Robert Grupe's AppSecNewsBits 2024-08-31

What's Weak This Week: TSA bypass with Bobby Tables, City of Columbus sues the messenger, FBI sloppy evidence destruction

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Tired of airport security queues? SQL inject yourself into the cockpit, claim researchers
Cybersecurity researchers say they've found a vulnerability that allowed them to skip US airport security checks and even fly in the cockpit on some scheduled flights. The Known Crewmember (KCM) queue caught their attention at an airport during their routine travel. The lane can sometimes be seen at airports and it allows verified pilots and crew to skip the often lengthy security queues, courtesy of a Transportation Security Administration (TSA) initiative.
FlyCASS essentially offers airlines a way to manage KCM and CASS requests without having to develop their own infrastructure. It pitches itself as a service requiring zero upfront cost to airlines that can be fully set up in 24 hours, with no technical staff required.
"With only a login page exposed, we thought we had hit a dead end. Just to be sure though, we tried a single quote in the username as a SQL injection test, and immediately received a MySQL error. This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1, we were able to login to FlyCASS as an administrator of Air Transport International!" After gaining access, the pair say they were able to create new approved pilots on the CASS program without any additional checks.
Bobby Tables
[rG: Oops – developers obviously hadn’t followed secure software development best practices of sanitizing and validating input, nor had they conducted security vulnerability scans and security code reviews, which would have caught this historically well-known type of attack weakness.]
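To show the mechanism behind the quoted write-up, here is an added example (not code from FlyCASS or the researchers) that puts an interpolated login query beside its parameterised form. The table, credentials and the simplified unhashed WHERE clause are constructed for illustration; the tautology payload is adapted from the username quoted above, and the password clause is the same trick rewritten to fit this simpler query rather than the MD5-based one the researchers hit.

```python
import sqlite3

# Constructed in-memory user store; schema and credentials are placeholders,
# not FlyCASS's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'correct-horse-battery', 'administrator')"
    )
    return conn

def login_vulnerable(conn, username, password):
    """Input is interpolated into the SQL text, so a quote character in the
    input changes the structure of the query instead of being compared."""
    sql = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterised(conn, username, password):
    """Bound parameters: the driver passes values out of band, so a quote in
    the input is just data and can never be parsed as SQL."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def probe_error(conn, login):
    """Replays the researchers' first test, a lone single quote in the
    username, and reports whether the login function surfaces a database
    error (the 'very bad sign' in the quote above)."""
    try:
        login(conn, "'", "anything")
    except sqlite3.OperationalError:
        return True
    return False

# Tautology adapted from the quoted username payload; the password clause is
# constructed to match this simplified, unhashed query.
INJECTED_USER = "' OR '1'='1"
INJECTED_PASS = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable    :", login_vulnerable(db, INJECTED_USER, INJECTED_PASS))
    print("parameterised :", login_parameterised(db, INJECTED_USER, INJECTED_PASS))
    print("quote probe leaks an error: vulnerable =", probe_error(db, login_vulnerable),
          "parameterised =", probe_error(db, login_parameterised))
```

The vulnerable function hands back the administrator role for credentials that match nothing, while the parameterised one returns no row and also stays silent on the single-quote probe, which is the behaviour a scanner or code reviewer should expect to see.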

 

City of Columbus sues man after he discloses severity of ransomware attack
The order, issued by a judge in Ohio's Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city’s data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group’s dark web site, which is accessible to anyone with a TOR browser.
Columbus Mayor Andrew Ginther said on August 13 that a “breakthrough” in the city’s forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them “unusable” to the thieves.
Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.
The city of Columbus sued Ross for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him “interacting” with them and required special expertise and tools. The sensitive data remains available to anyone who looks for it. Friday’s order may bar Ross from accessing the data or disseminating it to reporters, but it has no effect on those who plan to use the data for malicious purposes.

 

ServiceBridge: 31.5M invoices, contracts, patient consent forms, and more exposed to the internet
"Ninety-five percent of cyber-crime is financially based. At the end of the day, criminals want money. Who has money? Businesses."
Nearly 2.7 TB of sensitive data — 31.5 million invoices, contracts, HIPAA patient consent forms, and other business documents regarding numerous companies across industries — has been exposed to the public internet in a non-password-protected database for an unknown amount of time. Some of the millions of exposed documents dated back to 2012, and included business contracts and proposals, work orders, inspection forms, agreements, and other records including those mentioned above. The documents were in PDF and HTML formats, and organized in folders by year and month. The files pertained to what appeared to be ServiceBridge clients ranging from "private homeowners, schools, and religious institutions, to well-known chain restaurants, Las Vegas casinos, medical providers, and many others."
Upon notifying the Chicago-based firm, which was bought by Arizona fleet management biz GPS Insight in 2020, of the mishap, the database was closed off to the public. The researcher said he never heard back from ServiceBridge about the exposure. "You have to let your customers know, and the reason for that is so they are aware and they can look out for suspicious behavior. If they're not aware, they are sitting ducks and really blind to the fact that someone may be armed with insider information that the customer has no reason to doubt."

 

Watchdog warns FBI is sloppy on secure data storage and destruction
The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General.
Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for it to be either lost or stolen. The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.
Typically, seized computers are tagged for tracking, but as a cost-saving measure, agents are advised to send in media storage devices containing national security information without the chassis. While there is a requirement to tag removable storage, there isn't the same requirement for internal hard drives.
The FBI has assured the regulator that it has the problem in hand and has drafted a Physical Control and Destruction of Classified and Sensitive Electronic Devices and Material Policy Directive, which will require data to be marked up and destroyed safely.

 

Chinese Hackers Breach US, India Internet Firms, Lumen Says
Chinese hacking campaign known as Volt Typhoon has breached four US firms, including internet service providers, and another in India through a vulnerability in a Versa Networks server product. Versa, which is based in Santa Clara, California, said it issued an emergency patch for the bug at the end of June, but only began flagging the issue widely to customers in July once it was notified by one that claimed to have been breached. The code was a web shell that allowed hackers to gain access to a customer’s network via legitimate credentials and then behave as if they were bona fide users.
Versa said that customer, which it didn’t identify, didn’t follow previously published guidelines on how to protect its systems via firewall rules and other measures. Those guidelines, published in 2015, include advising customers to close off internet access to a specific port, which the customer had failed to do. Since last year, he said, Versa has taken measures of its own to make the system “secure by default,” meaning customers will no longer be exposed to that risk even if they haven’t followed company guidelines.
The bug carries a “high” severity rating, according to the National Vulnerability Database. On Friday, the Cybersecurity and Infrastructure Security Agency, known as CISA, ordered federal agencies to patch Versa products or stop using them by Sept. 13.

 

Unpatchable 0-day in surveillance cam is being exploited to install Mirai
The attacks target the AVM1203, a surveillance device from Taiwan-based manufacturer AVTECH, network security provider Akamai said Wednesday. Unknown attackers have been exploiting a 5-year-old vulnerability since March. The zero-day vulnerability, tracked as CVE-2024-7029, is easy to exploit and allows attackers to execute malicious code. The AVM1203 is no longer sold or supported, so no update is available to fix the critical zero-day. The attackers are exploiting the vulnerability so they can install a variant of Mirai, which arrived in September 2016 when a botnet of infected devices took down cybersecurity news site Krebs on Security. Mirai contained functionality that allowed a ragtag army of compromised webcams, routers, and other types of IoT devices to wage distributed denial-of-service attacks of record-setting sizes.
[rG: Security cameras are among those install-and-forget devices that typically aren’t bothered with as long as they appear to be functioning correctly. Operational Technology is increasingly seen by hackers as an opportunity to gain a foothold into networks for further lateral movement and exploitation. Application integrations with “trusted” devices also need to validate vendor support and patch level.]
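One way to act on that last point is a routine inventory check that refuses to trust a device once its vendor support has lapsed or its firmware sits below an approved floor. The following is an added example, not code from Akamai or AVTECH; the inventory, vendor, model names, dates and version floors are all constructed placeholders.

```python
from datetime import date

# Constructed inventory; vendor, model, firmware and dates are made up and
# are not taken from the AVTECH advisory.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "ExampleCam", "model": "X100",
     "firmware": "2.3.1", "support_ends": "2021-12-31"},
    {"host": "cam-dock-02", "vendor": "ExampleCam", "model": "X200",
     "firmware": "4.0.2", "support_ends": "2027-06-30"},
    {"host": "cam-dock-03", "vendor": "ExampleCam", "model": "X200",
     "firmware": "3.9.0", "support_ends": "2027-06-30"},
    {"host": "cam-yard-04", "vendor": "OtherCam", "model": "Z9",
     "firmware": "1.0.0", "support_ends": "2030-01-01"},
]

# Minimum firmware the integration accepts per approved model (constructed).
MIN_FIRMWARE = {"X100": "2.5.0", "X200": "4.0.0"}

def parse_version(v):
    """Turn '4.0.2' into (4, 0, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def evaluate_device(dev, today):
    """Return the reasons an integration should not trust this device (empty = OK)."""
    reasons = []
    if date.fromisoformat(dev["support_ends"]) < today:
        reasons.append("vendor support has ended; no fix will ever ship")
    minimum = MIN_FIRMWARE.get(dev["model"])
    if minimum is None:
        reasons.append("model is not on the approved list")
    elif parse_version(dev["firmware"]) < parse_version(minimum):
        reasons.append(f"firmware {dev['firmware']} is below minimum {minimum}")
    return reasons

def untrusted_devices(inventory, today):
    """Map host -> reasons for every device that fails the check."""
    result = {}
    for dev in inventory:
        reasons = evaluate_device(dev, today)
        if reasons:
            result[dev["host"]] = reasons
    return result

if __name__ == "__main__":
    for host, reasons in untrusted_devices(INVENTORY, date(2024, 8, 31)).items():
        print(host, "->", "; ".join(reasons))
```

An unsupported device with no update available, like the camera in the story, fails on the support-end date alone, which is the condition no firmware check can repair.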

 

HACKING
FBI: RansomHub ransomware breached 210 victims since February
Since surfacing in February 2024, RansomHub ransomware affiliates have breached over 200 victims from a wide range of critical U.S. infrastructure sectors. This relatively new ransomware-as-a-service (RaaS) operation extorts victims in exchange for not leaking stolen files and sells the documents to the highest bidder if negotiations fail. RansomHub has claimed responsibility for breaching American not-for-profit credit union Patelco, the Rite Aid drugstore chain, the Christie's auction house, U.S. telecom provider Frontier Communications, and oil services giant Halliburton. RansomHub's data leak site also leaked stolen Change Healthcare data after the BlackCat/ALPHV ransomware operation shut down.

 

Cybercrime and sabotage cost German firms $300 bln in past year
Some 70% of companies that were targeted attributed the attacks to organised crime, the survey found, adding 81% of companies reported data theft, including customer data, access data and passwords, as well as intellectual property such as patents.
Around 45% of companies said they could attribute at least one attack to China, up from 42% in the previous year. Attacks blamed on Russia came in second place at 39%.
The increase in attacks has prompted companies to allocate 17% of their IT budget to digital security, up from 14% last year, but only 37% said they had an emergency plan to react to security incidents in their supply chain.

 

North Korean Hackers Target Developers with Malicious npm Packages
The latest wave, which was observed between August 12 and 27, 2024, involved packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console. Contagious Interview refers to an ongoing campaign that seeks to compromise software developers with information stealing malware as part of a purported job interview process that involves tricking them into downloading bogus npm packages or fake installers for video conferencing software such as MiroTalk hosted on decoy websites. The end goal of the attacks is to deploy a Python payload named InvisibleFerret that can exfiltrate sensitive data from cryptocurrency wallet browser extensions and set up persistence on the host using legitimate remote desktop software such as AnyDesk. These attacks are characterized by using obfuscated JavaScript to write and execute batch and PowerShell scripts. The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim's machine.
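A developer-side check for this kind of campaign is to audit the project manifest and lockfile for the reported package names and for lifecycle hooks that run automatically on install, since that is where the obfuscated droppers described above get their first execution. The example below is added here and is not tooling from the researchers; the package names come from the text, while the package.json and package-lock.json contents are constructed.

```python
import json

# Package names reported in the campaign described above (from the text).
KNOWN_MALICIOUS = {
    "temp-etherscan-api", "ethersscan-api", "telegram-con",
    "helmet-validate", "qq-console",
}
# Hooks npm runs on its own during install; a dropper needs one of these.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Constructed manifest standing in for a "take-home task" a candidate is sent.
PACKAGE_JSON = """
{
  "name": "interview-task",
  "dependencies": {"express": "^4.19.0", "helmet-validate": "^1.0.3"},
  "devDependencies": {"jest": "^29.0.0"},
  "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"}
}
"""

# Constructed lockfile (v3 layout); hasInstallScript is npm's own marker.
PACKAGE_LOCK = """
{
  "name": "interview-task",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express": "^4.19.0", "helmet-validate": "^1.0.3"}},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/helmet-validate": {"version": "1.0.3", "hasInstallScript": true},
    "node_modules/express/node_modules/qq-console": {"version": "0.1.0"}
  }
}
"""

def audit_package_json(text):
    """Flag known-bad direct dependencies and any script that runs on install."""
    pkg = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in pkg.get(section, {}):
            if name in KNOWN_MALICIOUS:
                findings.append(f"{section}: {name} is a reported malicious package")
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"scripts.{hook} runs automatically on install: {cmd!r}")
    return findings

def audit_lockfile(text):
    """Walk every installed package, transitive ones included, and flag
    reported names and packages that carry an install script."""
    lock = json.loads(text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[1]  # handles nesting and @scopes
        if name in KNOWN_MALICIOUS:
            findings.append(f"{path}: reported malicious package")
        if meta.get("hasInstallScript"):
            findings.append(f"{path}: has an install script")
    return findings

if __name__ == "__main__":
    for line in audit_package_json(PACKAGE_JSON) + audit_lockfile(PACKAGE_LOCK):
        print(line)
```

Running installs with `npm ci --ignore-scripts` until such an audit passes removes the automatic execution step entirely; the audit then tells you which packages would have needed it.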

 

Bug bounty programs take root in Russia — with possible far-reaching implications
In March 2022, international sanctions against Russia led to third-party platforms and companies hosting their inhouse bug bounty programs to stop paying out bounties to Russian and Belarusian hackers. HackerOne, the world’s largest vulnerability research platform, refused to pay out a US$25,000 bug bounty reward to Belarusian hacker xnwup. Similarly, Anton Subbotin, the top Russian bug bounty hunter on HackerOne in early 2022, revealed publicly that he was denied a payout of US$50,000, which even included bug reports he submitted to HackerOne prior to Russia’s invasion. Most recently, in June 2024, Apple’s Security Bounty Program refused to pay out a bounty to Kaspersky Lab after the company discovered four zero-click zero-days in iOS that were used to spy on the iPhones of Kaspersky employees and Russian diplomats.
In 2023, the total number of bug hunters on Russian platforms amounted to 20,000 people. The increasing number of companies participating in these platforms shows Russian companies’ growing interest in better protecting their products. Today, major Russian companies from the banking, retail, and IT sectors, such as T-Bank, Ozon, and social media platform VK offer their programs on the platform — including companies that no longer work with HackerOne. Positive Technologies itself offers the highest bounties on Standoff 365 Bug Bounty with up to 60 million rubles (US$680,000). The bug bounty payout structure is comparable to those of HackerOne and other Western platforms.
From a Western perspective, a potential problematic development could be that Russian hackers decide to sell vulnerabilities found in Western products to Russian zero-day acquisition companies such as Operation Zero. Thus, instead of reporting them to Western bug bounty platforms for free, they sell to the highest bidder.

 

Russian government hackers found using exploits made by spyware companies NSO and Intellexa
Google is linking the reuse of the code to Russia because the researchers previously observed the same cookie-stealing code used by APT29 during an earlier campaign in 2021. Google said it is not sure how the Russian government acquired the exploits, but said this is an example of how exploits developed by spyware makers can end up in the hands of “dangerous threat actors.”
Google said it found the hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. During this time, anyone who visited these sites using an iPhone or Android device could have had their phone hacked and data stolen, including passwords, in what is known as a “watering hole” attack. The exploits took advantage of vulnerabilities in the iPhone’s Safari browser and Google Chrome on Android that had already been fixed at the time of the suspected Russian campaign. Still, those exploits nevertheless could be effective in compromising unpatched devices.

 

From Copilot to Copirate: How data thieves could hijack Microsoft's chatbot
Johann Rehberger detailed the attack chain and confirmed that Microsoft fixed the issue, although it's "unclear" exactly what the mitigation involved.
Rehberger's exploit begins with a phishing email that contains a Word document that instructs Copilot to become a scammer, called "Microsoft Defender for Copirate," allowing an attacker to take control of the chatbot and use it to interact with users' emails. Next, the attack uses automatic tool invocation. This technique calls on Copilot to invoke a tool sent via the prompt injection payload, instructing it to search for additional emails or other sensitive info. In this case, Rehberger told Copilot to provide a bullet list of key points from the previous email. This prompts the chatbot to search for Slack MFA codes because the earlier email it analyzed told it to do so. "This means an attacker can bring other sensitive content, including any PII that Copilot has access to, into the chat context without the user's consent." For this attack, Copilot renders a "benign-looking" URL that secretly contains hidden Unicode characters. Assuming the user clicks on the URL, and, as we've seen countless times before, users will click on just about anything, the contents of the email are then sent to an attacker-controlled server.
This exploit chain highlights the ongoing challenges in protecting LLMs from prompt injections and other new attack techniques, which Rehberger notes "are not even two years old." It's an important topic, and one that all the enterprises building their own apps based on Copilot or other LLMs should be paying close attention to in order to avoid security and data privacy pitfalls.
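The "benign-looking URL" step relies on characters that render as nothing. An application that displays LLM output can catch this before a user ever sees the link, by flagging invisible code points, showing them as visible escapes, and recovering anything smuggled in Unicode tag characters. This is an added example, not Rehberger's code or Microsoft's fix; the article says only "hidden Unicode characters", so treating tag characters and other format-category code points as the suspects is an assumption, and the sample URL is constructed.

```python
import unicodedata

def is_hidden(ch):
    """True for code points that occupy no visible space: Unicode tag characters
    (U+E0000..U+E007F), format characters such as zero-width joiners and the
    BOM (category Cf), and private-use code points (Co)."""
    cp = ord(ch)
    return 0xE0000 <= cp <= 0xE007F or unicodedata.category(ch) in ("Cf", "Co")

def find_hidden(text):
    """Return (index, 'U+XXXX', name) for every hidden character in text."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(text) if is_hidden(ch)
    ]

def decode_tags(text):
    """Tag characters mirror ASCII (U+E0041 is 'A'); recover the smuggled text."""
    return "".join(
        chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E
    )

def render_safe(text):
    """What a UI should show: every hidden character replaced by a visible escape."""
    return "".join(f"\\u{{{ord(ch):X}}}" if is_hidden(ch) else ch for ch in text)

def _as_tags(s):
    """Builds the constructed sample only: map ASCII onto the tag block."""
    return "".join(chr(0xE0000 + ord(c)) for c in s)

# Constructed sample: a plain-looking link with an invisible query string that
# would carry data out of the chat context if rendered as-is.
SAMPLE_URL = "https://example.com/report" + _as_tags("?c=MFA-123456")

if __name__ == "__main__":
    print("looks like :", SAMPLE_URL)
    print("hidden     :", len(find_hidden(SAMPLE_URL)), "characters")
    print("smuggled   :", decode_tags(SAMPLE_URL))
    print("safe render:", render_safe(SAMPLE_URL))
```

Blocking or rewriting links with any hidden character is the simpler policy; the decoder is for the analyst who wants to know what the link would have carried.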

 

VENDORS & PLATFORMS
CrowdStrike's meltdown didn't dent its market dominance … yet
CrowdStrike's faulty Falcon sensor update in July bricked 8.5 million Windows machines, grounding thousands of flights worldwide, delaying medical services and downing some US states' 911 emergency services. Nonetheless, it reported better-than-expected revenue for the second quarter. While CrowdStrike did slightly cut its full-year guidance in response to the July incident – to between $3.89 billion and $3.90 billion, compared to its earlier FY 2025 revenue projection of $3.98 billion to $4.01 billion – "our execution following the July 19 incident highlights the resiliency of Crowdstrike's business."
Existing customers – especially those who have gone all in with CrowdStrike's security products – aren't likely to go anywhere, despite any lingering frustrations about the flawed update. 48 percent of customers spending at least $100,000 annually on CrowdStrike use at least eight modules – and replacing these products with equivalents from different vendors would be a "costly and time consuming process."

 

LEGAL & REGULATORY
Judge Rules $400 Million Algorithmic System Illegally Denied Thousands of People’s Medicaid Benefits
The TennCare Connect system—built by Deloitte and other contractors for more than $400 million—is supposed to analyze income and health information to automatically determine eligibility for benefits program applicants. But in practice, the system often doesn’t load the appropriate data, assigns beneficiaries to the wrong households, and makes incorrect eligibility determinations. TennCare Connect did not consider whether applicants were eligible for all available programs before it terminated their coverage.
Deloitte was a major beneficiary of the nationwide modernization effort, winning contracts to build automated eligibility systems in more than 20 states, including Tennessee and Texas. Advocacy groups have asked the Federal Trade Commission to investigate Deloitte’s practices in Texas, where they say thousands of residents are similarly being inappropriately denied life-saving benefits by the company’s faulty systems.

 

Feds claim sinister sysadmin locked up thousands of Windows workstations, demanded ransom
Daniel Rhyne, 57, of Kansas City, Missouri, now faces up to 35 years behind bars for the alleged failed ransom attempt after being charged with one count of extortion in relation to a threat to cause damage to a protected computer, one count of intentional damage to a protected computer, and one count of wire fraud.
His extortion scheme commenced at around 1600 EST on November 25, 2023, it's claimed, when network admins received password reset notifications for a domain administrator account and hundreds of user accounts. About 44 minutes later, the company's employees received an email with the subject line: "Your Network Has Been Penetrated."
The email warned workers that all IT admins were locked out, or had their accounts deleted, and all backups had been erased. Then came the threat to shut down 40 servers a day until a ransom was paid. Rhyne allegedly scheduled tasks to delete 13 domain administrator accounts and change the passwords belonging to 301 domain user accounts and two local admin accounts. This would lock these users out of 254 Windows servers. The suspected sinister sysadmin also changed passwords for two other local admin accounts that would affect 3,284 workstations, and shut down "several" servers and workstations over several days. Rhyne is said to have used Windows' net user and Sysinternals Utilities' PsPasswd tool to modify these accounts and change the passwords to "TheFr0zenCrew!"
The Feds claim they traced a hidden virtual machine used to remotely access an admin account back to Rhyne's company-issued laptop. He also used the same password, "TheFr0zenCrew!" for this compromised account.
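The first symptom in this case was a flood of password reset notifications for a domain administrator account and hundreds of users within minutes. That pattern is cheap to detect from the security log: count reset and deletion events per acting account in a sliding time window and alert when a single account exceeds a threshold. The example below is added here and is not the company's or the FBI's tooling; the event lines are constructed, in a flattened form modelled loosely on Windows Security log IDs 4724 (password reset attempted), 4726 (user account deleted) and 4698 (scheduled task created), and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed log lines: 'time|event_id|subject_account|target'.
    One service account resets 302 accounts and deletes 13 within two minutes,
    while a helpdesk account does three unrelated resets over the day."""
    base = datetime(2023, 11, 25, 16, 0, 0)
    lines = [f"{base.isoformat()}|4698|svc-backup|task:reset-all"]
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()}|4724|svc-backup|domain-admin")
    for i in range(301):
        t = base + timedelta(seconds=6 + i // 3)
        lines.append(f"{t.isoformat()}|4724|svc-backup|user{i:04d}")
    for i in range(13):
        t = base + timedelta(seconds=120 + i)
        lines.append(f"{t.isoformat()}|4726|svc-backup|da-{i + 1:02d}")
    for hour in (9, 11, 14):
        t = datetime(2023, 11, 25, hour, 0, 0)
        lines.append(f"{t.isoformat()}|4724|helpdesk01|user{hour:04d}")
    return lines

def parse(line):
    ts, eid, subject, target = line.split("|")
    return datetime.fromisoformat(ts), int(eid), subject, target

def burst_counts(events, event_id, threshold, window):
    """For one event ID, find each subject's peak count inside any window-long
    span and return those subjects whose peak reaches the threshold."""
    times_by_subject = defaultdict(list)
    for ts, eid, subject, _target in events:
        if eid == event_id:
            times_by_subject[subject].append(ts)
    bursts = {}
    for subject, times in times_by_subject.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[subject] = peak
    return bursts

def detect(lines, window=timedelta(minutes=10)):
    """Assumed thresholds: 20 resets or 5 deletions by one account in 10 minutes."""
    events = [parse(line) for line in lines]
    return {
        "password_reset_bursts": burst_counts(events, 4724, 20, window),
        "account_deletion_bursts": burst_counts(events, 4726, 5, window),
    }

if __name__ == "__main__":
    for rule, hits in detect(build_sample_events()).items():
        print(rule, hits)
```

Pairing the burst alert with any 4698 task creation by the same account shortly before it gives the scheduled, unattended flavour of the actions described above, and is the kind of correlation that turns a noisy notification flood into one actionable alert.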

 

Alaska man busted with 10,000+ child sex abuse images despite his many encrypted apps
The rise in child sexual abuse material (CSAM) has been one of the darkest Internet trends, but after years of covering CSAM cases, I've found that few of those arrested show deep technical sophistication.
But I've never seen anyone who, when arrested, had three Samsung Galaxy phones filled with "tens of thousands of videos and images" depicting CSAM, all of it hidden behind a secrecy-focused, password-protected app called "Calculator Photo Vault." Nor have I seen anyone arrested for CSAM having used all of the following:

  • Potato Chat ("Use the most advanced encryption technology to ensure information security.")

  • Enigma ("The server only stores the encrypted message, and only the users client can decrypt it.")

  • nandbox [presumably the Messenger app] ("Free Secured Calls & Messages,")

  • Telegram ("To this day, we have disclosed 0 bytes of user data to third parties, including governments.")

  • TOR ("Browse Privately. Explore Freely.")

  • Mega NZ ("We use zero-knowledge encryption.")

  • Web-based generative AI tools/chatbots

Seth Herrera not only used all of these tools to store and download CSAM, but he also created his own disturbing varieties using AI. The government is cagey about how, exactly, this criminal activity was unearthed, noting only that Herrera "tried to access a link containing apparent CSAM." Presumably, this "apparent" CSAM was a government honeypot file or web-based redirect that logged the IP address and any other relevant information of anyone who clicked on it. In the end, given that fatal click, none of the "I'll hide it behind an encrypted app that looks like a calculator!" technical sophistication accomplished much.