SANS NewsBites

Check Apps for Baked-in Cloud Credentials; Inspect and Guard Your CI/CD Pipelines; Check for Go-based Malware; Protect Against Payloads Hidden in Webb Space Telescope Images

September 2, 2022  |  Volume XXIV - Issue #68

Top of the News


2022-09-01

Baked-in AWS Credentials Found in Hundreds of Apps

Researchers from Symantec’s Threat Hunter Team have discovered more than 1,800 apps that contain hard-coded AWS credentials. Nearly all of the affected apps are iOS apps. More than half of the apps were found to be using the same AWS tokens that were found in other apps.

Editor's Note

These days, every wave of new technology use goes through the same pattern: (1) security needed; (2) security gets in the way; (3) shortcuts taken; (4) security compromised. This is actually an improvement over a decade ago when step (1) was ignored. Today, requiring testing of all software by off-the-shelf tools will detect most common instances of (3) shortcuts taken.

John Pescatore

For years in the Cloud Penetration Testing class, we have told students that we find hardcoded AWS keys in software. Many architects or students who work on the defensive side find this hard to believe. This type of example doesn’t surprise those that have been doing this type of work for a while, but examples like this help us point to practices that are less than ideal, surely very insecure. Now for the wider impact of this, you need to dig into the details. 1,800 is a fraction of the 2 million apps in the app store today. I will say that compiled apps make it much harder to uncover flaws like this, so there are more than likely more apps that have this issue in those stores.

Moses Frost

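The detection John Pescatore and Moses Frost describe, finding hard-coded AWS keys in app binaries where off-the-shelf tooling looks for them, as an added example (not Symantec's tooling or code from this newsletter): it scans an arbitrary byte blob such as a compiled app's string segment for AWS access key IDs and pairs each with nearby high-entropy 40-character tokens, the shape of a secret key. The sample blob is constructed; the key pair in it is AWS's own published placeholder credential from its documentation, not a live key.

```python
import re
from math import log2

# Long-lived IAM access key IDs start with AKIA, STS temporary ones with ASIA;
# the secret key that pairs with either is a 40-character base64-like token.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Real secrets sit well above identifiers and padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * log2(data.count(b) / n) for b in set(data))


def find_aws_credentials(blob: bytes, window: int = 512, min_entropy: float = 4.0) -> list:
    """Locate access key IDs and, within `window` bytes on either side, any
    40-character token with enough entropy to be the matching secret key."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - window), m.end() + window
        secrets = [s.group(0).decode() for s in SECRET_RE.finditer(blob[lo:hi])
                   if shannon_entropy(s.group(0)) >= min_entropy]
        findings.append({"offset": m.start(),
                         "access_key_id": m.group(0).decode(),
                         "secret_candidates": secrets})
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper for a binary, plist or config file on disk."""
    with open(path, "rb") as fh:
        return find_aws_credentials(fh.read())


# Constructed stand-in for a string table pulled out of a compiled app.
# The AKIA/wJalr pair is AWS's documentation placeholder, not a valid key.
SAMPLE_BLOB = b"\x00".join([
    b"__cstring",
    b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    b"padding=" + b"a" * 40,  # 40 chars but low entropy: must not be reported
    b"com.example.app.build.identifier.string",
])

if __name__ == "__main__":
    for hit in find_aws_credentials(SAMPLE_BLOB):
        print(hit)
```
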
The challenge is to take the time to fully understand the frameworks and services used in delivering a service or application. Make sure that you understand what access is granted. Hardcoded credentials are easier to use than rotating or transient credentials, and not only do your developers need to stop with hardcoded credentials, but also make sure that the access granted by the credentials used is only for the objects and services needed. Where using third-party services, stop to understand what access they require and how that access is managed, to include separations from others using their services. Lateral movement, data modification and exfiltration risks all need to be considered.

Lee Neely

2022-09-01

GitHub Environment Injection Vulnerability Affects Two Open Source Projects

Researchers from Legit Security have found continuous integration/continuous delivery (CI/CD) vulnerabilities in the GitHub environments of open source projects from Google and Apache. The flaws can be exploited to take control of the projects’ GitHub Actions CI/CD pipeline and modify source code, steal data, and move laterally within organizations.

Editor's Note

Another topic we have sections on in the Cloud Penetration Testing lab is CI/CD pipelines. We abuse Environments in our labs to read sensitive items out of the CI/CD pipeline. What is really interesting here is that the attacker can fork the project, attempting to act as a developer and inject their own code. It’s not clear why GitHub is displaying sensitive data when abusing a different variable, but it is something very interesting to note. This is just one thing that you can do with supply chain attacks. Guard your CI/CD pipelines closely because this is just one example of how an attacker can attack these platforms. This attack is novel because it does not require you to obtain access to the repo. The repo is already visible, but instead of injecting code, you are abusing the CI/CD itself without necessarily having repo access.

Moses Frost

This attack takes advantage of environment variable information in the GitHub ecosystem which, if allowed to be manipulated during the build process, could allow unexpected code to be included. In 2020 a Google researcher discovered manipulation options which GitHub addressed, essentially making them read-only, via the prior practice which leveraged STDOUT. The problem is there are manipulation options using their FileCommandManager which GitHub is not going to change as they still have legitimate use. As such, you need to be extremely careful when manipulating the GITHUB_ENV file. Never write untrusted data to that file, make sure you're enforcing least privileges on your workflow, use Actions which output parameters not environment variables, and really understand the triggering workflow, particularly if initiated from a forked repository.

Lee Neely

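Lee Neely's warning about writing untrusted data to GITHUB_ENV, shown in working code as an added example (not Legit Security's research code, GitHub's runner, or anything from this newsletter): a simplified parser reconstructs how the runner reads the file, so you can see that a naive `NAME=value` write of a fork-supplied PR title yields a second, attacker-chosen variable, while the heredoc form with a random per-call delimiter (GitHub's documented multiline syntax) keeps every line as data. The parser, the `ghadelim_` prefix and the sample title are assumptions constructed for this illustration.

```python
import os
import re
import secrets

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_env_file(text: str) -> dict:
    """Simplified reader for the GITHUB_ENV format as the runner applies it:
    'NAME=value' per line, or 'NAME<<DELIM' followed by lines up to a line
    equal to DELIM. Reconstructed here for illustration, not runner code."""
    env, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if "<<" in line:
            name, delim = line.split("<<", 1)
            body = []
            i += 1
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            env[name] = "\n".join(body)
        elif "=" in line:
            name, value = line.split("=", 1)
            env[name] = value
        i += 1
    return env


def naive_write(name: str, value: str) -> str:
    """The unsafe pattern: untrusted text (a PR title, a commit message) goes
    straight into the file, so an embedded newline starts a new line that the
    runner reads as a second assignment chosen by whoever wrote the title."""
    return f"{name}={value}\n"


def safe_write(name: str, value: str) -> str:
    """Heredoc form with a per-call random delimiter: every line of the value
    is data, never a new key. The name is validated so it cannot smuggle syntax."""
    if not NAME_RE.match(name):
        raise ValueError(f"refusing to export invalid variable name {name!r}")
    delim = f"ghadelim_{secrets.token_hex(16)}"
    if delim in value:  # vanishingly unlikely, but data must never close the block
        raise ValueError("value contains the delimiter")
    return f"{name}<<{delim}\n{value}\n{delim}\n"


def export_to_github_env(name: str, value: str) -> None:
    """Real usage inside a workflow step: append safely to the file at $GITHUB_ENV."""
    with open(os.environ["GITHUB_ENV"], "a", encoding="utf-8") as fh:
        fh.write(safe_write(name, value))


# Constructed untrusted input: the shape a PR title from a fork could take.
UNTRUSTED_TITLE = "Fix typo in README\nUNEXPECTED_VAR=set by the fork"

if __name__ == "__main__":
    print("naive:", parse_env_file(naive_write("PR_TITLE", UNTRUSTED_TITLE)))
    print("safe: ", parse_env_file(safe_write("PR_TITLE", UNTRUSTED_TITLE)))
```
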
2022-08-31

Malware-Laced Webb Telescope Images

Hackers are tricking users into infecting their devices with malware by hiding the malware in images from the James Webb telescope. The malware is written in Golang, a cross-platform language that is difficult to reverse-engineer and analyze.

Editor's Note

The story has been twisted a bit as it made it into more popular media outlets. The issue here is not that people will be infected by Webb Telescope images. Instead, these are systems that are already infected and the malware downloads additional code attached to images. The intent is to fool automated detection systems. So, in some ways it is worse: Malware is downloaded and you do not even get to see the images. Enjoy those great images and have fun watching Artemis 1 (hopefully) taking off this weekend. Malware written in Go has been on the increase in recent years, in part because the defensive tooling for malware analysis has been a bit lacking for Go.

Johannes Ullrich

The initial entry point is a phishing email with a loaded MS Word attachment, which then downloads an image with embedded base64 code that looks like a certificate, calls certutil to decode it into a malicious executable which is then executed. Currently the tested EDR platforms as well as VirusTotal didn't detect this attack; you need to add the IOCs from the Securonix Blog to your arsenal and make sure that you're clean: https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/

Lee Neely

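A defender-side check for the technique Johannes Ullrich and Lee Neely describe, payload bytes appended to an image and framed as a base64 "certificate", as an added example (not Securonix's analysis code or anything from this newsletter): it pulls out whatever follows a JPEG's end-of-image marker, finds PEM-framed base64 there, and reports whether the decoded bytes look like a Windows executable (MZ) rather than a DER certificate (leading 0x30). Both sample images are constructed in the block; the "payload" is a labelled fake stub, not a real binary.

```python
import base64
import re

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def trailing_data_after_jpeg(data: bytes) -> bytes:
    """Bytes after the last end-of-image marker. Viewers stop at EOI, so anything
    appended there still renders as a normal picture yet stays retrievable."""
    if not data.startswith(JPEG_SOI):
        return b""
    end = data.rfind(JPEG_EOI)
    return b"" if end < 0 else data[end + 2:]


def inspect_image(data: bytes) -> dict:
    """Report PEM-framed base64 riding after the image and what it decodes to."""
    tail = trailing_data_after_jpeg(data)
    report = {"trailing_bytes": len(tail), "pem_blocks": 0,
              "decoded_is_pe": False, "decoded_is_der": False}
    for m in PEM_RE.finditer(tail):
        report["pem_blocks"] += 1
        try:
            decoded = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        report["decoded_is_pe"] |= decoded.startswith(b"MZ")
        report["decoded_is_der"] |= decoded.startswith(b"\x30")
    # A "certificate" whose body is not DER is the tell; an MZ header is conclusive.
    report["suspicious"] = report["pem_blocks"] > 0 and not report["decoded_is_der"]
    return report


# Constructed samples (not telescope images, not real malware): a minimal JPEG
# skeleton with a JFIF APP0 segment, and the same file with a PEM block appended
# that wraps a fake PE stub the way certutil -decode would expect to find it.
MINIMAL_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
FAKE_PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed-stub-not-a-real-binary"
_b64 = base64.b64encode(FAKE_PE_STUB)
SAMPLE_CLEAN = MINIMAL_JPEG
SAMPLE_TROJANIZED = (MINIMAL_JPEG + b"-----BEGIN CERTIFICATE-----\n"
                     + b"\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
                     + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("clean:      ", inspect_image(SAMPLE_CLEAN))
    print("trojanized: ", inspect_image(SAMPLE_TROJANIZED))
```

The same check can be run over files fetched by a proxy or sandbox before they reach an endpoint, since the image itself is benign until the trailing block is decoded.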
The Rest of the Week's News


2022-09-01

FBI Warns Hackers are Exploiting DeFi Vulnerabilities to Steal Cryptocurrency

The FBI has published a Public Service Announcement warning of an increase in hackers exploiting vulnerabilities in Decentralized Finance (DeFi) platforms and stealing cryptocurrency. Specifically, the attackers are exploiting vulnerabilities in DeFi platform smart contracts.

Editor's Note

Show your CFO this sentence in the FBI warning: “A smart contract is a self-executing contract with the terms of the agreement between the buyer and seller written directly into lines of code that exist across a distributed, decentralized blockchain network.” If that doesn’t worry your CFO, explain why anything with “self-executing,” “buyer and seller” and “written directly into lines of code” in the same sentence should automatically trigger financial risk alarms to go off.

John Pescatore

SANS held the Blockchain Security Summit 2022 this week with talks and workshops in both English and Spanish. Slides and recordings of talks will be up shortly. Highly recommend watching the keynote and talks.

Jorge Orchilles

Make sure that you understand the risks and regulations relating to cryptocurrency. Consider that if something goes wrong, the money is gone. As such you need to do your own research into the security of DeFi providers, to include understanding their testing and vetting processes, verify they have been independently audited, including a code audit, be wary of limited time opportunities (your phishing/scam light should go off here), don't rely on crowdsourced/open source security vetting - too much is at stake.

Lee Neely

Interesting that the FBI is giving this warning as there is still a tenuous relationship between the government and this community. It is, however, important to realize that this is still software. This is highly complex software and is subject to vulnerabilities. Exchanges have many vulnerabilities that we have seen when performing penetration testing on them at work, and many of the vulnerabilities are not even on the blockchain/smart contract side. Still, they tend to steer toward general web application vulnerabilities that stem from these applications.

Moses Frost

2022-08-30

Classified Cyberthreat Briefing for US Aviation Sector

This month, the White House will hold a classified cybersecurity briefing for executives in the aviation industry. The Biden administration has been offering the briefings to executives in certain critical infrastructure sectors to encourage them to invest in cyber defenses.

Editor's Note

Nothing against threat briefings, but if the US government wants to drive improvements in commercial cybersecurity, it needs to use its buying power to do so. The Bureau of Transportation Statistics shows that the US spends about $20B per year on air transportation (not counting the $60B in aid during the pandemic peak disruption), about 10% of overall US airline revenue. If all federal procurements for air travel services included requirements for essential security hygiene, that would cause industry CEOs and CFOs to see direct threats to today’s revenue, not just potential future threats to future profits.

John Pescatore

This follows the successful August 4th briefing for the Railroad industry. As with that briefing, communication options will be provided for those not in attendance. Pro-tip - if you're invited, don't miss the actual meeting. Making this type of specific information available to the private sector helps provide context and a basis for the threats to support the case for acting. One hopes they are also provided a non-classified version of the briefing they can share with those who need to know, to include financial decision makers.

Lee Neely

2022-09-01

NSA, CISA, and ODNI Offer Supply Chain Cybersecurity Guidelines for Developers

The US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released supply chain cybersecurity guidance for software developers. The document was designed by the Enduring Security Framework (ESF) public-private working group. ESF plans to release two additional software supply chain cybersecurity documents – one for software suppliers and one for customers.

Editor's Note

This 64-page document is a good framework for long term changes, but when the airplane is in the air, the engine is sputtering and the ground is getting closer, some immediate action is required. In the spirit of the Critical Security Controls Implementation Group 1, a starting point is requiring all software vendors to certify their software is at least free of the latest OWASP Top 10 vulnerabilities.

John Pescatore

The alert contains listings and references of secure development frameworks and guidance you can leverage, as well as specific design recommendations and guidance. Walk through the documents with your development team, discovering both opportunities and things you're already doing, then set a roadmap for future improvements where needed.

Lee Neely

2022-09-01

Ransomware Attack Targeted Chilean Government Agency

An unspecified Chilean government agency has been hit with a ransomware attack. The attack began on August 25 and affected Microsoft and VMware ESXi servers. According to Chile's national computer security and incident response team (CSIRT), the malware used in the attack has the capability to steal credentials from browsers and evade antivirus detection.

Editor's Note

Attacks on Latin American governments and organizations are on the rise. Please see the warnings and prepare. Test your organization with these well-known adversary behaviors so you can detect and respond to a ransomware attack before the data leaves your network and/or is encrypted.

Jorge Orchilles

While the specific strain and actors are not yet fully understood, the basics still apply. Use current EDR, keep your boundary protections updated, validate their configuration, keep OS and applications updated. Don't overlook your hypervisor. Actively manage user accounts and MFA all publicly accessible entry points. If you're not able to actively monitor, hire it out. Last, but far from least, make sure that you not only have good backups but also are able to restore from the ground up if needed.

Lee Neely

2022-08-31

Chrome Update Includes Fixes for Two Dozen Vulnerabilities

Google has released Chrome 105 to the stable channel for Windows and for macOS/Linux. The newest versions of the browser address 24 security issues, including a critical use after free vulnerability in Network Service. The updates also address nine high-severity flaws, including use after free, heap buffer overflow, inappropriate implementation, and insufficient validation of untrusted input issues.

Editor's Note

So you were wondering why you were getting prompted to relaunch Chrome? With the continuing influx of Chrome updates, your security teams should have already been pushing this update to both Chrome and Chromium-based browsers. Leverage managed Chrome options to not only notify users about relaunch but also limit the time they can postpone relaunching - default is 7 days.

Lee Neely

2022-08-31

Japan’s Digital Minister Wants Government to Stop Using Floppy Disks

The Japanese government still requires the use of floppy disks for roughly 1,900 procedures; the country’s minister of digital affairs is calling for that to change. The US Department of Defense stopped using floppy disks in 2019.

Editor's Note

Yeah, we all did a double take at "Floppy Disks." This is really about keeping systems modernized. Japan still has business processes which require the use of disks - floppy, CD, MD, etc. The challenge is to keep processes current with modern technology and to make sure that you've migrated data stored on old formats to new media which can continue to be used. Don't be the one saying "Yes, I have your data here, excuse me while I search online for something that will read it." When looking at updating processes, make sure not to overlook implied security, actual or perceived, e.g., fax machines are seen as point to point and therefore more secure than digital transmission, irrespective of actual implementation.

Lee Neely

2022-09-02

Former NSA Operatives Who Worked for DarkMatter Debarred from Arms Exports

Three former NSA operatives have been prohibited from taking part in international arms exports. After leaving the NSA, the three individuals worked for DarkMatter, a security company based in the United Arab Emirates (UAE). While employed there, they conducted surveillance on dissidents, journalists, and US companies.

Editor's Note

Be aware of ITAR and export control restrictions, particularly if working with US government data. In today's world of distributed and remote workers, it's very easy to employ effective workers who are not only outside our borders but also not US persons, and are not entitled to that information. When in doubt consult an expert, and if you have an issue take steps to rectify, not ignore it.

Lee Neely

Internet Storm Center Tech Corner

Jolokia Scans: Possible Hunt for Vulnerable Apache Geode Servers

https://isc.sans.edu/diary/Jolokia+Scans%3A+Possible+Hunt+for+Vulnerable+Apache+Geode+Servers+%28CVE-2022-37021%29/29006


Underscores and DNS: The Privacy Story

https://isc.sans.edu/diary/Underscores+and+DNS%3A+The+Privacy+Story/29002


Two things that will never die: bash scripts and irc

https://isc.sans.edu/diary/Two+things+that+will+never+die%3A+bash+scripts+and+IRC%21/28998


Microsoft Basic Authentication Deprecation in Exchange Online

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437


Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mobile-supply-chain-aws


Malware Disguised as Google Translate Desktop App

https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/


GitLab Update

https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/#brute-force-attack-may-guess-a-password-even-when-2fa-is-enabled


iOS 12.5.6 Update

https://support.apple.com/en-us/HT201222


Apache Geode Deserialization Flaw

https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr


Foxit PDF Reader Update

https://sec-consult.com/vulnerability-lab/advisory/outdated-javascript-engine-leads-to-rce-in-foxit-pdf-reader/


Malware using James Webb Telescope images

https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/


Malicious Chrome Extensions

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users/


Chromium Based Browsers Allow Access to Clipboard

https://bugs.chromium.org/p/chromium/issues/detail?id=1334203