Edition 4

Highlights:

  • With its new crypto effort, Software Supply Chain scores a security win: GitHub has requested feedback from developers on a proposal to adopt sigstore, which makes the signing of code components simpler.
  • Software developers can verify the code that produced a software application or component using sigstore.
  • The idea is the most recent attempt to provide developers with tools to protect the software supply chain.
  • Three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders have been found to have a security feature bypass flaw.
  • Microsoft signed and verified vulnerable bootloaders and fixed them as part of the company's Patch Tuesday update.
  • Researchers at Eclypsium have warned that the BootHole vulnerability CVE-2022-34302 and the New Horizon Datasys vulnerability can be used in the real world.
  • A Chinese instant messaging app called "MiMi" has been hacked to deliver a new backdoor called "rshell" that can be used to steal data from Linux and Mac computers.
  • On the bug bounty front, it looks like Microsoft is ahead of Google.
  • The software company with the most employees gave $13.7 million in prizes to 335 researchers.



With its new crypto effort, Software Supply Chain scores a security win

GitHub has requested feedback from developers on a proposal to adopt sigstore, which makes the signing of code components simpler. With sigstore, developers can verify the code that produced a software application or component. The proposal is the most recent attempt to give developers tools to protect the software supply chain. In 2020, GitHub purchased the Node Package Manager (npm). Sigstore works because it makes it considerably simpler for developers to sign code. Another program, Supply Chain Levels for Software Artifacts (SLSA), gives developers a road map for safeguarding software projects.


Vendor Patch Management Is So Broken

Because of CVSS scores and incomplete fixes, it is now harder to patch security holes. Exploit writers also benefit from bad patches, since "n-days" are much easier to use than "zero-days." Since 2005, Trend Micro's Zero Day Initiative has disclosed more than 10,000 security holes. Microsoft has removed vendor advisories from its security update guides, which makes it harder to find out which bugs are fixed each month. Patch Tuesday bulletins also omit basic information, such as how many vulnerabilities are being actively attacked or are publicly known.

The company will be careful about how it shares information on exploiting vulnerabilities. Microsoft is just one of many companies that give little information in bug disclosures. She says that "placebo patches," which are "fixes" that don't change the code, are common. Patch prioritization comes down to figuring out which software targets in the organization matter most. Cybercriminals waste no time adding exploits for large attack surfaces to their ransomware tool sets. Security teams should watch threat intelligence sources to find out when a bug is added to an exploit kit or ransomware.


Researchers Find UEFI Secure Boot Bypass in 3 Boot Loaders Signed by Microsoft

Three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders have been found to have a security feature bypass flaw. The vulnerable bootloaders had been signed and verified by Microsoft, which fixed them as part of the company's Patch Tuesday update. The vulnerabilities can be exploited by mounting the EFI System Partition and replacing the existing bootloader with the vulnerable one, or by changing a UEFI variable. Researchers at Eclypsium have warned that the BootHole vulnerability CVE-2022-34302 and the New Horizon Datasys vulnerability can be used in the real world. With successful exploitation, an attacker could bypass the security checks at startup and run any unsigned code while the computer boots. The knock-on effect is that a bad actor can more easily gain persistent access to a host and stay there.


Allow the use of light sensing without having to worry about data theft

In 2012, the first Ambient Light Events API specification for web browsers came out. Ambient light sensors are built into cell phones and laptops to measure the light level around the device. In 2012, the W3C did not include security and privacy concerns in the section of the spec about ambient light events. By 2016, it was clear that letting web code interact with a device's light sensor posed privacy and security risks beyond fingerprinting. "We took advantage of these natural facts to make an attack that figured out what a website was about based on information encoded in the light level and sent back to the browsing context by the user's skin." The technique enabled proof-of-concept attacks, such as inferring web history from CSS changes and stealing cross-origin resources, like images or the content of iframes.


Chinese hackers put a backdoor in a chat app with new malware for Linux and MacOS

A Chinese instant messaging app called "MiMi" has been hacked to deliver a new backdoor called "rshell" that can be used to steal data from Linux and Mac computers. According to SEKOIA's Threat & Detection Research Team, the app's macOS 2.3.0 version has been backdoored since May 26, 2022. The malware was linked to APT27 because it used the same IP address range and some of the same infrastructure and tradecraft (backdooring a messaging app, as in Operation StealthyTrident, and packing malicious code with the Dean Edwards JavaScript packer). At this point, SEKOIA does not know the goal of this campaign. Researchers say that because the app does not seem to be widely used in China, it was likely chosen to spy on specific targets.


Feds: Zeppelin ransomware is back with new encryption and compromise techniques

Zeppelin is a type of ransomware-as-a-service (RaaS) that is based on Delphi and was first known as Vega or VegaLocker. Threat actors use vulnerabilities in the remote desktop protocol (RDP) and the SonicWall firewall to get into networks. Zeppelin actors also appear to use a new technique called "multi-encryption," which involves running the malware more than once on a victim's network. On compromised systems, usually a user's desktop, threat actors also leave a ransom note file. Zeppelin actors usually want to be paid in Bitcoin, and they ask for anywhere from a few thousand dollars to more than a million dollars.


Twilio had a data breach that affected 125 customers, but no passwords were taken.

Twilio, which owns the two-factor authentication (2FA) provider Authy, says that it has identified 125 customers whose information was accessed during a security breach. The attackers got into Twilio's network by stealing the passwords of several employees through an SMS phishing attack. The company asked several U.S. mobile carriers to close the accounts used to send the phishing messages, but the threat actors switched to new accounts and kept attacking. Cloudflare, whose employees were targeted in the same way, said the attackers were unable to get into its systems because its employees use FIDO2-compliant hardware security keys, which blocked the login attempts.
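Why the same lure failed against hardware keys: in FIDO2/WebAuthn the browser records the page origin in clientDataJSON and the authenticator signs over it together with a hash of the relying party ID, so a credential captured on a lookalike domain does not verify at the real site. The following stdlib-only Python is an added illustration of the relying-party checks (not code from the article, Twilio or Cloudflare); the origin, RP ID and challenge values are constructed, and the final signature check is omitted.

```python
import base64
import hashlib
import json

# Constructed values for this illustration, not from any real deployment.
EXPECTED_ORIGIN = "https://sso.example-corp.test"
EXPECTED_RP_ID = "sso.example-corp.test"


def b64url_decode(data: str) -> bytes:
    """Decode base64url; WebAuthn strips the '=' padding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Build clientDataJSON as the browser does for a login (get) ceremony.
    The browser, not the page script, fills in 'origin'."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    raw = json.dumps(payload).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """First 37 bytes of authenticatorData: rpIdHash(32) + flags(1) + counter(4).
    The authenticator only uses the RP ID the browser allows for the origin."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_challenge: str) -> tuple:
    """Relying-party checks that precede the signature check.
    Returns (ok, reason). A phished assertion fails here even before the
    signature over authData || SHA-256(clientDataJSON) is examined."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "binding checks passed"


if __name__ == "__main__":
    # Legitimate login versus the same key used on a lookalike phishing domain.
    good = make_client_data(EXPECTED_ORIGIN, "nonce-1")
    bad = make_client_data("https://sso.example-corp-login.test", "nonce-1")
    print(verify_assertion_binding(good, make_auth_data(EXPECTED_RP_ID), "nonce-1"))
    print(verify_assertion_binding(bad, make_auth_data(EXPECTED_RP_ID), "nonce-1"))
```

An SMS-phished one-time code carries no such origin binding, which is why the Twilio lure worked against OTP-based 2FA but not against the keys.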


Microsoft pays out more in bug bounties than Google in 2021 and 2022

On the bug bounty front, it looks like Microsoft is ahead of Google. The software company with the most employees gave $13.7 million in prizes to 335 researchers. Google, by comparison, paid out $8.7 million in 2021, which it called a "record-breaking" amount. Microsoft's numbers cover July 1, 2021, to June 30, 2022.


At Black Hat, the Starlink satellite dish cracked on stage

A security researcher has shown how, given physical access at least, a home-made modchip can be used to fully take over a Starlink satellite terminal. This week at Black Hat in Las Vegas, Lennert Wouters described his approach. He will publish the code and details of the parts used on GitHub so that other people can build their own unlocking modchips. Wouters used a modchip to break the bootloader and get root access on SpaceX's Falcon Heavy rocket's Starlink user terminal (UT). After carrying out a side-channel attack, he used the rooted terminal to send a tweet about his Black Hat talk. "There was no obvious, low-hanging fruit," he said, "at least not to me."


How to Get Past Security Barriers and Reach Cloud Nirvana

89% of companies have a multicloud strategy, and 48% of them use both public and private clouds. According to the "2021 SaaS Risk Report" from Varonis, 44% of cloud user privileges are misconfigured, and 43% of all cloud identities are unused and therefore exposed to threats. By reducing the size of your cloud footprint and putting new security controls in place, you can feel safe enough to reach cloud nirvana. In addition to, say, Microsoft 365, you probably also use Workday, Salesforce, ServiceNow, Atlassian, and possibly dozens of other applications to keep your business running. Before you can start working on SaaS security problems, you need to make sure you have accounted for all of them.

To keep the data and configurations safe, you need to set up security controls. 49% of apps are used by small businesses, while only 39% are used by large businesses. There is no standard way to protect SaaS. A DevSecOps structure brings security teams in at the start of the development process. This year, end users are expected to spend more than $176 billion, and next year they are expected to spend 18% more.


If you enjoyed reading this post or found it valuable, please consider subscribing and sharing this newsletter. I hope this small step can help many to keep well-updated on cybersecurity related issues.

Ferry Gersang

ITAM (IT Asset Management) Learning | Customer Engineer | Technical Support | CCTV, Linux Enthusiast | Engineer | Project Manager | Sales Manager

2 years ago

Thank you, Mr. Faisal Yahya, for the information
