Merlin Labs Memo -- Week of February 13-17
Merlin Cyber
Merlin is your trusted source for best-in-class and innovative and emerging cyber solutions for the U.S. public sector.
SolarWinds, Two Years Later
In Dec. 2020, we learned of long-term breaches at SolarWinds that forced everyone in IT to confront the harsh reality of supply-chain security issues. Gartner projects that by 2025, 45% of organizations globally will have been hit with a software supply-chain attack. For attackers, finding a software firm with a broad market base and lax security culture means finding an easily opened door into customers’ enterprises.
GitHub, PyPl, and CircleCI have each taken turns at being targets of supply-chain attacks. They show that not only is there a risk of a final product being compromised, but the tools themselves being used to build apps can be compromised.?
Our Take: While we have tools coming forward to deal with supply-chain risks such as Finite State and Aqua Security, and the launch of Open Software Supply Chain Attack Reference (OSC&R), and even a new CISA office for working with public and private sectors to improve supply chain security, we continue to have an Achilles’ Heel in the way software is made in the USA: profits.
I used to teach Economics, and I taught that a failure of a free market to provide a solution is called “market failure.” While neo-classic economists would fume and rage that there were no such things, the reality is that we’ve seen firms pollute, make dangerous product claims, and ignore worker safety concerns in the name of making profits. The market does not provide any incentive for a software product to be safe or secure. In fact, if safety and security slow down transaction speeds, then those elements are questioned and downplayed.?
We deal with market failures through regulation. I’ve seen the insides of banks and pharma companies that are obsessed with maintaining their regulatory compliance. We need similar regulatory frameworks for software as we currently have for other classes of products. This is a matter of national security, and we can’t keep putting the burden on IT admins to keep track of 40,000-plus software products in the market, all with their own unique set of dependencies.
If the regulatory requirements start with government purchasing requirements, the private sector will follow suit, one way or another. Government markets are too important to ignore, and that’s where security and safety can be made stronger. – Dean Webb
More reading:?
User Data Exposed in Money Lover Financial App
According to a Trustwave security researcher and app user, a finance app named Money Lover “has been found leaking user transactions and their associated metadata, including wallet names and email addresses.” The Money Lover app is readily available for download from Google Play, Microsoft Store, and the Apple App Store, with versions available for Android, Windows and iOS. It is important to point out that while a vulnerability was discovered, there is not yet any evidence that bank account or credit card information was leaked. This is a textbook case of inappropriately/inadequately configured access controls and permissions where an “authorized” user had access to far more data than was appropriate. Because the app is a financial app, the reputational damage of this type of exposed vulnerability could be significant. According to the article, this type of vulnerability is very common, with broken access controls. In fact, in its 2021 iteration, the Open Web Application Security Project (WASP) listed broken access controls as the No. 1 most common vulnerability. To its credit, Money Lover patched this vulnerability as of Jan. 27 – so users of the app should make sure they are using the latest version. –?Via Dark Reading
Our Take: At first glance, the leaking of wallet names and email addresses may not seem all that serious. Here’s the problem with that thinking – hackers are notoriously dedicated and creative in how they leverage lesser system information to ultimately gain access to far more sensitive (and valuable) system information. Exposing information like email addresses and wallet names opens the door to targeted phishing campaigns. Out of curiosity, I looked up some information on phishing. According to Mimecast (in one of many studies done by multiple organizations), nearly “65% of cybercriminals have leveraged spear phishing emails as their primary attack vector. In 2021, almost 40% of breaches featured phishing.” So, there you have it. Since a chain is only as strong as its weakest link, now’s the time for application developers and system owners to start paying attention to the basic tenets of zero trust architectures by shoring up access control shortcomings and ensuring that principles of least privilege are employed and maintained. There is no reason to make it easy for the adversaries. – Sarah Hensley
领英推荐
Additional Reading:
ESXi Remains a Top Target After New ESXiARGs Adds New Encryption Post-CISA update
ESXi is under increasing pressure from the hacker community as more than 5,000 servers have been reported to be compromised and likely thousands more have not been reported.
“The first?wave of attacks?started on Feb. 3 and nearly 2,000 servers were compromised within 24 hours, according to Patrice Auffret, founder, CTO and CEO of the France-based cybersecurity firm Onyphe.
“A ransomware variant dubbed ESXiArgs appears to be targeting end of general support or significantly out of date products by leveraging known vulnerabilities previously addressed and disclosed in VMware security advisories,” a VMware spokesperson said at the time.” – Via CyberSecurityDive
Our Take: VMware ESXi is a beautiful technology that laid the groundwork for the modern cloud infrastructure and continues to be the bedrock of the IT infrastructure. Over the years, VMware has continued to update and improve the hyper-visor and with it the hardware support for newer server architectures. However, in that same march to the future, VMware has imposed end-of-life sentences on the same hardware that is often still within its 5-plus year lifespan. This puts organizations in the position to make the choice to run older versions of the servers until the upgrade cycle, leaving the server infrastructure susceptible to the myriad of vulnerabilities that are being discovered and actively exploited by hackers. The response from VMware includes “run Supported Version” and it is not really new, so we don’t need an advisory.
At the same time, we cannot just heap blame on VMware. Ideally, the older ESXi servers would be moved to more protected areas on their way to be deprecated as organizations move to the newer 7.x platform if their hardware, operations, and support contracts allow it. This becomes a balancing act between risk assessment, IT hygiene, and supply chain costs. Unfortunately, it can clearly be seen by the thousands of infected and vulnerable servers that supply chain and cost won over risk and hygiene. Some of the latest reports show nearly 60% of all bare metal servers are running 6.x and, if unpatched, are directly vulnerable. Mitigation strategies are below, along with more reading. Good Luck. – Jeremy Newberry
Additional Reading:
Readers of our Newsletter:?What’s working, what’s not, and what’s on your mind? Leave a comment below or email?[email protected]. Thank you!??