Cyber Bakery Chronicles

Your Weekly Cybersecurity Update (27 September 2024)

  • CISA and FBI Urge Software Makers to Eliminate Cross-Site Scripting Vulnerabilities
  • Paying Ransomware Doesn't Guarantee File Recovery, Even With Decryptor
  • US Dismantles Chinese Government-Linked Botnet Targeting Hundreds of Thousands of Devices
  • Clever 'GitHub Scanner' Campaign Abusing Repos to Push Malware
  • Australian Government Suffers Surge in Cyber Attacks, Social Engineering Most Common Tactic

CISA and FBI Urge Software Makers to Eliminate Cross-Site Scripting Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert urging software manufacturers to prioritize eliminating cross-site scripting (XSS) vulnerabilities in their products. XSS vulnerabilities are a common and preventable security flaw that attackers exploit to steal or manipulate data.

Why This Matters:

  • XSS vulnerabilities are ranked second on MITRE's 2022 list of most dangerous software flaws.
  • These vulnerabilities are found in roughly two-thirds of web applications, according to OWASP.
  • Attackers can use XSS to steal data, redirect users to malicious websites, or inject malware.

What CISA and FBI Recommend:

  • Software manufacturers should:
    • Review documented threat models.
    • Ensure software validates user input for both structure and meaning.
    • Use modern web frameworks that automatically handle user input escaping.
    • Conduct thorough code reviews and implement adversarial testing.
    • Develop a strategic plan to eliminate XSS vulnerabilities entirely.
  • Senior executives should:
    • Take accountability for customer security.
    • Regularly test software for vulnerabilities.
    • Consider adopting the Secure by Design principles outlined in the joint guidance.
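
The two controls the recommendations name, validating input for structure and meaning and escaping at the HTML output boundary, shown as a vulnerable renderer beside a hardened one. This is an added example, not code from the CISA/FBI alert or any product; all function names and sample inputs are constructed.

```javascript
// Added illustration of the recommendations above; not from the alert itself.
// All names and sample inputs here are constructed for this example.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Escape untrusted text for an HTML element body or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// "Structure and meaning": a display name has a narrow meaning, so an
// allowlist applies (letters, digits, space, hyphen; 1 to 32 characters).
function isValidDisplayName(s) {
  return typeof s === 'string' && /^[A-Za-z0-9 -]{1,32}$/.test(s);
}

// A URL placed in href is a different output context: HTML escaping does not
// neutralise a "javascript:" scheme, so the scheme itself is allowlisted.
function safeHttpUrl(s) {
  try {
    const u = new URL(String(s));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Vulnerable renderer: untrusted values are concatenated straight into markup,
// which is exactly how a stored XSS flaw is introduced.
function renderProfileVulnerable(p) {
  return `<h2>${p.name}</h2><a href="${p.site}">site</a><p>${p.bio}</p>`;
}

// Hardened renderer: validate the name, drop unsafe URLs, escape all free text
// at the point it enters the HTML context.
function renderProfileSafe(p) {
  if (!isValidDisplayName(p.name)) throw new Error('display name rejected');
  const site = safeHttpUrl(p.site);
  const link = site ? `<a href="${escapeHtml(site)}">site</a>` : '';
  return `<h2>${escapeHtml(p.name)}</h2>${link}<p>${escapeHtml(p.bio)}</p>`;
}

// Constructed sample of a hostile profile submission a tester might use.
const HOSTILE_PROFILE = {
  name: 'Mallory',
  site: 'javascript:alert(1)',
  bio: '<script>alert(1)</script>',
};
```

Framework auto-escaping covers the element and attribute cases, but the URL-scheme check is the part a template engine typically does not do for you.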

What is Secure by Design?
CISA's Secure by Design initiative encourages software manufacturers to prioritize security from the very beginning of the development process. This includes:

  • Taking ownership of customer security outcomes: Manufacturers should invest in secure building blocks and preventative measures to avoid vulnerabilities.
  • Embracing radical transparency and accountability: Manufacturers should disclose vulnerabilities promptly and accurately, using established programs like CVE and CWE.
  • Building organizational structure and leadership to achieve security goals: Executives should prioritize security, allocate resources, and establish processes to identify and eliminate vulnerabilities proactively.

How Can Software Manufacturers Get Involved?
Manufacturers can demonstrate their commitment to secure software by taking the Secure by Design Pledge. This pledge outlines seven key goals to reduce vulnerabilities like XSS.

By following these recommendations, software manufacturers can help create a more secure digital environment for everyone.

Paying Ransomware Doesn't Guarantee File Recovery, Even With Decryptor

In a stark reminder of the risks associated with ransomware attacks, recent incidents have highlighted that paying the ransom doesn't always guarantee successful data recovery, even when attackers provide a decryption tool.

A notable case involved the Hazard Ransomware, where an organization paid the ransom only to receive a faulty decryptor that failed to unlock their encrypted files. This incident underscores the unpredictable nature of dealing with cybercriminals.

There are several reasons why decryptors might fail:

  • Bugs: The ransomware itself might be flawed, containing bugs that render the decryption tool ineffective, as seen in the Hazard case.
  • Incompatibility: Sometimes, attackers provide a decryptor incompatible with the victim's specific IT environment.
  • Deception: In the worst-case scenario, attackers might intentionally provide a broken or useless tool, simply taking the ransom and disappearing.

While some attacks may be driven by malice, ransomware is primarily a money-making operation for cybercriminals. A reputation for delivering working decryptors helps these groups secure future ransom payments, which gives them an incentive to provide functional tools in most cases.

Recommendations for Businesses:

  • Backups are Crucial: Paying a ransom should be a last resort. Regularly backing up data provides a safety net in case of ransomware attacks.
  • Invest in Security: Robust cybersecurity measures can significantly reduce the risk of infection and the impact of an attack.
  • Seek Expert Help: In the event of an attack, consider involving cybersecurity professionals who can guide you through the recovery process and potentially even repair faulty decryptors, as done by GuidePoint Security in this case.

The good news is that organizations are becoming more aware of the risks associated with ransomware. There's also a growing trend of transparency among victims, with some sharing their experiences to help others avoid similar pitfalls.

The Takeaway:
Paying a ransom is a gamble with potentially devastating consequences. Businesses should prioritize data security and have a robust recovery plan in place to mitigate the risks posed by ransomware attacks.

US Dismantles Chinese Government-Linked Botnet Targeting Hundreds of Thousands of Devices

The US Department of Justice (DOJ) announced the successful disruption of a massive botnet run by a Chinese firm with ties to the People's Republic of China (PRC) government.

A botnet is a network of compromised devices that attackers control and use to launch malicious activities such as DDoS attacks or to steal data. This particular botnet infected over 260,000 devices worldwide, including:

  • Internet of Things (IoT) devices
  • Small office/home office (SOHO) network devices
  • Firewalls
  • Network-attached storage (NAS) devices

The botnet targeted devices running outdated firmware and exploited vulnerabilities in hardware from various brands, including Fortinet, QNAP, Ivanti, DrayTek, Netgear, and even Telstra's older Smart Modem Gen 2 devices.

Although no known DDoS attacks originated from this botnet, it was capable of launching them and of infiltrating targeted networks. Lumen's Black Lotus Labs confirmed activity targeting military, education, defense, and government entities in both Taiwan and the US.

The FBI took control of the botnet's command-and-control (C2) infrastructure and disabled the malware on infected devices using remote commands. This did not affect the functionality of the infected devices, and no data was collected from them.

Recommendations:

  • Update device firmware regularly.
  • Replace devices that are no longer supported by their manufacturers.
  • Segment your network to isolate potential threats.

This disruption demonstrates the ongoing struggle against cybercrime and the importance of cybersecurity awareness for both individuals and organisations.

Clever 'GitHub Scanner' Campaign Abusing Repos to Push Malware

A new phishing campaign is abusing GitHub’s “Issues” feature to distribute the Lumma Stealer password-stealing malware, targeting unsuspecting open-source project users.

In this campaign, malicious actors open a fake "issue" on popular GitHub repositories, falsely claiming the presence of a "security vulnerability" in the project. They then direct users to a counterfeit domain, "github-scanner[.]com," which masquerades as a GitHub-affiliated site. However, this domain is designed to trick visitors into downloading Windows malware.

What makes this campaign particularly effective is the use of legitimate GitHub email notifications. When the threat actors file a new issue, subscribers to the affected repositories receive "IMPORTANT!" email alerts from the official GitHub servers, making the campaign seem more authentic. These emails, sent from [email protected], falsely claim to be from the "GitHub Security Team."

Once users visit the fraudulent domain, they are met with a fake CAPTCHA that, upon interaction, executes JavaScript code that copies malicious content to the user’s clipboard. The site then instructs the user to execute the copied code via the Windows Run command, which downloads and executes a file named "l6E.exe," identified as the Lumma Stealer malware.

The Lumma Stealer is capable of stealing web browser credentials, authentication cookies, browsing history, cryptocurrency wallets, and other sensitive files from the infected device.

GitHub’s "Issues" Feature Being Abused
The campaign exploits GitHub’s “Issues” feature, where threat actors create pseudonymous GitHub accounts to flood repositories with these bogus security alerts. As a result, legitimate contributors receive phishing alerts directly from GitHub’s notification system.

GitHub users are advised to be vigilant, avoid clicking on suspicious links, and report such issues to GitHub. This incident highlights how popular platforms like GitHub can be exploited by cybercriminals to conduct supply chain attacks and spread malware.

Recently, similar campaigns have been seen, where threat actors replied to GitHub Issues with fake fixes that also distributed the Lumma Stealer malware. This alarming trend underscores the growing threat of attackers targeting developers to gain access to source code and inject malicious payloads.

Australian Government Suffers Surge in Cyber Attacks, Social Engineering Most Common Tactic

Australian government agencies experienced a significant rise in cyberattacks during the first half of 2024, according to a report by the Office of the Australian Information Commissioner (OAIC). This concerning trend places the government sector as the second-most breached industry in the country.

The report details 63 total incidents impacting government bodies, with a staggering 44 classified as malicious or criminal attacks. Social engineering tactics, like impersonation and phishing scams, were the primary culprit behind these breaches, accounting for 41 incidents.

The data reveals a worrying lack of awareness within some agencies, with the OAIC identifying delays in reporting incidents. These delays stemmed from internal failures to escalate issues to the appropriate departments, hindering timely responses and notifications.

"This highlights the critical need for robust cybersecurity protocols and employee training within government agencies," says a cybersecurity expert.

The surge in government breaches coincides with a broader increase in national cybercrime. The OAIC report reveals a total of 527 notifications across all sectors, representing a 9% rise compared to the previous period and the highest number in over three and a half years.

The healthcare industry remains the most targeted sector, with 102 reported breaches. Notably, the May 2024 MediSecure data breach impacted an estimated 12.9 million individuals, marking the largest data leak since the introduction of the notifiable data breaches scheme six years ago.

While malicious attacks dominated the landscape, human error also played a role, contributing to 30% of reported incidents. The OAIC emphasizes the importance of vigilance and ongoing security awareness training across all sectors.