More stories

    Google releases new open-source security software program: Scorecards

    Some naive people may still think they’re not using open-source software. They’re wrong. Everyone does. According to the Synopsys Cybersecurity Research Center (CyRC) 2021 “Open Source Security and Risk Analysis” (OSSRA) report, 95% of all commercial programs contain open-source software. By CyRC’s count, the vast majority of that code contains outdated or insecure code. But how can you tell which libraries and other components are safe without doing a deep code dive? Google and the Open Source Security Foundation (OpenSSF) have a quick and easy answer: the OpenSSF Security Scorecards.

    These Scorecards are based on a set of automated pass/fail checks to provide a quick review of many open-source software projects. The Scorecards project is an automated security tool that produces a “risk score” for open-source programs. That’s important because only some organizations have systems and processes in place to check new open-source dependencies for security problems. Even at Google, with all its resources, this process is often tedious, manual, and error-prone. Worse still, many of these projects and developers are resource-constrained. The result? Security often ends up a low priority on the task list. This leads to critical projects not following good security best practices and becoming vulnerable to exploits.

    The Scorecards project hopes to make security easier to achieve with the release of Scorecards v2. This release adds new security checks, scales up the number of projects being scored, and makes the data easily accessible for analysis. For developers, Scorecards help reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Consumers can automatically assess the risks to make informed decisions about accepting the program, looking for an alternative solution, or working with the maintainers to make improvements. Here’s what’s new:

    Identifying Risks: Since last fall, Scorecards’ coverage has grown; the project has added several new checks, following Google’s Know, Prevent, Fix framework.

    Spotting malicious contributors: Contributors with malicious intent or compromised accounts can introduce potential backdoors into code. Code reviews help mitigate such attacks. With the new Branch-Protection check, developers can verify that the project enforces mandatory code review from another developer before code is committed. Currently, this check can only be run by a repository admin due to GitHub API limitations. For a third-party repository, use the less informative Code-Review check instead.

    Vulnerable Code: Even with developers’ and peer reviewers’ best efforts, bad code can still enter a codebase and remain undetected. That’s why it’s important to enable continuous fuzzing and static code testing to catch bugs early in the development lifecycle. Scorecards now checks whether a project uses fuzzing and SAST tools as part of its continuous integration/continuous deployment (CI/CD) pipeline.

    Build system compromise: A common CI/CD solution used by GitHub projects is GitHub Actions. A danger with these action workflows is that they may handle untrusted user input, meaning an attacker can craft a malicious pull request to gain access to the privileged GitHub token, and with it the ability to push malicious code to the repo without review. To mitigate this risk, Scorecards’ Token-Permissions prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.

    Bad dependencies: A program is only as secure as its weakest dependency. This may sound obvious, but the first step to knowing your dependencies is simply to declare them… and to have your dependencies declare theirs too. Armed with this provenance information, you can assess the risks to your programs and mitigate them. That’s the good news. The bad news is that there are several widely used anti-patterns that break this provenance principle. The first of these anti-patterns is checked-in binaries, as there’s no easy way to verify or check the contents of a binary in the project. Thanks in particular to the continued use of proprietary drivers, this may be an unavoidable evil. Still, Scorecards provides a Binary-Artifacts check for testing this. Another anti-pattern is the use of curl or bash in scripts, which dynamically pulls dependencies. Cryptographic hashes let us pin our dependencies to a known value. If this value ever changes, the build system detects it and refuses to build. Pinning dependencies is useful everywhere we have dependencies: not just during compilation, but also in Dockerfiles, CI/CD workflows, etc. Scorecards checks for these anti-patterns with the Frozen-Deps check. This check is helpful for mitigating malicious dependency attacks such as the recent Codecov attack.

    Even with hash-pinning, hashes need to be updated once in a while when dependencies patch vulnerabilities. Tools like dependabot or renovatebot can review and update the hashes. The Scorecards Automated-Dependency-Update check verifies that developers rely on such tools to update their dependencies.

    It is important to know the vulnerabilities in a project before using it as a dependency. Scorecards can provide this information via the new Vulnerabilities check, without subscribing to a vulnerability alert system.

    That’s what’s new. Here is what the Scorecards project has done so far. It has now evaluated security for over 50,000 open source projects. To scale this project, its architecture has been massively redesigned. It now uses a Pub/Sub model, which gives it improved horizontal scalability and higher throughput. This fully automated tool periodically evaluates critical open source projects and exposes the Scorecards check information through a weekly updated public BigQuery dataset.
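    The two workflow anti-patterns named above, a GitHub token that is not read-only by default and actions pulled by a mutable tag rather than a pinned hash, can be spotted with a few lines of code. The script below is an added example and is not Scorecards’ own code; it applies a line-based approximation of the Token-Permissions and Frozen-Deps ideas to two constructed GitHub Actions workflow texts, one weak and one hardened. The workflow contents, the action names and the 40-character placeholder SHAs are all constructed for illustration.

```python
"""Toy checks in the spirit of the Scorecards Token-Permissions and
Frozen-Deps checks. Added example, not Scorecards' own code: the rules are
a line-based approximation applied to constructed workflow texts."""
import re
from typing import List

# Constructed sample (weak): no top-level `permissions:` block, so GITHUB_TOKEN
# gets the repository default, and actions are referenced by mutable tags.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
      - run: go test ./...
"""

# Constructed sample (hardened): token is read-only by default and every action
# is pinned to a full commit SHA. The SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v2.4.0
      - uses: actions/setup-go@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v2.1.5
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")            # full commit hash pin
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(?P<val>.*)$")  # column 0 only
WRITE_SCOPE_RE = re.compile(r"^\s+\S+:\s*write\s*$")


def unpinned_actions(workflow: str) -> List[str]:
    """Every `uses:` reference not pinned to a 40-hex commit SHA.
    Local (./path) and docker:// references are outside this check."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not SHA_RE.search(ref):
            findings.append(ref)
    return findings


def token_is_read_only(workflow: str) -> bool:
    """True when the workflow declares top-level read-only token permissions:
    `permissions: read-all`, `permissions: {}`, or a scope map with no `write`
    entry. No block at all means the repository default applies, which this
    toy check treats as not read-only."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = TOP_PERMISSIONS_RE.match(line)
        if not m:
            continue
        val = m.group("val").strip()
        if val in ("read-all", "{}"):
            return True
        if val == "write-all":
            return False
        for nxt in lines[i + 1:]:          # mapping form: scan indented scopes
            if not nxt.startswith(" "):
                break
            if WRITE_SCOPE_RE.match(nxt):
                return False
        return True
    return False


def score(workflow: str) -> dict:
    """Summarise both checks for one workflow file."""
    return {"token_read_only": token_is_read_only(workflow),
            "unpinned": unpinned_actions(workflow)}


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, score(wf))
```

    Run as-is, the weak workflow reports a non-read-only token and two unpinned actions, while the hardened one passes both checks. A pinned SHA still needs a bot such as dependabot or renovatebot to bump it when the action is patched, which is the point of the Automated-Dependency-Update check described above.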

    To access this data, you can use the bq command-line tool. The following example shows how to export data for the Kubernetes project. For your purposes, substitute the Kubernetes repo URL with the one for the program you need to check:

    $ bq query --nouse_legacy_sql 'SELECT Repo, Date, Checks FROM openssf.scorecardcron.scorecard_latest WHERE Repo="github.com/kubernetes/kubernetes"'

    You can also see the latest data on all Scorecards-analyzed projects. This data is also available in the new Google Open Source Insights project and the OpenSSF Security Metrics project. The raw data can also be examined via data analysis and visualization tools such as Google Data Studio. With the data in CSV format, you can examine it with whatever your favorite data analysis and visualization tool may be.

    One thing is clear from all this data: there are still a lot of security gaps to fill, even in widely used packages such as Kubernetes. For example, many projects are not continuously fuzzed, don’t define a security policy for reporting vulnerabilities, and don’t pin dependencies. According to Google, and frankly, anyone who cares about security: “We all need to come together as an industry to drive awareness of these widespread security risks, and to make improvements that will benefit everyone.”

    As helpful as Scorecards v2 is, much more work remains to be done. The project now has 23 developers; more would be welcomed. If you would like to join the fun, check out these good first-timer issues. These are all accessible via GitHub. If you would like Google to help you run Scorecards on specific projects, please submit a GitHub pull request to add them. Last but not least, Google’s developers said, “We have a lot of ideas and many more checks we’d like to add, but we want to hear from you. Tell us which checks you would like to see in the next version of Scorecards.” Looking ahead, the team plans to add:

    If I were you, I’d start using Scorecards immediately. This project can already make your work much safer, and it promises to do even more to improve not only security for your programs but also for the programs it covers.

    NSA, FBI warn of ongoing brute force hacking campaign tied to Russian military

    A brute force password-hacking campaign led by Russian military intelligence tied to the group Fancy Bear has been targeting US and European organizations since mid-2019, said a joint advisory by the National Security Agency, the FBI, the Department of Homeland Security and the UK’s GCHQ on Thursday.

    National security officials said the exploitation is almost certainly ongoing and is part of a broader effort by Russia’s GRU and 85th GTsSS to obtain information on a wide range of sensitive targets. The attackers are using brute force techniques, in which repeated login attempts are used to uncover usernames, passwords and valid account credentials, to infiltrate the networks of government and private sector organizations including military defense contractors, energy and logistics companies, law firms, think tanks, media outlets and universities.

    While the brute force tactic is nothing new, the Russian hackers uniquely leveraged Kubernetes software containers to scale the brute force attempts, the advisory said. The attackers also attempted to evade detection by routing the Kubernetes brute force attacks through TOR and commercial VPN services. According to the advisory, GRU hackers are using compromised account credentials in conjunction with known software vulnerabilities, including exploits for Microsoft Exchange servers like CVE-2020-0688 and CVE-2020-17144, in order to gain access to internal servers. Once the attackers gain remote access, they’re combining a number of techniques to move laterally within the network and to access protected data, including email.

    “NSA encourages Department of Defense (DoD), National Security Systems (NSS), and Defense Industrial Base (DIB) system administrators to immediately review the indicators of compromise (IOCs) included in the advisory and to apply the recommended mitigations,” the advisory said. “The most effective mitigation is the use of multi-factor authentication, which is not guessable during brute force access attempts.”
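    The brute force pattern the advisory describes, repeated login attempts that work through usernames and passwords, leaves a recognisable shape in authentication logs, and the advisory’s recommended mitigation (multi-factor authentication) is strongest when paired with detection of that shape. The script below is an added example and is not from the advisory or the agencies behind it. It runs three simple detections over constructed log lines: a burst of failures from one source, failures spread over many accounts from one source (the spraying variant that never trips per-account lockout), and a success from a source that had already failed repeatedly. The log format, usernames, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for illustration.

```python
"""Surface brute-force login patterns in authentication logs.

Added example; not from the NSA/FBI/GCHQ advisory. The log format, usernames
and addresses (RFC 5737 documentation ranges) are constructed, and the
thresholds are illustrative starting points, not values from the advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammering six accounts in ten seconds and
# then succeeding, one user mistyping a password once, and one source with two
# failures hours apart (below any sensible threshold).
SAMPLE_LOG = """\
2021-07-01T12:00:01Z auth result=fail user=alice src=203.0.113.5
2021-07-01T12:00:03Z auth result=fail user=bob src=203.0.113.5
2021-07-01T12:00:05Z auth result=fail user=carol src=203.0.113.5
2021-07-01T12:00:07Z auth result=fail user=dave src=203.0.113.5
2021-07-01T12:00:09Z auth result=fail user=erin src=203.0.113.5
2021-07-01T12:00:11Z auth result=fail user=frank src=203.0.113.5
2021-07-01T12:00:13Z auth result=ok user=frank src=203.0.113.5
2021-07-01T12:30:00Z auth result=fail user=alice src=198.51.100.7
2021-07-01T12:30:20Z auth result=ok user=alice src=198.51.100.7
2021-07-01T09:00:00Z auth result=fail user=bob src=192.0.2.44
2021-07-01T11:00:00Z auth result=fail user=bob src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<res>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log: str):
    """Parse log lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event in the constructed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["res"], m["user"], m["src"]))
    events.sort()
    return events


def brute_force_sources(events, window=timedelta(minutes=5), max_failures=5):
    """Sources with at least max_failures failed logins inside any sliding
    window. Returns {src: peak failure count seen in one window}."""
    fails = defaultdict(list)
    for ts, res, _user, src in events:   # events are already time-ordered
        if res == "fail":
            fails[src].append(ts)
    flagged = {}
    for src, times in fails.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= max_failures:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def spray_sources(events, min_users=3):
    """Sources whose failures span at least min_users distinct accounts: the
    password-spraying shape, where per-account lockouts never trigger."""
    users = defaultdict(set)
    for _ts, res, user, src in events:
        if res == "fail":
            users[src].add(user)
    return {src: len(u) for src, u in users.items() if len(u) >= min_users}


def success_after_failures(events, min_prior_failures=3):
    """(src, user) pairs where a login succeeded from a source that had
    already failed min_prior_failures times: a likely guessed credential."""
    prior = defaultdict(int)
    hits = []
    for _ts, res, user, src in events:
        if res == "fail":
            prior[src] += 1
        elif res == "ok" and prior[src] >= min_prior_failures:
            hits.append((src, user))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("burst sources:   ", brute_force_sources(ev))
    print("spraying sources:", spray_sources(ev))
    print("guessed logins:  ", success_after_failures(ev))
```

    The third detection is the one worth paging on: a success that follows a run of failures from the same source is the moment a guessed credential starts being used, and it is exactly the step that multi-factor authentication blocks. Because the advisory notes the traffic was routed through TOR and commercial VPNs, a real deployment would key these counters on more than the source address (for example on target account and user agent as well), since one campaign can arrive from many addresses.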

    Lorenz ransomware attack victims can now recover files with this free decryption tool

    Cybersecurity researchers have released a decryption tool which allows victims of Lorenz ransomware to decrypt their files for free – and crucially, without the need to pay a ransom demand to cyber criminals. This is particularly important for Lorenz, as a bug in the ransomware’s code means that even if victims paid for the decryption key, some of the encrypted files can’t be recovered. But following analysis of the malware, researchers at Dutch cybersecurity company Tesorion found that they were able to engineer a decryption tool for Lorenz ransomware – and now it’s available for free via No More Ransom. No More Ransom is a joint project by law enforcement agencies including Europol’s European Cybercrime Centre, along with partners across Europe in cybersecurity and academia, which aims to disrupt the business of ransomware gangs by providing decryption keys which allow victims to retrieve their files without paying a ransom. The decryption key for Lorenz ransomware is the 120th decryptor to be made available on No More Ransom since the project began in 2016. Lorenz ransomware first emerged in April this year and those behind it have targeted organisations around the world.

    The cyber criminals behind Lorenz steal data before encrypting it and attempt to use this as additional leverage in the attack by threatening to publish the stolen information if the ransom isn’t paid. This double extortion technique has become common among the most successful ransomware operations. Typically, the cyber criminals behind Lorenz demand a ransom of between $500,000 and $700,000 in Bitcoin in exchange for the decryption key – but thanks to cybersecurity researchers at Tesorion and the No More Ransom initiative, those who fall victim to Lorenz can retrieve their files for free. However, the best way for organisations to prevent disruption from a ransomware attack is to avoid falling victim to one in the first place by having a sound cybersecurity strategy. Recommendations on how to achieve this from No More Ransom include regularly updating backups and storing them offline, so in the event of a ransomware attack, the data won’t be destroyed by cyber criminals. It’s also recommended that organisations use robust antivirus software and that all software and operating systems across the network are up to date with the latest updates and security patches, so that cyber criminals can’t exploit known vulnerabilities to gain access to the network to install ransomware.

    Microsoft reveals authentication failures, system hijack vulnerabilities in Netgear routers

    Microsoft has disclosed a series of vulnerabilities in Netgear routers which could lead to data leaks and full system compromise.

    On June 30, Jonathan Bar Or, a member of Microsoft’s 365 Defender Research Team, revealed the vulnerabilities, which were patched prior to public disclosure.  Bar Or said that the trio of bugs impacted DGN-2200v1 series routers — running firmware prior to v1.0.0.60 — which “opened the gates for attackers to roam untethered through an entire organization.” Microsoft’s security team discovered the vulnerabilities after noting strange behavior in the router’s management port. While communication was protected with TLS encryption, it was still flagged as an anomaly when machine learning models were applied.  Upon further investigation of the router firmware, the security researchers found three HTTPd authentication flaws.  The first allowed the team access to any page on a device — including those that should require authentication, such as router management pages — by appending GET variables in requests within substrings, allowing a full authentication bypass.  The second security flaw permitted side-channel attacks, and this was found in how the router verified users via HTTP headers. If exploited, attackers could extract stored credentials. 

    Finally, the third vulnerability utilized the prior authentication bypass bug to extract the router’s configuration restore file which was encrypted using a constant key, “NtgrBak,” allowing remote attackers to decrypt and extract stored secrets.  Netgear was made aware of the security issues privately through the Microsoft Security Vulnerability Research (MSVR) program.  The firmware vulnerabilities have been patched by Netgear, which issued a security advisory in December detailing the security flaws. The bugs have been assigned as PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365 and have been issued CVSS severity scores of between 7.1 and 9.4, rating them critical.  Netgear recommends that customers install the latest firmware available for their routers by visiting Netgear Support, typing their model number into the search box, and downloading the newest firmware version. Alternatively, updates can be accessed via Netgear apps.  “The rising number of firmware attacks and ransomware attacks via VPN devices and other internet-facing systems are examples of attacks initiated outside and below the operating system layer,” Microsoft says. “As these types of attacks become more common, users must look to secure even the single-purpose software that run their hardware — like routers.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    This major ransomware attack was foiled at the last minute. Here's how they spotted it

    A ransomware gang installed remote desktop software on over 100 machines across a network, and their plans to encrypt the network were only foiled at the last minute when cybersecurity experts were called into a company after suspicious software was found on its network. The efforts made by criminals to lay the foundations for a ransomware attack, which resulted in legitimate remote access software being installed on 130 endpoints, were discovered when security company Sophos was brought in to investigate the unnamed company after Cobalt Strike was detected on its network. 

    Cobalt Strike is a legitimate penetration testing tool, but it’s commonly used by cyber criminals in the early stages of a ransomware attack. One of the reasons it is used by cyber criminals is that it partially runs in memory, making it difficult to detect. The goal of the gang was to encrypt as much of the network as possible with REvil ransomware, but because the cyber criminals were detected before they could finalise their preparations, the attack wasn’t successful – although they managed to encrypt data on some unprotected devices and deleted online backups after they noticed they’d been spotted by investigators. A ransom note left by REvil on one of the few devices that was encrypted revealed a demand of $2.5 million in bitcoin for a decryption key – although this wasn’t paid. But the attackers had managed to gain enough control of the network in the run-up to install software on over 100 machines – and the company that was being targeted didn’t notice.

    “As a result of the pandemic, it’s not unusual to find remote access applications installed on employee devices,” said Paul Jacobs, incident response lead at Sophos. “When we saw Screen Connect on 130 endpoints, we assumed it was there intentionally, to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices.” This was just one of several methods that cyber criminals used to maintain their hold on the network, including creating their own admin accounts. But how did cyber criminals get onto the network in the first place in order to use Cobalt Strike, set up remote access accounts and gain admin privileges? “From what we have seen in our investigations, there is a variety of methods used, most commonly it is users being phished often weeks or months earlier, then there is the exploitation over firewall and VPN vulnerabilities or brute forcing RDP if it is exposed to the internet,” Peter Mackenzie, manager of Sophos Rapid Response told ZDNet.

    In this instance, the attempted ransomware attack wasn’t successful, but ransomware is so prolific at the moment that organisations are regularly falling victim. REvil, the ransomware used in the incident investigated by Sophos, was deployed in the successful ransomware attack against JBS, with the cyber criminals behind it making off with $11 million in bitcoin. However, there are steps that all organisations can take to prevent cyber criminals from gaining access to the network in the first place. “Firstly, ensure every single computer on your network has security software installed and managed centrally. Attackers love unprotected machines. Next, make sure they are getting patches regularly and remember if a computer hasn’t rebooted for a year, then it likely hasn’t applied any patches either,” said Mackenzie. But while using technology correctly can help protect against cyberattacks, it’s also useful to have eyes on the network. People who have a good understanding of what’s on the network can detect and react to any potentially suspicious activity – such as the use of Cobalt Strike, which resulted in the ransomware attack detailed in this case being discovered before significant damage was done. “For the best cybersecurity, you need people watching what is happening and reacting to it live, that is what can make the biggest difference,” said Mackenzie.


    Colombia police collar suspected Gozi Trojan distributor

    Law enforcement in Colombia has arrested an alleged cybercriminal who apparently acted as a distributor for the Gozi Trojan. 

    As reported by the Associated Press, Mihai Ionut Paunescu, also known as “Virus,” was one of three major suspects considered to be responsible for the spread of the virus that impacted over a million PCs between 2007 and 2012. He was recently arrested at Bogotá El Dorado international airport and faces extradition to the United States on charges of running a bulletproof hosting service. Paunescu was arrested in his home country in 2012, but the Romanian national was previously able to avoid extradition. Bulletproof hosting is commonly used by cybercriminals for backend infrastructure in the distribution of spam, malware, exploit kits, and to host stolen data. These murky online services are known for turning a blind eye to the activities of their customers. Paunescu faces allegations of computer intrusion and financial fraud at the Southern District Court of New York, according to Colombian state officials (translated).  First discovered in 2007, the Gozi banking Trojan was spread through weaponized .PDF documents attached to emails. Once downloaded, the malware would lurk in the background and harvest bank account information and account details, which were then sent to the Trojan’s command-and-control (C2) server for operators to use in accessing accounts and conducting fraudulent transactions. 

    Threat actors were able to ‘rent’ out the malware and its underlying infrastructure for $500 a week in what was an early form of today’s Malware-as-a-Service (MaaS) criminal setups. Gozi’s source code was leaked in 2010, leading to the creation of variants still in active use today. In 2016, the Russian creator of Gozi, Nikita “76” Kuzmin, was sentenced in US court to 37 months behind bars and was ordered to pay close to $7 million in restitution after pleading guilty to various computer intrusion and fraud charges. Another participant in the criminal ring, Latvian Deniss “Miami” Calovskis, was also sentenced in the same year. He served 21 months for writing web injects and contributing to Gozi’s code. The FBI estimates that the malware caused victims losses amounting to tens of millions of dollars. NASA was one of the most high-profile victims.

    Chinese hacking group impersonates Afghan president to infiltrate government agencies

    A Chinese-speaking hacking group is performing ongoing cyberattacks against the Afghan government by impersonating its president. 

    On Thursday, Check Point Research (CPR) said that the Office of the President of Afghanistan, representing President Ashraf Ghani, is being used as a lure in spear phishing emails designed to infiltrate government agencies in the country; one successful attack has led to the compromise of the Afghan National Security Council (NSC). It is thought that an advanced persistent threat (APT) group called IndigoZebra is responsible. The Chinese-speaking cyberattackers have targeted former Soviet republics previously, as noted by Kaspersky. Dupe email samples seen by the cybersecurity firm pretend to be from the president’s office and ask for an urgent review of modifications to a document relating to an upcoming press conference. The researchers say that these emails are sent from the compromised email inboxes of past, high-profile victims.

    The file is a password-protected .RAR archive named NSC Press conference.rar. If a victim opens the file, they receive a Windows executable (NSC Press conference.exe), which deploys a malware dropper and the “xCaon” backdoor which maintains persistence by setting a registry key. The backdoor is able to download and upload files, run commands issued through a command-and-control (C2) server, and steal data. Dropbox is being abused as a form of C2 server in the latest version of this backdoor, dubbed “BoxCaon” by CPR.

    Every victim secured by the threat actors is assigned a unique and pre-configured folder, named after a victim’s MAC address, which contains instructions for the malware and also acts as a storage bucket for exfiltrated data. CPR says that by using the Dropbox API, this “masks their malicious activities, as no communication to abnormal websites takes place.” IndigoZebra will also deploy a NetBIOS scanner tool adopted by another Chinese APT, APT10/Stone Panda, and may maliciously execute network utility tools for reconnaissance in the quest for further targets. Malware utilized by the group also includes Meterpreter, Poison Ivy, xDown, and the xCaon backdoor. CPR says that the APT in question is also likely responsible for attacks dating back to 2014, in which political entities in Kyrgyzstan and Uzbekistan were targeted. “While the IndigoZebra actor was initially observed targeting former Soviet republics such as Uzbekistan and Kyrgyzstan, we have now witnessed that its campaigns do not dial down, but on the contrary — they expand to the new targets in the region, with a new toolset,” the researchers commented.

    Robinhood ordered to pay $70 million over ‘harm’ caused to ‘millions' of traders

    The US Financial Industry Regulatory Authority (FINRA) has fined Robinhood close to $70 million for allegedly causing “significant harm” to “millions of customers.”

    On June 30, the regulator said that Robinhood, a commission-free stock trading app that promises to “democratize finance for all,” must pay a fine of $57 million and an additional $12.6 million in restitution, plus interest, to thousands of customers. According to FINRA, the penalty is the largest imposed on a company to date.  Robinhood has been accused of systematic failures including major outages in March 2020, as well as the impact on millions of customers who “received false or misleading information” from the company.  In addition, Robinhood allegedly allowed thousands of customers to trade options when it was not “appropriate” for them to do so — relying on an algorithm and bots to make this decision, rather than performing due diligence to determine eligibility.  FINRA says that these actions caused “widespread and significant harm.” In relation to the claim that users received false information, the regulator cited “negligent” communication sent to clients since 2016 — including whether or not users could place trades on margin, how much positive or negative buying power customers had, and what the risk of loss was in relation to some options trades and margin calls. 

    A tragic case was that of a user who took his own life in June last year after becoming confused concerning margins and securities purchases. The 20-year-old user’s account incorrectly showed a negative balance of $730,000. “Due to Robinhood’s misstatements, thousands of other customers suffered more than $7 million in total losses,” FINRA says. “As part of this settlement, Robinhood is required to pay more than $7 million in restitution to these customers.” Customers impacted by technical outages are eligible for over $5 million in damages. Additionally, Robinhood has been held to account for allegedly failing to submit reports properly to FINRA between 2018 and 2020. “Robinhood failed to report to FINRA tens of thousands of written customer complaints that it was required to report,” the regulator claims. “Robinhood’s reporting failures were primarily the result of a firm-wide policy that exempted certain broad categories of complaints from reporting, even though those categories fell within the scope of FINRA’s reporting requirements.” Robinhood has neither admitted nor denied the charges. FINRA’s penalty is the latest blow to the organization, which is already under scrutiny over the GameStop fiasco, in which Robinhood was accused of helping hedge funds by preventing users from trading in the stock during January. In a blog post on Wednesday, the trading app said that “we continue to grow and enhance our legal, compliance, and risk functions and programs, and have hired dozens of experienced professionals in the past year alone.” The company says that customer support services have been expanded — including those for clients able to perform options and margin calls — as well as increased phone support and new education resources. The root cause of the March 2020 outages is also being addressed. “Our customers are at the forefront of every decision we make and we’re committed to making continuous improvements so that investing can be accessible to all,” the company added.