GitLab Vulnerability, Secure by Design Pledge, & Near Miss Supply Chain Attack
Hello, this week Jordan_Zebor is your editor looking at the notable security news for a critical GitLab vulnerability, the CISA Secure by Design Pledge and a near miss supply chain attack.

GitLab Pipeline Takeover Vulnerability

GitLab has recently disclosed a critical vulnerability (CVE-2024-6385) affecting its CI/CD pipeline functionality in both Community Edition (CE) and Enterprise Edition (EE), versions 15.8 to 17.1.1. This vulnerability, with a CVSS score of 9.6, allows authenticated attackers to trigger pipelines as other users under certain conditions, potentially compromising the security and integrity of CI/CD processes, since a pipeline triggered as a more privileged user runs with that user's permissions. The low privilege requirement (the attacker still needs an account) is the only thing preventing this vulnerability from receiving a <insert sarcasm here> "perfect 10" CVSS score. Either way, the issue still falls under the qualitative severity of critical, meaning security teams should be assessing their risk ASAP. The flaw was identified through GitLab's HackerOne bug bounty program and has been addressed in the latest security updates. I've not seen reports of active exploitation, so hopefully defenders get some time to patch this issue before proof of concept / exploit code is released.

CISA Secure by Design Pledge

The CISA 'Secure by Design' initiative, launched in April 2023, aims to enhance product security by encouraging vendors to adopt measures like multi-factor authentication, reducing default passwords, and improving vulnerability management. F5 has committed to this pledge, reflecting its dedication to advancing security in its products. F5 isn't starting from scratch, as we already adhere to many of the principles outlined in the CISA pledge: we have a strong track record of CVE disclosure, we ensure transparency and effective patching through Quarterly Security Notifications, and our established vulnerability disclosure policy ensures the timely identification, assessment, and remediation of vulnerabilities, with clear communication channels for public disclosure.
Additionally, iHealth enhances customers' ability to gather evidence of intrusions, helping organizations detect and respond to cybersecurity threats efficiently.

Python Ecosystem Near Miss Supply Chain Attack

JFrog's Security Research team discovered a critical security issue involving a leaked PyPI secret token inside a public Docker container image. PyPI (Python Package Index) is the repository for Python packages, widely used by developers to share and distribute code. The token, which JFrog found in a compiled Python (.pyc) file rather than in any source file, could have allowed attackers to inject malicious code into Python packages or insert malicious code into PyPI's Warehouse code, potentially granting attackers backdoor access to manipulate popular packages. PyPI's security team revoked the token within 17 minutes of JFrog's report, preventing potential damage, and according to their transparent incident report concluded that no malicious activity was detected. This near miss underscores the severe risk of supply chain attacks if such credentials fall into malicious hands, and highlights that scanning for secrets in source code is not enough; both source code and binary data need auditing, as critical data sometimes resides only in binary form.
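The "binary data needs auditing" point above, as an added example that is not part of the original post and is not JFrog's or PyPI's tooling: a small scanner that walks an unpacked image layer and looks for PyPI-token-shaped strings in every file, compiled .pyc files included, and compares that with a pass that only reads source-type files. The "pypi-AgEIcHlwaS5vcmc" prefix is the base64 encoding of the macaroon header ("pypi.org" as the location) that every live PyPI API token starts with; the token in the fixture is fake and constructed for the example, and the directory layout, the source suffix list and the length floor in the regex are assumptions.

```python
import marshal
import re
import tempfile
from pathlib import Path

# Live PyPI API tokens are serialised macaroons: "pypi-" followed by URL-safe
# base64 whose first bytes encode the macaroon location "pypi.org", which is
# why every real token starts with "pypi-AgEIcHlwaS5vcmc". Anchoring on the
# full prefix keeps false positives low; the length floor (an assumption)
# drops short junk such as "pypi-AgEIcHlwaS5vcmc" typed in a comment.
PYPI_TOKEN_RE = re.compile(rb"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_\-]{20,}")

# What a "source only" secret scanner typically reads (assumed list).
SOURCE_SUFFIXES = {".py", ".txt", ".md", ".cfg", ".toml", ".ini", ".yml", ".yaml", ".json", ".sh"}


def find_pypi_tokens(data: bytes) -> list[str]:
    """Return every PyPI-token-shaped string in a blob, text or binary."""
    return [m.decode("ascii") for m in PYPI_TOKEN_RE.findall(data)]


def scan_tree(root: Path, include_binary: bool) -> dict[str, list[str]]:
    """Walk a directory (e.g. an unpacked image layer) and map each file that
    holds a token to the tokens found in it. With include_binary=False the scan
    behaves like a source-only scanner and skips anything that is not a known
    text type, which is exactly how a token living only in a .pyc gets missed."""
    hits: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not include_binary and path.suffix.lower() not in SOURCE_SUFFIXES:
            continue
        found = find_pypi_tokens(path.read_bytes())
        if found:
            hits[str(path.relative_to(root))] = found
    return hits


def redact(token: str) -> str:
    """Shorten a token for reporting so the scanner itself does not leak it."""
    return token[:24] + "..." + token[-4:]


def build_layer_fixture(root: Path) -> str:
    """Construct the incident in miniature: a .pyc (the marshalled code object
    CPython writes to __pycache__) that embeds a token, with no .py beside it.
    The token is fake, constructed for this example."""
    fake_token = "pypi-AgEIcHlwaS5vcmc" + "A1b2C3d4" * 8  # constructed, not a real token
    source = f'PYPI_TOKEN = "{fake_token}"\nEXTRA_INDEX_URLS = ()\n'
    code = compile(source, "settings.py", "exec")
    pycache = root / "app" / "__pycache__"
    pycache.mkdir(parents=True)
    # A real .pyc carries a 16-byte header before the marshal payload; the
    # header does not affect the match, so it is omitted here.
    (pycache / "settings.cpython-311.pyc").write_bytes(marshal.dumps(code))
    (root / "app" / "README.md").write_bytes(b"no secrets in the sources\n")
    return fake_token


def demo() -> tuple[str, dict[str, list[str]], dict[str, list[str]]]:
    """Build the fixture, run both scan modes, return (token, source_only_hits, full_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        token = build_layer_fixture(root)
        return token, scan_tree(root, include_binary=False), scan_tree(root, include_binary=True)


if __name__ == "__main__":
    _, source_only, full = demo()
    print("source-only scan:", source_only or "nothing found")
    for path, tokens in full.items():
        print("binary-aware scan:", path, [redact(t) for t in tokens])
```

The source-only pass reports nothing; the binary-aware pass reports the .pyc. Against a real image, run `docker save` and untar each layer first, since a byte-level match cannot see through gzip: the lesson of the incident is that the artifact you ship, not the repository you commit from, is what has to be scanned.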
Midnight Blizzard, Polyfill.io and cyber workforce, June 23rd – 29th - This Week In Security

Going over the security news is sometimes an overwhelming experience, with security incidents all over. This edition includes news from June 23rd – 29th, and this week alone there are 50 different security items across the various news sources, and those are only the ones that make it to the news. Out of those 50, around 20 items relate to actual incident response. Looking at CVE Details, the past week has 615 vulnerabilities, 41 of them critical. As security personnel, if only one of those hits you per quarter, you are busy, very busy. One interesting point and a place for hope is that incident response is being done properly and damage control evaluations are making progress. With the general security assumption that it is a matter of time until you get hacked, the next important thing is to manage the incident properly and get back online as fast as you can to prevent money loss. Finally, research shows that the cyber security workforce is growing at large organizations as they prioritize security, which is good news. Until next time, stay safe. Lior

Microsoft Alerts More Customers to Email Theft in Expanding Midnight Blizzard Hack

Proper IR: being proactive, embracing transparency and collecting the data on the incident response at the level I would expect MS to demonstrate. Well done.

"Earlier this year, Microsoft described the incident as an "ongoing attack". According to published reports, Redmond's incident response team is providing a secure portal for customers to view specifics of emails stolen by the Midnight Blizzard threat actor. "You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyber-attack on Microsoft," the company said. "As part of our commitment to transparency, we are proactively sharing these emails.
We have custom built a secure system to enable the approved members of your organization to review the exfiltrated emails between Microsoft and your company," according to the notifications."
https://www.securityweek.com/microsoft-alerts-more-customers-to-email-theft-in-expanding-midnight-blizzard-hack/

Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Sometimes security products themselves are the hacking point. While this shouldn't happen, things do happen. Also learned new wording: "rogue administrator accounts".

"Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions. "The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server," Wordfence security researcher Chloe Chamberland said in a Monday alert. "In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website." It's currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024."
https://thehackernews.com/2024/06/multiple-wordpress-plugins-compromised.html

Google Introduces Project Naptime for AI-Powered Vulnerability Research

The defensive security side keeps on providing more tools and research, this time for AI.

"Google has developed a new framework called Project Naptime that it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches. The approach, at its core, seeks to take advantage of advances in code comprehension and the general reasoning ability of LLMs, thus allowing them to replicate human behavior when it comes to identifying and demonstrating security vulnerabilities.
It encompasses several components, such as a Code Browser tool that enables the AI agent to navigate through the target codebase, a Python tool to run Python scripts in a sandboxed environment for fuzzing, a Debugger tool to observe program behavior with different inputs, and a Reporter tool to monitor the progress of a task."
https://thehackernews.com/2024/06/google-introduces-project-naptime-for.html

Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

Supply chain attacks always have big impact. Hit the source and it will spread.

"A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill.io to a Chinese organization earlier this year. Security researchers are warning that the cdn.polyfill.io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser. "This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors.""
https://www.darkreading.com/remote-workforce/polyfillio-supply-chain-attack-smacks-down-100k-websites

Cyber Workforce Grows 15% at Large Organizations as Security is Prioritized

Two areas made progress this year: cloud security and data security.

"Large organizations will significantly strengthen their cyber workforce in 2024, according to cyber consultancy Wavestone.
In its Cyber Benchmark 2024 report, Wavestone found that, on average, companies with over $1bn in revenues have one expert dedicated to cybersecurity for every 1086 employees. In 2023, the same organizations had one cyber professional for every 1285 employees — a 15% increase. The best in class are financial businesses, which boast an average of one cyber expert per 267 employees, while industrial groups have an average of one cyber expert for every 1390 employees."
https://www.infosecurity-magazine.com/news/cyber-workforce-grows-15-large/

TeamViewer Credits Network Segmentation for Rebuffing APT29 Attack

The hacking group APT29, aka Midnight Blizzard, is busy.

"This week, TeamViewer said that while the Russian group APT29, aka Midnight Blizzard, managed to access its corporate network, the threat actors were limited to the company's internal IT network because of "strong segmentation" between its environments. Thus, no customers were affected. In public statements on June 27 (reiterated today), the German maker of remote desktop software said, "[W]e keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach." …because of the potential mischief a bad actor with desktop access can wreak, TeamViewer users should up their security game, according to industry groups. The NCC Group, which originally issued a warning under an amber/limited classification but then changed it to green/public, advised its customers that, while awaiting final confirmation of the extent of compromise, they remove TeamViewer from their systems if possible and closely monitor hosts that had the application installed if not."
https://www.darkreading.com/cyberattacks-data-breaches/teamviewer-network-segmentation-apt29-attack

Apple Passwords, Microsoft Recall, and DJI - May 10th - 16th - This Week In Security
This edition of This Week in Security is brought to you by Kyle_Fox from the F5 SIRT team. This time we touch on Apple's new password manager, Microsoft's attempt to AI everything in Windows, and ongoing attempts to ban DJI drones from use in the United States. Included at the end is a roundup of other news from last week.

Apple to include password manager in Apple OSes

Apple has announced that they will be including a password management application in their operating systems. This will allow Apple users to store their passwords securely and sync them between all of their Apple devices using iCloud as a backend. This continues Apple's general trend of identifying use cases being filled by third-party software and creating an in-house replacement. Hopefully this will push regular users towards more secure passwords and password storage.

Microsoft Says They Will Make Security a Priority

Just a few weeks ago Microsoft announced a new Windows 11 feature called Recall. This feature would allow Windows to record all your actions in the operating system and allow you to search with AI for something that happened in the past. This is essentially Microsoft's various Copilot products, but for the entire operating system. Experts were quick to note that this could provide an easy-to-tap supply of surveillance data from a compromised system, allowing attackers to siphon off any data a Windows user is working on. This comes a year after a major breach of Microsoft infrastructure by the Storm-0558 threat actor, for which Microsoft has received a lot of criticism over its handling. This criticism includes a report from the US DHS Cyber Safety Review Board detailing the failures that led to that intrusion, as well as further whistleblower complaints related to Microsoft's handling of security in recent years. Microsoft has now backtracked on deploying Recall to all Windows 11 installs, and will be working to make it more secure before release.
Microsoft president Brad Smith has further stated to Congress that they are working to make all of their systems and products more secure. But only time will tell if the single highest-risk target for threat groups will live up to the promise of having the most secure software and systems.

Congress moves to ban DJI drones amid fears of spying

Recently, lawmakers have been acting on what has seemed to be a long tail of "what ifs" and passing legislation to ban the import and potentially the use of DJI drones in the United States. Some following this legislation are not surprised by its sponsor's backing, noting that Rep. Stefanik is backed by US-based drone maker Skydio and industry association AUVSI. I'll admit, I own a couple of DJI drones, so I have an interest in them at least being supported in the future, but this recent flare-up seems more like a protectionist move without evidence of any actions on the part of the allegedly guilty player. This reminds me a lot of the Supermicro allegations from Bloomberg in 2018, in which Bloomberg alleged that Supermicro server motherboards had been embedded with spying devices. After the report, Supermicro worked to audit their supply chain and examine those motherboards for any implants, and found that no such implants existed. Bloomberg would continue to insist its reporting was correct, doubling down with a new set of allegations in 2021. To date, no such implants have been identified. This same long history of allegations exists in the case of DJI, with the Department of Defense reiterating spying concerns back in 2021 amid concerns about government use of DJI drones. Just like the Huawei ban, this concern also exists in Australia, extending to the general public's use of DJI drones there. So it's not surprising the concern has morphed from the military use of DJI drones, to government use, and now to the US public using them. None of these concerns cite actual actions of DJI, nor has any malicious code been identified yet.
Roundup

The YouTube recommendation for this time around is Practical Engineering. If you want to jump right in with something related to infrastructure security, try the series on the electric grid.

Toorcamp, literally hacker summer camp, will be happening next week on Orcas Island in Washington.

Two people have been arrested in the UK for using a home-built cellular base station to send SMS phishing messages.

The Australian Border Force continues its deep inspection of people visiting and returning to Australia, with over 10,000 travelers' phones searched in the last two years.

The French are now entering the Mess With DNS to Block Bad Stuff(TM) game.

SpaceX to introduce a miniaturised Starlink terminal.

SORBS Shutdown, Microsoft Recall and TikTok's Zero-day and Apple's Passwords App
Notable security news for the week of June 2nd-8th 2024: the SORBS spam blacklist service, which was shut down by its owner Proofpoint; a TikTok zero-day vulnerability used by attackers to compromise high-profile user accounts; Microsoft's Recall feature changed from default-on to opt-in in Windows 11; and Apple's new "Passwords" app.

Dell & Ticketmaster breaches, CVE & patch roundup and ProxyShell is back
Notable security news for the week of May 20th-26th, 2024, brought to you by the F5 Security Incident Response Team. This week, AaronJB is taking a look at breach news from Dell, a novel DNS attack technique, how threat actors still exploit old CVEs (like Exchange's ProxyShell: CVE-2021-34473, CVE-2021-34523 & CVE-2021-31207), why Industrial Control Systems shouldn't be connected to the Internet, and a quick round-up of vendor patches you should take a look at from Ivanti, Fortinet, TP-Link and F5.

Huge breaches, still in fashion

I originally had this segment planned so that I could talk about the recent Dell data breach which exposed the records of 49 million customers - name, physical address, Dell order information - you know, the usual kind of information that an adversary could use to construct a very convincing spearphishing attack (yet Dell consider it low risk, apparently); but there is some late breaking news which potentially makes this breach look tiny. I'll get onto that later. The Dell breach is interesting though, as it was actually achieved using one of the most basic techniques (which I thought was long since 'fixed') - web scraping. The attackers simply registered a partner account using fake company details and then used a generated list of service tags to scrape the details of every order relating to those service tags - they sent 5000 requests per minute for three weeks straight, and nobody noticed a thing. Dell Service Tags are a unique asset identifier consisting of seven alphanumeric characters - consider them a serial number - so the attackers just needed to generate every possible combination of service tag and then, one by one, request the details of the order behind that tag. Apparently, the attackers even tried to disclose this security issue to Dell but received no response and set about monetizing their discovery instead.
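The scraping pattern just described, as an added example that is not Dell's code and not part of the original post: detection logic run over a constructed access log for a hypothetical partner order-lookup API. The log format, the partner names, the thresholds and the idea of scoring how consecutive a partner's queried tags are (a generated tag list counts up; a partner's own fleet does not) are all assumptions for this example. It flags the behaviour above, thousands of lookups a minute walking a generated tag list, without needing to know which tags a partner legitimately owns.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for a hypothetical "order lookup by service tag" API.
# Field names and thresholds are assumptions for this example, not Dell's.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) partner=(?P<partner>\S+) tag=(?P<tag>[A-Z0-9]{7}) status=(?P<status>\d{3})$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f"
BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def parse_log(lines):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], TS_FMT), "partner": m["partner"],
                       "tag": m["tag"], "status": int(m["status"])})
    return events


def peak_requests_per_minute(events):
    """Highest request count any partner reached within a single clock minute."""
    per_bucket = Counter((e["partner"], e["ts"].replace(second=0, microsecond=0)) for e in events)
    peak = defaultdict(int)
    for (partner, _bucket), n in per_bucket.items():
        peak[partner] = max(peak[partner], n)
    return dict(peak)


def tags_by_partner(events):
    tags = defaultdict(set)
    for e in events:
        tags[e["partner"]].add(e["tag"])
    return tags


def sequential_ratio(tags):
    """Share of adjacent tags (sorted as base-36 integers) that differ by exactly 1.
    A generated list scores near 1.0; a real fleet of assets scores near 0."""
    values = sorted(int(t, 36) for t in tags)
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def flag_enumeration(lines, rate_limit_per_minute=100, max_distinct_tags=200, sequential_threshold=0.8):
    """Map each suspicious partner account to the reasons it was flagged."""
    events = parse_log(lines)
    peaks = peak_requests_per_minute(events)
    tags = tags_by_partner(events)
    findings = {}
    for partner, seen in tags.items():
        reasons = []
        if peaks[partner] > rate_limit_per_minute:  # what a rate limit would have enforced
            reasons.append(f"{peaks[partner]} req/min exceeds limit of {rate_limit_per_minute}")
        if len(seen) > max_distinct_tags:  # crude scope check when no ownership table exists
            reasons.append(f"{len(seen)} distinct service tags exceeds {max_distinct_tags}")
        ratio = sequential_ratio(seen)
        if ratio >= sequential_threshold:  # the signal worth shipping to a SIEM
            reasons.append(f"{ratio:.0%} of tags are consecutive: generated, not owned")
        if reasons:
            findings[partner] = reasons
    return findings


def to_base36(n, width=7):
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = BASE36[r] + out
    return out.rjust(width, "0")


def build_sample_log():
    """Constructed traffic: one legitimate partner and one scraper walking the tag space."""
    t0 = datetime(2024, 4, 10, 12, 0, 0)
    lines = []
    for i, tag in enumerate(["7GHJ2K1", "BX4P9QA", "C2M5TRD"]):
        ts = t0 + timedelta(minutes=15 * i)
        lines.append(f"{ts.strftime(TS_FMT)} partner=acme-ltd tag={tag} status=200")
    start = int("ABC1000", 36)
    for i in range(300):  # 300 lookups in 30 seconds, tags counting up in base 36
        ts = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.strftime(TS_FMT)} partner=scraper-co tag={to_base36(start + i)} status=200")
    return lines


if __name__ == "__main__":
    for partner, reasons in flag_enumeration(build_sample_log()).items():
        print(partner)
        for reason in reasons:
            print("  -", reason)
```

Only scraper-co is reported, on all three counts. The per-minute peak is the check a rate limit would have made unnecessary, the distinct-tag cap is a stand-in for least privilege when the API has no notion of which tags a partner owns, and the consecutive-tag score is the kind of behavioural signal that a central SIEM rule could alert on long before three weeks had passed.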
It strikes me that there are so many places this could have been fixed ahead of time:

Least privilege: Does every partner account really need to be able to access the details of every possible service tag? (I would have thought no!)

Rate limiting: Does that API really need to be able to support endless requests from a single partner account? (I would have thought no!)

Logging: I don't know what the base requests-per-second rate is for that API, but shouldn't there at least have been some logging happening to a central SIEM about suspicious activity?

Any of the above could have stopped this attack dead - heck, I get the impression that Dell could have stopped the attack had they interacted with the original report sent to them; though perhaps the original report (in part redacted) was looking for a bounty and Dell declined to interact on such basis. Still, the published partial email does seem to indicate that the attackers provided a full PoC from the outset.

But wait, I said there was something bigger? Yes! This is late breaking and we don't have all the facts yet, but a couple of days ago posts began appearing on X suggesting that Ticketmaster had suffered a breach of 1.3TB of data which included names, physical addresses, email addresses, phone numbers and the last four digits and expiry of payment cards associated with orders - 560 million rows of data. The validity of this was initially questioned but, unfortunately for us, later verified to be true; as vx-underground says: "Sometime in April an unidentified Threat Group was able to get access to Ticketmaster AWS instances by pivoting from a Managed Service Provider." At least this wasn't a simple web scraping attack, I suppose, but it highlights something for me: you need to be very careful who you trust to manage your systems, because your security is entirely in their hands.
Meanwhile, your reputation is entirely in your hands - when and if you are breached, your customers won't come with pitchforks for your MSP, they will come for you. This is also true of SaaS services, of course, and why SaaS companies (including ours) invest heavily in internal training, processes and patch management. I wonder if the MSP did, in this case?

Vendor patch watch

It's like Springwatch (for UK readers; for the rest of the world, that's a daytime TV show where cameras get shoved in badger setts, bird houses etc. and people watch baby animals that were born in springtime), but for vulnerabilities.

Ivanti published patches for six Critical severity vulnerabilities (plus four High) in Ivanti EPM, and a handful of other Ivanti products; if you use any of those you really should patch ASAP, although none have appeared in CISA's Known Exploited Vulnerabilities (KEV) list yet.

Proof of Concept exploits were released for Fortinet's CVE-2024-23108 (disclosed in January), so if you haven't patched, you absolutely must, as the time from PoC availability to widespread exploitation is typically 24 hours or less. Rather unfortunately, the PoC reveals that CVE-2024-23108 is basically CVE-2023-34992 just in a different argument - still, we have all been there!

TP-Link disclosed a CVSS 10.0 vulnerability in their Archer C5400X gaming router and if you have one of those then you really need to patch - home routers are common targets for attackers looking to create botnets to carry out further attacks, and earlier TP-Link CVEs quickly appeared in CISA's KEV list as well as F5 Labs' Sensor Intel Series, which showed that CVE-2023-1389 (TP-Link Archer AX-21) was the most targeted vulnerability in March 2024!

Finally, and not to be outdone, F5 had two disclosures in May; this is unusual for us as we typically coordinate our disclosures for Quarterly Security Notifications, however, this month we had both a QSN and an Out-of-Band notification affecting NGINX products.
You can find the details of our May 8th QSN in K000139404 and details of our NGINX-specific May 29th OOBSN in K000139628; fortunately for us the highest CVSS in our QSN was an 8.0, and in our OOBSN a 6.5 (and the OOBSN NGINX issues are all specific to QUIC, as well). As I say, we try to coordinate our disclosures for QSNs so that our customers can have a predictable cadence around which to plan updates & upgrades; we are committed to security, to working with external researchers, and to the security of the open-source community, however, and in some cases we must disclose issues out of band in order to best protect and serve our customer base, and maintain the balance between transparency and security.

Novel DNS attack - DNSBomb

DNSBomb - I originally spotted this a couple of weeks ago, but last week it was the topic of a talk at the 2024 IEEE Symposium on Security and Privacy so has had a bit more coverage, and there is now an easy-to-digest slide set available (with a video to follow) and even a one-page poster for your wall (seriously though, I actually love the idea of a one-page poster like this for new research; it's great for those of us who are attention-span challenged!). The idea behind this attack is to use a low rate of requests from a large number of hosts to fly under the radar, but rather than simply having those hosts query the target victim, those hosts send their queries to some intermediary concentrator (which could be a recursive resolver, CDN or similar) which will queue all of those requests up and send them in one big burst to the target victim (hence the "bomb" part of the name). The technique is interesting and novel, promising a theoretical amplification factor of 20,000x or greater and a peak "bomb" in the 9Gb/s range, but I must admit that I haven't been able to properly go through the research paper or try to replicate their findings yet. Perhaps that will be the basis of a future DCCO article!
If anyone has had a chance to really understand the research - or better still, was at the IEEE Symposium - I'd love to hear from you!

Don't put your Industrial Control Systems on the Internet?

I thought this fell under the heading of "obvious news" but apparently not so obvious; Rockwell Automation and CISA have "encouraged" customers to assess and secure their public internet exposed ICS assets. Personally, I'm struggling to understand why Industrial Control Systems would be exposed to the Internet, ever, but perhaps I am being naïve here? Is the public internet just considered "easy connectivity" for ICS & IoT systems? Certainly, a quick Google for things like "water treatment plant internet" shows plenty of articles discussing IoT for waste treatment monitoring, but do you really want the gate valves separating brown water from clean being controlled by a PLC hooked up to the Internet? OK, silly example, but my point stands - industrial controls typically look after things that are mission- or human-critical: toxic waste, nuclear power stations, manufacturing plants and so on. None of that stuff should ever be connected to the internet, and it terrifies me that Rockwell & CISA felt the need to reiterate that...

One last thing..

An article about MS Exchange flaws being leveraged to deploy keyloggers in highly targeted attacks. What caught my eye there wasn't the keylogger part (although that is neat; at least neat to see something that isn't just ransomware!) but rather that the threat actor is leveraging Exchange vulnerabilities from 2021 in the form of ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
I talk about this often, but as an industry we have to get better at patching exposed systems; perhaps the problem is we simply don't know what systems are exposed, perhaps the problem is a lack of time to patch, or a lack of corporate will to suffer potential downtime and push-back by Change Advisory Boards, but whatever the problem is we really have to tackle it. I'd love to hear your stories from the front lines of patching things like ProxyShell; how long did it take, was there any fallout, management push-back etc?

Ancient Exchange flaws exploited - https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html

PowerPoint, ArcaneDoor, the Z80 and Kaiser Permanente
Notable security news from the week of April 21st, with a small side of nostalgia for the Z80 CPU; we'll dive into the exploitation of an old PowerPoint CVE from 2017, ArcaneDoor and the targeting of Cisco perimeter devices, and an enormous breach of Kaiser Permanente user information!