Merlin Labs Memo -- Week of November 14-18


Supply Chain Attacks Impact Nearly All Global Organizations

An alarming 98% of global organizations suffered a supply chain breach in 2021, “with visibility into cyber risk getting harder as these ecosystems expand, according to BlueVoyant.” Supply chain risk is pervasive, it’s increasing, and it’s hugely under-addressed by most cybersecurity operations. Adding to the difficulty, organizations cited problems related to lack of awareness about the impact of third-party suppliers on cybersecurity posture, difficulty meeting regulatory requirements including third-party cybersecurity compliance, and trouble working to get third-party suppliers to improve their posture. – Via: Info Security

Our Take: From the recent SolarWinds breach to earlier high-profile incidents including Target, the Stuxnet worm, and the Eastern European ATM malware attack – supply chain vulnerabilities have paved the way for countless breaches impacting thousands if not millions of people. While managing supply chain risk can be tricky given the often organizationally and geographically disparate development and manufacturing elements that are pieced together to comprise hardware and software solutions – there is guidance to help tackle the problem. NIST, the National Institute of Standards and Technology, recently published an update to its foundational cybersecurity supply chain risk management guidance (NIST Special Publication 800-161r1) to help organizations manage risk related to the acquisition and use of technology products and services. The NIST guidance addresses portions of Executive Order 14028 (Improving the Nation’s Cybersecurity) as well. Finally, FedRAMP, the government’s program standardizing an approach to cybersecurity management for cloud products and services, is on the cusp of fully implementing Rev. 5, which includes new cloud security controls for supply chain management. Both NIST and FedRAMP are great places to start in understanding and taking actionable steps to fortify IT systems against the risks inherent in their supply chains. – Sarah Hensley, MS-SLP


URLScan is not at fault for the data leak; the configuration of the tools using it is

“Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs.”

"Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder Fabian Bräunlein said in a report published on November 2, 2022.

"With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user," Bräunlein noted. – Via: The Hacker News


Our Take: Open source intelligence tools are regularly used by cyber researchers for threat analysis and response activities. In URLScan’s case, we would leverage it to scan a URL automatically via submission from a proxy, email or SOAR solution. It responds with a rapid diagnosis of the threat and the features of the URL, and phishing and malicious URLs can then be rapidly blocked.

URLScan offers three different types of scans, and in this case the tools were incorrectly set to use the public API scan. The best practices clearly spell out the different types of scans and how they should be used. Simply put, the exposure of data is the result of a misconfiguration of the integration.

If your organization is using an external tool like this, what is submitted needs to be carefully filtered to only truly unknown URLs and needs to exclude any site that would include secrets or personal information as part of the submission. Now would be an excellent time to review how external tools are being leveraged and whether best practices are being followed.

Just in case, URLScan itself has published an excellent guide to correctly limiting submissions and is taking steps internally to prevent such mistakes from having adverse effects. – Jeremy Newberry
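One way to implement the filtering described in this take, as an added example that is not part of the memo or of urlscan.io's own tooling: a gate that refuses already-known or secret-bearing URLs before anything leaves the organization and never allows the public visibility setting. The domain allowlist and the sensitivity heuristics are constructed for illustration; the request body shape ("url" plus "visibility" of public, unlisted or private) follows urlscan.io's documented scan API.

```python
"""Pre-submission gate for an automated urlscan.io integration (added example)."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed: domains the organization already trusts (its own SaaS, mail,
# document shares). These are not "truly unknown" and must never be submitted.
KNOWN_DOMAINS = {"example.com", "sharepoint.example.com", "mail.example.com"}

# Constructed heuristics for links that typically carry secrets or personal
# data: password resets, team invites, invoices, signed or tokenised links.
SENSITIVE_PATH = re.compile(r"/(reset|invite|invoice|unsubscribe|verify)\b", re.I)
SENSITIVE_PARAMS = {"token", "sig", "signature", "key", "code", "email", "user", "invite"}
LONG_OPAQUE = re.compile(r"[A-Za-z0-9_\-]{24,}")  # long random segments look like tokens


def is_known(host: str) -> bool:
    """True if host is, or is a subdomain of, an already-trusted domain."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def looks_sensitive(url: str) -> bool:
    """Heuristic: does the URL itself embed a secret or personal data?"""
    parts = urlsplit(url)
    if SENSITIVE_PATH.search(parts.path):
        return True
    if SENSITIVE_PARAMS & {k.lower() for k in parse_qs(parts.query)}:
        return True
    return bool(LONG_OPAQUE.search(parts.path + parts.query + parts.fragment))


def build_submission(url: str, visibility: str = "unlisted") -> Optional[dict]:
    """Return the urlscan.io request body, or None if the URL must not leave the org.

    Only "unlisted" or "private" are accepted; a caller asking for "public"
    is exactly the misconfiguration described above, so it is refused outright.
    """
    if visibility not in ("unlisted", "private"):
        raise ValueError("automated submissions must not be public")
    host = (urlsplit(url).hostname or "").lower()
    if not host or is_known(host) or looks_sensitive(url):
        return None  # log and triage internally instead of submitting
    return {"url": url, "visibility": visibility}


if __name__ == "__main__":
    print(build_submission("https://login-portal.evil.test/"))
    print(build_submission("https://docs.example.com/share/abc"))
    print(build_submission("https://unknown.test/reset?token=abc123"))
```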

Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!
