CISO Daily Update - March 13, 2024
NEW DEVELOPMENTS
JetBrains Is Still Mad at Rapid7 for the Ransomware Attacks on Its Customers
Source: The Register
Rapid7 and JetBrains' disagreement over the handling of vulnerability disclosures has developed into a public feud, amplifying the cybersecurity community's divergent views on responsible disclosure. Rapid7 published detailed information on vulnerabilities in JetBrains' TeamCity platform shortly after patches were released, sparking backlash from JetBrains, which accused Rapid7 of enabling ransomware attacks against its customers. The conflict underscores the need for open communication and collaboration between security researchers and software vendors so that the window for exploitation is reduced while customers remain protected.
US, Russia Accuse Each Other of Potential Election Cyberattacks
Source: Security Week
The US and Russia are accusing one another of planning cyberattacks intended to sabotage their upcoming presidential elections. Additionally, China and Russia are cited in an Office of the Director of National Intelligence report as major risks to US national interests. China is especially active in cyber operations and may be trying to influence the 2024 US elections. Russia is seen forging new alliances and conducting influence operations, such as attempting to cause division among US voters. Without offering any proof, Russia's Foreign Intelligence Service warns against foreign meddling and claims that the US intends to interfere in Russia's next elections. Despite these claims, Vladimir Putin is anticipated to win the Russian presidential election.
R00TK1T Hacker Group Issues Warning to Nestle in Dark Web Post
Source: The Cyber Express
The notorious R00TK1T hacker group has issued a warning on the dark web to Nestle, a global food and beverage corporation. While lacking specific details, the announcement emphasizes the group's determination to disrupt Nestle's cybersecurity defenses using its arsenal of cyber weaponry. R00TK1T, known for covert cyber-operations, has a history of targeting financial institutions, governments, and corporations, utilizing various techniques to execute undetected attacks. Despite minimal evidence, they've allegedly compromised databases and sensitive information in previous high-profile attacks.
Over 12 Million Auth Secrets and Keys Leaked on GitHub in 2023
Source: Bleeping Computer
In 2023, over 12.8 million authentication and sensitive secrets were inadvertently exposed on GitHub across more than 3 million public repositories. Despite 1.8 million alerts sent to repository owners, only a small fraction of users took immediate corrective action. These exposed secrets included passwords, API keys, TLS/SSL certificates, and other sensitive data. The leakiest countries were India, the United States, Brazil, China, and France, while IT and education sectors were the most affected. Top leaked secrets included Google API and Cloud keys, MongoDB credentials, and OpenAI API keys, with a significant increase in OpenAI key leaks compared to the previous year. While “push protection” has been enabled by default on GitHub to prevent accidental exposure, better security measures are still needed to address the ongoing challenge of secret leaks.
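As an added illustration (not GitHub's own push-protection or secret-scanning code), a minimal pre-commit style scanner in Python for three of the secret families named above: Google API keys, OpenAI API keys and MongoDB connection strings with embedded credentials. The regexes are simplified assumptions rather than the vendors' official formats, and the sample diff contains constructed dummy values.

```python
import re

# Simplified, assumed patterns for the secret families the report names.
# They are illustrative, not the vendors' authoritative key formats.
SECRET_PATTERNS = {
    # Google API keys: "AIza" followed by 35 URL-safe characters.
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    # OpenAI keys start with "sk-"; the tail format varies, so match loosely.
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"),
    # MongoDB URIs that carry a user:password pair before the host.
    "mongodb_credentials": re.compile(
        r"mongodb(?:\+srv)?://[^:/\s@]+:[^@\s]+@[^\s'\"]+"
    ),
}


def redact(secret, keep=4):
    """Keep a short prefix only, so findings can be logged without re-leaking."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, redacted_match) for every hit in text.
    Intended to run over the staged diff; a non-empty result blocks the push."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((path, line_no, kind, redact(match.group(0))))
    return findings


# Constructed sample diff with dummy (non-functional) secrets.
SAMPLE_DIFF = """\
+GOOGLE_MAPS_KEY = "AIzaSyA1234567890abcdefghijklmnopqrstuv"
+OPENAI_API_KEY = "sk-abcdefghijklmnopqrstuvwxyz0123456789"
+MONGO_URI = "mongodb+srv://appuser:S3cretPassw0rd@cluster0.example.net/db"
+SAFE_SETTING = "nothing to see here"
"""

if __name__ == "__main__":
    for path, line_no, kind, shown in scan_text(SAMPLE_DIFF, "settings.py"):
        print(f"{path}:{line_no}: {kind}: {shown}")
```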
Stanford Says Data From 27,000 People Leaked in September Ransomware Attack
Source: The Record
Stanford University disclosed that over 27,000 individuals' personal information was compromised in a ransomware attack by the Akira gang, which infiltrated the Department of Public Safety's network from May to September 2023. The breach, only recently disclosed to victims, exposed sensitive data including social security numbers, government IDs, and health information. While law enforcement continues investigations, the university plans to provide affected individuals with two years of free identity protection services. This incident marks Stanford's second encounter with ransomware, following a 2021 breach involving the Clop gang targeting Stanford Medicine's data through a software vulnerability.
Three-Quarters of Cyber Incident Victims Are Small Businesses
Source: Infosecurity Magazine
Small businesses bore the brunt of cyber incidents in 2023, with over three-quarters of reported incidents affecting them. Ransomware had a significant impact, particularly orchestrated by groups like LockBit, Akira, BlackCat, and Play. Additionally, evolving tactics such as remote encryption and targeting macOS and Linux systems indicate a growing sophistication among ransomware operators. Data theft emerged as a primary focus for attacks on small and medium businesses (SMBs), with over 90% of incidents involving some form of data or credential theft. Malware targeting data theft, including password stealers and keyloggers, was also prevalent. Social engineering attacks, such as business email compromise (BEC), also evolved with attackers adopting more sophisticated tactics to evade detection and maximize success rates.
Watch Out: These PyPI Python Packages Can Drain Your Crypto Wallets
Source: The Hacker News
Threat hunters have uncovered seven malicious Python packages on PyPI aimed at stealing BIP39 mnemonic phrases for cryptocurrency wallets. Dubbed BIPClip, the campaign has been active since at least December 2022 and has amassed thousands of downloads before removal. The packages, disguised as legitimate tools, exfiltrate sensitive data to actor-controlled servers. They aim to avoid detection with carefully crafted names and functions. This finding highlights the need for heightened vigilance in open-source repositories and the risks associated with abandoned projects, which threat actors can exploit to orchestrate large-scale supply chain attacks.
VULNERABILITIES TO WATCH
ChatGPT-Next-Web SSRF Flaw Let Attackers Gain Unauthorized Access
Source: Cyber Security News
The NextChat application, also known as ChatGPT-Next-Web, is a popular open-source chatbot application deployed globally. It contains a critical server-side request forgery (SSRF) vulnerability, designated CVE-2023-49785, with a severity score of 9.1 (Critical). The vulnerability, found at the /api/cors endpoint, allows unauthenticated users to send arbitrary HTTP requests through the server, potentially reaching cross-domain resources and internal HTTP services. Exploitation can lead to AWS cloud metadata leakage and reflected cross-site scripting (XSS). No patch is currently available, so organizations are advised not to expose the application to the internet, or to isolate it from other internal resources if internet exposure is unavoidable.
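As an added illustration of the isolation advice above (example code, not part of NextChat), a Python destination check that a forwarding endpoint such as /api/cors could apply before issuing a server-side request. It rejects loopback, private, link-local and other non-public targets, which covers the AWS metadata address 169.254.169.254. The resolve argument is a hypothetical hook so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Assumed helper: all A/AAAA addresses a hostname resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_destination(url, resolve=_default_resolver):
    """Return (ok, reason). ok is True only when every address behind the
    host is a globally routable unicast address. The caller should connect
    to the validated address itself (pinning) so a DNS rebind between this
    check and the request cannot redirect it to an internal host."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in url"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 target
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so IPv4 ranges are judged as IPv4.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        # is_global is False for private, loopback, link-local (169.254/16,
        # i.e. the cloud metadata service), CGNAT, reserved and unspecified.
        if not addr.is_global or addr.is_multicast:
            return False, f"{addr} is not a public unicast address"
    return True, "ok"
```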
Adobe Patches Critical Flaws in Enterprise Products
Source: Security Week
Adobe has released significant security updates to address critical vulnerabilities in several enterprise-facing products. The updates cover code execution flaws in Adobe ColdFusion, Adobe Premiere Pro, Adobe Bridge, and Adobe Lightroom, among others. Notably, Adobe Experience Manager received a mega-update addressing at least 46 vulnerabilities exposing users to arbitrary code execution and security feature bypass. Urgent attention is advised for a critical bug in Adobe ColdFusion capable of leading to arbitrary file system read. Adobe Premiere Pro, Adobe Bridge, Adobe Lightroom, and Adobe Animate also received updates to fix various code execution and memory leak issues. While no exploits in the wild have been reported, users are urged to apply the patches promptly.
SAP Patches Critical Command Injection Vulnerabilities
Source: Security Week
SAP has issued a series of security patches to address critical vulnerabilities in its enterprise software, including command injection flaws and improper authentication issues. The most severe vulnerabilities include command injection flaws in the Business Client's Chromium browser and the Build Apps application and a code injection flaw in the Administrator Log Viewer plugin of NetWeaver AS Java. These vulnerabilities could allow attackers to execute unauthorized commands, access sensitive information, and cause system disruptions. SAP also patched a denial-of-service bug in HANA XS Classic and HANA XS Advanced and a path traversal issue in the central management console of the BusinessObjects Business Intelligence Platform. Additionally, medium-severity vulnerabilities were addressed in NetWeaver, Fiori Front End Server, and ABAP Platform. SAP has urged customers to apply the patches promptly to mitigate the risk of exploitation by threat actors.
Study Reveals Top Vulnerabilities in Corporate Web Applications
Source: Infosecurity Magazine
A study by Kaspersky Security Assessment experts revealed prevalent vulnerabilities in corporate web applications developed in-house. The vulnerabilities, spanning access control, data protection, and weak user passwords, pose significant risks to organizations, potentially leading to unauthorized access and data breaches. To mitigate these risks, the study emphasizes the importance of implementing secure software development practices, conducting regular security assessments, and deploying monitoring mechanisms to promptly detect and respond to threats.
March 2024 Patch Tuesday: Microsoft Fixes Critical Bugs in Windows Hyper-V
Source: Help Net Security
Microsoft's March 2024 Patch Tuesday addresses 59 vulnerabilities, with none currently known to be publicly exploited. Notable fixes include critical vulnerabilities in Windows Hyper-V, a remote code execution (RCE) flaw in Microsoft Exchange Server, and an elevation of privilege vulnerability affecting Azure Kubernetes Service (AKS) Confidential Containers. Experts highlight the importance of patching critical flaws promptly to prevent potential exploitation by threat actors.
SPECIAL REPORTS
The CISO Role Is Changing. Can CISOs Themselves Keep Up?
Source: Darkreading
A panel of CISOs and VPs highlighted the importance of soft skills such as communication in addition to technical expertise. Communication and security awareness failures, as seen in incidents like SolarWinds, can lead to significant security breaches. Digital transformation has broadened the corporate attack surface, forcing CISOs out of their silos and into more collaborative roles within organizations. As IT becomes increasingly integrated into business operations, CISOs must advise the board on business decisions and work closely with developers, salespeople, and customers. Effective communication with employees is crucial for fostering a strong security culture. Merely spreading awareness may not be sufficient; CISOs must establish healthy relationships with employees and make security measures as transparent and easy to use as possible. Alternative incentives, such as impacting bonus pools based on security culture metrics, can also be effective. Educating board members on cybersecurity implications in strategic decisions is crucial for protecting the organization from threats. Providing real-world examples of breaches and their financial impact can help drive home the importance of cybersecurity to other executives.
4 Security Tips From PCI DSS 4.0 Anyone Can Use
Source: Darkreading
PCI DSS 4.0 introduces key security requirements that are relevant beyond credit card protection and emphasizes the need for proactive security measures. Security professionals can draw valuable insights from these updates to enhance their security posture. The new requirements address malicious scripts, network security controls, secure software development, and logging mechanisms. Implementing these measures ensures compliance and strengthens overall cybersecurity programs.