Robert Grupe's AppSecNewsBits 2024-03-23
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
UnitedHealth Group has paid more than $2 billion to providers following cyberattack
UnitedHealth disclosed nearly a month ago that a cyber threat actor breached part of Change Healthcare’s information technology network. The fallout has wreaked havoc across the U.S. health-care system. Change Healthcare offers e-prescription software and tools for payment management, so the interruptions left many providers temporarily unable to fill medications or get reimbursed for their services by insurers.
UnitedHealth Group said it’s paid out more than $2 billion in advances to help affected health-care providers. UnitedHealth said the advances will not need to be repaid until claims flows return to normal. Federal agencies like the Centers for Medicare & Medicaid Services have introduced additional options to ensure that states and other stakeholders can make interim payments to providers.
UnitedHealth said it began releasing medical claims preparation software, which will be available to thousands of customers in the next several days.
[rG: This is looking to be the most expensive attack in history so far, and is being closely watched by threat actors in selecting their next US targets. See below in LEGAL]
This data includes names, addresses, mobile phone numbers, encrypted date of birth, encrypted social security numbers, and other internal information. The data is from an alleged 2021 AT&T data breach that a threat actor known as ShinyHunters attempted to sell on the RaidForums data theft forum for a starting price of $200,000 and incremental offers of $30,000. The hacker stated they would sell it immediately for $1 million. When we told ShinyHunters that AT&T said the data did not originate from them, they replied, "I don't care if they don't admit. I'm just selling." Another threat actor known as MajorNelson leaked data from this alleged 2021 data breach for free on a hacking forum, claiming it was the data ShinyHunters attempted to sell in 2021.
If you receive any SMS texts or phishing emails claiming to be from AT&T, be very careful about providing any information. Instead, contact AT&T directly to confirm that they attempted to contact you.
As of now, all 49M impacted email addresses are searchable within HIBP.
As I'm fond of saying, there's only one thing worse than your data appearing on the dark web: it's appearing on the clear web. And that's precisely where it is; the forum this was posted to isn't within the shady underbelly of a Tor hidden service, it's out there in plain sight on a public forum easily accessed by a normal web browser. And the data is real. The old adage of "absence of evidence is not evidence of absence" comes to mind (just because they can't find evidence of it doesn't mean it didn't happen).
Social security numbers and dates of birth exist on most rows of the data in encrypted format, but two supplemental files expose these in plain text. Taken at face value, it looks like whoever snagged this data also obtained the private encryption key and simply decrypted the vast bulk (but not all of) the protected values.
What I'll typically do in a scenario like this is reach out to the 30 newest subscribers (people who will hopefully recall the nature of HIBP from their recent memory), and ask them if they're willing to assist. I linked to the story from the beginning of this blog post and got a handful of willing respondents for whom I sent their data and asked two simple questions:
Does this data look accurate?
Are you an AT&T customer and if not, are you a customer of another US telco?
"What do I do?" Usually I'd tell them to get in touch with the impacted organisation and request a copy of their data from the breach, but if AT&T's position is that it didn't come from them then they may not be much help. I've personally also used identity theft protection services since as far back as the 90's now, simply to know when actions such as credit enquiries appear against my name. In the US, this is what services like Aura do and it's become common practice for breached organisations to provide identity protection subscriptions to impacted customers.
The technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it.
Only 36 percent of installed Safloks have been updated. Given that the locks aren't connected to the Internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.
For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door.
The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.
Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in fact it's actually not!) and the data from this “address” will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels.
A malicious actor could have exploited the FlowFixation flaw to take over the targeted user’s MWAA web management panel and leverage it to perform tasks such as reading connection strings, adding configurations, and triggering directed acyclic graphs, which could have led to remote code execution on the underlying instance or lateral movement to other services.
Many cloud services offered by the same vendor share a parent domain. For instance, several AWS services use ‘amazonaws.com’. The problem is that some assets may also allow client-side code execution as a service. This scenario is like an XSS on a subdomain of a website you do not own. In an on-prem setting you would not normally allow users to run XSS on your subdomain, but in the cloud, allowing this is quite natural,” the security firm added. “For example, when creating an AWS S3 bucket, you can run client-side code by storing an HTML page in your bucket. The code will run in the context of the S3 bucket subdomain you were granted and also in the context of the shared parent domain, ‘amazonaws.com’.”
AWS and Microsoft took steps to mitigate the risk in response to Tenable’s report, but Google said it would not implement a fix after determining that it is not severe enough to be tracked as a security issue.
If you're using Google's Firebase, make sure it's securely configured to avoid leaking private info to the rest of the world.
Penetration testers previously identified exposed credentials in AI hiring service chattr's Firebase implementation. They found a way to use Firebase's registration feature to create a new user with administrative read and write privileges. Following that dumpster fire, the cyber-trio decided to conduct an internet-wide search for poorly configured Firebase databases using a scanning program. The code took between two and three weeks to scour 5.2 million domains, and ultimately ended up with a list of data obtainable from more than 900 websites. All told, the list included almost 125 million records, with 85 million names, 106 million email addresses, 34 million phone numbers, 20 million passwords, and 27 million billing details.
24 percent of site owners fixed the misconfiguration, though just one percent of site owners mailed back and a mere 0.2 percent of site owners – just two of them – offered some form of bug bounty.
While external link previews should ideally show the first immediate domain a link takes you to when you click on it, X does the opposite. The social media platform tries to determine (albeit unsuccessfully) the ultimate destination where a URL takes you and shows that as the website name, in a post.
Once a user arrives at the posted URL, its server determines whether a request originates from a web browser or a bot—such as Twitter's, being used to generate link previews. It does so by checking the User-Agent HTTP header within an incoming request.
If a request is coming from a web browser, meaning most likely a human clicked on the link, the site happily and sneakily redirects the user. Otherwise, when it suspects that a bot or an automated tool is in use to trace where joinchannelnow ultimately redirects to, it redirects the request to a legitimate location.
This is how X can be fooled into showing a website name in a post (or worse, an ad) which is completely different from where users would be arriving. The slick trick can be abused by all kinds of adversaries, from crypto scammers to those pushing malware, trojanized app installs, phishing, and spam services to prey on unsuspecting users.
Suffice to say, it's best not to click on external links in Twitter posts and ads without hovering over them and paying close attention to the URL shown in your browser's status bar. On mobile devices, it's safest to not tap on posts with links at all.
While many of these mismatches are the result of protocol specification differences or variations in the scripts section of the package file, 18 of them are said to have been designed to exploit manifest confusion.
Manifest confusion was first documented in July 2023, when security researcher Darcy Clarke found that mismatches in manifest and package metadata could be weaponized to stage software supply chain attacks. The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint. As a result, a threat actor could take advantage of this lack of cross verification to supply a different manifest containing hidden dependencies that's processed during package installation to stealthily install malicious dependencies onto the developer's system.
[rG: Bottom line is that all 3rd party components need to be managed in an organizational authoritative binary repository and monitored (daily) using SCA vulnerability scans.]
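The cross-check the npm registry is described above as not performing can be run on the consumer side before a package is admitted to an internal repository. The following is an added example, not code from npm or from the researchers cited; the two manifests are constructed samples, and the severity rules (dependency and install-hook mismatches are high, other script differences are low) are assumptions for illustration.

```javascript
// Added example: compare the manifest the registry serves for a version with
// the package.json found inside that version's tarball.
// Both sample manifests below are constructed, not taken from a real package.
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];
// Scripts that npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = new Set(["preinstall", "install", "postinstall"]);

// Diff two {name: value} maps and record which side each mismatch lives on.
function diffMap(field, registrySide, tarballSide, severityFor) {
  const reg = registrySide || {};
  const tar = tarballSide || {};
  const keys = [...new Set([...Object.keys(reg), ...Object.keys(tar)])].sort();
  const findings = [];
  for (const key of keys) {
    if (reg[key] === tar[key]) continue;
    const kind = !(key in tar) ? "registry-only"
               : !(key in reg) ? "tarball-only"
               : "value-differs";
    findings.push({ field, key, kind, severity: severityFor(key),
                    registry: reg[key] ?? null, tarball: tar[key] ?? null });
  }
  return findings;
}

function compareManifests(registryManifest, tarballManifest) {
  const findings = [];
  // Identity fields: a mismatch means the tarball is not what the listing claims.
  for (const field of ["name", "version"]) {
    if (registryManifest[field] !== tarballManifest[field]) {
      findings.push({ field, key: field, kind: "value-differs", severity: "high",
                      registry: registryManifest[field] ?? null,
                      tarball: tarballManifest[field] ?? null });
    }
  }
  // Dependencies visible on only one side are the "hidden dependency" case.
  for (const field of DEP_FIELDS) {
    findings.push(...diffMap(field, registryManifest[field],
                             tarballManifest[field], () => "high"));
  }
  // Install hooks execute code; other script differences are often benign.
  findings.push(...diffMap("scripts", registryManifest.scripts,
                           tarballManifest.scripts,
                           (name) => (INSTALL_HOOKS.has(name) ? "high" : "low")));
  return findings;
}

// Gate decision for an internal repository (policy names are assumptions).
function verdict(findings) {
  if (findings.some((f) => f.severity === "high")) return "block";
  return findings.length > 0 ? "review" : "ok";
}

// Constructed sample: what the registry reports for the version.
const REGISTRY_MANIFEST = {
  name: "example-utils",
  version: "1.4.2",
  dependencies: { "left-helper": "^2.0.0", "hidden-fetcher": "1.0.0" },
  scripts: { test: "node test.js" },
};
// Constructed sample: package.json extracted from the tarball.
const TARBALL_MANIFEST = {
  name: "example-utils",
  version: "1.4.2",
  dependencies: { "left-helper": "^2.0.0" },
  scripts: { test: "jest", postinstall: "node setup.js" },
};

const sampleFindings = compareManifests(REGISTRY_MANIFEST, TARBALL_MANIFEST);
for (const f of sampleFindings) {
  console.log(`${f.severity.toUpperCase()} ${f.field}.${f.key}: ${f.kind}`);
}
console.log("verdict:", verdict(sampleFindings));
```

In a pipeline, the first argument would be the version object returned by the registry and the second the parsed package.json from the downloaded tarball.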
HACKING
Unless you want to be the next Change Healthcare, that is
The Feds and friends yesterday issued yet another warning about China's Volt Typhoon gang, this time urging critical infrastructure owners and operators to protect their facilities against destructive cyber attacks that may be brewing.
As a first step, organizations should use intelligence-informed prioritization tools, such as the Cybersecurity Performance Goals (CPGs) or derived guidance from an SRMA.
A novel cyberattack method dubbed "Conversation Overflow" has surfaced, attempting to get credential-harvesting phishing emails past artificial intelligence (AI)- and machine learning (ML)-enabled security platforms.
Cybercriminals craft emails with two distinct parts; a visible section prompting the recipient to click a link or send information, and a concealed portion containing benign text intended to deceive AI/ML algorithms by mimicking "known good" communication. The goal is to convince the controls that the message is a normal exchange, with attackers betting humans won't scroll down four blank pages to the bottom to see the unrelated fake conversation meant for AI/ML's eyes only. Once these attacks bypass security measures, cybercriminals can then use the same email conversation to deliver authentic-looking messages requesting that executives reauthenticate passwords and logins, facilitating credential theft.
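One defensive check that follows from the structure described above is to locate the long run of blank lines and score only the part a recipient actually sees. The following is an added example, not code from any vendor mentioned; the 40-line gap threshold, the function name and the sample messages are assumptions, and the body is assumed to be already rendered to plain text.

```javascript
// Added example: split a plain-text body at an abnormally long interior run
// of blank lines, so a classifier can score the visible part on its own.
// Lines holding only whitespace or zero-width characters count as blank.
const BLANK = /^[\s\u200b\u200c\u200d]*$/;

function analyzeBody(body, minGapLines = 40) {
  const lines = body.replace(/\r\n?/g, "\n").split("\n");
  // Skip padding at the very start and end so any run found is interior.
  let first = 0;
  let last = lines.length - 1;
  while (first <= last && BLANK.test(lines[first])) first++;
  while (last >= first && BLANK.test(lines[last])) last--;

  // Find the longest run of consecutive blank lines between first and last.
  let best = { start: -1, length: 0 };
  let runStart = -1;
  for (let i = first; i <= last; i++) {
    if (BLANK.test(lines[i])) {
      if (runStart < 0) runStart = i;
      const length = i - runStart + 1;
      if (length > best.length) best = { start: runStart, length };
    } else {
      runStart = -1;
    }
  }

  const split = best.length >= minGapLines;
  const visible = (split ? lines.slice(first, best.start)
                         : lines.slice(first, last + 1)).join("\n");
  const hidden = split
    ? lines.slice(best.start + best.length, last + 1).join("\n")
    : "";
  return {
    gapLines: best.length,
    suspicious: split,                       // long gap with text on both sides
    visibleHasLink: /https?:\/\//i.test(visible),
    visible,                                 // feed this part to the classifier
    hidden,                                  // keep for analyst review
  };
}

// Constructed sample: short lure, long blank gap, then a benign-looking thread.
const PADDED_SAMPLE =
  "Your mailbox password expires today.\n" +
  "Reauthenticate here: https://login.example.invalid/reauth" +
  "\n".repeat(200) +
  "Hi Dana,\nThanks for sending the Q3 notes, they look fine to me.\nRegards,\nSam";

// Constructed sample: an ordinary message with normal paragraph spacing.
const NORMAL_SAMPLE =
  "Hi Sam,\n\nNotes attached.\n\n\nRegards,\nDana";

const padded = analyzeBody(PADDED_SAMPLE);
console.log("gap lines:", padded.gapLines, "suspicious:", padded.suspicious);
console.log("visible part:\n" + padded.visible);
```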
After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices.
A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven – but they aren't required to have tested safety controls built in.
Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs.
"We discovered that they are distributed with factory default firmware settings that present considerable security risks."
This included an exposed API that permits over-the-air (OTA) updates. The devices also have Wi-Fi and Bluetooth enabled by default, with a "predictable" Bluetooth identifier and Wi-Fi Service Set Identifier (SSID) and weak default password. That makes it easy to connect to the device and then obtain network access to the rest of the vehicle's systems – at least for attackers within wireless range. This can be achieved via a drive-by attack, or by hanging out at truck stops, rest stops, distribution centers, ports – basically anywhere that heavy-duty trucks tend to congregate.
DDP services allow users to upload and share PDF files in a browser-based interactive flipbook format, adding page flip animations and other skeuomorphic effects to any catalog, brochure, or magazine.
Threat actors have been found to abuse the free tier or a no-cost trial period offered by these services to create multiple accounts and publish malicious documents.
Besides exploiting their favorable domain reputation, the attackers take advantage of the fact that DDP sites facilitate transient file hosting, thereby allowing published content to automatically become unavailable after a predefined expiration date and time.
There has been a fall in the number of reported healthcare data breaches for the second consecutive month, with 59 data breaches of 500 or more records reported. There were 24 data breaches of 10,000 or more healthcare records in February, the largest of which was a 2.35 million record data breach at Medical Management Resource Group, which does business as American Vision Partners. A further 1.67 million records were compromised in breaches at Eastern Radiologists and Unite Here, both of which were hacking incidents. Only four breaches of 10,000 or more records were not hacking incidents.
APPSEC, DEVSECOPS, DEV
GenAI adoption is predicted to collapse the skills gap, removing the need for specialised education from 50% of entry-level cybersecurity positions.
Enterprises which combine GenAI with integrated platforms-based architecture in security behaviour and culture programs (SBCP) are expected to experience 40% fewer employee-driven cybersecurity incidents.
Cybersecurity leaders face growing personal legal exposure due to new laws and regulations. By 2027, two-thirds of global 100 organisations will extend directors and officers (D&O) insurance to cybersecurity leaders to mitigate this risk.
By 2028, enterprises are expected to spend over US$500 billion on combating malinformation (information that is based on fact, but used out of context to mislead, harm, or manipulate a person, organization, or country), cannibalising half of marketing and cybersecurity budgets.
By 2027, 70% of organisations are likely to merge data loss prevention and insider risk management disciplines with identity and access management (IAM) context for more effective detection of suspicious behaviour.
Application security is trending towards becoming more user-friendly, with 30% of cybersecurity functions likely to be redesigned to be directly consumed by non-experts and owned by application owners by 2027. “To bridge the gap, cybersecurity functions must build minimum effective expertise in these teams, using a combination of technology and training to generate only as much competence as is required to make cyber risk informed decisions autonomously.”
High-profile breaches show how quickly a hack of one widely used software tool or service provider can spread. The way in which third-party dependencies are managed is probably insufficient for today’s market, given the threat outlook and the sophistication of the actors that are engaged in either social engineering tactics or in ransomware operations. Many now require third-party providers to adhere more closely to best practices from the U.S. Commerce Department’s National Institute of Standards and Technology, and others.
Every organization should be looking where their sensitive data is, if third and fourth parties have access to that data, and if those organizations have a good data classification policy.
[rG: Organizations need to ensure that data sensitivity analysis is regularly done for internally developed applications as part of SSDLC, as well as all SaaS development tools.]
Pulling together an AI project isn't that much different from constructing any other piece of software. You'll typically glue together libraries, packages, training data, models, and custom source code to perform inference tasks. Code components available from public repositories can contain hidden backdoors or data exfiltrators, and pre-built models and datasets can be poisoned to cause apps to behave unexpectedly inappropriately.
Bad packages could lead to developers' workstations being compromised, leading to damaging intrusions into corporate networks, and tampered-with models and training datasets could cause applications to wrongly classify things, offend users, and so on. Backdoored or malware-spiked libraries and models, if incorporated into shipped software, could leave users of those apps open to attack as well.
If you think of a pie chart of how you're gonna get hacked once you open up an AI department in your company or organization, a tiny fraction of that pie is going to be model input attacks, which is what everyone talks about. And a giant portion is going to be attacking the supply chain – the tools you use to build the model themselves.
Hugging Face hosts hundreds of thousands of neural network models, datasets, and bits of code developers can download and use with just a few clicks or commands.
The Safetensors converter runs on Hugging Face infrastructure, and can be instructed to convert a PyTorch Pickle model hosted by Hugging Face to a copy in the Safetensors format. But that online conversion process itself is vulnerable to arbitrary code execution.
[rG: Amen! Secure Software Development Lifecycle Process (SSDLC) needs to be applied to any type of API, web, or mobile applications. Keep in mind that neglecting security upfront results in future compounded interest damages. QA Maxim: Do it right in the first place, or suffer much higher future impact and remediation costs.]
90% of organizations currently use AI/ML-powered tools in some capacity to assist in security scanning and remediation.
32% of organizations use AI/ML-powered tools to write code. This indicates the majority still are wary of the potential vulnerabilities that AI-generated code can introduce to enterprise software.
47% use between four and nine application security solutions. 33% are using 10 or more application security solutions.
40% of survey respondents said it typically takes a week or longer to get approval to use a new package or library.
25% of security teams’ time is spent remediating vulnerabilities.
48.9% of CVEs analyzed hold the potential for a DoS attack, and 18.9% have the potential for remote code execution.
53% use four to nine programming languages, and 31% use more than 10 languages.
JFrog Security Research team downgraded the severity of 85% of Critical CVEs and 73% of High CVEs on average after analyzing 212 different high-profile CVEs discovered in 2023. Additionally, JFrog found that 74% of the reported common CVEs with High and Critical CVSS scores on the top 100 Docker Hub community images weren’t exploitable.
74% of the reported common vulnerabilities and exposure (CVEs) with high and critical CVSS scores assigned to the top 100 Docker Hub community images weren’t actually exploitable. Only 17% of the vulnerabilities analyzed enabled remote code execution, compared to 44% that could enable a denial of service (DoS) attack.
Tools that generate alerts based on severity rather than also rating exploitability are creating too much noise simply because they don’t provide enough contextual analysis.
The most frequently used tools are static application security testing (61%), dynamic application security testing (58%), software composition analysis testing (56%), and application programming interface (API) security (56%).
A full 89% said their organization has adopted a security framework such as OpenSSF or Supply-chain Levels for Software Artifacts (SLSA).
Commerce is the most attacked vertical with 44% of API attacks, followed by business services at nearly 32%.
It’s not unusual for organizations to have over 10,000 APIs across their infrastructures. Even more critical is a lack of visibility. Once an API is deployed, it can become invisible to security teams. This type of shadow API, even if perfectly written, is now open to potential abuse or exploitation.
Discovery is not a “one-and-done” proposition; it must be a continuous activity. This involves ongoing monitoring of API interactions across your enterprise infrastructure to understand the full scope of your organization’s API activity.
Example of how to configure request filtering settings in the web.config file.
Zero tolerance of failure by information security professionals is unrealistic, and makes it harder for cyber security folk to do the essential part of their job: recovering fast from inevitable attacks. Relying on adrenaline also means the business assumes infosec teams are capable of heroic effort, motivated by the fear that cyber attacks create personal consequences of being fired or even prosecuted.
Developing recovery playbooks and practising their execution will help to keep infosec teams effective – by making heroic action less necessary and by allowing cyber security practitioners to follow processes they have rehearsed. Incident response plans must create at least two teams who work on strictly defined shifts, so that incident responders get proper rest.
Questions often include:
"How much cybersecurity is enough?"
"What tools do we need to buy?"
"Are we compliant with the latest cybersecurity regulations?"
"Can we guarantee we won't be hacked?"
"How does our cybersecurity spending compare to our competitors?"
Instead, encouraging the board to ask strategic questions like, "What resources do we need to feel comfortable with our level of risk?" transforms the dialogue.
Communicating the Need for the Cybersecurity Program to the Board:
Speak the Language of the Board: Perform a Business Impact Analysis and translate technical cybersecurity risks into business terms that resonate with the board, such as financial impact, regulatory compliance, and reputational damage.
Quantify Risks and Impacts: Use data and metrics from a risk assessment to quantify cybersecurity risks and the potential impacts on the organization. Present cost-benefit analyses and return on investment (ROI) projections to demonstrate the value of investing in cybersecurity measures.
Align with Business Objectives: Emphasize how the cybersecurity program aligns with the organization's strategic objectives and contributes to long-term growth and sustainability. Highlight the role of cybersecurity in enabling digital transformation, enhancing customer trust, and protecting brand reputation.
Provide Context and Benchmarks: Provide context by comparing the organization's cybersecurity posture with industry peers and benchmarks. Highlight areas where the organization may be lagging behind or where investments are needed to meet industry standards and regulatory requirements.
Foster Ongoing Dialogue and Collaboration: Foster an ongoing dialogue with the board about cybersecurity risks, trends, and mitigation strategies. Solicit input and feedback from the board to ensure that cybersecurity initiatives are aligned with their risk tolerance level and strategic priorities.
Demonstrate Accountability and Compliance: Emphasize the importance of cybersecurity as a corporate governance issue and demonstrate the organization's commitment to accountability and compliance with regulatory requirements. Provide regular updates to the board on cybersecurity initiatives, progress, and key performance indicators (KPIs).
AutoDev empowers AI agents to tackle a broad spectrum of software engineering tasks autonomously, from intricate code editing and comprehensive testing to advanced git operations. This framework is designed to focus on autonomy, efficiency, and security. By housing operations within Docker containers, AutoDev ensures that development processes are streamlined and secure, safeguarding user privacy and project integrity.
VENDORS & PLATFORMS
This new feature combines the real-time capabilities of GitHub’s Copilot with CodeQL, the company’s semantic code analysis engine.
GitHub promises that this new system can remediate more than two-thirds of the vulnerabilities it finds, often without the developers having to edit any code themselves. The company also promises that code scanning autofix will cover more than 90% of alert types in the languages it supports, which are currently JavaScript, TypeScript, Java, and Python.
IAR provides a local assessment that enables customers to conduct comprehensive image scans within their own environments. This addresses the critical need for privacy and efficiency by allowing organizations to bypass the limitations of cloud-based scanning solutions, which are unable to conduct scans at the local level.
Giving customers (and trial users) access to robust, actionable security context and AI-powered risk insights. Each security profile includes an app description, key vendor details, security certifications, breach histories, data locality, security program links, supported authentication methods, and SaaS supply chain details.
Identifies every connected app, enabling the security team to minimize risks and mitigate threats.
Flipper Zero relies on a single radio module and is limited to just ten milliwatts, which makes it severely underpowered and impractical for use cases such as actual car thefts. The Flipper Zero team also criticizes the ban decision as highly selective, considering that the internal electronics the device uses have been widely available for many years and are used by numerous other devices. The device makers highlight the underlying error in focusing on the means rather than the actual problem, which is the widespread use of outdated and vulnerable access control systems found in automobile systems.
LEGAL & REGULATORY
OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.
OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.
[rG: See page for links to OCR Cybersecurity resources.]
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) revised its controversial guidance on how HIPAA applies to the use of online tracking on regulated entities' public webpages.
But regulated entities still may find it impossible to distinguish between what is and is not a disclosure of protected health information (PHI) subject to HIPAA.
For example: if a student were writing a term paper on the changes in the availability of oncology services provided by a hospital, the collection and transmission of information showing their visit to the hospital's webpage would not constitute a disclosure of PHI, even if the information could be used to identify the student. However, if an individual were looking at a hospital's webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual's IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI.
The difficulty here is that when a user visits a hospital's webpage listing the oncology services provided by the hospital, the hospital likely has no way of knowing whether the user is doing so to write a term paper about cancer or to seek a second opinion on a brain tumor.
Robert Purbeck, adopting the aliases "Lifelock" and "Studmaster" during his time as a cybercriminal, according to the Department of Justice (DoJ), stole personal data belonging to more than 132,000 people. The 44-year-old pleaded guilty to launching attacks on at least 18 different organizations across the US, including medical clinics. In one incident described by the DoJ following his 2021 indictment, Purbeck was said to have targeted a Florida orthodontist and threatened to sell his child's personal information unless they paid a ransom.
Purbeck is due to be sentenced on June 18, and as part of his guilty plea, he agreed to pay $1 million in restitution to his victims.
The U.S. Department of Justice (DoJ), along with 16 other state and district attorneys general, on Thursday accused Apple of illegally maintaining a monopoly over smartphones, thereby undermining, among other things, the security and privacy of users when messaging non-iPhone users. "Apple selectively compromises privacy and security interests when doing so is in Apple's own financial interest – such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available."