Issue #23 | July, 2024
By Tenchi Security

Quality service requires quality security

Vendors can make a business more efficient by specializing in certain services or products and providing flexible solutions that solve problems before an organization grows enough to find that they need them. It’s a good thing—a great thing, even. But, as we know, with great power comes great responsibility.

Without security, what’s efficient for companies is just as efficient for attackers. This is one angle we can reflect upon when we look at the Snowflake incidents: Snowflake’s product may be so streamlined that it actually helped criminals quickly exfiltrate data from it.

New research from Google’s Mandiant adds weight to this concern, as they found that a threat actor group is looking at SaaS platforms and favoring data theft (instead of ransomware) for extortion. These two approaches are probably linked.

In other words, criminals are finding these cloud platforms very efficient for data theft. But are providers working to prevent their strengths from being leveraged against their customers?

As usual, Alice in Supply Chains is here to shed some light on the answer to this question with a collection of guidance, news, breaches, and regulations related to third-party cyber risk management (TPCRM).

Before we move on to our headlines, though, we want to let you know we have new content on our blog. One of our posts looks at the numbers from Verizon’s Data Breach Investigations Report (DBIR), and another has the insights we got from our very own survey on the state of TPCRM. We appreciate you checking them out.

And now, on to the news. Enjoy!


Snowflake mass-attacks linked to info-stealing malware

When we reported the Snowflake attacks last month, the coverage on the incident was still just starting. One month later, there is a lot more information available.

Google’s Mandiant released a thorough technical paper on how the attacks were carried out, along with guidance for affected organizations. According to their findings, the root cause of the breaches was stolen credentials:

Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment. Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.
These credentials were primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems. This allowed the threat actor to gain access to the affected customer accounts and led to the export of a significant volume of customer data from the respective Snowflake customer instances.

TechCrunch had already reported on the availability of stolen credentials. Some cybercriminals specialize in spreading stealer malware to gather credentials that can be later sold to other criminals who have found ways to monetize this information, and TechCrunch was able to confirm that Snowflake credentials were available.

While the breach did not take place in Snowflake’s infrastructure, they still made things a bit easier for the attackers by not mandating MFA. Since stealer malware runs on endpoints, it can copy sessions from browsers and from installed applications, bypassing MFA if no safeguards against session hijacking are in place (e.g. short session lifetime and restrictions based on behavior, geolocation, and so on). However, Mandiant noted that none of the accounts had MFA enabled, so this was probably not a factor.

It’s plausible that a threat actor found out MFA was not mandatory for Snowflake, bought some stolen credentials (which criminals often helpfully organize by URL/service), started trying their luck, and succeeded.
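The two controls mentioned above (a second factor at login, and sessions that expire quickly and stay bound to where they were issued) are easy to check for in login telemetry. The following is an added example written for this newsletter, not code from Snowflake, Mandiant or any vendor: it runs over a handful of constructed login records in an assumed export format (the field names `user`, `ts`, `ip`, `country` and `second_factor` are assumptions, not any product’s real schema) and flags password-only logins, users who appear from two countries within a short window, and presented session tokens that are too old or no longer match the client they were issued to.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample login records in an assumed export format. Field names are
# assumptions for this example, not a vendor's real schema.
LOGINS = [
    {"user": "alice", "ts": "2024-06-01T08:00:00Z", "ip": "203.0.113.10", "country": "BR", "second_factor": "TOTP"},
    {"user": "alice", "ts": "2024-06-01T09:30:00Z", "ip": "203.0.113.10", "country": "BR", "second_factor": "TOTP"},
    {"user": "bob",   "ts": "2024-06-01T10:00:00Z", "ip": "198.51.100.7", "country": "BR", "second_factor": None},
    {"user": "bob",   "ts": "2024-06-01T10:40:00Z", "ip": "192.0.2.55",   "country": "NL", "second_factor": None},
    {"user": "carol", "ts": "2024-06-01T11:00:00Z", "ip": "198.51.100.9", "country": "BR", "second_factor": None},
]

MAX_SESSION_AGE = timedelta(hours=4)   # assumed policy: a session token dies after 4 hours
TRAVEL_WINDOW = timedelta(hours=2)     # assumed policy: two countries within 2 hours is suspicious


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def logins_without_second_factor(logins):
    """Users with at least one successful login that relied on a password alone,
    which is exactly the situation stolen credentials exploit."""
    return sorted({r["user"] for r in logins if not r["second_factor"]})


def country_changes(logins, window=TRAVEL_WINDOW):
    """Users whose consecutive logins come from different countries within `window`:
    a credential or copied session being used from a second location."""
    by_user = defaultdict(list)
    for r in sorted(logins, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    flagged = []
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            gap = parse_ts(cur["ts"]) - parse_ts(prev["ts"])
            if prev["country"] != cur["country"] and gap <= window:
                flagged.append((user, prev["country"], cur["country"]))
    return flagged


def session_is_valid(session, request, now, max_age=MAX_SESSION_AGE):
    """Server-side check for a presented session token. Rejects tokens older than
    max_age, and tokens presented from a different country or client than the one
    they were issued to, so a cookie copied off an endpoint is worth less."""
    if now - parse_ts(session["issued_at"]) > max_age:
        return False, "expired"
    if request["country"] != session["country"]:
        return False, "country mismatch"
    if request["user_agent"] != session["user_agent"]:
        return False, "client mismatch"
    return True, "ok"


if __name__ == "__main__":
    print("password-only users:", logins_without_second_factor(LOGINS))
    print("country changes:", country_changes(LOGINS))
```

The client-fingerprint comparison is only a speed bump, since malware running on the victim’s machine can report the same user agent; the short lifetime and the requirement for a second factor are the checks that actually limit what a stolen session or password is worth.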

After Santander and Ticketmaster came forward confirming the hack, Wired had a conversation with the ShinyHunters threat group for an article (an earlier article had a bit more speculation), and more victims were identified (Pure Storage, Neiman Marcus, Advance Auto Parts, LendingTree). Google’s write-up states that the company notified 165 organizations for being “potentially exposed.”

Guidance for Snowflake users is available from CISA and Snowflake themselves. The threat-hunting guide from Google mentioned earlier is available here (PDF).

It’s worth remembering that third-party services can avoid some attention from cybercriminals by making sure all their customers follow good security practices. If you build a safe neighborhood, criminals know there will be no easy targets. Otherwise, they will at least be motivated enough to start looking for an opening and preparing automated tools to carry out a mass hack.


Evolve bank incident, supply-chain attack injects code into 100,000 websites: breaches round-up

A huge data leak at Evolve Bank is expected to have consequences for several companies that rely on their services:

Now, the bank has been hit in what may be one of the widest-reaching public data breaches in US history.
Given the sheer amount of data leaked, reportedly as much as 33 terabytes, it will take some time to determine exactly how bad the situation is. For context, 33 terabytes is the equivalent of about 2.8 billion pages of text — though even the true size is uncertain, as the leak may contain duplicate or compressed files.

Some companies have already come forward to let their customers know that their data might be impacted (Wise, Affirm, Mercury). TechCrunch published an article about the fallout. The hack itself was carried out by ransomware group LockBit, who initially stated they had stolen data from the Federal Reserve, which was untrue.

Meanwhile, researchers at Sansec published a write-up on a supply-chain attack where Polyfill.io, a CDN for the polyfill.js JavaScript library, was injecting malicious code that redirects users to malicious websites. Sansec estimated that over 100,000 websites loaded this library from polyfill.io.

The malware was already being reported on the project’s GitHub, but the company that operates the domain and the repository reportedly deleted any mentions of the issue, leading many to believe that the injection was intentional. A Chinese company took ownership of the domain name and the repository in February.

Fearing that this code would never be fully removed, Cloudflare decided to replace the library URL on the websites they serve (that is, for their customers) to point to a mirror hosted by them, while Google started blocking Google Ads for pages that use the service to compel website administrators to load the library from elsewhere.

The Polyfill team denied any wrongdoing or attack, which could mean it truly is intentional… or they don’t understand what’s happening, as this is unlikely to be an episode of mass hallucination. In any case, while buying a CDN isn’t an everyday occurrence, it has been known for at least a decade that malicious actors buy apps or browser extensions to push malicious code through updates. Chinese infrastructure has also been known to inject code without the website owner’s knowledge for just as long. Additional coverage is available from The Hacker News.
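A site owner can find this class of exposure before a CDN turns on them by inventorying every third-party script a page loads and checking whether it is pinned with Subresource Integrity. The script below is an added example for this newsletter, not code from Sansec, Cloudflare or the Polyfill project: it parses a constructed HTML page, flags scripts served from a host on a block list (`polyfill.io` is the only entry, taken from the report above; the URL path in the sample is constructed), flags third-party scripts that carry no `integrity` attribute, and computes and verifies the `sha384-` value you would pin for a script body you have reviewed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to have served injected code. Only polyfill.io comes from the report
# discussed above; a real deployment would feed this from its own threat intel.
KNOWN_BAD_HOSTS = {"polyfill.io"}

# Constructed sample page; the script paths and the integrity value are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/other.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that has a src."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def _is_bad_host(host):
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


def audit_scripts(html, own_host):
    """Return (src, finding) pairs: scripts from a known-bad host, and third-party
    scripts without SRI, where a CDN compromise silently changes what the browser runs."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for a in collector.scripts:
        host = urlparse(a["src"]).hostname or own_host  # relative src is first-party
        if _is_bad_host(host):
            findings.append((a["src"], "known-bad host"))
        elif host != own_host and "integrity" not in a:
            findings.append((a["src"], "third-party script without integrity attribute"))
    return findings


def sri_hash(body: bytes) -> str:
    """The integrity attribute value for a script body you have reviewed and want to pin."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def verify_sri(body: bytes, integrity: str) -> bool:
    """What the browser does: the fetched body must hash to the pinned value."""
    return sri_hash(body) == integrity


if __name__ == "__main__":
    for src, finding in audit_scripts(SAMPLE_HTML, "www.example.com"):
        print(f"{finding}: {src}")
```

One caveat a practitioner will hit immediately: SRI only works when the served file is byte-for-byte stable, and polyfill.io tailored its bundle to each requesting browser, so a fixed hash could never have been pinned for it. For that kind of service the remedy is the one Cloudflare applied, serving a copy you control, and the audit above simply tells you which scripts you have not yet brought under control.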

Another supply-chain incident hit websites running WordPress, as several plugins were found to contain malicious code that attempts to create new admin users.

Sav-Rx is notifying 2.8 million people in the United States about a data breach from last year. The company acts as a third party for managing prescriptions for health plans, which means that many people who are being notified have never heard of them. The company published an FAQ on their website, which answers this exact question: “Why was this information stored on these computers? Why does Sav-Rx have my data? Who is Sav-Rx?” Additional coverage is available from The Record.

In London, a ransomware attack hit Synnovis, a provider of diagnostic services, disrupting operations at several hospitals.

CDK, a major SaaS provider for car dealers, suffered two security incidents in a row, causing a prolonged outage that disrupted many dealerships. News reports say the company took weeks to restore access to all 15,000 dealerships that use their services and is facing multiple lawsuits as a result.

Cryptocurrency data aggregator CoinGecko disclosed a third-party incident stemming from GetResponse, their email marketing platform. Attackers managed to obtain credentials from a GetResponse employee and download data on nearly 2 million contacts. GetResponse published a cryptic blog post about the incident, suggesting that they too were targeted by vulnerabilities in “third-party software vendors,” but it’s not possible to know what they mean by that – did they forget a patch, or was it a platform issue?

As a side note, GetResponse’s blog covers everything from how to make money with AI to cool templates for your email marketing, so finding information about this isn’t straightforward. Even searching for “security” in their blog will turn up “How to become a spiritual coach in 6 steps” before a more interesting post about the company’s approach to the GDPR. Do you know where and how your third parties communicate their security incidents, and are you happy with their approach? Would your customers be happy to deal with them in a breach notification scenario, or are you willing to step up and do things in their stead?

A malfunction at Comtech, a vendor for 911 services, caused a statewide outage in the calling system in Massachusetts. According to the state, “the exact reason the firewall stopped calls from reaching dispatch centers remains under review.” Thankfully, the outage only lasted for two hours, and state authorities believe no emergencies were impacted.

Progress Software disclosed a new vulnerability in MOVEit Transfer, and it was quickly exploited. If we don’t get a repeat of last year, we can be hopeful that many organizations have learned something. Meanwhile, TeamViewer, another common software package in enterprise environments, disclosed a hack that compromised its corporate environment.

HubSpot disclosed an incident involving unauthorized access to less than 50 accounts. They don’t specify whether this was a credential issue (as with Snowflake) or something else. Nevertheless, it’s possible that the attackers built a tool to automate these attempts, triggering their security systems. HubSpot is a popular CRM and marketing platform, so a breach at their service would impact thousands of companies worldwide and might lead to the leaking of data on their customers.

Finally, a short follow-up for the MediSecure incident we reported previously: the company is now in administration, which – as we understand – is the Australian equivalent to Chapter 11 from the U.S. bankruptcy code. From the reporting, the cyber incident seems to be a core concern of the process.


Microsoft: “We accept responsibility for each and every finding in the CSRB report”

As was expected, Microsoft President Brad Smith testified before a House panel on homeland security. He was there to answer questions regarding the intrusions the company suffered, especially the incident involving Chinese hackers that motivated an investigation by the Cyber Safety Review Board (CSRB). The questions, however, touched on several other related subjects, including Microsoft’s presence in China:

“We accept responsibility for each and every finding in the CSRB report,” Smith said in his opening statement, adding that the company had already begun working on a majority of the report’s recommendations. […]
Lawmakers also probed Smith for details on Microsoft’s business and presence in China. […] Smith said around 1.5% of the company’s revenue came from China, and that it was working on reducing its engineering presence there.

The full video of the hearing is available here from C-SPAN.

ProPublica’s reporting on the hearing focuses on Smith’s reactions to questions drawing from their reporting on the “Golden SAML.” In that piece, Andrew Harris reveals his experience trying to improve the way Azure handles authorizations from ADFS from within Microsoft — only to find that most of the company didn’t think much of the weakness he had discovered. ProPublica has a follow-up with more information.

Smith avoided answering any questions about this story, saying that the information was too recent. ProPublica notes, however, that they had contacted Microsoft weeks before publication.

Microsoft is also letting customers know if their emails were accessed by Russian hackers that breached their systems (the “other” intrusion). Some analysis and screenshots of the notification (and of confused social media posts made by people who received it) can be found here from Graham Cluley.

To end this section, we have a couple of news items related to Recall and Windows features. First, Recall was added to the Nessus vulnerability scanner, and Adrianna Pińska made some insightful commentary based around the systemic risk introduced by Recall: even if you disable it, your data could still be at risk when others use it.

While that’s a problem for another day (since Recall’s launch was delayed), Neowin reports that Microsoft is making OneDrive backups opt-out. Unlike the standard OneDrive folder, OneDrive “backup” is a confusing feature that syncs core Windows folders (such as Documents and Desktop) and can cause several unintended consequences. While Neowin’s report could be inaccurate – being sourced from Reddit posts, as far as we can tell – it’s true that Microsoft has made this feature more difficult to disable.

Adrianna’s reasoning also applies here: your data may unintentionally end up in the cloud if you share it with someone who recently reinstalled Windows and hasn’t yet realized all their “local” folders are no longer local. As a reminder, you probably won’t get to call Brad Smith to ask questions if your data gets hacked.


Department of Energy releases a set of principles for supply chain cybersecurity

In another government move that shows a growing concern over the security of the cyber supply chain, the U.S. Department of Energy released a “set of principles” on the subject:

Developed for manufacturers and end users alike, the principles create a framework to strengthen key technologies used to manage and operate electricity, oil, and natural gas systems around the world. Several prominent suppliers and manufacturers serving the energy sector have expressed support for the principles, including GE Vernova, Schneider Electric, Hitachi Energy, Schweitzer Engineering Laboratories, Rockwell Automation, Siemens, Siemens Energy, and Honeywell.

Some of the companies mentioned here are not based in the United States. Indeed, the White House statement explains that this is a global initiative, as “President Biden and G7 leaders committed to taking critical action to strengthen the cybersecurity of the global supply chain of key [energy] technologies.” The principles are outlined in a short 3-page PDF.

In somewhat related news, CNN has a story about how water systems are getting hacked.

More market restrictions for Chinese and Russian products are coming. The Select Committee on the Chinese Communist Party in the House of Representatives is set to look into the risks of Chinese market dominance in IoT and LiDAR. Meanwhile, the Commerce Department has banned Russian anti-virus maker Kaspersky, a move that could prevent users from receiving malware signatures if they don’t switch to another vendor by September.

It’s worth mentioning that the U.S. government is arguing that Russia has transitioned into a “full war economy” to justify over 300 new sanctions. Russia is doing the same (Russian link) to the U.S. and other “unfriendly” nations.

The Dutch Military Intelligence and Security Service (MIVD) released a report claiming Chinese hackers exploited a flaw in Fortinet VPNs two months before the vendor disclosed the problem. The MIVD says the vulnerability was used to compromise devices belonging to Western governments and large organizations.

A further complication here is that, according to Ars Technica, Fortinet failed to disclose the flaw immediately after patching it (we talked about the pros and cons of silent patching in May). This raises the question of what governments will do when they get hacked due to vulnerabilities that vendors hid from them.

Our last story here comes from Malaysia, where the government is amending existing legislation to include breach notification requirements.


Guidance: ‘what to learn from 2023’s most notable cybersecurity breaches’

“Third parties are still your weakest link”, according to a new Forrester article, “What We Can Learn From 2023’s Most Notable Breaches:”

Third-party vulnerabilities have an outsized impact on four of the seven industries, with larger enterprises more affected by third-party vulnerabilities than smaller, midsized firms. While this may seem counterintuitive, larger enterprises have larger third-party ecosystems, meaning they have a larger set of suppliers that could offer an entry point. Attackers have favored exploiting weaknesses in suppliers with access to large organizations, over attacking them directly due to the weaker security practices seen in many of these suppliers.

Compliance Week has more guidance in their takeaways from the Third-Party Risk Management & Oversight Summit. It’s not exclusively about cyber risk, but there are many interesting opinions from people in a variety of industries.

Sophos shared their experience fighting incidents of Microsoft Remote Desktop Web Access abuse. Again, lack of MFA is a common weakness.

At GovInfoSecurity, an article (with a video) argues that Third-Party Oversight Is Needed to Stop Systemic Risk. It quotes legal expert Jonathan Armstrong and recommends that CISOs educate their company’s board regarding systemic risk, since many company boards cannot supervise technical concerns.


New attack technique targets machine learning models

The Hacker News reports on “Sleepy Pickle,” a technique that could allow a payload to be injected into machine learning models to create a backdoor or some other undesirable behavior. This means that certain AI models might have to be treated as potentially dangerous, just like standard code.

Sleepy Pickle works by inserting a payload into a pickle file using open-source tools like Fickling, and then delivering it to a target host by using one of four techniques: an adversary-in-the-middle (AitM) attack, phishing, supply chain compromise, or the exploitation of a system weakness.

The malicious behavior could be made to be quite difficult to detect, which is perhaps a bigger problem than an obvious backdoor – especially when people already expect AI models to “hallucinate” from time to time. The original research is available here.
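The reason a pickle can carry a payload at all is that the format includes opcodes that import and call arbitrary Python callables while the file is being loaded, so “treat the model like code” in practice means gating on those opcodes before `pickle.load` ever runs. The following is an added example for this newsletter, not code from the Sleepy Pickle research, from Fickling, or from any model framework: it statically lists the globals a pickle references using the standard library’s `pickletools` (no code is executed during the scan), and it loads a pickle through an unpickler that only resolves globals on an explicit allowlist, the restriction mechanism the Python documentation describes. The two sample pickles are constructed inline; the one that references `builtins.len` stands in for any model file that imports a callable.

```python
import io
import pickle
import pickletools

# Opcodes that import a callable or run one while the pickle is loaded. A pure-data
# pickle (dicts, lists, numbers, strings, bytes) uses none of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

# Constructed samples: plain weights-like data, and a pickle that imports a global.
PLAIN_MODEL = pickle.dumps({"weights": [0.1, 0.2], "name": "m"})
IMPORTING_PICKLE = pickle.dumps(len, protocol=4)  # references builtins.len via STACK_GLOBAL


def scan_pickle(data: bytes):
    """Statically list the (module, name) globals a pickle references and the
    code-running opcodes it uses. Nothing in the pickle is executed."""
    referenced = []
    opcodes = []
    recent_strings = []  # STACK_GLOBAL takes module and name from the two strings pushed before it
    for op, arg, _pos in pickletools.genops(data):
        if op.name in CODE_OPCODES:
            opcodes.append(op.name)
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)   # pickletools renders the pair as "module name"
            referenced.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            referenced.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return referenced, opcodes


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on an explicit allowlist, so a
    payload that needs os.system, subprocess or similar cannot be resolved."""
    def __init__(self, file, allowlist):
        super().__init__(file)
        self.allowlist = allowlist

    def find_class(self, module, name):
        if (module, name) not in self.allowlist:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def load_allowlisted(data: bytes, allowlist):
    """Load a pickle, raising UnpicklingError on the first global outside the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data), allowlist).load()


def is_loadable(data: bytes, allowlist) -> bool:
    """True if the pickle loads under the allowlist, False if a global was blocked."""
    try:
        load_allowlisted(data, allowlist)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_MODEL), ("importing", IMPORTING_PICKLE)):
        globals_seen, ops = scan_pickle(blob)
        print(f"{label}: globals={globals_seen} opcodes={ops}")
```

A real model file legitimately references its framework’s reconstruction helpers, so the workflow is to run `scan_pickle` on a trusted copy, put exactly those globals on the allowlist, and then load every later copy through `load_allowlisted`; anything that needs a global outside that list is exactly the kind of addition the research above describes, however subtle its behaviour once loaded.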

In yet another link to work from Mandiant, their research on a group they call UNC3944 is worth a look. This gang is probably related to “Scattered Spider,” or “the Com” (the people who hacked Las Vegas casinos last year), but Mandiant says that they have moved away from ransomware to focus on data theft for extortion.

More importantly, though, Mandiant notes they’re pivoting their access to SaaS applications using specialized tools, and the Golden SAML attack via ADFS that was the subject of ProPublica’s article. Vendors that don’t use SaaS securely could quickly find most of their (and their clients’) cloud data being enumerated and possibly stolen. As Mandiant explains, many companies don’t log or monitor this activity, even if equivalent on-premises data access would have the appropriate logging.

And that’s a wrap… except for one bonus link that may be especially interesting for our Brazilian readers.

See you next month!


Insights on Cyber Threats Targeting Users and Enterprises in Brazil

This blog post brings together Google’s collective understanding of the Brazilian threat landscape, combining insights from Google’s Threat Analysis Group (TAG) and Mandiant’s frontline intelligence. As Brazil’s economic and geopolitical role in global affairs continues to rise, threat actors from an array of motivations will further seek opportunities to exploit the digital infrastructure that Brazilians rely upon across all aspects of society. By sharing our global perspective, we hope to enable greater resiliency in mitigating these threats.

