Cybersecurity News Bites #32: Tokens, Drivers, and Digital Independence
Faisal Yahya
Empowering Cybersecurity Professionals | Country Manager | CREST Asia Council | Official Instructor (CSA & EC-Council) | Speaker
Welcome to this week's edition of Cybersecurity News Bites, coming to you on Indonesia's Independence Day, August 17, 2024. As we celebrate the spirit of freedom and self-reliance that this day represents, it's fitting to reflect on the importance of digital independence and security in our increasingly interconnected world.
In the ever-evolving landscape of cybersecurity, this week has brought to light several critical issues that demand our attention. From vulnerabilities in widely-used development tools to sophisticated attacks on financial systems, the challenges we face are as diverse as they are complex. As we delve into these stories, let's keep in mind that our collective vigilance and expertise are the keys to maintaining our digital sovereignty.
GitHub Actions Artifacts: A Token of Vulnerability
In a concerning development, Palo Alto Networks' Unit 42 has shown that artifacts produced by GitHub Actions workflows can leak tokens for third-party cloud services and for GitHub itself. Artifacts are the files a job uploads for later jobs or for download; they are frequently built from the whole working directory, and whatever credentials the job left on disk travel with them, putting repositories and downstream services at risk of compromise.
The issue stems from a combination of misconfigurations and security defects rather than a single bug. Artifacts of a public repository can be downloaded by anyone with read access, which makes the leaked tokens effectively public, and a threat actor who obtains one could push malicious code or steal further secrets from the affected repository.
The most commonly exposed secret was the GitHub token itself. actions/checkout, which clones the repository at the start of most workflows, persists that token in the .git/config of the checkout directory (as an HTTP authorization extraheader) so that later steps can push and pull; a step that uploads the working tree as an artifact therefore uploads the token with it. The token is valid only until the job that created it finishes, so an attacker has to fetch the artifact while the workflow is still running, but the third-party cloud credentials found alongside it usually carry no such expiry. Super-Linter, a popular open-source code linter, was found to make matters worse by writing its environment variables, secrets included, to a log file that workflows then uploaded as a build artifact.
The researcher, Yaron Avital, demonstrated how these leaked tokens could be used to achieve remote code execution on job runners, potentially compromising workstations. Even more alarmingly, Avital discovered that high-profile open-source projects from tech giants like Google, Microsoft, Canonical, RedHat, OWASP, and AWS were affected, potentially impacting millions of customers.
To mitigate this risk, Avital developed a proof-of-concept action that scans the source directory for secrets and blocks the artifact upload if it finds any. Beyond that, reduce the permissions of the workflow's GITHUB_TOKEN to the least privilege each job actually needs (the permissions: key in the workflow file), set persist-credentials: false on actions/checkout wherever later steps do not push to the repository, and review what every upload-artifact step really packages: the .git directory and tool log files rarely belong in a build artifact.
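An added example of the pre-upload check described above, written here in Python; it is not the Unit 42 proof-of-concept action or any project's code. It walks the directory a workflow is about to hand to upload-artifact and refuses to ship it if the actions/checkout credential in .git/config or a GitHub token in a log file is present. The directory layout, the log file name and the token values in build_sample_tree() are constructed for the example; in a real workflow the scan would run as a step immediately before the upload and fail the job on any finding.

```python
"""Pre-upload artifact scan: refuse to publish a build directory that still
holds a GitHub credential. Added example, not the Unit 42 proof-of-concept.

Assumptions (not from the article): the build output is a directory the
workflow is about to pass to actions/upload-artifact, the checkout credential
is the usual ".git/config" extraheader, and linter logs may contain lines such
as "GITHUB_TOKEN=..." or raw ghs_/ghp_/github_pat_ tokens.
"""
import base64
import os
import re
import tempfile
from pathlib import Path

# Token shapes GitHub issues; a job's GITHUB_TOKEN is a ghs_ installation token.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
# Environment dumps of the kind a linter log can contain: "GITHUB_TOKEN=<value>"
ENV_RE = re.compile(r"^\s*(?:export\s+)?(GITHUB_TOKEN|ACTIONS_RUNTIME_TOKEN)\s*[=:]\s*\S+", re.M)
# actions/checkout persists the token as an HTTP extraheader in .git/config
EXTRAHEADER_RE = re.compile(r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def _extraheader_username(b64: str) -> str:
    """The basic-auth blob decodes to 'x-access-token:<token>'; return the user part only."""
    try:
        return base64.b64decode(b64).decode("ascii", "replace").split(":", 1)[0]
    except Exception:
        return ""


def scan_artifact_dir(root: str) -> list[tuple[str, str]]:
    """Walk `root` and return (relative_path, reason) for every leaked credential found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            rel = str(path.relative_to(root))
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if path.name == "config" and path.parent.name == ".git":
                m = EXTRAHEADER_RE.search(text)
                if m:
                    findings.append((rel, f"checkout credential for '{_extraheader_username(m.group(1))}'"))
            for m in TOKEN_RE.finditer(text):
                findings.append((rel, f"token {m.group(1)[:7]}... in file contents"))
            for m in ENV_RE.finditer(text):
                findings.append((rel, f"environment dump of {m.group(1)}"))
    return findings


def should_block_upload(root: str) -> bool:
    """True when the directory must not be uploaded as an artifact."""
    return bool(scan_artifact_dir(root))


def build_sample_tree() -> str:
    """Constructed sample of what an 'upload the whole workspace' step would ship."""
    root = tempfile.mkdtemp(prefix="artifact-")
    git = Path(root, ".git")
    git.mkdir()
    blob = base64.b64encode(b"x-access-token:ghs_" + b"A" * 36).decode()
    Path(git, "config").write_text(
        "[http \"https://github.com/\"]\n\textraheader = AUTHORIZATION: basic " + blob + "\n")
    Path(root, "super-linter.log").write_text("GITHUB_TOKEN=ghs_" + "B" * 36 + "\nLOG_LEVEL=info\n")
    Path(root, "app.tar").write_bytes(b"harmless build output\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, why in scan_artifact_dir(sample):
        print(f"{rel}: {why}")
    raise SystemExit(1 if should_block_upload(sample) else 0)
```

The scan is deliberately coarse: any hit blocks the upload, and the operator fixes the workflow (drop .git and logs from the artifact path, or stop persisting credentials) rather than filtering individual files.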
SolarWinds Web Help Desk: A New Entry in CISA's Hall of Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2024-28986 with a CVSS score of 9.8, is a Java deserialization issue that could allow an attacker to execute remote code on a vulnerable host.
SolarWinds Web Help Desk, a widely-used help desk solution in large enterprises and government organizations, is affected in all versions prior to the fix. SolarWinds initially reported the flaw as exploitable without authentication, but after thorough testing was unable to reproduce it without valid credentials.
Nevertheless, out of an abundance of caution, SolarWinds strongly recommends all Web Help Desk customers to apply the available patch by upgrading to WHD 12.8.3 and installing the provided hotfix. Federal Civilian Executive Branch (FCEB) agencies are required to address this vulnerability by September 5, 2024, as per the Binding Operational Directive (BOD) 22-01.
This incident serves as a reminder of the critical importance of promptly addressing known vulnerabilities, especially in widely-deployed software solutions that form the backbone of organizational IT infrastructure.
National Public Data Breach: A Trove of Sensitive Information Exposed
In a troubling development for personal data security, National Public Data, a background check service, has confirmed a significant data breach. The incident has resulted in the exposure of millions of social security numbers and other sensitive personal information.
The breach, which the company believes is linked to a hacking attempt from late December 2023, has led to the leaking of a database containing an estimated 2.7 billion records. The compromised information includes names, email addresses, phone numbers, social security numbers, and postal addresses.
While the full extent of the breach is still being determined, initial analysis by Troy Hunt, creator of the Have I Been Pwned service, identified 134 million unique email addresses in one version of the leaked database. However, the accuracy and currency of the data have been called into question, with some records containing outdated or mismatched information.
The incident highlights the ongoing challenges in securing large datasets of personal information and the potential for far-reaching consequences when such breaches occur. Individuals potentially affected by this breach are advised to monitor their financial accounts for suspicious activity and to be vigilant against potential phishing attempts that may leverage the leaked contact information.
Iran's Banking System Under Cyber Siege
Iran's financial infrastructure faced a significant challenge this week as reports emerged of a major cyberattack targeting the Central Bank of Iran (CBI) and several other banks in the country. The attack, described as potentially one of the largest ever faced by Iran's state infrastructure, has caused widespread disruption within the nation's financial system.
The impact of the attack was visibly manifested in the temporary inability to withdraw money from ATMs, with anonymous individuals placing notes on machines explaining the situation. The timing of this cyberattack is particularly notable, coinciding with heightened geopolitical tensions and threats of retaliation from Iran's supreme leader, Ayatollah Khamenei.
This incident underscores the growing trend of cyber warfare and its potential to disrupt critical national infrastructure. It serves as a stark reminder of the need for robust cybersecurity measures in financial systems, particularly in regions of geopolitical instability.
RansomHub's New Weapon: EDRKillShifter
In a concerning development for cybersecurity professionals, the RansomHub ransomware gang has been observed deploying a new utility designed to terminate endpoint detection and response (EDR) processes. Dubbed "EDRKillShifter," the binary is a loader whose purpose is to disable EDR software before the ransomware payload runs.
The utility works by dropping and loading a legitimately signed but vulnerable driver and then triggering the flaw in that driver with publicly available proof-of-concept exploit code, escalating from administrator to kernel privileges and using that access to terminate protected EDR processes. Loading a driver already requires administrator rights, so the technique does not get the attacker in; it is used after initial access to blind the endpoint. This bring-your-own-vulnerable-driver (BYOVD) technique is not new, but its packaging in EDRKillShifter represents a significant threat to organizational security.
The emergence of EDRKillShifter is part of a broader trend of increasing sophistication in malware designed to disable EDR systems. This development highlights the ongoing arms race between cybercriminals and security professionals, emphasizing the need for continuous improvement in defensive strategies and technologies.
To mitigate the risk posed by tools like EDRKillShifter, cybersecurity experts recommend strong hygiene for Windows security roles and a strict separation between user and admin privileges: a driver cannot be loaded without administrator rights, so denying those rights to everyday accounts removes the first step of the attack. Keeping Microsoft's vulnerable driver blocklist enforced, which ships with Windows and blocks many known-abusable drivers, and alerting on drivers loaded from user-writable paths add defence in depth for the cases where an attacker already holds admin.
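An added example of the detection side of the above, in Python; it is not Sophos's detection logic or anything from the EDRKillShifter binary. It triages Sysmon DriverLoad records (Event ID 6) for the BYOVD signals a hunter would look for, then correlates each suspicious load with ProcessTerminate records (Event ID 5) for EDR processes in the following two minutes, which is the load-then-kill sequence the article describes. The event records, the blocklist hash and the EDR process names are constructed placeholders; a real deployment would feed it parsed Sysmon events and use Microsoft's vulnerable driver blocklist or the LOLDrivers feed together with the actual EDR binary names.

```python
"""Triage Windows driver loads for bring-your-own-vulnerable-driver (BYOVD)
activity of the kind the article attributes to EDRKillShifter. Added example,
not Sophos's detection logic or the tool's own code.

Assumptions (not from the article): events are Sysmon Event ID 6 (DriverLoad)
and Event ID 5 (ProcessTerminate) already parsed into dicts using Sysmon's
field names; the hash blocklist and the protected EDR process names below are
constructed placeholders.
"""
from datetime import datetime, timedelta

# Constructed placeholder hash; stand-in for a real blocklist entry.
KNOWN_VULNERABLE_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}
# Hypothetical EDR process names whose termination right after a driver load is the tell.
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}
# Legitimate drivers live under System32\drivers; anything else deserves a look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\windows\\temp\\")
KILL_WINDOW = timedelta(seconds=120)


def _sha256(hashes: str) -> str:
    """Pull the SHA256 out of Sysmon's 'MD5=...,SHA256=...' Hashes field."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def assess_driver_load(ev: dict) -> list[str]:
    """Return the reasons a DriverLoad record looks like BYOVD (empty list if clean)."""
    reasons = []
    image = ev.get("ImageLoaded", "").lower()
    if _sha256(ev.get("Hashes", "")) in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if any(hint in image for hint in USER_WRITABLE_HINTS):
        reasons.append("driver loaded from user-writable path")
    elif not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded outside System32\\drivers")
    if ev.get("SignatureStatus", "") != "Valid":
        reasons.append("signature not valid")
    elif not ev.get("Signature", "").startswith("Microsoft") and reasons:
        # Vendor-signed drivers are normal; the signer only matters alongside other signals.
        reasons.append("third-party signed")
    return reasons


def correlate(events: list[dict]) -> list[dict]:
    """Pair each suspicious driver load with EDR terminations inside KILL_WINDOW after it."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    alerts = []
    for ev in events:
        if ev["EventID"] != 6:
            continue
        reasons = assess_driver_load(ev)
        if not reasons:
            continue
        t0 = datetime.fromisoformat(ev["UtcTime"])
        killed = [
            e["Image"].rsplit("\\", 1)[-1].lower()
            for e in events
            if e["EventID"] == 5
            and t0 <= datetime.fromisoformat(e["UtcTime"]) <= t0 + KILL_WINDOW
            and e["Image"].rsplit("\\", 1)[-1].lower() in PROTECTED_PROCESSES
        ]
        alerts.append({
            "driver": ev["ImageLoaded"],
            "reasons": reasons,
            "edr_processes_terminated": killed,
            "severity": "critical" if killed else "high",
        })
    return alerts


SAMPLE_EVENTS = [  # constructed records, not taken from any real host
    {"EventID": 6, "UtcTime": "2024-08-14T09:00:00", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2024-08-14T09:05:10", "ImageLoaded": "C:\\Users\\Public\\Temp\\vuln_driver.sys",
     "Hashes": "SHA256=" + "0" * 63 + "1", "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2024-08-14T09:05:12", "Image": "C:\\Program Files\\EDR\\edr_agent.exe"},
    {"EventID": 5, "UtcTime": "2024-08-14T09:05:13", "Image": "C:\\Program Files\\EDR\\edr_sensor.exe"},
    {"EventID": 5, "UtcTime": "2024-08-14T09:30:00", "Image": "C:\\Windows\\notepad.exe"},
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The hash match is the high-confidence signal; the path and signer checks exist so that a driver not yet on any blocklist still raises an alert, and the correlation with EDR process terminations is what lifts the alert from "investigate" to "incident".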
As we conclude this week's Cybersecurity News Bites, it's clear that the digital landscape continues to present complex challenges that require our ongoing attention and expertise. From the vulnerabilities in development tools to sophisticated attacks on financial systems, the need for robust cybersecurity measures has never been more apparent.
On this Indonesian Independence Day, we're reminded that true independence in the digital age extends beyond physical borders. It encompasses the ability to secure our digital assets, protect our personal information, and maintain the integrity of our critical infrastructure against ever-evolving cyber threats.
As we move forward, let's carry the spirit of independence into our cybersecurity practices. By staying informed, implementing best practices, and fostering a culture of security awareness, we can work towards a more secure digital future. Remember, in the realm of cybersecurity, our vigilance is our strength, and our collective efforts are our best defense against those who seek to exploit our digital vulnerabilities.
Stay safe, stay informed, and keep championing the cause of digital independence!