Robert Grupe's AppSecNewsBits 2024-07-06

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Indonesian government didn't have backups of ransomwared data, because DR was only an option
“This is not a governance issue, it’s a stupidity issue to have national data without a single backup,” responded Chair of the First Commission of the People's Representative Council, Meutya Hafid.
According to Budi, backup capacity is available to government agencies at the datacenters - but using it is optional. Most agencies did not use it because of budget constraints, however, in the future it will become mandatory.

Ransomware scum who hit Indonesian government apologizes, hands over encryption key
Brain Cipher, the group responsible for hacking into Indonesia's Temporary National Data Center (PDNS) and disrupting the country's services, has seemingly apologized for its actions and released an encryption key to the government. That key was in the form of an 54 kb ESXi file. Its efficacy has not yet been confirmed.
The team also provided a motive – that it was acting as a penetration tester of sorts, and that talks with the government had become deadlocked. The cyber criminals had demanded a ransom of 131 billion Rupiah ($8 million) to release data it ransomwared June 20, but the Indonesian government refused to pay up. "We hope that our attack made it clear to you how important it is to finance the industry and recruit qualified specialists," the hackers lectured. "In this case, the attack was so easy that it took us very little time to unload the data and encrypt several thousand terabytes of information."
In the statement, Brain Cipher detailed that it was releasing the decryptor of its own accord, without prodding by law enforcement or other agencies. It did, however, ask for public gratitude for its magnanimous behavior – and even provided an account at which it could receive donations.
Politicians and the public alike appear on the hunt for a scapegoat – a petition demanding the resignation of communications and informatics minister Budi Arie Setiadi over the matter garnered more than 18,000 signatures.

Twilio says hackers identified cell phone numbers of two-factor app Authy users
Hackers known as ShinyHunters wrote that they hacked Twilio and obtained the cell phone numbers of 33 million users. Twilio confirmed that “threat actors” were able to identify the phone number of people who use Authy, a popular two-factor authentication app owned by Twilio.
"Threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests. As a precaution, we are requesting all Authy users to update to the latest Android and iOS apps for the latest security updates and encourage all Authy users to stay diligent and have heightened awareness around phishing and smishing attacks.”
Now hackers can specifically target people who they know are Authy users, giving the attackers a chance to make it look like their malicious messages really come from Authy and Twilio.

CocoaPods Vulnerabilities Could Hit Apple, Microsoft, Facebook, TikTok, Snap and More
CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting “almost every Apple device.”
Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.
The vulnerabilities have been patched, yet the researchers still found 685 Pods that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases. Researchers often find that 70-80% of client code they review is composed of open-source libraries, packages, or frameworks. By making a straightforward curl request to the publicly available API, and supplying the unclaimed targeted pod name, the door was wide open for a potential attacker to claim any or all of these orphaned Pods as their own. Once they took over a Pod, an attacker would be able to manipulate the source code or insert malicious content into the Pod, which would then go on to infect many downstream dependencies, and potentially find its way into a large percentage of Apple devices currently in use.
Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years, and close attention should be paid to software that relies on orphaned CocoaPod packages that do not have an owner assigned to them. Developers and organizations should review dependency lists and package managers used in their applications, validate checksums of third-party libraries, perform periodic scans to detect malicious code or suspicious changes, keep software updated, and limit use of orphaned or unmaintained packages.

Latest Ghostscript vulnerability haunts experts as the next big breach enabler
Ghostscript is a Postscript and Adobe PDF interpreter that lets users of *nix, Windows, MacOS, and various embedded OSes and platforms view, print, and convert PDFs and image files. It is a default installation in many distros, as well as being used indirectly by other packages to support printing or conversion operations.
A security analyst found a way to achieve remote code execution (RCE) on machines running Ghostscript after bypassing the -dSAFER sandbox.
This vulnerability has significant impact on web applications and other services offering document conversion and preview functionalities as these often use Ghostscript under the hood.
Advisories and accompanying severity assessments from the likes of Tenable and Red Hat (both rated the bug 5.5 using CVSS 3.0) were missing the mark in some aspects. Namely, onlookers believe that no user interaction is required for the exploit to be successful. Both Red Hat and Tenable assessed the opposite to be the case, a decision that, if incorrect, would mean the severity score is currently lower than what it should be.

New regreSSHion OpenSSH RCE bug gives root on Linux servers
CVE-2024-6387 is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root. CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges.
regreSSHion is hard to exploit and requires multiple attempts to achieve the necessary memory corruption. However, it's noted that AI tools may be used to overcome the practical difficulties and increase the successful exploitation rate. regreSSHion likely also exists on macOS and Windows, its exploitability on these systems hasn't been confirmed.

Ethereum mailing list breach exposes 35,000 to crypto draining attack
The attack occurred on the night of June 23 when an email was sent from the address ‘updates@blog[.]ethereum[.]org' to 35,794 addresses.
The message lured recipients to the malicious website with an announcement of a collaboration with Lido DAO and invited them to take advantage of a 6.8% annual percentage yield (APY) on staked Ethereum.
Clicking on the embedded 'Begin staking' button to get the promised investment returns took people to a fake but professionally crafted website made to appear as part of the promotion.
If users connected their wallets on that site and signed the requested transaction, a crypto drainer would empty their wallets, sending all amounts to the attacker.

Many website admins, it seems, have yet to get memo to remove Polyfill[.]io links.
Of the 384,773 sites still linking to polyfill[.]com, 237,700, or almost 62%, were located inside Germany-based web host Hetzner.
Various mainstream sites—both in the public and private sectors—were among those linking to polyfill include:
Warner Bros.
Hulu
Mercedes-Benz
Pearson
The amazonaws[.]com address was the most common domain associated with sites still linking to the polyfill site, an indication of widespread usage among users of Amazon’s S3 static website hosting.
182 domains end in .gov, meaning they are affiliated with a government entity.

Dev rejects CVE severity, makes his GitHub repo read-only
The 'node-ip' project exists on the npmjs[.]com registry as the 'ip' package which scores 17 million downloads weekly, making it one of the most popular IP address parsing utilities in use by JavaScript developers. Earlier this month, Fedor Indutny who is the author of the 'node-ip' project archived the project's GitHub repository effectively making it read-only, and limiting the ability of people to open new issues (discussions), pull requests, or submit comments to the project.
"Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from 'npm audit'," states the developer in the same post.
Unfortunately, Indutny's case isn't isolated. In recent times, open-source developers have been met with an uptick in receiving debatable or, in some cases, outright bogus CVE reports filed for their projects without confirmation.
This can lead to unwarranted panic among the users of these projects and alerts being generated by security scanners, all of which turn into a source of headache for developers.
Until the security research, developer, and vendor communities come together to identify an effective solution, developers are bound to get frustrated with bogus reports burning them out, and the CVE system becoming flooded with exaggerated "vulnerabilities" that may look credible on paper but are effectively moot.

Prudential Financial now says 2.5 million impacted by data breach
In March, the Fortune 500 company revealed in a filing with the Maine Attorney General's Office that it notified over 36,000 people whose personal information (including names, driver's license numbers, and non-driver identification card numbers) was stolen during the breach. "Through the investigation, we learned that the unauthorized third party gained access to our network on February 4, 2024 and removed a small percentage of personal information from our systems," Prudential said.
However, last week, the company updated the information shared with the Maine Attorney General's Office regarding the February data breach and now says that the incident impacted 2,556,210 people.

HACKING
Ransomware Attack Demands Reach a Staggering $5.2m in 2024
The average extortion demand per ransomware attack was over $5.2m (£4.1m) in the first half of 2024.
The biggest was a $100m (£78.9m) ransom following an attack on India’s Regional Cancer Center (RCC) in April 2024.
The second highest confirmed ransom demand was issued to UK pathology provider Synnovis, with attackers demanding $50m (£39.4m) from the company. This incident led to thousands of operations and appointments being cancelled at hospitals in South East England. The Qilin group has claimed to have stolen 400GB of data in the attack, including sensitive NHS patient medical records.
The third highest ransom demand in H1 2024 was sent to Canadian retailer London Drugs following an attack in May 2024, with the LockBit group demanding $25m (£19.7m) in payment.
The researchers logged 421 confirmed ransomware attacks in H1 2024, impacting around 35.3 million records.
Comparitech also said it has logged a further 1920 attacks that have been claimed by ransomware gangs but not acknowledged by the alleged victims.
Private businesses experienced 240 incidents impacting 29.7 million records.
This is followed by government, with 74 attacks impacting 52,390 records, and healthcare, with 63 attacks affecting 5.4 million records.

Hackers leak alleged Taylor Swift tickets, amp up Ticketmaster extortion
Sp1d3rHunters has leaked what they claim is the ticket data for 166,000 Taylor Swift Eras Tour barcodes used to gain entry on various concert dates. Sp1d3rHunters, previously named Sp1d3r, is the threat actor behind the sale of data stolen from Snowflake accounts, publicly extorting the various companies for payments. "Pay us $2million USD or we leak all 680M of your users information and 30million more event barcodes including: more Taylor Swift events, P!nk, Sting, Sporting events F1 Formula Racing, MLB, NFL and thousands more events." Ticketmaster told BleepingComputer that unique barcodes are updated every few seconds, so the stolen tickets cannot be used.

The Not-So-Secret Network Access Broker x999xx
Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is “x999xx,” the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups.
Asked whether he was concerned about the legal and moral implications of his work, Kirtsov downplayed his role in ransomware intrusions, saying he was more focused on harvesting data. “I consider myself as committed to ethical practices as you are. I have also embarked on research and am currently mentoring students."
Kirtsov asserted that he is not interested in harming healthcare institutions, just in stealing their data. “As for health-related matters, I was once acquainted with affluent webmasters who would pay up to $50 for every 1000 health-themed emails. Therefore, I had no interest in the more sensitive data from medical institutions like X-rays, insurance numbers, or even names; I focused solely on emails. I am proficient in SQL, hence my ease with handling data like IDs and emails. And i never doing spam or something like this.”
x999xx said he never targets anything or anyone in Russia, and that he has little to fear from domestic law enforcement agencies provided he remains focused on foreign adversaries.

Europol takes down 593 Cobalt Strike servers used by cybercriminals
Cobalt Strike was released by Fortra (formerly Help Systems) over a decade ago as a legitimate commercial penetration testing tool for red teams to scan network infrastructure for security vulnerabilities. However, threat actors have obtained cracked copies of the software, making it one of the most widely used tools in data theft and ransomware attacks.

APPSEC, DEVSECOPS, DEV
Half of Employees Fear Punishment for Reporting Security Mistakes
51% of respondents said they believed most people across their business were focused on security, with
39% stating they felt only the executives and security teams were focused on this area.
42% admitted that their organization is not able to even somewhat prove whether their current security awareness training is changing risky behaviors.
49% noted their business does not have a mechanism for identifying the user groups that are carrying out risky behaviors.
60% said that training is only provided every few months or even just once a year.
[rG: AppSec risky behaviors are SSDLC noncompliant software development and releasing preventable vulnerabilities into production.]

AI Potentially Breaking Reality Is a Feature Not a Bug
Unlike self-serving warnings from Open AI CEO Sam Altman or Elon Musk about the "existential risk" artificial general intelligence poses to humanity, Google's research focuses on real harm that generative AI is currently causing and could get worse in the future. Namely, that generative AI makes it very easy for anyone to flood the internet with generated text, audio, images, and videos. Much like another Google research paper about the dangers of generative AI I covered recently, Google's methodology here likely undercounts instances of AI-generated harm. But the most interesting observation in the paper is that the vast majority of these harms and how they "undermine public trust," as the researchers say, are often "neither overtly malicious nor explicitly violate these tools' content policies or terms of service." In other words, that type of content is a feature, not a bug.
The researchers identified “key and novel patterns in GenAI misuse [...] including potential motivations, strategies, and how attackers leverage and abuse system capabilities across modalities (e.g. image, text, audio, video) in an uncontrolled environment.”
“[W]e find that most reported cases of GenAI misuse involve actors exploiting the capabilities of these systems, rather than launching direct attacks at the models themselves (see Figure 1). Nearly 9 out of 10 documented cases in our dataset fall into this category.”

DevOps Isn’t Dead, but It’s Not in Great Health Either
While 83% of developers are actively engaged in DevOps, there’s been a troubling increase in the proportion of low performers in deployment metrics.
A mere 14% can get code into production in a single day. As for deploying code multiple times per day, it’s actually shrunk to 9%.
Only 11% of DevOps users reported being able to restore service in under an hour. 41% of users report taking more than a week to restore service.
In Q3 2023, 33% of developers were using CI to build and test automatically their code changes. In Q1 2024, it was down to 29% of developers. Similarly, 29% in Q3 2023 used CD to automate their code deployments. In Q1 2024. It was 29%.
Deployment performance is worse when using multiple CI/CD tools of the same form. That’s because of interoperability challenges.
While deployments tend to go faster for people who use more DevOps tools, they also add more mental load to their work. A particularly troublesome example of this is alarm fatigue. When one program after another constantly chirps at you with one alert after another, it’s all too easy to stop paying attention and let real problems slide into your production pipeline.

Despite OS shields up, half of America opts for third-party antivirus – just in case
49% use on their PCs,
18% use it on their tablets, and
17% on their phones.
Of those who solely rely on their operating system's built-in security – such as Microsoft's Windows Defender, Apple's XProtect, and Android's Google Play – 12% are planning to switch to third-party software in the next six months.

Backstage on Kubernetes
In this article, you will learn how to integrate Backstage with Kubernetes. We will run Backstage in two different ways. Firstly, it will run outside the cluster and connect with Kubernetes via the API. In the second scenario, we will deploy it directly on the cluster using the official Helm chart.

8 Free Online Software Development Courses In 2024

VENDORS & PLATFORMS

Google now pays $250,000 for KVM zero-day vulnerabilities
Google has launched kvmCTF, a new vulnerability reward program (VRP) first announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor that comes with $250,000 bounties for full VM escape exploits. KVM, an open-source hypervisor with over 17 years of development, is a crucial component in consumer and enterprise settings, powering Android and Google Cloud platforms.

OpenAI’s ChatGPT Mac app was storing conversations in plain text
OpenAI’s recently launched ChatGPT macOS app had a potentially worrying security issue: it wasn’t hard to find your chats stored on your computer and read them in plain text. That meant that if a bad actor or malicious app had access to your machine, they could easily read your conversations with ChatGPT and the data contained within them.
[rG: Uhmmm, couldn't the same be said for all normal document and messaging files???]
After The Verge contacted OpenAI about the issue, the company released an update that it says encrypts the chats.

Latest Intel CPUs impacted by new Indirector side-channel attack
 

Microsoft patents a system that encrypts documents so you can read them in public without being visually hacked
The system then uses eye tracking to display the encoded version of the document in the peripheral regions of the user's view and the decoded portion at the user's fixation point. 

LEGAL & REGULATORY

US Supreme Court ruling will likely cause cyber regulation chaos
The Supreme Court ruled that courts — not regulatory agencies — are the ultimate arbiters of what governing congressional law says, casting into doubt thousands of federal regulations affecting virtually all aspects of society, from environmental safety to financial fraud. The Court gutted a legal precedent known as the Chevron deference. Decided in a 1984 Supreme Court case, Chevron instructed lower courts to defer to expert regulatory agencies in cases requiring interpretation of congressional intent.
While the Court’s decision has the potential to weaken or substantially alter all federal agency cybersecurity requirements ever adopted, a series of cyber regulatory initiatives implemented over the past four years could become the particular focus of legal challenges.
A host of recently adopted cyber regulations will likely be challenged following the Court’s ruling, but some recent regulations stand out as leading candidates for litigation. Among these are:
SEC cyber incident reporting requirements
FCC data breach reporting rules
CISA cyber incident reporting requirements
TSA pipeline regulations
TSA passenger and freight railroad carriers cybersecurity requirements
TSA cybersecurity requirements for airport and aircraft operators
TSA cybersecurity requirements for surface transportation owners and operators
Gramm-Leach-Bliley Act Requirements
It remains to be seen how this will unfold over time. But the most likely immediate effect could well be legal challenges to regulations.

EU Competition Commissioner says Apple’s decision to pull AI from EU shows anticompetitive behaviour
Apple announced it will not launch its homegrown AI features in the EU, saying that interoperability required by the EU’s Digital Markets Act (DMA) could hurt user privacy and security. Apple’s move to roll back its AI plans in Europe is the most “stunning, open declaration that they know 100% that this is another way of disabling competition where they have a stronghold already,” Vestager, the Commission’s vice president for a Europe fit for the digital age and Commissioner for Competition said.
The “short version of the DMA [Digital Markets Act]” is that to operate in Europe, companies have to be open for competition, said Vestager. The DMA foresees fines of up to 10% of annual revenue, which in Apple’s case could be over €30 billion, based on its previous financial performance. For repeated infringements, that percentage could double.
Newer versions of Apple’s operating systems, compatible with many of the company’s devices, will come with Apple Intelligence, as well as an integration of OpenAI’s ChatGPT. The AI features will be embedded in voice assistant Siri to help with queries and tasks. Apple Intelligence will not be a standalone chatbot, like ChatGPT, and will instead be used through a suite of apps. A lack of interoperability with non-Apple apps could be construed as an anti-competitive behaviour.