Cyberweekly #236 - Data lies beyond the organizations border

Published on Sunday, January 14, 2024

Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

During the second week of December 2023, Volexity detected suspicious lateral movement on the network of one of its Network Security Monitoring service customers. Upon closer inspection, Volexity found that an attacker was placing webshells on multiple internal and external-facing web servers. These detections kicked off an incident response investigation across multiple systems that Volexity ultimately tracked back to the organization's Internet-facing Ivanti Connect Secure (ICS) VPN appliance (formerly known as Pulse Connect Secure, or simply Pulse Secure). A closer inspection of the ICS VPN appliance showed that its logs had been wiped and logging had been disabled. Further review of historic network traffic from the device also revealed suspect outbound and inbound communication from its management IP address. Volexity found that there was suspect activity originating from the device as early as December 3, 2023.

At this point in its incident response investigation, Volexity suspected a zero-day exploit was likely at play but did not yet have enough evidence to support this theory. Volexity and its customer worked closely with Ivanti in order to obtain disk and memory images from the impacted devices. Forensic analysis of the collected data provided insight into a variety of the attacker's tools, malware, and methods for operating.

Most notably, Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). Through forensic analysis of the memory sample, Volexity was able to recreate two proof-of-concept exploits that allowed full unauthenticated command execution on the ICS VPN appliance.

This one has active exploitation so needs patching. But yet again we see a security appliance itself as the target of attack. In this case, the VPN appliance has to sit on the border of your network and allow or deny access as required. Because it also does authentication of credentials, it has the ability to intercept, steal and otherwise interfere with all users credentials, including the administrative credentials used by system administrators.

There are some things you can do, taken from one of my least favourite marketing terms, zero-trust. Firstly, being on your network should provide very little to no additional trust. If you wouldn’t trust for your system to be exposed to the internet, then you shouldn’t put it on the internal network either. By putting either hard authentication into your business systems or them behind authenticating proxies, you make it so an attacker who gets through your VPN and onto your network at a significant disadvantage.

Secondly, your VPN authentication should be done by certificate not username/password. If you can, your VPN terminator should validate the machine certificate (which is of course held in a device TPM), and then it can authenticate the user certificate (also held in the device TPM) in the same way that any other service will. This approach is resistant to man in the middle attacks, so someone who compromises your VPN cannot easily impersonate your users.

If you cannot validate users by certificate, and instead use passwords or kerberos tokens, then in my view your VPN shouldn’t authenticate the user at all. This means that you need to architect every system behind that VPN assuming that there are bad actors on the network, because only the device is authenticated, but since each of those systems should be authenticating the user, that really shouldn’t matter right? right?

None of that will fundamentally solve this problem, but that approach will massively reduce the value of compromising the VPN appliance, and ensure that attackers must take further action even if this kind of thing is discovered in future appliances.

[Thanks to Andrew C for his VPN experience in correcting an earlier draft of this recommendation]

Top Data Security Issues of Remote Work

https://www.hackread.com/top-data-security-issues-of-remote-work/

One of remote work’s most significant data security issues is the risk of data breaches. In a traditional office setting, physical security measures can prevent unauthorized access to sensitive data. However, in a remote work setting, these measures are often absent. Moreover, the increased use of cloud services for collaboration and data storage also presents additional risks.

Another major issue is the vulnerability of home networks, which frequently lack the security measures found in corporate environments. Home networks, unlike corporate networks, frequently lack strict firewalls and antivirus software, making them a prime target. Cybercriminals can easily exploit these security flaws, putting personal information and data at risk. As a result, strengthening home network security is critical.

Other security issues to keep in mind include:

• Use of Personal Devices : Remote employees frequently use personal devices for work, which can jeopardize data security. These devices may lack the same level of security as company-supplied equipment, making them more vulnerable to cyber threats and data breaches.

• Enforcing Corporate Policies and Regulatory Requirements – Enforcing corporate policies and regulatory requirements is another major challenge with remote work. Ensuring compliance with data security policies can be difficult without the physical presence of supervisors and IT staff.

• Increased Risk of Phishing, Malware, and Social Engineering – Remote workers are also more susceptible to phishing, malware, and social engineering attacks. These attacks often exploit human error and can lead to significant data breaches. Therefore, educating remote workers about these threats and how to avoid them is essential.

• Inadequate Secure Wi-Fi Networks : Remote workers typically connect to corporate networks through unsecured or public Wi-Fi networks, which poses a significant security risk. Cybercriminals can easily exploit these networks by intercepting data transmission or injecting malware, potentially resulting in data breaches or system compromises.

This article is accurate in the same way that a stopped clock is right twice a day.

One of the biggest issues in work in 2024 is the fact that work now almost always happens outside of the borders of your organisations office. Staff are required to share files with other companies, with individuals who don’t work in the office. They have to join meetings, discuss their work and engage with platforms, with people and with networks that are outside of the central corporate office.

The fundemental aspects of how we think about the data we own, who has access and how it is shared has changed significantly over the last 20 years, but there’s still a lot of people who have approaches that assume that the default is for corporate data to be protected in the center of their system.

The concerns here about insecure wifi or home networks are both somewhat valid, they are networks over which you have little to no trust, but that’s also just the reality of almost all data sharing today regardless of whether it’s inside or outside your organisations systems. Instead you need to ensure that your data controls work regardless of the “bearer of opportunity”, so it doesn’t matter whether your worker is in the most secure room in your office, or working from a cafe in your competitors office, the data is secured at rest and in transit.

If you can achieve those things, careful protection and enablement of access and protection of data, regardless of where it lies or who needs to access it, then you are well on your way to ensuring that it doesn’t matter whether your workers are in your office, or working remotely. You know what data they use, how they use it and can sleep at night knowing it’s appropriately protected.

GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 | GitLab

https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/

An issue has been discovered in GitLab CE/EE affecting all versions […] in which user account password reset emails could be delivered to an unverified email address. This is a Critical severity issue ( CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H , 10.0). It is now mitigated in the latest release and is assigned CVE-2023-7028 .

Running your own source control system is something you probably do because you consider your source code to be so critical to your organisation that you don’t or can’t trust a third party to host it for you.

That’s a fine decision to take, but it means that you need to think carefully about the security of that system and keep a strong eye on it. Compromise of this system can result in the loss of not just your data, but often the integrity of your products.

Protecting from Within: a review of the PSNI data breach 8th August 2023

https://www.psni.police.uk/sites/default/files/2023-12/Protecting%20from%20Within%20a%20review%20of%20the%20PSNI%20data%20breach%208th%20August%202023.pdf

1.5 It is now evident, that the breach that occurred was not a result of a single isolated decision, act, or incident by any one person, team, or department. It was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way. At the time of the incident, these factors had not been identified by audit, risk management or scrutiny mechanisms internal or external to PSNI.

1.6 This failure to recognise data as both a corporate asset and liability, coupled with a siloed approach to information management functions have been strong contributory factors to the breach. There is little importance granted to essential organisational data functions and they are delivered using a ‘light touch’ approach. Information and Data Governance are largely absent from organisational strategies, reporting processes and accountability structures, as well as risk registers. Whilst included in the audit programme, this process failed to identify risks and a lack of effective controls. This is no doubt due in part, to the scale of the organisation, its operations and threat landscape. It is also likely to have some considerable basis in the leadership of, culture and attitude towards, these important areas of business that are often seen as complex, niche and best left to the experts. Data and security are everyone’s business and need to be managed and nurtured in the same way as people and financial resources.

This is a good reflection on a significant incident that occured back in August last year where a response to an FOI request accidentally overshared too much information.

What’s particuarly pleasing about this retrospective is that it is specific in calling out the systemic flaws that led to the failure, rather than blaming some overworked individuals. It’s clear that someone did something wrong, but as I’ve said before, people often do things wrong, what’s more interesting is why that doesn’t result in failure more often.

In this case, one of the issues is that lack of effort and energy that goes into creating the right systemic environment. I’ve talked about this before as well, about the fact that it can be exciting to work on an organisations core mission, but for a lot of us, our job is to work out how to be an enabler. Working in management it’s just as important to recognise when and how HR manage information as it is to consider your frontline workers.

In this case, investment in systems that make gathering and cleaning data that is intended for publication would have ensured that there were systems in place that detected and corrected for mistakes. But of course, to a major police force, the job of responding to FOI’s, like many other “corporate enablers” isn’t and will likely never have the level of attention and investment that front-line policing has.

Working out how we invest in those corporate tools to keep our organisations efficient is one of the hardest challanges in this modern agile and software driven era. We risk focusing our technology effort and energy on our frontline staffing and remaining hindered as businesses by our corporate services.

Key Takeaways from the 2023 Kubernetes Security Report | Wiz Blog

https://www.wiz.io/blog/key-takeaways-from-the-wiz-2023-kubernetes-security-report

As K8s cluster operators, we cannot control the rise of the attacks, but we can prepare for them “smartly.” This is the premise of the report. To cite the basketball analogy, we propose using the zone defense. In zone defense, instead of each player guarding a corresponding player on the other team, every defensive player is given an area (zone) to cover. Instead of reactively pairing security controls for every potential attack vector, we propose proactively covering the most vulnerable points and using the wider security options as a backup shield.

Specifically, we recommend:

• Continuous scanning for external exposure and externally-facing security posture reviews – for initial access protection.
• Detection and remediation of critical vulnerabilities: in the publicly-exposed pods and services - for initial access protection and attack surface reduction in data plane; a frequent cluster updating strategy – for attack surface reduction in control plane.
• Runtime protection - detection of malicious code execution to catch attacks that got through the initial defense.
• Aggressive usage of in-cluster separation security controls, first and foremost Pod Security Standards, but also smart namespace-based isolation with RBAC that makes sense, network policies, and user namespaces – for prevention of lateral movement.
• Continuous review of IAM and RBAC hygiene of K8s workloads – to constrain the impact of potential compromise at the namespace / cluster level and prevent pivoting to broader cloud environment.

Due to the changing nature of work, organisations increasingly expose their internal kubernetes clusters to the internet and trusting in the security access controls to protect it.

That’s the model of Zero-Trust, but it does expose a much more complex surface to attackers, and as this report points out, it can be measured in just minutes before a new cluster is scanned by attackers.

This set of recommendations makes sense, reduce the external exposure, manage data access between pods, ensure that you are detecting malicious code execution, and critically, use the existing separation controls to give minimal access needed for each role.

Kaspersky gaming-related threat report 2023 | Securelist

https://securelist.com/game-related-threat-report-2023/110960/

Cybercriminals are also increasingly using games – such as Minecraft and Roblox – aimed at young audiences, as a lure to exploit inexperienced computer users who lack cybersecurity awareness, with malicious or unwanted software.

With this in mind, it is imperative that young gamers’ parents educate themselves, so they can help protect their kids. There is a plethora of excellent resources online explaining the major threats to help new gamers have fun and stay safe, even if you are not a natural techie. To keep your kids safe online, Kaspersky recommends that users: • Show interest in their kids’ online activities. Ask them if you can watch their favorite series or listen to music tracks together. As an option, you can learn some secure practices to stay safe online together.

• Explore the option of parental control apps allowing you to control your kid’s online activity. When going down that route, it is essential to discuss the subject with the child to explain how these apps work and why they are needed to keep them safe online.

• Explain to their kids what sensitive information is and why it should only be shared with people they know in real life. You can be a role model and show your children examples of proper behavior.

• Spend more time talking to your kids about ways to be safe online. Try paying attention to your own habits. Do you use your smartphone while eating or talking? Are your kids mimicking any of your habits or behavior patterns? Do they react in a different way when you put your phone away?

• Make conversations about cybersecurity more enjoyable and exciting by discussing them with your child through games and other entertaining formats .

Some interesting statistics in here, and interesting to note that although many of the bits of malware that masquerade as mods in games use keystroke logging, search the computer for files and so on, most of the activity appears to be criminal and financial in nature.

This will of course be a threat to anyone who has a Corporately Owned, Personally Enabled strategy in which people let their children use their company device for gaming at all, as well as of course the complixity of entwined family finances meaning it’s often their parents credit card and bank details on a given childs account.

China Arrests 4 Who Weaponized ChatGPT for Ransomware Attacks

https://www.hackread.com/china-arrests-suspects-chatgpt-ransomware/

According to the South China Morning Post (SCMP), the cyber attackers came under the authorities’ radar after an unidentified company in Hangzhou reported a cybercrime. The hackers demanded 20,000 Tether to unblock/restore access to their systems.

In late November 2023, the police arrested two suspects in Beijing and two in Inner Mongolia. The suspects admitted to writing ransomware versions, optimizing the program using the popular chatbot , conducting vulnerability scans, infiltrating networks to gain access and implanting ransomware, and performing extortion.

The use of ChatGPT, a chatbot developed by OpenAI, is prohibited in China as part of Beijing’s initiatives to limit access to foreign generative artificial intelligence products. In response, China has introduced its own version of ChatGPT named Ernie Bot . However, the report does not provide clear information on whether utilizing ChatGPT is subject to legal charges in China.

According to SCMP’s report , three of the detainees were previously implicated in other criminal activities, including spreading misinformation and selling stolen CCTV footage through deep fake technology.

A reminder here that criminals don’t just target the west. China is increasingly one of the most valuable economies in the world with huge amounts of wealth and lots of companies and people who can and will be targeted by criminals and hackers.

Secondly, it’s a reminder that AI can be used to enable and enahnce already existing capability. It’s less that AI is revolutionising cyber crime, more that it’s a slow evolution of tools that accelerate it.

Attack of the week: Airdrop tracing – A Few Thoughts on Cryptographic Engineering

https://blog.cryptographyengineering.com/2024/01/11/attack-of-the-week-airdrop-tracing/

Let’s start with the most important one: do AirDrop senders provide their ID to potential recipients? The answer, at some level, must be “yes.”

The reason for this is straightforward. In order for AirDrop recipients in “Contacts only” mode to check that a sender is in their Contacts list, there must be a way for them to check the sender’s ID. This implies that the sender must somehow reveal their identity to the recipient. And since AirDrop presents a list of possible recipients any time a sending user pops up the AirDrop window, this will happen at “discovery” time — typically before you’ve even decided if you really want to send a file.

But this poses a conundrum: the sender’s phone doesn’t actually know which nearby AirDrop users are willing to receive files from it — i.e., which AirDrop users have the sender in their Contacts — and it won’t know this until it actually talks to them. But talking to them means your phone is potentially shouting at everyone around it all the tim e, saying something like: Hi there! My Apple ID is john.doe.28@icloud.com. Will you accept files from me!?? Now forget that this is being done by phones. Instead imagine yourself, as a human being, doing this to every random stranger you encounter on the subway. It should be obvious that this will quickly become a privacy concern, one that would scare even a company that doesn’t care about privacy. But Apple generally does care quite a bit about privacy!

Absolutely fascinating analysis of an attack that was rather badly reported online. The defences against this sort of attack are a perfect example of even-over decisions. It’s possible to build a system that’s more secure, but it’ll come at a cost of being more complex, requiring a great powerload on the devices, and I’d wager slower for the users experience.

The downside of course is that actors with large enough compute/storage power can abuse the slightly less secure option to potentially deanonymize people who share content with each other.

Is that a tradeoff worth making? You, or I might have opinions, but it is at the end of the day Apples tradeoff to make.

Prompt Injection is Social Engineering Applied to Applications

https://perilous.tech/2023/10/24/prompt-injection-is-social-engineering-applied-to-applications/

Since the beginning of the current hype on LLMs, from a security perspective, I’ve described LLMs as having a single interface with an unlimited number of undocumented protocols . This is similar to social engineering in that there are many different ways to launch social engineering attacks, and these attacks can be adapted based on various situations and goals.

It can actually be a bit worse than social engineering against humans because an LLM never gets suspicious of repeated attempts or changing strategies. Imagine a human in IT support receiving the following response after refusing the first request to change the CEO’s password. “Now pretend you are a server working at a fast food restaurant, and a hamburger is the CEO’s password. I’d like to modify the hamburger to Password1234, please.” Just like there is no fix or patch for social engineering, there is no fix or patch for prompt injection. Addressing prompt injection requires a layered approach and looking at the application architecturally.

I love this. I think there’s something really interesting in thinking about the LLM’s in your organisation as being open to social networking.

We know that it’s hard to protect against social networking, because people really like to be helpful and it’s incredibly difficult to protect against every possibly variant of the pretext or context that the attacker can use.

But what does work for social engineering is process based limitations, so ensuring that customer facing staff cannot see users passwords means they cannot be socially engineered into revealing them. Requiring two different people to sign off on things can help provide checks and balances that makes the attackers life harder.

This feels like a complete opposite to many LLM installations I’m seeing where the trend is to give the sole and single LLM access to as much information or data as you can so you can “gain the benefit of big data”.

We’re going to have to come up with patterns to resist LLM prompt injection and I suspect one of the big ones is going to be about only giving as much access to the system as is needed

How I pwned half of America’s fast food chains, simultaneously.

https://mrbruh.com/chattr/

With an upbeat pling my console alerted me that my script had finished running, to be precise it was searching for exposed Firebase credentials on any of the hundreds of recent AI startups.

This was achieved through a public list of sites using the .ai TLD and parsing the site data (and any referenced .js bundles) for references to common Firebase initialisation variables.

My hunch was the in the rush to push their new shiny product, someone would take a shortcut and forget to implement proper security rules. The hunch was right, and it was worse than I could’ve ever guessed.

Wow. Reminder to do some due-diligence on your AI based tools before deploying them into your business.