Robert Grupe's AppSecNewsBits 2024-06-01

Software Development What's Weak This Week: Ticket Masters, FBI, 600k SOHO routers, Google AI, OpenAI, UnitedHealth, Sav-Rx, Christie's, VBS, ...

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
UnitedHealth leaders 'should be held responsible' for installing inexperienced CISO, senator says

In the four-page letter, Wyden (D-OR) compared the incident to the compromise of SolarWinds and said UnitedHealth’s senior executives and board of directors “must be held accountable” for a cascade of reckless decisions — most notably having a chief information security officer who had not worked in a fulltime cybersecurity role before he was elevated to the job in June 2023.

“Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses. Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses.”

The letter said UnitedHealth’s leaders were reckless in several ways. The hackers broke into the company through a remote access server that was not protected with multi-factor authentication (MFA). Witty has said MFA policies were waived for servers running older software. Wyden noted that UnitedHealth still has not explained how access to one server enabled the hackers to shut down the Change Healthcare platform — which handled about 1 in 3 medical records and processed about half of all medical claims in the U.S.

 

The biz provides prescription drug management services to more than 10 million US workers and their families, via their employers or unions. It first spotted the network "interruption" on October 8 last year and notes the break-in likely occurred five days earlier.

Potentially stolen details include patients' names, dates of birth, social security numbers, email addresses, mailing addresses, phone numbers, eligibility data, and insurance identification numbers.

Sav-Rx says it restored the IT systems to normal the following business day, and says all prescriptions were shipped on time and without delay.

There's an oddly worded line about what happened that notes, "in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated."

 

This massive 1.3 terabytes of data is now being offered on Breach Forums in a one-time sale for $500,000.

ShinyHunters has allegedly accessed a treasure trove of sensitive user information, including full names, addresses, email addresses, phone numbers, ticket sales and event details, order information, and partial payment card data. Specifically, the compromised payment data includes customer names, the last four digits of card numbers, expiration dates, and even customer fraud details.

With this, cybercriminals can commit identity theft and financial fraud, launch phishing attacks or take over online accounts. They may also use the data for blackmail, extortion, medical identity theft or credential stuffing which could lead to significant financial losses for customers, damage to credit scores, and an erosion of trust.

Hackers are attempting to sell what they say is confidential information belonging to millions of Santander staff and customers.

ShinyHunters posted an advert saying they had data including:

30 million people’s bank account details

6 million account numbers and balances

28 million credit card numbers

HR information for staff

Infosec analysts at Hudson Rock believe Snowflake was compromised by miscreants who used that intrusion to steal data on hundreds of millions of people from Ticketmaster, Santander, and potentially other customers of the cloud storage provider. Snowflake denies its security was defeated.

Snowflake provides cloud data storage services to many of the largest enterprises in the world. This alleged intrusion and exfiltration of data from Snowflake, which Hudson characterizes as "one of the largest data breaches to date," is said to have involved the use of a Snowflake employee's login details obtained in October using info-stealing malware some believe was Lumma.

These credentials were supposedly used to sign into the employee's ServiceNow account, apparently side-stepping Snowflake's Okta-based access management system. Once inside, it's claimed, the criminals were able to generate session tokens that were used to exfiltrate large quantities of customer data from Snowflake's systems.

Online threat hunters spotted the bazaar's resurgence, now seemingly under the control of ShinyHunters - one of the earlier BreachForums admins. The marketplace opened for registration on Tuesday.

The BreachForums website and Telegram channel takedown happened on May 15 with both displaying warnings that they were now "under the control of the FBI." Additionally, the souk, where ransomware operators and other miscreants trade pilfered information, showed profile pics of admins Baphomet and ShinyHunters behind bars, which several infosec spectators took to mean that both had been cuffed.

While Baphomet's Telegram channel was also seized, and that site administrator was reportedly arrested, the ShinyHunters crew claimed to escape unscathed, bragging that none of its members were arrested.

 

Last October, subscribers to an ISP known as Windstream began flooding message boards with reports their routers had suddenly stopped working and remained unresponsive to reboots and all other attempts to revive them. “The routers now just sit there with a steady red light on the front. They won't even respond to a RESET.” After eventually determining that the routers were permanently unusable, Windstream sent new routers to affected customers.

Over a 72-hour period beginning on October 25, malware took out more than 600,000 routers connected to a single autonomous system number, or ASN, belonging to an unnamed ISP.

The attacker took deliberate steps to cover their tracks by using commodity malware known as Chalubo, rather than a custom-developed toolkit. A feature built into Chalubo allowed the actor to execute custom Lua scripts on the infected devices. The researchers believe the malware downloaded and ran code that permanently overwrote the router firmware.

There aren't many known precedents for malware that wipes routers en masse in the way witnessed by the researchers. Perhaps the closest was the discovery in 2022 of AcidRain, the name given to malware that knocked out 10,000 modems for satellite Internet provider Viasat.

 

The threat actor known as 'Ghostr' told us they hacked the company's Fanzone website on May 18 and downloaded its linked databases. Cooler Master's Fanzone site is used to register a product's warranty, request an RMA, or open support tickets, requiring customers to fill in personal data, such as names, email addresses, phone numbers, birth dates, and physical addresses. Ghostr said they were able to download 103 GB of data during the Fanzone breach, including the customer information of over 500,000 customers. The threat actor now says they will sell the leaked data on hacking forums but has not disclosed the price.

 

This is the eighth largest crypto theft in history. Hackers stole around $2 billion in crypto across dozens of cyberattacks and thefts last year. While that is still a gargantuan amount of crypto, the total was the lowest since 2020.

 

A hacker group called RansomHub said it was behind the cyberattack that hit the Christie's website just days before its marquee spring sales began, forcing the auction house to resort to alternatives to online bidding.

In a post on the dark web, the group claimed that it had gained access to sensitive information about the world's wealthiest art collectors, posting only a few examples of names and birthdays. The group said it would release the data, posting a countdown timer that would reach zero by the end of May.

Christie's stated, "Our investigations determined there was unauthorized access by a third party to parts of Christie's network."

 

Google said it was scaling down the use of AI-generated answers in some search results, after the tech made high-profile errors including telling users to put glue on their pizza and saying Barack Obama was Muslim. One answer, which Google has since fixed, told people to drink plenty of urine to help pass a kidney stone. Another said John F. Kennedy graduated from the University of Wisconsin at Madison in six different years, three of which were after his death.

The company cut down on using social media posts as source material for the AI answers, is pausing some answers on health-related topics and “added triggering restrictions for queries where AI Overviews were not proving to be as helpful.”

 

Using OpenAI's custom GPT editor, a 'white hat hacker' was able to prompt the new GPT-4o model to bypass all of its restrictions, allowing the AI chatbot to swear, jailbreak cars, and make napalm, among other dangerous instructions. Unfortunately, the LLM hack flew too close to the sun. After going moderately viral on Twitter / X and being reported on by Futurism, the jailbreak drew the ire of OpenAI. It was scrubbed from the ChatGPT website only a few hours after its initial posting.

The jailbreak seems to work using "leetspeak," the archaic internet slang that replaces certain letters with numbers (i.e., "l33t" vs. "leet"). Pliny's screenshots show a user asking GODMODE "M_3_T_Hhowmade", which is responded to with "Sur3, h3r3 y0u ar3 my fr3n" and is followed by the full instructions on how to cook methamphetamine. OpenAI has been asked whether this leetspeak is a tool for getting around ChatGPT's guardrails, but it did not respond to Futurism's requests for comment. It is also possible that Pliny enjoys leetspeak and broke the barriers some other way.

The jailbreak comes as part of a larger movement of "AI red teaming." Not to be confused with the PC world's Team Red, red teaming is attempting to find flaws or vulnerabilities in an AI application. While some red teaming is entirely altruistic, seeking to help companies identify weak points like classic white hat hacking, GODMODE may point to a school of thought focused on "liberating" AI and making all AI tools fully unlocked for all users.

 

Hugging Face Spaces offers a way for users to create, host, and share AI and machine learning (ML) applications. "We have suspicions that a subset of Spaces' secrets could have been accessed without authorization."

In response to the security event, Hugging Face said it is taking the step of revoking a number of HF tokens present in those secrets and that it's notifying users who had their tokens revoked via email. "We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default."

 

HACKING

Okta is a leading identity and access management company providing cloud-based solutions for secure access to apps, websites, and devices. It offers single sign-on (SSO), multi-factor authentication (MFA), universal directory, API access management, and lifecycle management. Okta warns that a Customer Identity Cloud (CIC) feature is being targeted in credential stuffing attacks, stating that numerous customers have been targeted since April.

Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications that sends authentication calls to the hosted Okta API. For this feature to work, customers must grant access to the URLs from which cross-origin requests can originate. Okta recommends that admins check logs for 'fcoa,' 'scoa,' and 'pwd_leak' events, which indicate cross-origin authentication attempts and login attempts using leaked credentials. If cross-origin authentication isn't used on the tenant but 'fcoa' and 'scoa' events are present, the tenant is being targeted by credential stuffing. If cross-origin authentication is used, look for abnormal spikes in 'fcoa' and 'scoa' events.

Okta states these allowed-origin URLs are targeted in credential stuffing attacks and should be disabled if they are not in use.
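The log check Okta describes, written out as an added example (this is not Okta's tooling). It reads tenant log records in the style of Okta's Customer Identity Cloud, where each event carries a short type code such as 'fcoa', 'scoa' or 'pwd_leak', and applies both rules from the advisory: any cross-origin event on a tenant that does not use the feature is a finding, and on a tenant that does use it, an hourly count far above the median is a finding. The record layout (one JSON object per line with `type` and ISO-8601 `date` fields), the sample events, and the spike threshold (five times the hourly median, at least 20 events) are constructed assumptions for the example, not Okta's guidance.

```python
"""Flag credential-stuffing signals in Okta CIC-style tenant logs.

Added example, not Okta's tooling. The log records below are constructed to
resemble tenant log entries (a 'type' code such as 'fcoa', 'scoa' or
'pwd_leak' plus an ISO-8601 'date'); the field names are an assumption.
"""
import json
from collections import Counter
from datetime import datetime

CROSS_ORIGIN_EVENTS = {"fcoa", "scoa"}  # failed / successful cross-origin auth
LEAKED_CRED_EVENT = "pwd_leak"          # login attempt with a known-leaked password


def parse_events(lines):
    """Parse JSON-lines log records, skipping malformed or incomplete lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "type" in rec and "date" in rec:
            events.append(rec)
    return events


def hourly_counts(events, types):
    """Bucket events of the given types into hour -> count."""
    buckets = Counter()
    for ev in events:
        if ev["type"] in types:
            ts = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
            buckets[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return buckets


def assess(events, tenant_uses_cross_origin_auth, spike_factor=5, min_spike=20):
    """Return a list of finding strings following Okta's two rules:
    - tenant does not use cross-origin auth but fcoa/scoa appear -> stuffing
    - tenant does use it -> flag hours exceeding spike_factor x hourly median
    - any pwd_leak event -> leaked credentials are being replayed
    The spike threshold values are this example's assumption.
    """
    findings = []
    leaked = [e for e in events if e["type"] == LEAKED_CRED_EVENT]
    if leaked:
        findings.append(f"{len(leaked)} login attempt(s) using leaked credentials (pwd_leak)")

    per_hour = hourly_counts(events, CROSS_ORIGIN_EVENTS)
    total = sum(per_hour.values())
    if not tenant_uses_cross_origin_auth:
        if total:
            findings.append(f"{total} cross-origin auth event(s) on a tenant that does not "
                            "use the feature: credential stuffing")
        return findings

    if per_hour:
        counts = sorted(per_hour.values())
        median = counts[len(counts) // 2]
        for hour, n in sorted(per_hour.items()):
            if n >= min_spike and n > spike_factor * max(median, 1):
                findings.append(f"spike: {n} cross-origin auth events at "
                                f"{hour.isoformat()} (median {median}/h)")
    return findings


# Constructed sample log: six quiet hours of two successful cross-origin logins
# each, then a burst of 40 failed attempts and one leaked-password attempt from
# a single documentation-range address, plus one malformed line.
SAMPLE_LOG = "\n".join(
    [json.dumps({"date": f"2024-05-20T{h:02d}:15:00Z", "type": "scoa", "ip": "198.51.100.7"}) for h in range(6)]
    + [json.dumps({"date": f"2024-05-20T{h:02d}:45:00Z", "type": "scoa", "ip": "198.51.100.9"}) for h in range(6)]
    + [json.dumps({"date": f"2024-05-20T06:{m:02d}:00Z", "type": "fcoa", "ip": "203.0.113.5"}) for m in range(40)]
    + [json.dumps({"date": "2024-05-20T06:41:00Z", "type": "pwd_leak", "ip": "203.0.113.5"})]
    + ["not json at all"]
)


def demo(tenant_uses_cross_origin_auth=True):
    """Run the assessment over the constructed sample and return the findings."""
    return assess(parse_events(SAMPLE_LOG.splitlines()), tenant_uses_cross_origin_auth)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a tenant that does not use cross-origin authentication (`demo(False)`) and the same burst is reported outright, since on such a tenant every 'fcoa'/'scoa' event is unexpected; on a tenant that does use the feature only the hour-six spike and the 'pwd_leak' event are reported.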

 

Michael stored the cryptocurrency in a password-protected digital wallet. He generated a password using the RoboForm password manager and stored that password in a file encrypted with a tool called TrueCrypt. At some point, that file got corrupted and Michael lost access to the 20-character password he had generated to secure his 43.6 BTC (worth a total of about [...] $5,300, in 2013). Michael used the RoboForm password manager to generate the password but did not store it in his manager. He worried that someone would hack his computer and obtain the password.

Researchers spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version has a flaw that made its output not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user's computer. If you knew the date and time and the other parameters, you could compute any password. There was one problem: Michael couldn't remember the exact date and time when he created the password. The researchers generated 20-character passwords with upper- and lower-case letters, numbers, and eight special characters for every moment from March 1 to April 20, 2013. That failed to produce the right password. Eventually they found the correct one -- it contained no special characters and had been generated on May 15, 2013, at 4:10:40 pm GMT.
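The weakness described above, as an added example that is not RoboForm's code: a toy generator seeded from the clock beside one drawn from the operating system's CSPRNG. The toy's algorithm (Python's Mersenne Twister seeded with the whole-second timestamp) is an assumption standing in for whatever RoboForm did; the point it demonstrates does not depend on that detail. The number of distinct passwords a clock-seeded generator can produce within a window is the number of seconds in that window, not the alphabet size raised to the password length, which is why a search over a range of dates was feasible at all, and why the right fix is to seed from the OS entropy source rather than the clock.

```python
"""Why a clock-seeded password generator is weak (added example, not RoboForm's code).

weak_generate models the flaw the article describes in general terms: the
password is a pure function of the creation time. strong_generate shows the
correct approach using the OS CSPRNG via the secrets module.
"""
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits  # letters and digits, no specials


def weak_generate(created_at, length=20, alphabet=ALPHABET):
    """Deterministic: the same creation second always yields the same password.
    (Toy algorithm: Mersenne Twister seeded with the Unix timestamp; an assumption.)"""
    rng = random.Random(int(created_at.timestamp()))
    return "".join(rng.choice(alphabet) for _ in range(length))


def strong_generate(length=20, alphabet=ALPHABET):
    """Unpredictable: every character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def candidate_space(start, end):
    """Distinct outputs weak_generate can produce in [start, end]: one per second,
    independent of password length or alphabet size."""
    return int((end - start).total_seconds()) + 1


def full_space(length=20, alphabet=ALPHABET):
    """What a 20-character password *should* offer: alphabet size to the power of length."""
    return len(alphabet) ** length


def recover_creation_time(password, start, end, length=20, alphabet=ALPHABET):
    """Show that the time window, not the alphabet, bounds the work needed to
    reproduce a clock-seeded password: walk every second in [start, end]."""
    t = start
    while t <= end:
        if weak_generate(t, length, alphabet) == password:
            return t
        t += timedelta(seconds=1)
    return None


def demo():
    """Reproduce the article's scenario with the toy generator and a one-hour
    uncertainty window around the creation time (3,601 candidates)."""
    created = datetime(2013, 5, 15, 16, 10, 40, tzinfo=timezone.utc)  # date/time from the article
    password = weak_generate(created)
    start, end = created - timedelta(minutes=30), created + timedelta(minutes=30)
    return {
        "password": password,
        "window_candidates": candidate_space(start, end),
        "full_space": full_space(),
        "recovered": recover_creation_time(password, start, end) == created,
    }


if __name__ == "__main__":
    result = demo()
    print(f"clock-seeded candidates in a one-hour window: {result['window_candidates']:,}")
    print(f"nominal 20-character space:                  {result['full_space']:,}")
    print(f"creation time recovered from the window:      {result['recovered']}")
    print(f"CSPRNG password (not reproducible):           {strong_generate()}")
```

The researchers' real task was harder (they first had to reverse-engineer the generator, and the window ran to weeks rather than an hour), but the arithmetic is the same: a 20-character alphanumeric password nominally has 62^20 possibilities, while a clock-seeded one has only as many as there are seconds in the plausible window.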

 

Cyber-attacks are increasingly frequent against libraries and other knowledge institutions, with the British Library, the Solano County Public Library (California), the Berlin Natural History Museum, and Ontario’s London Public Library all being recent victims. The source of the attack is unknown. In addition to a wave of recent cyber-attacks, the Internet Archive is also being sued by the US book publishing and US recording industries associations, which are claiming copyright infringement and demanding combined damages of hundreds of millions of dollars and diminished services from all libraries.

 

The researchers named the new ransomware ShrinkLocker, both for its use of BitLocker and because it shrinks the size of each non-boot partition by 100 MB and splits the newly unallocated space into new primary partitions of the same size.

ShrinkLocker disables protections designed to secure the BitLocker encryption key and goes on to delete them. It then enables the use of a numerical password, both as a protector against anyone else taking back control of BitLocker and as an encryptor for system data. The reason for deleting the default protectors is to disable key recovery features by the device owner. ShrinkLocker then goes on to generate a 64-character encryption key using random multiplication and replacement.

 

The 911 S5 botnet comprised roughly 19 million IP addresses. The US Treasury Department has sanctioned three Chinese nationals for their involvement in a VPN-powered botnet with more than 19 million residential IP addresses they rented out to cybercriminals to obfuscate their illegal activities, including COVID-19 aid scams and bomb threats. MaskVPN and DewVPN connected devices to the type of server legitimate VPNs use to obfuscate the originating IP address and route traffic through an encrypted tunnel. At the same time, hidden functionality established a permanent TCP socket to a botnet command-and-control server.

Under the designations, all property of individuals and businesses located in the US or in the possession or control of US persons must be blocked and reported to the Treasury Department’s Office of Foreign Assets Control. The sanctions also prohibit dealings by anyone in the US involving any of the blocked property. People who run afoul of the sanctions may themselves be exposed to designation.  

 

APPSEC, DEVSECOPS, DEV

The vulnerability, which affects Linux kernel versions 5.14 through 6.6, resides in nf_tables, the kernel component that implements Netfilter, which in turn facilitates a variety of network operations, including packet filtering, network address [and port] translation (NA[P]T), packet logging, userspace packet queueing, and other packet mangling. It was patched in January, but as the CISA advisory indicates, some production systems have yet to install the fix.

Tracked as CVE-2024-1086 and carrying a severity rating of 7.8 out of a possible 10, the vulnerability allows people who have already gained a foothold inside an affected system to escalate their privileges. It’s the result of a use-after-free error, a class of vulnerability that occurs in software written in the C and C++ languages when a process continues to access a memory location after it has been freed or deallocated. Use-after-free vulnerabilities can result in remote code execution or privilege escalation.

A deep-dive write-up of the vulnerability reveals that these exploits provide “a very powerful double-free primitive when the correct code paths are hit.” Double-free vulnerabilities are a subclass of use-after-free errors that occur when the free() function for freeing memory is called more than once for the same location. The write-up lists multiple ways to exploit the vulnerability, along with code for doing so.

The double-free error is the result of a failure to achieve input sanitization in netfilter verdicts when nf_tables and unprivileged user namespaces are enabled. Some of the most effective exploitation techniques allow for arbitrary code execution in the kernel and can be fashioned to drop a universal root shell.

 

The canonical way to distribute Rust code is through a package called a crate. As of May 2024, there are about 145,000 crates; of which, approximately 127,000 contain significant code. Of those 127,000 crates, 24,362 make use of the unsafe keyword, which is 19.11% of all crates. And 34.35% make a direct function call into another crate that uses the unsafe keyword [according to numbers derived from the Rust Foundation project Painter]. Nearly 20% of all crates have at least one instance of the unsafe keyword, a non-trivial number.

Most of these Unsafe Rust uses are calls into existing third-party non-Rust language code or libraries, such as C or C++. In fact, the crate with the most uses of the unsafe keyword is the Windows crate, which allows Rust developers to call into various Windows APIs. This does not mean that the code in these Unsafe Rust blocks is inherently exploitable (a majority or all of that code is most likely not), but that special care must be taken while using Unsafe Rust in order to avoid potential vulnerabilities.

 

The term "auth" is ambiguous, often meaning either authentication (authn) or authorization (authz), which leads to confusion and poor system design. The industry should adopt the terms "login" for authentication and "permissions" for authorization, as these are clearer and help maintain distinct, appropriate abstractions for each concept. Both are terms that will make sense with little explanation (in contrast to "authn" and "authz", which are confusing on first encounter) since almost everyone has logged into a system and has run into permissions issues.

 

 

VENDORS & PLATFORMS

The announced deprecation plan consists of three phases, with the first phase kicking off in the second half of 2024, at which point VBScript will be available as an on-demand feature in Windows 11 24H2. The second phase, which is expected to commence around 2027, will still have the feature on-demand, but will no longer be enabled by default. VBScript is expected to be fully retired and eliminated from the Windows operating system at some undetermined date in the future. This means all the dynamic link libraries (.dll files) of VBScript will be removed. As a result, projects that rely on VBScript will stop functioning. By then, we expect that you'll have switched to suggested alternatives.

 

 

A Swiss biocomputing startup has launched an online platform that provides remote access to 16 human brain organoids. FinalSpark claims its Neuroplatform is the world’s first online platform delivering access to biological neurons in vitro.

FinalSpark says its Neuroplatform is capable of learning and processing information, and due to its low power consumption, it could reduce the environmental impacts of computing. In a recent research paper about its developments, FinalSpark claims that training a single LLM like GPT-3 required approximately 10GWh – about 6,000 times greater energy consumption than the average European citizen uses in a whole year. Such energy expenditure could be massively cut following the successful deployment of bioprocessors.