Robert Grupe's AppSecNewsBits 2024-07-20

Software Development Security Epic Fails: Largest IT Outage in History - CrowdStrike, Microsoft, MediSecure, Rite Aid, Squarespace, Cisco

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
"The Largest IT Outage in History": Global Microsoft Meltdown Tied to Bad CrowdStrike Update
An errant update shipped by Crowdstrike began causing Windows machines running the software to display the dreaded “Blue Screen of Death,” rendering those systems temporarily unusable. The fix involves booting Windows into Safe Mode or the Windows Recovery Environment (Windows RE), deleting the file “C-00000291*.sys” and then restarting the machine.
Several individuals have recently started working at CrowdStrike and have expressed their excitement and pride in their new roles. They have shared their experiences of pushing code to production on their first day and are looking forward to positive outcomes in their work.
[rG: History repeats itself for those too naive to heed lessons from the past: This is what happens when QA isn't done properly; the consequence of sacrificing proper release testing in the pursuit of reducing costs through "rapid" pipeline deployments. Any production release should have rigorous functional, integration, and regression testing. To not have detected crashing on any supported platform prior to release is irresponsible, but sadly not unusual. Likewise, enterprises have cut IT costs by eliminating update validation, resulting in crippled operations that could have been avoided.]
Angry admins share the CrowdStrike outage experience
Since the failure leaves an affected device stuck in a Blue Screen Of Death (BSOD) boot loop, implementing a workaround tends to involve in-person intervention unless remote access that does not depend on the operating system is possible.
"The fix, while pretty simple, requires hands on the machine, which is not great when most are remote. Talking a warehouse operator through the intricacies of BitLocker recovery keys and command prompts is not for the faint-hearted!"
"They sent us a patch but it required we boot into safe mode. We can't boot into safe mode because our BitLocker keys are stored inside of a service that we can't login to because our AD is down. Most of our comms are down, most execs' laptops are in infinite bsod boot loops, engineers can't get access to credentials to servers."
"Maybe less time sponsoring every sports team and more time testing would fix the issue!"

 

Major Microsoft 365 outage caused by Azure configuration change
A backend cluster management workflow deployed a configuration change causing backend access to be blocked between a subset of Azure Storage clusters and compute resources in the Central US region. This resulted in the compute resources automatically restarting when connectivity was lost to virtual disks.

Microsoft 365 remains 'degraded' as Azure outage resolved
Microsoft 365 (the artist formerly known as Office 365) warned that customers would not be able to access SharePoint Online, OneDrive for Business, Teams, Intune, PowerBI, Microsoft Fabric, Microsoft Defender, Viva Engage, and Xbox Live.
The Central US region is located in Iowa and boasts three availability zones – meaning Microsoft operates three discrete physical facilities that are fewer than two milliseconds apart in terms of network connection speed. Like its hyperscale rivals, Microsoft promotes availability zones as improving resilience and enabling faster disaster recovery. But that idea relies on at least one availability zone being available – right now all three are out.
Microsoft's Azure status page recommends "Customers with disaster recovery procedures set up can consider trying to take steps to failover their services to other regions, and may consider using programmatic options for this if they experience issues." Such measures are precisely the thing that use of availability zones is supposed to obviate.

 

MediSecure: Ransomware gang stole data of 12.9 million people
MediSecure, an Australian prescription delivery service provider, revealed that approximately 12.9 million Australians who used the prescription delivery service during the approximate period of March 2019 to November 2023 are impacted by this Incident based on individuals’ healthcare identifiers. However, MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.
On 13 April 2024, MediSecure was made aware of the Incident when it was discovered a database server had been encrypted by suspected ransomware. On 17 May 2024, with the assistance of IT specialists, MediSecure successfully restored a complete backup of the server and took immediate steps to investigate the impacted information.

 

Rite Aid says breach exposes sensitive details of 2.2 million customers
Rite Aid, the third biggest US drug store chain, said that more than 2.2 million of its customers have been swept into a data breach that stole personal information, including driver's license numbers, addresses, and dates of birth. RansomHub, the name of a relatively new ransomware group, has taken credit for the attack, which it said yielded more than 10GB of customer data.
"On June 6, 2024, an unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems. We detected the incident within 12 hours and immediately launched an internal investigation."
[rG: "Detection" doesn't mean that the attackers weren't in the systems much longer, and "investigating" is not the same as response or remediation. There could be additional compromises and disruptions that simply haven't come to light yet. User accounts are always a primary compromise vector and can't be relied upon to provide sensitive data protection. The questions are: why was that data able to be copied in unencrypted form, and why was it then exfiltrated successfully?]

 

Weak Security Defaults Enabled Squarespace Domains Hijacks
At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. But many customers still haven’t set up their new accounts. Malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.
Squarespace can’t support users who need any control or insight into the activity being performed in their account or domain. You basically have no control over the access different folks have. You don’t have any audit logs. You don’t get email notifications for some actions. The owner doesn’t get email notification for actions taken by a ‘domain manager.’ This is absolutely insane.
Researchers have published a comprehensive guide for locking down Squarespace user accounts, which urges Squarespace users to enable multi-factor authentication (disabled during the migration). Determining what emails have access to your new Squarespace account is step 1. Most teams DO NOT REALIZE these accounts even exist, let alone theoretically have access. The guide also recommends removing unnecessary Squarespace user accounts, and disabling reseller access in Google Workspace.
[rG: This is what happens when M&A to expand customers doesn't go through assessments to identify product customer support and security requirements. Digital assets aren't raw materials that can simply be moved and run; they require refactoring, integration, and upgrading, with on-going maintenance and support.]

 

Vulnerability in Cisco Smart Software Manager lets attackers change any user password
An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
[rG: This vulnerability could have been prevented by doing an SSDLC design threat assessment or a human pen test; automated vulnerability scanning wouldn't have detected it. Authorization and input validation are critical for API security, but are often skipped to reduce development costs and effort.]

 

Email addresses of 15 million Atlassian Trello users leaked on hacking forum
A threat actor has shared the entire list of 15,115,516 profiles on the Breached hacking forum for eight site credits (worth $2.32). The accounts were collected using an unsecured API in January.
While almost all of the data in these profiles is public information, each profile also contained a non-public email address associated with the account. The data was stolen using an unsecured REST API that allowed developers to query for public information about a profile based on users' Trello ID, username, or email address.
Many organizations attempt to secure APIs using rate-limiting rather than through authentication via an API key. However, threat actors simply purchase hundreds of proxy servers and rotate the connections to constantly query the API, making the rate limiting useless.
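The difference between the two designs described above, as an added example (my own code, not Trello's): a profile-lookup endpoint limited per source IP against the same endpoint requiring an issued API key and limited per key. The profile table, proxy pool and key are constructed sample data.

```python
"""Per-IP rate limiting vs. an authenticated, per-key limit on a profile
lookup endpoint. Added example (not Trello's code); data is constructed."""
from typing import Optional

# Constructed sample data: 1,000 profiles, a pool of 100 rotating proxy
# addresses (TEST-NET-3 range), and one legitimately issued API key.
PROFILES = {f"user{i}": {"username": f"user{i}",
                         "email": f"user{i}@example.invalid"} for i in range(1000)}
PROXY_POOL = [f"203.0.113.{i}" for i in range(1, 101)]
ISSUED_KEYS = {"key-alice": "alice"}          # key -> account owner


class RateLimiter:
    """One token bucket per principal. The principal can be anything hashable:
    a source IP (weak) or an authenticated API key (strong)."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets: dict = {}            # principal -> (tokens, last_seen)

    def allow(self, principal, now: float) -> bool:
        tokens, last = self.buckets.get(principal, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self.buckets[principal] = (tokens, now)
            return False
        self.buckets[principal] = (tokens - 1.0, now)
        return True


def lookup_ip_limited(limiter: RateLimiter, src_ip: str, username: str, now: float):
    """Weak design: no authentication, bucket keyed on the client's IP address."""
    if not limiter.allow(src_ip, now):
        return 429, None
    profile = PROFILES.get(username)
    return (200, profile) if profile else (404, None)


def lookup_key_limited(limiter: RateLimiter, api_key: Optional[str], username: str, now: float):
    """Hardened design: a valid key is required, and the bucket is keyed on the
    key itself, so rotating source addresses does not buy extra quota."""
    if api_key not in ISSUED_KEYS:
        return 401, None
    if not limiter.allow(api_key, now):
        return 429, None
    profile = PROFILES.get(username)
    return (200, profile) if profile else (404, None)


def simulate_scrape(api_key: Optional[str] = None, limit: int = 5):
    """Enumerate every username once, rotating through the proxy pool.
    Refill rate is 0 so the result is deterministic: each principal gets
    exactly `limit` successful requests. Returns (profiles obtained with
    per-IP limiting, profiles obtained with per-key limiting)."""
    ip_limiter = RateLimiter(limit, 0.0)
    key_limiter = RateLimiter(limit, 0.0)
    got_ip = got_key = 0
    for i, username in enumerate(PROFILES):
        src_ip = PROXY_POOL[i % len(PROXY_POOL)]
        status, _ = lookup_ip_limited(ip_limiter, src_ip, username, now=0.0)
        got_ip += status == 200
        status, _ = lookup_key_limited(key_limiter, api_key, username, now=0.0)
        got_key += status == 200
    return got_ip, got_key


if __name__ == "__main__":
    print("anonymous scraper, 100 proxies:", simulate_scrape())            # (500, 0)
    print("scraper holding one stolen key:", simulate_scrape("key-alice"))  # (500, 5)
```

With 100 proxies and a 5-request bucket, the per-IP design hands over 500 profiles before the scraper even has to acquire more addresses; the per-key design hands over none to an anonymous caller, and a single leaked key yields only its own quota and can be revoked because it names an account.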

 

HACKING
She Made $10,000 a Month Defrauding Apps like Uber and Instacart. Meet the Queen of the Rideshare Mafia
rG: Very informative and entertaining read about identity theft.

 

The biggest data breaches in 2024: 1 billion stolen records and rising
AT&T, Change Healthcare, U.K. pathology lab Synnovis, Ticketmaster

 

Here’s how carefully concealed backdoor in fake AWS files escaped mainstream notice
Two fake AWS packages downloaded hundreds of times from the open source NPM JavaScript repository contained carefully concealed code that backdoored developers' computers when executed.
The packages—img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy—were attempts to appear as aws-s3-object-multipart-copy, a legitimate JavaScript library for copying files using Amazon’s S3 cloud service. The fake files included all the code found in the legitimate library but added an additional JavaScript file named loadformat.js. That file provided what appeared to be benign code and three JPG images that were processed during package installation. One of those images contained code fragments that, when reconstructed, formed code for backdooring the developer device.
[rG: Underscoring the importance of software developers to use an actively managed binary repository for 3rd party components with SCA vulnerability scanning; for blocking of illegitimate copies, quick notification of new security concerns, immediate impact analysis, and remediation response guidance.]
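One shape the admission gate in a managed binary repository can take, as an added example (my own heuristics, not any SCA vendor's product): the candidate package is compared against an allowlist of approved names, and its metadata and file list are checked for install-time lifecycle hooks and non-code payloads. The package names and the extra file name come from the report above; the hook command, image file names and allowlist are constructed for illustration.

```python
"""Gate checks for a third-party npm component before it is admitted to an
internal binary repository. Added example with constructed inputs."""
import difflib
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
IMAGE_FILE = re.compile(r"\.(jpe?g|png|gif|bmp|ico)$", re.IGNORECASE)


def closest_approved(name, approved_names):
    """Return (approved name most similar to `name`, similarity in 0..1)."""
    best = max(approved_names,
               key=lambda a: difflib.SequenceMatcher(None, name, a).ratio())
    return best, difflib.SequenceMatcher(None, name, best).ratio()


def assess_package(pkg_json, files, approved_names, squat_threshold=0.85):
    """Return (verdict, findings); verdict is 'allow', 'review' or 'block'.
    Anything not on the allowlist that trips a check is blocked; an approved
    package that trips a check (e.g. a new install hook) goes to review."""
    findings = []
    name = pkg_json.get("name", "")
    on_allowlist = name in approved_names

    # Look-alike names: the report's fakes wrap the genuine name in a prefix.
    if not on_allowlist and approved_names:
        best, ratio = closest_approved(name, approved_names)
        if ratio >= squat_threshold:
            findings.append(f"name '{name}' closely resembles approved package "
                            f"'{best}' (similarity {ratio:.2f})")

    # Lifecycle hooks run arbitrary commands on the developer machine at install.
    scripts = pkg_json.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle hook '{hook}' executes at install time: "
                            f"{scripts[hook]!r}")

    # Binary payloads in a library that has no UI are worth a second look.
    images = [f for f in files if IMAGE_FILE.search(f)]
    if images:
        findings.append(f"{len(images)} image file(s) shipped with a library: "
                        f"{', '.join(sorted(images))}")

    if not findings:
        verdict = "allow"
    elif on_allowlist:
        verdict = "review"
    else:
        verdict = "block"
    return verdict, findings


# Constructed allowlist and package metadata.
APPROVED = {"aws-s3-object-multipart-copy", "lodash"}

LOOKALIKE_PKG = {"name": "img-aws-s3-object-multipart-copy", "version": "1.0.0",
                 "scripts": {"postinstall": "node loadformat.js"}}   # hook command assumed
LOOKALIKE_FILES = ["index.js", "package.json", "loadformat.js",
                   "logo1.jpg", "logo2.jpg", "logo3.jpg"]           # image names assumed

GENUINE_PKG = {"name": "aws-s3-object-multipart-copy", "version": "1.0.0",
               "scripts": {"test": "mocha"}}
GENUINE_FILES = ["index.js", "package.json", "README.md"]


if __name__ == "__main__":
    for pkg, files in ((LOOKALIKE_PKG, LOOKALIKE_FILES), (GENUINE_PKG, GENUINE_FILES)):
        verdict, findings = assess_package(pkg, files, APPROVED)
        print(pkg["name"], "->", verdict)
        for f in findings:
            print("   ", f)
```

The name check uses plain sequence similarity, which is enough to catch the prefix-wrapping seen here ("img-" and "legacy" in front of the genuine name) but is only one signal; the install-hook and payload checks are what turn a suspicious name into a blocked artifact.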

 

 

Cloudflare reports almost 7% of internet traffic is malicious
Cloudflare thinks the rise is due to wars and elections. For example, many attacks against Western-interest websites are coming from pro-Russian hacktivist groups such as REvil, KillNet, and Anonymous Sudan.
What's particularly alarming is the speed at which new vulnerabilities are exploited. In one case, attackers attempted to exploit a JetBrains TeamCity DevOps authentication bypass a mere 22 minutes after the proof-of-concept code was published. That speed is faster than most organizations can read the security advisory, let alone patch their systems.
There are also more zero-day exploits. Attackers target old, known vulnerabilities, so don't put off security patches.
Distributed Denial of Service (DDoS) attacks continue to be cybercriminals' weapon of choice, making up over 37% of all mitigated traffic. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That is nearly a third of all the DDoS attacks they mitigated the previous year. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack. Google Cloud reported the same attack peaked at an astonishing 398 million RPS.
With 60% of dynamic web traffic now API-related, these interfaces are a prime target for attackers. API traffic is growing twice as fast as traditional web traffic. What's worrying is that many organizations appear not to be even aware of a quarter of their API endpoints.
38% of all HTTP requests processed by Cloudflare are classified as automated bot traffic. As many as 93% of bots are potentially bad.
If you're working at a company, you must protect your website and net services with defenses from companies such as Cloudflare and its rivals, including Akamai CDN, Fastly, and Varnish Software.
As for making your code safe, look for assistance from software supply chain security companies, such as Anchore, Codenotary, and Chainguard.

 

Notorious FIN7 hackers sell EDR killer to other threat actors
FIN7 is known for sophisticated phishing and engineering attacks to gain initial access to corporate networks, including impersonating BestBuy to send malicious USB keys and developing custom malware and tools.
To add to the exploits, they created a fake security company named Bastion Secure to hire pentesters and developers for ransomware attacks without the applicants knowing how their work was being used.
AvNeutralizer/AuKill abused the legitimate SysInternals Process Explorer driver to terminate antivirus processes running on a device. The threat actors claimed that this tool could be used to kill any antivirus/EDR software, including Windows Defender and products from Sophos, SentinelOne, Panda, Elastic, and Symantec. FIN7 have updated AVNeutralizer to utilize the Windows ProcLaunchMon.sys driver to hang processes, making them no longer function correctly.

 

Revolver Rabbit gang registers 500,000 domains for malware campaigns
To operate at such scale, the threat actor relies on registered domain generation algorithms (RDGAs), an automated method that allows registering multiple domain names in an instant.
Revolver Rabbit is controlling more than 500,000 .BOND top-level domains that are used to create both decoy and live C2 servers for the malware. .BOND domains related to Revolver Rabbit are the easiest to see but the threat actor has registered more than 700,000 domains over time, on multiple TLDs. Considering that the price of a .BOND domain is around $2, the “investment” Revolver Rabbit made in their XLoader operation is close to $1 million, excluding past purchases or domains on other TLDs.

 

Release the hounds! Securing datacenters may soon need sniffer dogs
Tech evangelist Len Noe has acquired access cards used to enter controlled premises, cloned them in his implants, and successfully walked into buildings by just waving his hands over card readers. Unless staff are vigilant enough to notice he didn't use a card, his entrance appears to be a normal, boring, instance of an RFID being scanned.
Like most electronics, implants include a chemical called triphenylphosphine oxide. Sniffer dogs have thus been trained to sniff out the chemical to detect electronic devices. Noe thinks hounds are therefore currently the only reliable means of finding humans with implants that could be used to clone ID cards.

 

APPSEC, DEVSECOPS, DEV
Firms skip security reviews of major app updates about half the time
Complicated, costly, time-consuming – pick three
The likelihood that major code updates undergo a security review resembles a bell curve. Twenty-two percent of respondents confessed they did a security review under half of the time, and the same percentage claim to have reviewed code 50 to 74 percent of the time.
At the lower end of the spectrum, over a fifth of those surveyed responded that they only reviewed major code changes in less than a quarter of instances. On the other side, a third said they did so at least 75 percent of the time.
Skipping the review process isn't simply down to neglect and laziness. Reviews take time, and time is often money. Only 19 percent said a security review took less than a day, while 46 percent estimated one to three days were needed. A further 29 percent claim reviews could take three to five days to complete.
On average, employees said they had ten code reviews per week, with each one requiring 16 or 17 team members. Based on this, CrowdStrike calculated the average yearly cost of security reviews at nearly $1.2 million. Even when doing the same math with the median number of reviews per week and employees per review, the annual expenditure for code reviews was $188,000.

 

Python GitHub token leak shows binary files can burn developers too
Scrubbing tokens from source code is not enough.
A personal GitHub access token with administrative privileges to the official repositories for the Python programming language and the Python Package Index (PyPI) was exposed for over a year. The access token belonged to the Python Software Foundation’s director of infrastructure and was accidentally included in a compiled binary file that was published as part of a container image on Docker Hub.
The incident shows that scrubbing access tokens from source code only, which some development tools do automatically, is not enough to prevent potential security breaches. Sensitive credentials can also be included in environment variables, configuration files and even binary artifacts as a result of automated build processes and developer mistakes.
Aside from scanning binary artifacts and configuration files for potential secrets, developers should use the new fine-grained GitHub personal access tokens that were introduced two years ago instead of the classic ones.
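What scanning the artifact rather than the source looks like, as an added example (my own code, not the Python Software Foundation's tooling): the scanner matches the documented token shapes against raw bytes, including the UTF-16LE form a Windows binary may use for string literals, and a source-only pass over the same tree finds nothing. The tree and the tokens in it are constructed; the tokens are fake but have the real prefix and length.

```python
"""Scan build artifacts (not just source) for embedded GitHub tokens.
Added example with constructed artifacts and fake tokens."""
import re

# Token shapes as documented by GitHub: classic tokens are a 4-char prefix
# plus 36 alphanumerics; fine-grained tokens are 'github_pat_' plus 82 chars.
ASCII_PATTERNS = {
    "github classic token":      rb"gh[pousr]_[A-Za-z0-9]{36}",
    "github fine-grained token": rb"github_pat_[A-Za-z0-9_]{82}",
}
# The classic-token shape as a UTF-16LE wide string (each ASCII byte + NUL),
# which is how a Windows binary commonly stores string literals.
WIDE_PATTERNS = {
    "github classic token": rb"g\x00h\x00[pousr]\x00_\x00(?:[A-Za-z0-9]\x00){36}",
}
TEXT_EXTENSIONS = (".py", ".js", ".ts", ".go", ".yml", ".yaml", ".json", ".env", ".sh")


def redact(token: str) -> str:
    """Keep enough of the token to identify it in a report without exposing it."""
    return token[:8] + "..." + token[-4:]


def scan_bytes(data: bytes):
    """Return a list of findings for one artifact, whatever its format."""
    findings = []
    for kind, pattern in ASCII_PATTERNS.items():
        for m in re.finditer(pattern, data):
            findings.append({"kind": kind, "offset": m.start(), "encoding": "ascii",
                             "preview": redact(m.group().decode("ascii"))})
    for kind, pattern in WIDE_PATTERNS.items():
        for m in re.finditer(pattern, data):
            token = m.group()[::2].decode("ascii")   # drop the interleaved NULs
            findings.append({"kind": kind, "offset": m.start(), "encoding": "utf-16le",
                             "preview": redact(token)})
    return sorted(findings, key=lambda f: f["offset"])


def scan_tree(files: dict, source_only: bool):
    """`files` maps path -> bytes. With source_only=True this behaves like a
    source-code secret scrubber and skips everything that is not source."""
    hits = {}
    for path, data in files.items():
        if source_only and not path.endswith(TEXT_EXTENSIONS):
            continue
        found = scan_bytes(data)
        if found:
            hits[path] = found
    return hits


# Constructed artifacts. The tokens are fake but have the real prefix/length.
FAKE_CLASSIC = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"        # 4 + 36 chars
FAKE_FINE = "github_pat_" + "A" * 22 + "_" + "b" * 59               # 11 + 82 chars
SAMPLE_TREE = {
    "src/deploy.py": b"token = os.environ['GH_TOKEN']  # scrubbed: no literal here\n",
    "build/deploy-tool": b"\x7fELF\x02\x01\x01" + b"\x00" * 40 + b"Authorization: token "
                         + FAKE_CLASSIC.encode() + b"\x00" + b"\xde\xad\xbe\xef" * 8,
    "build/deploy-tool.exe": b"MZ\x90\x00" + b"\x00" * 32
                             + FAKE_FINE.encode() + b"\x00"
                             + FAKE_CLASSIC.encode("utf-16-le") + b"\x00\x00",
}


if __name__ == "__main__":
    print("source-only scan:", scan_tree(SAMPLE_TREE, source_only=True))   # {}
    for path, found in scan_tree(SAMPLE_TREE, source_only=False).items():
        for f in found:
            print(path, f)
```

Run this over the contents of a container image layer or a release tarball, not only the checked-in tree; the credential that leaked here was already gone from the source by the time the artifact was published.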

 

The Architect’s Guide to the New Private Cloud
Forrester’s 2023 Infrastructure Cloud Survey had 79% of the 1,300 enterprise decision-makers who responded saying they are implementing private clouds. According to a Citrix report in the UK, 93% of IT leaders had been involved with a repatriation effort. The venerable IDC found that 80% of companies repatriated some or all of their data within a year of moving that data to the cloud.
The primary reason that companies repatriate is cost. They save up to 70% by repatriating.
Related — but not the same — is predictability. Private clouds come with less elasticity, but greater predictability. (We address some elasticity hacks below.) For most CIOs who understand their workloads, this trade-off is well worth it. For CFOs, it is an even easier choice.
Security issues come in third. This is not to say the public cloud is inherently insecure, it is not. It does say that CISOs don’t entirely trust their public cloud partners — indeed, most cloud providers retain the right to look into your buckets — on this front. The stakes only get higher in the age of AI.
Maturity ranks, too. The modern cloud is an operating model, not a location. That model, once the exclusive purview of the major public clouds, is now everywhere — from the edge to the core. Containerization, orchestration, microservices, software-defined infrastructure and RESTful APIs are standard operating procedures. It doesn’t matter where you run them — and if it doesn’t matter, why would you pay two to three times the cost?

 

How platform teams lead to better, faster, stronger enterprises
More than three-quarters of high-performing organizations are adopting platform teams. Organizations today rely on platform teams to eliminate the complexities of the modern software landscape, thus speeding digital transformation, fostering a culture of innovation and efficiency, and ultimately leading to better, faster, stronger enterprises.
Gartner predicts that 80% of software engineering organizations will establish platform teams by 2026 — and that 75% of those will include developer self-service portals.

 

VENDORS & PLATFORMS

Kaspersky Lab Closing U.S. Division; Laying Off Workers
Antivirus software – whether made by Kaspersky or U.S.-based firms like Symantec – requires excessive privileges and access to files in order to scan them for malicious code. Given the potential for abuse, and Russia's adversarial relationship with the U.S., the government has deemed Kaspersky software a risk, though officials have never provided evidence that Kaspersky or the Russian government used its software to spy on customers.
The sudden move comes after the U.S. Commerce Department announced last month that it was banning the sale of Kaspersky software in the U.S. beginning July 20. The company has been selling its software here since 2005. Kaspersky did not say how many workers in the U.S. division were being let go except to say "it affects less than 50 employees in the U.S."
The recent ban on new sales of its software in the U.S. also prevents Kaspersky from providing updates for software already being used in the U.S. – that ban begins September 29. This means the Kaspersky antivirus software will become less effective over time, since the company will not be able to update it with signatures to detect new threats as they're discovered. Kaspersky software also continues to be embedded in systems sold by other vendors; the ban means that those vendors and customers who have it embedded in systems will have to replace the Kaspersky code with a different solution. Users of the software will not face legal penalties if they continue to use Kaspersky products.

 

Exchange Online adds Inbound DANE with DNSSEC for security boost
DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Security Extensions (DNSSEC) work together to defend against downgrade and man-in-the-middle (MiTM) attacks.
The SMTP DANE security protocol uses a TLS Authentication (TLSA) DNS record to verify the identity of destination mail servers and the authenticity of the certificates used for securing email communication.
DNSSEC DNS extensions provide cryptographic verification of DNS records during transit, preventing spoofing, hijacking, and interception of email messages.
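How the TLSA record and the DNSSEC requirement fit together on the sending side, as an added example (my own code, not Microsoft's implementation): the receiving operator publishes a record derived from its certificate, and the sender refuses to treat the session as DANE-authenticated unless the record was DNSSEC-validated and matches the presented chain. The certificate and SPKI values are constructed byte strings standing in for real DER encodings; the record name convention (`_25._tcp.<MX host>`) and the usage/selector/matching-type codes are those of RFC 6698 and RFC 7672.

```python
"""Building and checking SMTP DANE TLSA records (RFC 6698 / RFC 7672).
Added example; the 'certificates' are constructed byte strings."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int          # 2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    der: bytes          # stands in for the DER-encoded certificate
    spki: bytes         # stands in for its DER SubjectPublicKeyInfo


def tlsa_owner_name(mail_host: str, port: int = 25) -> str:
    """DANE looks up TLSA at _port._tcp.<MX host>, e.g. _25._tcp.mx.example.com."""
    return f"_{port}._tcp.{mail_host}"


def _selected(cert: Cert, selector: int) -> bytes:
    return cert.der if selector == 0 else cert.spki


def _matching(data: bytes, matching_type: int) -> bytes:
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def build_tlsa(cert: Cert, usage=3, selector=1, matching_type=1) -> TLSA:
    """What a mail operator publishes; '3 1 1' is the usual choice for SMTP."""
    return TLSA(usage, selector, matching_type,
                _matching(_selected(cert, selector), matching_type))


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 8bd1...'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def to_presentation(record: TLSA) -> str:
    return f"{record.usage} {record.selector} {record.matching_type} {record.data.hex()}"


def _record_matches(record: TLSA, cert: Cert) -> bool:
    expected = _matching(_selected(cert, record.selector), record.matching_type)
    return hmac.compare_digest(expected, record.data)


def dane_verify(records, chain, dnssec_validated: bool) -> bool:
    """chain[0] is the server's leaf certificate, the rest its issuers.
    Without DNSSEC-validated TLSA data there is nothing to pin to, so the
    sender must not treat the connection as DANE-authenticated."""
    if not dnssec_validated or not records:
        return False
    for rec in records:
        if rec.usage == 3 and _record_matches(rec, chain[0]):
            return True
        if rec.usage == 2 and any(_record_matches(rec, c) for c in chain[1:]):
            return True
    return False


# Constructed stand-ins (not real DER). The MITM presents its own key under
# the same name, which is exactly what a downgraded or spoofed session shows.
LEAF = Cert(der=b"DER:leaf:mx.example.com", spki=b"SPKI:leaf:key")
ISSUER = Cert(der=b"DER:issuer:Example CA", spki=b"SPKI:issuer:key")
MITM = Cert(der=b"DER:leaf:mx.example.com", spki=b"SPKI:attacker:key")


if __name__ == "__main__":
    rec = build_tlsa(LEAF)
    print(tlsa_owner_name("mx.example.com"), "IN TLSA", to_presentation(rec))
    print("genuine:  ", dane_verify([rec], [LEAF, ISSUER], dnssec_validated=True))   # True
    print("mitm:     ", dane_verify([rec], [MITM, ISSUER], dnssec_validated=True))   # False
    print("no DNSSEC:", dane_verify([rec], [LEAF, ISSUER], dnssec_validated=False))  # False
```

The `dnssec_validated` flag is the piece that ties the two technologies together: a TLSA answer that arrived without DNSSEC validation could itself have been forged, so a sender that honours it would be pinning to whatever the attacker chose.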

 

LEGAL & REGULATORY

Judge mostly drags SEC's lawsuit against SolarWinds into the recycling bin
A judge has mostly thrown out a lawsuit brought by America's financial watchdog that accused SolarWinds and its chief infosec officer of misleading investors about its computer security practices and the backdooring of its Orion product.
Engelmayer did, however, sustain the regulator's claims of securities fraud based on SolarWinds' pre-SUNBURST statement about the security of its Orion product. Other statements and filings made by SolarWinds supported the SEC's claims regarding the developer's "porous" security. These charges will proceed.

 

Lawsuits target Patelco Credit Union as ransomware attack effects linger; concerns over personal info exposed
Plaintiffs allege, "Defendant created, collected and stored Representative Plaintiff's and Class Members' Private Information with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access. Despite this, Representative Plaintiff and the Class Members remain, even today, in the dark regarding what particular data was stolen, the particular malware used and what steps are being taken, if any, to secure their Private Information going forward. Representative Plaintiff and Class Members are thus left to speculate as to where their Private Information ended up, who has used it and for what potentially nefarious purposes."

 

Craig Wright admits he isn't the inventor of Bitcoin after High Court judgment in UK
Aussie definitely not Satoshi Nakamoto, faces £6M legal bill and possible perjury trial.

 

And Now For Something Completely Different …

A New Formula for Pi Is Here. And It’s Pushing Scientific Boundaries
The digits of pi extend into infinity, and pi is itself an irrational number, meaning it can’t be truly represented by an integer fraction (the one we often learn in school, 22/7, is not very accurate by 2024 standards). But it can be represented pretty quickly and well by a series. That’s because a series can continue to build out values well into the tiniest digits. If a mathematician compiles a series’ terms, they can use the resulting abstraction to do math that isn’t possible with an approximation of pi that’s cut off at 10 digits by a standard desk calculator.
Arnab Priya Saha and Aninda Sinha combined two existing ideas from math and science: the Feynman diagram of particle scattering and the Euler beta function for scattering in string theory. What results is a series—something represented in math by the Greek letter Σ surrounded by parameters.