2021 is the year of software supply chain attacks. The latest involves code tampering in the official PHP Git repository. This is alarming because 79% of websites online use PHP as their server-side programming language. Two malicious changes upstream were pushed as “commits” by known PHP developers and maintainers, and made in the name of PHP’s creator.
As supply chain attacks seek to do, this abuses trust, which appears inherent in the commit process that allows for forged sign-offs to come from anyone else locally. To ensure better security going forward, PHP changes will now go through GitHub and not the PHP git server and contributors will need to be added to an authorized group. Sounds good 👍
Critical Netmask bug impacts hundreds if thousands of applications per Bleeping Computer
Netmask is the npm library used worldwide by hundreds of thousands of applications to parse or compare IPv4 addresses and CIDR blocks. It gets 3 million weekly downloads, and 278,000 GitHub repos depend on it.
A critical networking bug was identified, CVE-2021-28918, affecting how netmask handles when IPv4 decimal addresses have a leading zero. It could lead to server-side request forgery bypasses or remote file inclusion. Which impacts the ability of appliances or tools like Web Application firewalls to protect and defend, or perimeter security controls. Fixes are available on Npm downloads.
Ah, the wonderful world of speculative attacks aka known as the “sky is falling!” Spectre and Meltdown introduced us to a series of vulnerabilities allowing for things that were “never supposed to happen”. We know “trust but verify”, but need to add “never say never”.
Two new vulnerabilities could potentially allow attackers to bypass mitigations and get their paws on sensitive information from the kernel memory. All versions of Linux prior to 5.11.8 are affected. Patches were being released as of March 20.
WordPress sites are prime targets and rapidly exploited for unpatched vulnerabilities. If you are using Thrive Theme Legacy and plugins, about 100,000 sites are vulnerable and being actively exploited since patches were released March 12. The attached link to Wordfence will tell you what to do. There’s a couple other fixes for the Facebook for WordPress plugin that were highlighted today and found on over 500,000 sites that need your attention. Stay safe!
NAS boxes are great for storage and QNAP is very common. Unfortunately that has made it a prime target for attacks, including targeted ransomware. Right now attackers are using automation assistance to crack credentials for the boxes. There are recommendations out now to secure your QNAP: change the default access port number, make your password really strong, then enable password policies and finally disable the admin account that is being targeted currently. That takes a little more work but worth it. The link to the article walks you through what you need to do 😊
Patch It Now:Critical bug fix for Cisco Jabber per Bleeping Computer. The bug affects Jabber client software for Windows, macOS, Android and iOS. With some work, a remote authenticated attacker could execute arbitrary programs on a device with the vulnerable Jabber software running. I know it’s an enterprise org thing, so there’s plenty of patching to be done before somebody starts exploiting it.
CISA issued an advisory March 16 warning of critical vulnerabilities in GE’s Universal Relay power management devices. GE has released patches for 9 vulnerabilities affecting numerous relay models. Exploitation of these unpatched flaws could let attackers reboot the UR, access sensitive information, gain privileged access to go deeper and cause more harm, or create a denial of service condition. Also of note is firmware versions prior to 8.1x were found using weak encryption and MAC algorithms for SSH communication (trust me not good) so they were more vulnerable to brute-force attacks for initial access.
Critical infrastructure, like power utilities, is essential to our daily lives, but most people don’t realize there isn’t just standard IT in use, but specialized operational tech systems, often left in place for years with the mindset “if it ain’t broke don’t fix it”. As these once-sequestered systems get increasingly connected or exposed to the Internet, they are less patched and more susceptible to compromise than standard IT.
There has been a steady increase in both the size of the target and the ransom demanded. Sierra Wireless, a major global IoT solutions provider, disclosed they were hit March 20. The company sells products and services a number of verticals: healthcare, industry, energy, technology and more. The company is not sharing more except that they shut down manufacturing plants worldwide and they have “a clear separation between its internal IT and customer facing products and services”.
Telecom communications are critical infrastructure, and never more so than during a pandemic. We know attackers will aim for the pain points to ensure payment. I expect more attacks will be delivering disruptions to essential services at mass scale.
Patch It Now:Google reports targeted exploitation of unpatched devices with Qualcomm chipsets. CVE-2020-11261 It isn’t world on fire and local access to the device is needed – watering hole delivery of evil code will also work.
This weekend security researcher Marcus Hutchins reported seeing a threat actor run a script to compromise all Exchange servers vulnerable to ProxyLogon. It dropped a Black KingDom ransomware note but did not encrypt anything.
However, Michael Gillepsie of ID Ransomware claims he’a seen 30 unique submissions to his system and device encryptions. Also of note is that back in 2020 corporate networks were being targeted via Pulse VPN vulnerabilities and hit with ransomware known as BlackKingdom, and it’s being determined if these are the same. Stay tuned and more importantly – stay vigilant!
This particular Apache product is “a Java-based web framework” for automating open source enterprise resource planning systems or ERP. I’m guessing there’s a lot out there. CVE-2021-26295 can allow for remote code execution by unauthorized parties via unsafe deserialization in the attack. Deserialization exploits do bad things with data integrity.
This vulnerability affects versions before 17.12.06 so upgrade asap. Please! Because we all recall what happened to unpatched Apache Struts vulnerabilities! Cough – Equifax – cough.
Keep Watch: Active exploits against BIG-IP by F5 ongoing. If you aren’t patched, assume compromise. Seriously 😐
#ShareTheMicInCyber is a campaign on both Twitter and LinkedIn to boost the profiles and share the experiences of black women in cyber security and privacy. These are just some of the amazing women and supporters featured today. Let’s keep amplifying and lift each other up!
We love all the cool fun stuff Apple makes. To enable the creativity there is a free application development environment known as Xcode, where devs can share things. Collaboration is powerful, saving time and money when you can use something already made. Over 2020 we saw more attackers accessing online repositories to mess with the code, which can become a supply chain attack when tainted code gets distributed by a trusted source.
A malicious version of legit iOS “TabBarInteraction” Xcode was found by SentinelOne researchers. It had an obfuscated command that opens a remote shell back home and uses the EggShell backdoor. Apple devices have an established rep for being secure, which comes with the expectation that associated apps and services will be too. For attackers, this presents a major opportunity to gain access by abusing that inherent trust.
Deception. Or, what you can’t see may hurt you. Steganography continues to evolve as an attack tactic that lets attackers hide their malicious code inside media files. Hide in plain sight. There were two new developments this week.
In one, security researcher David Buchanan shared how to hide MP3 audio files and ZIP archives in PNG images on Twitter, because of how Twitter handles PNG uploads. There are some limitations, but nothing a motivated attacker couldn’t work around.
In the other, researchers at Sucuri found Magecart attackers were hiding the stolen payment card data they skimmed in JPG files on websites they injected with malicious code. Magecart attacks are hard to detect unless you know where to look in the code and are actively watching for them. Over 2020 these attacks rose sharply and Magento sites are a favourite target.
MS Exchange Server Hits: Chilean banking regulator reports server compromise. 32 Indian organizations have been compromised.
SolarWinds Update: per Bleeping Computer. Mimecast, a major email security provider, reported they were accessed via the Sunburst backdoor. The attackers accessed email, contact info, and took source code. Mimecast says it does not look like enough code was taken to do anything significant, but given the number of things that come to light post compromise I am pessimistic. Also: Note the abuse of certificates in the attack. Mimecast published an Incident Report with more details.
Security researcher at Grimm identified three bugs in the Linux kernel that fortunately are now patched and which no one else noticed in all this time. Read their report here. This was for iSCSI implementation, which isn’t something at the forefront anymore. However – as we know so well with Windows and older Linux libraries – age doesn’t matter. There are many components that have been around for years, even decades, in which major vulnerabilities are currently being identified. Some are critical, allowing for RCE and total system compromise. And with Linux systems some of these kernel modules are configured to be automatically loaded by certain apps. Not to be overly dramatic but there could be a ticking time bomb buried deep within the network