TWIS
Money, Agents, Apologies, Switcheroos, Hype, and Hope
MegaZone is your editor once again, for this belated issue of This Week In Security, covering the week of September 22-28, 2024. Apologies, it was a very hectic week and every time I thought I'd have a chance to sit down and write this, something came up. I planned to work on it Monday and the next thing I knew it was Friday afternoon and I still hadn't had a chance. Sometimes that's just how the week goes. Oddly, a few of the items I covered last time are back in the news this week - or, perhaps, still in it. And here... we... go...

GC Document AI Transitive Access Abuse, make-me-root holes in VMWare fixed and more
Hello! ArvinF is your editor for this week's edition of TWIS covering 15-21 Sept 2024. Let's dive in.

Google Cloud Document AI flaw (still) allows data theft despite bounty payout

Google Cloud's Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information. Kat Traxler of Vectra AI detailed the attack in research published alongside a proof-of-concept (PoC) that bypasses Document AI's access controls, copies a PDF out of a source Cloud Storage bucket, alters the file and writes it back.
https://www.vectra.ai/blog/transitive-access-abuse-data-exfiltration-via-document-ai
https://github.com/KatTraxler/document-ai-samples/tree/main

The root cause is in batch processing. For batch jobs the service does not act as the caller; it acts as a Google-managed service account called a service agent, which reads the input documents from Cloud Storage and writes the results back out. The problem is that the service agent's pre-set permissions are too broad: it can access any Cloud Storage bucket in the same project. So anyone allowed to submit a batch job can point the job's input at a bucket they cannot read themselves and its output at a bucket they control, and the identity Cloud Storage checks is the service agent's, not theirs. The user's own IAM grants never come into play; this is a classic confused-deputy pattern.

"This capability enables a malicious actor to exfiltrate data from GCS to an arbitrary Cloud Storage bucket, bypassing access controls and exfiltrating sensitive information," Traxler wrote. "Leveraging the service (and its identity) to exfiltrate data constitutes transitive access abuse, bypassing expected access controls and compromising data confidentiality."

Google's initial assessment through its Vulnerability Reward Program was that the report did not "meet the bar for a financial reward"; the researcher received an acknowledgement only. Google later changed the status of the reported bug to "fixed" and paid the bounty.
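One way to check whether a project's Google-managed service agents carry this kind of project-wide bucket access, as an added example that is not Vectra's PoC or any Google tooling: the script below reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags service agents holding storage write roles without an IAM condition. The service-agent address pattern, the role list and the sample policy are assumptions constructed for illustration, not pulled from a real project; confirm what a role really grants with `gcloud iam roles describe`.

```python
"""Flag Google-managed service agents that can write to any bucket in a project.

Input shape is the JSON from `gcloud projects get-iam-policy PROJECT --format=json`:
{"bindings": [{"role": "...", "members": ["..."], "condition": {...}}, ...]}.
Constructed example for this write-up; not Google or Vectra code.
"""
import json
import re
from dataclasses import dataclass

# Google-managed service agents are named service-<project number>@gcp-sa-<service>...
# Assumed pattern for illustration; adjust if your agents are named differently.
SERVICE_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[a-z0-9-]+\.iam\.gserviceaccount\.com$"
)

# Predefined roles that include storage.objects.create (constructed list; confirm
# each one with `gcloud iam roles describe ROLE` before relying on it).
STORAGE_WRITE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.objectUser",
}


@dataclass(frozen=True)
class Finding:
    member: str
    role: str
    severity: str  # "high", "medium" or "review"
    note: str


def audit_service_agents(policy: dict) -> list[Finding]:
    """Return one finding per (service agent, role) pair worth a second look."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            if not SERVICE_AGENT_RE.match(member):
                continue  # users, groups and ordinary service accounts are out of scope here
            if role in STORAGE_WRITE_ROLES and condition is None:
                # The Document AI shape: the agent can write to every bucket in the
                # project, so anyone who can drive the service can route data anywhere.
                findings.append(Finding(member, role, "high",
                    "unconditional project-wide bucket write; any caller who can submit "
                    "jobs to this service can move data between buckets via the agent"))
            elif role in STORAGE_WRITE_ROLES:
                findings.append(Finding(member, role, "medium",
                    "bucket write limited by IAM condition: "
                    + str(condition.get("expression"))))
            elif role.endswith(".serviceAgent"):
                # Service-specific agent roles bundle permissions that are not visible
                # in the policy itself, so they have to be listed separately.
                findings.append(Finding(member, role, "review",
                    "service-specific agent role; list its permissions and look for "
                    "storage.objects.create / storage.objects.get"))
    return findings


# Constructed sample policy (project number, agent domain and bucket names are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:service-123456789012@gcp-sa-prod-dai-core.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:service-123456789012@gcp-sa-prod-dai-core.iam.gserviceaccount.com"],
     "condition": {"title": "results bucket only",
                   "expression": "resource.name.startsWith('projects/_/buckets/docai-output/')"}},
    {"role": "roles/documentai.serviceAgent",
     "members": ["serviceAccount:service-123456789012@gcp-sa-prod-dai-core.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:analyst@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    for f in audit_service_agents(SAMPLE_POLICY):
        print(f"[{f.severity}] {f.member} has {f.role}: {f.note}")
```

To run it against a real project, replace SAMPLE_POLICY with `json.load(sys.stdin)` and pipe in the gcloud output. The "high" finding is the shape to fix; the "medium" one shows what a grant scoped to a single output bucket by an IAM condition looks like, which is the sort of narrowing that keeps the agent from becoming a courier between buckets.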
Follow-up checks by the researcher after the "fixed" status showed that the service could still be abused. Good on the researcher for validating the fix and providing feedback rather than taking the status change at face value. The practical takeaway for anyone running Document AI, or any Google service that acts through a service agent, is to audit what that agent can reach and to keep it from holding project-wide bucket access it does not need.
https://www.theregister.com/2024/09/17/google_cloud_document_ai_flaw/

VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation

Broadcom has issued patches for two vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely take over a system. VMware Cloud Foundation, which bundles vCenter, is also affected.

The first flaw, CVE-2024-38812, is a heap overflow in vCenter's DCE/RPC (Distributed Computing Environment / Remote Procedure Call) protocol implementation. A network-reachable attacker who can trigger the overflow and corrupt the heap can achieve remote code execution on an unpatched system. Broadcom rates it critical, with a CVSS score of 9.8 out of 10.

The second, CVE-2024-38813, is a privilege escalation flaw with a CVSS score of 7.5 that VMware-owned Broadcom rates as important. Someone with network access to the vulnerable software could exploit it to gain root privileges on the system. Broadcom chose to cover both flaws in a single advisory (VMSA-2024-0019) and FAQ.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
https://blogs.vmware.com/cloud-foundation/2024/09/17/vmsa-2024-0019-questions-answers/

Both flaws were discovered at the Matrix Cup Cyber Security Competition, held in June in China and organized by 360 Digital Security Group and Beijing Huayunan Information Technology Company. Over 1,000 teams competed to report holes in products for $2.75 million in prizes. Zbl and srs of Team TZL at Tsinghua University were credited with discovering the bugs, which were disclosed to Broadcom to patch.
https://web.archive.org/web/20240708061854/https:/360.net/about/news/article66836ac56ddf08001f91a723#menu

The team bagged the competition's Best Vulnerability Award, along with a $59,360 payday, showing once again that bug bounties and competitive hacking really work. Disclosing vulnerabilities responsibly to the affected vendor lets the vendor fix the flaw and, in turn, protect its customer base. It has a ripple effect: organizations running patched software shrink their attack surface, which improves the security of the services they offer and the data those services protect.

Chinese national accused by Feds of spear-phishing for NASA, military source code

A Chinese national, Song Wu, has been accused of conducting a years-long spear-phishing campaign that aimed to steal source code from the US Army and NASA, plus other highly sensitive software used in aerospace engineering and military applications. At least some of the spears hit their targets, and some of this restricted software made its way to China, according to a Department of Justice announcement and an indictment.
https://www.justice.gov/opa/pr/justice-department-announces-three-cases-tied-disruptive-technology-strike-force
https://regmedia.co.uk/2024/09/16/song_wu_indictment.pdf

The DoJ claims Song was employed as an engineer at Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate headquartered in Beijing. While in that role, Song allegedly began sending phishing emails around January 2017 and continued through December 2021, using imposter email accounts that posed as colleagues or associates of the targets. One email cited in the indictment, sent on April 28, 2020 from one such "imposter email account" to "Victim 2", requested NASCART-GT, which appears to be used in NASA projects. The email read: "Hi [Victim 2], I sent Stephen an email for a copy of NASCART-GT code, but got no response right now. He must be too busy. Will you help and sent (sic) it to me?" Some of the scams worked, according to the DoJ.
While the indictment doesn't detail exactly what sensitive IP Song is alleged to have stolen, it does note that: "In some instances, the targeted victim, believing that defendant SONG … was a colleague, associate, or friend requesting the source code or software electronically transmitted the requested source code or software to defendant Song." If apprehended and convicted, Song faces a maximum of 20 years in prison for each count of wire fraud, plus two years in prison for each count of aggravated identity theft.

Spear-phishing is an old technique, and it keeps working. Granted, this campaign began about seven years ago, and organizations have presumably deployed more technology and safeguards against spear-phishing since then, along with security awareness training. But the victims here were likely highly technical people in their fields, which is a reminder that expertise is not immunity: everyone needs the security mindset to recognize a potential spear-phishing attempt and report it per their organization's IT policy. Security is everyone's responsibility. A request for source code from a "colleague" deserves a healthy dose of suspicion, especially when it arrives from an unfamiliar address or outside the usual channel. If in doubt, ask, and follow the policies your IT organization has defined.
https://www.theregister.com/2024/09/17/chinese_national_nasa_phishing_indictment/

23andMe settles class-action breach lawsuit for $30 million
Also: Apple to end NSO Group lawsuit; Malicious Python dev job offers; Dark web kingpins busted; and more

Court documents filed in a San Francisco federal court indicate 23andMe will fork over the pot of money to settle claims from any of the 6.4 million US citizens (per court documents) whose data was stolen during the incident.
The settlement includes an agreement to provide three years of privacy, medical and genetic monitoring.
https://regmedia.co.uk/2024/09/13/23andme-settlement.pdf

23andMe, which offers genetic testing services, suffered a massive data breach in 2023 that saw millions of its customers' records stolen and put up for sale on the dark web.
https://www.theregister.com/2023/10/19/latest_23andme_data_leak_takes/

It is never good to have personal information leaked, as it opens the door to fraud later and puts the original owner in potentially uncomfortable scenarios. $30M split among 6.4M affected users comes to under $5 per person. Having privacy, medical and genetic monitoring included in the settlement helps. It would have been better if the breach had not happened in the first place.

Apple drops suit against NSO Group

Worried the case might ultimately do more harm than good, Apple has moved to drop its lawsuit against Pegasus spyware maker NSO Group.
https://www.theregister.com/2021/11/23/apple_nso_group/
https://www.theregister.com/2024/03/01/nso_pegasus_source_code/

Court documents filed by Apple last Friday indicate Apple is worried that the discovery process against Israel-based NSO Group would see sensitive Apple data reach NSO and companies like it, enabling the creation of additional spyware tools used by nation states.
https://www.theregister.com/2023/05/30/nso_owner_hacking/

Organizations have to do what protects their interests. I will leave it at that.

Beware that job offer, Pythonista: It could be a malware campaign

Malware campaigns that mimic skills tests for developers are nothing new, but this one targeting Python developers is. Reported by researchers at ReversingLabs, the malware uses the same tactic as previously spotted campaigns: trick developers into downloading malicious packages masquerading as a take-home coding test. The lure is a recruiter who sends the candidate a project to build and run, and the payload sits inside the package the candidate is asked to work on.
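A pre-execution check that a candidate, or a security team vetting a recruiter's "take-home", can run before installing or executing anything, added here as an example and not taken from the ReversingLabs write-up: it parses every .py file in the project with Python's ast module (so nothing in the project runs) and flags the building blocks these droppers tend to combine: dynamic code execution (exec/eval), payload decoders (base64, zlib, marshal), long opaque string literals, and imports that reach out to the network or spawn processes. The sample project, its base64 "payload" and the thresholds are constructed for illustration.

```python
"""Static triage of a Python 'coding test' before any of it is run.

Constructed example; not from the ReversingLabs report. Files are passed in as
{path: source}, so the same function works on a directory, an sdist or an archive.
"""
import ast
from dataclasses import dataclass

DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
DECODERS = {"base64.b64decode", "base64.b85decode", "codecs.decode",
            "zlib.decompress", "bytes.fromhex", "marshal.loads"}
REACH_OUT = {"socket", "urllib", "urllib.request", "requests",
             "http.client", "subprocess", "ctypes"}
OPAQUE_LEN = 120  # a literal this long with no whitespace is rarely prose (assumed threshold)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str  # "exec", "decode", "opaque-literal", "reach-out" or "unparseable"
    detail: str


def _call_name(func: ast.AST) -> str:
    """Turn the callee of a Call node into dotted text, e.g. base64.b64decode."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


class PayloadHunter(ast.NodeVisitor):
    def __init__(self, path: str):
        self.path = path
        self.findings: list[Finding] = []

    def _add(self, node: ast.AST, kind: str, detail: str) -> None:
        self.findings.append(Finding(self.path, node.lineno, kind, detail))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node.func)
        if name in DYNAMIC_EXEC:
            self._add(node, "exec", f"dynamic code execution via {name}()")
        elif name in DECODERS:
            self._add(node, "decode", f"payload decoding via {name}()")
        self.generic_visit(node)  # keep walking: the decoder's argument may be the blob

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name in REACH_OUT:
                self._add(node, "reach-out", f"imports {alias.name}")

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module in REACH_OUT:
            self._add(node, "reach-out", f"imports from {node.module}")

    def visit_Constant(self, node: ast.Constant) -> None:
        value = node.value
        if isinstance(value, bytes):
            value = value.decode("latin-1")
        if isinstance(value, str) and len(value) >= OPAQUE_LEN and not any(c.isspace() for c in value):
            self._add(node, "opaque-literal", f"{len(value)}-char literal with no whitespace")


def scan_project(files: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    for path, source in files.items():
        if not path.endswith(".py"):
            continue
        try:
            tree = ast.parse(source, filename=path)
        except SyntaxError as exc:
            findings.append(Finding(path, exc.lineno or 0, "unparseable", "inspect by hand"))
            continue
        hunter = PayloadHunter(path)
        hunter.visit(tree)
        findings.extend(hunter.findings)
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' when the dropper pattern (blob or decoder plus exec) is present."""
    kinds = {f.kind for f in findings}
    if "exec" in kinds and kinds & {"decode", "opaque-literal"}:
        return "block"
    return "review" if findings else "ok"


# Constructed sample: a benign-looking task plus a dropper hidden in the package __init__.
_FAKE_BLOB = "QUJD" * 40  # placeholder base64 text, not a real payload
SAMPLE_TEST_PROJECT = {
    "README.md": "Coding test: implement solve() in task/solution.py and run main.py",
    "task/solution.py": "def solve(nums):\n    return sorted(nums)\n",
    "main.py": "from task import solution\nprint(solution.solve([3, 1, 2]))\n",
    "task/__init__.py": "import base64\nimport urllib.request\n"
                        f"exec(base64.b64decode('{_FAKE_BLOB}'))\n",
}

if __name__ == "__main__":
    results = scan_project(SAMPLE_TEST_PROJECT)
    for f in results:
        print(f"{f.path}:{f.line} [{f.kind}] {f.detail}")
    print("verdict:", verdict(results))
```

The point of the verdict logic is the combination: a decoder or an opaque blob on its own is common in legitimate code, and so is exec in test harnesses, but the two together in a package you did not write is the dropper shape. A "review" result still means reading the flagged lines yourself; a static pass says nothing about what the code fetches once it runs, so even a clean project should be executed in a throwaway VM or container, not on the machine that holds your SSH keys and browser sessions.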
In the reported campaign, once the victim runs the "test" code and works through the problems it contains, the embedded payload executes and the system is infected.
https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages
https://www.theregister.com/2023/10/04/lazarus_group_lightlesscan_malware_upgrade/

As reported, North Korean threat actors have been behind several campaigns using fake job offers to infect systems with backdoors and infostealers. In previous campaigns the lures were fake jobs at Oracle, Disney or Amazon; this time the attackers appear to be posing as financial services firms.
https://www.theregister.com/2022/03/25/chrome_exploits_north_korea/

I remember similar news a few months back, likely this one, https://www.bleepingcomputer.com/news/security/fake-job-interviews-target-developers-with-new-python-backdoor/ where it also involved a fake job interview and the goal was to drop/install a RAT - remote access trojan.

As in any engagement, due care should be taken before downloading, installing or executing files from unknown sources. Be vigilant and confirm that whoever you are talking to, in this case a job interviewer, is indeed who they claim to be. Read the code before you run it, and run it somewhere disposable.

Dark web kingpins indicted

A pair of Russian and Kazakh nationals have been arrested and charged in connection with running dark web markets, forums and training facilities for criminals. Kazakhstani Alex Khodyrev and Russian Pavel Kublitskii were arrested in Miami and charged with conspiracy to commit access device fraud and conspiracy to commit wire fraud, related to a site they ran for a decade called wwh[.]club[.]ws.
https://www.justice.gov/usao-mdfl/pr/russian-and-kazakhstani-men-indicted-running-dark-web-criminal-marketplaces-forums-and

WWH Club users could buy and sell stolen personal information, discuss best practices for conducting various types of illegal activity, and even take courses on how to commit fraud and other crimes.
Khodyrev, Kublitskii and others involved in the site "profited through membership fees, tuition fees, and advertising revenue," the DoJ alleged.

Good on the authorities for taking down this fraudulent group. The stolen data, in my opinion, is the most important piece: it opens up opportunities for fraud, and taking down the site lessens the chances of already-stolen data spreading further among fraud groups.
https://www.theregister.com/2024/09/16/security_in_brief/

In closing

I hope the news I shared has been educational and kept you up to date. If this is your first TWIS, you can always read past editions. You can also check out all of the content from the F5 SIRT. Thank you and till next time... Stay safe and secure.

Scuba Gear from CISA, ROBLOX Malware Campaign, and RUST backdoo-rs
Hello, this week Jordan_Zebor is your editor looking at the notable security news for ScubaGear from CISA, a ROBLOX malware campaign, and a Rust-based meterpreter named backdoo-rs.

ScubaGear from CISA

ScubaGear is a CISA-developed tool that assesses whether a Microsoft 365 (M365) tenant's configuration aligns with the Secure Cloud Business Applications (SCuBA) Security Configuration Baselines. It is a PowerShell module: it pulls the tenant's current settings for the covered M365 products, evaluates them against the baseline policies and produces a report of which policies pass and which fail, so IT and security teams can find misconfigurations in their M365 setup without checking each setting by hand.

The value of running ScubaGear regularly is that it turns CISA's recommended settings into a repeatable check rather than a one-off hardening exercise. Regular assessments catch configuration drift that would otherwise open the door to data breaches and unauthorized access, and the resulting reports are useful evidence when demonstrating compliance with the CISA baselines. One caveat: a passing report covers the tenant's configuration, not how accounts and data are actually being used. It is a configuration audit, not a detection tool, and it belongs alongside your logging and alerting rather than in place of them.

ROBLOX Malware Campaign

Checkmarx recently discovered a year-long malware campaign targeting Roblox developers through malicious npm packages that mimic the popular "noblox.js" library. The attackers used brandjacking and typosquatting, publishing packages whose names look like the legitimate library or like official add-ons to it, to steal sensitive data like Discord tokens, deploy additional payloads, and maintain persistence on compromised systems. Despite efforts to remove these packages, new versions keep appearing on the npm registry, indicating an ongoing threat. The lesson for anyone depending on open source packages: the name in your install command is an attack surface, and a one-character difference from the package you meant is enough.
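The two naming tricks Checkmarx describes can be caught before `npm install` runs with a check like the following, added here as an example and not part of Checkmarx's research or any npm tooling: it normalizes common homoglyph substitutions, flags names that wrap a known package in a prefix or suffix (brandjacking), and uses optimal-string-alignment edit distance to flag near-misses (typosquatting). The protected-name list, the homoglyph table and the candidate names are constructed for illustration; the specific malicious package names Checkmarx found are not reproduced here.

```python
"""Triage a package name against the packages a project is allowed to depend on.

Constructed example for this write-up, not Checkmarx or npm code. Written for npm
names; the same logic applies to PyPI names with a different protected list.
"""

# Digits and symbols that read as letters at a glance (assumed table, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})
SEPARATORS = set("-_.")

# Constructed list: the packages this project is allowed to pull in directly.
PROTECTED = ("noblox.js", "express", "lodash")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "lo" <-> "ol" counts as one edit
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)


def _wraps(candidate: str, legit: str) -> bool:
    """True for 'legit-foo' or 'foo.legit': the real name plus a separator and extra text."""
    if len(candidate) <= len(legit):
        return False
    if candidate.startswith(legit) and candidate[len(legit)] in SEPARATORS:
        return True
    return candidate.endswith(legit) and candidate[-len(legit) - 1] in SEPARATORS


def classify(candidate: str, protected=PROTECTED) -> tuple[str, str]:
    """Return (verdict, reason); verdict is allow, typosquat, brandjack or unknown."""
    if candidate in protected:
        return "allow", "exact match to a protected package"
    norm = normalize(candidate)
    for legit in protected:
        legit_norm = normalize(legit)
        if norm == legit_norm:
            return "typosquat", f"homoglyph or case variant of {legit}"
        if _wraps(norm, legit_norm):
            return "brandjack", f"wraps the name {legit} with a prefix or suffix"
        limit = 1 if len(legit_norm) <= 5 else 2  # short names need a tighter bound
        dist = osa_distance(norm, legit_norm)
        if dist <= limit:
            return "typosquat", f"edit distance {dist} from {legit}"
    return "unknown", "does not resemble any protected package"


def triage(candidates, protected=PROTECTED) -> dict[str, tuple[str, str]]:
    return {name: classify(name, protected) for name in candidates}


# Constructed candidate names for the demo (not the packages Checkmarx reported).
SAMPLE_CANDIDATES = ["noblox.js", "noblox.js-vps", "nobolx.js", "n0blox.js", "left-pad"]

if __name__ == "__main__":
    for name, (what, why) in triage(SAMPLE_CANDIDATES).items():
        print(f"{name:16} {what:10} {why}")
```

Feed it the dependency names from a lockfile and gate the install on the result. A "brandjack" verdict needs a human in the loop, because legitimate companions such as lodash-es share the same shape; keep an allowlist of known companions next to PROTECTED rather than loosening the check. "unknown" only means the name is not close to anything you protect, which is where a separate registry check (package age, maintainer, download history) takes over.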
RUST backdoo-rs

The article "Learning Rust for Fun and backdoo-rs" describes the author's journey of learning Rust by developing a custom meterpreter. Rust is designed to rule out a class of common programming errors at compile time, which makes it attractive for software that has to be secure from the outset, and building red teaming tooling in it is a good way to learn the language on a realistic project. A key aspect I covered recently is how Rust helps eliminate vulnerabilities like buffer overflows and use-after-free errors. These are traditionally common in C and C++, but Rust's ownership and borrowing model prevents them by enforcing safe memory usage. One caveat: that guarantee holds for safe Rust. Code inside unsafe blocks and calls across an FFI boundary into C libraries can reintroduce exactly these bugs, so those regions deserve the same scrutiny as C. Rust's growing adoption in the security community, driven by companies like Google and Microsoft, emphasizes its role in secure software development, underscoring the "secure by design" principles that CISA advocates. Projects like "backdoo-rs" demonstrate Rust's potential for secure, reliable development in any context.