Malicious Python Modules Found on PyPI; Oracle Finally Patches Complex Critical Flaw; FTC Fines Residual Pumpkin for Café Press Breach and Applies Sanctions to Acquirer Planet Art, Too

Another day, another malicious Python package. Sonatype is making a good case for not only scanning code you write, but also scanning code you are using from repositories like PyPi.

Johannes Ullrich

A reminder to not just trust modules provided externally. Make sure that you're using the version you've qualified versus an imposter with “added functionality.” Even so, you're doing static and dynamic code analysis, right? Consider limiting outbound connections to prevent connection to C2 services.

Lee Neely

Developers are reminded that they are responsible for the quality of all code that they include or distribute in their products, regardless of its source.

William Hugh Murray

Deserialization issues are all too common in middleware, and can be difficult to patch right. The usual fix employed by Oracle in the past is to establish blocklists to not allow the instantiation of very specific, deemed to be dangerous, objects. But these blocklists have been bypassed in the past if they were not defined well. A huge ecosystem of applications relies on this middleware and Oracle does need to pay attention to minimize the possibilities of breaking these applications.

Johannes Ullrich

As we’ve seen with Microsoft and many other vendors of large complex software, some software flaws can take several months to fix and test. But, Oracle has been silent on why this one took so long or in providing any guidance to customers in shielding or workaround actions to take while awaiting a real fix.

John Pescatore

One exploit involves chaining two vulnerabilities, CVE-2022-21445 (deserialization of untrusted data) and CVE-2022-21497 (SSRF), to achieve pre-authentication RCE. The time to release a patch was likely due to interdependency and regression testing and resolution. You should have already deployed the April CPU. If not, the publishing of the exploit details should be seen as a call to act.

Lee Neely

Having been on the inside of some of these decisions, one can testify that the vendors are often between a rock and a hard place, in a dilemma that cannot be recognized or appreciated from the outside. Moreover, the vendor may be aware of many vulnerabilities more severe than those reported from the outside and is fixing them in the most efficient order. One is inclined to cut the vendor some slack. That said, six months with no explanation or guidance to customers is a little much. One starts to question the vendors priorities.

William Hugh Murray

This is a good report to use to convince management of the importance of cybersecurity review being part of Merger and Acquisition decisions. Planet Art acquired Café Press after the 2019 and may have adjusted the amount they paid downward. However, 3 years later Planet Art will be subject to the FTC action on their security program, even if the original parent company (Residual Pumpkin) has to pay the fine.

John Pescatore

It's not a bad idea to review where you're storing PII and make sure you're aligned with the relevant privacy laws, (CCPA, GDPR, etc.) to include retention and appropriate use restrictions. Be sure to check online services used, such as event registration services, for data collected and stored to ensure they also meet protection requirements. Leverage your legal team to understand how these laws apply to your business. Build awareness training for both developers and users as well as creating any needed supporting KB articles and/or policies.

Lee Neely

Of course, that $100M was only worth $30M a few days later… Hard to get real data on “cryptocurrency” use but it seems clear more of it is stolen each year than is used for actual business transactions.

John Pescatore

Harmony transfers cryptocurrencies, stablecoins and non-fungible tokens between their blockchain and other networks. The Ethereum tokens were what was stolen. The attackers used 11 transactions which extracted the ETH tokens on the bridge. Moreover, these were doubly encrypted via passphrase and key management service. The pilfered keys were able to satisfy the multi-signature contract allowing the funds to be transferred. The point is you need to understand how your crypto is protected, how exchanges are authorized and what recourse you have if compromised.

Lee Neely

Same is often true of denial of service attacks that are often used as distractions from the main tactics, or are used simply to flood SIEM consoles with alerts that will slow the security team from handling the critical alerts.

John Pescatore

View this as a twist to current ransomware + extortion techniques. The ransomware is used to obfuscate evidence, distract investigators and otherwise cover the indications relating to exfiltration of data. The attackers are using the HUI loader, which is a custom DLL loaded by legitimate programs subject to DLL search order hijacking. The loader then installs a RAT such as Cobalt Strike, PlugX, SodaMaster and QuasarRAT. The attack leverages weaknesses in your boundary control devices, taking us back to making sure they are patched, the configuration is verified as secure, and you're using MFA for remote access. Leverage the IOCs in the Secureworks article.

Lee Neely

The key line in this 53 page report is “One option that has been proposed is to tie federal assistance for cyber-related losses to cybersecurity requirements.” Insurance can’t cover catastrophic losses that are due to lack of basic security hygiene. Like any form of insurance, to be useful to businesses, or for the government to step in when state-sponsored or terrorist-initiated attacks cause broad damage, cyberinsurance policies have to be based on proof of maintaining baseline standards. In this case, the government will likely point to the NIST framework.

John Pescatore

Insurance companies have been revising language and criteria in response to trends in ransomware claims. Review your cyber insurance to understand what it covers and what are the triggers. For example, the GAO believes that incidents may not meet the criteria needed to be categorized as terrorism, resulting in a non-payment. Determine if there are new criteria, such as vulnerability assessments or MFA you are also now required to meet for your insurance to be valid, don't delay closing any gaps here.

Lee Neely

VMware released fixes for Log4J back in December. If you have any systems which are still not updated, you're going to want to forensicate them fully before trusting them. Make sure that you're minimizing the services exposed to the Internet, that accounts are audited, removing which are unused or no-longer-needed. Lastly, strong authentication is pretty important, don't overlook it, keep an eye on excepted users, find a way to not have any exceptions.

Lee Neely

Post SolarWinds, assuming persistent but covert compromise, might well be the appropriate default. In the face of such compromise, the efficient defensive strategy is strong process-to-process isolation. The goal should be so-called “zero trust.”

William Hugh Murray

TIC is a mixed bag. In some scenarios such as HPC, a non-starter for effective connectivity across the internet. The goal is to achieve a version of TIC which is aligned with Zero-Trust and a cloud based service architecture. Take a hard look at the draft and provide feedback to ensure the end model is usable.

Lee Neely

The malicious applications masquerade as account recovery applications. Consider carefully requests to install applications to support actions like this, verify, out-of-band that they are indeed part of the process. Make sure that your users understand the recovery processes for accounts associated with applications they use. Make sure that users only install applications from trusted app stores, including what to do when they are requested to install one from another source.

Lee Neely

The China Chopper web shell is installed, which allows for svchost to load the malicious "iiswmi.dll" which then uses a .Net loader to execute the Samurai backdoor; which is hard to detect. The SecureList blog post includes IOCs for you to incorporate into your processes to discover this activity. Make sure your Exchange infrastructure is up to date. Given the low-profile of this attack group, proactively scanning for the IOCs is a good idea.

Lee Neely