
Robin’s Newsletter #139

Dependency confusion: all up in your package manager and automated build process. Florida water treatment plant compromised. Details of cyber-attacks on Isis. Bloomberg back again with The ~~Big~~ Long Hack.

Vol. 4 | Iss. 7 | 14/02/2021, last updated 21/02/2021 | Robin Oldham | ~8 Minutes


Roses are red, Violets are blue, Thank you for permission, To write to you ❤️

This week

Dependency confusion

An excellent bit of research and write-up from Alex Birsan on what is being dubbed ‘dependency confusion’. His research looked at how the package managers for various programming languages - such as Python, NodeJS and Ruby - install the dependencies and modules requested by software packages.

He found that the official public repository was often favoured over other sources, such as internal repos, that might be specified via command-line arguments. With a bit of digging, he was able to identify the names of internal packages written by the likes of Apple, Microsoft, Tesla, Yelp and dozens of other tech companies.

By publishing his own fake modules under the same names as the internal packages, he caused build processes to erroneously prefer his code over the internal code. The result was that his code was downloaded, compiled and run automatically by those build processes.

It’s a novel and clever way to infiltrate a company via its software supply chain and the trust placed in such package managers.

Microsoft has published a blog with three mitigations that DevOps teams may wish to consider. Ultimately the resolution algorithms used by package managers also need to be reviewed, along with perhaps additional checks when specifying ‘official’ and ‘external’ libraries.

According to SC Magazine, over 150 copycat packages have appeared in libraries since the research was published. medium.com, microsoft.com, scmagazine.com
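As an added illustration, and not code from the newsletter, from Birsan's research or from Microsoft's guidance, the Python script below shows the defender's side of the resolution behaviour described above. It audits a pip requirements file for the index configuration that merges public and private sources (`--extra-index-url`, which makes pip consider candidates from both indexes and choose the best version across them), checks whether each internal package name already exists on the public index, and flags external dependencies that are unpinned or lack a `--hash`. The package names, the private index URL `https://pypi.internal.example/simple` and the `PUBLIC_INDEX` table are constructed stand-ins; a real check would query the public index for each name.

```python
"""Audit a pip requirements file for dependency-confusion exposure.

Added example. All package names, the private index URL and the PUBLIC_INDEX
table are constructed stand-ins so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample requirements file, including the weak setting that merges indexes.
REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests==2.25.1
acme-billing-core==1.4.0
acme-auth-lib
numpy>=1.19
"""

# Assumed: names the organisation publishes only to its private index.
INTERNAL_NAMES = {"acme-billing-core", "acme-auth-lib"}

# Constructed stand-in for the public index: name -> highest published version.
# "acme-billing-core" models an internal name that someone has published publicly.
PUBLIC_INDEX = {
    "requests": "2.25.1",
    "numpy": "1.20.1",
    "acme-billing-core": "99.0.0",
}

# name[extras] operator version  (subset of PEP 508, enough for typical pinned lines)
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s;#]+)?"
)


@dataclass
class Finding:
    name: str
    severity: str  # "high", "medium" or "low"
    reason: str


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, with runs of -, _ and . merged to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str):
    """Split a requirements file into pip option lines and (name, op, version, has_hash) tuples."""
    options, reqs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):  # -i, --index-url, --extra-index-url, ...
            options.append(line)
            continue
        parts = line.split()
        has_hash = any(p.startswith("--hash=") for p in parts[1:])
        m = REQ_RE.match(parts[0])
        if m:
            reqs.append((normalize(m.group(1)), m.group(2), m.group(3), has_hash))
    return options, reqs


def audit(text: str, internal_names, public_lookup):
    """Return findings; public_lookup(name) returns the public index's version or None."""
    internal = {normalize(n) for n in internal_names}
    options, reqs = parse_requirements(text)
    findings = []
    if any(o.startswith("--extra-index-url") for o in options):
        findings.append(Finding("<index-config>", "high",
            "--extra-index-url merges public and private indexes and pip picks the best "
            "version across both; use a single --index-url to a private proxy instead"))
    for name, op, version, has_hash in reqs:
        public_version = public_lookup(name)
        if name in internal:
            if public_version is not None:
                findings.append(Finding(name, "high",
                    f"internal name also exists on the public index (version {public_version}); "
                    "with a merged index the public copy is a candidate"))
            else:
                findings.append(Finding(name, "medium",
                    "internal name is unclaimed on the public index; reserve or scope it"))
        elif op != "==":
            findings.append(Finding(name, "low", "external dependency is not pinned to an exact version"))
        elif not has_hash:
            findings.append(Finding(name, "low", "pinned but without --hash, so a substituted artifact would pass"))
    return findings


def harden_index_options(options, private_index_url):
    """Replace any index options with a single --index-url pointing at the private proxy.
    Assumes that proxy serves the approved public packages too, so no public index is needed."""
    kept = [o for o in options if not o.startswith(("--extra-index-url", "--index-url", "-i "))]
    return [f"--index-url {private_index_url}"] + kept


if __name__ == "__main__":
    for f in audit(REQUIREMENTS, INTERNAL_NAMES, PUBLIC_INDEX.get):
        print(f"[{f.severity:6}] {f.name}: {f.reason}")
    print("\n".join(harden_index_options(parse_requirements(REQUIREMENTS)[0],
                                         "https://pypi.internal.example/simple")))
```

The three severities map onto the mitigations the section discusses: the index configuration is the resolution-order problem itself, an internal name present on the public index is the collision Birsan exploited, and unpinned or unhashed external dependencies are where a substituted artifact would otherwise go unnoticed.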

Interesting stats

A mega haul of interesting numbers for you this week…

768% increase in attack attempts against Windows Remote Desktop (RDP) in 2020, according to ESET theregister.com

89% of malware campaigns last a single day, while 80% of phishing campaigns last less than one week (median less than three days), and 55-64 year olds are 1.64x more likely to be targeted than those aged 18-24… plus many more really interesting observations in this great paper from Stanford University and Google, ‘Who is targeted by email-based phishing and malware? Measuring factors that differentiate risk’ googleapis.com (PDF)

96% of ransomware attacks use vulnerabilities identified prior to 2019, according to RiskSense scmagazine.com

$2BN stolen over five years by cyber campaigns tied to North Korea, including $316M by compromising crypto-currency exchanges in 2019 and 2020, according to a U.N. Security Council report on sanctions against the state theregister.com

-8.6% stock price performance vs NASDAQ average one year after a breach, -11.9% in the second year, and -15.6% three years after a breach, according to analysis by Comparitech comparitech.com

$304M lost to romance scams in 2020, according to the U.S. FTC, with $2,500 the median amount obtained by scammers. Losses have increased 4X since 2016 ftc.gov

Other newsy bits

Weak TeamViewer password led to Florida water treatment plant compromise

Lots of headlines this week after a water treatment plant outside of Oldsmar, Florida (northwest of Tampa) was compromised and the attacker tried to increase the level of sodium hydroxide in the treatment process to 111x its intended amount.

Water treatment plant personnel immediately noticed the change in dosing amounts - in fact, they were watching the screen as the attacker adjusted the values - and quickly set the correct value even before the SCADA system detected and raised an alarm on the change. The plant continued to operate as normal and no poisonous water was ever released.

The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert indicating that poor password security and an outdated operating system were the root causes of the unauthorised access. The plant was running the end-of-life Windows 7 operating system and TeamViewer with a weak password.

Brian Krebs raises a good point: the most interesting thing is that we have heard about it at all. There are plenty of examples of these sorts of ‘human-machine interfaces’ (HMIs) accessible online; thankfully, most of those who find them choose not to meddle with industrial processes they do not understand. arstechnica.com, reuters.com, cisa.gov, krebsonsecurity.com

Details of 2016-2017 U.K. cyber-attacks against Isis

Details of the cyber-attacks against Isis, conducted by U.S. and U.K. ‘cyber forces’ (vol. 2, iss. 19, 39), have been scant. Now, in an interview with Sky News’ Into the Grey Zone podcast, former GCHQ director Jeremy Fleming and General Sir Patrick Sanders, head of UK Strategic Command, have outlined some of the thinking behind attacks that disabled drones, jammed phones and disabled servers.

Sanders says that they “wanted to ensure that when they tried to co-ordinate attacks on our forces, their devices didn’t work, that they couldn’t trust the orders that were coming to them from their seniors,” going on to add “We wanted to deceive them and to misdirect them, to make them less effective, less cohesive and sap their morale.” sky.com, ft.com

The Long Hack: Bloomberg back with more sources over alleged Supermicro compromise

Bloomberg is doubling down on its 2018 report The Big Hack (vol. 1, iss. 16). Published this week, The Long Hack is primarily a rehash of 2018’s allegations. Two years ago it was widely panned by infosec experts, and explicit denials were forthcoming from Supermicro, Amazon, Apple, and even the NSA.

The new reporting is “drawn from interviews with more than 50 people,” including some willing to go on the record, and says that the U.S. intelligence community first became aware of the attack in 2010. The stories Bloomberg cites, spanning many years, could be coincidence (a case of taking 2+2 and making 5), but the publication evidently believes in them strongly enough to revisit the story.

As I wrote back in 2018, information leaked by Edward Snowden purportedly shows NSA operatives altering Cisco devices bound for foreign states. In light of the recent SolarWinds story, perhaps the world is ready to give the claims a little more credence. Though, as The Register points out, in contrast to the Solorigate attack, still no one has come forward with any evidence of the chip or the attack. bloomberg.com, theregister.com

In brief

Attacks, incidents & breaches

  • A sysadmin at Russia’s Yandex search company sold access to almost 4,887 mailboxes bleepingcomputer.com
  • Polish games company CD Projekt, behind titles like Cyberpunk2077 and The Witcher, fell victim to ransomware this week, with attackers claiming to have stolen copies of (unreleased) source code, plus financial, HR and investor documents theguardian.com. The company was praised for its transparency and its statement that it would not negotiate with the attackers … meanwhile the beleaguered games developer also released a patch this week to fix a vulnerability in the way the game handled DLLs for custom mods and save game files bleepingcomputer.com
  • 102M consumers exposed in suspected breach of Brazilian telcos Vivo and Claro, being investigated by ANPD (Brazilian data protection authority) zdnet.com
  • Three web hosting companies that may host pirated material were compromised in similar attacks and given an ultimatum: pay 2 bitcoin (~$92K), shut down their operations, or have their customer details shared with law enforcement zdnet.com
  • A ransomware attack against French health insurance company Mutuelle Nationale des Hospitaliers (MNH) has left its website and systems offline since 5th February bleepingcomputer.com
  • Webcam app Adorcam left an Elasticsearch database accessible, exposing details of thousands of users and their connected cameras techcrunch.com
  • It’s “always DNS”: Notion suffers outage apparently caused by DNS issues techcrunch.com

Threat intel

  • Domestic Kitten and Infy/Prince of Persia groups, with ties to Iran, linked to campaigns targeting dissidents in 12 countries, according to CheckPoint cyberscoop.com
  • An increasing number of web shells are being deployed by actors to gain or maintain access, according to Microsoft bleepingcomputer.com

Vulnerabilities

  • Patches for Fortinet FortiProxy SSL VPN and FortiWeb WAF available to close Remote Code Execution (RCE), SQL Injection, and Denial of Service (DoS) vulnerabilities bleepingcomputer.com

Security engineering

  • Google planning ‘Open Source Vulnerabilities’ database to help improve security in open source projects theregister.com

Internet of Things

  • IoT devices often aren’t using random numbers in TCP connections, making them easier to hijack zdnet.com

Privacy

  • Virginia set to adopt California-style privacy legislation, though it lacks a right for individuals to pursue legal action (only the regulator would be able to) arstechnica.com
  • iOS 14.5 will proxy safe browsing requests to Google APIs in a move to protect Apple customers zdnet.com

Public policy

  • Third cyber diplomacy event hosted by Estonia this week aims to “put the cyber behavior of governments and nations into the lens of diplomacy” cyberscoop.com

Law enforcement

  • Ukraine police arrest the suspected author of the uPanel aka U-Admin phishing service. The service sold for $80-$800 and had approximately 200 customers. In Australia it is estimated that 50% of all phishing attacks were carried out using uPanel krebsonsecurity.com, zdnet.com

Mergers, acquisitions and investments

  • SentinelOne has acquired log management firm Scalyr in a $155M equity-and-cash deal, for capability to query unstructured data scmagazine.com
  • SecuriThings closes $14M Series A round for platform to discover, manage IoT devices techcrunch.com

And finally

Medieval security for authenticity and integrity

Castle keeps, moats, and the like are often used to explain security concepts. However, there were also techniques in use to provide authentication and preserve the integrity of text, highlighted in photos posted by Sonja Drimmer on Twitter (H/T Bruce Schneier) @Sonja_Drimmer