Search This Blog

Showing posts with label Supply Chain Attack. Show all posts

NIST Seeking Feedback for a New Cybersecurity Framework and Supply Chain Guidance

 

Addressing the SolarWinds disaster and other major third-party assaults targeting vital infrastructure, the National Institute of Standards and Technology is due to publish advice for securing organizations against supply chain breaches. [Special Publication 800-161] is the most important cybersecurity supply chain risk management guidance.' Angela Smith of the National Institute of Standards and Technology (NIST) stated. 

Angela Smith of the NIST talked at an Atlantic Council session on Tuesday about initiatives to protect information and communications technology supply chains. The first big revised version will be released by the end of next week, so stay tuned if you haven't already reviewed some of the public drafts. 

The NIST upgrade comes as the Biden administration tries to use the government's procurement power to prod contractors such as IT management firm SolarWinds and other software vendors to improve the security of their environments. 

Vendors of the underlying information and communications technology are pitching in and the Cybersecurity and Infrastructure Security Agency consider expanding private-sector partnerships and taking a more comprehensive approach to tackling dangers to critical infrastructure. 

Future guidelines on trying to manage cybersecurity risks that emerge through the supply chain, according to Smith, would focus more on actions for providers along the chain to address, in addition to the upcoming change. The current literature on the subject has been centered on the organizations' responsibilities for integrating supply-chain aspects into existing surroundings. 

The previous draft version, R2, which was released in October 2021, had a new appendix, Appendix F, which gave implementation assistance for Executive Order 14028 to government agencies. Following NIST's February 4, 2022, Secure Software Development Framework (SSDF) Recommendations, the SP 800-161 release scheduled for next week is likely to deliver more EO 14028 guidance.

The CSF was last updated by NIST in 2018. "There is no single reason causing this transition, This is a scheduled upgrade to keep the CSF current and consistent with other regularly used tools," said Kevin Stine, Chief Cybersecurity Advisor at the NIST. NIST is seeking public input on three primary topics to help guide the revision: revisions to the CSF itself, relationships and alignment between the CSF and other resources, and approaches to improve supply chain cybersecurity. President Barack Obama directed NIST to develop the CSF and directed federal agencies to use it, as well as advising the private sector to do so.

NIST should give a definition for an agency to "use" the framework, and agencies should furnish NIST with cybersecurity risk documents developed and used to comply with this requirement. For enterprises that are utilizing or considering adopting the NIST Cybersecurity Framework, seeing how it is used by US government entities would be extremely beneficial.

Forged Kubernetes Apps is used to Extract Sensitive Data from Argo CD Setups

 

Argo CD is among the most popular Kubernetes continuous deployment technologies. Besides being easy to operate, it has a lot of power too. Kubernetes GitOps is the first tool that comes to mind. For cluster bootstrapping, Argo CD uses the App of Apps pattern.

Instead of manually developing each Argo CD app, we can make it programmatically and automatically. The idea is simple: make a single Argo CD application that looks for a git repo directory and puts all of the Argo CD application configuration files there. As a result, whenever an application definition file is created on the git repo location, the Argo CD application is immediately produced. Inspiringly, any Kubernetes object, including Argo CD, can be generated or handled. 

Apiiro's Security Research team discovered a vulnerability scanning supply chain 0-day vulnerability (CVE-2022-24348) in Argo CD, another famous open source Continuous Delivery platform, which allows attackers to access sensitive data like secrets, passwords, and API keys. 

Argo CD organizes and instigates the operation and monitoring of post-integration application deployment. A user can create a new deployment pipeline by specifying an Archive or a Kubernetes Helm Chart file which contains:
  • The metadata and data required to deploy the correct Kubernetes setup.
  • The ability to update the cloud setup dynamically as the manifest is changed. 

A Helm Infographic is a YAML document that has multiple fields which constitute a declaration of assets and configurations required for an application to be deployed. File names and indirect paths to self-contained software sections in other files are one form of value that can be found in the application in question. 

In reality, Argo CD contributors predicted as this type of exploitation will be available in 2019 and designed a dedicated framework to facilitate it. The vulnerability has two consequences: 

First, the direct consequences of reading contents from other files on the repository, which may contain sensitive data. The aforementioned can have a significant influence on a company. 

Second, because application files typically contain a variety of transitive values of secrets, tokens, and environmentally sensitive settings, the attacker can effectively use this to expand the campaign by moving laterally through different services and escalating the privileges to gain more ground on the system and target organization's resources. 

Argo CD-reposerver is a central server or pod where repositories are saved; apart from file architecture, there is no robust segmentation, hence the anti-path-traversal technique is a crucial component of file security. The mechanism's inner workings are mostly contained in a single source code file called util/security/path traversal.go, which details the systematic cleanup of origin path input.

SureMDM Vulnerabilities Expose Organizations to Supply Chain Attacks

A chain of vulnerabilities in 42Gears' SureMDM device management products could have led to a supply chain disruption via the platform. 42Gears, based in Bangalore, was established in 2009 and offers mobile device management and productivity products for organizations with an extensive mobile workforce. 

The website's list consists of major customers, which include Deloitte, Saab, Lufthansa, Thales, Tesco, Intel, etc. Experts at Immersive Labs found and revealed the first flaws to 42Gears on July 6, 2021. A series of extra bugs disclosure along with 'failed' private security patches. 

It means efficient public security fixes were not issued until November 2021 and January 2022. 
"An authentication method can be turned on by the user, but an oversight in the setup allows Linux and Mac devices to bypass the authentication step. This has been fixed in the latest patch, but it is still not the default setting and requires the user to manually enable it," reports Security Week. Earlier in January, 42Gears told Immersive that they continuously applied additional patches beyond the reports by the experts. 

At this moment, Immersive thought that everything necessary for ensuring principles of trustworthy disclosure was done, and they could publicize their discovery. The identified vulnerabilities include a few that affect the 42Gears web console and also other Linux agents. 

But most critical are the web console vulnerabilities. Chaining these will allow a hacker to shut down security tools and enable malware into macOS, Linux, or Android devices that installed SureMDM. The Linux agent flaws can allow an attacker to execute remote code on the systems, mirroring the root user. 

Hackers can use authentication methods against the users via an oversight in the setup that lets Mac and Linux devices evade the authentication level. Security Week reports, "the SureMDM agent vulnerabilities include command injection on the Linux agent. Users with physical access to a device can use a hidden key sequence to launch SureLock (kiosk software included with SureMDM) as the root user. The attacker can then use command injection to gain local privilege escalation."

Lazarus Has Started to Target the IT Supply Chain

 

The Lazarus hacker gang, which is backed by North Korea, has shifted its emphasis to new targets and has been detected by Kaspersky security experts improving its supply chain assault capabilities. After breaching a Latvian IT provider in May, Lazarus utilized a new form of the BLINDINGCAN backdoor to attack a South Korean research tank in June.

Lazarus built an infection chain in the first case found by Kaspersky researchers, which began with legitimate South Korean security software distributing a malicious payload. The target in the second case was a Latvian company that develops asset monitoring solutions, an unusual victim for Lazarus. CISA and the FBI were the first to notice the backdoor utilized in these assaults. It can elude detection by removing itself from infiltrated computers, exfiltrate data, create and destroy processes, and tamper with file and folder timestamps, according to the researchers. 

The infection chain included the Racket downloader, which was signed with a stolen certificate. The hacker gang infiltrated weak web servers and installed scripts that gave them control over the dangerous implants. 

Lazarus has been targeting the defence industry using the MATA malware architecture for cyber-espionage purposes for some months, according to Kaspersky. MATA had previously been utilized by the gang for a variety of reasons, including data theft and ransomware transmission. A downloader was used to collect further malware from the command and control (C&C) server in the attacks, which leveraged a multi-stage infection chain. For this campaign, Lazarus upgraded the MATA framework and signed some of its components with a legitimate but stolen digital certificate. 

“Through this research, we discovered a stronger connection between MATA and the Lazarus group, including the fact that the downloader malware fetching MATA malware showed ties to TangoDaiwbo, which we had previously attributed to the Lazarus group,” Kaspersky said. 

Lazarus, also known as Hidden Cobra, has been active since at least 2009 and is suspected of orchestrating a number of high-profile strikes. In 2020, the group targeted COVID-19 research, as well as members of the security research community and vaccine maker Pfizer. 

"These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks," said Ariel Jungheit, a senior security researcher at Kaspersky. "When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year."

Siamesekitten Launches New Operations Against Israeli Organizations


 


To mask their actual objectives, hackers affiliated with the government of Iran have concentrated their offensive efforts on IT and communications businesses in Israel. Ever since least 2018, operations have indeed been ascribed to the APT group of Iranians known as Lyceum, Hexane, and Siamesekitten. 

At the epicenter of a cyberattack on the supply chain, IT and communications companies in Israel has been led by Iranian threat actors who have impersonated businesses and their HR professionals to target victims with fraudulent employment proposals to infiltrate their systems and obtain access to the firms' customers. ClearSky claimed that the cyberattacks on IT and telecom firms are designed to make supply chain attacks on its customers simpler.

The operations, which took place in two phases in May and July 2021, are connected with the hacking group Siamesekitten, which has mainly pinpointed the Middle East and African oil, gas, and telecommunications suppliers. The attackers coupled social engineering technology with an enhanced malware version to provide remote access to the affected machine. 

In one case, the cybercriminals used the username of a former HR manager of ChipPC company to construct a fraudulent LinkedIn profile, a strong indication that the hackers had been doing their research even before the campaign was launched.

In addition to using Lure documents as the initial vector of attacks, its network comprised the establishment of fraudulent websites, which imitated the impersonation of the organization, and the creation of false LinkedIn profiles. The bait files take the shape of a macro-embedded Excel table, detailing alleged job offers and of a portable (PE) file containing a 'catalog' of products utilized by the impersonated firm. 

"This campaign is similar to the North Korean 'job seekers' campaign, employing what has become a widely used attack vector in recent years - impersonation," the Israeli cybersecurity company said. "The group's main goal is to conduct espionage and utilize the infected network to gain access to their clients' networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware." 

Whatever file the victim downloads, the attack chain is completed with a C++-based Milan backdoor installation. The attacks against Israel's enterprises in July 2021 are especially noteworthy since Milan had been substituted by the threat player with a new installation named Shark, written in.NET.

1.2 Million People Affected by Practicefirst's Supply Chain Ransomware Breach

 

One of the largest health data breaches disclosed to federal regulators so far this year is a supply chain ransomware attack that affected over 1.2 million people. Practicefirst, a medical management services company situated in Amherst, New York, disclosed a data breach to federal officials on July 1. According to the company's breach notification statement, the company paid a ransom in exchange for the attackers promising to destroy and not further expose files seized in the incident. 

The HIPAA Breach Reporting Tool, a website run by the Department of Health and Human Services that lists health data breaches impacting 500 or more people, says that Practicefirst reported the event affecting more than 1.2 million people. The Practicefirst hack was the sixth-largest health data breach reported on the HHS website so far in 2021 as of Tuesday.

According to Practicefirst's breach notification statement, on December 30, 2020, "an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied several files from our system, including files that include limited patient and employee personal information." When the corporation learned of the situation, it says it shut down its systems, changed passwords, notified law enforcement, and hired privacy and security specialists to help.

"The information copied from our system by the unauthorized actor before it was permanently deleted, included name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information," Practicefirst says. 

"We are not aware of any fraud or misuse of any of the information as a result of this incident," the company says. "The actor who took the copy has advised that the information is destroyed and was not shared." Many security experts believe that such promises made by hackers are untrustworthy. "Cybercriminals who infiltrate information systems are not reputable or reliable. By their nature, they will lie, cheat and steal," says privacy attorney David Holtzman of consulting firm HITprivacy LLC. 

"Vendors to healthcare organizations should be transparent to the public and to the organizations contracted with those providers to make clear statements as to what happened, what data may have been compromised and what steps they are taking to notify the organizations they serve of the data that was put at risk."

Mongolian Certificate Authority Hacked Eight Times

 

The unidentified hackers attacked the website of MonPass, one of Mongolia's leading certificate authorities, to backdoor its installation software with Cobalt Strike binaries in yet another software supply chain attack. 

According to a study published on Thursday by Czech cybersecurity software provider Avast, the trojanized client was accessible for download between February 8, 2021, and March 3, 2021. 

In addition, the researchers discovered eight distinct web shells and backdoors on a public webserver hosted by MonPass, which shows that it was compromised as many as eight times. After discovering the backdoored installation and implant on one of its clients' PCs, Avast launched an inquiry into the matter. 

"The malicious installer is an unsigned [Portable Executable] file," the researchers stated. "It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the 'C:\Users\Public\' folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious." 

The installer downloads a bitmap image (.BMP) file from a remote server to extract and execute an encrypted Cobalt Strike beacon payload, which is notable for its use of steganography to send shellcode to the victim's device. 

On April 22, MonPass was informed of the situation, and the certificate authority took measures to resolve the compromised server and notify those who had downloaded the backdoored client. The incident is the second time that certificate authority software has been used to attack targets with malicious backdoors. ESET revealed a campaign called "Operation SignSight" in December 2020, in which a digital signature toolset from the Vietnam Government Certification Authority (VGCA) was modified to incorporate spyware competent in collecting system data and installing additional malware. 

The development also comes as Proofpoint's announced earlier this week that the use of the Cobalt Strike penetration testing tool in threat actor campaigns has increased by 161% year over year from 2019 to 2020. 

According to Proofpoint analysts, “"Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020."