TWIS

A long week of breaches - Jan 7th - 13th, 2023, F5 SIRT - This Week in Security

A dive into the week's news including analysis of the CircleCI breach, Royal Mail's ransomware attack by LockBit, Vice Society activity and analysis of new malware based on the CIA HIVE kit, xdr33.

Lastpass Breach, SBOM, & Cryptocurrency Bounties - This Week in Security - August 22nd to 28th 2022
This Week in Security August 22nd to August 28th 2022

Jordan here as your editor this week. This week I reviewed the LastPass breach, supply chain security efforts led by the US government, and cryptocurrency bounties.

Keeping up to date with new technologies, techniques and information is an important part of our role in the F5 SIRT. The problem with security news is that it's an absolute fire-hose of information, so each week or so we try to distill the things we found interesting and pass them on to you in a curated form. It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

LastPass Breach

Last week, the popular password management company LastPass experienced a data breach. According to the company's blog post, compromised developer credentials were used by an attacker to infiltrate their development environment. At this time we know the attacker was able to obtain source code and "some proprietary LastPass technical information" before the attacker was isolated from moving further. This is an ongoing investigation, so I want to caveat that additional details may come out later which expand the scope of the breach. While quickly identifying and mitigating an active attack is extremely important, the benefit of designing a product architecture with security in mind from the beginning is what I think deserves a highlight here. A key component of the LastPass product architecture is that they make use of zero knowledge encryption (they call it "zero knowledge security").
Now, the term "zero knowledge security" may sound strange to the uninitiated; it might even make you think they have zero knowledge of security, but this is not the case. Zero knowledge means LastPass doesn't have the master encryption keys (in the form of a password) the customer uses to encrypt their data. LastPass only stores encrypted secrets and cannot decrypt them; only the end user can do that. LastPass has zero knowledge of the encryption key used. Since there is no centralized key to protect the data, any breach of the system should only turn up encrypted data. Encrypted data is less valuable to an attacker, especially since brute force decryption of AES-256 is on a time scale of trillions of years and is not feasible given modern computing constraints. The key takeaway for LastPass customers is that currently there is no action required on your part and your data can be considered safe. The key takeaway for system designers should be that implementing a secure zero knowledge / zero trust architecture from the beginning can minimize the impact of a security incident.

https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
https://www.lastpass.com/security/zero-knowledge-security
https://scrambox.com/article/brute-force-aes/

Software Supply Chain Risk Management

Supply chain risk management is a topic that is slowly but surely gaining more traction across many industries. In support of this, the US Cybersecurity and Infrastructure Security Agency (CISA) has kicked off various working groups to help shape the future of the Software Bill of Materials (SBOM). It's important to note that the working groups are not scoped to recommend or influence US government policy; instead the charter is to facilitate vendor-neutral problem solving and collaboration in specific domains such as Cloud & Online Applications, On-Ramps & Adoption, Sharing & Exchanging, and Tooling & Implementation.
While the groups are just starting on scoping some of the core problems to solve, I have found the community discussions to be insightful and am excited to see the output from these groups. During a recent meeting, I learned about a few promising technologies for sharing SBOMs, such as the CycloneDX BOM Exchange API and Digital Bill of Materials projects. I was also exposed to an interesting project named GUAC which aims to "create a means to ingest, validate and parse artifact information (i.e. in-toto attestations, SBOM, etc.) from various data sources and represent and store them in a knowledge graph". The complexity of managing multiple SBOMs for a modern enterprise is fundamentally a data management problem and I believe graph databases are an excellent technology choice for the use case. If you are interested in joining the working groups or the aforementioned projects, please visit the links below.

https://www.cisa.gov/sbom
https://github.com/CycloneDX/cyclonedx-bom-exchange-api
https://dbom-project.readthedocs.io/en/latest/what-dbom.html
https://github.com/guacsec/guac

Cryptocurrency Bug Bounties

Ahead of a major event for the Ethereum blockchain commonly referred to as "The Merge", the Ethereum Foundation has raised the bug bounty payouts for critical vulnerabilities to $1 million. This temporary 4x multiplier of their current bug bounty provides a great incentive for ethical hackers to work at discovering security issues. Performing pre-release penetration testing is a great way to discover vulnerabilities before deployment and a sign of a mature security program. As the Ethereum blockchain migrates from a proof-of-work to a proof-of-stake consensus mechanism, the stakes are high for getting it right and security is one of the top concerns. Perhaps surprisingly, this is not the largest bug bounty payout for vulnerabilities found in the cryptocurrency ecosystem.
The largest recent payout goes to a vulnerability found in a "bridge", which facilitates transactions across divergent chains. If successfully exploited, the vulnerability would have allowed attackers to hold "the entire protocol ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever". Along with the ethical hackers finding bugs in the cryptocurrency ecosystem, cyber criminals are increasing the frequency of their attacks as well. The US Federal Bureau of Investigation (FBI) recently issued a public service announcement warning that criminals are increasing their exploitation of Decentralized Finance platforms, citing that "between January and March 2022, cyber criminals stole $1.3 billion in cryptocurrencies". Even with the recent downturn in the value of cryptocurrencies, criminals will continue to abuse the ecosystem to seek their fortune, often attacking the trading platforms and smart contracts, as they represent the most likely part of the stack to have a vulnerability which can be exploited.

https://ethereum.org/en/bug-bounty/
https://portswigger.net/daily-swig/ethereum-foundation-offers-1m-bug-bounty-payouts-with-proof-of-stake-migration-multiplier
https://portswigger.net/daily-swig/blockchain-bridge-wormhole-pays-record-10m-bug-bounty-reward
https://www.ic3.gov/Media/Y2022/PSA220829

Defcon 30 - Mobile Hacking CTF

A quick congratulations to F5 employee Purvesh Kothari for winning the Girls Hack Village Mobile Hacking CTF at Defcon 30. Congratulations Purvesh!

https://www.linkedin.com/posts/nowsecure_the-results-are-in-the-winner-for-the-activity-6968590642742448129-Dp4E/

LastPass, Mastodon, and AI/ML - Dec 31st - Jan 6th - F5 SIRT - This Week in Security
Editor's introduction

Hello, MegaZone is back this week as our rotation continues. I hope everyone had a good holiday season. Let's hope that 2023 is a good year.

A couple of things I want to plug, in case you weren't aware. All of the This Week in Security articles are tagged, so you can easily find all of them. Actually, there are two tags - TWIS and series-F5SIRT-this-week-in-security. Same results, but TWIS is easier to remember. Additionally, all of the content created by the F5 SIRT is also tagged with, wait for it, F5 SIRT. That's not only TWIS, but several other articles you may find valuable. Most recently that's included:

Using iControl REST API to manage F5 BIG-IP Advanced Firewall Manager (AFM) by Tikka Nagi
Why We CVE by myself
Avoiding Common iRules Security Pitfalls by Jordan Zebor
Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures by Arvin Fopalan

Stay tuned for more content from the F5 SIRT, we have a lot in the pipeline.

LastPass

/~ LastPass, oh, I gave you my creds / But the very next day you gave them away / This year, to save me from breach / I'll give them to someone diff'rent ~/

So, what lit the infosec world on fire last week? I know my feeds were full of one thing - LastPass. Sure, technically the news broke just before xmas, but I think the holidays delayed some of the reaction into the new year. The timing was itself the subject of a lot of negative reaction, as some feel like it was deliberately withheld until the Thursday just before xmas in an attempt to bury the news. I'm not sure I agree with that, but it certainly wasn't great that the full extent of the issue, with customer password records being downloaded, was only revealed months after the initial disclosure. The initial disclosure on August 25th, and the first update on September 15th, stressed that the breach was only to the development environment.
The next update on November 30th (previously on TWIS) was the first indication that the scope may be larger. But it wasn't until December 23rd that the full scope, including the loss of customer data, was disclosed. Presuming we do indeed now have the full scope, of course.

The infosec fediverse was pretty much non-stop chatter about this, as was the press, etc. There was some lively discussion about this internally at F5 as well. A lot of people use, or should I say used, LastPass. LastPass has had issues in the past, but then so have most vendors. This time, though, it was a combination of the extent of the breach and how they handled it that has collapsed the trust for many - myself included. I used to include LastPass at the top of my list of recommended credential managers as it was something most users could readily use, was cross-platform, integrated with browsers well, etc. And their past issues seemed to be handled well enough. But I can no longer recommend LastPass.

I know a lot of security geeks are ready to recommend super-secure systems that you host yourself, don't include syncing, etc., because I saw plenty of that in the past week. Which is fine if you're that type of user. But most users need something easy to use and understand - or they won't use it. The most common features I see requested are multi-device, cross-platform support - Windows/MacOS, Android/iOS, perhaps ChromeOS, etc. - with syncing between devices. And browser integration for ease of use. I'm sure I'll get a lot of flak for this, but for many users the password manager built into Chrome or other browsers is probably fine. I heard the groans. I'm aware of the issues, but if the tradeoff is between using bad, but easily remembered, passwords - or the same password everywhere - or using the built-in manager, the latter is the better option. They check many, if not all, of the boxes.
If you're a Chrome browser user and use the built-in manager it'll sync across the desktop, Android, and ChromeOS transparently. I'm not an Apple user but I understand their ecosystem is similar via the iCloud Keychain. I can barely get my father to not use the same password everywhere, let alone try to get him to deal with 3rd party password managers.

For users looking to step up, I saw a few leading contenders emerge from the discussions:

1Password - This seemed to be the top recommendation for those looking to move from LastPass to a similar commercial product with a better track record.
Bitwarden - This was a top recommendation, and it is open-source.
KeePassXC - This seemed to be a favorite mostly among the geekier users. Also open-source.

Note, none of this is an endorsement by F5, Inc, the F5 SIRT, or even myself. Personally, all of the discussions made me curious about Bitwarden, as I haven't previously checked it out, so I'm planning to do that to see what it is like. If you have a favorite password manager, or have feedback on these, leave a comment below.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
https://gizmodo.com/hackers-lastpass-users-password-vaults-change-now-1849926968
https://grahamcluley.com/lostpass-after-the-lastpass-hack-heres-what-you-need-to-know/
https://www.scmagazine.com/analysis/cloud-security/researchers-advise-teams-to-change-master-passwords-and-2fa-keys-after-lastpass-disclosure
https://restoreprivacy.com/password-manager/reviews/bitwarden/
https://en.wikipedia.org/wiki/List_of_password_managers

Mastodon Tramples Twitter

The other big subject of discussion I've seen lately is the continued corrosion of Twitter, and the resulting migration to the Fediverse. I don't want to get into the politics here, though I certainly have my opinions, but from a strictly functional standpoint I've been getting far more errors from Twitter in the past couple of months than for the previous several years.
Error messages, content not loading, links failing, etc. It is kind of painful. But the security connection is somewhat meta - a huge swath of InfoSec professionals who used to be active on Twitter have pulled up stakes and moved to the Fediverse, mostly various Mastodon instances. And primarily, at least for my circles, that's Infosec.Exchange and DefCon.Social. It is social media, and if the people I want to follow and interact with are moving, that's a reason for me to do so as well - so I did. I'm not saying anyone needs to abandon Twitter - I still use my account mainly to follow those friends who remain there, even if I've all but stopped tweeting myself. But if you do want to follow a lot of the activity in InfoSec social media circles I'd suggest at least checking it out.

There are some useful tools and guides to help you get started:

Moving from Twitter to Mastodon.txt - A guide from Deviant Ollam
Your Guide to Joining and Using Mastodon - A video presentation by Deviant Ollam

There are several tools which can help you find your Twitter connections in the Fediverse:

Movetodon
Twitodon
Fedifinder
Debirdify

You can also turn your Twitter archive into HTML with this tool by Darius Kazemi.

I've been around long enough to have gone through BBSes, mailing lists, USENet, SixDegrees, Friendster, MySpace, Orkut, Google+, LiveJournal, etc. This is just one more evolution. I know there are other guides and tools, feel free to share your favorites in the comments. But let's try to keep it civil and not get into political arguments, etc. They're just tools and people can use whatever works for them.

The Robot Uprising

As we kick off 2023 there has been a lot of chatter about artificial intelligence (AI), machine learning (ML), and the impact on information security. (Also a lot of chatter about 'AI Art', but that's a different, if loosely related, issue.) It is easy to dismiss AI/ML as sci-fi/fantasy content, something we don't have to worry about for a long time.
But the future arrives sooner than you expect it to, and the models used by these systems are growing by orders of magnitude very, very quickly. GPT-3 has already been used to create working exploits, as well as analyze existing code - including obfuscated and decompiled code - for vulnerabilities. And GPT-4 is expected to be vastly more sophisticated and capable. A few of our team members have been playing around with ML tools, including ChatGPT, and the results have been interesting, even surprising. Sometimes they do swing very wide of the mark, but a lot of the time they're producing pretty solid output. If not 'ready-to-use', at least a major leg up with some finishing work required. And, as I said, the models used by the various tools continue to improve at an astounding rate and the tools themselves continue to be refined. This will change the infosec landscape, for both attackers and defenders, and you ignore it at your own peril. I was fairly skeptical until recently, but I've come around after seeing some of the results. This is definitely a space to watch, and be ready to adapt to. AI/ML is coming and it will shake up a lot of industries, for better and for worse. This is beyond lazy students trying to get ChatGPT to write essays for them. Be it art, content creation, or infosec, AI/ML is coming to shake things up. And, to quote Ani DiFranco, "Every tool is a weapon - if you hold it right." 
https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/
https://www.blackhat.com/us-21/briefings/schedule/#turing-in-a-box-applying-artificial-intelligence-as-a-service-to-targeted-phishing-and-defending-against-ai-generated-attacks-22925
https://www.scmagazine.com/analysis/emerging-technology/cybercriminals-are-already-using-chatgpt-to-own-you
https://www.scmagazine.com/feature/emerging-technology/2023-tech-predictions-ai-and-machine-learning-wicome-into-their-own-for-security
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-emerging-ai-threat-landscape/
https://www.sasa-software.com/hacking-for-the-millions-the-dark-side-of-chatgpt/
https://en.wikipedia.org/wiki/ChatGPT

End of Year 2022 security challenges and new year wishes
This Week in Security December 11th - 16th, 2022
"End of Year 2022 security challenges and New Year Wishes"

Editor's introduction

This week's editor is Lior Rotkovitch. Another year went by with many more security challenges, and the news this week reflects the incidents of the past year and tells us that the security challenge is everywhere. Exploitation of old and new CVEs such as Log4Shell, which was published a year ago in December 2021 and is still actively exploited. Open-source repositories infected with phishing packages by the thousands, ransomware that thrives on illegal markets and even weaponizing the protection products are just a few examples of the wild ride the security industry is experiencing. With the massive amount of software being used, the prediction for the new year is just more of every possible attack, much more. But, as always, not all is lost, as we are a force for Security Incident Mitigation. Happy holidays, see you next year.

A Year Later, That Brutal Log4j Vulnerability Is Still Lurking
Fortinet Warns of Active Exploitation of New SSL-VPN Pre-auth RCE Vulnerability
High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update
Citrix patches critical ADC flaw the NSA says is already under attack from China
Apple Zero-Day Actively Exploited on iPhone 15
Researchers Demonstrate How EDR and Antivirus Can Be Weaponized Against Users
FBI seized domains linked to 48 DDoS-for-hire service platforms
The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets
Hackers Bombard Open Source Repositories with Over 144,000 Malicious Packages
Google Announces Vulnerability Scanner for Open Source Developers
Microsoft patches Windows zero-day used to drop ransomware
VMware fixes critical ESXi and vRealize security flaws

A Year Later, That Brutal Log4j Vulnerability Is Still Lurking

"Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited."
"The situation resonates with larger discussions about the software supply chain and the fact that many organizations do not have an adequate accounting of all the software they use in their systems, making it more difficult to identify and patch vulnerable code. Part of the challenge, though, is that even if an organization has a list of all the software it's bought or deployed, those programs can still contain other software components—particularly open-source libraries and utilities like Log4j—that the end customer isn't specifically aware of and didn't intentionally choose. This creates the ripple effect of a vulnerability like Log4Shell as well as the long tail of patching, in which organizations either aren't aware that they have exposure or don't recognize the urgency of investing in upgrades."

https://www.wired.com/story/log4j-log4shell-one-year-later/

Fortinet Warns of Active Exploitation of New SSL-VPN Pre-auth RCE Vulnerability

"Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said it's "aware of an instance where this vulnerability was exploited in the wild," urging customers to move quickly to apply the updates."

https://thehackernews.com/2022/12/fortinet-warns-of-active-exploitation.html

High-Severity Memory Safety Bugs Patched With Latest Chrome 108 Update

All five security defects are use-after-free flaws, a type of memory safety bug that has been prevalent in Chrome over the past years, and which Google has long battled to eliminate. According to Google's advisory, four of these issues are high-severity bugs, impacting components such as Blink Media, Mojo IPC, Blink Frames, and Aura.
The vulnerabilities have been issued CVE identifiers CVE-2022-4436 to CVE-2022-4439 and are accompanied by CVE-2022-4440, a medium-severity use-after-free. Google says it has paid $17,500 in bug bounties to the reporting researchers, but the final amount might be higher, as only four out of five rewards have been disclosed. An attacker in a position to exploit a use-after-free vulnerability may be able to crash the application, corrupt data, or execute arbitrary code on the machine. In Chrome, use-after-free flaws may be used to escape the browser sandbox, which requires the exploitation of additional security defects.

https://www.securityweek.com/high-severity-memory-safety-bugs-patched-latest-chrome-108-update

Citrix patches critical ADC flaw the NSA says is already under attack from China

"The China-linked crime gang APT5 is already attacking a flaw in Citrix's Application Delivery Controller (ADC) and Gateway products that the vendor patched today. Citrix says the flaw, CVE-2022-27518, "could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance" if it is configured as a SAML service provider or identity provider (SAML SP, SAML IdP). Unusually, Citrix has a policy of not revealing the Common Vulnerability Scoring System (CVSS) scores for its flaws. CVSS rates flaws on a ten point scale, with anything rated above 9.0 deemed Critical and therefore worthy of urgent attention due to the significant risk of exploitation. The Register suggests the flaw may be closer to a 10.0 score than a 9.0 rating, because Citrix's announcement of the flaw was quickly followed by publication of a threat hunting guidance [PDF] from the United States' National Security Agency (NSA), which believes a China-linked crime gang known as APT5 (aka UNC2630 and MANGANESE) has already "demonstrated capabilities" to attack Citrix ADCs."

https://www.theregister.com/2022/12/14/chinas_apt5_attacks_citrix_adc_flaw/

Apple Zero-Day Actively Exploited on iPhone 15

The latest Apple security update includes a fix for an actively exploited security vulnerability that could allow arbitrary code execution on iPhone 8 and above. The bug, fixed with the iOS 16.1.2 update, is a type confusion issue in the WebKit browser engine. Type confusion occurs when a piece of code doesn't verify the type of object that is passed to it; in this case, it can be triggered when processing specially crafted content, Apple noted in its advisory.

https://www.darkreading.com/attacks-breaches/apple-zero-day-actively-exploited-iphone-15

Researchers Demonstrate How EDR and Antivirus Can Be Weaponized Against Users

"High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers."

"This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable," SafeBreach Labs researcher Or Yair said. "It does all that without implementing code that touches the target files, making it fully undetectable."

https://thehackernews.com/2022/12/researchers-demonstrate-how-edr-and.html

FBI seized domains linked to 48 DDoS-for-hire service platforms

"The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running 'Booter' or 'Stresser' platforms that allow anyone to easily conduct distributed denial of service attacks. Booters are online platforms allowing threat actors to pay for distributed denial-of-service attacks on websites and Internet-connected devices. Essentially, they are "booting" the target off of the Internet."

https://www.bleepingcomputer.com/news/security/fbi-seized-domains-linked-to-48-ddos-for-hire-service-platforms/

The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets

In April 2022, the U.S. Treasury sanctioned the Russia-based Hydra Market. Hydra, the world's largest dark web market, provided malicious cybercrime and cryptocurrency exchange services to global threat actors. The U.S. and Germany shut Hydra down around the same time.

How the sale and purchase of RaaS works

Costs for joining a RaaS are low, considering the damage the malware does and the large payments it draws from victims. For example, Venafi reported that a customized version of DarkSide, the same ransomware that criminal hackers used to close Colonial Pipeline, sold for $1,262 on the dark web. RaaS solutions, related source code, and custom-built RaaS services sell directly on the dark web, using cryptocurrencies like bitcoin to transact the sales. For such a niche enterprise, these RaaS offerings are getting more and more legitimized—some include subscription packages, user instructions, and tech support. Threat actors involved with these types of operations often purchase access to a network from Initial Access Brokers (IABs). Initial access includes stolen credentials that open access tools, such as Citrix, Microsoft RDP, and Pulse Secure VPN. It's easier for criminals to buy compromised credentials than to collect the passwords themselves through phishing or brute-force attacks.
https://www.bleepingcomputer.com/news/security/the-dark-web-is-getting-darker-ransomware-thrives-on-illegal-markets/

Hackers Bombard Open Source Repositories with Over 144,000 Malicious Packages

"NuGet, PyPi, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors."

"The packages were part of a new attack vector, with attackers spamming the open source ecosystem with packages containing links to phishing campaigns," researchers from Checkmarx and Illustria said in a report published Wednesday.

https://thehackernews.com/2022/12/hackers-bombard-open-source.html

Google Announces Vulnerability Scanner for Open Source Developers

Google last year launched an open source vulnerability database, and is now providing a front-end for that database, in the form of the OSV-Scanner. "The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer's list of packages and the information in vulnerability databases," Google says. "Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool—something that will also minimize the burden of remediating known vulnerabilities,"

https://www.securityweek.com/google-announces-vulnerability-scanner-open-source-developers

Microsoft patches Windows zero-day used to drop ransomware

"Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads. The attackers used malicious standalone JavaScript files to exploit the CVE-2022-44698 zero-day to bypass Mark-of-the-Web security warnings displayed by Windows to alert users that files originating from the Internet should be treated with caution."
https://www.bleepingcomputer.com/news/security/microsoft-patches-windows-zero-day-used-to-drop-ransomware/

VMware fixes critical ESXi and vRealize security flaws

The VMware ESXi heap out-of-bounds write vulnerability is tracked as CVE-2022-31705 and has received a CVSS v3 severity rating of 9.3. "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," mentions the security advisory. VMware released security updates to address a critical-severity vulnerability impacting ESXi, Workstation, Fusion, and Cloud Foundation, and a critical-severity command injection flaw affecting vRealize Network Insight. "On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed." Because CVE-2022-31705 is in the USB 2.0 controller (EHCI), the recommended workaround for those who can't apply the security update is to remove the USB controller from their instances.

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-esxi-and-vrealize-security-flaws/

F5 SIRT - This Week in Security - June 20th to 26th, 2022 - USB(ooze), 24 Billion Credentials, I Spy
This Week in Security June 20-26, 2022
"USB(ooze), 24 Billion Credentials Can't Be Wrong, I Spy With My Little Eye"

The theme this week is information and its (mis)management.

Drunk (USB) Driving
24 BILLION Username/Password Combinations
Ransomware Goes Big

Drunk (USB) Driving

To err is human, but adding alcohol definitely helps the process along. Of course, the prerequisite conditions for this colossal mistake would not have existed had proper information security procedures been followed. The information should not have been copied onto the USB drive in the first place. That rule having been broken, once the work was completed the information should have been deleted. Failing to do even that, not getting pass-out-in-the-gutter drunk with the unsecured drive in his bag might have been a better life, and career, choice. The drive is reportedly encrypted, which might offer some reassurance to the 465 thousand people whose personal information was on the missing drive. Though, given the worker's chain of excellent decisions, I'm not sure I'd put a lot of faith in his correctly encrypting the drive.

Drunken gentleman gets USB flash drive stolen — too bad it had personal info on every city resident | Boing Boing
Japan: Man loses USB flash drive with data on entire Amagasaki city's residents after night out - CNN

24 BILLION Username/Password Combinations

<Insert Your Own Dr. Evil 'Billion' Joke Here>

For those of us in infosec the popularity of credential stuffing attacks is no surprise. They've been increasingly common over the past few years, aided by multiple massive credential leaks. But the number of username/password credentials available on the dark web is truly staggering now - 24 billion combinations. 6.7 billion unique - a 1.7 billion increase from 2020. For the average consumer, who will use one email address as their username pretty much everywhere (as is the de facto standard these days), this highlights the risk of password reuse.
Leaks are so prevalent, and credential stuffing so common, that the risks are high for users who reuse their credentials. One leak and accounts on multiple sites may get popped. The best way to protect ourselves from this is by using unique passphrases (not just passwords) for each site, likely aided by password managers since our brains aren't great at remembering all of those, and using multi-factor authentication (MFA) (aka two-factor authentication (2FA)) everywhere it is offered. Using apps like Authy, Duo, Google Authenticator, etc., is probably the best choice for most users. Physical tokens are great, but the tradeoff in usability and convenience is probably not justified for most users. Even SMS-based authentication is better than nothing. Yes, SIM-jacking and other attacks exist, but the risk to any random user is fairly low. It isn't perfect, but it raises the level of effort required. Of course, unique passphrases would be a huge improvement given that 1 out of 200 of the passwords in the collection is '123456', and 49 of the 50 most common passwords can be cracked in under a second with standard tools. The users are not alright.

24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far
24 billion username, password combinations can be found on cybercriminal forums | SC Media

Ransomware Goes Big

Nearly three million patient records, and counting, have been potentially compromised by a breach at Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. The breach took place back in early December, but the scope, and the tally of affected records, just keeps growing. Eye care providers large and small are affected: in the running list being maintained by HIPAA Journal the smallest provider had 1,337 patients at risk while the largest had 1,290,104.
While there is not yet evidence that patient records were successfully exfiltrated or otherwise accessed, the systems holding the information were compromised, and patient record access or exfiltration cannot be ruled out. Eye Care Leaders claims to provide software solutions to over 9,000 ophthalmologists and optometrists, so the list of affected practices, and therefore the number of patient records at risk, seems likely to continue to grow from the 33 listed today. As the investigation is ongoing, and it doesn't look like any findings have been released at this point, there aren't really any new recommendations stemming from this breach. It just goes to show how far-reaching the impact of a breach at a services provider can be. With all of the practices storing their data in 'the cloud', as provided by ECL, the risks for operators are higher, as are the rewards for black hats.

Eye Care Leaders Hack Impacts Millions of Patients
Eye Care Leaders EMR Data Breach Tally Surpasses 2 Million
Breach at Eye Care Software Vendor Hits Millions of Patients | SecurityWeek.Com
5 more organizations added to Eye Care Leaders attack total, now biggest PHI breach of 2022 | SC Media

ChatGPT and security - This Week in Security Feb 18th to Feb 25th, 2023
Editor's introduction

This week's editor of This Week in Security is Koichi. Not a day goes by these days that we don't hear about AI. In particular, ChatGPT, OpenAI's AI chat bot, responds in a very natural way that is hard to distinguish from a human response. This week, I have collected stories about ChatGPT and security to consider what kind of cybersecurity threats this useful and revolutionary tool brings. We in F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT.

ChatGPT can program - therefore, fake applications are also possible.
No confidential information should be given.
ChatGPT had a service outage.
AI synthesized voice can be used for attacking.
Cybersecurity experts warn of the threat of more sophisticated phishing mail.

ChatGPT can program - therefore, fake applications are also possible.

"This massive popularity and rapid growth forced OpenAI to throttle the use of the tool and launched a $20/month paid tier (ChatGPT Plus) for individuals who want to use the chatbot with no availability restrictions."

Bleeping Computer reported on February 22 that many cyber attacks taking advantage of ChatGPT have been observed. The methodology is to create fake ChatGPT services and apps and place them on sites as bait for malware infection and information theft. Please be careful not to fall for non-existent apps or non-official websites, now that those are easily created.

Hackers use fake ChatGPT apps to push Windows, Android malware

No confidential information should be given.
"If the employees want to chat, they'll just have to talk to each other instead."

JP Morgan has issued a restriction on the use of OpenAI's ChatGPT in the workplace due to compliance concerns. Considering the risk of leakage of confidential information, the ban on the use of ChatGPT is not limited to JP Morgan. In general, if you use a service that requires you to enter information or upload files, you should always consider the risk of that information or file being harvested by the service provider. For example, VirusTotal offers a service that checks files for viruses. However, this means that not only the presence or absence of a virus, but also the data the file contains, will be passed on to VirusTotal. Similarly, if you do not remove sensitive information before using these services, the sensitive information will be harvested by OpenAI.

Giant Bank JP Morgan Bans ChatGPT Use Among Employees

ChatGPT had a service outage.

On February 21, ChatGPT (both the ChatGPT website and the API) went down. Down meaning it did not respond: when you submitted a question to ChatGPT, you received a message saying, "A server error occurred while processing your request. We are sorry. Please retry your request or contact the Help Center if the error persists." It recovered within a day; however, this was observed not only this time, but also last week. When you see a similar message, it is worth checking the site below.

https://downdetector.com/status/openai/

AI synthesized voice can be used for attacking.

"Banks in the U.S. and Europe tout voice ID as a secure way to log into your account. I proved it's possible to trick such systems with free or cheap AI-generated voices."

In this article, an AI synthesized voice passed voice recognition authentication and gained access to a bank account. Some banks in the U.S. allow access to bank accounts after a few conversations with voice recognition. One text-to-speech service, ElevenLabs, was able to pass the authentication.
https://vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice

One more for thinking about cyber security (not this week):

Cybersecurity experts warn of the threat of more sophisticated phishing mail.

Two articles discuss the impact and usage of ChatGPT for cybersecurity. The common threat in the two articles is the increase in phishing e-mails. Usually, phishing e-mails are easily detected because of their unnatural wording and phrasing. This is a barrier for non-native speakers to create effective phishing emails. However, ChatGPT allows non-native speakers to write natural sentences, which risks generating a large number of naturally worded phishing emails.

OpenAI's new ChatGPT bot: 10 dangerous things it's capable of
ChatGPT and more: What AI chatbots mean for the future of cybersecurity

What Infrastructure Do You Depend On? - Jan 14th - 20th, 2023, F5 SIRT - This Week in Security
This Week in Security Jan 14th - 20th, 2023

What Infrastructure Do You Depend On?

Introduction

This week seems to be filled with infrastructure news, or more accurately, I am full of infrastructure security concerns. From new books on the topic of infrastructure, to federal bills to fix and enhance it, to attacks on and disruptions to it, detailed below, infrastructure has been at the forefront of the civic zeitgeist. This week we tour some infrastructure failures, providing evidence that security and infrastructure resilience go hand in hand. Some of these infrastructure issues are in information infrastructure, such as the NOTAM outage that grounded flights around the United States, the leak of the No Fly List, or the tale of Southwest Airlines' mishap. Others are in traditional infrastructure such as the power grid. Ultimately I hope you go away with dueling questions: What infrastructure does my security posture depend on, and what happens when that infrastructure goes away?

0wn an Airline and get the No Fly List.

One day maia crimew was browsing through open Jenkins servers and discovered something interesting: seeing words like "ACARS" and "crew", they realized they had found an open Jenkins server belonging to the airline CommuteAir. CommuteAir is a regional airline that flies Embraer ERJ-145 jets under the brand United Express, being one of United Airlines' contract carriers for its feeder service. Regional airlines operate in the United States either by contracting with major airlines to provide feeder service using aircraft seating 50~100 people from low-volume airports to the majors' hubs, or by providing subsidized service, often with even smaller aircraft, to even smaller airports. maia had noticed references in the code they uncovered to the fabled TSA No Fly List, and after some days of searching, uncovering more and more files left around that included AWS credentials and the like, they found it. And well, it was subsequently leaked.
Analysis of the list reveals many things, including that 10% of the entries on the list have Muhammad in the first or last name fields. Of course, this is the problem, as Bruce Schneier puts it, with having to give a copy of your secret list to lots of people. There are hundreds of scheduled airlines that are based in the US or fly to the US, so each of these airlines needs the list and its updates to check against passenger booking data to flag passengers, either denying them a ticket or, as part of the process of issuing their boarding pass, giving it the dreaded SSSS mark. While an airline may spend a lot of security effort on securing systems handling passenger and crew data, the leaked list was not found in those systems, but in testing infrastructure being used to develop those systems, and, as happens time and again, real data was being used to test. This all speaks to having robust and well-defined data security policies: if real data needs to be used to test systems, those systems should have the same or more protection than the production systems working with the same data. I am a firm advocate of placing more protections around testing infrastructure than production infrastructure, because sometimes testing infrastructure needs to go without a WAF or other protections while the WAF policies are being developed or adapted to the new updates, or protections built into the application are unfinished or unused in testing.

Power Substation Attacks

A series of power substation attacks has plunged parts of the United States into darkness. The first series of attacks was in North Carolina, where two substations in Moore County were attacked by currently unknown assailants. Analysis of the attack by Grady Hillhouse of Practical Engineering reveals potentially some inside knowledge by the attackers, who specifically attacked, with rifles, the step-down transformers that serve as a link to Moore County.
The resultant damage required several days of work to temporarily restore power, while inspection of the damaged transformers and subsequent repair took quite a bit longer. The incident and the subsequent incidents detailed below are under investigation by the FBI. In the days following the South Carolina attacks, attacks on substations owned by Portland General Electric, Bonneville Power Administration, Cowlitz County PUD and Puget Sound Energy occurred; the motive for many of these attacks is not known, so these may be copycat attacks or a coordinated effort. These initial attacks in Oregon and Washington remain unsolved, and the FBI has warned of possible plots by radical right-wing groups to continue disrupting power infrastructure in furtherance of an "accelerationist" plot. Later that month, during Christmas, four more substations were taken offline in a series of attacks. After intense investigation with the assistance of the FBI, two men were arrested for attacks on four of the Pacific Northwest substations, offering the explanation that they were trying to disrupt power in furtherance of a robbery. Some may remember an incident in 2013 where a sniper attacked a PG&E substation on the outskirts of San Jose, California. The sophistication of that earlier attack has led investigators to believe that the attackers had specific inside knowledge of both the power infrastructure and substation design, of how that infrastructure connected to the wider grid, and of the use of high-powered rifles. All of these attacks reveal the potential vulnerability of the United States power infrastructure to sophisticated attacks. Following similar incidents in the past, utilities have started installing concrete walls to protect transformers from gunfire and have upped their CCTV game to include more cameras and hardened storage and transmission of CCTV video.
After a number of fiber cuts that occurred before the San Jose incident, and that incident itself, fiber optic providers have upgraded security on fiber vaults and cabinets. But even with all of these upgrades some facilities may still consist of an unlocked cabinet or a substation with just a chain-link fence and a sign warning of deadly voltages inside. As Grady noted in his analysis linked above, the massive size and spread of the US power infrastructure prevents any substantial preventative measures from being used, but also provides for its resilience. Despite these attacks spanning three states and a dozen power providers, the relative impact was small, only disrupting power for a fraction of those states' residents and businesses, and restoration in some cases took mere hours.

So, what does this mean for your infrastructure? Time and again I have seen larger disasters turn a well-planned disaster response plan into a mess, as the scope of the disaster exceeds what was planned for. In this case we can see an obvious issue right away: while you may have power protections in place, how long are they designed to last? You have diesel generators, but how many days or weeks of fuel do you have onsite? Do you have a plan for getting more? How long can your generators run without maintenance? Do you have a plan for when you have to take them offline for planned or unplanned maintenance? Do you have a plan for your people's needs during a disaster?

Roundup:

Twitter has started "enforcing long standing API rules" that have resulted in the death of a few different third-party Twitter clients.

Credit card canary tokens are a thing, allowing those who have some reason to store credit card numbers an opportunity to find out if those numbers were secretly stolen. You know, before your merchant bank drops the bad news.

Flights in the United States were disrupted by a computer system going down at the FAA.
The NOTAM or NOtice To Air Missions system, often derided [PDF], went down due to mistakes by FAA contractors. The system was subsequently brought back up and flights resumed.

In case you missed it, Southwest Airlines had an operational failure as a result of their dispatch systems and scheduling systems becoming out of sync.

In a ray of hope for power infrastructure, heat pumps are starting to make a comeback. Some of us know about heat pumps and how they are able to move heat more efficiently than creating it, and for those who don't, there is Technology Connections.

A while back street lights in the Vancouver, BC area started turning purple. Some may be disappointed that this is not the result of a sudden onset of a cyberpunk dystopia, but of manufacturing defects leading to the mechanical separation of the phosphor from the chips in the white LEDs.