Robert Grupe's AppSecNewsBits 2024-06-22

Epic Fails: Unsecured APIs, Databases, Secrets in Jira

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Coding error in forgotten API blamed for massive data breach
The data breach at Australian telco Optus saw over nine million customers' personal information exposed.
Optus stored customer info and made it accessible to authenticated customers at www[.]optus[.]com[.]au and api[.]optus[.]com[.]au – described as the "Main" and "Target" domains. Retrieving that info required use of APIs that the filing describes as "Target APIs." The Target domain existed to segregate API traffic from static content at the Main domain, and had been internet-facing since 2017.
But in 2018 a coding error broke one of those access controls, and meant it didn't work on either the Target or Main domain. Optus spotted that error … in 2021, when it fixed it – but only for the Main domain. The Target domain, however, remained online and internet-facing. It was not decommissioned despite a lack of any need for it. In September 2022, an attacker "was able to bypass access controls and send requests to the Target APIs." Doing so returned customer information for 9.5 million people – and sent Optus and its Singaporean owner, Singtel, into a world of pain.
The cyber attack was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus's processes or systems. It was carried out through a simple process of trial and error.
There but for the grace of Git goes many a reader, we suspect.

UK's Total Fitness exposed nearly 500K images of members, staff through unprotected database
More than 474,000 images of both members and staff – including men, women, and children – were stored in a database that was left unprotected and publicly accessible without the need for a password. The database totaled 47.7GB in size. It also included a cache of images that revealed individuals' identity documents, bank and payment card information, as well as phone numbers and immigration records.

Thousands of Car Dealerships Stalled Out After Software Provider Cyberattack
The cyber incident is far from over for dealerships that rely on CDK software. CDK is suffering from not one, but two cyberattacks that have caused the SaaS provider to shut down IT systems. Given the extensive reliance on this third-party vendor, the fallout from this attack reverberates throughout the entire automotive industry.

CDK Global hacked again while recovering from first cyberattack
CDK became aware that they were breached Tuesday night, causing them to shut down their data centers, IT systems, and login systems. The attack led to a massive outage as car dealerships could not conduct their normal operations, including servicing or selling vehicles. Unfortunately, as CDK was restoring its services, they were once again forced to shut down their systems after suffering another breach. While this is affecting car dealerships, it is also affecting customers who want to purchase a new car or service an existing one.

How ShinyHunters hackers allegedly pilfered Ticketmaster data from Snowflake Jira
Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a contractor that works with those customers. The hacker says that a computer belonging to one of EPAM’s employees was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. Once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer. Using this access, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The credentials were stored on the worker’s machine in a project management tool called Jira. Hackers were able to use those credentials to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them.
[rG: Which now leads on the need for exposed secrets scanning to not just look at code repositories and design documentation, but also dev team project/ticket management applications (and asset management systems).]
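The scanning the rG note calls for is mechanically no different from repository secret scanning; what changes is the corpus. As an added illustration that is not code from any real scanner or from Jira, the block below runs a handful of well-known token shapes over constructed, Jira-like ticket records (issue key, field name, text). The AWS key id AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its own documentation; every other value is made up.

```python
"""Added example: secret scanning applied to ticket-system text.

Constructed, stand-alone illustration; not code from any real scanner or
from Jira. Ticket records are made up; the key id AKIAIOSFODNN7EXAMPLE is
the placeholder AWS uses in its own documentation.
"""
import re
from typing import Dict, List

# Rule name -> regex. Deliberately short list of well-known token shapes; a
# production deployment would load a maintained rule set instead.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # password=..., pwd: ..., api_key="...": group 1 captures the value
    "credential_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{6,})"
    ),
}

# Constructed records in a Jira-like shape: issue key, the field the text
# came from, and the text itself. Only OPS-101, OPS-102 and OPS-105 carry
# anything a scanner should flag; OPS-103 is a deliberate near-miss.
SAMPLE_TICKETS: List[Dict[str, str]] = [
    {"key": "OPS-101", "field": "comment",
     "text": "Rotated the Snowflake service account. New creds: "
             "user=svc_etl password=Wint3r!Migrate2024"},
    {"key": "OPS-102", "field": "description",
     "text": "Deploy fails with AccessDenied when using AKIAIOSFODNN7EXAMPLE "
             "from the shared runbook"},
    {"key": "OPS-103", "field": "comment",
     "text": "Parser chokes when a token= value is empty, see attached log"},
    {"key": "OPS-104", "field": "summary",
     "text": "Enforce MFA on all Snowflake accounts"},
    {"key": "OPS-105", "field": "attachment_text",
     "text": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA(constructed)\n"},
]


def redact(value: str) -> str:
    """Keep a 4-char prefix so a report can be shared without re-exposing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 4)


def scan_text(text: str) -> List[Dict[str, str]]:
    """Run every rule over one piece of text and return redacted findings."""
    findings = []
    for rule, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            secret = match.group(1) if pattern.groups else match.group(0)
            findings.append({"rule": rule, "match": redact(secret)})
    return findings


def scan_tickets(tickets: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan every ticket field, tagging each finding with where it was found."""
    report = []
    for ticket in tickets:
        for finding in scan_text(ticket["text"]):
            report.append({"ticket": ticket["key"], "field": ticket["field"], **finding})
    return report


if __name__ == "__main__":
    for row in scan_tickets(SAMPLE_TICKETS):
        print(f'{row["ticket"]:8} {row["field"]:16} {row["rule"]:22} {row["match"]}')
```

Feeding comments, descriptions and attachment text through the same rules the repository scanner uses is the whole point; the field name in each finding is what lets the ticket be cleaned up (and the credential rotated) rather than just counted.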

T-Mobile denies it was hacked, links leaked data to vendor breach
"We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor's claim that T-Mobile's infrastructure was accessed is false." Based on IntelBroker's screenshots, the hacker had access to a Jira instance for testing applications as recently as this month. IntelBroker describes the data they're selling as "Source code, SQL files, Images, Terraform data, t-mobile[.]com certifications, Siloprograms."

Hackers Demand as Much as $5 Million From Snowflake Clients
Cybercriminals are demanding payments of between $300,000 and $5 million apiece from as many as 10 companies breached in a campaign that targeted Snowflake customers.

Change Healthcare finally spills the tea on what medical data was stolen by cyber-crew
Change has, for the first time that we can tell, provided specific details about what types of records may have been exfiltrated by the thieves. This includes first and last names, dates of birth, phone numbers, email addresses, and the following:

  • Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payer ID numbers)

  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment)

  • Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due)

  • Other personal information such as Social Security numbers, driver's licenses or state ID numbers, or passport numbers.

Change maintained it has "not yet seen full medical histories appear in the data review."

Experts Found A Bug In The Linux Version Of Ransomhub Ransomware
After processing command-line arguments and decrypting the configuration, RansomHub ESXi leverages the file /tmp/app[.]pid to check whether it is already running. If /tmp/app[.]pid does not exist, RansomHub will create it and write the process ID there. If /tmp/app[.]pid exists on startup, RansomHub will print to console “already running…”, read the process ID in the file, attempt to kill that process, and then exit if the process was killed. If the file /tmp/app[.]pid is created with “-1” written inside, then the ransomware will end up in a loop trying to kill process ID “-1”, which should never exist, and no encryption of files or other harm to the system will take place.
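The same pid-file pattern appears in plenty of legitimate daemons, and the bug described above is a reminder that the file's contents are untrusted input. As an added, defender-side illustration that is not code from the article or from any product, the block below shows a pid-file check that validates what it reads before anything is passed to kill(), alongside the careless version for contrast.

```python
"""Added example: validating pid-file contents before acting on them.

Constructed, defender-side illustration of how a legitimate daemon should
treat a pid-file; not code from the RansomHub write-up or any product.
"""
import os
from typing import Optional

# Upper bound of pid_max on 64-bit Linux (2**22); anything above is not a pid.
PID_MAX_LIMIT = 4_194_304


def naive_pid(contents: str) -> int:
    """What a careless implementation does: trust any integer in the file."""
    return int(contents.strip())


def validated_pid(contents: str) -> Optional[int]:
    """Accept only a plausible pid, i.e. a positive integer within range.

    kill(2) gives non-positive pids special meaning: 0 targets the caller's
    whole process group and -1 targets every process the caller may signal.
    A pid-file holding "-1" or "0" must therefore never reach kill().
    """
    text = contents.strip()
    if not text.isdigit():           # rejects "-1", "", "abc", "12 34"
        return None
    pid = int(text)
    if pid <= 0 or pid > PID_MAX_LIMIT:
        return None
    return pid


def pid_is_alive(pid: int) -> bool:
    """Probe for existence with signal 0, which delivers nothing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                  # exists but belongs to another user
    return True


def instance_state(pidfile_contents: Optional[str]) -> str:
    """Classify a pid-file as absent, invalid, stale or running.

    "invalid" and "stale" are both safe to overwrite with our own pid;
    only "running" means another instance really holds the lock.
    """
    if pidfile_contents is None:
        return "absent"
    pid = validated_pid(pidfile_contents)
    if pid is None:
        return "invalid"
    return "running" if pid_is_alive(pid) else "stale"


def own_pid_contents() -> str:
    """Helper for demonstrations: what this process would write to its pid-file."""
    return f"{os.getpid()}\n"
```

Two design points follow from the write-up. A pid-file under /tmp can be pre-created by any local user, which is exactly what the "-1" trick exploits; a daemon should keep its pid-file in a directory only it can write to. And an invalid or stale file should be treated as "not running" and overwritten, never as a target to signal.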

Nearly 20% of running Microsoft SQL Servers have passed end of support
19.8% were now unsupported by Microsoft. 12% were running SQL Server 2014, which is due to drop out of extended support on July 9 – meaning the proportion will be 32% early next month.

systemd 256.1: Now slightly less likely to delete /home
The systemd-tmpfiles command manages files according to a specification file called tmpfiles.d, and, among many others, it has an option called --purge, which sounds quite handy.
Among the issues fixed in version 256.1: as long as five years ago, systemd-tmpfiles had moved on past managing only temporary files – despite what its name might suggest to the unwary. Now it manages all sorts of files created on the fly … such as users' home directories. If you invoke the systemd-tmpfiles --purge command without specifying that very important config file which tells it which files to handle, version 256 will merrily purge your entire home directory.

SolarWinds Serv-U path traversal flaw actively exploited in attack
Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability, leveraging publicly available proof-of-concept (PoC) exploits. Although the attacks do not appear particularly sophisticated, the observed activity underscores the risk posed by unpatched endpoints, emphasizing the urgent need for administrators to apply the security updates.
The vulnerability, CVE-2024-28995, is a high-severity directory traversal flaw, allowing unauthenticated attackers to read arbitrary files from the filesystem by crafting specific HTTP GET requests.
Rapid7 warned about how trivial the flaw is to exploit, estimating the number of internet-exposed and potentially vulnerable instances between 5,500 and 9,500. 
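Directory traversal of the kind described for CVE-2024-28995 is stopped by resolving the requested path lexically and confining it to the served directory before any filesystem call. The block below is an added, generic illustration of that check; it is not Serv-U code and makes no claim about how that product is built. The base directory and the request paths (including the classic encodings a server must refuse) are constructed.

```python
"""Added example: confining a requested path to a base directory.

Constructed, generic illustration of the check a file-serving handler
should run before touching the filesystem; not Serv-U code. Base directory
and request paths are made up.
"""
from pathlib import PurePosixPath
from typing import List
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would resolve outside the served directory."""


def resolve_under_base(base: str, requested: str) -> str:
    """Map a request path onto base, or raise TraversalError if it would escape.

    Steps: percent-decode exactly once (the same number of times the
    server will use the result), reject NUL bytes, treat backslash as a
    separator, then walk the segments lexically so every ".." is accounted
    for before any filesystem call happens.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    decoded = decoded.replace("\\", "/")

    parts: List[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                 # leading/double slash or current dir
        if segment == "..":
            if not parts:
                raise TraversalError("request path escapes base directory")
            parts.pop()
        else:
            parts.append(segment)
    return str(PurePosixPath(base).joinpath(*parts))


def is_confined(base: str, requested: str) -> bool:
    """Boolean form of the check, convenient for logging and tests."""
    try:
        resolve_under_base(base, requested)
    except TraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed request paths: the first two are legitimate, the rest are
    # the classic encodings a server must refuse.
    for req in ("docs/readme.txt", "docs/../a/./b",
                "../etc/passwd", "..%2f..%2fetc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "docs\\..\\..\\etc\\passwd",
                "file%00.txt"):
        print(f"{req!r:32} -> {'ok' if is_confined('/srv/files', req) else 'REJECT'}")
```

Rejecting rather than silently clamping a ".." that would climb above the base gives you a log line per attempt, which is the signal to watch for on an exposed instance. Lexical checks do not see symlinks, so the open that follows should also compare the real path against the base (or open relative to a directory descriptor) rather than trust the string alone.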

HACKING
Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims' infrastructure
Notorious cyber gang UNC3944 – the crew suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, and plenty more besides – has changed its tactics and is now targeting SaaS applications.
UNC3944 calls corporate help desks and attempts social engineering attacks during those calls. The threat actors spoke with clear English and targeted accounts with high privilege potential. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks.
UNC3944's crooked callers would often claim they were receiving a new phone, which necessitated a multi-factor authentication (MFA) reset. If help desk staff allowed that reset, the attackers would reset passwords and bypass MFA requirements.
If social engineering doesn’t work, the gang may just threaten its targets. UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.
However the crooks entered an org's infrastructure, they would quickly go looking for info on tools like VPNs, virtual desktops, and remote telework utilities that would give persistent access. Access to Okta was another target – being able to mess with that vendor's single sign-on tools (SSO) gave attackers the ability to create accounts they could use to log into other systems. VMware's vSphere hybrid cloud management tool was one target of attacks made after compromising SSO tools. Microsoft's Azure was another.

Why Going Cashless Has Turned Sweden Into a High-Crime Nation 
Sweden's switch to electronic cash started after a surge of armed robberies in the 1990s, and by 2022, only 8% of Swedes said they had used cash for their latest purchase.
Online fraud and digital crime in Sweden have surged, with criminals taking 1.2 billion kronor in 2023 through scams, doubling from 2021. Law-enforcement agencies estimate that the size of Sweden's criminal economy could amount to as high as 2.5% of the country's gross domestic product. To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it's a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process. Using complex webs of fake companies and forging documents to gain access to Sweden's welfare system, sophisticated fraudsters have made Sweden a "Silicon Valley for criminal entrepreneurship."

Staggering 261% Rise in Cyberattacks on Indian Websites During Jan-April 2024 Period
Indian websites experienced a staggering 261% increase in cyberattacks in the first quarter of 2024 compared to the corresponding period in 2023. Globally, the rise in cyberattacks during this time was 76%.
DDoS (Distributed Denial-of-Service) and bot attacks continue to be the top two threat vectors employed by attackers in India. Bot attacks are spreading rapidly, with 100% of healthcare apps and 90% of Banking, Financial Services and Insurance (BFSI) sector apps witnessing them throughout the quarter. Overall, bot attacks rose 147% compared to Q1 CY23.

  1. Access Control Breaches

  2. Phishing & Social Engineering

  3. Insider Threats

  4. Business Email Compromise (BEC)

  5. Physical Security Breaches

  6. Distributed Denial of Service (DDoS)

  7. Malware or Virus

  8. Supply Chain Attacks

  9. Ransomware

  10. Credentials Stored in Source Code

  11. Human Error

  12. Keystroke Recording

APPSEC, DEVSECOPS, DEV
Making Application Security A Board-Level Priority
85% of application developers and senior security decision-makers believe application security is a board-level priority—as it should be. However, additional findings paint a discordant picture. The survey found just 52% of security and IT leaders believe they can effectively rectify a critical vulnerability. This disconnect poses a difficult challenge for organizations trying to create a strong application security (AppSec) program.

  1. Understand the growing AppSec priority: nearly 70% of organizations reported experiencing a major security incident from a software vulnerability within the previous year. That’s not something CISOs—or the board—can afford to ignore, especially in light of the SEC’s recent decision to hold the former SolarWinds’ CISO accountable for failing to disclose cybersecurity risks.

  2. Measure what matters: When IT middle management is responsible for setting KPIs for the security team, there’s bound to be inconsistency not only in the KPIs being reported but also in the KPIs each function should prioritize.

  3. Communicate a tangible ROI: Calculate the time and cost savings resulting from [AppSec Controls], which is both tangible and repeatable.

  4. Focus on compliance: A robust application security program, enabled through automation, streamlines companies’ ability to maintain code quality, find and fix vulnerabilities, and create comprehensive SBOMs, helping ensure they’re both compliant and secure.

  5. Get on board: Although no security initiative can guarantee zero risk, investment in application security tools and processes aimed at decreasing vulnerabilities can certainly reduce incident risk and help prevent potentially costly breaches.

CISA, JCDC, Government and Industry Partners Conduct AI Tabletop Exercise
The Cybersecurity and Infrastructure Security Agency (CISA) conducted the federal government's inaugural tabletop exercise with the private sector focused on effective and coordinated responses to artificial intelligence (AI) security incidents. This exercise brought together more than 50 AI experts from government agencies and industry partners.
This exercise simulated a cybersecurity incident involving an AI-enabled system, and participants worked through operational collaboration and information sharing protocols for incident response across the represented organizations, emphasizing the need for advancing robust operational structures to address existing and potential security threats while prioritizing secure-by-design AI development and deployment.
Joint Defense Collaborative Artificial Intelligence Cyber Tabletop-Exercise

How to Mitigate AI-Generated Code Security Risks
When companies develop software, it is generally composed of three parts that an organization buys or contracts people to write:
Code
Open source
Commercial code
There is now a fourth component contributing code to the software, and that, of course, is AI. This unique piece of modern software is layered with all these other pieces, adding greater complexity to the application security challenge.
Before AI-generated code is embraced fully, organizations must recognize its challenges.

MITRE launches ACID to boost OT security with ATT&CK-based indicators using CISA’s ICSNPP Parsers
MITRE has introduced ACID (ATT&CK-based Control-system Indicator Detection for Zeek), a compilation of OT (operational technology) protocol indicators. These indicators utilize CISA’s ICSNPP Parsers to identify specific behaviors outlined in the ATT&CK framework for ICS (industrial control system). These indicators enhance visibility into specific aspects of configuration management and other OT network traffic activities, which are reported through the Zeek Notice Framework.

How to Build Robust and Secure Applications with Rust
The Rust team regularly posts new updates on security measures. Use the language’s official website as your guide to security. Among well-known commands are “Unwrap”, “Expect”, and “Result”. Commands prevent app crashes, which can render programs especially vulnerable to data leaks. Use “Clippy” and “Cargo audit” tools. They will notify you if there are app errors or potential hacks. This helps to prevent issues in advance before a human can see them. Basically, if code crashes and something unusual happens, you will see it. Additionally, use security libraries like “Hashbrown” and “Ring.” These libraries provide additional security features but remember to update them regularly. Otherwise, they won’t help with the newest hack tools. Use the command “Rustdoc”. With its help, Rust will generate documentation from your code comments.

How to Scale RAG and Build More Accurate LLMs
RAG needs to be surrounded by an architecture and data delivery mechanisms that allow teams to build multiple generative AI applications without reinventing the wheel, and in a manner that meets enterprise standards for data governance and quality. A data streaming model is the simplest and most efficient way to meet these needs, allowing teams to unlock the full power of LLMs to drive new value for their business.

VENDORS & PLATFORMS
19 January 2038 Linux Epoch End: SUSE upgrades its distros with 19 years of support - no other Linux comes close
SUSE Linux Enterprise Server (SLES) 15 Service Pack (SP) 6 update future-proofs IT workloads with a new Long Term Service (LTS) Pack Support Core. How long is long-term? Would you believe 19 years? This gives SLES the longest-term support period in the enterprise Linux market. Even Ubuntu, for which Canonical recently extended its LTS to 12 years, doesn't come close.
"Why 19 years?" SUSE General Manager of Business Critical Linux (BCL) Rick Spencer explained in an interview that the reason is that on 03:14:08 Greenwich Mean Time (GMT, aka Coordinated Universal Time) Tuesday, January 19, 2038, we reach the end of computing time. Well, not really, but Linux, and all the other Unix-based operating systems, including some versions of MacOS, reach what's called the Epoch.
That's when the time-keeping code in 32-bit Unix-based operating systems reaches the end of the seconds it's been counting since the beginning of time -- 00:00:00 GMT on January 1, 1970, as far as Linux and Unix systems are concerned -- and resets to zero. Just like the Y2K bug, that means that all unpatched 32-bit operating systems and software will have fits. The Linux kernel itself had the problem fixed in 2020's Linux 5.6 kernel, but many other programs haven't dealt with it.
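The boundary above can be checked today by emulating the 32-bit field. The block below is an added illustration, not SUSE code: it stores a seconds-since-1970 count in a 32-bit integer with struct and reports the last representable instant and what the field reads back one second later, for both the signed time_t the article refers to and the unsigned variant some file formats and protocols use instead. The range check at the end is the one to apply before writing a 64-bit timestamp into any such field.

```python
"""Added example: where a 32-bit time_t stops, emulated in Python.

Constructed illustration of the arithmetic behind the Y2038 item; not SUSE
code. A seconds-since-1970-01-01T00:00:00Z counter is stored in a 32-bit
field with struct so the boundary behaviour can be observed now.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_epoch_seconds(seconds: int) -> datetime:
    """Convert a raw seconds count to an aware UTC datetime (negative values allowed)."""
    return EPOCH + timedelta(seconds=seconds)


def store_time32(seconds: int, signed: bool = True) -> int:
    """Store a seconds count in a 32-bit field the way C does: truncate and wrap, no error."""
    raw = struct.pack("<I", seconds & 0xFFFFFFFF)
    return struct.unpack("<i" if signed else "<I", raw)[0]


def last_representable(signed: bool = True) -> str:
    """ISO-8601 UTC timestamp of the largest value a 32-bit time_t can hold."""
    limit = 2**31 - 1 if signed else 2**32 - 1
    return from_epoch_seconds(limit).isoformat()


def one_second_later(signed: bool = True) -> str:
    """What the field reads back one second after the limit, after wrap-around."""
    limit = 2**31 - 1 if signed else 2**32 - 1
    return from_epoch_seconds(store_time32(limit + 1, signed)).isoformat()


def fits_time32(seconds: int, signed: bool = True) -> bool:
    """Range check to apply before writing a timestamp into a 32-bit field."""
    lo, hi = (-2**31, 2**31 - 1) if signed else (0, 2**32 - 1)
    return lo <= seconds <= hi


if __name__ == "__main__":
    for signed in (True, False):
        label = "signed" if signed else "unsigned"
        print(f"{label:8} last: {last_representable(signed)}  then: {one_second_later(signed)}")
```

The signed field wraps to a negative count, so a naive reader lands in December 1901 rather than at zero; the unsigned variant buys time until 2106 but cannot represent dates before 1970. Kernel fixes do not propagate to on-disk formats, wire protocols or application code that still packs timestamps into 32 bits, which is why a range check at every such boundary is the practical mitigation.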

AWS Announces Authentication and Malware Protection Enhancements
The cloud giant informed customers about passkeys being added to the list of supported multi-factor authentication (MFA) mechanisms for root and Identity and Access Management (IAM) users. The company also started enforcing MFA on root users, particularly AWS Organization management account users. You can use the built-in authenticators in your phones and laptops to unlock a cryptographically secured credential to your AWS sign-in experience. And when using a cloud service to store the passkey (such as iCloud keychain, Google accounts, or 1Password), the passkey can be accessed from any of your devices connected to your passkey provider account. This helps you to recover your passkey in the unfortunate case of losing a device.
IAM Access Analyzer now benefits from custom policy checks to detect policies that grant access to critical AWS resources or grant any type of public access. AWS has introduced guided revocation. IAM Access Analyzer users are provided guidance that they can share with developers to revoke permissions which grant access that is not actually needed.
Amazon GuardDuty Malware Protection for the Amazon S3 service enables the detection of malicious files in S3 buckets. Until now, GuardDuty Malware Protection provided agentless scanning capabilities on Amazon EBS volumes attached to EC2 and container workloads.
The company also unveiled the preview version of natural language query generation in AWS CloudTrail Lake. The new feature uses gen-AI to enable customers to analyze CloudTrail logs to ensure that compliance, security and operational requirements are met.

Checkmarx unveils cloud-native application security services
Checkmarx has introduced two new products, Checkmarx Application Security Posture Management and Cloud Insights, to enable enhanced code-to-cloud visibility and security risks analysis in cloud-native applications.

  1. No knowledge cutoff: The free version of ChatGPT is not connected to the internet and, consequently, only has access to the information it was trained on, limiting its knowledge base to up to January 2022.

  2. Footnotes: When you ask ChatGPT a question, it simply answers with the text response and does not include any sources or footnotes. You can ask ChatGPT to provide sources after you get the answer by typing something like: "Please provide sources for the previous answer." Unfortunately, this approach doesn't always work.

  3. A more advanced model

  4. Voice inputs

  5. Image inputs

  6. Image generation

  7. Shopping assistance: because it is connected to the current Internet

Biden bans Kaspersky: No more sales, updates in US
Uncle Sam will block the sale of Kaspersky software in the US to new customers beginning July 20 – and also ban the antivirus maker from distributing software updates and malware signatures to existing Stateside customers after September 29.
https://oicts.bis.gov/kaspersky/
https://oicts.bis.gov/kaspersky/individuals/
Uncle Sam sanctions Kaspersky's top bosses – but not Mr K himself
Uncle Sam took another swing at Kaspersky Lab today and sanctioned a dozen C-suite and senior-level executives at the antivirus maker, but spared CEO and co-founder Eugene Kaspersky.
The move prevents US persons and organizations from doing business with the designated individuals. Any non-US financial institution that works with them also risks sanctions under Executive Order 13873. 

LEGAL & REGULATORY
Shoddy infosec costs PwC spinoff and NMA $11.3M in settlement with Uncle Sam
Guidehouse, formerly PwC's US public sector arm and still headquartered in McLean, Virginia, has agreed to pay $7.6 million, while consultancy NMA – based in California's El Cajon – agreed to shell out $3.7 million. An ex-Guidehouse employee who blew the whistle on this affair earned themselves $1,949,250 as part of the settlements.
The consulting firms were supposed to ensure that this ERAP application underwent proper cybersecurity testing before deployment. But, according to the settlements, neither NMA nor Guidehouse's testing tools worked, and they cleared it for launch anyway.
The New York State ERAP went live as planned on June 1, 2021, and individuals' sensitive information loss started almost immediately. About 12 hours after the ERAP application was online, the OTDA notified both consulting firms that certain data from the applications had been leaking onto the internet.
Guidehouse admitted that between November 10 and December 14, it used an unnamed "third-party data cloud software program" to store PII without first obtaining the state's approval. This was also in violation of its contract.

Blackbaud has to cough up $6.75M more over 2020 ransomware attack
Months after escaping without a fine from the US Federal Trade Commission (FTC), the luck of cloud software biz Blackbaud ran out when it came to reaching a settlement with California's attorney general.
The developer of apps for education, charity, and non-profit organizations will have to pay $6.75 million after Rob Bonta chastised its cybersecurity practices and lack of transparency following its 2020 ransomware attack.
Blackbaud's settlement with Bonta is the final one in the saga, after the firm previously settled with the 49 other state AGs and the District of Columbia in October 2023 for a sum of $49.5 million.

Apple Won’t Roll Out AI Tech In EU Market Over Regulatory Concerns
The company announced Friday it would block the release of Apple Intelligence, iPhone Mirroring and SharePlay Screen Sharing from users in the EU this year, because the Digital Markets Act allegedly forces it to downgrade the security of its products and services. Under the DMA, Apple is expected to receive a formal warning from EU regulators over how it allegedly blocks apps from steering users to cheaper subscription deals on the web -- a practice for which it received a $1.9 billion fine from Brussels regulators earlier this year.

Men plead guilty to aggravated ID theft after pilfering police database
Both defendants face a minimum sentence of two years in prison and a maximum of seven years.
Sagar Steven Singh, 20, and Nicholas Ceraolo, 26, admitted to being members of ViLE, a group that specializes in obtaining personal information of individuals and using it to extort or harass them. Members use various methods to collect social security numbers, cell phone numbers, and other personal data and post it, or threaten to post it, to a website administered by the group. Victims had to pay to have their information removed or kept off the website. The men gained access to the law enforcement portal by stealing the password of an officer’s account and using it to log in. Investigators tied Singh to the unlawful access after he logged in with the same IP address he had recently used to connect to a social media site account registered to him.