentrating on the discovery of security breaches and instead shifting its focus to the implementation of continuous monitoring and swift remedial actions.
The development of software bill of materials, which is sometimes referred to as SBOMs, is a manifestation of this trend and provides an increased degree of transparency within the software supply chain context. In spite of this, there are still challenges that need to be conquered in order to ensure that the data that SBOMs provide is consistent and relevant.
According to the Synopsys State of DevSecOps 2023 Report, approximately:
70% of companies have not only standardized their security processes and procedures across their organization but also ensured these practices are continuously analyzed and improved.
65% of developers have stated that they are utilizing or planning to incorporate artificial intelligence and machine learning in their testing efforts over the next three years.
If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.
[rG: Interesting analysis of online business model.]
VENDORS & PLATFORMS
A constellation of four vulnerabilities—two carrying severity ratings of 9.3 out of a possible 10—are serious because they undermine the fundamental purpose of the VMware products, which is to run sensitive operations inside a virtual machine that’s segmented from the host machine.
Everyone seems to agree that Kubernetes is too expensive to run. The problem is the way we build applications.
Kubernetes’ replication made it possible to easily declare “I need three instances” or “I need five instances,” and the Kubernetes control plane would manage all of these automatically—keeping them healthy, recovering from failure, and gracefully handling deployments. But this is the first place where Kubernetes started to get expensive. To handle scaling and failure, Kubernetes ran N instances of an app, where N tends to be at least three, but often five or more. But replicas are not the only thing that makes Kubernetes expensive. The sidecar pattern also contributes. Now one microservice could have four or five sidecars, which means when you are running five replicas, you are now running around 25 or 30 containers.
This is where the notion of serverless computing comes in, and WebAssembly.
There will now be two fees that accompany External Offers program transactions:
An initial acquisition fee, which is 10% for in-app purchases or 5% for subscriptions for two years. Google says this fee represents the value that Play provided in facilitating the initial user acquisition through the Play Store.
An ongoing services fee, which is 17% for in-app purchases or 7% for subscriptions. This reflects the “broader value Play provides users and developers, including ongoing services such as parental controls, security scanning, fraud prevention, and continuous app updates.”
With these fees, Google is going the route of Apple, which reduced its App Store commissions in the EU to comply with the DMA but implemented a new Core Technology Fee that required developers to pay €0.50 for each first annual install per year over a 1 million threshold for apps distributed outside the App Store. Apple justified the fee by explaining that the services it provides developers extend beyond payment processing and include the work it does to support app creation and discovery, craft APIs, frameworks and tools to support developers’ app creation work, fight fraud and more.
LEGAL
Bank of America secured a record 644 U.S. patents in 2023, up 13% from the previous year, as the lender focused on information security, artificial intelligence (AI) and machine learning. The second-largest U.S. lender now has 6,600 granted patents or pending applications worldwide, including more than 800 related to AI. Its more than 7,300 inventors span 42 U.S. states and 14 countries.