Robert Grupe's AppSecNewsBits 2024-09-15

This Week: Lawsuits, Increased Power Needed for IT and AI, All-Employee Password Resets After Breaches

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Fortinet confirms data breach after hacker claims to steal 440GB of files
Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft SharePoint server. Fortinet says that the incident affected less than 0.3% of its customer base and that it has not resulted in any malicious activity targeting customers.

TfL requires in-person password resets for 30,000 employees after hack
Transport for London (TfL) says that all staff (roughly 30,000 employees) must attend in-person appointments to verify their identities and reset passwords following a cybersecurity incident. The same approach was taken by DICK'S Sporting Goods' IT staff after an August cyberattack, manually validating employees' identities on camera before allowing them to regain access to internal systems.

HACKING
Sextortion scams now use your "cheating" spouse’s name as a lure
A new variant of the ongoing sextortion email scams is now targeting spouses, saying that their husband or wife is cheating on them, with links to the alleged proof.
What made most email recipients concerned was the use of names that are not generally associated with them or used online, such as maiden names, second last names, or even their pet's name. While it is unclear where the information comes from, many Reddit users claim they only shared it on a wedding planning site called The Knot. This includes the person who said they received the email about their "cheating" dog, Mr. Wiggles, whose name was also shared on the site.

Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries
Accidental credential leakage remains a prevalent method for gaining unauthorised access to cloud environments. SCATTERED SPIDER leverages cloud authentication tokens leaked from publicly exposed code repositories such as GitHub, where they were hardcoded in application code. This allows attackers to use automated tools to scan for such tokens and gain unauthorised access to cloud systems.
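The defensive counterpart to the leakage vector described above is scanning code before it is pushed. The following is an added example, not code from the article or from any vendor: a small pre-commit style scanner that flags well-known cloud token formats and, as a fallback, high-entropy values assigned to secret-looking variable names. The sample source is constructed, and the AWS values in it are Amazon's documented placeholder keys, not live credentials.

```python
import math
import re

# Well-known credential formats that leak from repositories (prefixes documented by the issuers).
KNOWN_TOKEN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}
# A quoted value of 16+ characters assigned to a variable whose name suggests a secret.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|api_?key)\w*)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score well above words, hostnames or regions."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))

def scan(source: str, entropy_threshold: float = 3.5) -> list:
    """Return (line number, finding kind, matched value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        matched_known = False
        for kind, pattern in KNOWN_TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(0)))
                matched_known = True
        if matched_known:
            continue  # do not double-report a known-format key as a generic secret
        m = SECRET_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "high-entropy:" + m.group(1), m.group(2)))
    return findings

# Constructed sample file: the AWS values are Amazon's documented example keys, not real ones.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region = "us-east-1"
db_password = "changeme"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} -> {value[:4]}... (redacted)")
```

Wire `scan()` into a pre-commit hook or CI job that fails the build on any finding; the entropy fallback catches keys whose format is not in the known list but will need tuning against false positives such as test fixtures.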

Lazarus Group tricks developers to load malware via fake recruiting tests
New malicious software packages tied to the North Korean Lazarus Group were observed posing as a Python coding skills test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware.
The instructions sent by the threat actor set a timeframe for completing an assignment, which was to find a code flaw in the package and fix it. The researchers said the lure was clearly intended to create a sense of urgency for the job-seeker, making it more likely that they would download the malicious package.

DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe
DragonRank exploits targets' web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. It's specifically designed to facilitate proxyware and SEO fraud by turning the compromised IIS server into a relay point for malicious communications between its customers (i.e., other threat actors) and their victims. On top of that, it can modify the content served to search engines to manipulate search engine algorithms and boost the ranking of other websites of interest to the attackers.
The attack chains commence with taking advantage of known security flaws in web applications like phpMyAdmin and WordPress to drop the open-source ASPXspy web shell, which then acts as a conduit to introduce supplemental tools into the targets' environment. The primary objective of the campaign is to compromise the IIS servers hosting corporate websites, abusing them to implant the BadIIS malware and effectively repurposing them as a launchpad for scam operations by utilizing keywords related to porn and sex. Another significant aspect of the malware is its ability to masquerade as the Google search engine crawler in its User-Agent string when it relays the connection to the command-and-control (C2) server, thereby allowing it to bypass some website security measures.
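A User-Agent string is attacker-controlled, so a site that grants Googlebot special treatment should verify the claim rather than trust the header. The following is an added example, not code from the article or from Cisco Talos: it applies Google's published crawler verification (reverse-resolve the client IP, require a hostname under googlebot.com or google.com, then forward-resolve that hostname and require the original IP in the answer). The resolver functions are injectable, and the DNS table below is constructed from documentation-range addresses so the logic runs offline.

```python
import socket
from typing import Optional

CRAWLER_DOMAINS = (".googlebot.com", ".google.com")

def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_forward(host: str) -> set:
    """A/AAAA lookup through the system resolver; empty set when the name does not resolve."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def is_verified_googlebot(ip: str, reverse=live_reverse, forward=live_forward) -> bool:
    host = reverse(ip)
    if not host or not host.lower().endswith(CRAWLER_DOMAINS):
        return False              # a PTR record the sender controls can claim anything...
    return ip in forward(host)    # ...but only Google's zone can confirm it forward

def classify_request(ip: str, user_agent: str, reverse=live_reverse, forward=live_forward) -> str:
    if "googlebot" not in user_agent.lower():
        return "not-a-crawler-claim"
    return "verified-googlebot" if is_verified_googlebot(ip, reverse, forward) else "spoofed-googlebot"

# Constructed DNS table (RFC 5737 documentation addresses, not real Google hosts).
_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",    # genuine: PTR and forward agree
    "198.51.100.7": "vps-7.hosting.example.net",       # plain spoofed User-Agent
    "203.0.113.5": "crawl-203-0-113-5.googlebot.com",  # attacker-set PTR, forward lookup disagrees
}
_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "vps-7.hosting.example.net": {"198.51.100.7"},
    "crawl-203-0-113-5.googlebot.com": set(),  # name does not exist in Google's zone
}
def sample_reverse(ip: str) -> Optional[str]: return _PTR.get(ip)
def sample_forward(host: str) -> set: return _A.get(host, set())

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
if __name__ == "__main__":
    for ip in _PTR:
        print(ip, classify_request(ip, GOOGLEBOT_UA, sample_reverse, sample_forward))
```

In production, cache the verdict per IP and rate-limit the lookups, since each unverified request otherwise costs two DNS round trips.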

1.3 million Android-based TV boxes backdoored; researchers still don’t know how
While only licensed device makers are permitted to modify Google's Android TV, any device maker is free to make changes to open source versions. The off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results for it.

How an Engineer Exposed an International Bike Theft Ring - By Its Facebook Friends
On Nov. 21, 2021, the Colorado attorney general’s office indicted eight people on 227 counts of theft, including 29 bike shop burglaries. The AG reported that in one burglary, “the suspects stole $90,000 worth of bicycles in under five minutes.”
A federal grand jury indicted Victoriano Romero on felony conspiracy charges for his alleged role in a scheme to purchase high-end stolen bicycles from thieves across the Bay Area and transport them to Mexico for resale.

FBI PSA Business Email Compromise/Email Account Compromises
BEC is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering (PSA I-041124-PSA) or computer intrusion to conduct unauthorized transfers of funds. Oftentimes BEC variations involve compromising legitimate business email accounts and requesting employees' Personally Identifiable Information in order to compromise other accounts that may be related to other scams.
FBI filings with financial institutions between October 2013 and December 2023:
Domestic and international incidents: 305,033
Domestic and international exposed dollar loss: $55,499,915,582

Rogue WHOIS server gives researcher superpowers no one should ever have
It’s not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and the position to execute code of his choice on thousands of servers—all in a single blow that cost only $20 and a few minutes to land.
Harris, the CEO and founder of security firm watchTowr, did all of this by registering the domain dotmobiregistry[.]net. The domain was once the official home of the authoritative WHOIS server for .mobi, a top-level domain used to indicate that a website is optimized for mobile devices. At some point—it’s not clear precisely when—this WHOIS server, which acts as the official directory for every domain ending in .mobi, was relocated, from whois.dotmobiregistry[.]net to whois[.]nic[.]mobi. Harris noticed that the previous dotmobiregistry[.]net owners had allowed the domain to expire. He then scooped it up and set up his own .mobi WHOIS server.

Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers
By remotely capturing and analyzing the virtual avatar video, an attacker can reconstruct the typed keys. The GAZEploit attack is the first known attack in this domain that exploits leaked gaze information to remotely perform keystroke inference.
Following responsible disclosure, Apple addressed the issue in visionOS 1.3 released on July 29, 2024. It described the vulnerability as impacting a component called Presence.

Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions. However, Selenium Grid's default configuration lacks authentication, making it vulnerable to exploitation by threat actors.

APPSEC, DEVSECOPS, DEV
Platform Engineering Is Security Engineering
For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems.
By designing a platform through a "security-first" lens, platform engineering leaders can set up their DevOps and AppDev teams for success and make them more efficient by minimizing the toil and cognitive load required to properly execute security policies and practices.
[rG: Correction – Platform Engineering is part of DevSecOps implementation, which is part of Security Engineering.]

China Governance framework promotes AI security
The introduction of a governance framework on artificial intelligence security marks a significant step in promoting collaborative efforts to address AI security across society, according to the National Technical Committee 260 on Cybersecurity of Standardization Administration of China. The first version of the framework was unveiled on Monday in Guangzhou.
Utilizing a risk management approach, the framework identifies and analyzes the sources of AI-related risks such as data, system and application security in areas such as networks, real-world operations and ethics. It proposes corresponding technical responses and preventive measures to ensure secure AI development and application.

VENDORS & PLATFORMS
The future of computing must be more sustainable, even as AI demand fuels energy use
Nations need to tap artificial intelligence to achieve sustainability, but the technology's growing adoption will drive power consumption.
The tech industry alone currently contributes an estimated 1.5% to 4% of global greenhouse gas emissions.
AI Power Consumption: Rapidly Becoming Mission-Critical
Nvidia's A100 max power consumption is 250W with PCIe and 400W with SXM (Server PCIe Express Module), and the H100's power consumption is up to 75% higher versus the A100. With PCIe, the H100 consumes 300-350W, and with SXM, up to 700W. The 75% increase in GPU power consumption happened rapidly, within two brief years, across one generation of GPUs. With 3.5 million H100 shipments through 2023 and 2024, the H100 alone could see total power consumption of 13.1 TWh annually.
Internet energy consumption: data, models, forecasts?
This data-file forecasts the energy consumption of the internet, rising from 800 TWh in 2022 to 2,000 TWh in 2030 and 3,750 TWh by 2050.

LEGAL & REGULATORY
Healthcare provider Lehigh Valley Health Network (LVHN) has reached a $65 million settlement in a class-action suit filed over a 2023 data breach
The hackers had stolen personal information such as names, addresses, phone numbers, medical and treatment information, and health insurance information. For some individuals, email addresses, driver's license numbers, Social Security numbers, and banking information were also compromised. Over 130,000 patients and employees were potentially affected by the data breach.
Every individual who received a notification letter from LVHN is considered part of the lawsuit and should receive compensation, without having to take any action. Should the settlement be approved, every class member will receive a payment ranging from $50 to $70,000. Only those who had their nude photos leaked will receive the maximum amount.

23andMe to pay $30 million in genetics data breach settlement
DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.
In October 2023, 23andMe revealed that unauthorized access to customer profiles occurred through compromised accounts. Hackers exploited credentials stolen from other breaches to access 23andMe accounts. After discovering the breach, the company implemented measures to block similar incidents, including requiring customers to reset passwords and enabling two-factor authentication by default starting in November.

Ireland's Watchdog Launches Inquiry into Google's AI Data Practices in Europe
The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users. The development comes weeks after social media platform X permanently agreed not to train its AI chatbot, Grok, using the personal data it collected from European users without obtaining prior consent. Meta, which recently admitted to scraping every Australian adult Facebook user's public data to train its Llama AI models without giving them an opt-out, has paused its plans to use content posted by European users following a request from the DPC over privacy concerns. It has also suspended the use of generative AI (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy. Last year, Italy's data privacy regulator also temporarily banned OpenAI's ChatGPT because of concerns that its practices are in violation of data protection laws in the region.

US proposes requiring reporting for advanced AI, cloud providers
It would also require reporting on cybersecurity measures as well as outcomes from so-called red-teaming efforts like testing for dangerous capabilities including the ability to assist in cyberattacks or lowering barriers to entry for non-experts to develop chemical, biological, radiological, or nuclear weapons.