SANS NewsBites

All Travis CI Free Tier User Tokens Exposed By Design – Rotate Keys ASAP or Terminate; Hard to Exploit Hardware Vulnerability Found in Apple CPU; User Email Exposes 70,000 Customer Records at Kaiser Permanente

June 14, 2022  |  Volume XXIV - Issue #47

Top of the News


2022-06-13

Travis CI API Exposes User Tokens

Researchers from Aqua’s Team Nautilus discovered that Travis CI API clear-text logs are available to anyone. The logs contain “tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub.”

Editor's Note

It appears that in CI/CD, exposing credentials is a feature, not a bug. Automate rotating your credentials and assume they are lost if you are using the free version of Travis CI. This is likely to affect many open source projects using Travis CI to manage code deployment. This particular issue has existed in some form for years.

Johannes Ullrich

This is described as the intended behavior for the Free Tier version of Travis CI. If you are going to continue to use the free tier version, the best mitigation, today, is to proactively rotate access tokens, minimizing the interval they are viable if discovered. Better still investigate other options with a higher bar on protection of access tokens and related information, and properly fund key components such as your CI/CD tools.

Lee Neely
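As an added illustration of the mitigation path in the Travis CI story (not code from Travis CI, Aqua or the newsletter), the block below scans CI build-log lines for credential-shaped values and redacts them, so anything that reached a public log can be identified and rotated. The Docker Hub token shape and the generic key=value rule are assumptions made here; the log excerpt is constructed.

```python
import re
from typing import Iterable, NamedTuple

class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str

# Token shapes for the providers named in the story: GitHub tokens are a 4-char
# prefix plus 36 chars, AWS access key IDs are AKIA/ASIA plus 16 chars. The Docker
# Hub shape and the generic key=value rule are assumptions made for this example.
SPECIFIC = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "docker_hub_pat": re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}\b"),
}
GENERIC_KV = re.compile(
    r"(?i)(?:token|secret|password|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9_\-./+]{16,})")

def scan_log(lines: Iterable[str]) -> list[Finding]:
    """Return every credential-looking value in a build log, with its line number."""
    findings: list[Finding] = []
    for no, line in enumerate(lines, 1):
        seen = set()
        for kind, rx in SPECIFIC.items():
            for m in rx.finditer(line):
                findings.append(Finding(no, kind, m.group(0)))
                seen.add(m.group(0))
        for m in GENERIC_KV.finditer(line):
            if m.group(1) not in seen:  # a known token shape is reported once, not twice
                findings.append(Finding(no, "generic_kv", m.group(1)))
    return findings

def redact(line: str) -> str:
    """Mask credential values before a log line is stored or displayed."""
    for kind, rx in SPECIFIC.items():
        line = rx.sub(f"<REDACTED:{kind}>", line)
    return GENERIC_KV.sub(lambda m: m.group(0).replace(m.group(1), "<REDACTED:generic_kv>"), line)

# Constructed build-log excerpt; the AWS key ID is AWS's own documentation example value.
SAMPLE_LOG = """\
$ git clone https://github.com/example/project.git
$ export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
$ docker login -u builder -p dckr_pat_AbCdEfGhIjKlMnOpQrStUvWx
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ make test
OK"""
```

Every finding maps to a credential that must be treated as compromised and rotated; redaction only limits further spread of a value that has already been exposed.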

2022-06-10

PACMAN Hardware Attack Defeats Apple M1 Pointer Authentication

Researchers at MIT’s Computer Science & Artificial Intelligence Laboratory (CSAIL) have developed a new attack that defeats a security measure in Apple’s M1 CPU. Dubbed PACMAN, the hardware attack involves targeting the chip’s Pointer Authentication feature.

Editor's Note

This is a good example of needing to look at least two levels deep when thinking of vulnerabilities and risk. For this attack to succeed, among other things, vulnerable software needs to be running on the processor. I can imagine the CPU test team running exhaustive tests when designing, sizing and testing the Pointer Authentication Code but not specifically trying enough combinations of unpatched/vulnerable OS and applications.

John Pescatore

The exploitability and significance of this vulnerability outside of a lab demo has been disputed in part due to the limitations imposed on collecting high resolution timing data. At this point, this isn't anything you should spend time worrying about. Skip this story.

Johannes Ullrich

This is essentially a proof of concept attack, and the PACMAN write-up is an interesting read. Expect Apple to continue to take steps to limit loading kernel modules to mitigate risks for this sort of attack.

Lee Neely

2022-06-13

Kaiser Permanente Breach Affects 70,000 Patients

Kaiser Permanente says that an employee’s email account was compromised in early April, putting the personal medical information of close to 70,000 patients at risk of exposure. The compromised data include names, medical record numbers, and lab test results. The US Department of Health and Human Services Office for Civil Rights is investigating the incident.

Editor's Note

Kaiser Permanente says its time-to-detect was a few hours, so the bigger question is why were medical records for 70,000 customers accessible in an employee’s email? The question is not why such sensitive data was in email – it almost always is, because quite often IT does not provide users with collaboration and analysis tools (or the users ignore them) and good old spreadsheets or .csv files are exchanged between users to meet immediate business needs. Not all that hard to detect (auditors find it all the time) but a regular process should be in place to detect PHI in user email queues.

John Pescatore

Email mailboxes are a treasure trove for attackers as people often use their mailbox as a database for storing all types of data, including passwords, personal data, and other highly sensitive material. However, most companies do not apply appropriate security to their email systems thinking of it as being only a communications channel. Companies should ensure users have MFA deployed for all email users, monitor for unusual login patterns, apply DLP for sensitive content, and where possible restrict access to sensitive mailboxes or mailboxes of high value targets from known and trusted locations.

Brian Honan

Kaiser has multiple regions with segmented data. This breach impacted Kaiser Foundation Health Plan of Washington. While we have been focused on security of patient-facing devices in healthcare, don’t overlook back-end systems such as email, which are also under attack and can also benefit from MFA and context-driven access controls.

Lee Neely

The compromise of an employee's e-mail account should not be sufficient to compromise PPI. One notes that, again for reasons of convenience, strong authentication is rarely required on e-mail. E-mail, along with browsing, messaging, and social media, is a major source of credential compromise and must be effectively controlled (strong authentication) and isolated from mission critical applications.

William Hugh Murray

The Rest of the Week's News


2022-06-10

The World Economic Forum’s Atlas Initiative Aims to Map Cybercrime Ecosystem

The World Economic Forum Atlas Initiative is a collaborative research project with the goal of mapping the cybercrime ecosystem. The project will trace relationships between criminal groups and their infrastructure. Derek Manky, chief security strategist at FortiGuard Labs, which is one of the participating organizations, said, “We're looking at the non-traditional artifacts. Think: crypto addresses and bank accounts, phone numbers, emails, things that ultimately help to build the challenge of attribution, which we always say is the holy grail.”

Editor's Note

Hopefully this interesting initiative will provide additional information and data on how we can tackle criminal gangs not just at the technical level but perhaps in other ways, such as financial measures and sanctions.

Brian Honan

2022-06-12

Ransomware Attacks Targeting Costa Rica are Among First Targeting a Country’s Government

The ransomware attacks that have plagued Costa Rica since April are unusual in that the group responsible for the attacks has openly called for the overthrow of the country’s government. Costa Rica has declared a national emergency due to the attacks. The first attack, which began in April, targeted systems of government ministries. The second attack began on May 31 and targeted the Costa Rican Social Security Fund (CCSS), which oversees most of the country’s public healthcare system.

Editor's Note

Think about having all your locations and affiliates under attack. Then consider how you would respond, contain, eradicate and prevent recurrence. Do you have the plan and supporting relationships, practice and training? How about your suppliers? Don’t forget to verify your NDAs cover these use cases.

Lee Neely

2022-06-13

Envoy Proxy DoS Vulnerability

Researchers from JFrog Security discovered a denial-of-service (DoS) vulnerability in Envoy Proxy. The flaw exists because “the code that is in charge of decompressing the user supplied data does not implement a size limit for the output buffer.” The vulnerability could be exploited to crash the proxy server; it has been fixed in Envoy versions 1.19.5, 1.20.4, 1.21.3 and 1.22.1. If upgrading is not possible, JFrog recommends that organizations ensure their configuration does not allow Brotli decompression.

Editor's Note

You need to update to the new firmware. Also, if you’re enabling decompression of Brotli or GZip files, change the Brotli decompressor for GZip. Better still, disable that decompression.

Lee Neely
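An added example (not Envoy's code) of the bug class in the JFrog finding above: a decompressor with no limit on its output size, beside one that enforces a cap and aborts. Python's zlib stands in for Brotli because Brotli is not in the standard library; the decompression bomb is constructed inside the block.

```python
import zlib

# Brotli is not in the standard library, so zlib (deflate/gzip) stands in for it;
# the bug class is identical: a tiny input that inflates to a huge output.
# Constructed bomb: 32 MiB of zeros compresses to a few tens of KiB.
BOMB_PLAIN_SIZE = 32 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * BOMB_PLAIN_SIZE, 9)

class OutputTooLarge(Exception):
    """Inflated output would exceed the configured limit."""

def inflate_unbounded(data: bytes) -> int:
    """The flawed shape: materialise the whole body, however large it gets.
    Returns only the size produced so the caller does not keep the buffer."""
    return len(zlib.decompress(data))

def inflate_bounded(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data`, aborting as soon as the output would exceed `max_out`.

    decompressobj.decompress(buf, max_length) returns at most `chunk` bytes per
    call and parks unprocessed input in `unconsumed_tail`, so peak memory stays
    near max_out + chunk whatever the compression ratio of the input.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > max_out:
            raise OutputTooLarge(f"inflated output exceeds {max_out} bytes")
        pending = d.unconsumed_tail
        if not piece and not pending:  # truncated stream: no progress possible
            break
    return bytes(out)

def bounded_rejects(data: bytes, max_out: int) -> bool:
    """True if the bounded inflater refuses `data` under limit `max_out`."""
    try:
        inflate_bounded(data, max_out)
    except OutputTooLarge:
        return True
    return False

if __name__ == "__main__":
    print(f"{len(BOMB)} compressed bytes inflate to {inflate_unbounded(BOMB)} bytes")
    print("1 MiB cap rejects the bomb:", bounded_rejects(BOMB, 1 << 20))
```

The cap should be set from what the proxied application can legitimately need, and an over-limit request should be rejected with an error rather than retried.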

2022-06-13

Google Fixes Seven Vulnerabilities in Chrome for Desktop

Google has updated the stable channel for Chrome Desktop to version 102.0.5005.115 for Windows, Mac and Linux. The newest version of the browser includes fixes for seven security issues; four are rated high severity: a use-after-free vulnerability in WebGPU; an out-of-bounds memory access vulnerability in WebGL; an out-of-bounds read vulnerability in Chrome’s compositing component; and a use-after-free vulnerability in ANGLE.

Editor's Note

Don’t expect browser updates to settle into a patch Tuesday rhythm anytime soon. With the attention to finding and exploiting browser vulnerabilities, make sure you can readily and actively keep your browsers updated, including a defined process where the relaunch, required to activate the new version, is enforced. Be certain you’re actively tracking not just Chrome, but Chromium-based browsers as well. Don’t ignore your other browsers; they are also being researched for vulnerabilities.

Lee Neely

2022-06-13

Gallium Hacking Group’s New Remote Access Trojan is Hard to Detect

Researchers from Palo Alto Networks’ Unit 42 have found that a known state-sponsored Chinese hacking group is now using a new remote access trojan (RAT). The RAT, dubbed “PingPull,” uses the Internet Control Message Protocol (ICMP) to hide communications with its command-and-control infrastructure. While this is not a new approach, many organizations still do not monitor ICMP traffic. The Gallium hacking group is known for targeting telecommunications companies, financial institutions, and government organizations.
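An added example, not Unit 42's tooling, of the ICMP monitoring the story says many organizations lack: it scores echo-request sources on payload entropy, payload size and beacon regularity, the traits that separate a covert channel from ordinary ping. The packet records are constructed, and the stock Linux and Windows ping payload shapes are the default ones those tools emit.

```python
import math
import random
from collections import defaultdict

# Stock ping payloads: Linux fills the 56-byte default with a 16-byte timestamp
# followed by the bytes 0x10..0x37; Windows sends a fixed 32-byte alphabet string.
LINUX_PATTERN = bytes(range(0x10, 0x38))
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or encoded C2 data scores well above plain text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def is_stock_ping(payload: bytes) -> bool:
    return payload == WINDOWS_PATTERN or (len(payload) == 56 and payload[16:] == LINUX_PATTERN)

def suspicious_icmp_sources(records, min_pkts=5, entropy_thr=5.5, max_jitter=0.5):
    """records: (timestamp_s, src_ip, echo_payload) tuples. Returns {src_ip: [reasons]}
    for hosts whose echo-request traffic looks like a tunnel rather than a ping."""
    by_src = defaultdict(list)
    for ts, src, payload in records:
        by_src[src].append((ts, payload))
    flagged = {}
    for src, pkts in by_src.items():
        odd = [p for _, p in pkts if not is_stock_ping(p)]
        if len(odd) < min_pkts:  # a few odd packets are noise, not a channel
            continue
        mean_ent = sum(map(shannon_entropy, odd)) / len(odd)
        mean_len = sum(map(len, odd)) / len(odd)
        times = sorted(t for t, _ in pkts)
        gaps = [b - a for a, b in zip(times, times[1:])]
        reasons = []
        if mean_ent >= entropy_thr:
            reasons.append(f"high-entropy payloads ({mean_ent:.1f} bits/byte)")
        if mean_len > 64:
            reasons.append(f"oversized payloads (avg {mean_len:.0f} B)")
        if gaps and max(gaps) - min(gaps) <= max_jitter:
            reasons.append(f"fixed beacon interval (~{gaps[0]:.0f} s)")
        if reasons:
            flagged[src] = reasons
    return flagged

# Constructed records (not a capture): Linux admin pings, a Windows host, and a host beaconing a 160-byte random blob every 30 s.
_rng = random.Random(7)
SAMPLE = [(t, "10.0.0.5", _rng.randbytes(16) + LINUX_PATTERN) for t in (0.0, 1.0, 2.0, 3.0)]
SAMPLE += [(5.0, "10.0.0.9", WINDOWS_PATTERN), (6.0, "10.0.0.9", WINDOWS_PATTERN)]
SAMPLE += [(10.0 + 30 * i, "10.0.0.23", _rng.randbytes(160)) for i in range(8)]
```

Hosts that deliberately send large or custom-pattern pings will also match, so the thresholds need tuning against a baseline of the environment's own ICMP traffic.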


2022-06-09

Travel Companies Forced to Share Data

Recently unsealed court documents revealed that authorities compelled two travel companies – US-based Sabre and UK-based Travelport – to provide information regarding the movements of a Russian individual who was the subject of a hacking investigation. The target of the surveillance, Aleksei Burkov, was arrested in Israel in 2015 and extradited to the US in 2019.

Editor's Note

Another case of using the All Writs Act (which is very broad) to compel companies to release information relevant to an investigation. You may recall this was also used against Apple in the 2015 San Bernardino shooting case, where the FBI wanted them to unlock the suspect's phone. The trick is to make sure requests like this are not only specific to the active case, but also represent responses those served can actually provide.

Lee Neely

Any data collected is accessible via a court order. Most privacy policies and related legislation have specific exemptions built in to allow this. Not sure why anybody is surprised that this is happening.

Johannes Ullrich

This action involved the courts, was narrowly crafted, and was disclosed on a timely basis. However, it involved the use of the ancient "All Writs Act" which the ACLU has found troubling and which has not been recently tested by appeals.

William Hugh Murray

2022-06-13

Goodbye, IE (Mostly)

Microsoft will stop supporting most versions of Internet Explorer (IE) as of Wednesday, June 15. The browser was launched in August 1995. The IE desktop application will be disabled. Users are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.

Editor's Note

The market share of IE is below 1%, so not a big issue. Browser-specific applications should by now be anomalies – from a security perspective, Chrome-based browsers are the market share big dog that vulnerability management needs to focus on, but Safari, Firefox and Edge will stay in the mix.

John Pescatore

Use Edge with the IE Mode if needed. Suggest rigorous testing without IE Mode to determine your reliance on backwards compatibility, possibly eliminating browser lock-in.

Lee Neely

Internet Storm Center Tech Corner

Translating Saitama's DNS Tunneling

https://isc.sans.edu/forums/diary/Translating+Saitamas+DNS+tunneling+messages/28738/


EPSScall: An Exploit Prediction Scoring System App

https://isc.sans.edu/forums/diary/EPSScall+An+Exploit+Prediction+Scoring+System+App/28732/


Travis CI Logs Expose Users to Cyber Attacks

https://blog.aquasec.com/travis-ci-security


Linux Threat Hunting: "Syslogk" a kernel rootkit found under development in the wild

https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/


Mitel Desk Phone Backdoor

https://blog.syss.com/posts/rooting-mitel-desk-phones-through-the-backdoor/


PACMan Attack

https://pacmanattack.com

https://twitter.com/wdormann/status/1535245913857351680


Carrier LenelS2 HID Mercury access panel vulnerability

https://www.cisa.gov/uscert/ics/advisories/icsa-22-153-01


Malicious Python Modules

https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly-included-a-password-stealer/