InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
August 2022 has been a lesson in being careful with whom you provide sensitive information. In a month that saw the former US president accused of misappropriating classified government documents, there were also a spate of malicious insiders compromising their employer’s systems.
Meanwhile, the bastion of password security, LastPass, announced that its systems had been breached – although the organisation is confident that customers’ details remain secure.
In total, we identified 112 publicly disclosed security incidents in August, resulting in 97,456,345 compromised records.
You can find the full list of incidents below, broken into their respective categories.
Our much-loved iPhone 6+, now nearly eight years old but in pristine, as-new condition until a recent UDI (unintended dismount incident, also known as a bicycle prang, which smashed the screen but left the device working fine otherwise), hasn’t received any security updates from Apple for almost a year.
The last update we received was back on 2021-09-23, when we updated to iOS 12.5.5.
Every subsequent update for iOS and iPadOS 15 has understandably reinforced our assumption that Apple had dropped iOS 12 support for evermore, and so we relegated the old iPhone to background duty, solely as an emergency device for maps or phone calls while on the road.
(We figured that another crash would be unlikely to wreck the screen any further, so it seemed a useful compromise.)
But we’ve just noticed that Apple has decided to update iOS 12 again after all.
This new update applies to the following models: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation. (Before iOS 13.1 and iPadOS 13.1 came out, iPhones and iPads used the same operating system, referred to as iOS for both devices.)
We didn’t receive a Security Advisory email from Apple, but an alert Naked Security reader who knows we still have that old iPhone 6+ let us know about Apple Security Bulletin HT213428. (Thanks!)
Simply put, Apple has published a patch for
CVE-2022-32893
, which is one of the two mysterious zero-day bugs that received emergency patches on most other Apple platforms earlier in August 2022:
As you will see in the article just above, there was a WebKit remote code execution bug, CVE-2022-32893, by means of which a jailbreaker, a spyware peddler, or some devious cybercriminal could lure you to a booby-trapped website and implant malware on your device, even if all you did was glance at an otherwise innocent-looking page or document.
Then there was a second bug in the kernel, CVE-2022-32894, by which said malware could extend its tentacles beyond the app it just compromised (such as a browser or a document viewer), and get control over the innards of the operating system itself, thus allowing the malware to spy on, modify or even install other apps, bypassing Apple’s much vaunted and notoriously strict security controls.
So, here’s the good news: iOS 12 isn’t vulnerable to the kernel-level zero-day CVE-2022-32894, which almost certainly avoids the risk of total compromise of the operating system itself.
But here’s the bad news: iOS 12 is vulnerable to the WebKit bug CVE-2022-32893, so that individual apps on your phone definitely are at risk of compromise.
We’re guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution.
The danger of WebKit
Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple’s own Safari browser isn’t the only app at risk from this vulnerability.
All browsers on iOS, even Firefox, Edge, Chrome and so on, use WebKit (that’s an Apple requirement if you want your app to make it into the App Store).
And any app that displays web content for purposes other than general browsing, such as in its help pages, its About screen, or even in a built-in “minibrowser”, is also at risk because it will be using WebKit under the covers.
In other words, just “avoiding Safari” and sticking to a third-party browser is not a suitable workaround in this case.
What to do?
We now know that the absence of an update for iOS 12 when the latest emergency patches came out for more recent iPhones was not down to the fact that iOS was already safe.
It was simply down to the fact that an update wasn’t available yet.
So, given that we now know that iOS 12 is at risk, and that exploits against CVE-2022-32893 are being used in real life, and that there is a patch available…
…then it’s an urgent matter of Patch Early/Patch Often!
Go to Settings > General > Software Update, and check that you have iOS 12.5.6.
If you haven’t yet received the update automatically, tap Download and Install to begin the process right away:
Go to Settings > General > Software Update. You’re looking for iOS 12.5.6. Use Download and Install if needed.
While cloud breaches are going to happen, that doesn’t mean we can’t do anything about them. By better understanding cloud attacks, organizations can better prepare for them.
Source: Wavebreakmedia Ltd IW-210409 via Alamy Stock Photo
Cloud breaches are inevitable.
It’s the reality we live in. The last few years have demonstrated that breaches occur, no matter how much security organizations put in place. The increased complexity of organizations — where a single mistake or vulnerability can lead to a compromise — coupled with the increased motivation, sophistication, and dedication of attackers, means breaches are here to stay. At the same time, organizations are transitioning to the cloud, making attackers shift focus to rapidly increase their attacks on cloud environments.
While this means that cloud breaches are inevitable, that doesn’t mean we can’t do anything about them. By better understanding cloud attacks, organizations can better prepare for them. Then, hopefully, they can contain and respond to attacks faster, reducing their impact and averting a crisis.
This two-part series will explore real-world attacks that unravel, investigate, and share insights on practical ways organizations can respond to cloud attacks in today’s threat landscape.
SaaS Marketplace Hack Leads to Major Breach
In the last few years, software-as-a-service (SaaS) platforms have been replacing traditional enterprise applications, making it easier for organizations to adopt and manage them. Part of the value such platforms provide is the ability to integrate and expand rapidly, supporting the ever-growing demands of users for more functionality. Further enhancing their platforms, SaaS vendors are creating a marketplace to allow third-party providers to add functionality and integration for its users. These marketplaces, however, can introduce substantial third-party risk, as can be seen in the following scenario.
After a company was notified by GitHub of a potential risk, GitHub didn’t provide any specific indicators of unauthorized access. Instead, GitHub provided only a generic notice that DeepSource, one of the apps the company had previously been using on the marketplace, was breached, making it hard to understand whether the organization was affected or not. An initial review done by the company of its GitHub logs did not help, as it could not see any access to its code by DeepSource.
The reason for this was rather simple — and it is at the heart of how many SaaS marketplaces operate. A few months before the breach, one of the company’s developers tried out the DeepSource app, wherein the developer granted DeepSource access to the code under his username. When the attackers used DeepSource’s access to download the entire code repository, what appeared in the logs was a pull request under the name of a legitimate user. The only indicator that it was malicious was the identification of an irregular IP address, which eventually was tied to other known attacks.
At this point, it became clear that the entire code repository had been stolen, and a full-blown response was needed to contain and recover from the breach. As with most code leakage cases, the immediate concern was access to secrets (passwords/keys) in the code. While it is generally bad practice to have hardcoded secrets in code, it is still a common practice by many — and this case was no different. By identifying the relevant secrets in the code, the next steps of the attackers — which, as expected, started accessing some of the Amazon Web Services (AWS) infrastructure — was predicted. By quickly identifying them, the company was able to block access to all relevant resources, contain the breach, and recover before more damage could be done.
Cryptominer Injected into a Virtual Machine Template
What if one could mine cryptocurrency at somebody else’s expense? This idea is at the heart of many cryptomining attacks we see today, where attackers take over cloud resources, then run cryptominers on them collecting cryptocurrency while the hacked organization pays the cloud compute bills for it.
In a recent incident, a company had identified unknown files on 18 AWS EC2 machines they were running in the cloud. Looking at the files, it became clear they had fallen victim to the ongoing TeamTNT Watchdog cryptomining campaign. It was initially unclear how the attackers managed to infect so many EC2 instances, but as the investigation unfolded, it became apparent that instead of targeting individual machines, the attackers targeted the Amazon Machine Image (AMI) template used to create each machine. During the creation of the original image, there was a short time where a service was misconfigured, allowing remote access. TeamTNT used automatic tools to scan the network, identify it, and immediately place the miners there, which then got duplicated to every new machine created.
This highlights another common attack pattern: implanting cryptominers in publicly available AMIs through the Amazon marketplace.
As demonstrated by these cases, cloud attacks are here to stay. They’re different from what we’re used to observing, so it’s time to better prepare for their arrival. Stay tuned for part two, where we will dive into cloud ransomware and how to avoid it.
Google’s latest Chrome browser, version 105, is out, though the full version number is annoyingly different depending on whether you are on Windows, Mac or Linux.
On Unix-like systems (Mac and Linux), you want 105.0.5195.52, but on Windows, you’re looking for 105.0.5195.54.
According to Google, this new version includes 24 security fixes, though none of them are reported as “in-the-wild”, which means that there weren’t any zero-days patched this time.
Nevertheless, there’s one vulnerability dubbed Critical, and a further eight rated High.
Of the flaws that were fixed, just over half of them are down to memory mismanagement, with nine listed as use-after-free bugs, and four as heap buffer overflows.
Memory bug types explained
A use-after-free is exactly what it says: you hand back memory to free it up for another part of the program, but carry on using it anyway, thus potentially interfering with the correct operation of your app.
Imagine, for instance, that the part of the program that thinks it has now sole access to the offending block of memory receives some untrusted input, and carefully verifies that the new data is safe to use…
…but then, in the instant before it starts using that validated input, your buggy “use-after-free” code interferes, and injects stale, unsafe data into the very same part of memory.
Suddenly, bug-free code elsewhere in the program behaves as if it were buggy itself, thanks to the flaw in your code that just invalidated what was in memory.
Attackers who can figure out a way to manipulate the timing of your code’s unexpected intervention may be able not only to crash the program at will, but also to wrest control from it, thus causing what’s known as remote code execution.
And a heap buffer overflow refers to a bug where you write more data to memory than will fit in the space that was originally allocated to you. (Heap is the jargon term for the collection of memory
blocks that are currently being managed by the system.)
If some other part of the program has a memory block just happens to be near to or next to yours in the heap, then the superfluous data that you just wrote out won’t overflow harmlessly into unused space.
Instead, it will corrupt data that’s in active use somewhere else, which similar consequences to what we just described for a use-after-free bug.
The “Sanitizer” system
Happily, as well as fixing misfeatures that weren’t supposed to be there at all, Google has announced the arrival of a new feature that adds protection against a class of browser flaws known as cross-site scripting (XSS).
XSS bugs are caused by the browser inserting untrusted data, say from a web form submitted by a remote user, directly into the current web page, without checking for (and removing) risky content first.
Imagine, for instance, that you have a web page that offers to show me what a text string of my choice looks like in your funky new font.
If I type in the sample text Cwm fjord bank glyphs vext quiz (a contrived but vaguely meaningful mashup of English and Welsh that contains all 26 letters of the alphabet in just 26 letters, in case you were wondering), then it’s safe for you to put that exact text into the web page you create.
In JavaScript, for example, you could rewrite the body of the web page like this, inserting the text that I supplied without any modification:
In JavaScript, for example, you could rewrite the body of the web page like this, inserting the text that I supplied without any modification:
document.body.innerHTML = "<p style='font-family:funky;'>Cwm fjord bank glyphs vext quiz"
But if I cheated, and asked you to “display” the text string Cwm fjord<script>alert(42)</script> instead, then it would be reckless for you to do this…
…because you would be allowing me to inject untrusted JavaScript code of my choosing directly into your web page, where my code could read your cookies and access data that would otherwise be off-limits.
So, to make what’s known as sanitising thine inputs easier, Chrome has now officially enabled support for a new browser function called setHTML().
This can be used to push new HTML content through a feature called the Sanitizer first, so that if you use this code instead…
…then Chrome will scan the proposed new HTML string for security problems first, and automatically remove any text that could pose a risk.
You can see this in action via the Developer tools by running the above setHTML() code at the Console prompt, and then retrieving the actual HTML that was injected into the document.body variable, as we did here:
Even though we explicitly put a <script> tag in the input that we passed to the setHTML() function, the script code was automatically purged from the output that was created.
If you genuinely need to add potentially dangerous text into an HTML element, you can add a second argument to the setHTML() function that specifies various types of risky content to block or allow.
By default, if this second argument is omitted as above, then the Sanitizer operates at its maximum security level and automatically purges all dangerous content that it knows about.
What to do?
If you’re a Chrome user. Check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.
If you’re a web programmer. Learn about the new Sanitizer and setHTML() functionality by reading advice from Google and the MDN Web Docs.
These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.
Source: Marek Uliasz via Alamy Stock Photo
Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of this would be managing evidence for top secret counterterrorism activities, invaluable intellectual property such as the first COVID-19 vaccine, or systems that require uptimes of five 9s (99.999%) or higher, for which downtime of a single minute can cost millions of dollars.
That said, for most companies, a “good” application security (AppSec) program will suffice. A good program is one where your applications are safe against the most common types of attacks but could still fall to a determined, well-funded, and advanced attacker. Let’s discuss the differences, and how to create something that meets your company’s needs.
Elections Require Perfection
For a “perfect” AppSec program, every single potential vulnerability reported by any test must be investigated by a security expert. This means running static application security testing (SAST), dynamic application security testing (DAST), and other automated tools with the confidence level for findings set to report “any and all” possibilities. That requires hiring one or more security experts who are trained to run down each item and given weeks to check each application. It also means hiring several security professionals to do manual security testing and code review, for multiple viewpoints, and to re-test that the bugs are truly fixed and have not created new bugs in the process. It is both time-consuming and quite expensive.
A few years ago, I worked on an application that had to run on a 32-kilobit modem in the Arctic. It makes our elections in Canada happen, which meant it had to be absolutely perfect. We hired several different security professionals, who used a multitude of tools and manual techniques to find both security and non-security issues within our application. We did stress testing, performance testing, integration testing, and so much more. We set up a functional returning office (the place that you vote), with every system fully functional, and ran an entire 36-day mock election, with fake security incidents thrown into the mix, 6 months before the big day. We spent the following 6 months finalizing every detail. It’s unlikely you would have noticed, as when the 52nd General Election happened on Oct. 19, 2015, it went off without a hitch.
They don’t write news articles when everything goes right. We also put in quite a bit more work than what I shared above, which I am not at liberty to share. The point is that being perfect is not cheap, and it is not quick.
5 Ways to Make Good ‘Good Enough’
With that story in mind, does your organization need to be truly perfect? Or is “good” good enough? Let’s look at some ways your organization could create a scalable and affordable application security program that is good.
1. Automate. First off, leverage automation whenever possible. There are many free and paid security tools that can provide good results. When I say good, I mean most of the results they report are true positives, and the false negatives (missed bugs) are at a level your organization can be comfortable with. Some automated tools will allow you to set a confidence level for your results; starting with a confidence level of “high” in the first year of your program, and then shifting to “medium” in the second year, is a good way to get software developers to have faith in what you are reporting while not overwhelming them.
2. Use anti-pattern matching SAST. For SAST tools, when you’re aiming for “good” results, select a next-generation SAST that performs anti-pattern matching (regex looking for known-bad patterns) rather than an original SAST type that performs symbolic execution (running down every possible code outcome, searching for potential flaws and bugs). While the original types of SAST are ideal for creating a perfect application, next-generation SASTs are faster, provide more true positives, and are sometimes quite a bit cheaper as well.
3. Spell out technical requirements. When starting new projects, give your project team a list of expectations, both for technical security requirements and for activities you expect them to participate in as part of the project life cycle. You could create a list once for each type of technology (Web apps, APIs, serverless, infrastructure as code, containers, etc.), then reuse that list for every new project it applies to. This also allows a project manager to schedule time for the security activities to happen so that project teams don’t face unexpected overtime.
4. Run a threat model. During the design phase, reserve one hour with the product owner, the technical leader of the project, and a member of the AppSec team. Perform a simple threat model on your application and implement some of the recommendations from that session.
5. Train people on secure coding. Give your software developers secure coding training. There’s several free or almost-free courses on the Internet for this now, and every bug they help your people avoid creating saves you more time and money than you may realize.
Although this is just a short list of ways to build a scalable and affordable program for creating secure apps, these five suggestions provide a great place to start from or to add to an already existing program to make “good” software.
The role of the Chief Information Security Officer (CISO) is a relatively new senior-level executive position within most organizations, and is still evolving.
To find out how current CISOs landed in that role, their aspirations, the compensation they receive, and which risks they face and responsibilities they shoulder, analysts with international executive search firm Heidrick & Struggles have asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.
The results of the survey revealed these main takeaways:
Who reports to CISOs and to whom do the CISOs report?
The main organizational functions that report to CISOs are SecOps (88%); governance, risk, and compliance (87%); penetration testing (87%); security architecture (86%); product and application security (79%); and business continuity planning or disaster recovery (79%).
CISOs mostly report to the CIO (38%); the CTO or senior engineering executive (15%); the COO or CAO (9%); the global CISO (8%); and the CEO (8%). But 88% of them also report to the company board and/or advisory committee.
CISO roles are often terminal
Most CISOs move laterally into their current role and the career path forward for CISOs is most often to another CISO role, the analysts found.
If they were not CISOs before – and 53% of them were! – they were mostly a deputy CISO, a regional or business unit CISO, and the senior information security executive in their organization.
Many CISOs aspire to be a board member next, but that ambition is unlikely to be realized. Even though cybersecurity experience is sorely needed on boards, many boards still frequently prefer board members with prior board experience, the analysts pointed out.
The Chief Security Officer (CSO) or the Chief Information Officer (CIO) roles are also coveted by many of the respondents.
Threats CISOs are facing and personal risks they are worried about
CISOs say ransomware attacks are the most significant cyber risk to their organization (67%), followed by insider threats (32%) and nation/state attacks (31%).
On a more personal note, CISOs are most worried about stress related to the role (59%) and burnout (48%), and much less about job loss as a result of a breach (25%) or being faced with personal financial accountability for a breach (11%).
“Our survey responses here tell a few different stories,” the analysts noted.
“One is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits. The second story is that CISOs feel relatively secure in their jobs—job loss as a result of a breach wasn’t the highest risk. That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk.”
CISO compensation keeps rising
“In the United States, reported median cash CISO compensation has risen to $584,000 this year, up from $509,000 last year and $473,000 in 2020. Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $971,000 from $936,000,” the company found.
New CISOs, in particular, saw the highest rises in overall compensation – probably because talent to fill out the role is hard to find and organizations are competing fiercely to take hold of it.
In the UK, the median cash CISO compensation has risen to £318,000 this year, but there was a 14% drop in annual equity.
For those interested, Heidrick & Struggles’s report offers more granular insight on the various factors that impact CISO compensation in different geographical locations.
Cisco Talos researchers observed three separate, but related, campaigns between March and June 2022 that were delivering multiple malware, including the ModernLoader bot (aka Avatar bot), RedLine info-stealer and cryptocurrency miners to victims.
ModernLoader is a .NET remote access trojan that supports multiple features, including the capability of gathering system information, executing arbitrary commands, or downloading and running a file from the C2 server.
Threat actors use PowerShell, .NET assemblies, and HTA and VBS files to perform lateral movements across a targeted network and eventually drop other pieces of malware, such as the SystemBC trojan and DCRAT. The attackers’ use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.
The attack chain starts with an HTML Application (HTA) file that runs a PowerShell script hosted on the C2 server which executes the next stage of the loading process.
“The next stage is the PowerShell loader. The loader contains embedded code of three modules, which are loaded using reflection as additional .NET assemblies into the PowerShell process space. The downloaded PowerShell code also downloads and runs auxiliary modules and payloads.” reads the analysis published by Cisco Talos. “There are usually three modules in this loader format. The first disables AMSI scanning functionality, the second is the final payload, and the last injects the payload into the process space of a newly created process, usually RegSvcs.exe.”
The final payload appears to be a ModernLoader remote access trojan (RAT) and the XMRig miner. Talos reported that the March campaigns targeted users in Eastern Europe, including Bulgaria, Poland, Hungary, and Russia.
The threat actors behind the campaigns are likely Russian-speaking actors, that are experimenting with different technologies. Experts speculate that the usage of ready-made tools demonstrates that despite the actors understanding the TTPs required for a successful malware campaign, they haven’t the technical skills to develop their own arsenal.
Cisco Talos attributed the infections to a previously undocumented but Russian-speaking threat actor, citing the use of off-the-shelf tools. Potential targets included Eastern European users in Bulgaria, Poland, Hungary, and Russia.
The attackers also compromised vulnerable web applications to change their configuration to use malicious PHP scripts to deliver malware to their users.
The attackers attempted to compromise WordPress and CPanel installs to distribute the malware using files masquerades as fake Amazon gift cards.
“The actor is frequently using open-source components and code generators to achieve its goals. A number of remote access tools, stealers and cryptominers are used in the campaigns to eventually reap financial benefits for the actor. The actor has an interest in alternative distribution channels such as compromised web applications, archive infections and spreading by using Discord webhooks.” concludes the report. “Despite all the techniques and tactics used we estimate that the success of these campaigns is limited.”
Documents allegedly belonging to an EU defense dealer include those relating to weapons used by Ukraine in its fight against Russia.
Source: Andrey Khokhlov via Alamy Stock Photo
NATO is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web, according to a published report.
The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia.
Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.
Contradicting the cyberattackers’ claims in their ads, nothing up for grabs is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company’s internal networks.
NATO, meanwhile, is “assessing claims relating to data allegedly stolen from MBDA,” a NATO official told Dark Reading on Monday.
“We have no indication that any NATO network has been compromised,” the official said.
Double Extortion
MBDA acknowledged in early August that it was “the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company’s information networks,” in a post on its website.
The company refused to pay the ransom and thus the data was leaked for sale online, according to the post.
Specifically, threat actors are selling 80GB of stolen data on both Russian- and English-language forums with a price tag of 15 bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation Friday. In fact, cybercriminals claim to already have sold data to at least one buyer.
NATO is investigating one of the firm’s suppliers as the possible source of the breach, according to the report. MBDA is a joint venture between three key shareholders: AirBus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States.
The company is working with authorities in Italy, where the breach occurred.
MBDA reported $3.5 billion in revenue last year and counts NATO, the US military, and the UK Ministry of Defense among its customers.
Classified Info & Ukraine
Hackers claimed in their ad for the leaked data to have “classified information about employees of companies that took part in the development of closed military projects,” as well as “design documentation, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies,” according to the BBC.
Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. One of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational, according to the report.
This might provide a clue about the motive of threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before the Russian official invasion on Feb. 24.
After the conflict on the ground began, threat actors continued to throttle Ukraine with a cyberwar to support the Russian military efforts.
The sample data viewed by the BBC also included documents labelled “NATO CONFIDENTIAL,” “NATO RESTRICTED,” and “Unclassified Controlled Information,” according to the report. At least one stolen folder contains detailed drawings of MBDA equipment.
The criminals also sent by email documents to the BBC including two marked “NATO SECRET,” according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.
Nonetheless, MBDA insists that the verification processes that the company has executed so far “indicate that the data made available online are neither classified data nor sensitive.”
Grab and deploy this backend update if you offer even repo read access
A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.
Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild.
But considering the vulnerability, tracked as CVE-2022-36804, received a 9.9 out of 10 CVSS score in terms of severity, we’d suggest you stop what you’re doing and update as soon as possible as it’s safe to assume miscreants are already scanning for vulnerable instances.
As Atlassian explains in its security advisory, published mid-last week: “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”
Additionally, the Center for Internet Security has labeled the flaw a “high” security risk for all sizes of business and government entities. These outfits typically use Bitbucket for managing source code in Git repositories.
Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too. There’s a compatibility matrix to help users find the Mesh version that’s compatible with the Bitbucket Data Center version.
And if you need to postpone a Bitbucket update, Atlassian advises turning off public repositories globally as a temporary mitigation. This will change the attack vector from an unauthorized to an authorized attack. However, “this can not be considered a complete mitigation as an attacker with a user account could still succeed,” according to the advisory.
Security researcher @TheGrandPew discovered and reported the vulnerability via Atlassian’s bug bounty program.
This latest bug follows a series of hits for the popular enterprise collaboration software maker.
Last month, Atlassian warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of years-old, critical flaws threaten their security. It detailed the so-called Servlet Filter dispatcher vulnerabilities in its July security updates, and said the flaw allowed remote, unauthenticated attackers to bypass authentication used by third-party apps.
In June, Atlassian copped to another critical flaw in Confluence that was under active attack.
Plus, there was also the two-week-long embarrassing cloud outage that affected almost 800 customers this spring. This is less than half a percent of the company’s total customers, but still, as co-founder and co-CEO Mike Cannon-Brookes admitted on the firm’s most recent earnings call, it’s “one customer is too many.” And definitely not a good look for a cloud collaboration business. ®
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a high-severity security flaw (
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
According to the US agency, Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation). An attacker can trigger the flaw to cause an out-of-bounds write and achieve code execution.
It is important to highlight that there are no security patches to fix this issue and that the impacted product is end-of-life.
CISA also added to the catalog a Sanbox Bypass Vulnerability, tracked as CVE-2021-31010 (CVSS score: 7.5), in Apple iOS, macOS, and watchOS.
“In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions.” reads the advisory.
The other vulnerabilities added to the catalog are:
CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability
CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability
CyberWire Inc. (Author)Flash cybersecurity advisories from the US Government. These alerts provide timely technical and operational information, indicators of compromise, and mitigations for current major security threats, vulnerabilities, and exploits. These alerts have been edited and adapted for audio by The CyberWire as a public service.
As technology advances, so must our ability to use such technology ethically. The rise of AI (artificial intelligence) and big data raises concerns about data privacy and cyber security. ITG have combined their latest titles into one bundle, saving you 20% – ideal for bank holiday reading.
Digital Ethics Book Bundle Understand the growing social, ethical and security concerns of advancing technology with this new collection:
What entity, or sector doesn’t engage with a third party in some way, shape or form? Not many. The reality is that outsourcing, contracting and subcontracting happen all the time and is the norm as businesses continue to embrace the core/context mindset and division of labor. The more you outsource, the more you need to have a robust third-party risk management process (TPRM), also known as vendor risk management, plan in place.
Risk management is not new, but the current iteration of TPRM logic typically focuses on three parts:
Risk assessment and analysis
Risk evaluation and
Risk treatment.
I had the pleasure of chatting with David Medrano, director of third-party risk management at Morgan Franklin, who shared his insight on the importance of TPRM and vendor oversight. Medrano explained that many enterprise entities may have over 1,000 separate third-party engagements and, therefore, must have a methodology to measure the risk each of those presents.
Medrano said that while many entities know their contractors, they may lack visibility into the contractor’s contractor; thus, a daisy chain of outsourced work may be taking place which places data at an unknown level of risk as the third party shares it with a fourth party and so on. The most important thing an organization can do, in this case, is to categorize vendors in the planning/strategy phase. Suggested risk buckets may include critical vendors, physical vendors and technology vendors.
“Bucket them according to how and what they do and how their third-party actions present a risk to you,” Medrano said. The risk from the coffee vendor, for instance, is not the same as the risk provided by an MSSP. He advised caution with regard to allowing more risk to be accepted than the vendor’s worth or value to the enterprise.
Medrano also advised keeping the methodology used uniform, as that can help manage risk while also showing customers, regulators and compliance entities that the company has a methodology in place to measure and address risk and explains the company’s thought processes with regard to its actions.
TPRM Tools
Ironically, there are a plethora of vendors (yes, third parties) who are prepared to provide you with tools to create your TPRM program, there are also standardized methodologies available from the U.S. government. For example, the National Institute of Standards and Technology (NIST) has created a TPRM framework to help companies create a consistent and uniform TPRM plan which is adaptable to their unique needs. The NIST framework can help you:
Prepare – Essential activities to prepare the organization to manage security and privacy risks
Categorize – Categorize the system and information processed, stored and transmitted based on an impact analysis
Select – Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
Implement – Implement the controls and document how controls are deployed
Assess – Determine if the controls are in place, operating as intended and producing the desired results
Authorize – Senior official makes a risk-based decision to authorize the system (to operate)
Monitor – Continuously monitor control implementation and risks to the system
In sum, every business unit should be using a TPRM system, regardless of if their engagement with third-party vendors is centralized or decentralized. Additionally, uniformity in the assessment is of paramount importance, Medrano said.
A survey of cybersecurity decision makers found 77 percent think the world is now in a perpetual state of cyberwarfare.
In addition, 82 percent believe geopolitics and cybersecurity are “intrinsically linked,” and two-thirds of polled organizations reported changing their security posture in response to the Russian invasion of Ukraine.
Of those asked, 64 percent believe they may have already been the target of a nation-state-directed cyberattack. Unfortunately, 63 percent of surveyed security leaders also believe that they’d never even know if a nation-state level actor pwned them.
The survey, organized by security shop Venafi, questioned 1,100 security leaders. Kevin Bocek, VP of security strategy and threat intelligence, said the results show cyberwarfare is here, and that it’s completely different to many would have imagined. “Any business can be damaged by nation-states,” he added.
According to Bocek, it’s been common knowledge for some time that government-backed advanced persistent threat (APT) crews are being used to further online geopolitical goals. Unlike conventional warfare, Bocek said, everyone is a target and there’s no military or government method for protecting everyone.
Nor is there going to be much financial redress available. Earlier this week Lloyd’s of London announced it would no longer recompense policy holders for certain nation-state attacks.
Late on Friday, Facebook agreed in principle to settle a US lawsuit seeking damages for letting third parties, including Cambridge Analytica, access the private data of users. The terms of the settlement have yet to be finalized.
Googlers uncover Charming email scraping tool
Researchers at Google’s Threat Analysis Group (TAG) have detailed email-stealing malware believed to be from Iranian APT Charming Kitten.
The tool, which TAG has dubbed Hyperscrape, is designed to siphon information from Gmail, Yahoo! and Outlook accounts. Hyperscrape runs locally on the infected Windows machine, and is able to iterate through the contents of a targeted inbox and individually download messages. To hide its tracks, it can, among other things, delete emails alerting users to possible intrusions.
Not to be confused with Rocket Kitten, another APT believed to be backed by Iran, Charming Kitten has been hijacking accounts, deploying malware, and using “novel techniques to conduct espionage aligned with the interests of the Iranian government” for years, TAG said.
In the case of Hyperscrape, it appears the tool is either rarely used, or still being worked on, as Google said it’s only seen fewer than two dozen instances of the software nasty, all located within Iran.
The malware is limited in terms of its ability to operate, too: it has to be installed locally on a victim’s machine and has dependencies that, if moved from its folder, will break its functionality. Additionally, Hyperscrape “requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired,” Google said.
While its use may be rare and its design somewhat restrictive, Hyperscrape is still dangerous malware that Google said it has written about to raise awareness. “We hope doing so will improve understanding of tactics and techniques that will enhance threat hunting capabilities and lead to stronger protections across the industry,” Google security engineer Ajax Bash wrote.
Security professionals can find the indicators of compromise data for Hyperscrape in Google’s report.
French agency may investigate Google – again
A French governmental agency that has twicefined Google over violations of data privacy regulations and the GDPR has been tipped off by the European Center for Digital Rights (NOYB) about another potential bad practice: dressing up adverts to look like normal email messages.
According to NOYB, Google makes ads appear in Gmail user’s inboxes that appear to be regular emails, which would be a direct violation of the EU’s ePrivacy directive, as folks may not have technically signed up or consented to see this stuff.
“When commercial emails are sent directly to users, they constitute direct marketing emails and are regulated under the ePrivacy directive,” NOYB said.
Because Google “successfully filters most external spam messages in a separate spam folder,” NOYB claims, when unsolicited messages end up in a user’s inbox it gives the impression it was something they actually signed up for, when that’s not the case.
“EU law already makes it quite clear: the use of email, for the purpose of direct marketing, requires user consent,” NOYB said, referencing an EU Court of Justice press release [PDF] from 2021 that outlines rules surrounding inbox advertising.
“It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider,” said NOYB lawyer Romain Robert.
France’s Data Protection Authority (CNIL) has ruled in opposition to Google’s past behavior before. In February, Google was found to be breaching GDPR regulations by transmitting data to the US. Google has also been fined by the French Competition Authority for not paying French publishers when using their content.
NOYB said in its complaint [PDF] to CNIL that, because it accuses Google of violating the ePrivacy directive and not GDPR, the watchdog has no need to cooperate with, or wait for, the actions of other national data privacy authorities to decide to fine or otherwise penalize the American web giant.
Nobelium is back with a new post-compromise tool
Microsoft security researchers have described custom software being used by Nobelium, aka Cozy Bear aka the perpetrators of the SolarWinds attack, to maintain access to compromised Windows networks.
Dubbed MagicWeb by Redmond, this malicious Windows DLL, once installed by a high-privileged intruder on an Active Directory Federated Services (ADFS) server, can be used to ensure any user attempting to log in is accepted and authenticated. That’ll help attackers get back into a network if they somehow lose their initial access.
Microsoft noted that MagicWeb is similar to the FoggyWeb malware deployed in 2021, and added that “MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly.”
This isn’t a theoretical malware sample, either: Microsoft said it found a real-world example of MagicWeb in action during an incident response investigation. According to Microsoft, the attacker had admin access to the ADFS system, and replaced a legitimate DLL with the MagicWeb DLL, “causing malware to be loaded by ADFS instead of the legitimate binary.”
MagicWeb is a post-compromise malware that requires the attacker to already have privileged access to their target’s Windows systems. Microsoft recommends treating ADFS servers as top tier assets and protecting them just like one would a domain controller.
Additionally, Microsoft recommends domain administrators enable Inventory Certificate Issuance policies in PKI environments, use verbose event logging, and look out for Event ID 501, which indicates a MagicWeb infection.
Redmond said organizations can also avoid a MagicWeb infection by keeping an eye out for executable files located in the Global Assembly Cache (GAC) or ADFS directories that haven’t been signed by Microsoft, and adding AD FS and GAC directories to auditing scans.
Anti-cheat software hijacked for killing AV
It turns out role-playing game Genshin Impact’s anti-cheat software can be, and is being, used by miscreants to kill antivirus on victims’ Windows computers before mass-deploying ransomware across a network.
TrendMicro said it spotted mhyprot2.sys, the kernel-mode anti-cheat driver used by Genshin, being used kinda like a rootkit by intruders to turn off end-point protection on machines. The software is designed to kill off unwanted processes, such as cheat programs.
You don’t have to have the game installed on your PC to be at risk, as ransomware slingers can drop a copy of the driver on victims’ computers and use it from there.
It has the privileges, code signing, and features needed by extortionists to make their roll out of ransomware a cinch, we’re told. TrendMicro recommends keeping a look out for unexpected installations of the mhyprot2 driver, which should show up in the Windows Event Log, among other steps detailed in the link above. ®
Small businesses (SMBs) are increasingly targets of cyberattacks and are often financially devastated by a single successful attack. Even with a significant network of security tools in place, SMBs can be caught off guard by the increasing number of attack methods threat actors choose to employ. However, with the following information, SMBs can safeguard their business and their employees from two common attack types: Executive impersonation and business email compromise (BEC).
One of the most crucial things to watch out for is executive impersonation, which can start with a spear phishing attack on a key member of the executive team. A successful initial attack will lead to the compromise of the individual’s phone number or email account, providing a threat actor with both a window into internal events, but also a means to request funds transfers or other financial theft. Interestingly, once successful, the threat actor may also monitor the same executive’s social media accounts and wait until they are on vacation or out of the office before making first contact.
This is not directly part of the attack vector; however, it is an effective surveillance tool.
Identify Attacks
These types of phishing attacks are on the rise because they rely on human error rather than software or operating system vulnerabilities. Mistakes by well-intentioned employees are less preventable and predictable, but they can be identified and thwarted if recognized quickly. WMC Global recommends companies employ a service that monitors for active phishing attacks and for client interaction or compromise. Thus, when an employee in a business makes a mistake and visits a malicious site or provides credentials to a thief, the event can be identified quickly, and the company warned in real-time.
Securing Small Businesses Against BEC Attacks
When looking to secure small companies, the importance of employing BEC alerting also cannot be overlooked. According to the FBI, in 2021 small businesses lost upwards of $2.4 billion in email scams, including BEC attacks. Why are BEC attacks so successful? The threat actors do their research and are very selective about who they target. They complete full background profiles and potentially dox their targets as well. When employees fall for and submit credentials in these types of attacks, urgent action is needed to prevent damage and protect critical business systems.
So, how can small businesses protect their employees from these in both the short and long term?
1. Train Your Employees. Make sure to train employees about the signs of social engineering attacks at least quarterly. Emphasize identifying and avoiding phishing attacks sent not only to the business email but also via SMS phishing messages. 2. Develop Procedures for Critical Process. Ensure that your company has documented policies for making changes to key financial procedures, and especially external payments to suppliers and partners. 3. Test Your Employees. Run simulations to ensure that your employees can identify and report both phishing and social engineering attacks. 4. Keep Travel Plans Private. Key executives should avoid exposing personal travel plans on social media, especially on overseas trips. Threat actors will take advantage of difficult and limited communications in these situations to impersonate key business executives and make requests that are hard for the company to validate effectively – back to the need for the development of procedures for critical processes. 5. Continue Defense Measures. Leverage special intelligence that can identify if a business employee clicks on a malicious link or that urgently notifies the company when an employee’s email or credentials are recovered from an active phishing attack.
Guarding SMBs
It’s critical for small businesses to understand that they will always be vulnerable to cyberattacks, but the above measures can provide defense for companies from threats that lead to executive impersonation and business email compromise. Following these five tips, SMBs will be well guarded against any attacks launched against their organization. Staying vigilant can be a decision that ultimately liberates a small business from threat actors and marketplace attack trends.
Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.
Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for “Sliver.” It’s an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.
“What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike [by defenders],” says Josh Hopkins, research lead at Team Cymru. “Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected,” he says.
Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.
Growing Use
Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.
Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.
An Attractive Alternative for Adversaries
Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.
Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant.
“Stagers are used by many C2 frameworks to minimize the malicious code that’s included in an initial payload (for example, in a phishing email),” Microsoft said. “This can make file-based detection more challenging.”
Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.
“Sliver lowers the barrier of entry for attackers. [It] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses,” he notes.
But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. “Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it,” he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.
And finally, the fact that it’s free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.
Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks
At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn.
In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes.
“Defenders would be unwise to take their eyes off Cobalt Strike,” Hopkins says. “Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks.”
Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called “Bumblebee“. The company’s chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors.
“Sliver has a lot of features, [but] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users,” he says “This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection.”
Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes.
Earlier this year, Palo Alto Networks’ Unit 42 threat-hunting team uncovered what appeared to be Russia’s notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign.
Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called “Mythic” following some initial indications of adoption within the threat-actor community.
Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says.
“[So], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks,” he notes.
Performing static analysis of a malicious binary means concentrating on analyizing its code without executing it. This type of analysis may reveal to malware analysts not only what the malware does, but also its developer’s future intentions (e.g., currently unfinished functionalities).
Dynamic analysis looks at the behavior of the malware when it’s run – usually in a virtual sandbox. This type of analysis should reveal the malware’s behavor and any detection evasion techniques it uses.
Malware analysis benefits security analysts by allowing them to, among other things:
Identify hidden indicators of compromise (IOCs).
Boost the effectiveness of IOC notifications and warnings.
Triage incidents according to severity.
All the malware analysis tools listed below can be freely downloaded and used.
capa: Automatically identify malware capabilities
capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
FLARE Obfuscated String Solver
The FLARE Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.
Ghidra Software Reverse Engineering Framework
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Malcom: Malware Communication Analyzer
Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
Mobile Security Framework (MobSF)
MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
Pafish: Testing tool
Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do. The project is free and open source; the code of all the anti-analysis techniques is publicly available.
Radare2: The Libre Unix-like reverse engineering framework
The radare project started as a simple command-line hexadecimal editor focused on forensics. Today, Radare2 is a featureful low-level command-line tool with support for scripting. It can edit files on local hard drives, view kernel memory, and debug programs locally or via a remote gdb server. Radare2’s wide architecture support allows you to analyze, emulate, debug, modify, and disassemble any binary.
theZoo: A live malware repository
theZoo is a repository of live malware. The project was created to offer a fast and easy way of retrieving malware samples and source code in an organized fashion in hopes of promoting malware research.
The “0ktapus” cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp.
The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.
That’s according to an investigation from Group-IB, which found that several well-known organizations were among those targeted in a massive phishing campaign that it calls 0ktapus. The lures were simple, such as fake notifications that users needed to reset their passwords. They were sent via texts with links to static phishing sites mirroring the Okta authentication page of each specific organization.
“Despite using low-skill methods, [the group] was able to compromise a large number of well-known organizations,” researchers said in a blog post today. “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
Such was the case with the Twilio breach that occurred Aug. 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for single sign-on across the organization, allowing them to gain access to internal systems, applications, and customer data. The breach affected about 25 downstream organizations that use Twilio’s phone verification and other services — including Signal, which issued a statement confirming that about 1,900 users could have had their phone numbers hijacked in the incident.
The majority of the 130 companies targeted were SaaS and software companies in the US — unsurprising, given the supply chain nature of the attack.
For instance, additional victims in the campaign include email marketing firms Klaviyo and Mailchimp. In both cases, the crooks made off with names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including for Mailchimp customer DigitalOcean (which subsequently dropped the provider).
In Cloudflare’s case, some employees fell for the ruse, but the attack was thwarted thanks to the physical security keys issued to every employee that are required to access all internal applications.
Lior Yaari, CEO and co-founder of Grip Security, notes that the extent and cause of the breach beyond Group IB’s findings are still unknown, so additional victims could come to light.
“Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords,” he warns. “Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for shadow SaaS.”
Time to Rethink IAM?
On the whole, the success of the campaign illustrates the trouble with relying on humans to detect social engineering, and the gaps in existing identity and access management (IAM) approaches.
“The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attack,” Yaari says. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta.”
The incident also points out that enterprises increasingly rely on their employees’ access to mobile endpoints to be productive in the modern distributed workforce, creating a rich, new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.
“From phishing to network threats, malicious applications to compromised devices, it’s critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access,” he wrote in an emailed statement.
From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data.
Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn’t received.
The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin.
Cybersecurity agencies warn that despite networks being encrypted, victims shouldn’t pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.
Despite this, the unidentified organisation chose to pay the ransom after negotiating the payment down from half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later – providing a lesson in why you should never trust cyber criminals.
Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.
Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA was what helped the attackers gain and maintain access to accounts in the first place.
Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism.
“The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure,” it said.
In addition to applying MFA, organisations can take other actions to help secure their network against ransomware and cyberattacks, including setting up network segmentation, disabling macros to prevent attackers exploiting them in phishing emails, and ensuring backups are stored offline.
GAIROSCOPE: An Israeli researcher demonstrated how to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes.
The popular researcher Mordechai Guri from the Ben-Gurion University of the Negev in Israel devise an attack technique, named GAIROSCOPE, to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes.
The attack requires that the threat actor has in advance installed malware on the air-gapped system, as well as on a smartphone which must be located in the proximity of the system.
The malware installed in the air-gapped system generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope which produce tiny mechanical oscillations within the smartphone’s gyroscope.
The frequencies are inaudible and the mechanical oscillations can be demodulated into binary information.
The researcher pointed out that the gyroscope in smartphones is considered to be a ’safe’ sensor and can be used legitimately from mobile apps and javascript without specific permissions, unlike other components like the microphone.
The researchers added that in Android and iOS, there may be no visual indication, notification icons, or warning messages to the user that an application is using the gyroscope, like the indications in other sensitive sensors.
“Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via Speakers-toGyroscope covert channel.” reads the research paper.
The malware on the air-gapped system gather sensitive data, including passwords and encryption keys, and encodes it using frequency-shift keying. In frequency-shift keying (FSK), the data are represented by a change in the frequency of a carrier wave.
Then the malware uses the device’s speakers to transmit the sounds at the inaudible frequencies.
On the receiving side, the phone receives the sounds using the device’s gyroscope and the malware running on the phone continuously samples and processes the output of the gyroscope. When the malware detects an exfiltration attempt, which is started using a specific bit sequence, it demodulates and decodes the data. The exfiltrated data can then be sent to the attacker using the phone’s internet connection.
“In the exfiltration phase, the malware encodes the data and broadcast it to the environment, using covert acoustic sound waves in the resonance frequency generated from the computer’s loudspeakers. A nearby infected smartphone ‘listens’ through the gyroscope, detects the transmission, demodulates and decodes the data, and transfers it to the attacker via the Internet (e.g., over Wi-Fi).” continues the paper. “The air-gapped workstation broadcasts data modulated on top of ultrasonic waves in the resonance frequencies that oscillates the nearby MEMS gyroscope. The application in the smartphone samples the gyroscope, demodulates the signal, and transmits the decoded data to the attacker through Wi-Fi.”
The test conducted by the researcher demonstrated that the GAIROSCOPE attack allows for a maximum data transmission rate of 8 bits/sec over a distance of up to 8 meters.
The following table shows the comparison with the existing acoustic covert channels previously devised by the researchers:
The researcher also provide countermeasures to mitigate the GAIROSCOPE attack, such as speakers elimination and blocking, ultrasonic filtering, signal jamming, signal monitoring, implementing sensors security, keping systems in restricted zones defined by a different radius, depending on the zone classification.
Find programming and software development online courses, created by experts to help you take your career to the next level.
Programming Online Courses
AWS Online Courses
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have any questions, feel free to send us an email to info@deurainfosec.com
