Newsletter
10.26.2021 | 6 min read
The software supply chain pain intensifies
- A lighter-than-normal newsletter this week because of work travel.
- Earlier today, I interviewed Dragos founder and chief executive Robert M. Lee to kick off this year’s ICS Cybersecurity Conference. Catch the recording here.
I’m in the midst of dumping Google Chrome for an alternative browser (you should too!) when I stumbled upon this piece that makes me grit my teeth in exasperation: Firefox is selling ads in the most sacred place: the actual search bar.
In the same announcement of this new Firefox “feature,” Mozilla simultaneously explains that ads will be sold and served in the address bar and that “privacy is fundamental” to its mission.
I’m close to giving up.
_ryan
On to the newsletter…
Zero-days and nation states.
- Patrick Gray’s interview with zero-day exploit supplier Mark Dowd is a rare on-the-record voice from that murky underworld. I’ll have more to say on this next week.
- The U.S. National Counterintelligence and Security Center is warning that China’s goals in certain key emerging technologies (pdf) could give Beijing an advantage over the U.S. and its security interests.
- Microsoft has caught the SolarWinds hackers (Nobelium/APT29) targeting hundreds of IT and cloud service providers with password-spraying attacks. About 14 of those companies were successfully breached.
- The U.S. Commerce Department announces a new rule aimed at stemming the sale of hacking tools to Russia and China. Here’s the announcement and text of new rule.
Sponsored.
- Symmetry DataGuard helps you protect what matters most. Start with a sealed, read-only service in your cloud. Point it at your data stores and fine-grained query logs. Get a risk map with at-risk data objects and suggested interventions. Get in touch today for a demo.
- ProcessUnity’s Cybersecurity Program Management (CPM) is a single, comprehensive platform for centrally managing an organization’s cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. The solution enables the CISO to inventory and assess high-value assets; map them to threats, risks, policies and control standards; automate reviews; and capture evidence of compliance — all on a predefined schedule. Request a demo.
Supply chain pain.
- Security responders are scrambling to assess the damage from malware embedded in UAParser.js, an npm package (JavaScript library) that counts close to 8 million downloads per week. The hack raised eyebrows because of its software supply chain implications and prompted a “critical severity” warning from GitHub that any computer with the compromised package installed “should be considered fully compromised.”
- NTIA has released a how-to guide for generating SBOMs (software bill of materials). A separate document on framing software component transparency is also available.
- This year’s AVAR keynote will address firmware security as the next security frontier.
- A very useful session on how the latest UEFI firmware recommendations from national security organizations can be leveraged to design secure devices that meet stringent national security standards.
Research things.
- Dennis Fisher has a story on a security researcher who found several key pairs used to encrypt the traffic between rogue Cobalt Strike beacons and their command-and-control servers, enabling the decryption of communications for several hundred beacons deployed by malicious actors.
- Threat hunters at Bitdefender have identified a rootkit carrying a Microsoft-issued digital signature. The rootkit is used to proxy traffic to Internet addresses that interest the attackers.
- This detailed look at the “Initial Access Broker Landscape” is incredibly important to understanding the cybercrime ecosystem.
- Some data points on secrets sprawl on GitHub.
Ransomware everywhere.
- The New York Times is reporting on a rare win in the cat-and-mouse game of ransomware.
- Huntress Labs was called in to investigate a ransomware attack against an unnamed U.S. engineering company and found gaping holes in a little-known billing system called BillQuick Web Suite, which has 400,000 users worldwide.
- From Florian Roth: “It’s not always possible to scan every device in your network for crypto mining malware (Linux boxes, IoT, app containers) but you could check your DNS & firewall logs for connections to the limited number of mining pools on this list.”
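The DNS-and-firewall-log hunt Florian describes, as an added example (not from the newsletter and not from his list). The pool hostnames, the dnsmasq-style DNS query lines, the firewall log format and the stratum port list are all constructed for illustration; swap in the real pool list and your own log export. The hostname check is subdomain-aware, since beacons often resolve a regional prefix of a pool domain rather than the bare name.

```python
"""Hunt DNS and firewall logs for connections to known crypto-mining pools.

Added example; the blocklist entries, log lines and log formats below are
constructed placeholders, not a real pool list or real traffic.
"""
import re
from typing import Dict, List

# Constructed sample of a mining-pool blocklist (placeholder hostnames).
MINING_POOLS = {
    "pool.example-xmr.net",
    "stratum.example-pool.org",
    "eu1.example-ethpool.com",
}

# Ports commonly used by stratum mining endpoints; a weak, heuristic signal
# on its own (assumed list, tune to your environment).
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}

# dnsmasq-style query line: "query[A] <name> from <client>"
DNS_RE = re.compile(r"query\[A\] (?P<qname>\S+) from (?P<src>\S+)")
# Constructed firewall line: "src=<ip> dst=<ip> dport=<port> [host=<sni or resolved name>]"
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: host=(?P<host>\S+))?")


def matches_pool(hostname: str) -> bool:
    """True if hostname is a listed pool or a subdomain of one.

    Uses '.' + pool so that 'notpool.example-xmr.net' does not match
    'pool.example-xmr.net' (a plain endswith() would).
    """
    h = hostname.lower().rstrip(".")
    return any(h == p or h.endswith("." + p) for p in MINING_POOLS)


def scan_dns(lines: List[str]) -> List[dict]:
    """Return one hit per DNS query for a pool hostname."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and matches_pool(m.group("qname")):
            hits.append({"src": m.group("src"), "source": "dns",
                         "reason": "pool-host", "indicator": m.group("qname")})
    return hits


def scan_firewall(lines: List[str]) -> List[dict]:
    """Return hits for pool hostnames, falling back to stratum-port heuristic."""
    hits = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        host, dport = m.group("host"), int(m.group("dport"))
        if host and matches_pool(host):
            hits.append({"src": m.group("src"), "source": "fw",
                         "reason": "pool-host", "indicator": host})
        elif dport in STRATUM_PORTS:
            hits.append({"src": m.group("src"), "source": "fw",
                         "reason": "stratum-port",
                         "indicator": f"{m.group('dst')}:{dport}"})
    return hits


def hunt(dns_lines: List[str], fw_lines: List[str]) -> Dict[str, List[str]]:
    """Group findings by internal source address: {src: ["source:reason:indicator", ...]}."""
    findings: Dict[str, List[str]] = {}
    for hit in scan_dns(dns_lines) + scan_firewall(fw_lines):
        findings.setdefault(hit["src"], []).append(
            f"{hit['source']}:{hit['reason']}:{hit['indicator']}")
    return findings


# Constructed sample logs.
DNS_SAMPLE = [
    "Oct 25 09:14:01 dnsmasq[1212]: query[A] www.example.com from 10.0.0.7",
    "Oct 25 09:14:05 dnsmasq[1212]: query[A] pool.example-xmr.net from 10.0.0.5",
    "Oct 25 09:14:09 dnsmasq[1212]: query[A] us-west.stratum.example-pool.org from 10.0.0.9",
]
FW_SAMPLE = [
    "Oct 25 09:14:06 fw ALLOW src=10.0.0.5 dst=203.0.113.9 dport=3333 host=pool.example-xmr.net",
    "Oct 25 09:14:20 fw ALLOW src=10.0.0.12 dst=198.51.100.4 dport=443",
    "Oct 25 09:15:02 fw ALLOW src=10.0.0.30 dst=198.51.100.77 dport=14444",
]

if __name__ == "__main__":
    for src, reasons in hunt(DNS_SAMPLE, FW_SAMPLE).items():
        print(src, reasons)
```

A hostname match is high confidence; a stratum-port-only hit (10.0.0.30 in the sample) is a lead to triage, not a verdict, which is why the two are reported with different reasons.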
NYTimes reporter hacked by Saudis.
Citizen Lab has a head-scratcher of a report on New York Times reporter Ben Hubbard’s devices being hacked by Saudi Arabian operators using NSO Group’s Pegasus spyware. The raw details:
- Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.
- The targeting resulted in Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018.
- Some forensic artifacts connected to NSO Group are present on Hubbard’s device as early as April 2018.
- A phone number belonging to Hubbard also reportedly appeared on the Pegasus Project list in July 2019.
Hubbard wrote a first-person account of the compromise.
Leftovers.
Danny Moore’s upcoming talk at CyberWarCon is all kinds of fascinating:
This talk will explore how the modern military is information security’s worst nightmare. In particular, we will focus on the US military and its decades-old, globe-spanning operational networks powering weapons designed by a dozen low-bidding contractors with enormous supply chains. Weapons must be remotely targeted, operated and maintained thousands of miles from home, and potentially work both over civilian and military infrastructure. For an attacker, that is an incredible playing field.
The talk tackles specific examples such as the US Navy’s Littoral Combat Ship, the F-35, and military satellite comms. We will explore their design vulnerabilities, opportunities for compromise, and how they may be attacked for operational gain during – or right before – conflict.
This makes Danny’s book on Offensive Cyber Operations a must-read.
Tangentially.
From the ISC SANS diary:
A bug in the GPSD project that could cause time to roll back in October 2021. Due to the design of the GPS protocol, time rollback (or technically termed “GPS Week Rollover”) can be anticipated and usually closely monitored by manufacturers. The next occurrence should have been in November 2038, but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.
Beautiful bug.
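The week arithmetic behind that diary entry, as an added example (this is not gpsd’s code and does not reproduce its sanity check; it only models the 1024-week subtraction the diary describes). It assumes the GPS epoch of 1980-01-06 and the 10-bit week counter of the legacy navigation message, which is what makes the counter wrap every 1024 weeks and why a receiver needs a reference date to “unwrap” the value it sees.

```python
"""GPS week rollover arithmetic and the effect of a spurious 1024-week subtraction.

Added example, not gpsd's code. Models the diary's description only.
"""
from datetime import date, timedelta
from typing import List

GPS_EPOCH = date(1980, 1, 6)   # GPS week 0, day 0 (a Sunday)
WEEK_ROLLOVER = 1024           # 10-bit week counter wraps every 1024 weeks


def gps_week_to_date(full_week: int, day_of_week: int = 0) -> date:
    """Calendar date for a full (unwrapped) GPS week number and day-of-week (0 = Sunday)."""
    return GPS_EPOCH + timedelta(weeks=full_week, days=day_of_week)


def date_to_gps_week(d: date) -> int:
    """Full GPS week number containing calendar date d."""
    return (d - GPS_EPOCH).days // 7


def rollover_dates(count: int = 3) -> List[date]:
    """Dates of the first `count` legitimate 10-bit week rollovers."""
    return [gps_week_to_date(WEEK_ROLLOVER * i) for i in range(1, count + 1)]


def unwrap_week(wrapped_week: int, reference: date) -> int:
    """Recover the full week from a 10-bit value, assuming the fix is no earlier than `reference`.

    This is the usual receiver/firmware approach: pick the smallest full week
    that is >= the reference date's week and congruent to the wrapped value.
    A reference that is too far in the past (e.g. a stale build date) yields a
    date one rollover too early.
    """
    if not 0 <= wrapped_week < WEEK_ROLLOVER:
        raise ValueError("wrapped week must be a 10-bit value")
    ref_week = date_to_gps_week(reference)
    k = max(0, -(-(ref_week - wrapped_week) // WEEK_ROLLOVER))  # ceiling division
    return wrapped_week + WEEK_ROLLOVER * k


def buggy_week_correction(full_week: int) -> int:
    """Model of the defect the diary describes: subtract one rollover period
    from an already-correct week number. Illustrative, not gpsd's logic."""
    return full_week - WEEK_ROLLOVER


if __name__ == "__main__":
    print("legitimate rollovers:", rollover_dates(3))
    w = date_to_gps_week(date(2021, 10, 24))
    print("week on 2021-10-24:", w, "->", gps_week_to_date(w))
    print("after bogus subtraction:", gps_week_to_date(buggy_week_correction(w)))
```

Run it and the three legitimate rollovers land on 1999-08-22, 2019-04-07 and 2038-11-21, while week 2181 (October 24, 2021) minus 1024 comes out as March 10, 2002, exactly the “March 2002” an NTP server fed by the bugged build would report.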