SANS NewsBites

Malicious Code Found in xz utils; US House of Representatives Bans Microsoft Copilot AI Chatbot; Help Us Improve NewsBites

April 2, 2024  |  Volume XXVI - Issue #26

Top of the News


2024-04-01

Malicious Code Found in xz utils

Both Red Hat and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned of embedded malicious code in xz utils data compression library versions 5.6.0 and 5.6.1. CISA recommends downgrading to an unaffected version of the library. Researcher Andres Freund reported the vulnerability to Openwall on Friday, March 29.

Editor's Note

Luckily, this can be classified as a win for the good guys. But the danger to the supply chain is real. Not only was the backdoor very unique and sophisticated, but it was supported by a long-term social engineering campaign at least as complex as the backdoor itself. Take a minute this week, and send a thank-you note to an open source project that made a difference for you.

Johannes Ullrich

This incident brings strong echoes of Ken Thompson's famous paper, “Reflections on Trusting Trust”. If you have not read it, I strongly recommend you do. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

Brian Honan

This attack would have been highly effective if not for an engineer’s curious mind. Of note is the use of an advanced cryptographic scheme that ensures only they can use the bug for attack – a level of sophistication often found in nation-state backed operations. While the focus will be on the integrity of open-source software, it’s also a reminder for product vendors and the security controls they have in place for software configuration management.

Curtis Dukes

APT class actors have discovered the potential efficiency of the supply-chain. We must hold suppliers accountable for shipping malicious code. Open-Source is an easy target and a big risk. At a minimum, we should require open source contributors to sign their work and include an SBOM for any code that they reuse.

William Hugh Murray

What makes this one different is the sophistication and the targeting. This hidden code only appeared on compilation through an M4 macro and within the test trees. This requires a high degree of understanding of how to manipulate compiled binaries in systems. It appears that this was targeting xz’s use in SSH on specific systems. This would be a very innocuous and hard-to-understand backdoor in one of the most critical and trusted secure protocols that we rely on.

Moses Frost

2024-04-01

US House of Representatives Bans Staffers from using Microsoft Copilot AI Chatbot

The US House of Representatives has barred staff members from using the Microsoft Copilot AI chatbot. Microsoft Copilot “has been deemed by the Office of Cybersecurity to be a risk to users due to the threat of leaking House data to non-House approved cloud services.” This is not the first time legislators have restricted the use of AI applications: in June 2023, the House banned staffers’ use of the free version of ChatGPT and allowed only limited use of the paid version of the application.

Editor's Note

Microsoft stated “We recognize that government users have higher security requirements for data,” and released a set of tools presumably safe enough for government use. But, basically every business handling customer information needs to protect the privacy and security of that data, and self-inflicted wounds from poorly secured and managed AI tools are a risk for all.

John Pescatore

Wise move. Two concerns need to be settled. First, how is your information used and protected? Second, copyright: who owns the information created by the service?

Lee Neely

2024-04-02

Help Us Improve NewsBites

Please take 3 minutes to give us your suggestions.

The Rest of the Week's News


2024-03-31

NIST Updates NVD Program Announcement

The US National Institute of Standards and Technology (NIST) has posted a new statement regarding the backlog of unanalyzed CVEs in the National Vulnerability Database (NVD). Thousands of recently reported CVEs have not undergone analysis, leaving them without important enrichment data. NIST says they are prioritizing the most pressing issues for analysis and “are working with [their] agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.” More than 20 security professionals recently signed an open letter to Congress and Commerce Secretary Gina Raimondo. The letter underscores the NVD’s importance to the cybersecurity community and “urges [the recipients] to expeditiously investigate the ongoing issues with the NVD to ensure NIST is provided with the necessary resources to not only resume normal operations of this critical service but to also improve it further to resolve extant issues that preceded the February 2024 service degradation.”

Editor's Note

Maybe this program needs to look for partners outside of government agencies. I would think this could become a good program for some academic partnerships.

Johannes Ullrich

2024-03-29

JetBrains Updates TeamCity to Fix 26 Security Issues

On March 27, JetBrains released TeamCity 2024.03, which includes fixes for 26 security issues. While JetBrains did not disclose details about the issues addressed in the update, they did note that it includes fixes for seven CVEs, including a high-severity improper validation of consistency with input issue (CVE-2024-31136) that could be exploited to bypass two-factor authentication. The other six CVEs are rated medium severity.


2024-04-01

Linux WallEscape Vulnerability

A vulnerability affecting the “wall” command in the util-linux core utilities package can be exploited to leak passwords and modify the clipboard. The researcher who discovered the vulnerability, which has been dubbed “WallEscape”, described the issue in an advisory: “The util-linux wall command does not filter escape sequences from command line arguments.”

Editor's Note

The "wall" vulnerability is interesting in that it may not sound that the real danger comes from being able to misrepresent the console output. This is also a good reminder to not allow regular users access to "wall".

Johannes Ullrich

Escape mechanisms are fundamentally problematic. Proper filtering for triggers is essential. That said, because it is increasingly difficult for developers to understand the environment in which their code will run, knowing what to filter for is not easy. At a minimum, one should look to the OWASP guidance.

William Hugh Murray
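An added example, not code from the advisory or from util-linux: the filtering step that the WallEscape item above says wall lacks, and that William Hugh Murray's note calls for. It strips the terminal control sequences a broadcast message could otherwise carry to every recipient's terminal (CSI cursor/colour sequences, OSC sequences such as OSC 52, which terminals use for clipboard writes, two-byte ESC sequences and stray C0/C1 controls) and reports which classes were present so a caller can log or reject the message. The sample message and the pattern names are constructed for this example.

```python
import re

# Constructed sample message (not from the advisory): ordinary text interleaved
# with the kinds of control sequences an unfiltered broadcast would pass through.
SAMPLE_MESSAGE = (
    "Broadcast message\n"
    "\x1b[2J\x1b[H"                    # CSI: clear screen, cursor to home
    "\x1b]0;fake title\x07"            # OSC 0: set window title, BEL-terminated
    "\x1b]52;c;Zm9v\x1b\\"             # OSC 52: clipboard write, ST-terminated
    "\x1b[31mEnter password:\x1b[0m "  # SGR colour on / off
    "\x1bZ"                            # two-byte ESC sequence
    "\x7f\x08plain text\n"             # DEL and backspace
)

# Sequence classes, tried left to right at each position (names are mine):
#   csi   ESC [ <params> <intermediates> <final byte>
#   osc   ESC ] <text> terminated by BEL or by ESC \
#   esc   any other ESC + one byte in 0x40..0x5F; also swallows the start of an
#         unterminated OSC or CSI so no bare ESC survives
#   ctrl  remaining C0/C1 control characters and DEL, but not \n or \t
_CSI = r"\x1b\[[0-?]*[ -/]*[@-~]"
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
_ESC2 = r"\x1b[@-_]"
_CTRL = r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]"
_CONTROL_RE = re.compile(
    f"(?P<csi>{_CSI})|(?P<osc>{_OSC})|(?P<esc>{_ESC2})|(?P<ctrl>{_CTRL})"
)


def strip_terminal_controls(text: str) -> str:
    """Return text with every control sequence removed; newline and tab survive."""
    return _CONTROL_RE.sub("", text)


def control_kinds(text: str) -> set[str]:
    """Which sequence classes the message contains, e.g. for logging or rejection."""
    return {m.lastgroup for m in _CONTROL_RE.finditer(text)}


def is_clean(text: str) -> bool:
    """True when the message contains no control sequence at all."""
    return _CONTROL_RE.search(text) is None


if __name__ == "__main__":
    print(sorted(control_kinds(SAMPLE_MESSAGE)))
    print(repr(strip_terminal_controls(SAMPLE_MESSAGE)))
```

A message that fails is_clean() can be refused outright rather than cleaned; stripping is the fallback when the text must still be delivered.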

2024-03-29

PyPI New User and Projects Registrations Temporarily Suspended Due to Malicious Package Uploads

Last week, Python Package Index (PyPI) maintainers temporarily suspended new project creation and user registration while mitigating a malware upload campaign. The issue has been resolved and the suspension has been lifted. PyPI imposed a similar temporary suspension between December 27, 2023 and January 2, 2024.


2024-03-29

TheMoon Malware Campaign Creates Botnet

Researchers at Lumen have identified “a multi-year campaign” that uses malware known as TheMoon. The campaign has been targeting end-of-life home and small office routers and IoT devices, recruiting them into a botnet that the threat actors rent out as a proxy service for cyber criminals. As of earlier this year, the botnet comprised more than 40,000 devices in 88 countries. TheMoon was first detected a decade ago.

Editor's Note

It is amazing how things do not change, and how little impact we have made on the IoT world. TheMoon worm was first described in an isc.sans.edu post ten years ago.

Johannes Ullrich

This campaign highlights three ugly truths: 1) IoT devices are typically installed using default configuration (passwords); 2) they are rarely if ever updated (software, firmware); and 3) they continue in service well past their expiration date (EoL). The miscreants know this and are simply taking advantage of these weaknesses to great effect.

Curtis Dukes

2024-03-29

NYC MyCity Chatbot is Giving Bad Advice

A chatbot set up by New York City government to answer questions about city policy, laws, and regulations has been found to provide incorrect information about housing policy, rules regarding employee rights, whether businesses may refuse to accept cash payments (they may not), and other issues. In February, a court forced Air Canada to honor an inaccurate refund policy offered by its chatbot. In an emailed statement, a spokesperson for the NYC Office of Technology and Innovation said that they “will continue to focus on upgrading this tool so that we can better support small businesses across the city.”

Editor's Note

Human support personnel (especially poorly trained ones) obviously can give out bad advice, too – but much more slowly. Making sure AI models are properly tested and trained will require certification processes just like training of humans does.

John Pescatore

I’m not sure we can put the chatbot genie back in the bottle. The offsetting people cost is too great. A new skillset needs to emerge, effectively the QA of chatbots plugged into LLMs, along with a core understanding that they are authoritative for your company.

Lee Neely

I have an idea: Tell it to talk to another AI chatbot for advice. It’s just going to be AI chatbots down instead of turtles. But honestly, this technology is new to the broader audience it’s being used in, and I’m sorry the adoption rate is so rapid that this will happen. I am not sure this technology is ready to remove the training wheels fully, but it’s happening anyway. Actually, I will run this answer through the Bing chatbot because it will probably have the highest likelihood of terrible advice—one second. How does a chatbot Blue Screen? Moving on.

Moses Frost

2024-03-28

FCC Asks Comm Providers About Progress Securing Networks Against SS7 and Diameter Protocol Weaknesses

The US Federal Communications Commission’s (FCC’s) Public Safety and Homeland Security Bureau (PSHSB) wants to know more about how communications service providers are implementing security measures to prevent spying via wireless protocols. Specifically, the FCC wants to know what the providers have done to harden their networks against the exploitation of the SS7 and Diameter protocols, which contain algorithmic weaknesses that could expose communications. The PSHSB also wants to know of any instances in which the protocols were successfully exploited.


2024-04-01

AT&T Says Breach Affects More Than 70 Million Individuals

AT&T has acknowledged that data leaked to the dark web last month includes more than 70 million records belonging to current and former customers. Of those, roughly 7.6 million are current customers; AT&T has reset passcodes for those individuals. All the compromised data appear to be from 2019 or earlier.

Editor's Note

On its face this appears to have been a data breach circa 2021. Ok. Whether through an internal compromise, since closed, or via a third party, AT&T is responsible. Unfortunately, the data has been out there and available for years and simply resetting passcodes doesn’t solve the problem of identity theft.

Curtis Dukes

Internet Storm Center Tech Corner

The amazingly scary xz sshd backdoor

https://isc.sans.edu/diary/The+amazingly+scary+xz+sshd+backdoor/30802

The xz-utils backdoor in security advisories by national CSIRTs

https://isc.sans.edu/diary/The+xzutils+backdoor+in+security+advisories+by+national+CSIRTs/30800

xz-utils Backdoor CVE-2024-3094

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://tukaani.org/xz-backdoor/

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

Backdoor reverse analysis

https://bsky.app/profile/did:plc:x2nsupeeo52oznrmplwapppl/post/3kowjkx2njy2b

YARA Rule

https://github.com/byinarie/CVE-2024-3094-info/blob/main/CVE-2024-3094.yar

Social Engineering Attempts to Include Backdoor in Distros

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708

https://news.ycombinator.com/item?id=39866275

Statements from Distributions

https://www.kali.org/blog/about-the-xz-backdoor/

https://archlinux.org/news/the-xz-package-has-been-backdoored/

https://access.redhat.com/security/cve/CVE-2024-3094

https://bugs.gentoo.org/928134

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

Checking CSV Files

https://isc.sans.edu/diary/Checking+CSV+Files/30796

Infostealers Pose Threat to macOS

https://www.jamf.com/blog/infostealers-pose-threat-to-macos/