Robert Grupe's AppSecNewsBits 2024-05-25

Epic Fails: Ascension Health, Cencora, MITRE, GitLab | Now-Next: MS Windows Recall, Global Intel of Wi-Fi Routers, John Deere IT & Dev

Author

Robert Grupe
May 25, 2024

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
How the Ascension cyberattack is disrupting care at hospitals

"Unusual activity" was first detected on multiple technology network systems Ascension uses on Wednesday, May 8. Later, representatives confirmed that some of Ascension's electronic health records systems had been affected, along with systems used "to order certain tests, procedures and medications."

Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center in Austin, said she remembers when paper charting was the norm. But after so many years of relying on digital systems, she said her hospital wasn't ready to make such an abrupt shift. "It's kind of like we went back 20 years, but not even with the tools we had then," Fuentes said. "Our workflow has just been really unorganized, chaotic and at times, scary." Orders for medication, labs and imaging are being handwritten and then distributed by hand to various departments, whereas typically these requests are quickly accessed via computer. A lack of safety checks with these backup methods has introduced errors, she said, and every task is taking longer to complete.

Ascension still ha no timeline for when the issues might be resolved, and reported that it continued to work with "industry-leading cybersecurity experts" to investigate the ransomware attack and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation.

 

Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyberattack at Cencora, whom they partner with for pharmaceutical and business services. Cencora, formerly AmerisourceBergen, is a pharmaceutical services provider specializing in drug distribution, specialty pharmacy, consulting, and clinical trial support. The data breach notices warn that Cencora's internal investigation, which concluded on April 10, 2024, confirmed that the following information had been exposed: full name, address, health diagnosis, medications, and prescription.

 

The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server's Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure. The motive behind such a move is to sidestep detection by obscuring their malicious activities from centralized management interfaces like vCenter and maintain persistent access while reducing the risk of being discovered.

One effective countermeasure against threat actors' stealthy efforts to bypass detection and maintain access is to enable secure boot, which prevents unauthorized modifications by verifying the integrity of the boot process.

MITRE is making available two PowerShell scripts named Invoke-HiddenVMQuery and VirtualGHOST to help identify and mitigate potential threats within the VMware environment.

 

A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States. The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware’s intended users.

Daigle said he attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed at the time of publication.

Unfortunately, PCTattletale have ignored attempts at contacting them to fix the issue, so I can't give any more details here to avoid encouraging abuse of the vulnerability. Hopefully the stalkerware author(s) can be bothered to fix the issue soon, at which point I can give a full writeup.

The hacker says on the now-defaced website, he didn't exploit the vulnerability Daigle found. Instead, he claims he used a Python exploit to extract pcTattletale's AWS credentials via its SOAP-based API, which provided access to the spyware's source code and databases.

 

A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, in the latest episode of a supply-chain attack.

The installer copied the binary file fffmpeg.exe to the file path C:\Program Files (x86)\JAVS\Viewer 8\. To bypass security warnings, the installer was digitally signed, but with a signature issued to an entity called “Vanguard Tech Limited” rather than to “Justice AV Solutions Inc.,” the signing entity used to authenticate legitimate JAVS software. fffmpeg.exe, in turn, used Windows Sockets and WinHTTP to establish communications with a command-and-control server. Once successfully connected, fffmpeg.exe sent the server passwords harvested from browsers and data about the compromised host, including hostname, operating system details, processor architecture, program working directory, and the user name. fffmpeg.exe also downloaded the file chrome_installer.exe from the IP address 45.120.177.178. chrome_installer.exe went on to execute a binary and several Python scripts that were responsible for stealing the passwords saved in browsers. fffmpeg.exe is associated with a known malware family called GateDoor/Rustdoor.

 

Exploitation of this vulnerability would have allowed unauthorized access to the AI prompts and results of all Replicate's platform customers. The issue stems from the fact that AI models are typically packaged in formats that allow arbitrary code execution, which an attacker could weaponize to perform cross-tenant attacks by means of a malicious model.

Replicate makes use of an open-source tool called Cog to containerize and package machine learning models that could then be deployed either in a self-hosted environment or to Replicate. Cybersecurity researcher Wiz said that it created a rogue Cog container and uploaded it to Replicate, ultimately employing it to achieve remote code execution on the service's infrastructure with elevated privileges.

 

QuTSCLoud, and QTS hero operating systems and found 15 vulnerabilities, with only four of the holes receiving patches. Six of the remaining 11 bugs were accepted and validated by QNAP, and all have CVEs assigned to them, but despite most being reported in early January, and one as far back as December 2023, the vendor still hasn't released patches. The other five are either still under embargo, per the cybersecurity industry's standard 90-day disclosure window, or have no fix available, in which case users should retire their devices.

 

GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections. Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication. On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.

 

GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks. The security flaw (tracked as CVE-2024-4835) is an XSS weakness in the VS code editor (Web IDE) that lets threat actors steal restricted information using maliciously crafted pages.

Even though Shadowserver discovered over 5,300 vulnerable GitLab instances exposed online in January, less than half (2,084) are still reachable at the moment. Tracked as CVE-2023-7028, this maximum severity security flaw allows unauthenticated attackers to take over GitLab accounts via password resets.

 

Cybersecurity researchers have discovered a critical security flaw in a popular logging and metrics utility called Fluent Bit that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution. Regardless of whether or not any traces are configured, it is still possible for any user with access to this API endpoint to query it. During the parsing of incoming requests for the /api/v1/traces endpoint, the data types of input names are not properly validated before being parsed.

By default, the data types are assumed to be strings (i.e., MSGPACK_OBJECT_STR), which a threat actor could exploit by passing non-string values, leading to memory corruption. 

 

HACKING

The number of new ransomware strains in circulation has more than halved over the past 12 months, suggesting there is little need for innovation given the success of the existing tools used by top gangs.

Exploiting vulnerabilities in public-facing applications and getting hold of a valid account are the two most common ways ransomware attacks begin. Apply patches and deploy MFA – the same old advice still stands. And for those wondering if these miscreants have moved away from encrypting files given the success of Cl0p's MOVEit MFT attack, then it's bad news. The "vast majority" of incidents involve encryption. The MOVEit incident has claimed 2,771 victims so far.

Without trying to labor the point, deploying MFA is really important, if you can believe it. Last year it was the single most common initial access vector for all kinds of attacks, including ransomware and all the others, used in 41 percent of cases.

Vulnerability exploits accounted for 30 percent of intrusions and social engineering methods such as phishing were responsible for 12 percent.

So, the advice to defend the majority of ransomware and all other kinds of attacks is generally the same: if you can deploy MFA effectively and patch vulnerabilities quickly, then that will eliminate the majority of attacks from taking place.

Effective MFA is enforced MFA. If you have MFA set up but a quarter of your organization is in an MFA bypass group, that security mechanism is not having the intended effect. In other places, the wheels of security change just move slowly; unfortunately, adversaries have a way of prioritizing security measures for businesses if those businesses aren't able to prioritize security themselves. We have also seen upticks in attack techniques like MFA push fraud that are aimed at social engineering employees into giving attackers access to systems with MFA enabled.

Cybercrime is profitable, and like any financial ecosystem, the demand for new zero-day exploits incentivizes their development. Rapid7 regularly sees dark web postings soliciting new zero-day exploits for popular technologies such as enterprise VPNs for $100K+. A ransomware group that's pulling in eight figures or more from orchestrated global attack campaigns can afford to buy or commission plenty of bespoke new zero-day exploits. Zero days were especially prevalent in network and security appliances, which were at the heart of 60 percent of all zero-day vulnerabilities in 2023.

 

By far the most impersonated corp was Best Buy and its repair business Geek Squad, with a total of 52k reports. Amazon impersonators came in second place with 34k reports, and PayPal a distant third with 10,000. Proportionally, the top three made up roughly 72 percent of the reports among the top ten, and Best Buy and Geek Squad scam reports were about 39 percent on their own. Best Buy and Geek Squad, Amazon, and PayPal scams made about $15 million, $19 million, and $16 million respectively, but that's nothing compared to the $60 million that Microsoft impersonators were able to fleece.

 

A group calling itself “NoName057(16)” has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes. The DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.

 

University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

 

For 4 days, the c-root server maintained by Cogent lost touch with its 12 peers.

 

 

 

APPSEC, DEVSECOPS, DEV

This is compared to 68 percent the year prior, and 48 percent in 2022. Additionally, nearly a third (31 percent) believe a significant attack is "very likely," compared to 25 percent in 2023.

 

Tenet 1: Establish a collaborative, security-minded culture

Make security a shared responsibility

Break down functional silos and collaborate continuously

  • Defining and agreeing upon a set of measurable security objectives, such as:
    % decrease of application security incidents
    % decrease time spent on audit
    % increase in deployment frequency
    % decrease in change failure rate
    % decrease of vulnerabilities deployed to production
    % of artifacts deployed to production with SBOM/SLSA

  • Decrease in lead time to zero-day vulnerability remediation

  • Involvement from software developers and DevOps teams throughout the evaluation and procurement processes for new security tools

  • Ensuring no DevSecOps process has a single functional gatekeeper

  • Iteratively optimizing tooling choices and security practices for developer productivity and velocity

Tenet 2: Shift security information left, not security workload

  • Security should own the orchestration and automation of application security tests throughout CI and CD pipelines

  • Remove the burden of deduplicating and prioritizing detected vulnerabilities from developers. Instead, security should ensure developers get a fully processed vulnerability list in a timely manner

  • Accelerate remediation by generating actionable developer-oriented guidance for understanding and resolving each vulnerability

Tenet 3: Maintain proper governance and guardrails

  • Enforce fine-grained Role-based Access Control (RBAC) throughout the development environment

  • Overlay policies on top of pipelines. The Open Policy Agent (OPA) standard is an excellent policy-as-code approach for this.

  • Use templates wherever possible to eliminate unforced errors that lead to security and compliance risk.

Tenet 4: Focus on securing the software supply chain (and not just your own source code)

  • Govern the use of open source software components throughout CI and CD pipelines.

  • Adopt comprehensive capabilities for generating, managing, and analyzing software bills of materials (SBOMs) for software artifacts

  • Generate and verify SLSA compliance beyond the minimum requirements of level 1.

  • Establish a full chain of custody for all software artifacts.

Tenet 5: Achieve 'continuous security' through automation and AI#

  • Orchestrate security scans throughout pipelines.

  • Automate vulnerability list deduplication and prioritization for developers.

  • Generate remediation guidance with AI.

 

Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive.

"There is no evidence that the tests result in fewer incidences of successful phishing campaigns,” Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing.”

 

Securing open source software may soon become a little bit easier thanks to a new vulnerability info-sharing effort initiated by the Open Source Security Foundation (OpenSSF). Dubbed OpenSSF Siren, the threat intelligence sharing group aims to “aggregate and disseminate threat intelligence” to provide real-time security warning bulletins and deliver a community-driven knowledge bas

Among the items OpenSSF hopes will be shared on Siren are tactics, techniques, and procedures being used by those who attack open source software, plus indicators of compromise associated with recent incidents. The Foundation doesn't intend Siren to be a place to disclose new flaws, instead intending it to serve as a "post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination."

 

Threat actors were found breaching AWS accounts using authentication secrets leaked as plaintext in Atlassian Bitbucket artifact objects. Mandiant discovered that artifact objects generated during pipeline runs can contain sensitive information, including secured variables in plaintext. As developers may not be aware that these secrets are exposed in artifact files, the source code may be published to public repositories where threat actors can steal them.

Mandiant reminds developers that Bitbucket was not designed to manage secrets, suggesting that a dedicated, specialized product is used for that purpose instead.

Developers are also recommended to carefully review artifacts to ensure no plain text secrets are contained inside the generated files.

Finally, it is advisable to deploy code scanning over the complete pipeline lifecycle to catch secret exposure events and remove them prior to the code reaching production.

 

 

VENDORS & PLATFORMS

A four-year digital transformation project has seen John Deere replace its previous infrastructure in order to take advantage of cloud-native technologies. It’s not hard to find evidence of private 5G network adoption in the company’s factories. Those facilities now produce GPU-packing machines that use AI to target application of herbicides.

Autonomous vehicles are more efficient,and that’s important because he said the world needs to grow “more crops on significantly fewer arable acres.” John Deere is trying to make its manufacturing environments “as smart as our products that we have AI built into today.”

 

Screenshot prevention policies will secure against data exfiltration in the browser by blocking the ability to take screenshots on pages labeled as sensitive or protected. IT managers at corporations will be able to tag web pages as protected, as defined in various Microsoft policy engines in Microsoft 365, Microsoft Defender for Cloud Apps, Microsoft Intune Mobile Application Management and Microsoft Purview.

 

Recall, at its core, is simple: The feature quietly takes screenshots of what you're doing on your PC throughout your session. Whenever you perform a search with Recall, it pulls from all these screenshots to find relevant moments in your PC activity history that might be what you're looking for, stitching them together into a scrollable timeline. Rewind offers a similar experience over on macOS, recording all your activity (including transcribing your audio) in order to make everything you do on your Mac searchable. Of course, the big difference here is Recall is a Microsoft-built feature, while Rewind is only offered by a third-party developer on macOS.

Recall is entirely handled on-device, with no processing outsourced to the cloud. That means everything, from the AI processing to the screenshots themselves, happen on your PC. Microsoft says the screenshots used for Recall are encrypted on your PC, too, even from other profiles on the machine: If you lock your PC, your Recall screenshots are locked, too.

However, while Microsoft is all about the security of Recall, it isn't necessarily foolproof. For one, Recall takes screenshots of almost everything you do on your PC (assuming you haven't adjusted these settings yourself). That means it won't stop taking screenshots when you enter or access sensitive information like passwords, your social security number, or banking data: If you can see it on-screen, chances are Recall is recording it. While it's great that these screenshots are encrypted when you lock your device, if someone does manage to break into your PC, they'll be able to access your entire Recall history, including this sensitive information. It seems like an unforced error to let a potential hacker open Recall, search "Bank of America" or "Turbo Tax," and watch as you from the past enters all the relevant credentials and private information in for them.

 

If you're tired of Google's AI Overview extracting all value from the web while also telling people to eat glue or run with scissors, you can turn it off—sort of. Google has been telling people its AI box at the top of search results is the future, and you can't turn it off, but that ignores how Google search works: A lot of options are powered by URL parameters. That means you can turn off AI search with this one simple trick!

 

 

LEGAL & REGULATORY

Georgia resident Malachi Mullings received a decade-long sentence for laundering money scored in scams against healthcare providers, private companies, and individuals to the tune of $4.5 million. Mullings' helped clear the financial tracks of a scheme that ran from 2019 to July 2021 and consisted of both business email compromise (BEC) attacks and romance scams, with the former aimed at healthcare entities, among other biz, and the latter at ordinary citizens.

 

Steven Kramer, 54, of New Orleans wanted Biden supporters to stay home, giving House Rep Dean Phillips (D-MN) a better chance at being selected to challenge Joe Biden for the New Hampshire Democratic nomination.

New Hampshire Attorney General John Formella announced Kramer has been charged with 13 felony counts of voter suppression and 13 misdemeanor counts of impersonation of a candidate, spread across four counties

Kramer faces a $6 million fine from the FCC for the bogus call, which used AI-generated voice cloning technology to impersonate President Joe Biden and caller ID spoofing to hide the source. Kramer previously said he wrote the script for the call, which urged people not to vote in the New Hampshire Democratic primary, paid a magician $150 to use some form of artificial intelligence to record that script using the US president's cloned voice, and hired a telemarketing firm to play the recording to more than 5,000 voters over the phone.

 

As Regulation Systems Compliance and Integrity (Regulation SCI) requires, firms must immediately notify the SEC about security incident intrusions and provide an update within 24 hours unless they determine the impact on their operations or market participants is negligible. As alleged in the order, they instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity. The SEC says that ICE staff did not notify the legal and compliance officials at the company's subsidiaries about this VPN security breach for several days, violating both Reg SCI rules and ICE's own internal cyber incident reporting procedures.

 

The proposed fine relates to an incident where personal information – including surname, initials, rank, and role of all 9,483 serving PSNI officers and staff – was included in a "hidden" tab of a spreadsheet published online in response to a freedom of information request. According to the ICO's assessment, the incident put exposed individuals at grave physical risk, resulted from poor data security from PSNI, and was deemed entirely preventable.

 

102 national and state medical associations – whose members relied on UnitedHealth's IT systems to process patient data – urged HHS Secretary Xavier Becerra to make it crystal clear that their doctors, surgeons, and other healthcare professionals should be off the hook for alerting individuals that their sensitive info was stolen in the February intrusion into UnitedHealth.

They also want assurances that Change Healthcare, and not medical offices themselves, are under the microscope when it comes to the government's investigation into the incident.