Check Apps for Baked-in Cloud Credentials; Inspect and Guard Your CI/CD Pipelines; Check for Go-based Malware Protect Against Payloads Hidden in Webb Space Telescope Images

These days, every wave of new technology use goes through the same pattern: (1) security needed; (2) security gets in the way; (3) shortcuts taken; (4) security compromised. This is actually an improvement over a decade ago when step (1) was ignored. Today, requiring testing of all software by off the shelf tools will detect most common instances of (3) shortcuts taken.

John Pescatore

For years in the Cloud Penetration Testing class, we have told students that we find hardcoded AWS keys in software. Many architects or students who work on the defensive side find this hard to believe. This type of example doesn’t surprise those that have been doing this type of work for a while, but examples like this help us point to practices that are less than ideal, surely very insecure. Now for the wider impact of this, you need to dig into the details. 1,800 is a fraction of the 2 million apps in the app store today. I will say that compiled apps make it much harder to uncover flaws like this, so there are more than likely more apps that have this issue in those stores.

Moses Frost

The challenge is to take the time to fully understand the frameworks and services used in delivering a service or application. Make sure that you understand what access is granted. Hardcoded credentials are easier to use than rotating or transient credentials, and not only do your developers need to stop with hardcoded credentials, but also make sure that the access granted by the credentials used are only for the objects and services needed. Where using third party services, stop to understand what access they require and how that access is managed, to include separations from others using their services. Lateral movement, data modification and exfiltration risks all need to be considered.

Lee Neely

Another one on which we do have sections on in the Cloud Penetration Testing lab is CI/CD pipelines. We abuse Environments in our labs to read sensitive items out of the CI/CD pipeline. What is really interesting here is that the attacker can fork the project, attempting to act as a developer and inject their own code. It’s not clear why GitHub is displaying sensitive data when abusing a different variable, but it is something very interesting to note. This is just one thing that you can do with Supply Chain attacks. Guard your CI/CD pipelines closely because this is just one example of how an attacker can attack these platforms. This attack is novel because it does not require you to obtain access to the repo. The repo is already visible, but instead of injecting code, you are abusing the CI/CD itself without necessarily having repo access.

Moses Frost

This attack takes advantage of environment variable information in the GitHub ecosystem which, if allowed to be manipulated during the build process, could allow unexpected code to be included. In 2020 a Google researcher discovered manipulation options which GitHub addressed, essentially making them read-only, via the prior practice which leveraged STDOUT. The problem is there are manipulation options using their FileCommandManager which GitHub is not going to change as they still have legitimate use. As such, you need to be extremely careful when manipulating the GITHUB_ENV file. Never write untrusted data to that file, make sure you're enforcing least privileges on your workflow, use Actions which output parameters not environmental variables, and really understand the triggering workflow, particularly if initiated from a forked repository.

Lee Neely

The story has been twisted a bit as it made it into more popular media outlets. The issue here is not that people will be infected by Webb Telescope images. Instead, these are systems that are already infected and the malware downloads additional code attached to images. The intent is to fool automated detection systems. So, in some ways it is worse: Malware is downloaded and you do not even get to see the images. Enjoy those great images and have fun watching Artemis 1 (hopefully) taking off this weekend. Malware written in Go has been on the increase in recent years, in part because the defensive tooling for malware analysis has been a bit lacking for Go.

Johannes Ullrich

The initial entry point is a Phishing email with a loaded MS Word attachment, which then downloads an image with embedded base 64 code that looks like a certificate, calls certutil to decode it into a malicaious executable which is then executed. Currently the tested EDR platforms as well as Virustotal didn't detect this attack, you need to add the IOCs from the Securonix Blog to your arsenal and make sure that you're clean: https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/

Lee Neely

Show your CFO this sentence in the FBI warning: “A smart contract is a self-executing contract with the terms of the agreement between the buyer and seller written directly into lines of code that exist across a distributed, decentralized blockchain network.” If that doesn’t worry your CFO, explain why anything with “self-executing,” “buyer and seller” and “written directly into lines of code” in the same sentence should automatically trigger financial risk alarms to go off.

John Pescatore

SANS held the Blockchain Security Summit 2022 this week with talks and workshops in both English and Spanish. Slides and recordings of talks will be up shortly. Highly recommend watching the keynote and talks.

Jorge Orchilles

Make sure that you understand the risks and regulations relating to crypto currency. Consider that if something goes wrong, the money is gone. As such you need to do your own research into the security of DeFi providers, to include understanding their testing and vetting processes, verify they have been independently audited, including a code audit, be wary of limited time opportunities (your phishing/scam light should go off here), don't rely on crowdsourced/open source security vetting - too much is at stake.

Lee Neely

Interesting that the FBI is giving this warning as there is still a tenuous relationship between the government and this community. It is, however, important to realize that this is still software. This is highly complex software and is subject to vulnerabilities. Exchanges have many vulnerabilities that we have seen when performing penetration testing on them at work, and many of the vulnerabilities are not even on the blockchain/smart contract side. Still, they tend to steer toward general web application vulnerabilities that stem from these applications.

Moses Frost

Nothing against threat briefings, but if the US government wants to drive improvements in commercial cybersecurity, it needs to use its buying power to do so. The Bureau of Transportation Statistics shows that the US spends about $20B per year on air transportation (not counting the $60B in aid during the pandemic peak disruption), about 10% of overall US airline revenue. If all federal procurements for air travel services included requirements for essential security hygiene, that would cause industry CEOs and CFOs to see direct threats to today’s revenue, not just potential future threats to future profits.

John Pescatore

This follows the successful August 4th briefing for the Railroad industry. As with that briefing, communication options will be provided for those not in attendance. Pro-tip - if you're invited, don't miss the actual meeting. Making this type of specific information available to the private sector helps provide context and a basis for the threats to support the case for acting. One hopes they are also provided a non-classified version of the briefing they can share with those who need to know, to include financial decision makers.

Lee Neely

This 64-page document is a good framework for long term changes, but when the airplane is in the air, the engine is sputtering and the ground is getting closer, some immediate action is required. In the spirit of the Critical Security Controls Implementation Group 1, a starting point is requiring all software vendors to certify their software is at least free of the latest OWASP Top 10 vulnerabilities.

John Pescatore

The alert contains listings and references of secure development frameworks and guidance you can leverage, as well as specific design recommendations and guidance. Walk through the documents with your development team, discovering both opportunities and things you're already doing, then set a roadmap for future improvements where needed.

Lee Neely

Attacks on Latin American governments and organizations are on the rise. Please see the warnings and prepare. Test your organization with these well-known adversary behaviors so you can detect and respond to a ransomware attack before the data leaves your network and/or is encrypted.

Jorge Orchilles

While the specific strain and actors are not yet fully understood, the basics still apply. Use current EDR, keep your boundary protections updated, validate their configuration, keep OS and applications updated. Don't overlook your hypervisor. Actively manage user accounts and MFA all publicly accessible entry points. If you're not able to actively monitor, hire it out. Last, but far from least, make sure that you not only have good backups but also are able to restore from the ground up if needed.

Lee Neely

So you were wondering why you were getting prompted to relaunch Chrome? With the continuing influx of Chrome updates, your security teams should have already been pushing this update to both Chrome and Chromium-based browsers. Leverage managed Chrome options to not only notify users about relaunch but also limit the time they can postpone relaunching - default is 7 days.

Lee Neely

Yeah, we all did a double take at "Floppy Disks." This is really about keeping systems modernized. Japan still has business processes which require the use of disks - floppy, CD, MD, etc. The challenge is to keep processes current with modern technology and to make sure that you've migrated data stored on old formats to new media which can continue to be used. Don't be the one saying "Yes, I have your data here, excuse me while is search online for something that will read it." When looking at updating processes, make sure not to overlook implied security, actual or perceived, e.g., fax machines are seen as point to point and therefore more secure than digital transmission, irrespective of actual implementation.

Lee Neely

Be aware of ITAR and export control restrictions, particularly if working with US government data. In today's world of distributed and remote workers, it's very easy to employ effective workers which are not only outside our borders but also not US persons, and are not entitled to that information. When in doubt consult an expert, and if you have an issue take steps to rectify, not ignore it.

Lee Neely