A long week of breaches - Jan 7th - 13th, 2023, F5 SIRT - This Week in Security
A dive into the week's news, including analysis of the CircleCI breach, Royal Mail's ransomware attack by LockBit, Vice Society activity, and analysis of xdr33, new malware based on the CIA HIVE kit.

Top exploited vulnerabilities of 2022 and more - This Week in Security - Dec 26th to Dec 30th
Happy New Year! As we start the year, it's a good time to reflect on the state of cybersecurity. Looking back at the past year, it's clear that cyber threats continue to evolve and pose a significant risk to businesses and individuals alike. The list of top exploited vulnerabilities of 2022, according to CISA, has a total of 8 vulnerabilities, including the notorious Log4j (CVE-2021-44228). F5's own CVE-2022-1388 made the list at number 5. This is a good reminder that if you have a system impacted by CVE-2022-1388, please remediate this vulnerability as described in https://support.f5.com/csp/article/K23605346.

Top Exploited Vulnerabilities of 2022

Vulnerability | Description | Affected Systems | Exploited By
Follina (CVE-2022-30190) | Zero-click remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (ms-msdt) | Microsoft Windows | Chinese APT groups (TA413), APT28 (Russia)
Microsoft Office bug (CVE-2017-11882) | Memory corruption bug in Microsoft Office's Equation Editor enabling remote code execution on vulnerable devices | Microsoft Office | Chinese, North Korean, and Russian hackers
Log4Shell (CVE-2021-44228) | Zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution | Java applications | Chinese and Iranian state threat actors, APT10 and DEV-0270
ProxyNotShell (CVE-2022-41082) | Vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 allowing attackers to escalate privileges to run PowerShell and gain arbitrary or remote code execution on compromised servers | Microsoft Exchange Server | Ransomware groups
F5 BIG-IP (CVE-2022-1388) | Unauthenticated attacker with network access can execute arbitrary system commands, create or delete files, or disable services | F5 BIG-IP systems | Multiple state-sponsored APTs
Chrome zero-day (CVE-2022-0609) | Use-after-free vulnerability allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page | Google Chrome |
Spring4Shell (CVE-2022-1388) | Critical vulnerability in the Spring Framework | Spring Framework | Unknown threat actor
Atlassian Confluence (CVE-2022-26134) | OGNL injection that allows unauthenticated attackers to execute arbitrary code | Atlassian Confluence | 8220 gang

https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF

Breaking RSA with a Quantum Computer

Some Chinese researchers have published a paper claiming that they have found a way to break 2048-bit RSA encryption. This is potentially a significant development because RSA encryption is widely used for secure communication. The researchers used a combination of classical lattice reduction techniques and a quantum approximate optimization algorithm, which allowed them to factor numbers using a relatively small quantum computer with only 10 qubits. While the research has not yet been tested on a larger scale, it raises concerns about the security of RSA encryption. The Chinese government has not classified the research, which is notable because it suggests that the government does not view the research as posing a threat to national security.

https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html
https://arxiv.org/pdf/2212.12372.pdf

Vulnerabilities affecting hundreds of millions of vehicles

Several car brands have fixed vulnerabilities that could have allowed hackers to remotely control various functions of certain cars made after 2012. A security researcher at Yuga Labs discovered the vulnerabilities while researching the mobile apps for several car brands that allow customers to remotely start, stop, lock, and unlock their vehicles. The researcher and other researchers initially studied Hyundai and Genesis cars and found that the verification process for gaining access to a vehicle relied on registered email addresses, which they were able to bypass to gain full control.
Top 5:

AT&T
Details: Full compromise of an undisclosed system used by AT&T which would've allowed an attacker to send and receive text messages, retrieve live geolocation, and disable hundreds of millions of SIM cards installed in the following vehicles: Tesla, Subaru, Toyota, Lexus, Ford, Fiat Chrysler Automobiles, Land Rover, Mazda, Volvo, Honda, BMW, Cruise.
Impact: Affected hundreds of millions of SIM cards managed by tens of thousands of companies. The impact of this vulnerability went far beyond the scope of car hacking and affected nearly every industry (nearly anything which uses a SIM card).

Spireon
Details: Multiple vulnerabilities, including:
- Full administrator access to a company-wide administration panel with the ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware.
- Remote code execution on core systems for managing user accounts, devices, and fleets.
- Ability to access and manage all data across all of Spireon.
- Ability to fully take over any fleet (this would've allowed tracking and shutting off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatching commands to those vehicles, e.g. "navigate to this location").
- Full administrative access to all Spireon products, including GoldStar, LoJack, FleetLocate, NSpire, and Trailer & Asset. In total, there were 15.5 million devices (mostly vehicles) and 1.2 million user accounts (end user accounts, fleet managers, etc.).
Impact: Affected 15.5 million devices, mostly vehicles, and 1.2 million user accounts. The impact of this vulnerability went beyond just vehicles and also affected products and user accounts.

Mercedes-Benz
Details: Access to hundreds of mission-critical internal applications via improperly configured SSO, including multiple GitHub instances, an internal chat tool, SonarQube, Jenkins, internal cloud deployment services, and internal vehicle-related APIs. Remote code execution on multiple systems. Memory leaks leading to employee/customer PII disclosure and account access.
Impact: Impacted internal systems and applications, potentially leading to the disclosure of employee and customer personal information and access to various internal accounts.

BMW, Rolls Royce
Details: Company-wide core SSO vulnerabilities which allowed access to any employee application as any employee, including access to internal dealer portals and applications used by remote workers and dealerships.
Impact: Impacted internal systems and applications, potentially leading to access to various internal accounts and dealer information.

Ferrari
Details: Full zero-interaction account takeover for any Ferrari customer account.
Impact: Impacted internal systems and applications, potentially leading to access to various internal accounts and dealer information.

You can read the complete list on the blog post by Sam Curry, which has great in-depth coverage of each category of vulnerability.

https://samcurry.net/web-hackers-vs-the-auto-industry/
https://twitter.com/samwcyo/status/1610216145142878212

High cost of call center scams

Romance-related scams carried out by Indian phishing gangs have caused losses of more than $3 billion to US citizens in the last two years alone. Total money lost in all internet/call centre-related frauds in the last 11 months has been estimated at $10.2 billion, an increase of 47% against last year's $6.9 billion. Most of the victims of these frauds are elderly, above the age of 60.
The FBI has stationed a permanent representative at the US embassy in New Delhi to work with the CBI, Interpol, and Delhi Police to bust these gangs and freeze money transferred through wire and cryptocurrencies to syndicates operating from India. The FBI is ready to fill the investigative gaps by providing evidence to local law enforcement agencies prosecuting the criminals involved. The scams affecting Americans are also impacting the elderly population in India. The authorities in India have been slow to react to these issues, possibly because the police do not fully understand the impact of these scams or because they are corrupt and involved in the mafia that runs them. This issue is depicted in the Netflix series "Jamtara," which shows how these scams are connected to the political system and driven by the desire for money and anti-American sentiment.

https://timesofindia.indiatimes.com/india/illegal-desi-call-centres-behind-10-billion-loss-to-americans-in-2022/articleshow/96501320.cms
https://en.wikipedia.org/wiki/Jamtara_%E2%80%93_Sabka_Number_Ayega

Private code repositories of Slack stolen from GitHub

Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. According to the details published on their blog:

"On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack's primary codebase."

Source code is stolen to explore vulnerabilities and develop zero-day exploits. From a security perspective, this is simply about the cost to penetrate security versus the benefit to the attacker.
Access to private code is where the benefit to the attacker goes up faster than the company can afford to cover, and the company must cover all the attack surfaces.

https://slack.com/blog/news/slack-security-update

Lastpass Breach, SBOM, & Cryptocurrency Bounties - This Week in Security - August 22nd to 28th 2022
This Week in Security August 22nd to August 28th 2022

Jordan here as your editor this week. This week I reviewed the LastPass breach, supply chain security efforts led by the US government, and cryptocurrency bounties. Keeping up to date with new technologies, techniques and information is an important part of our role in the F5 SIRT. The problem with security news is that it's an absolute fire-hose of information, so each week or so we try to distill the things we found interesting and pass them on to you in a curated form. It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT.

LastPass Breach

Last week, the popular password management company LastPass experienced a data breach. According to the company's blog post, compromised developer credentials were used by an attacker to infiltrate their development environment. At this time we know the attacker was able to obtain source code and "some proprietary LastPass technical information" before the attacker was isolated from moving further. This is an ongoing investigation, so I want to caveat that additional details may come out later which expand the scope of the breach. While quickly identifying and mitigating an active attack is extremely important, the benefit of designing a product architecture with security in mind from the beginning is what I think deserves a highlight here. A key component of the LastPass product architecture is that they make use of zero knowledge encryption (they call it "zero knowledge security").
Now, the term "zero knowledge security" may sound strange to the uninitiated; it might even make you think they have zero knowledge of security, but this is not the case. Zero knowledge means LastPass doesn't have the master encryption keys (in the form of a password) the customer uses to encrypt their data. LastPass only stores encrypted secrets and cannot decrypt them; only the end user can do that. LastPass has zero knowledge of the encryption key used. Since there is no centralized key to protect the data, any breach of the system should only turn up encrypted data. Encrypted data is less valuable to an attacker, especially since brute force decryption of AES-256 is on a time scale of trillions of years and is not feasible given modern computing constraints. The key takeaway for LastPass customers is that currently there is no action required on your part and your data can be considered safe. The key takeaway for system designers should be that implementing a secure zero knowledge / zero trust architecture from the beginning can minimize the impact of a security incident.

https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
https://www.lastpass.com/security/zero-knowledge-security
https://scrambox.com/article/brute-force-aes/

Software Supply Chain Risk Management

Supply chain risk management is a topic that is slowly but surely gaining more traction across many industries. In support of this, the US Cybersecurity and Infrastructure Security Agency (CISA) has kicked off various working groups to help shape the future of the Software Bill of Materials (SBOM). It's important to note that the working groups are not scoped to recommend or influence US government policy; instead, the charter is to facilitate vendor-neutral problem solving and collaboration in specific domains such as Cloud & Online Applications, On-Ramps & Adoption, Sharing & Exchanging, and Tooling & Implementation.
While the groups are just starting on scoping some of the core problems to solve, I have found the community discussions to be insightful and am excited to see the output from these groups. During a recent meeting, I learned about a few promising technologies for sharing SBOMs, such as the CycloneDX BOM Exchange API and Digital Bill of Materials projects. I was also exposed to an interesting project named GUAC which aims to "create a means to ingest, validate and parse artifact information (i.e. in-toto attestations, SBOM, etc.) from various data sources and represent and store them in a knowledge graph". The complexity of managing multiple SBOMs for a modern enterprise is fundamentally a data management problem, and I believe graph databases are an excellent technology choice for the use case. If you are interested in joining the working groups or the aforementioned projects, please visit the links below.

https://www.cisa.gov/sbom
https://github.com/CycloneDX/cyclonedx-bom-exchange-api
https://dbom-project.readthedocs.io/en/latest/what-dbom.html
https://github.com/guacsec/guac

Cryptocurrency Bug Bounties

Ahead of a major event for the Ethereum blockchain commonly referred to as "The Merge", the Ethereum Foundation has raised the bug bounty payouts for critical vulnerabilities to $1 million. This temporary 4x multiplier of their current bug bounty provides a great incentive for ethical hackers to work at discovering security issues. Performing pre-release penetration testing is a great way to discover vulnerabilities before deployment and a sign of a mature security program. As the Ethereum blockchain migrates from a proof-of-work to a proof-of-stake consensus mechanism, the stakes are high for getting it right and security is one of the top concerns. Perhaps surprisingly, this is not the largest bug bounty payout for vulnerabilities found in the cryptocurrency ecosystem.
The largest recent payout goes to a vulnerability found in a "bridge", which facilitates transactions across divergent chains. If successfully exploited, the vulnerability would have allowed attackers to hold "the entire protocol ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever". Along with the ethical hackers finding bugs in the cryptocurrency ecosystem, cyber criminals are increasing the frequency of their attacks as well. The US Federal Bureau of Investigation (FBI) recently issued a public service announcement warning that criminals are increasing their exploitation of Decentralized Finance platforms, citing "between January and March 2022, cyber criminals stole $1.3 billion in cryptocurrencies". Even with the recent downturn in the value of cryptocurrencies, criminals will continue to abuse the ecosystem to seek their fortune, often attacking the trading platforms and smart contracts, as they represent the most likely part of the stack to have a vulnerability which can be exploited.

https://ethereum.org/en/bug-bounty/
https://portswigger.net/daily-swig/ethereum-foundation-offers-1m-bug-bounty-payouts-with-proof-of-stake-migration-multiplier
https://portswigger.net/daily-swig/blockchain-bridge-wormhole-pays-record-10m-bug-bounty-reward
https://www.ic3.gov/Media/Y2022/PSA220829

Defcon 30 - Mobile Hacking CTF

A quick congratulations to F5 employee Purvesh Kothari for winning the Girls Hack Village Mobile Hacking CTF at Defcon 30. Congratulations Purvesh!

https://www.linkedin.com/posts/nowsecure_the-results-are-in-the-winner-for-the-activity-6968590642742448129-Dp4E/

Microsoft's Strike on Cybercriminals and SFX backdoor - April 1st-April 7th - This Week in Security
Hello everyone, this week your editor is Dharminder. I am back again with another edition of This Week in Security. This week I have looked at a study on how fast an AI-powered tool can crack passwords, hackers using SFX archives for a stealthy backdoor, and Microsoft's strike on cyber criminals. We in F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT. OK, so let's get started with the details of this week's security news.

A study on AI's ability to crack passwords

We have all been hearing a lot about AI and its capability to do various things. The latest addition to that is cracking passwords. A recent study published by Home Security Heroes shows that the password cracking tool PassGAN can crack 51% of all common passwords in less than one minute, 65% in less than an hour, 71% in less than a day, and 81% in less than a month. The reason behind such speed is that, instead of having to run manual password analysis on leaked password databases, PassGAN is able to "autonomously learn the distribution of real passwords from actual password leaks." Here are the stats produced by Home Security Heroes on how much time it takes to crack a password using AI. The result is really alarming. In my opinion the time has come that all applications should enforce a password which:

- Uses at least 15 characters.
- Has at least two letters (upper and lower-case), numbers, and symbols in the password.
- Avoids obvious password patterns, even if they have all the required character lengths and types.
Users should also follow best practices such as:

- Use 2FA/MFA
- Avoid re-using passwords across accounts
- Use auto-generated passwords when possible
- Change passwords regularly, especially for sensitive accounts

https://www.homesecurityheroes.com/ai-password-cracking/
https://leedaily.com/2023/04/10/ai-at-cracking-passwords/

Stealthy backdoor using self-extracting archives (SFX)

CrowdStrike has recently observed hackers using SFX archives to install a backdoor on the target system. Before we look at the exploit, let's understand SFX files. SFX, or self-extracting archives, are executable files which extract the information contained inside them. They do not require any utility to extract the package on the target system, which makes the distribution of archives easy. SFX files can be password-protected to prevent unauthorized access, which is a common practice for protecting important files. On the same lines, hackers are also using password-protected SFX files in their attacks. During the investigation and research, CrowdStrike observed that, to lay the foundation, the attacker had abused utilman.exe functionality using stolen credentials to launch a password-protected SFX file which had been planted before utilman.exe was abused. Since the utilman utility executes before user login, abusing this functionality helped the attacker bypass system authentication. Interestingly, the password-protected SFX file executed by utilman in the exploit contained only an empty text file; the real motive was hidden in the functionality of WinRAR's setup options. WinRAR has a feature called setup options where you can define what commands you would like to run before or after extraction. The attacker had used this functionality to run powershell.exe, cmd.exe and taskmgr.exe.
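To check an SFX executable for the kind of setup-option commands described above, here is an added example (my own Python, not CrowdStrike's or WinRAR's code) that locates the RAR overlay appended to the stub and pulls out any SFX script directives stored there as plain text. It assumes the SFX comment holding the script is stored uncompressed; when it is not, extract the comment with unarchiving software and pass the text to parse_script(). The sample bytes are constructed.

```python
import re
from typing import Dict, List

# Signatures of the archive formats that WinRAR appends to an SFX stub as an overlay.
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"

# Directives from WinRAR's SFX comment syntax. Presetup/Setup run a program before/after
# extraction; the rest control the dialog, target path and overwrite behaviour.
SCRIPT_DIRECTIVES = {"presetup", "setup", "silent", "tempmode", "path",
                     "overwrite", "delete", "shortcut", "title"}
DIRECTIVE_RE = re.compile(rb"^[ \t]*(?P<key>[A-Za-z]+)[ \t]*=[ \t]*(?P<val>[^\r\n]*)", re.MULTILINE)

# Programs the write-up above names as being launched by the stub instead of an installer.
INTERACTIVE_TOOLS = ("powershell.exe", "cmd.exe", "taskmgr.exe")


def find_overlay(data: bytes) -> int:
    """Offset of the RAR archive appended after the SFX stub, or -1 if none is present."""
    for sig in (RAR5_SIGNATURE, RAR4_SIGNATURE):
        off = data.find(sig)
        if off != -1:
            return off
    return -1


def parse_script(text: bytes) -> Dict[str, List[str]]:
    """Collect {directive: [values]} from Key=Value lines, ignoring unknown keys."""
    found: Dict[str, List[str]] = {}
    for m in DIRECTIVE_RE.finditer(text):
        key = m.group("key").decode("ascii", "ignore").lower()
        if key in SCRIPT_DIRECTIVES:
            found.setdefault(key, []).append(m.group("val").decode("latin-1").strip())
    return found


def extract_sfx_script(data: bytes) -> Dict[str, List[str]]:
    """Parse the SFX script out of an executable's overlay.

    Assumption: the SFX comment is stored uncompressed, so its Key=Value lines are
    visible as plain text after the RAR signature. A compressed comment must be
    extracted with unarchiving software first and fed to parse_script().
    """
    start = find_overlay(data)
    if start == -1:
        return {}
    return parse_script(data[start:])


def assess(script: Dict[str, List[str]]) -> List[str]:
    """Turn a parsed script into the findings a reviewer would want to see."""
    findings: List[str] = []
    for key, when in (("presetup", "before"), ("setup", "after")):
        for cmd in script.get(key, []):
            findings.append(f"runs '{cmd}' {when} extraction")
            if any(tool in cmd.lower() for tool in INTERACTIVE_TOOLS):
                findings.append(f"'{cmd}' is an interactive shell or tool, not an installer")
    if any(v != "0" for v in script.get("silent", [])):
        findings.append("extraction dialog suppressed (Silent=%s)" % ",".join(script["silent"]))
    if any(v != "0" for v in script.get("overwrite", [])):
        findings.append("existing files overwritten without prompting")
    return findings


# Constructed sample: a fake stub followed by a RAR5 signature and an uncompressed SFX comment
# that launches three interactive tools, the pattern described in the write-up above.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 32
    + RAR5_SIGNATURE + b"\x00" * 16
    + b";The comment below contains SFX script commands\r\n"
    + b"Setup=powershell.exe\r\nSetup=cmd.exe\r\nSetup=taskmgr.exe\r\n"
    + b"Silent=1\r\nOverwrite=1\r\n"
)

if __name__ == "__main__":
    for finding in assess(extract_sfx_script(SAMPLE_SFX)):
        print(finding)
```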
Because the SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, the Windows command prompt and Task Manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided. As per CrowdStrike, this type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside of an archive (which is often also password-protected) rather than the behavior from an SFX archive decompressor stub. So far we have understood how the exploit works, but it is equally important to understand the options to combat such an exploit. Here are some of the tips provided by CrowdStrike:

- Examine SFX archives through unarchiving software or other tools to view any potential scripts or executables that are set to extract and run upon execution.
- Look beyond what is contained within an SFX archive, and examine the functionality provided by the SFX archive decompressor stub itself to identify any commands that will be run either during, before or after successful extraction.
- Develop a process to validate if a password-protected SFX archive contains malicious or suspicious content.
- Thoroughly examine any SFX archive that contains only a null-byte file for any added functionality.
- Wherever possible, use installed unarchiving software to extract or view an SFX archive rather than running the SFX archive itself. Because the archive exists as an overlay, it can also be carved out from the executable using a hex editor if required.

https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/
https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/

Microsoft's legal strike on cybercriminals abusing security tools

These days one of the most common types of attack is ransomware.
Cobalt Strike is one of the tools commonly used by attackers after obtaining initial access to a target environment, to escalate privileges, move laterally across the network, and carry out other related malicious activities. Cobalt Strike is a legitimate and popular post-exploitation tool used for adversary simulation, provided by Fortra. Attackers use cracked versions of Cobalt Strike to launch destructive attacks. As per Microsoft, the ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few. The government of Costa Rica and the Irish Health Service Executive are a few known examples. To counter such attacks, Microsoft's Digital Crimes Unit (DCU), Fortra and the Health Information Sharing and Analysis Center have come together. This time, instead of targeting the command and control channel, they are taking technical and legal action to remove cracked, legacy copies of Cobalt Strike and abused Microsoft software which are being used to distribute malware. Fortra has vetted legitimate security practitioners and is also helping its customers determine whether their licenses have been compromised. Apart from that, Fortra has adapted the security controls in the Cobalt Strike software to eliminate the methods used by hackers to crack older versions of Cobalt Strike. In my opinion this is a very good initiative, and I am hoping that more and more companies will take such initiatives to make environments safe and secure.
https://blogs.microsoft.com/on-the-issues/2023/04/06/stopping-cybercriminals-from-abusing-security-tools/
https://thehackernews.com/2023/04/microsoft-takes-legal-action-to-disrupt.html

iOS and Chrome, Supply Chain and new Phishing attacks - This Week in Security - Aug 29 to Sept 4th
This Week in Security August 29th to September 4th

"iOS and Chrome again, Supply Chain again and Phishing with telescopes"

Aaron back with you as editor this week and, as always, there is plenty to cover. Security news can be incredibly difficult to keep on top of, so I'm going to pick a few highlights from the last week or so (officially, this issue covers the week of August 29th to September 4th, but you know I often stray!).

First, a brief snippet about a story from this week rather than last: the Los Angeles Unified School District suffered a ransomware attack (https://www.latimes.com/california/story/2022-09-05/lausd-cyberattack-takes-down-la-unified-operations-schools-will-open-on-tuesday) over the weekend, and I'm highlighting it here for two reasons: firstly, based on the news reports, the response was swift and extremely effective, restoring full service within a couple of days and severely limiting the impact of the outage itself, and secondly so that I can remind you that keeping up with news like this is important to the F5 SIRT, not only so that we can pass the news on to you, but also because it's important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT.

Housekeeping out of the way, let's move on to the more interesting news!

iOS and Google Chrome updates

In the last issue I wrote, I talked about some Apple 0day vulnerabilities for which urgent patches were released, and I urged everyone to update to iOS 15.6.1 (and macOS 12.5.1), noting that earlier versions of macOS, at least, did not appear to be affected.
Well, Apple has now released patches[1] for one of those two vulnerabilities for earlier iOS versions to support older devices. If you have a device stuck on iOS 12, you should update to iOS 12.5.6 as soon as possible (covering iPhone 5s, 6, 6 Plus, iPad Air, iPad mini 2, 3 and 6th gen iPod touches).

I also urged Chrome (and Chromium-based browser) users to upgrade to address a Critical vulnerability and, this week, I am going to tell you again to upgrade Chrome. This time, to avoid a known-to-be-exploited vulnerability affecting Mojo[2], a component used within Chrome to provide cross-platform inter-process communication mechanisms. Ensure you update to Chrome 105.0.5195.102 or later as soon as possible, which should be as simple as restarting your browser in the case of Chrome itself. Handy, because you'll need to upgrade again soon to address a clipboard bug[3].

Like the Apple vulnerability above, these are both issues which can be exploited simply by tricking a user into visiting a maliciously crafted webpage. I've seen a few folks asking if WAFs like Advanced WAF could protect against this and, at least in my opinion, that's really asking the wrong question. If you look at the problem that way around, what you are actually asking is: "Can my WAF stop an attacker from injecting the required malicious code into my webserver?" and the answer there is quite likely "Yes, using just the configuration you already have in place". The exception to that would be websites that need to accept arbitrary user input (forums, guest books (remember those?), blog comments, etc.) and in that case the chances are any WAF configuration sufficient to block the malicious code is going to block legitimate user input as well. If you are trying to look after random visitors then I applaud you, but you are better off spending your time on education (help your visitors keep their browser up to date) because your site is just one of many they will visit today.
Meanwhile, if you are looking after a corporate network, invest your time in client-side detection and mitigation: mandate browser updates, have strong endpoint inspection tools and robust anomaly reporting.

https://support.apple.com/en-us/HT213428
https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
https://thehackernews.com/2022/09/google-chrome-bug-lets-sites-silently.html

Hard coding credentials is a bad thing in your supply chain

This shouldn't really need saying, but hard coding credentials into an application is a bad idea, especially when that application is going to be distributed to uncontrolled endpoints like mobile handsets. Symantec's researchers[1] recently conducted a survey of mobile applications and found over 1,800 applications that contained hard-coded AWS credentials; 98% of those being iOS apps and just 2% being Android! Many of those credentials could be used to directly access private cloud services, including databases that should otherwise be secure, and could allow the exposure of user account details, logs, internal communications and so on, depending on the app. In three instances the hard-coded credentials actually existed within SDKs being used by multiple applications and exposed access to private customer data, potentially banking information and, in one particularly egregious example, an SDK which provided full admin access to the back-end infrastructure behind numerous sports betting platforms! Considering that SDKs are often consumed by application developers tasked with writing full-featured applications extremely quickly, they are often used without in-depth security audits and, indeed, may be partially closed-source or black-box in nature, making audits particularly difficult.
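A check a developer or app reviewer can run before shipping, as an added example (my own Python, not Symantec's tooling): scan an unpacked app bundle, SDK included, for AWS access key IDs and look nearby for a high-entropy 40-character string that would be the paired secret. The key ID and secret formats are AWS's published ones; the sample plist is constructed and uses the example key pair from AWS's documentation, not a live credential.

```python
import math
import os
import re
from dataclasses import dataclass
from typing import List

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) plus 16 uppercase
# alphanumerics. Secret access keys are 40 characters from the base64 alphabet.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 512        # bytes either side of the key ID in which a paired secret is sought
MIN_SECRET_ENTROPY = 3.5   # bits per byte; random 40-char secrets score well above this


@dataclass
class Finding:
    source: str
    access_key_id: str
    secret_hint: str        # redacted to first and last four characters, or "" if none found
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; used to skip placeholders such as 'AAAA...'."""
    if not data:
        return 0.0
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def redact(secret: bytes) -> str:
    return secret[:4].decode() + "..." + secret[-4:].decode()


def scan_bytes(blob: bytes, source: str) -> List[Finding]:
    """Report every access key ID in blob, paired with the most plausible secret nearby."""
    findings: List[Finding] = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - SECRET_WINDOW), m.end() + SECRET_WINDOW
        best, best_entropy = b"", 0.0
        for s in SECRET_RE.finditer(blob, lo, hi):
            ent = shannon_entropy(s.group(1))
            if ent >= MIN_SECRET_ENTROPY and ent > best_entropy:
                best, best_entropy = s.group(1), ent
        findings.append(Finding(source, m.group(1).decode(),
                                redact(best) if best else "", best_entropy))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk an unpacked app bundle (an extracted .ipa or .apk, for example) and scan every file."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings.extend(scan_bytes(fh.read(), path))
    return findings


# Constructed sample resembling a plist from an iOS bundle; the pair is AWS's documented example.
SAMPLE_PLIST = (
    b"<key>AWSAccessKey</key><string>AKIAIOSFODNN7EXAMPLE</string>"
    b"<key>AWSSecretKey</key><string>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>"
)

if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE_PLIST, "sample")
    for f in results:
        print(f"{f.source}: {f.access_key_id} secret={f.secret_hint or 'not found'} "
              f"(entropy {f.entropy:.2f})")
```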
This is yet another example of the difficulty of securing the supply chain in modern software, as we have seen in earlier issues of TWIS with the typo-squatting Python and GitHub packages, or more recently where Python package maintainers fell victim to phishing campaigns to take control of legitimate packages[2]. The NSA, CISA and the ODNI have released a joint advisory detailing how they suggest developers secure the software supply chain[3], titled "Securing the Software Supply Chain, Recommended Practices Guide for Developers". Chapter 2.3 deals directly with the verification of third-party components, including a section on the Software Bill of Materials, with other chapters on developing secure code, hardening the build environment and delivering code securely to end users.

Personally I think that, as an industry, we have come a long way in terms of building a security mindset in development teams such that they can develop more secure code from the ground up (Chapter 2.2), and modern language development (e.g. Rust) further tries to address that by providing memory-safe languages to develop in. I also think that hardened environments are pretty well understood at this point, as is secure software delivery, leaving third-party components as our biggest challenge right now. Clearly it has a lot of focus, because we see issues like the ones I've discussed here disclosed with increasing regularity; indeed, Python seems to be a particular focus right now, with Checkmarx[4] also noting that a third of Python packages execute code automatically when they are downloaded and installed via pip. When performed by a trusted package this is a useful feature allowing dependencies to be automatically satisfied, but it clearly could be easily misused to install malware or exfiltrate sensitive information from a target system.
I think we are barely scratching the surface at this point, given the number of different package management systems across the numerous development environments and languages in use today, but it's great that we are at least starting. These efforts are being encouraged both by US Government mandates and by private enterprise like Google, which recently introduced a new bug bounty programme specifically aimed at improving supply chain security[5].

[1] https://www.bleepingcomputer.com/news/security/over-1-000-ios-apps-found-exposing-hardcoded-aws-credentials/
[2] https://twitter.com/pypi/status/1562442188285308929
[3] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/
[4] https://thehackernews.com/2022/09/warning-pypi-feature-executes-code.html
[5] https://thehackernews.com/2022/08/google-launches-new-open-source-bug.html

The latest phishing lure? Images of space!

Phishing is an ever-present threat and one that is probably best countered by user education and vigilance (of course email filtering helps, but the best-crafted phish will always slip through). Often the lures are attachments purporting to relate to the target's job function, perhaps a fake PDF invoice asking for domain credentials to view it, or an Office document "sent" by a colleague with embedded macros, or something a reader simply couldn't resist clicking on (like an attachment named "LOVE-LETTER-FOR-YOU"). Apparently the latter category also includes "pictures of space taken with a shiny new telescope"[1]...
Actually, flippancy aside, the full attack chain goes something like this:

1. A phishing email arrives with an attached Microsoft Office file (Word document, Excel sheet, etc.).
2. The Office document contains a malicious external entity reference (basically Follina, which we've written about before).
3. The malicious entity is downloaded and executed, and in turn downloads a second-stage JPG file.
4. The JPG, which is an entirely valid JPG and will display as an image from the Webb telescope if you open it, is passed to certutil.exe, which decodes it into a binary executable.

That last step should probably make you stop and go "say, what?". The image has a "certificate" appended to it which is ignored for the purposes of displaying it as a picture. Certutil, however, will do its best to decode this certificate, which is actually a base64-encoded executable, and write the result out to disk. The resulting executable is malware written in Golang which, upon execution, begins communicating with a C2 server via DNS TXT requests to an attacker-controlled DNS server, using them both to send and to receive data.

Golang has been steadily rising in popularity among malware authors over the last couple of years (most recently this, Agenda[2] and BianLian[3]) because it enables easy cross-platform development and simultaneously makes reverse engineering considerably more time consuming and difficult for researchers. Despite that difficulty, Securonix[4] have a full write-up on their blog which I recommend reading if you'd like more details, including indicators of compromise and detection rules; if you haven't the time to read through everything then I recommend at least skipping to the IoC section and onward.
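To make the certutil step concrete, here is an added example (not Securonix's code or the campaign's tooling) of the check a triage script can run on a suspicious image: find any PEM-style BEGIN/END block inside the file, base64-decode it the way certutil -decode would, and look at the magic bytes of the result to tell a DER-encoded certificate from a Windows executable. The JPEG stub and the "certificate" it carries are constructed for the example; the fake payload is only an MZ header and a DOS-stub string, not a real binary.

```python
import base64
import binascii
import re
from typing import Dict, List

# A PEM-style block: header, base64 body (any line wrapping), matching footer.
PEM_BLOCK_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker


def classify_payload(blob: bytes) -> str:
    """Very small magic-number check on a decoded payload."""
    if blob[:2] == b"MZ":
        return "pe-executable"
    if blob[:4] == b"\x7fELF":
        return "elf-executable"
    if blob[:1] == b"\x30":
        return "der-asn1"  # what a real X.509 certificate would start with (SEQUENCE)
    return "unknown"


def find_pem_payloads(data: bytes) -> List[Dict[str, object]]:
    """Locate PEM blocks anywhere in `data`, decode them and classify what they really carry."""
    findings: List[Dict[str, object]] = []
    for m in PEM_BLOCK_RE.finditer(data):
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            decoded = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue  # not decodable as base64, so it cannot be the payload carrier
        findings.append({
            "offset": m.start(),
            "label": m.group(1).decode("ascii"),
            "decoded_len": len(decoded),
            "kind": classify_payload(decoded),
        })
    return findings


def image_carries_executable(data: bytes) -> bool:
    """True when the file looks like a JPEG and also contains a PEM block hiding an executable."""
    return data.startswith(JPEG_SOI) and any(
        str(f["kind"]).endswith("executable") for f in find_pem_payloads(data)
    )


# Constructed sample: a JPEG-looking stub followed by a "certificate" whose content is a fake PE stub.
FAKE_PE_STUB = b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"This program cannot be run in DOS mode.\r\n$"
CLEAN_IMAGE = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 64 + b"\xff\xd9"
TROJANISED_IMAGE = (
    CLEAN_IMAGE
    + b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(FAKE_PE_STUB).replace(b"\n", b"\r\n")
    + b"-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    for f in find_pem_payloads(TROJANISED_IMAGE):
        print(f)
    print("carries executable:", image_carries_executable(TROJANISED_IMAGE))
```

A genuine certificate decodes to DER, so anything labelled CERTIFICATE that decodes to an MZ or ELF header is the tell; the same check works on any downloaded file, not only images, since certutil does not care about the container either.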
At a minimum, consider blocking DNS lookups for, and access to:

xmlschemeformat[.]com
updatesagent[.]com
apiregis[.]com
185[.]247.209.255
139[.]28.36.222

[1] https://www.darkreading.com/vulnerabilities-threats/james-webb-telescope-images-loaded-with-malware-are-evading-edr
[2] https://thehackernews.com/2022/08/new-golang-based-agenda-ransomware-can.html
[3] https://thehackernews.com/2022/09/researchers-detail-emerging-cross.html
[4] https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/

F5 SIRT This Week In Security - Jan 21st-27th - LNKs & XLLs for malware, CVE-2022-34689, FBI on APT38
Introduction

Hello! Arvin is your editor for F5 SIRT's This Week In Security (TWIS) covering 21-27 January 2023, my first for this year.

First on the list: Windows LNK files, the common Windows shortcut, have become the alternative to the Office macros that threat actors previously relied on to deliver malware to a victim's device. As observed across past threat actor and malware campaigns, the initial delivery of first-stage malware is usually through email phishing and the spreading of malicious links that download a malicious file. In recent years, Office documents with macros enabled would, when opened, execute code that downloads malware. Since Microsoft disabled macros by default, threat actors need an alternative way of delivering the initial commands that fetch malware, and they have found one in Windows LNK files. LNK files are deceptive and easy to trust, as one might think them relatively harmless; however, research by the security community shows how these files can be put to more sinister use. Another Office-related file which threat actors have adopted as an alternative to macros is the XLL, an Excel add-in. Like the LNK file, this file type is easily overlooked but may contain potentially malicious code. In general, and as mentioned a few times in previous TWIS editions, take care when opening URL links and files from emails. A healthy level of awareness goes a long way when dealing with the amount of information we receive every day, phishing emails included, and recognising one cuts off the malware's initial delivery.

Akamai released their analysis of CVE-2022-34689, a Windows spoofing bug in CryptoAPI, and in particular of the root of the issue, their research on certificate thumbprint MD5 collisions.
In the past, MD5 collisions were exploited to produce two files with the same MD5 hash, which in essence breaks the promise of MD5 and of any cryptographic hash function: no two distinct messages (in most cases files, certificates or executables) should hash to the same value. Microsoft fixed this vulnerability back in August 2022; however, per the research, a recent scan showed that most of the previously scanned endpoints are still unpatched. Applications and web browsers which use the Windows CryptoAPI are potential victims should this CVE be leveraged by an attacker, for example in a man-in-the-middle scenario where an attacker presents a spoofed certificate whose thumbprint collides with a trusted one. It is recommended to update vulnerable systems promptly to mitigate this CVE.

The FBI confirmed that Lazarus Group (APT38) was behind the theft of $100 million worth of crypto assets from the Harmony blockchain, which is what the infosec and crypto communities have been saying for a while now. Back in June 2022, in a security incident on the Harmony Horizon Ethereum Bridge, closely protected private keys were decrypted by attackers, who were then able to execute unauthorised transactions and steal crypto assets. It was speculated that the attack was executed via a server/key compromise or through social engineering. Tracking Lazarus Group's crypto transactions shows use of Tornado Cash, a mixer used to launder stolen crypto assets. The FBI and other US agencies will continue to pursue Lazarus Group's activities. Crypto exchanges and projects should closely secure sensitive assets and keys to prevent future incidents. Borrowing this from a crypto expert: the use of multi-signatures to manage high-value assets is best practice, requiring more validators and ensuring that the compromise of a single private key does not place others at risk.

I hope you find these security news items educational and informative. See you on my next TWIS edition!
Threat actors' and malware's alternative to Office macros

Windows LNK files

Microsoft took its macros and went home, so miscreants turned to Windows LNK files

Microsoft's move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor's LNK files – the shortcuts Windows uses to point to other files.

"When Microsoft announced the changes to macro behavior in Office at the end of 2021, very few of the most prevalent malware families used LNK files as part of their initial infection chain," Guilherme Venere, threat researcher at Talos, wrote in a report dated January 19. "In general, LNK files are used by worm type malware like Raspberry Robin in order to spread to removable disks or network shares."

The files are also helping criminals gain initial access into victims' systems before running such threats as the Qakbot backdoor malware, malware loader Bumblebee, and IcedID, a malware dropper, according to the Talos researchers. The advanced persistent threat (APT) group Gamaredon has also put LNK files to work, including a campaign that started in August 2022 against organizations in Ukraine.

The shift to other techniques and tools in the wake of Microsoft's VBA macros move was swift. Soon after the macros were blocked, Proofpoint researchers noted that cybercriminals were looking for alternatives, including ISO and RAR attachments, plus LNK files.

https://www.theregister.com/2023/01/23/threat_groups_malicious_lnk/
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/

In an LNK file, the target part reveals that the LNK invokes a process, for example the Windows Command Processor (cmd.exe). The target path has only 255 characters visible. However, command-line arguments can be up to 4096, so malicious actors can take advantage of this and pass long arguments, as they will not be visible in the properties.
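The 255-character display limit against a 4096-character argument field is easy to verify by reading the LNK format directly. The parser below is an added example for this article, not Talos's or McAfee's tooling: it walks the MS-SHLLINK header, skips the optional LinkTargetIDList and LinkInfo structures, reads the StringData fields, and flags arguments that exceed the visible field, that begin with whitespace padding, or that reference common living-off-the-land binaries; it also reports a ShowCommand of SW_SHOWMINNOACTIVE, which starts the process minimised. A small builder constructs the sample shortcut so the example runs offline; the LOLBin hint list is this example's assumption.

```python
import struct
from typing import Dict, Optional, Tuple

# ShellLinkHeader constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # window starts minimised: a favourite for hiding a console
VISIBLE_TARGET_CHARS = 255  # what the shortcut properties dialog shows, per the text above
# Tools commonly launched from a shortcut's hidden arguments (assumption of this example).
LOLBIN_HINTS = ("powershell", "mshta", "rundll32", "regsvr32", "certutil", "wscript", "cscript", "http")

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string_data(buf: bytes, pos: int, unicode: bool) -> Tuple[str, int]:
    """StringData = CountCharacters (u16) + that many UTF-16LE or ANSI characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = buf[pos:pos + count * width]
    pos += count * width
    return raw.decode("utf-16-le" if unicode else "cp1252"), pos


def parse_lnk(buf: bytes) -> Dict[str, object]:
    """Parse the header and StringData of a .lnk and flag traits that hide what it really runs."""
    if (len(buf) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    (show_command,) = struct.unpack_from("<I", buf, 0x3C)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # LinkTargetIDList: u16 size + IDList
        (id_list_size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 size that includes itself
        (link_info_size,) = struct.unpack_from("<I", buf, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields: Dict[str, Optional[str]] = {}
    for flag, key in STRING_DATA_ORDER:
        if flags & flag:
            fields[key], pos = _read_string_data(buf, pos, unicode)
        else:
            fields[key] = None

    args = fields["arguments"] or ""
    suspicious = []
    if len(args) > VISIBLE_TARGET_CHARS:
        suspicious.append("arguments longer than the visible target field")
    if args[:1].isspace():
        suspicious.append("arguments padded with leading whitespace")
    if show_command == SW_SHOWMINNOACTIVE:
        suspicious.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    suspicious += [f"arguments reference {hint}" for hint in LOLBIN_HINTS if hint in args.lower()]
    return {**fields, "show_command": show_command, "suspicious": suspicious}


def _string_data(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, show_command: int = SW_SHOWNORMAL) -> bytes:
    """Build a minimal Unicode .lnk (no IDList, no LinkInfo) so the parser can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20)                       # FileAttributes: ARCHIVE
    header += b"\x00" * 24                                  # Creation/Access/Write FILETIMEs unset
    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)
    assert len(header) == LNK_HEADER_SIZE
    return header + _string_data(relative_path) + _string_data(arguments)


# Constructed sample: a shortcut to cmd.exe whose arguments are pushed past the visible field.
SAMPLE_HIDDEN_ARGS_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    " " * 300 + "/c echo stage-one-would-go-here",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_HIDDEN_ARGS_LNK).items():
        print(f"{k}: {v!r}")
```

Point `parse_lnk` at the bytes of any shortcut pulled from a mail gateway or an ISO attachment; the `arguments` field is the part Explorer's properties dialog truncates, so dumping it in full is the whole point.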
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

The WarHawk backdoor's initial delivery was also through a Windows LNK file:
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0

XLL files, MS Excel add-ins

Microsoft closes another door to attackers by blocking Excel XLL files from the internet

In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were targeting: Excel XLL files. The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.

"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.

That shouldn't come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP's Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.
XLL files are a type of DLL file that are only opened in Excel and enable third-party applications to add more functionality to spreadsheets. In Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possible dangerous code, similar to that shown when an Office document containing VBA macro code is opened. And as with VBA macros, users often will disregard the warning.

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.

Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.

"To steal a typical infosec buzzword, the best way to think of these are like 'next-gen' macro attacks," Barratt said. "As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the 'are you sure, you're sure' fatigue set in."

https://www.theregister.com/2023/01/25/microsoft_excel_xll_closed/
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/

Use of XLL files in delivery of Agent Tesla malware

Chains of infection

Two possible chains of infection:

1. A victim receives an email with a malicious attachment. The attachment is either a malicious XLL or XLM file.
2. In the case of an XLL, when run it will either:
   - drop an intermediate dropper that in turn will drop an Agent Tesla payload;
   - download an Agent Tesla payload from Discord; or
   - download a Dridex payload from Discord.
3. In the case of an XLM, when run it will drop a VBS downloader that downloads and executes a Dridex sample from Discord.
While Agent Tesla and Dridex infection chains are not necessarily distributed by the same actor, they seem to be part of a new trend of infection vectors.

https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/

MD5 collisions applied: certificate MD5 thumbprint collisions

Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched

Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Center (NCSC) and patched by Microsoft last year, according to Akamai's researchers.

CryptoAPI helps developers secure Windows-based apps using cryptography; the API can be used, for instance, to validate certificates and verify identities. The vulnerability in question (CVE-2022-34689) can be exploited by miscreants to digitally sign malicious executables in a way that tricks Windows and apps into believing the files are from trusted, legitimate sources and can be opened or installed. Exploiting this will involve getting said files onto victims' machines and having them run.

Alternatively, an attacker can craft a TLS certificate that appears to belong to another organization and trick an application into trusting the cert, if that application uses CryptoAPI to analyze the certificate. The app believes the attacker is the spoofed organization.

The bug isn't a remote code execution flaw; it's a vulnerability that allows someone to pretend to be another to an application or operating system, in the context of identity and certificate cryptography checks on Windows. There's a video [MP4] you can watch demonstrating exploitation against Chrome but here's the short version of that spoofing attack simply put.

https://user-images.githubusercontent.com/114926055/214040642-beb765f7-4788-45e8-836c-a08dc441b5b4.mp4

At the heart of it, Microsoft used the hashing algorithm MD5 to index and compare security certificates.
It's trivial to break MD5 with what's called a collision: a situation where two different blocks of data result in the same MD5 hash value. What's more, Microsoft used the four least-significant bytes of a certificate's MD5 thumbprint to index it.

So what you need to do is this: trick an application such as Chrome 48, which uses the Windows CryptoAPI, into connecting to a man-in-the-middle server that wants to pretend to be the website the user actually wanted. The malicious server sends the impersonated website's legit HTTPS cert to the browser, which passes it to CryptoAPI for processing and the cert is cached in memory on the user's PC. The cert is stored in this cache using part of the MD5 thumbprint of the cert's data as the index.

The malicious server meanwhile modifies the legit certificate so it can masquerade as the website, and ensures this new tampered-with evil certificate results in the same MD5-computed cache index as the real one. The server causes the browser to ask for the website's certificate again, at which point the server hands over the evil cert. The CryptoAPI library computes the MD5 fingerprint for the evil cert and its index in the cache, sees that there's already a valid cert in the cache for that index, and thus trusts the evil certificate. Now you've tricked the system into thinking the malicious cert is real.

How this is exploited in the real world to cause actual harm... well, you need to be a skilled and determined miscreant, and there are probably easier security weaknesses to target. See the above link to Akamai's write-up for full technical details.

"The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free," the researcher duo explained. "Since 2009, MD5's collision resistance is known to be broken."

https://www.theregister.com/2023/01/26/windows_cryptoapi_bug_akamai/

Certificate spoofing via MD5 collisions

MD5 collisions were first used to spoof SSL certificates.
There is one major difference between that first attack and the scenario we deal with today: the previous scenario attacked MD5 signatures, but in the current vulnerability we are dealing with MD5 thumbprints.

Certificate MD5 thumbprint collisions

Now, we can piece things together and provide a recipe for manipulating an existing, already-signed certificate to collide with a malicious certificate's MD5 thumbprint:

1. Take a legitimate RSA-signed end certificate, such as a website's TLS certificate (our "target certificate").
2. Modify any interesting fields (subject, extensions, EKU, public key, etc.) in the TBS part of the certificate to create the malicious certificate. Note: we don't touch the signature, so the malicious certificate is incorrectly signed. Modifying the public key is important here; this allows the attacker to sign as the malicious certificate.
3. Modify the parameters field of the signatureAlgorithm field of both certificates, so that there is enough space to put MD5 collision blocks starting at the same offset in both certificates.
4. Truncate both certificates at the position where the MD5 collision blocks are to be placed.
5. Perform an MD5 chosen-prefix collision computation and copy the result into the certificates.
6. Concatenate the legitimate certificate's signature value (suffix E in the explanation above) to both incomplete certificates.

https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi

MD5 collision research

https://www.mscs.dal.ca/~selinger/md5collision/
https://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/

"One basic requirement of any cryptographic hash function is that it should be computationally infeasible to find two distinct messages that hash to the same value. MD5 fails this requirement catastrophically; such collisions can be found in seconds on an ordinary home computer."
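The cache logic The Register's summary describes is small enough to model directly. The toy below is an added example for this article, not Akamai's proof of concept or Microsoft's code: it keeps a dictionary of verified certificates keyed by a thumbprint, and in place of two colliding certificates (which would need the chosen-prefix computation from the recipe above) it uses Marc Stevens' published pair of 64-byte MD5-colliding messages. It shows the forged blob being accepted on a thumbprint hit when the key is MD5, and rejected either when the cached bytes are compared to the presented ones or when the thumbprint is SHA-256. Whether Microsoft's fix took either of those two routes is not stated in the articles above, so treat the hardened variants as illustrations only.

```python
import hashlib
from typing import Dict, Optional

# Two distinct 64-byte messages with identical MD5 digests (Marc Stevens' published
# single-block collision). They stand in for the "legitimate" and "malicious" certificate
# blobs of the attack described above; producing real colliding certificates needs the
# chosen-prefix computation from the Akamai write-up, which is out of scope here.
LEGIT_CERT = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
)
EVIL_CERT = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"
)


class EndCertCache:
    """Toy model of a certificate cache keyed by a thumbprint of the whole certificate blob."""

    def __init__(self, hash_name: str, compare_bytes: bool = False):
        self.hash_name = hash_name          # "md5" models the vulnerable cache
        self.compare_bytes = compare_bytes  # hardening option: a hit must also match byte-for-byte
        self._verified: Dict[bytes, bytes] = {}

    def thumbprint(self, cert: bytes) -> bytes:
        return hashlib.new(self.hash_name, cert).digest()

    def cache_index(self, cert: bytes) -> int:
        # The write-up notes the index was the four least significant bytes of the MD5 thumbprint.
        return int.from_bytes(self.thumbprint(cert)[-4:], "little")

    def remember_verified(self, cert: bytes) -> None:
        """Called only after a full signature/chain verification succeeded."""
        self._verified[self.thumbprint(cert)] = cert

    def is_trusted(self, cert: bytes) -> bool:
        """The shortcut under attack: a thumbprint hit is treated as 'already verified'."""
        hit: Optional[bytes] = self._verified.get(self.thumbprint(cert))
        if hit is None:
            return False
        return hit == cert if self.compare_bytes else True


def mitm_succeeds(hash_name: str, compare_bytes: bool = False) -> bool:
    """Replay the attack: seed the cache with the real cert, then present the forged one."""
    cache = EndCertCache(hash_name, compare_bytes)
    cache.remember_verified(LEGIT_CERT)       # first connection: real cert, fully verified
    return cache.is_trusted(EVIL_CERT)        # second connection: forged cert, same thumbprint?


if __name__ == "__main__":
    print("md5 thumbprints equal:", hashlib.md5(LEGIT_CERT).digest() == hashlib.md5(EVIL_CERT).digest())
    print("vulnerable (md5 index):  ", mitm_succeeds("md5"))
    print("md5 + byte compare:      ", mitm_succeeds("md5", compare_bytes=True))
    print("sha256 index:            ", mitm_succeeds("sha256"))
```

The lesson generalises beyond CryptoAPI: any cache, deduplication table or allow-list keyed on a hash is only as strong as that hash's collision resistance, so a key derived from MD5 (or a truncation of it) cannot stand in for verifying the object itself.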
https://en.wikipedia.org/wiki/MD5

FBI catches up with infosec and crypto communities, blames Lazarus Group for $100 million heist

The FBI has confirmed what cybersecurity researchers have been saying for months: the North Korean-sponsored Lazarus Group (APT38) was behind the theft last year of $100 million in crypto assets from blockchain startup Harmony.

Attackers on June 22, 2022, hit Harmony's Horizon Bridge – a cross-chain service used to transfer assets between Harmony's blockchain and other blockchains – and stole Ethereum, Wrapped Bitcoin, Binance Coin, and Tether. In its January 23 statement on the matter, the FBI said the attack on Harmony was part of a North Korean malware campaign named "TraderTraitor."

https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft

The federal investigators said that on January 13, unnamed North Korean criminals used the privacy protocol Railgun to launder more than $60 million of Ethereum stolen during the Horizon Bridge hack and that a portion of the stolen Ethereum was then sent to several virtual asset service providers and converted to Bitcoin. Some of the funds were frozen, while the remaining Bitcoin was sent to almost a dozen addresses.

Two crypto exchanges – Binance and Huobi – froze the accounts used by Lazarus Group to launder the stolen Harmony assets. The FBI said it and other US agencies will continue to attack North Korea's cyber crime activities. The Treasury Department last year slapped sanctions on both Tornado Cash and another crypto mixer, Blender – in large part for their work helping the Lazarus Group launder stolen crypto assets.

https://www.theregister.com/2023/01/25/fbi_lazarus_harmony_crypto/

Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge.
The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys. The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSD, USDC, ETH and WBTC. All assets were then swapped to ETH and currently remain on the hacker's account on the Ethereum network. No steps have currently been taken by the hacker to anonymize ownership of these assets.

https://medium.com/harmony-one/harmonys-horizon-bridge-hack-1e8d283b6d66

Next steps and remedial actions taken by the Harmony Protocol

The Harmony Protocol team stated that they have upgraded the Ethereum side of the Horizon bridge to a 4-of-5 MultiSig in the wake of the incident, and are working continuously to enhance their operations and infrastructure security. Furthermore, the team emphasized that it is working closely with law enforcement officials and blockchain tracing partners as a part of ongoing investigations. They have also offered $1 million for the return of Horizon bridge funds and any information about the exploit. The Harmony Protocol team also claimed that they will advocate for no criminal charges after the funds are returned.

Reportedly, the cryptosphere has raised concerns about the size of the bounty, which is just 1% of the total amount stolen. It has been suggested that the bounty fee may be insufficient to incentivize the attackers to return the stolen funds, particularly considering that our analysis shows funds have already been laundered through Tornado Cash.

https://blog.merklescience.com/hacktrack/hacktrack-analysis-horizon-bridge-exploit

Lessons learned from the attack

The use of multi-signatures to manage high-value assets is best practice, but a 2 of 5 signature scheme provides little security.
Requiring more validators and ensuring that the compromise of a single private key does not place others at risk (i.e. storing keys on separate systems, protecting them with unique passphrases or keys, etc.) can help to prevent similar attacks in the future.

https://halborn.com/explained-the-harmony-horizon-bridge-hack/

ChatGPT and security - This Week in Security Feb 18th to Feb 25th, 2023
Editor's introduction

This week's editor is Koichi. Not a day goes by these days without hearing about AI. In particular ChatGPT, OpenAI's AI chat bot, responds in a very natural way that is hard to distinguish from a human's response. This week I have collected stories about ChatGPT and security, to consider what kinds of cybersecurity threat this useful and revolutionary tool brings.

We in F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities and get you back up and running. So next time you are facing a security emergency, please contact F5 SIRT.

This week's topics:
- ChatGPT can program, therefore fake applications are also possible.
- No confidential information should be given to it.
- ChatGPT had a service outage.
- AI-synthesised voice can be used for attacks.
- Cybersecurity experts warn of more sophisticated phishing mail.

ChatGPT can program, therefore fake applications are also possible

"This massive popularity and rapid growth forced OpenAI to throttle the use of the tool and launched a $20/month paid tier (ChatGPT Plus) for individuals who want to use the chatbot with no availability restrictions."

Bleeping Computer reported on February 22 that many cyber attacks taking advantage of ChatGPT have been observed. The methodology is to create fake ChatGPT services and apps and place them on sites as bait for malware infection and information theft. Please be careful not to fall for non-existent apps or unofficial websites, now that those are easily created.

Hackers use fake ChatGPT apps to push Windows, Android malware

No confidential information should be given to it
"If the employees want to chat, they'll just have to talk to each other instead."

JP Morgan has restricted the use of OpenAI's ChatGPT in the workplace due to compliance concerns. Considering the risk of leakage of confidential information, bans on the use of ChatGPT are not limited to JP Morgan. Whenever you use a service that requires you to enter information or upload files, you should consider the risk of that information or file being harvested by the service provider. For example, VirusTotal offers a service that checks files for viruses; however, this means that not only the presence or absence of a virus but also the data the file contains is passed to VirusTotal. Similarly, if you use these services without first removing sensitive information, that sensitive information will be harvested by OpenAI.

Giant Bank JP Morgan Bans ChatGPT Use Among Employees

ChatGPT had a service outage

On February 21, ChatGPT (both the website and the API) went down, meaning it gave no response. Submitting a question produced the message "A server error occurred while processing your request. We are sorry. Please retry your request or contact the Help Center if the error persists." It recovered within a day; however, this was observed not only this time but also last week. When you see a similar message, it is better to check the site below.

https://downdetector.com/status/openai/

AI-synthesised voice can be used for attacks

"Banks in the U.S. and Europe tout voice ID as a secure way to log into your account. I proved it's possible to trick such systems with free or cheap AI-generated voices." In this article, an AI-synthesised voice passed voice recognition authentication and the author broke into a bank account. Some banks in the U.S. allow access to bank accounts after a few exchanges with voice recognition. One text-to-speech service, from ElevenLabs, was able to pass the authentication.
https://vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice

One more for thinking about cyber security (not this week):

Cybersecurity experts warn of more sophisticated phishing mail

Two articles discuss the impact and usage of ChatGPT for cybersecurity. The common threat in both is an increase in phishing e-mails. Usually, phishing e-mails are easily detected because of their unnatural wording and phrasing; this is a barrier for non-native speakers trying to create effective phishing emails. However, ChatGPT allows non-native speakers to write natural sentences, which risks generating a large number of naturally worded phishing emails.

OpenAI's new ChatGPT bot: 10 dangerous things it's capable of
ChatGPT and more: What AI chatbots mean for the future of cybersecurity

LastPass, Mastodon, and AI/ML - Dec 31st - Jan 6th - F5 SIRT - This Week in Security
Editor's introduction

Hello, MegaZone is back this week as our rotation continues. I hope everyone had a good holiday season. Let's hope that 2023 is a good year.

A couple of things I want to plug, in case you weren't aware. All of the This Week in Security articles are tagged, so you can easily find all of them. Actually, there are two tags - TWIS and series-F5SIRT-this-week-in-security. Same results, but TWIS is easier to remember. Additionally, all of the content created by the F5 SIRT is also tagged with, wait for it, F5 SIRT. That's not only TWIS, but several other articles you may find valuable. Most recently that's included:

- Using iControl REST API to manage F5 BIG-IP Advanced Firewall Manager (AFM) by Tikka Nagi
- Why We CVE by myself
- Avoiding Common iRules Security Pitfalls by Jordan Zebor
- Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures by Arvin Fopalan

Stay tuned for more content from the F5 SIRT, we have a lot in the pipeline.

LastPass

/~ LastPass, oh, I gave you my creds / But the very next day you gave them away / This year, to save me from breach / I'll give them to someone diff'rent ~/

So, what lit the infosec world on fire last week? I know my feeds were full of one thing - LastPass. Sure, technically the news broke just before Christmas, but I think the holidays delayed some of the reaction into the new year. The timing was itself the subject of a lot of negative reaction, as some feel it was deliberately withheld until the Thursday just before Christmas in an attempt to bury the news. I'm not sure I agree with that, but it certainly wasn't great that the full extent of the issue, with customer password vaults being downloaded, was only revealed months after the initial disclosure. The initial disclosure on August 25th, and the first update on September 15th, stressed that the breach was limited to the development environment.
The next update on November 30th (previously on TWIS) was the first indication that the scope might be larger. But it wasn't until December 23rd that the full scope, including the loss of customer data, was disclosed. Presuming we do indeed now have the full scope, of course.

The infosec fediverse was pretty much non-stop chatter about this, as was the press, etc. There was some lively discussion about this internally at F5 as well. A lot of people use, or should I say used, LastPass. LastPass has had issues in the past, but then so have most vendors. This time though it was the combination of the extent of the breach and how they handled it that has collapsed the trust for many - myself included. I used to include LastPass at the top of my list of recommended credential managers as it was something most users could readily use, was cross-platform, integrated with browsers well, etc. And their past issues seemed to be handled well enough. But I can no longer recommend LastPass.

I know a lot of security geeks are ready to recommend super-secure systems that you host yourself, don't include syncing, etc., because I saw plenty of that in the past week. Which is fine if you're that type of user. But most people need something easy to use and understand, or they won't use it. The most common features I see requested are multi-device, cross-platform support - Windows/macOS, Android/iOS, perhaps ChromeOS, etc. - with syncing between devices, and browser integration for ease of use. I'm sure I'll get a lot of flak for this, but for many users the password manager built into Chrome or other browsers is probably fine. I heard the groans. I'm aware of the issues, but if the trade-off is between using bad, but easily remembered, passwords, or the same password everywhere, or using the built-in manager, the latter is the better option. They check many, if not all, of the boxes.
If you're a Chrome browser user and use the built-in manager it'll sync across the desktop, Android, and ChromeOS transparently. I'm not an Apple user but I understand their ecosystem is similar via the iCloud Keychain. I can barely get my father to not use the same password everywhere, let alone try to get him to deal with 3rd party password managers.

For users looking to step up I saw a few leading contenders emerge from the discussions:

1Password - This seemed to be the top recommendation for those looking to move from LastPass to a similar commercial product with a better track record.
Bitwarden - This was a top recommendation, and it is open-source.
KeePassXC - This seemed to be a favorite mostly from the geekier users. Also open-source.

Note, none of this is an endorsement by F5, Inc, the F5 SIRT, nor even myself. Personally all of the discussions made me curious about Bitwarden, as I haven't previously checked it out, so I'm planning to do that to see what it is like. If you have a favorite password manager, or have feedback on these, leave a comment below.

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
https://gizmodo.com/hackers-lastpass-users-password-vaults-change-now-1849926968
https://grahamcluley.com/lostpass-after-the-lastpass-hack-heres-what-you-need-to-know/
https://www.scmagazine.com/analysis/cloud-security/researchers-advise-teams-to-change-master-passwords-and-2fa-keys-after-lastpass-disclosure
https://restoreprivacy.com/password-manager/reviews/bitwarden/
https://en.wikipedia.org/wiki/List_of_password_managers

Mastodon Tramples Twitter

The other big subject of discussion I've seen lately is the continued corrosion of Twitter, and the resulting migration to the Fediverse. I don't want to get into the politics here, though I certainly have my opinions, but from a strictly functional standpoint I've been getting far more errors from Twitter in the past couple of months than for the previous several years.
Error messages, content not loading, links failing, etc. It is kind of painful. But the security connection is somewhat meta - a huge swath of InfoSec professionals who used to be active on Twitter have pulled stakes and moved to the Fediverse, mostly various Mastodon instances. And primarily, at least for my circles, that's Infosec.Exchange and DefCon.Social. It is social media, and if the people I want to follow and interact with are moving, that's a reason for me to do so as well - so I did. I'm not saying anyone needs to abandon Twitter - I still use my account mainly to follow those friends who remain there even if I've all but stopped tweeting myself. But if you do want to follow a lot of the activity in InfoSec social media circles I'd suggest at least checking it out.

There are some useful tools and guides to help you get started:

Moving from Twitter to Mastodon.txt - A guide from Deviant Ollam
Your Guide to Joining and Using Mastodon - A video presentation by Deviant Ollam

There are several tools which can help you find your Twitter connections in the Fediverse:

Movetodon
Twitodon
Fedifinder
Debirdify

You can also turn your Twitter archive into HTML with this tool by Darius Kazemi.

I've been around long enough to have gone through BBSes, mailing lists, USENet, SixDegrees, Friendster, MySpace, Orkut, Google+, LiveJournal, etc. This is just one more evolution. I know there are other guides and tools, feel free to share your favorites in the comments. But let's try to keep it civil and not get into political arguments, etc. They're just tools and people can use whatever works for them.

The Robot Uprising

As we kick off 2023 there has been a lot of chatter about artificial intelligence (AI), machine learning (ML), and the impact on information security. (Also a lot of chatter about 'AI Art', but that's a different, if loosely related, issue.) It is easy to dismiss AI/ML as sci-fi/fantasy content, something we don't have to worry about for a long time.
But the future arrives sooner than you expect it to, and the models used by these systems are growing by orders of magnitude very, very quickly. GPT-3 has already been used to create working exploits, as well as analyze existing code - including obfuscated and decompiled code - for vulnerabilities. And GPT-4 is expected to be vastly more sophisticated and capable.

A few of our team members have been playing around with ML tools, including ChatGPT, and the results have been interesting, even surprising. Sometimes they do swing very wide of the mark, but a lot of the time they're producing pretty solid output. If not 'ready-to-use', at least a major leg up with some finishing work required. And, as I said, the models used by the various tools continue to improve at an astounding rate and the tools themselves continue to be refined.

This will change the infosec landscape, for both attackers and defenders, and you ignore it at your own peril. I was fairly skeptical until recently, but I've come around after seeing some of the results. This is definitely a space to watch, and be ready to adapt to. AI/ML is coming and it will shake up a lot of industries, for better and for worse. This is beyond lazy students trying to get ChatGPT to write essays for them. Be it art, content creation, or infosec, AI/ML is coming to shake things up. And, to quote Ani DiFranco, "Every tool is a weapon - if you hold it right."
https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/
https://www.blackhat.com/us-21/briefings/schedule/#turing-in-a-box-applying-artificial-intelligence-as-a-service-to-targeted-phishing-and-defending-against-ai-generated-attacks-22925
https://www.scmagazine.com/analysis/emerging-technology/cybercriminals-are-already-using-chatgpt-to-own-you
https://www.scmagazine.com/feature/emerging-technology/2023-tech-predictions-ai-and-machine-learning-wicome-into-their-own-for-security
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-emerging-ai-threat-landscape/
https://www.sasa-software.com/hacking-for-the-millions-the-dark-side-of-chatgpt/
https://en.wikipedia.org/wiki/ChatGPT

Binance Hack, Data Leak and Supply Chain Attack - F5 SIRT This Week in Security - Oct 1st to Oct 7th
This Week in Security October 1st to October 7th, 2022

Binance Hack, Data Leak, Critical Vulnerability and Supply Chain Attack

Hello Everyone, this week your editor is Dharminder. I am back again with another edition of This Week in Security. This time I have security news about a critical vulnerability, a supply chain attack, a Binance blockchain hack and the DNS data leak.

We in the F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact the F5 SIRT. OK, so let's get started with the details of the security news. Before we start, a gentle reminder about the upcoming Quarterly Security Notification on 19th October 2022.

Fortinet - Remote Authentication Bypass Critical Vulnerability

Fortinet is in the news lately for a critical vulnerability in various software versions. Fortinet has published software versions which fix the remote authentication bypass vulnerability, but since the vulnerability is being exploited in the wild, Fortinet has recommended that all Fortinet customers update immediately. As per the advisory published by Fortinet, the CVSS score of this vulnerability is 9.6 and the weakness is "CWE-288: Authentication Bypass Using an Alternate Path or Channel". The CVSS vector behind that score tells you the attack can be performed remotely over the network with no authentication required, and that the impact on confidentiality, integrity and availability is high. Fortinet has provided IOCs (indicators of compromise) in the advisory so that customers can search their logs for them and, if anything matches, contact Fortinet customer support for help. So if you are a Fortinet customer, follow the advisory and update the software.
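As an added example (not Fortinet's code and not taken from the advisory), here is a small Python triage helper for this advisory. It encodes the vulnerable version ranges the advisory lists below, and scans log lines for the indicator the advisory publishes: an event whose user field is Local_Process_Access with a user_interface of Node.js or Report Runner. The sample log lines are constructed, and their key=value layout is an assumption modelled on FortiOS syslog, so adapt the field names to what your devices actually emit.

```python
"""Triage helper for Fortinet advisory FG-IR-22-377 (CVE-2022-40684).

Added example, not Fortinet's or F5's code. Version ranges are the ones
the advisory lists; the indicator is the one the advisory publishes.
The sample log lines are constructed and their key=value layout is an
assumption modelled on FortiOS syslog: adapt the field names to your logs.
"""
import re
from typing import Dict, List, Tuple

# Inclusive vulnerable ranges per product, as listed in the advisory.
AFFECTED = {
    "FortiOS": [((7, 2, 0), (7, 2, 1)), ((7, 0, 0), (7, 0, 6))],
    "FortiProxy": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 6))],
    "FortiSwitchManager": [((7, 2, 0), (7, 2, 0)), ((7, 0, 0), (7, 0, 0))],
}

# Indicator published in the advisory: configuration changes logged under
# this pseudo-user with one of these user_interface values.
IOC_USER = "Local_Process_Access"
IOC_INTERFACES = {"Node.js", "Report Runner"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.6' (or 'v7.0.6') into a tuple that compares numerically."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(product: str, version: str) -> bool:
    """True when product/version sits inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED.get(product, []))


# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one log line into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def find_iocs(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the advisory's indicator."""
    hits = []
    for line in lines:
        event = parse_kv(line)
        if event.get("user") == IOC_USER and event.get("user_interface") in IOC_INTERFACES:
            hits.append(event)
    return hits


# Constructed sample: two ordinary admin events and one matching the IOC.
SAMPLE_LOGS = [
    'date=2022-10-10 time=08:01:12 logid="0100032001" type="event" subtype="system" '
    'level="information" user="admin" ui="https(203.0.113.7)" action="login" status="success"',
    'date=2022-10-10 time=08:03:44 logid="0100044547" type="event" subtype="system" '
    'level="information" user="Local_Process_Access" user_interface="Node.js" '
    'action="Edit" cfgpath="system.admin" msg="Edit system.admin admin"',
    'date=2022-10-10 time=08:05:01 logid="0100032003" type="event" subtype="system" '
    'level="information" user="admin" ui="ssh(203.0.113.7)" action="logout" status="success"',
]

if __name__ == "__main__":
    for product, version in [("FortiOS", "7.0.6"), ("FortiOS", "7.0.7"), ("FortiProxy", "7.2.1")]:
        state = "VULNERABLE" if is_vulnerable(product, version) else "not in affected range"
        print(f"{product} {version}: {state}")
    for event in find_iocs(SAMPLE_LOGS):
        print("IOC match:", event["date"], event["time"], event.get("msg", ""))
```

Feed it exported event logs line by line. A match is the cue to open a case with Fortinet support as the advisory suggests, not proof of compromise on its own, since the field names here are assumed; and because version checks say nothing about what happened before the upgrade, run the log scan even on devices that are already on a fixed release.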
Below are the lists of vulnerable and fixed versions.

Vulnerable versions:
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0

Fixed versions:
FortiOS version 7.2.2 or above
FortiOS version 7.0.7 or above
FortiProxy version 7.2.1 or above
FortiProxy version 7.0.7 or above
FortiSwitchManager version 7.2.1 or above

https://www.fortiguard.com/psirt/FG-IR-22-377
https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/

Supply Chain Attack by LofyGang

These days we have been hearing a lot about supply chain attacks, and the latest addition to that list is LofyGang's. A researcher from Checkmarx has discovered approximately 200 malicious packages, including password stealers and persistent malware, on code hosting platforms such as npm and GitHub. As per the researcher, all these malicious packages are linked to LofyGang, whose main focus is stealing and sharing stolen credit cards and credentials for gaming and streaming platforms like Disney+. Interestingly, LofyGang has a YouTube channel hosting many video tutorials on how to use its hacking tools. A Discord bot named "Lofy Boost" can be used by channel members to purchase Nitro on their behalf using a stolen credit card. The stolen credit cards come from npm supply chain infections and from backdoored hacking tools on GitHub. Many of the npm packages impersonate Discord development packages or packages for color, string, and file operations. Tools promoted by the gang on GitHub include a Discord spammer, a Nitro generator, a password stealer, a Discord token grabber, and a Discord webhook hiding module.
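To make the "impersonating well-known packages" and "pulled in as a dependency" patterns concrete, here is an added Python example (not LofyGang's tooling and not Checkmarx's research code) that audits a package-lock.json: it walks the dependency tree from the project's direct dependencies, flags names within a small edit distance of a watchlist of popular packages, and flags packages that carry an install script, noting whether they were requested directly or arrived transitively. The lockfile and watchlist are constructed, the package names in them are placeholders rather than the real malicious packages, and the code assumes the lockfileVersion 2/3 layout in which "packages" maps node_modules paths to metadata and hasInstallScript marks install hooks.

```python
"""Audit a package-lock.json for lookalike names and transitive install scripts.

Added example, not LofyGang's tooling or Checkmarx's research code. The
lockfile and the watchlist below are constructed; the package names are
placeholders, not the real malicious packages. Assumes the lockfileVersion
2/3 layout: "packages" maps "node_modules/<name>" paths to metadata, the ""
entry is the project itself, and "hasInstallScript" marks install hooks.
"""
import json
from typing import Dict, List, Tuple

# Constructed watchlist of popular packages worth impersonating.
WATCHLIST = ["discord.js", "colors", "chalk", "lodash", "fs-extra", "string-width"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names (names are short, so O(n*m) is fine)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def lookalike(name: str, max_distance: int = 2) -> str:
    """Watchlist entry that `name` resembles without equalling it, else ''."""
    for known in WATCHLIST:
        if name != known and levenshtein(name, known) <= max_distance:
            return known
    return ""


def installed_packages(lock: dict) -> Dict[str, dict]:
    """Map bare package name -> lockfile metadata (last path segment is the name)."""
    return {
        path.rsplit("node_modules/", 1)[1]: meta
        for path, meta in lock["packages"].items()
        if path.startswith("node_modules/")
    }


def dependency_paths(lock: dict) -> Dict[str, List[str]]:
    """Breadth-first chain of names from a direct dependency down to each package."""
    packages = installed_packages(lock)
    paths: Dict[str, List[str]] = {}
    queue = [(name, [name]) for name in lock["packages"][""].get("dependencies", {})]
    while queue:
        name, chain = queue.pop(0)
        if name in paths or name not in packages:
            continue
        paths[name] = chain
        for child in packages[name].get("dependencies", {}):
            queue.append((child, chain + [child]))
    return paths


def audit(lock: dict) -> List[Tuple[str, str, str]]:
    """Findings as (package, reason, chain) tuples."""
    packages = installed_packages(lock)
    findings = []
    for name, chain in dependency_paths(lock).items():
        shown = " -> ".join(chain)
        known = lookalike(name)
        if known:
            findings.append((name, f"name resembles {known}", shown))
        if packages[name].get("hasInstallScript"):
            how = "direct" if len(chain) == 1 else "transitive"
            findings.append((name, f"install script ({how} dependency)", shown))
    return findings


# Constructed lockfile: a bot project whose harmless-looking direct
# dependency pulls in a lookalike of discord.js that runs an install script.
SAMPLE_LOCK = json.loads("""
{
  "name": "my-bot",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"discord.js": "^14.0.0", "colorful-strings": "^1.0.0"}},
    "node_modules/discord.js": {"version": "14.3.0", "dependencies": {"ws": "^8.0.0"}},
    "node_modules/ws": {"version": "8.8.1"},
    "node_modules/colorful-strings": {"version": "1.0.2",
                                      "dependencies": {"discord-js": "^0.0.3"}},
    "node_modules/discord-js": {"version": "0.0.3", "hasInstallScript": true}
  }
}
""")

if __name__ == "__main__":
    for package, reason, chain in audit(SAMPLE_LOCK):
        print(f"{package}: {reason} via {chain}")
```

The chain in each finding is the part worth reading: it shows which direct dependency is responsible for a suspicious transitive one, which is exactly the information that is missing when you only review the packages you asked for in package.json. Replace the watchlist with whatever your projects actually depend on; an edit distance of 2 is a starting point, not a rule.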
Let's discuss the Discord malware. Per the researcher, it replaces the legitimate Discord app on the infected system with a malicious version, which then steals credit card information every time the user pays for a subscription. The researcher also found that in most cases, instead of infecting the main package, the malware was fetched as a dependency. Knowing how LofyGang carried out this supply chain attack, and given the increase in supply chain attacks overall, it is best for us to be extra cautious and to help each other by sharing knowledge so we can better tackle these and the many other types of attacks.

https://www.bleepingcomputer.com/news/security/lofygang-hackers-built-a-credential-stealing-enterprise-on-discord-npm/
https://www.infosecurity-magazine.com/news/lofygang-software-supply-chain/
https://cyware.com/news/lofygang-gang-spreads-via-over-200-malicious-packages-and-fake-hacking-tools-c0243233/?web_view=true

Binance Blockchain Bridge hacked

If you deal in cryptocurrency, especially in Binance Coin (BNB), then this news is for you. As per the reports, BNB Smart Chain was paused by Binance due to a security incident in which hackers stole 2 million BNB, worth about $566 million, from the Binance Bridge. As per the reports, the hackers received a total of 2 million BNB in two transactions of 1 million each. Soon after receiving the BNB, the hacker began spreading some of the funds across a variety of liquidity pools, attempting to convert the BNB into other assets. The security incident was also acknowledged by the CEO of Binance on Twitter; in his tweet he mentioned "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." He also mentioned that the issue has been contained and funds are safe.
Although Binance has confirmed that they will provide a postmortem report in the future, meanwhile the Binance website states: "There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as “BSC Token Hub.” A total of 2 million BNB were withdrawn. The exploit was through a sophisticated forging of the low level proof into one common library." Hopefully all cryptocurrency players will be extra cautious after this security incident and take extra steps to avoid such incidents.

https://www.theguardian.com/technology/2022/oct/07/binance-crypto-hack-suspended-operations
https://www.investopedia.com/binance-got-hacked-6748215
https://www.bleepingcomputer.com/news/security/hacker-steals-566-million-worth-of-crypto-from-binance-bridge/

Russian Retail chain 'DNS' data leaked online

DNS (Digital Network System), Russia's second-largest computer and home appliance store chain, with 2,000 branches and 35,000 employees, recently suffered a data breach. Personal data belonging to both customers and employees was leaked, reportedly including usernames, passwords, names, phone numbers, and email addresses. DNS, the company, has confirmed that the attack was carried out by a group of hackers from servers located outside the Russian Federation. They also stated that user passwords were not affected, and that customers' payment information, which is not stored on DNS servers, could not have been affected. According to some posts, a pro-Ukrainian hacker group 'NLB team' was responsible for the attack. So most likely this data breach is a result of the cyber war between pro-Ukrainian and pro-Russian hacking groups, which has been going on since the war started between Russia and Ukraine.

https://cybernews.com/cyber-war/retail-chain-dns-data-leaked/
https://www.bleepingcomputer.com/news/security/russian-retail-chain-dns-confirms-hack-after-data-leaked-online/