Robert Grupe's AppSecNewsBits 2024-05-18

What's Weak This Weak: Ascension Health, US Army, Google, Christie's, Linux SSH, Free Laundry

Author

Robert Grupe
May 18, 2024

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Ascension can’t fill prescriptions at its Michigan pharmacies

A cyberattack at one of the nation’s largest hospital chains enters a second week with no end in sight.

The health care giant Ascension continues to maintain that its hospitals, doctors offices, and other sites remain “open and operational,” but it’s clear that the St. Louis-based Catholic health-care giant remains deep in crisis. The attack has cut off access to the system’s electronic health records system, disrupted phones as well as scheduling and testing processes, and forced the rerouting of at least some Michigan patients to non-Ascension hospitals. Monday, Ascension said its pharmacies can no longer take credit cards, and it acknowledged its dependence now on “manual and paper based systems.”

CNN said the type of ransomware used is known as Black Basta, which is also the name of a group that, according to a 2023 alert from the U.S. Department of Health and Human Services, is known for its “double extortion attack.”

At the same time as it faces the ransomware attack, Ascension is juggling a looming labor strike at Ascension Genesys. Teamsters Local 332 in Flint has given notice of its intent to strike May 24. “The union’s sudden decision to strike, for an indefinite period, in the midst of an ongoing cyber event is truly difficult to understand,” the hospital said in a statement.

 

According to the criminal(s), who has been especially active lately and goes by the moniker IntelBroker — and it's important to keep in mind that crims aren't necessarily the most trustworthy folks.

An extortionist claims to have stolen files from the US Army Aviation and Missile Command in August 2023, and now claims they are selling access to a $75 billion aerospace and defense company. US Army Aviation and Missile Command (AMCOM) develops and maintains the Army's aviation, missile and drone capabilities. The compromised data, according to the leak site, includes a ton of code, including source software, swiped from the defense company's CI/CD pipeline, Bitbucket, Github and Apache SVN repositories.

 

The company accidentally erased the private Google Cloud account of a $125 billion Australian pension fund, UniSuper. The result: more than half a million UniSuper fund members had no access to their accounts for about a week. UniSuper had a backup account with another cloud provider, and service was restored May 2.

rG: Moral is to never have all your "eggs in one basket" - which includes service providers, and to regularly conduct disaster recovery exercises to confirm backup restoration within acceptable recovery periods.

 

From his laptop, Sherbrooke ran a script of code with instructions telling the machine in front of him to start a cycle despite having $0 in his laundry account. The machine immediately woke up with a loud beep and flashed “PUSH START” on its display, indicating the machine was ready to wash a free load of laundry.

In another case, students added an ostensible balance of several million dollars into one of their laundry accounts, which reflected in their CSC Go mobile app as though it were an entirely normal amount of money for a student to spend on laundry.

Months later, the vulnerability remains open after CSC ServiceWorks repeatedly ignored requests to fix the flaw.

The students are now revealing more about their findings after waiting longer than the customary three months that security researchers typically grant vendors to fix flaws before going public.

 

Christie's website remains offline as of Monday after a "technology security issue" shut it down Thursday night. It's not thought, at the moment, that any customer data has been stolen.

The latest security snafu comes less than a year after Christie's inadvertently leaked location data belonging to hundreds of high-end art owners seeking to sell their paintings at auction. That blunder, which came to light in August, was basically a privacy oversight by Christie's website, which allowed would-be customers to upload photos of the art they were seeking to sell. Some of these uploads included precise GPS coordinates revealing the exact location of some very pricey pieces. These physical addresses — which could guide would-be thieves to the buildings where the art resided — were publicly available to anyone online via the Christie's website, which had failed to strip out this location metadata from submitted snaps.

 

CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages. In these languages, developers must allocate memory space needed to run certain applications or operations. They do this by using “pointers” that store the memory addresses where the required data will reside. Because this space is finite, memory locations should be deallocated once the application or operation no longer needs it.

Use-after-free bugs occur when the app or process fails to clear the pointer after freeing the memory location. In some cases, the pointer to the freed memory is used again and points to a new memory location storing malicious shellcode planted by an attacker’s exploit, a condition that will result in the execution of this code.

A good way to prevent, and at the same time get notified of, UAF bugs is by setting pointers to NULL (nullptr) when you free the memory they point to. Trying to dereference a null pointer will lead to a crash, which is better than having a silent UAF bug that leads to data corruption and other undefined behavior.

rG: SSDLC Prevention is use Static Application Security Testing scanners and Security Code Reviews to ensure setting pointers to NULL (nullptr) when free the memory they point to.

 

Ebury malware's continuous evolution over 15 years and its multiple ways of propagating, it’s not hard to see how it was able to infect kernel[.]org and the many other organizations it has claimed. Given that the malware continues to spread and shows no signs of stopping, it's imperative that organizations of all sizes remain vigilant.

One of the most notable propagation methods is Ebury using its presence inside data centers to perform AitM attacks at scale on servers deemed to be high value. Most, if not all, of the commandeered ISP servers were shared among multiple users for hosting websites, with a total of more than 1.5 million accounts. Since the compromised infrastructure ran mostly the same configurations and OS and application versions, the attackers were able to deploy a variety of newly added malware tools at a massive scale.

Ebury spreads through compromised of SSH credentials. By backdooring OpenSSH files on both servers and client devices, the compromise of one server would reveal the SSH credentials for accessing one or more new servers. The process would repeat in an almost exponential fashion. Additional methods are Credential stuffing, Spreading from hypervisors or containers to all subsystems, Spreading from a hosting provider to all connected servers, Exploitation of vulnerabilities, including one known as Dirty COW and what was once a zero-day in the Control Web Panel for managing servers inside host facilities, Using their access to one server to perform adversary-in-the-middle attacks to steal SSH credentials from other servers in the same network.

Infection hitting the kernel[.]org network began in 2009 and since then the OpenSSH-dwelling malware has infected more than 400,000 servers. In 2011 kernel maintainers revealed that 448 accounts had been compromised after attackers had somehow managed to gain unfettered, or “root,” system access to servers connected to the domain. After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware. From there, the attackers used the servers to send spam and carry out other nefarious activities.

The ESET report provides IP addresses, file hashes, and other technical indicators that administrators can use to determine if they have been targeted. It also notes the benefit of protecting SSH servers with multi-factor authentication (MFA) so that a compromise of the password isn't sufficient to take control of the server it protects. Unfortunately MFA relies on third-party PAM modules such as the Google Authenticator PAM module and needs manual configuration. It is not the default security setting of any popular Linux distribution. As a result, MFA is rarely deployed for the SSH service.

 

CVE-2024-34359 is related to the Jinja2 template rendering Python tool, which is mainly used for generating HTML, and the llama_cpp_python package, which is used for integrating AI models with Python.

Llama_cpp_python uses Jinja2 for processing model metadata, but failed to use certain safeguards, enabling template injection attacks.

The core issue arises from processing template data without proper security measures such as sandboxing, which Jinja2 supports but was not implemented in this instance.

More than 6,000 AI models on the Hugging Face AI community that use llama_cpp_python and Jinja2 are impacted.

Imagine downloading a seemingly harmless AI model from a trusted platform like Hugging Face, only to discover that it has opened a backdoor for attackers to control your system.

The vulnerability has been patched with the release of llama_cpp_python 0.2.72.

rG: Importance of SCA vulnerability scanning in SSDLC - While the originating vulnerability has been patched, developers need to ensure if they are using any of the 6,000 models that they are patched, and then redeploy updates.

 

HACKING

The senior hacking team allocated three resources to it for three weeks.

IBM's red team (along with everyone else in the world) has been building out its AI capabilities. This includes using generative and predictive AI for penetration testing from a platform the team code-named Vivid, which they used to help with the unnamed computer component manufacturer break-in.

While AI tools can "never replace dedicated hackers, truly the most skilled people out there, we can take a load off. There's a lot of fluff out there around AI. But there's also a lot of really interesting things that are happening.

In this particular case, the X-Force crew and its AI tooling found a flaw in the manufacturer's HR portal, exploited this to upload a shell, and then waited to see if they would get caught. They didn't, so they pushed further, escalating their privileges on the host, and used a rootkit to cover their tracks and avoid being detected. "Then we just sat and waited, mapped up their internal network over time, and eventually got to the design of that key computer component."

Of course, criminals and government-backed intruders are also seeing how they can use machine-learning tools to make their jobs more efficient, and Thompson said he believes the pace at which this technology is changing and improving is only going to accelerate from here on out.

 

Minh Phuong Vong, of Bowie, Maryland, who was arrested on Thursday morning and charged with conspiracy to commit wire fraud, secured jobs under his own identity which were allegedly carried out by remote North Korean natives. Vong's alleged role in the conspiracy, at least according to the Feds, was to secure positions at companies and then outsource that work to North Koreans who could actually do the technical work, all while keeping a percentage of the salary for his trouble and funneling the rest back to Pyongyang. A Vietnam native, Vong was a naturalized US citizen who actually worked in a nail salon.

Also arrested this week was US national Christina Marie Chapman, 49, of Litchfield Park, Arizona who was accused of running a laptop farm – a residence in the US fitted with arrays of laptops that overseas or Nork workers can remote into and work from. The local IP address of the machines was intended to add a layer of perceived legitimacy to any remote work carried out for a US company. She allegedly helped North Korean workers defraud major US companies, more than 300 in total, including various blue-chip companies across multiple industries.

At least some of the overseas workers who benefitted from Chapman's alleged crimes also worked with Ukrainian national Oleksandr Didenko. Didenko is primarily accused of running the website UpWorkSell which claimed to offer overseas IT workers the opportunity to register on freelance IT job sites using identities other than their own to secure gig work at US-based companies.

From August to November of 2022, the North Korean IT workers allegedly amassed guides and other information online designed to coach North Koreans on how to write effective cover letters and résumés and falsify US Permanent Resident Cards. Under the alleged scheme, the foreign workers developed “fictitious personas and online profiles to match the job requirements” and submitted fake documents to the Homeland Security Department as part of an employment eligibility check.

Christina Chapman operated a “laptop farm” at one of her residences to give the employers the impression the North Korean IT staffers were working from within the US; the laptops were issued by the employers. By using proxies and VPNs, the overseas workers appeared to be connecting from US-based IP addresses. Chapman also received employees’ paychecks at her home.

The indictment came alongside a criminal complaint charging a Ukrainian man, Oleksandr Didenko, with carrying out a similar multiyear scheme.

rG: Illustrating that MFA isn't impervious.

 

Royal Tiger uses AI voice cloning to impersonate staff at government agencies, banks, and utilities. These robocalls purport to offer credit card interest rate reductions or fake purchase authorization orders. The gang also use spoofing techniques to obtain consumer's financial and other sensitive data, which then allows them to target individuals. Because they didn't obtain consent from consumers, these calls violate the US Telephone Consumer Protection Act and/or Commission rules for robocalls to wireless telephone numbers, the FCC ruled.

 

Quick Assist is a legitimate application from Microsoft that enables users to share their Windows or macOS device with another person over a remote connection, mainly with the intent to troubleshoot technical issues on their systems. It comes installed by default on devices running Windows 11.

Threat actors launch link listing attacks, a type of email bombing attack in which the targeted email addresses are signed up for various legitimate email subscription services to flood their inboxes with subscribed content. The adversary then masquerades as the company's IT support team through phone calls to the target user, purporting to offer assistance in remediating the spam issue and persuading them to grant access to their device through Quick Assist. Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads.

 

The action on Wednesday is the second time within a year that the online data bazaar has been taken down by law enforcement. Last June, a different domain used to host the site was seized three months after the FBI arrested its alleged founder and operator. Conor Brian Fitzpatrick, then 21 years old, pleaded guilty to multiple charges. In January, he was sentenced to 20 years of supervised release.

Shortly after the June takedown of the site, a new individual stepped forward and revived the forum by hosting it on a new domain, which the FBI said had changed three times. This time around, the FBI also seized the official BreachForums Telegram channel and a second one belonging to Baphomet. Both channels displayed the same graphic appearing on the newly seized BreachForums site. It’s not clear how authorities took control of the Telegram channels.

 

But the concern over scholarly research integrity isn't confined to Wiley publications. A study published in Nature last July suggests as many as a quarter of clinical trials are problematic or entirely fabricated.

The volume of papers submitted to ArXiv increased considerably in the top three categories between 2019 and 2023 – a period that roughly coincides with the debut of tools like ChatGPT. Computer science papers increased by 200 percent during these four years, followed by physics papers (45 percent) and mathematics (22 percent).

 

The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of patient data stored on the vulnerable devices.

 

 

APPSEC, DEVSECOPS, DEV

NIST has not enriched vulnerabilities listed in the NVD since Feb. 12 — meaning anyone relying on these reports potentially has been at risk for months.

Three Factors Affecting the NVD

1. Credit-Seeking Contributors: inexperienced seeking career entry

2. Widespread Accessibility

3. Monetary Incentives: bug bounty rewards seekers

 

AWS and IBM released a study based on a survey of 200 C-levelfound

81 percent of respondents said generative AI requires a new security governance model. Similarly,

82 percent said secure and trustworthy AI is essential to the success of their businesses.

However, only 24 percent of gen-AI projects have a security component.

There needs to be safeguards and other protections around these advanced neural networks, from training to inference, to avoid them being exploited or used in unexpected and unwanted in ways. A model exists in the context of an application.

The AI stack is a cake with three layers. The bottom layer is the training environment, where the large language models (LLMs) upon which generative AI applications are built. That training process needs to be robust to ensure you're not, among other things, putting garbage in and getting garbage out.

 

Global news headlines have been dominated by stories of major data breaches, exposing millions of customer records. While initial reports often point to complex attacks, investigations frequently reveal a sobering truth: The breach could have been prevented. The culprit? A simple security flaw that slipped through the cracks of a traditional development process.

Security, instead of being a part of a dedicated team, is seen as a last resort—something that applications must pass before reaching production.

This siloed approach has several critical flaws.

• Security vulnerabilities identified late

• Friction and finger-pointing

• Slow deployments

The transition to a DevSecOps culture requires a strategic approach.

1. Shift Left Security: But it's not just about the tools—educating those developers on secure coding practices and common security threats is crucial, too.

2. Automate Security Tasks

3. Build A Culture Of Security

 

1. Failing to conduct a risk assessment

2. Not completing due diligence to integrate authentication with current systems

3. Requiring only one authentication factor

4. Forgetting about user experience

5. Not paying attention to authentication activities and patterns

6. Neglecting to train and educate users

 

 

VENDORS & PLATFORMS

Depscan utilizes cdxgen to produce Software Bill-of-Materials (SBOMs), which allows us to support many different languages and source code configurations

It offers result exports into customizable Jinja reports as well as JSON documents in a couple of standards, including: CycloneDx Vulnerability Disclosure Report (VDR) and Common Security Advisory Framework (CSAF) 2.0

Reachability analysis, that uses AppThreat/atom to create slices of the source code

Deep packages risk audit for dependency confusion attacks and maintenance risks

 

The capability – dubbed "Detecting Unwanted Location Trackers" (DULT) – is available in Android devices running versions 6.0 and later, and iOS devices with iOS 17.5.

Android users will receive a "Tracker traveling with you" alert if an unidentified Bluetooth tracking device is detected as moving along with them over time, irrespective of the platform it's paired with. On iOS, users will get an "[Item] Found Moving With You" message.

 

With this upgrade, if a thief forces a reset of the stolen device, they're not able to set it up again without knowing your device or Google account credentials.

The tech giant further said it's integrating an AI-powered feature that's capable of recognizing suspicious signals (i.e., abrupt motion) and proactively protecting users' data by automatically locking the device's screen when it detects that a phone has been snatched out of someone's hands and the miscreant attempts to run or drive away.

Other improvements encompass the ability to mark a device as lost for easier tracking via Find My Device and even remotely lock a phone's screen with a phone number and a security challenge using any device. This buys you time to recover your account details and access additional helpful options in Find My Device, including sending a full factory reset command to completely wipe the device.

 

Now customers must determine if they want to follow the newly announced chosen path, which calls for the migration of the QRadar legacy and SaaS suites to Palo Alto's Cortex XSIAM, or evaluate other options. According to Omdia research, IBM's QRadar is the third largest next-generation SIEM provider based on revenue, behind Microsoft, and Splunk (now part of Cisco). While Palo Alto Networks' intentions with the QRadar stack may be uncertain, the agreement does call for incorporating IBM's watsonx large language models into Cortex XSIAM, which will provide its new Precision AI tools.

The deal, which builds on a partnership between the two companies that was previously expanded in late 2023, is expected to close by the end of September. The pact also calls for IBM Consulting to become a "preferred managed security services provider (MSSP)" for existing and future Palo Alto Networks customers, with the two vendors sharing a joint security operations center (SOC).

 

If the consumer agrees, behind-the-scenes, Visa issues a private data token to the merchant complete with AI-generated insights based on the consumer’s transaction data. The data token can be used with the merchant’s AI models to deliver real-time recommendations for the shopper. Visa will also pass the data token to the consumer’s bank to capture where the data has been shared, so the consumer can easily review where it has been shared in their mobile banking app and revoke access if they choose.

 

Sandra Carielli, a Forrester Research principal analyst, said "Announcing a lot of out-of-the-box integrations seems like a table-stakes, necessary feature. Having them in a marketplace may help customers with ease of integration, speed of deployment and overall time to value — maybe. But a quick Google search shows that ArmorCode has more than 200 integrations and Legit Security has around 75. Just because there isn’t a marketplace doesn’t mean the integrations aren’t easily accessible. So I’m inclined to say this isn’t that interesting an announcement. Cycode is still pretty small. Are people going to be flocking to the Cycode marketplace?”

Dale Gardner, a Gartner senior director analyst reacted similarly, “One of the primary reasons organizations look at these tools is to help integrate information from a variety of application security tools across the SDLC to gain visibility into the security status of an application, help with prioritization, and better understand risks posed by an application. In the space, I see a couple of different types of vendors: those who focus on integration of existing tools, and those who also incorporate their own tooling as either a replacement for someone’s existing tools or to augment gaps. Cycode falls into the latter category.” 

 

LEGAL & REGULATORY

Institutions must notify individuals whose personal information was compromised “as soon as practicable, but not later than 30 days” after learning of unauthorized network access or use of customer data. The new requirements will be binding on broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.

The requirements also broaden the scope of nonpublic personal information covered beyond what the firm itself collects. The new rules will also cover personal information the firm has received from another financial institution.

Notifications must detail the incident, what information was compromised, and how those affected can protect themselves. In what appears to be a loophole in the requirements, covered institutions don’t have to issue notices if they establish that the personal information has not been used in a way to result in “substantial harm or inconvenience” or isn’t likely to.