Robert Grupe's AppSecNewsBits 2024-04-13
Epic Fails: Microsoft and Sisense Accounts Exposed, OSS Supply Chain Vulns ignored, TVs and Road Tolls
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Microsoft employees exposed internal passwords in security lapse
Security researchers discovered an open and public storage server hosted on Microsoft’s Azure cloud service that was storing internal information relating to Microsoft’s Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems.
But the storage server itself was not protected with a password and could be accessed by anyone on the internet.
The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5.
Microsoft’s Jeff Jones told TechCrunch: “Though the credentials should not have been exposed, they were temporary, accessible only from internal networks, and disabled after testing. We thank our partners for responsibly reporting this issue.” Jones did not say for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.
[rG: Whether or not the exposed credentials are usable internally or externally, their secrets need to be immediately changed to prevent potential attack exploitation. Revoking the account access is also recommended but can't be 100% trusted, because you may not know for certain all the places it is used.]
Sisense makes products designed to allow companies to view the status of multiple third-party online services in a single dashboard. Unknown attackers now have all of the credentials that Sisense customers used in their dashboards.
The breach appears to have started when the attackers somehow gained access to the company’s Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud. The attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time — sometimes indefinitely. And depending on which service we’re talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.
Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that they’ve previously entrusted to Sisense.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.
[rG: Important takeaways: 1. Always encrypt sensitive data at rest, 2. Ensure credential secrets can be quickly changed, and 3. Ensure credential secrets and encryption keys are updated regularly (e.g. monthly).]
PyPI, short for the Python Package Index, hosts over 20 terabytes of files that are freely available for use in Python projects. If you've ever typed pip install [name of package], it likely pulled that package from PyPI.
In the 2024 report, GitGuardian reported finding over 11,000 exposed unique secrets, with 1,000 of them being added to PyPI in 2023.
A more distressing fact is that, of the secrets introduced in 2017, nearly 100 were still valid 6-7 years later. They did not have the ability to check all the secrets for validity. Still, over 300 unique and valid secrets were discovered. While this is mildly alarming to the casual observer and not necessarily a threat to random Python developers (as opposed to the 116 malicious packages reported by ESET at the end of 2023), it's a threat of unknown magnitude to the owners of those packages.
In tests, honeytokens (a kind of "defanged" API key with no access to any resources) have been tested for validity by bots within a minute of being published to GitHub. In fact, honeytokens act as a "canary" for a growing number of developers. Depending on where you've placed a specific honeytoken, you can see that someone has been snooping there and get some information about them based on telemetry data collected when the honeytoken is used. The bigger concern when you accidentally publish a secret is not just that a malicious actor might run up your cloud bill. It's where they can go from there. If an over-permissioned AWS IAM token were leaked, what might that malicious actor find in the S3 buckets or databases it grants access to? Could that malicious actor gain access to other source code and corrupt something that will be delivered to many others?
The best first step when you discover a secret has leaked is to revoke it. Remember that tiny window between publication and exploitation for a honeytoken. Once a secret has been published, it's likely been copied. Even if you haven't detected an unauthorized use, you must assume an unauthorized and malicious someone now has it.
This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users.
BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system—even when it's turned off. BMCs provide what’s known in the industry as “lights-out” system management. AMI and AETN are two of several makers of BMCs.
For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd.
The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can’t be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code.
[rG: To provide awareness, developers need to ensure that all 3rd party components are actively managed using an enterprise binary repository management system that includes Software Composition Analysis (SCA) vulnerability scanning. Responsible developers who use open source components should fork and submit pull request commits with vulnerability remediation fixes; not just claim that it is someone else's responsibility.]
The key vulnerability making these threats possible resides in a service that allows TVs to be controlled using LG’s ThinQ smartphone app when it’s connected to the same local network. The service is designed to require the user to enter a PIN code to prove authorization, but an error allows someone to skip this verification step and become a privileged user.
The function that handles account registration requests uses a variable called skipPrompt which is set to true when either the client-key or the companion-client-key parameters correspond to an existing profile. It also takes into consideration what permissions are requested when deciding whether to prompt the user for a PIN, as confirmation is not required in some cases.
We can request the creation of an account with no permissions, which will be automatically granted. Then we request another account with elevated permissions, but we specify the companion-client-key variable to match the key we got when we created the first account. The server will confirm that this key exists but will not verify if it belongs to the correct account. Thus, the skipPrompt variable will be true and the account will be created without requesting a PIN confirmation on the TV.
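The skipPrompt flaw described above, modelled next to a corrected check, as an added example that is not LG's code or part of the original write-up. The class, the permission name CONTROL_TV and the pin_ok flag are hypothetical, and the hardened rule (a companion key only vouches for permissions its own profile already holds) is an assumption about what a fix should enforce.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PairingService:
    """Toy in-memory model of a PIN-gated pairing service (hypothetical)."""
    check_ownership: bool                          # False = flawed logic, True = hardened
    profiles: dict = field(default_factory=dict)   # client key -> granted permissions

    def register(self, requested, companion_client_key=None, pin_ok=False):
        """Create a profile; return its key, or None if the PIN step blocks it."""
        requested = frozenset(requested)
        known = companion_client_key in self.profiles
        if self.check_ownership:
            # Hardened: the supplied key must belong to a profile that was
            # already granted everything now being requested.
            skip_prompt = not requested or (
                known and requested <= self.profiles[companion_client_key])
        else:
            # Flawed: the key merely has to exist; whose profile it is and
            # what that profile may do are never checked.
            skip_prompt = not requested or known
        if not skip_prompt and not pin_ok:
            return None                            # PIN on the TV was not confirmed
        key = secrets.token_hex(8)
        self.profiles[key] = requested
        return key


def escalation_possible(check_ownership):
    """Regression check: can an unprivileged key vouch for a privileged profile?"""
    svc = PairingService(check_ownership=check_ownership)
    low = svc.register(requested=[])               # no permissions, granted automatically
    high = svc.register(requested=["CONTROL_TV"], companion_client_key=low)
    return high is not None


if __name__ == "__main__":
    print("flawed logic allows escalation:  ", escalation_possible(False))
    print("hardened logic allows escalation:", escalation_possible(True))
```
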
[rG: Importance of doing SSDLC Design Threat Assessment, using functional process diagrams, to detect prior to production.]
While many sets are configured to install updates automatically, it’s worth checking the firmware settings to ensure that the most recent version is installed. The precise instructions vary from model to model but generally involve navigating to: Settings > All Settings > Support and then selecting Software Update and then selecting Check for Updates. If an update is available, then select Download and Install.
The embarrassing security lapse is linked to a book he published on Amazon, which left a digital trail to a private Google account created in his name, along with his unique ID and links to the account’s maps and calendar profiles.
Sariel is the secret author of The Human Machine Team. Published in 2021 using a pen name composed of his initials, Brigadier General YS, it provides a blueprint for the advanced AI-powered systems that the Israel Defense Forces (IDF) have been pioneering during the six-month war in Gaza.
The first technique described takes advantage of SharePoint's "Open in App" feature, which allows users to open documents with applications like Microsoft Word instead of using the web browser, which is the default option. Utilizing this feature does not generate a "FileDownloaded" event in SharePoint's audit logs but instead creates an "Access" event that administrators may ignore. Opening the file from a cloud location creates a shell command with the non-expiring URL from the file's location on the cloud endpoint, which someone can use to download the file without restrictions. Misuse of "Open in App" can be both manual and automated, using a custom PowerShell script that could enable someone to exfiltrate large lists of files quickly.
The second technique involves spoofing the User-Agent string of the file access requests to mimic Microsoft SkyDriveSync, a service used for file synchronization between SharePoint and a user's local computer. This trick makes the file downloads performed via the browser or Microsoft Graph API appear in the logs as data syncing events ("FileSyncDownloadedFull"), reducing the likelihood of scrutiny by security teams. In this case, too, the alteration of the User-Agent string and subsequent file exfiltration can be done manually or via a PowerShell script to automate the process.
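A detection sketch for the two techniques above, as an added example that is not from the original report. Because the User-Agent is attacker-controlled, it keys on event volume and on source IP instead. The record fields, the thresholds and the per-user baseline of known sync IPs are assumptions; only the operation names come from the text, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def find_suspicious(events, known_sync_ips, burst=5, window=timedelta(minutes=10)):
    """Return (alert, user) pairs, in time order, for two patterns:
    - access-burst: `burst` or more "Access" events by one user within `window`
      (bulk "Open in App" retrieval never produces "FileDownloaded")
    - sync-from-unknown-ip: a "FileSyncDownloadedFull" event from an IP that is
      not in that user's baseline of real sync clients
    """
    alerts, seen = [], set()
    recent_access = defaultdict(list)

    def raise_alert(kind, user):
        if (kind, user) not in seen:              # report each pair once
            seen.add((kind, user))
            alerts.append((kind, user))

    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if ev["operation"] == "Access":
            times = recent_access[user]
            times.append(ev["time"])
            while ev["time"] - times[0] > window:  # slide the window forward
                times.pop(0)
            if len(times) >= burst:
                raise_alert("access-burst", user)
        elif ev["operation"] == "FileSyncDownloadedFull":
            if ev["ip"] not in known_sync_ips.get(user, set()):
                raise_alert("sync-from-unknown-ip", user)
    return alerts


def _ev(minute, user, operation, ip):
    # Simplified, constructed audit record (not the real audit log schema).
    return {"time": datetime(2024, 4, 9, 9, minute), "user": user,
            "operation": operation, "ip": ip}


SAMPLE_EVENTS = (
    [_ev(m, "alice@example.com", "Access", "198.51.100.5") for m in range(6)]
    + [_ev(2, "bob@example.com", "Access", "198.51.100.8"),
       _ev(3, "bob@example.com", "FileDownloaded", "198.51.100.8"),
       _ev(20, "carol@example.com", "FileSyncDownloadedFull", "198.51.100.30"),
       _ev(25, "dave@example.com", "FileSyncDownloadedFull", "203.0.113.44")]
)
KNOWN_SYNC_IPS = {"carol@example.com": {"198.51.100.30"},
                  "dave@example.com": {"198.51.100.40"}}

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS, KNOWN_SYNC_IPS):
        print(alert)
```
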
HACKING
All reports mention the attackers using "outstanding toll amount" to trick the targets into clicking an embedded hyperlink. However, the link provided within the text is created to impersonate the state's toll service name, and phone numbers appear to change between states. Threat actors have also been targeting E-ZPass customers since March.
Several senders were left appalled to see their mail returned and being slapped with a £5 fine for use of "counterfeit stamps," despite the senders insisting that they had bought legitimate stamps.
As Royal Mail transitioned towards barcoded stamps last year, the public had until the end of July 2023 to swap out their old paper stamps with ones carrying a 2D data matrix barcode at no cost. Ironically, "security features," such as these unique barcodes believed to prevent stamp re-use and forgeries in the future failed at just that.
The penalized customers state that these stamps were purchased at Post Office branches and not Royal Mail. Post Office often partners with Royal Mail to provide a variety of mail and collection services but remains a separate commercial entity. The Post Office further claims that it receives these stamps directly from Royal Mail's secure printers. Post-printing these stamps are kept in a warehouse and transported to Post Office branches via specialist delivery vans that also carry cash.
576,000 accounts were hacked in new credential stuffing attacks after disclosing another incident that compromised 15,000 accounts in early March. The company said the attackers used login information stolen from other online platforms to breach as many active Roku accounts as possible in credential stuffing attacks.
In such attacks, the threat actors leverage automated tools to attempt millions of logins using a list of user/password pairs, with this technique being particularly effective against accounts whose owners have reused the same login information across multiple platforms.
Although the number of data breaches, exposures and leaks was up on Q1 2023, the total victim count decreased 72% annually to 72.5 million, and 81% from the previous quarter.
Cyber-attacks were the main cause of these incidents once again, accounting for 642 breaches and 28.3 million victims. System and human error was blamed for 85 incidents and around 181,000 victims.
Supply chain attacks continue to cause significant challenges for US organizations. The number of companies impacted by these threats more than tripled in Q1 2024 versus the same period in 2023. Fifty new supply chain breaches impacted 243 organizations and around 7.5 million victims, compared to 73 organizations and 11.4 million victims in Q1 2023.
Financial services was the hardest hit industry in terms of overall data breaches, followed by healthcare and professional services. Financial services breach notices tripled year-on-year to 224, while 100 compromises impacted professional services firms – more than double the figure a year ago.
However, protecting against jailbreaks is difficult due to the infinite possible prompts someone could craft in their attempts to manipulate the AI model. In the details of its bug bounty program, which was launched in April 2023, OpenAI explicitly notes there are no bounties for “jailbreaks,” stating, “While we work hard to prevent risks, we can’t predict every way people will use or misuse our technology in the real world.”
In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware.
Threat actors were seen abusing GitHub Actions to automatically update the malicious repositories by making small modifications to a file named ‘log’, which artificially boosts the repositories’ visibility and increases the chances of users accessing them.
Furthermore, the attackers were seen adding fake stars to their repositories from multiple fake accounts, to manipulate users into thinking the repositories are widely popular and reliable.
The attackers embedded their malicious payload within a pre-build event of a Visual Studio project file, so it would be automatically executed during the build process. The payload checks the system’s IP address to determine if it is in Russia, downloads additional content from specific URLs based on the victim’s country, downloads encrypted files from the URLs, and extracts and executes their content.
"Test files" associated with the XZ Utils backdoor have made their way to a Rust crate known as liblzma-sys.
liblzma-sys, which has been downloaded over 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The impacted version in question is 0.3.2. The test files themselves are not included in either the .tar.gz or the .zip tags on GitHub and are only present in liblzma-sys_0.3.2.crate that is installed from Crates.io.
The bogus Meta Pixel tracker script contains similar elements as its legitimate counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain "connect.facebook[.]net" with "b-connected[.]com."
While the former is a genuine domain linked to the Pixel tracking functionality, the replacement domain is used to load an additional malicious script ("fbevents.js") that monitors if a victim is on a checkout page, and if so, serves a fraudulent overlay to grab their credit card details.
Tracked as CVE-2024-3400 (CVSS score: 10.0), the issue is a command injection flaw that enables unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
The Python file is designed to write and launch another Python script ("system.pth"), which subsequently decodes and runs the embedded backdoor component that's responsible for executing the threat actor's commands in a file called "sslvpn_ngx_error.log." The results of the operation are written to a separate file named "bootstrap.min.css."
The most interesting aspect of the attack chain is that both the files used to extract the commands and write the results are legitimate files associated with the firewall -
/var/log/pan/sslvpn_ngx_error.log
/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
As for how the commands are written to the web server error log, the threat actor forges specially crafted network requests to a non-existent web page containing a specific pattern. The backdoor then parses the log file and searches for the line matching the same regular expression ("img\[([a-zA-Z0-9+/=]+)\]") to decode and run the command within it.
The script will then create another thread that runs a function called restore. The restore function takes the original content of the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original contents back to the file and sets the access and modified times to their originals.
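A triage helper for the log channel described above, as an added example that is not from the original report. It searches error-log lines for the marker pattern quoted in the text and decodes each token so a responder can see what was requested. The log lines are constructed in the style of an nginx error log; their paths, timestamps and client addresses are assumptions.

```python
import base64
import binascii
import re

# Marker pattern quoted above: the backdoor searches the error log for it.
MARKER = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")
CLIENT = re.compile(r"client: ([0-9A-Fa-f:.]+)")


def triage_error_log(lines):
    """Return one finding per distinct marker token on each log line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        client = CLIENT.search(line)
        seen = set()
        for match in MARKER.finditer(line):
            token = match.group(1)
            if token in seen:          # the URI appears more than once per entry
                continue
            seen.add(token)
            try:
                decoded = base64.b64decode(token, validate=True).decode(
                    "utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None         # marker shape, but not valid base64
            findings.append({
                "line": lineno,
                "client": client.group(1) if client else None,
                "token": token,
                "decoded": decoded,
            })
    return findings


def _entry(uri, client):
    # Constructed log entry; the docroot path is a placeholder.
    return (f'2024/04/10 10:00:01 [error] 991#0: *17 open() '
            f'"/constructed/docroot{uri}" failed (2: No such file or directory), '
            f'client: {client}, request: "GET {uri} HTTP/1.1"')


_TOKEN = base64.b64encode(b"uname -a").decode()    # constructed, harmless payload
SAMPLE_LOG = [
    _entry("/favicon.ico", "198.51.100.20"),        # ordinary 404, no marker
    _entry(f"/img[{_TOKEN}]", "203.0.113.7"),       # marker with valid base64
    _entry("/img[abcde]", "203.0.113.9"),           # marker shape, invalid base64
]

if __name__ == "__main__":
    for finding in triage_error_log(SAMPLE_LOG):
        print(finding)
```

A hit that decodes to readable text deserves immediate attention; a hit that does not decode is still worth reviewing, since the marker has no legitimate reason to appear in requests.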
The notification did not disclose the attackers’ identities or the countries where users received notifications.
“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” it wrote in the warning to affected customers.
The iPhone maker sends these kinds of notifications multiple times a year and has notified users of such threats in over 150 countries since 2021. Apple previously described the attackers as “state-sponsored” but has replaced all such references with “mercenary spyware attacks.”
Analyzing the PowerShell script that loaded Rhadamanthys, the researchers noticed that it included a pound/hash sign (#) followed by specific comments for each component, which are uncommon in human-created code. The researchers note that these characteristics are typical of code originating from generative AI solutions like ChatGPT, Gemini, or CoPilot. While developers are great at writing code, their comments are usually cryptic, or at least unclear and with grammatical errors.
APPSEC, DEVSECOPS, DEV
XZ Utils could have been one of the highest-impact software supply chain breaches to date, had it not been detected in time. Although it didn’t end up having the widespread exploitation potential of Log4j, it served as another wake-up call that the modern digital ecosystem is incredibly fragile and needs to mature how it consumes and secures OSS.
The top 10 OSS risks are:
OSS-RISK-1 Known Vulnerabilities: A component version may contain vulnerable code, accidentally introduced by its developers. Vulnerability details are publicly disclosed, e.g., through CVE, GitHub Security Advisories or other, more informal communication channels. Exploits and patches may or may not be available.
OSS-RISK-2 Compromise of Legitimate Package: Attackers may compromise resources that are part of an existing legitimate project or of the distribution infrastructure in order to inject malicious code into a component, e.g., through hijacking the accounts of legitimate project maintainers or exploiting vulnerabilities in package repositories.
OSS-RISK-3 Name Confusion Attacks: Attackers may create components whose names resemble names of legitimate open-source or system components (typo-squatting), suggest trustworthy authors (brand-jacking) or play with common naming patterns in different languages or ecosystems (combo-squatting).
OSS-RISK-4 Unmaintained Software: A component or component version may not be actively developed any more, thus, patches for functional and non-functional bugs may not be provided in a timely fashion (or not at all) by the original open source project.
OSS-RISK-5 Outdated Software: A project may use an old, outdated version of the component (though newer versions exist).
OSS-RISK-6 Untracked Dependencies: Project developers may not be aware of a dependency on a component at all, e.g., because it is not part of an upstream component’s SBOM, because SCA tools are not run or do not detect it, or because the dependency is not established using a package manager.
OSS-RISK-7 License Risk: A component or project may not have a license at all, or one that is incompatible with the intended use or whose requirements are not or cannot be met.
OSS-RISK-8 Immature Software: An open source project may not apply development best-practices, e.g., not use a standard versioning scheme, have no regression test suite, review guidelines or documentation. As a result, a component may not work reliably or securely.
OSS-RISK-9 Unapproved Change: A component may change without developers being able to notice, review or approve such changes, e.g., because the download link points to an unversioned resource, because a versioned resource has been modified or tampered with or due to an insecure data transfer.
OSS-RISK-10 Under/over-sized Dependency: A component may provide very little functionality (e.g. npm micro packages) or a lot of functionality (of which only a fraction may be used).
ASPM tools "continuously manage application risk through collection, analysis and prioritization of security issues from across the software life cycle. They ingest data from multiple sources, maintain an inventory of all software within an organization, correlate and analyze findings for easier interpretation, triage and remediation. They enable the enforcement of security policies and facilitate the remediation of security issues while offering a comprehensive view of risk across applications."
"How does the ASPM tool aggregate and provide a holistic view of security vulnerabilities?"
"Can the ASPM tool integrate across the entire software supply chain and ecosystem?"
"How does the ASPM tool derive and express relationships between technologies and metadata?"
"Can the ASPM tool accommodate organizational and team-specific security policies?"
"How does the ASPM tool prioritize and drive remediation for the most significant vulnerabilities?"
NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD."
The US National Institute of Standards and Technology (NIST) has unveiled an industry consortium to help it run the world’s most widely used software vulnerability repository. This situation was expected to change, with vetted organizations helping the agency from as soon as the beginning of April 2024.
According to its own data, NIST has analyzed only 199 Common Vulnerabilities and Exposures (CVEs) out of the 2957 it has received so far in March. In total, over 4000 CVEs have not been analyzed since mid-February. Since the NVD is the most comprehensive vulnerability database in the world, many companies rely on it to deploy updates and patches.
To meet the real challenges of cybersecurity in the open source ecosystem, and to demonstrate full cooperation with, and to support the implementation of, the European Union’s Cyber Resilience Act (CRA), Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation are announcing an initiative to establish common specifications for secure software development based on open source best practices.
Because secrets unlock access to highly sensitive systems and data, the damage potential of a stolen secret increases exponentially.
After an exposed secret is discovered, mitigation must be swift
Alerting developers is insufficient; they need guidance
Some file types are more likely to leak secrets than others (e.g. .env files are commonly used to store environment variables)
Automated detection is necessary but not enough alone
DMCA notices can be used to stop leaks
Don’t count on AI tools to block leaks
Always revoke compromised secrets
VENDORS & PLATFORMS
Most of these advancements are reserved for Google Workspace, which means you won't get them on your personal Google Account (unless you pay for Workspace yourself). That said, if your company or business uses Google Workspace, you're about to get some new AI-powered tools to help you get your work done.
Neutralizing poisoned content (Spotlighting)
Mitigating the risk of multiturn threats (Crescendo)
Microsoft has released an open automation framework, PyRIT (Python Risk Identification Toolkit for generative AI). Read more about the release of PyRIT for generative AI Red teaming, and access the PyRIT toolkit on GitHub.
"Malware Next-Gen" now allows the public to submit malware samples for analysis by CISA.
However, only CISA analysts and other vetted people will have access to the malware analysis reports generated by the system. Therefore, if you wish to receive an immediate analysis of a suspicious file, VirusTotal remains an excellent option.
Under this new policy change, a member's first name and profile picture will now be displayed in new and past reviews.
However, not everyone is happy with this policy change, as their personal information can now be associated with past negative reviews.
OpenTable suggests the following steps to take before May 22nd:
To edit or remove any of your reviews, see here
To add or remove your profile picture, see here
LEGAL & REGULATORY
The trouble for AT&T will be their denial of a breach in 2021 and the subsequent years in which tens of millions of social security numbers were floating around. As much as it's hard for the victim of identity theft to say "this happened because of that breach", it's also hard for the corporate victim of a breach to say that identity theft didn't happen because of their breach. I wouldn't be at all surprised if the legal cost of this runs into the tens if not hundreds of millions of dollars. I doubt the plaintiffs will see much of this, but there's sure going to be some happy lawyers out there!
More than a dozen US states have passed laws covering AI use, with additional state legislatures debating regulations on the way.
Organizations should not wait until the regulatory landscape settles. Companies should first take an inventory of the AI products they’re using. Organizations should rate the risk of every AI they use, focusing on products that make outcome-based decisions in employment, credit, healthcare, insurance, and other high-impact areas. Companies should then establish an AI use governance plan.
“You really can’t understand your risk posture if you don’t understand what AI tools you’re using.”
At the time of both attacks, Ahmed, a U.S. citizen, was a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits. While the name of the company was not disclosed, he was residing in Manhattan, New York, and working for Amazon before he was apprehended. Besides the three-year jail term, Ahmed has been sentenced to three years of supervised release and ordered to forfeit approximately $12.3 million and pay restitution amounting to more than $5 million to both the impacted crypto exchanges.