Chainguard Trains Spotlight on SBOM Quality Problem

Software engineers tracking the quality of software bills of materials have stumbled on a startling discovery: barely 1% of all SBOMs being generated today meet the “minimum elements” defined by the U.S. government.

According to new data from software supply chain security startup Chainguard, SBOMs being generated by existing tools fail to meet the minimum data fields needed inside an SBOM to enable the management of software vulnerabilities, licenses, and inventory tracking.

“Only one percent of SBOMs were entirely conformant with the minimum elements. The minimum elements appear to be a high bar for SBOMs. Further research will need to address whether the standard is too high, whether SBOM generation tools must evolve, or whether the underlying software artifacts lack necessary package metadata,” Chainguard security data scientist John Speed Meyers explained.

Chainguard’s researchers collected about 3,000 SBOMs for analysis by running four SBOM creation tools against a list of popular Docker Hub containers, and used an NTIA conformance checker tool to measure each SBOM’s conformance with the minimum elements.

The team said the minimum element data fields include information about each software component (supplier, name, version, unique ID, relationships) and also metadata about the SBOM itself, including the author and the time of creation.

After parsing the data, the Chainguard team found the majority of SBOMs lacked specified suppliers for their components while about 1,000 SBOMs failed to specify a name or version for all components.
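The checks described above, as an added example that is not Chainguard’s tooling: it walks an SPDX 2.x JSON document (an assumption; the article does not name the SBOM format) and reports which minimum elements are missing per component and for the SBOM itself, using a constructed sample that has the two defects the article reports most often.

```python
"""Check an SPDX 2.x JSON SBOM against the NTIA minimum elements.

Added example, not Chainguard's tooling.  Assumes the SBOM is SPDX 2.x JSON
(the article does not name a format); field names follow the SPDX 2.3 spec.
"""
import json

# Values SPDX allows in place of real data; they do not satisfy an element.
UNSET = {None, "", "NOASSERTION", "NONE"}


def _missing_component_fields(pkg):
    """Return the minimum-element fields absent from one package entry."""
    missing = []
    if pkg.get("name") in UNSET:
        missing.append("name")
    if pkg.get("versionInfo") in UNSET:
        missing.append("version")
    if pkg.get("supplier") in UNSET:
        missing.append("supplier")
    if pkg.get("SPDXID") in UNSET:
        missing.append("unique identifier")
    return missing


def check_minimum_elements(sbom):
    """Return {"conformant": bool, "findings": [str, ...]} for a parsed SBOM."""
    findings = []
    info = sbom.get("creationInfo", {})
    if info.get("created") in UNSET:
        findings.append("SBOM metadata: no timestamp (creationInfo.created)")
    if not info.get("creators"):
        findings.append("SBOM metadata: no author (creationInfo.creators)")

    packages = sbom.get("packages", [])
    if not packages:
        findings.append("no components listed")

    # A component with no relationship at all cannot express where it sits
    # in the dependency graph, which the minimum elements require.
    ids_with_relationship = set()
    for rel in sbom.get("relationships", []):
        ids_with_relationship.add(rel.get("spdxElementId"))
        ids_with_relationship.add(rel.get("relatedSpdxElement"))

    for pkg in packages:
        label = pkg.get("name") or pkg.get("SPDXID") or "<unnamed>"
        for field in _missing_component_fields(pkg):
            findings.append(f"component {label}: missing {field}")
        if pkg.get("SPDXID") not in ids_with_relationship:
            findings.append(f"component {label}: no dependency relationship")
    return {"conformant": not findings, "findings": findings}


# Constructed sample SBOM: one component has no supplier, another no version.
SAMPLE_SBOM = json.loads("""{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-image",
  "creationInfo": {"created": "2023-01-19T10:00:00Z",
                   "creators": ["Tool: example-generator-0.1"]},
  "packages": [
    {"SPDXID": "SPDXRef-pkg-a", "name": "libfoo", "versionInfo": "1.2.3",
     "supplier": "Organization: Example Org"},
    {"SPDXID": "SPDXRef-pkg-b", "name": "libbar", "versionInfo": "4.5",
     "supplier": "NOASSERTION"},
    {"SPDXID": "SPDXRef-pkg-c", "name": "libbaz",
     "supplier": "Organization: Example Org"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-pkg-a"},
    {"spdxElementId": "SPDXRef-pkg-a", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-pkg-b"},
    {"spdxElementId": "SPDXRef-pkg-a", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-pkg-c"}
  ]
}""")

if __name__ == "__main__":
    for line in check_minimum_elements(SAMPLE_SBOM)["findings"]:
        print(line)
```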

The latest Chainguard discovery is sure to add fuel to an ongoing debate over the value and quality of SBOMs to help mitigate supply chain attacks. 

A high-powered lobbying outfit representing some of the biggest names in technology has already signaled strong objection to the government’s SBOM mandate, arguing that “it is premature and of limited utility” because SBOMs are not currently scalable or consumable. 

The ITI lobbying outfit, which counts Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks among its prominent members, described the current SBOM process as immature. 

“At this time, it is premature and of limited utility for software producers to provide an SBOM. We ask that OMB discourage agencies from requiring artifacts until there is a greater understanding of how they ought to be provided and until agencies are ready to consume the artifacts that they request,” the group said.

In its research, Chainguard called attention to the ITI objections, cautioning that its findings are not meant to be viewed as evidence for what it called a cynical argument that SBOMs are “immature” and not yet “consumable.” 

“This analysis suggests that standard SBOMs already provide a great deal of information but not enough to satisfy the minimum elements. Additionally, this research implies that the push to make SBOMs ‘everywhere’ should be accompanied by an effort to measure and improve the quality of SBOMs,” the company said.

“A tool-by-tool analysis suggests that none of the tools appear to consistently create minimum elements-compliant SBOMs,” Chainguard added.

Still, the company is advising caution against dismissing the usefulness of SBOMs. “The results suggest lots of variability: some SBOMs are high-quality, some are low-quality,” it said.

The SBOM mandate was included in a cybersecurity executive order issued last May, sending security leaders scrambling to understand the ramifications and prepare for downstream side-effects.

Related: Big Tech Vendors Object to US Gov SBOM Mandate

Related: Microsoft Releases Open Source Toolkit for Generating SBOMs 

Related: Cybersecurity Leaders Scramble to Decipher SBOM Mandate


Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.
Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.

https://www.securityweek.com/chainguard-trains-spotlight-sbom-quality-problem

Credential Leakage Fueling Rise in API Breaches

There is a problem with API security – it isn’t working very well, and it’s largely down to credential leakage. Most security professionals are confident in their own API credential management; but at the same time, most of the same professionals admit to having experienced a breach effected through compromised API credentials.

In a survey of more than 400 US-based professionals (more than 90% of whom were developers or security people), 53% claimed to have suffered an API breach, while 77% claimed their company was very or extremely effective in managing their tokens. Only 3% believed they are not effective in protecting the credentials – and yet API breaches continue to rise.

The cause of this apparent contradiction is probably threefold: a lack of visibility into existing APIs, the sheer volume of APIs that are in use, and the amount of time already being spent on managing the credentials for those APIs. The survey conducted by Corsha discovered that 64% of companies are managing more than 250 API credentials across their network (with 3% managing more than 1,000).

This volume, and the effort it demands, is reflected in the time spent protecting them. Eighty-six percent of the respondents spend up to 15 hours every week provisioning, managing, and dealing with API secrets. That is time taken away from app development, making API secrets a costly exercise that still doesn’t work. Corsha costed this on an average developer’s salary of about $120,000 per year: “That means each respondent could be spending up to $44,460 per year on secrets management.”

There would appear to be no way of preventing API credential leakage. Corsha sees them being leaked from code repositories, version control, CI build systems, test artifacts and cloud environments. This problem is only going to worsen. Cisco predicts there will be more than 500 million new digital applications in 2023. “More applications means that the army of machines requiring API access will only catapult,” notes the report.

Credential rotation is one of the best manual practices to keep API secrets secret. Today, 27% of the survey respondents reported that they rotate their API secrets only once per quarter, and sometimes only once per year. The strain on existing resources in a difficult economy, combined with growing API usage, will make credential leakage more widespread and credential rotation more problematic.

“The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight,” notes Scott Hopkins, COO at Corsha.

“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” adds Jared Elder, Chief Growth Officer at Corsha. “Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing. Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball.”

Corsha’s own solution to the problem is to add MFA to credential usage. This has several advantages. Firstly, since most of the APIs are internal to company networks, machine-to-machine MFA is a form of microsegmentation that conforms to the principles of a zero trust architecture. This limits lateral movement by adversaries already in the network.

Secondly, one-time MFA from machine to machine is immune to one of the most successful MFA attacks used against humans – MFA fatigue attacks.

Thirdly, and perhaps most attractively, it removes the problem of credential rotation. Even if credentials are lost, stolen, or leaked, they cannot be used by adversaries who are unable to get through the MFA.

“That’s the problem we’re solving,” Anusha Iyer, co-founder and CEO at Corsha, told SecurityWeek. “If you have MFA in place, you don’t have to worry about the frequent rotation, and the same extensive hygiene of these static credentials.” 

All the customer needs to do is place the Corsha proxy at a point where it can monitor the traffic. “We will see the traffic that is coming in with good credentials and good MFA tokens and allow it; and we’ll see the traffic that’s coming in with no MFA or bad MFA credentials and block it,” she added.

Bad credentials probably mean bad guys on the network – so Corsha’s solution increases both visibility and prevention. The core of the Corsha platform is a distributed ledger system. Corsha uses this as an out-of-band element in the generation and use of machine-to-machine MFA. “The process is analogous to Google Authenticator,” explained Iyer. “In one direction you’re keeping in sync with a seed on Google servers, while in the other direction you’re using that to check MFA credentials.”
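The proxy behaviour Iyer describes (admit traffic carrying a good credential and a good one-time code, block the rest), as an added example that is not Corsha’s product: it uses RFC 6238 TOTP as the Google Authenticator analogue, a plain dict as the credential store, and a consumed-counter set so a code can be used only once; Corsha’s distributed ledger is not modelled.

```python
"""Machine-to-machine MFA check in front of an API.

Added example, not Corsha's code.  A shared seed per API key is assumed to be
synchronised out of band (the article's 'seed on the servers'); the proxy
accepts a request only with a known key AND a fresh, unused one-time code.
"""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code for Unix time `now`."""
    return hotp(seed, now // step, digits)


class MfaProxy:
    """Decides, per request, whether the static key plus one-time code pass."""

    def __init__(self, credentials: dict, step: int = 30, skew: int = 1):
        self.credentials = credentials  # api_key -> MFA seed (shared out of band)
        self.step = step
        self.skew = skew                # tolerate +/- this many steps of drift
        self.consumed = set()           # (api_key, counter) already used

    def authorize(self, api_key: str, code: Optional[str], now: int) -> str:
        seed = self.credentials.get(api_key)
        if seed is None:
            return "deny: unknown credential"
        if not code:
            # A leaked static key on its own gets nowhere; this is why the
            # article argues rotation stops being the only line of defence.
            return "deny: missing mfa code"
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = hotp(seed, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                if (api_key, counter) in self.consumed:
                    # Valid code presented a second time: a replay.
                    return "deny: replayed mfa code"
                self.consumed.add((api_key, counter))
                return "allow"
        return "deny: bad mfa code"


# Constructed credential store: one service account and its MFA seed.
PROXY = MfaProxy({"svc-billing-key": b"12345678901234567890"})

if __name__ == "__main__":
    t = 1_700_000_000
    code = totp(PROXY.credentials["svc-billing-key"], t)
    print(PROXY.authorize("svc-billing-key", code, t))       # allow
    print(PROXY.authorize("svc-billing-key", code, t + 5))   # deny: replayed mfa code
    print(PROXY.authorize("svc-billing-key", None, t))       # deny: missing mfa code
```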

Corsha was founded in 2018 by Anusha Iyer and Chris Simkins. It is headquartered in Washington, DC. It raised $12 million in a Series A funding round led by Ten Eleven Ventures and Razor’s Edge Ventures, with participation from 1843 Capital, in April 2022.

Other providers in the API security space include Cequence, 42Crunch, Traceable AI, Ghost Security, Pangea Cyber, Wib, FireTail and Salt Security.

Related: U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

Related: Leaked Algolia API Keys Exposed Data of Millions of Users

Related: Leaked GitHub API Token Exposed Homebrew Software Repositories 

Related: The Next Big Cyberattack Vector: APIs


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

https://www.securityweek.com/credential-leakage-fueling-rise-api-breaches

Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.

The CVE-2022-24086 bug (CVSS score of 9.8) is described as an improper input validation bug in the checkout process. It could be exploited to achieve arbitrary code execution, with in-the-wild exploitation observed roughly one week after patches were made available for it.

The initial fixes were found to be easily bypassed, and Adobe issued a second round of patches and a new CVE identifier (CVE-2022-24087) for the bug only days later. A proof-of-concept (PoC) exploit targeting the flaw was released around the same time.

To address the vulnerability, Adobe removed ‘smart’ mail templates and replaced the old mail template variable resolver with a new one, to prevent potential injection attacks.

However, the move caught many vendors off guard, and some of them “had to revert to the original functionality.” In doing so, they unknowingly exposed themselves to the critical vulnerability, despite having applied the latest security patch, Sansec explained.

The security firm has observed some vendors attempting to reintroduce the functionality of the deprecated resolver into production Magento stores, either by overriding the functionality of the new resolver, or by copying code from older versions of Magento and using it as a preference.

“We have observed this risky behavior at multiple agencies as well as extension vendors, likely to avoid the need to update their email templates to be compatible with the new [resolver],” Sansec added.

The company said some vendors attempted to mitigate the risk by adding basic filtering of unsafe user input to the ordering systems, but that does not prevent exploitation, given that the vulnerability can be triggered from other subsystems as well if they touch email.

Related: Magento Vulnerability Increasingly Exploited to Hack Online Stores

Related: Malware Infects Magento-Powered Stores via FishPig Distribution Server

Related: CISA Urges Orgs to Patch Recent Chrome, Magento Zero-Days


Ionut Arghire is an international correspondent for SecurityWeek.

https://www.securityweek.com/vendors-actively-bypass-security-patch-year-old-magento-vulnerability

Researchers: Brace for Zoho ManageEngine ‘Spray and Pray’ Attacks

Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.

The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is enabled or has ever been enabled.

According to researchers at automated penetration testing firm Horizon3.ai, the CVE-2022-47966 flaw is easy to exploit and a good candidate for so-called “spray and pray” attacks. In this case, the bug gives attackers complete control over the system or an immediate beachhead to launch additional compromises.

“Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” the company said in a note documenting its work creating IOCs to help businesses hunt for signs of infection.

Horizon3.ai red-teamer James Horseman is calling attention to exposed attack surfaces that put thousands of organizations at risk. “Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled,” Horseman said, estimating that roughly 10% of all Zoho Management products may be sitting ducks for these attacks.

“Organizations that use SAML in the first place tend to be larger and more mature and are likely to be higher value targets for attackers,” Horseman warned.

Although Zoho issued patches late last year, Horseman notes that some organizations are still tardy in deploying the fixes. “Given how slow enterprise patch cycles can be, we expect that there are many who have not yet patched.”

“We want to highlight that in some cases the vulnerability is exploitable even if SAML is not currently enabled, but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product,” Horseman added.

Zoho boasts that about 280,000 organizations across 190 countries use its ManageEngine product suite to manage IT operations.  

The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, has struggled with zero-day attacks and other major security problems, and has been targeted by nation-state APT actors.

The US government’s cybersecurity agency CISA has added Zoho vulnerabilities to its federal ‘must-patch’ list because of known exploitation activity.

Related: U.S. Agencies Warn of APTs Exploiting Zoho Zero-Day 

Related: Zoho Working on Patch for Zero-Day ManageEngine Vulnerability

Related: CISA Adds Zoho Flaws to Federal ‘Must-Patch’ List 


Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.

https://www.securityweek.com/researchers-brace-zoho-manageengine-spray-and-pray-attacks

Tesla Returns as Pwn2Own Hacker Takeover Target

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to complete vehicle compromise.

Tesla, in tandem with Pwn2Own organizer Zero Day Initiative, is offering a $600,000 cash prize to any hacker capable of writing exploits that pivot through multiple systems in the car to gain arbitrary code execution.

“Success here gets a big payout and, of course, a brand-new Tesla,” contest organizers announced Thursday.

This isn’t the first time Tesla has sought to attract the attention of advanced exploit writers at Pwn2Own. Back in 2019, the company gave away a Tesla Model 3 to a pair of researchers demonstrating successful exploits and this year the organizers plan to raise the level of complexity of what constitutes a successful car-hacking exploit.

Hackers can register an entry against either a Tesla Model 3 (Intel or Ryzen-based) or the Tesla Model S (Ryzen-based).

This year, the organizers are looking for exploits targeting Tesla’s Tuner, Wi-Fi, Bluetooth or Modem components. Hackers must demonstrate a successful intermediate pivot to the vehicle’s infotainment system and execute code against VCSEC, Gateway or Autopilot.

In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $600,000. “This represents the single largest target in Pwn2Own history,” conference organizers said in a note posted Thursday.

Organizers believe a complete vehicle takeover exploit is a tough undertaking. “It’s difficult to express the complexity of completing such a demonstration, but we’re certainly hopeful that someone can show off their exploit skills and drive off a winner.”

Pwn2Own is also offering cash prizes ranging from $250,000 to $400,000 to entice attackers to showcase exploits pivoting through some of the vehicle’s sub-systems. “This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge.”

Pwn2Own also announced the addition of a Steam VM Escape category with both a Tesla Model 3 and a Tesla Model S available as targets.

The annual hacker contest will also offer prizes for VMware virtual machine escapes, attacks against Microsoft DNS Server and ISC BIND, and exploits for the enterprise collaboration tools Zoom and Microsoft Teams.

Related: Pwn2Own 2019: Researchers Win Tesla After Hacking Its Browser 

Related: $200,000 Awarded for Zoom Zero-Click Zoom Exploit at Pwn2Own

Related: Over $1.1 Million Awarded at Pwn2Own 2022 for 25 Zero-Day Vulns

Related: ICS Exploits Earn Hackers $400,000 at Pwn2Own Miami 2022


Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.

https://www.securityweek.com/tesla-returns-pwn2own-hacker-takeover-target

New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets

A new Android banking trojan has been found targeting international banks in the United Kingdom and Italy (and in the U.S.), as well as five different cryptocurrency services. Twenty-two instances have been discovered, but more are expected.

The malware, first detected at the end of October 2021, appears to be new and still being developed. It was discovered by Cleafy, a Milan, Italy-based online fraud detection and prevention firm. Cleafy calls it ‘SharkBot’, named after the frequency of the word ‘sharked’ in its binaries.

SharkBot is not found in Google’s official marketplace. This means it must be sideloaded by delivering the APK to the device and ensuring it is manually loaded. In a technical analysis of the malware, Cleafy notes that it poses as a legitimate application using common names and icons.

If the deception succeeds and the malware is installed, it immediately attempts to enable Android’s Accessibility Services by delivering fake pop-ups to the victim – such as ‘Allow Media Player to have full control of your device’. If this is successful, SharkBot has all the permissions it needs. 

Once accepted, the malware can enable keylogging (to steal typed credentials), intercept SMS messages (to circumvent MFA), deliver overlay attacks (to steal login credentials and credit card information) and remotely control the device, because the permissions were granted via the fake pop-up. “Basically,” comments Corey Nachreiner, CSO at WatchGuard Technologies, “the malicious Accessibility Services can read anything a user can read and can recreate any action a user can on the device.”
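A defender’s check for the abuse described above, as an added example that is not Cleafy’s or WatchGuard’s tooling: it reads the Android `enabled_accessibility_services` secure setting (the value `adb shell settings get secure enabled_accessibility_services` prints, a colon-separated list of component names) and reports any enabled accessibility service that is not on an allowlist; the allowlist and sample output are constructed.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.

Added example.  Assumes the Settings.Secure key `enabled_accessibility_services`
as read over adb; the allowlist and the sample value below are constructed.
"""
import subprocess


def expand_component(component: str) -> str:
    """Android abbreviates 'com.pkg/com.pkg.Svc' as 'com.pkg/.Svc'; undo that
    so that both spellings compare equal."""
    package, _, service = component.partition("/")
    if service.startswith("."):
        service = package + service
    return f"{package}/{service}"


def unexpected_accessibility_services(setting_value: str, allowlist) -> list:
    """Return enabled services (expanded names) that are not allowlisted."""
    allowed = {expand_component(c) for c in allowlist}
    enabled = []
    for raw in setting_value.strip().split(":"):
        if raw and raw != "null":  # `settings get` prints 'null' when unset
            enabled.append(expand_component(raw))
    return [svc for svc in enabled if svc not in allowed]


def check_device(allowlist, serial: str = None) -> list:
    """Query a connected device over adb and return the unexpected services."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return unexpected_accessibility_services(out, allowlist)


# Constructed allowlist: the screen reader the organisation ships on its devices.
ALLOWLIST = ["com.google.android.marvin.talkback/.TalkBackService"]

# Constructed sample output: TalkBack plus a sideloaded 'media player' of the
# kind the article's fake 'Allow Media Player ...' pop-up would enable.
SAMPLE_VALUE = ("com.google.android.marvin.talkback/.TalkBackService:"
                "com.example.mediaplayer/com.example.mediaplayer.AccService\n")

if __name__ == "__main__":
    for svc in unexpected_accessibility_services(SAMPLE_VALUE, ALLOWLIST):
        print("unexpected accessibility service:", svc)
```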

Notably, SharkBot also attempts a relatively novel technique known as an Automatic Transfer System (ATS) attack. “This technique has been seen recently from other banking trojans, such as Gustuff,” explains Cleafy. “ATS is an advanced attack technique (fairly new on Android) which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices.”

The ATS functionality is contained in a module downloaded separately from the C2. “Given its modular architecture,” comments Cleafy, “we don’t exclude the existence of botnets with other configurations and targets.”

The assumption is that ATS is used by SharkBot to bypass the behavioral detection measures used by many financial institutions. If ATS is used on what is a trusted device, a ‘new device enrollment’ phase is not necessary, SMS-based MFA can be bypassed, and behavioral biometrics are not effective.

Although relatively few instances of SharkBot have been discovered in the wild, Cleafy suspects that the threat will grow. This is partly because it is new, and apparently still being developed.  

“The implications of becoming infected with SharkBot could be severe, so it’s important,” says Nachreiner, “to avoid being infected altogether.” This is not yet easy. The malware is new and not well detected by existing detection means. Apart from the DGA for its C2s, it also uses anti-analysis techniques including obfuscated strings and emulator detection.

The best solution is to avoid side-loading religiously. Without 100% certainty in the authenticity of the application and the validity of its source, simply do not install it. 

Related: Android Banking Trojan ‘Vultur’ Abusing Accessibility Services

Related: Android Trojan Targets Banks, Crypto-Currencies, e-Commerce

Related: Automatic Transfer System Evades Security Measures, Automates Bank Fraud


Kevin Townsend is a Senior Contributor at SecurityWeek.

https://www.securityweek.com/new-%E2%80%98sharkbot%E2%80%99-android-banking-malware-hitting-us-uk-and-italy-targets

GBG to Acquire Acuant in $736 Million Deal

UK-based identity verification and fraud prevention solutions provider GBG on Thursday announced that it has agreed to acquire Acuant in a $736 million deal.

Acuant is based in California and it specializes in identity verification and Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. The acquisition, which is expected to close by the end of the month, will help GBG further expand into the United States.

GBG says Acuant’s product suite complements the services provided by its US-based subsidiary IDology.

The combined company has a revenue of roughly £265 million ($355 million), and more than 25,000 enterprise customers around the world.

When announcing the deal, the companies pointed out that the global identity verification market is projected to reach $15.8 billion and the identity fraud market is projected to be worth $9.6 billion by 2025.

Acuant has developed a trusted identity platform that provides a wide range of capabilities, including data capture, identity document authentication, facial recognition matching, anti-money laundering, know your customer, know your business, sanctions screening, transaction monitoring, and dark web checks.

“The US is the largest and most strategic market for location, identity and fraud services,” said Chris Clark, CEO at GBG. “The combination of GBG and Acuant provides a step-change in this market, increasing scale, growing our customer base and introducing us to new and exciting sectors. As importantly, it also strengthens the breadth of our technology portfolio which we can use to support our current customers in new ways in growth geographies such as APAC and Europe where we already have a strong footprint.”

Earlier this year, Acuant announced the acquisition of UK-based identity verification and KYC solutions provider Hello Soda.

Related: TransUnion Acquires Identity Security Company Sontiq for $638 Million

Related: Mastercard Acquires Digital Identity Verification Firm Ekata for $850 Million

Related: CyberArk Acquires Identity as a Service Provider Idaptive for $70 Million


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

https://www.securityweek.com/gbg-acquire-acuant-736-million-deal

Supply Chain Security Fears Escalate as Iranian APTs Caught Hitting IT Services Sector

Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.

Two of Redmond’s premier threat hunting units — the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) — are sounding the alarm for a series of intrusions at companies that sell business management and integration software to millions of global organizations.

Once inside the IT services organizations, Microsoft said the Iranian hackers are “extending their attacks to compromise downstream customers,” much like the SolarWinds supply chain mega-hack that snagged thousands of corporate victims globally.

Microsoft warned of a significant surge in these attacks — more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020 — and warned that downstream attacks are targeting organizations in the defense, energy, and legal sectors.

“As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests,” Microsoft said in a report calling attention to the surge in these Iran-linked attacks.

In July 2021, Microsoft said it caught a threat actor based in Iran that compromised a single Israel-based IT company that provides business management software. Microsoft said the hacking group then used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel.

A few months later, Redmond’s threat hunting teams caught a separate Iranian group hacking into email accounts at a Bahrain-based IT integration company that works with Bahrain government clients.

Microsoft surmises that the downstream Bahrain government clients “were likely the ultimate target” and warned that the group has also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors.

The hacking group maintained persistence at the Bahrain IT integration organization from September through at least October.

Microsoft said credential theft from the original compromises of IT services companies is used in the downstream attacks. “[The Iranian attackers] dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” Microsoft explained.

The company said at least four of those victims were compromised using the acquired credentials and access from the IT company in the July and August attacks. 

Redmond’s telemetry has picked up a major surge in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, Microsoft said it issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies.   

Over the three previous years, Microsoft barely issued 10 such notifications in response to Iranian hacking activity and because there are no obvious geo-political reasons for the India targeting, the company believes the Indian IT shops are being used “for indirect access to subsidiaries and clients outside India.”

Related: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyber Attack 

Related: New Code Execution Flaws In Solarwinds Orion Platform


Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.


https://www.securityweek.com/supply-chain-security-fears-escalate-iranian-apts-caught-hitting-it-services-sector




Microsoft Says HTML Smuggling Attacks On The Rise

Microsoft says it has observed an increase in the use of HTML smuggling in malicious attacks distributing remote access Trojans (RATs), banking malware, and other malicious payloads.

HTML smuggling leverages HTML5/JavaScript to download files onto a victim machine; in these attacks, the downloaded file is an encoded malicious script designed to assemble the final payload directly on the victim computer.

Phishing emails are used either to deliver specially crafted HTML attachments or to direct the intended victim to a malicious web page designed to smuggle the script.

Microsoft said it observed the Chinese threat actor NOBELIUM leveraging the technique in a series of attacks in May, and it is now seeing the same method being used to deliver AsyncRAT/NJRAT, Trickbot, and the banking Trojan Mekotio.

Because the malicious payload is built behind the firewall, the technique allows adversaries to easily bypass standard perimeter security controls that check network traffic for suspicious attachments or patterns.

“Because the malicious files are created only after the HTML file is loaded on the endpoint through the browser, what some protection solutions only see at the onset are benign HTML and JavaScript traffic, which can also be obfuscated to further hide their true purpose,” Microsoft said.

[ Related: Ongoing Campaign Uses HTML Smuggling for Malware Delivery ]

The tech giant said it observed HTML smuggling being used in attacks against banking users in Brazil, Mexico, Spain, Peru, and Portugal, where adversaries were looking to infect victim systems with either Mekotio or Ousaban.

The technique is also making its way into the arsenal of sophisticated threat actors, such as NOBELIUM.

In July and August, adversaries employed HTML smuggling to deliver remote access Trojans (RATs) such as AsyncRAT/NJRAT, while in September the method was used to deploy Trickbot, likely by DEV-0193, an emerging financially motivated cybercrime ring.

The threat actor mainly targets healthcare and education organizations, and shows close connections with ransomware operators, such as those behind Ryuk. DEV-0193 seeks to compromise organizations to sell unauthorized access to ransomware operators.

Disabling JavaScript could prevent such attacks, but that option might not be viable within enterprise environments, where business-related pages and other legitimate resources depend on JavaScript. Thus, a multi-layered defensive approach is recommended.
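As one layer of the multi-layered approach, here is an added example (not code from Microsoft or SecurityWeek) of a small Python heuristic that scans HTML attachments for the client-side assembly indicators described above: base64 decoding, Blob construction, object URLs, forced downloads and large embedded literals. The indicator weights, the threshold and the two sample attachments are constructed assumptions.

```python
"""Heuristic scan of HTML e-mail attachments for HTML smuggling indicators.

Added example, not Microsoft's or SecurityWeek's code. The indicators
follow the technique described in the article (payload assembled in the
browser from an encoded blob, then forced to download); the weights and
threshold below are assumptions to tune against your own mail flow.
"""
import re

# Each indicator: (name, compiled regex, weight). Weights are assumptions.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_assembly", re.compile(r"\bnew\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("legacy_save", re.compile(r"msSaveOrOpenBlob"), 3),
    ("forced_download", re.compile(r"\bdownload\s*(=|>)", re.IGNORECASE), 1),
    ("large_b64_literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 3),
    ("hex_obfuscation", re.compile(r"(\\x[0-9a-fA-F]{2}){9,}"), 1),
]
THRESHOLD = 5  # assumed: attachments scoring at or above this are flagged


def scan_html(html: str) -> dict:
    """Return matched indicator names, total score and verdict for one attachment."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


def scan_attachments(attachments: list) -> list:
    """Scan (filename, content) pairs, returning only flagged HTML attachments."""
    html_ext = (".html", ".htm")
    return [
        (name, scan_html(body))
        for name, body in attachments
        if name.lower().endswith(html_ext) and scan_html(body)["suspicious"]
    ]


# Constructed samples. BENIGN is an ordinary page with a plain download link.
BENIGN = (
    '<html><body><a href="/docs/guide.pdf" download>Download guide</a>'
    '<script>document.title = "Docs";</script></body></html>'
)
FILLER = "QUJD" * 60  # constructed 240-char base64-looking filler, not a payload
SUSPECT = (
    '<html><body><script>'
    f'var b = "{FILLER}";'
    'var blob = new Blob([atob(b)], {type: "application/octet-stream"});'
    'var href = URL.createObjectURL(blob);'
    'a.download = "invoice.zip";'
    '</script></body></html>'
)
```

Run the scanner over attachments extracted at the mail gateway or from an EDR's browser-download telemetry; flagged items are candidates for sandbox detonation rather than automatic blocks.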

Related: Ongoing Campaign Uses HTML Smuggling for Malware Delivery

Related: IcedID Trojan Operators Experimenting With New Delivery Methods


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/microsoft-says-html-smuggling-attacks-rise




Cloudflare Battles 2 Tbps DDoS Attack Launched by Mirai Botnet

Web security services provider Cloudflare says it mitigated a distributed denial-of-service (DDoS) attack that peaked at almost 2 terabytes per second (Tbps).

The multi-vector assault was launched by a botnet of approximately 15,000 machines infected with a variant of the original Mirai malware. The bots included Internet of Things (IoT) devices and GitLab instances, Cloudflare said in a new report.

GitLab instances ensnared into the botnet are affected by CVE-2021-22205, a critical (CVSS score of 10) vulnerability that was patched more than six months ago, but which continues to expose tens of thousands of systems.

The 2 Tbps DDoS attack lasted only one minute. The assault combined DNS amplification and UDP floods, the company said.

[ READ: ‘BotenaGo’ Malware Targets Routers, IoT Devices with Over 30 Exploits ]

Cloudflare notes that it observed an overall increase in the number of terabit-strong DDoS attacks over the last quarter, and that network-layer incidents were up 44% quarter-over-quarter.

The trends appear to continue into the fourth quarter of the year as well, with multiple terabit-strong attacks already hitting Cloudflare’s infrastructure.

In August, the web protection firm said it observed a Mirai-variant botnet launching multiple 1 Tbps attacks, some peaking at 1.2 Tbps.

Last month, Microsoft said it had mitigated a massive 2.4 Tbps assault in August, originating from 70,000 sources worldwide. Last year, Amazon and Google said they mitigated 2.3 Tbps and 2.5 Tbps DDoS attacks, respectively.

Related: Operator of ‘DownThem’ DDoS Attack Service Convicted

Related: Mēris Botnet Flexes Muscles With 22 Million RPS DDoS Attack

Related: Organizations Warned: STUN Servers Increasingly Abused for DDoS Attacks


Ionut Arghire is an international correspondent for SecurityWeek.


https://www.securityweek.com/cloudflare-mitigates-2-tbps-ddos-attack-launched-mirai-botnet