Corporate Freeloading Makes Open Source Vulnerable

Corporate Freeloading Makes Open Source Vulnerable

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Airlock Digital.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

‎Risky Business News: Srsly Risky Biz: Why the compromise of open source projects is inevitable on Apple Podcasts
‎Show Risky Business News, Ep Srsly Risky Biz: Why the compromise of open source projects is inevitable - 17 Apr 2024
Dangerous sauce

The foundations for open source software security (OpenSSF) and for the promotion of JavaScript (OpenJS) have jointly warned the takeover of the XZ Utils project (a likely state-backed multi-year effort to subvert an open source project by gaining the trust of the package's maintainer) was probably not an isolated incident. 

The foundations said that several 'credible takeover attempts' had been unsuccessfully launched against JavaScript-related projects.

Their post provides a list of "suspicious patterns" of behaviour that could indicate an attempted social engineering attack. The list isn't wrong, but to some degree it misses the point.

The 'vulnerability' that makes open source software susceptible to these sorts of social engineering attacks is baked into its 'business model' of internet strangers collaborating to achieve a common goal. 

Malicious actors don't dupe their way into positions of responsibility within projects — they earn these positions of trust by behaving like good open source citizens, contributing code and doing real work. 

The behaviours that the post identifies as suspicious are what we'd call 'complementary' tactics that increase pressure on open source project maintainers, but aren't the main avenue of attack. These include, for example, "friendly yet aggressive and persistent pursuit of [a] maintainer… by relatively unknown members of the community" or "endorsement coming from other unknown members of the community who may also be using false identities, also known as "sock puppets."

The post spells out the key problem: "many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies who depend on these community-led projects yet contribute very little back".

CISA, the US cybersecurity authority, agrees. In a 'Lessons from XZ Utils' post, it calls for technology companies that benefit from open source software to become "sustainable contributors" to the open source packages they depend on.  

Getting companies to contribute to open source software, either with money, or by helping to maintain projects, would be a paradigm shift. 

But without these contributions, the ecosystem will remain vulnerable to malicious 'good samaritan' attacks. 

Sisense Loses a Bucket-load of Keys, Feds Step In

Last week, the US Cybersecurity and Infrastructure Agency (CISA) announced it was "collaborating with private industry partners to respond to a recent compromise discovered by independent security researchers impacting Sisense, a company that provides data analytics services". 

This is a potentially disastrous breach. Sisense holds a bucket-load of credentials and secrets which it uses to access customers' data sources so it can gather, analyse and visualise that information on their behalf.

According to Krebs On Security, attackers obtained access to the company's source code repository, which contained access details for Sisense's Amazon S3 bucket. The attackers then used the "S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates". 

On Mastodon, security researcher Marc Rogers posted instructions from Sisense on which types of access credentials should be reset (see below). 

Sisense customer credential reset instructions

In the same thread, Rogers said  "members of the cybersecurity community and agencies all over the world have worked this intensely over the last few days". He thanked agencies from the US, UK, New Zealand and Canada for "amazing collaboration" in containing the Sisense breach. 

We don't have the precise details about what went wrong here, but if independent reporting is to be believed, it looks like Sisense has some questions to answer, at the very least. 

But, as per last week, we are left wondering why government agencies are spending time and effort cleaning up problems created by the private sector. One answer, of course, is that they have to and we would be much worse off if they didn't. 

But the broader systemic question is why can private sector companies underinvest in security and get everyone else to bear the cost?  

Dependency on Microsoft A Strategic Risk

Wired has a good examination of the US government's dependence on Microsoft and how the company is "insulated" from accountability, despite a series of entirely avoidable security failures

The author, Eric Geller, says this stems from a combination of factors, including that Microsoft is the government's most important technology supplier; the company is a critical partner for government cyber security initiatives; and its politically savvy lobbying and marketing efforts over decades.

The overall message of the piece is that Microsoft is still not treating its security problems with the seriousness they deserve, and it examines what should be done to force Microsoft to lift its game when it comes to security. 

Geller's piece links to news that CISA, the US cyber security authority, is modernising its IT environment and creating a new 'greenfield' architecture. This effort is to develop a more secure environment that can be an example implementation for other agencies. 

This architecture doesn't rely on Microsoft's Active Directory, which is at least a start in  giving government agencies options and increasing pressure on the company to improve its security. More of this please. 

When coupled with the US government's dependence on its services, Microsoft's lacklustre focus on security is a long-term national security problem. Cutting that dependency will take time, but it has to be done.  

US Cyber Command Hunts Authoritarian States

In testimony to the Senate Armed Services Committee, the new head of US Cyber Command and NSA, General Timothy Haugh, provided a written overview of the state of the world from Cyber Command's perspective.

This included brief summaries of major cyber threat actors. 

Haugh described the PRC as "our pacing challenge" and said it employs "the world's largest cyberspace operations workforce". Cyber Command's main focus is "defending against the PRC’s persistent access and pre-positioning for attack on U.S. critical infrastructure systems".

Russia is also "an acute threat", although its focus on the conflict in Ukraine has diverted its attention from other worldwide intelligence efforts. Interestingly Cyber Command assesses that "Moscow likely views the upcoming U.S. election as an opportunity for malign influence" and that it will "most likely" interfere with elections in the United States and Europe this year.

Iran is particularly focused on disrupting critical infrastructure and Cyber Command has "supported significant efforts to bolster the cyber defences of Israel and other regional partners" since the start of the Israel-Hamas war. 

North Korean cyber forces are "increasingly capable" although in the testimony the country feels like a tertiary concern compared to the other threat actors mentioned.

When it comes to non-state actors, Haugh says NSA and Cyber Command have an enabling role "to disrupt ransomware, cryptocurrency theft, and other criminal activities".

In 2023 Cyber Command carried out 22 'hunt forward' operations in 17 countries. These are efforts to find and disrupt adversary activity on partner networks. 

Haugh says these missions led to public releases of more than 90 malware samples. These disclosures "frustrate the military and intelligence operations of authoritarian regimes", the testimony says. You can almost hear the happiness in these words.

Three Reasons to Be Cheerful This Week:

  1. Identifying the real LockBit criminals: Law enforcement authorities have said that they've been able to identify the real world identities of "a good number" of LockBit ransomware affiliates. The LockBit ransomware group takedown operation obtained a list of about 200 potential affiliates. It won't be easy to arrest affiliates even once they are identified, but it is a start. 
  2. CISA is opening its malware analysis service: CISA has announced that its malware analysis service, Malware Next-Gen will be opened to the private sector. The service had previously been open to only government customers. 
  3. 77 arrested in Zambia for internet fraud: Zambian law enforcement agencies arrested 77 people, including 22 Chinese nationals who were allegedly engaged in internet fraud scams. The raid of Golden Top Support Services found 11 SIM boxes and 13,000 SIM cards. 

In this Risky Business News sponsored interview, Tom Uren talks to Daniel Schell and David Cottingham, the CTO and CEO of Airlock Digital. They discuss the security standard that drove innovation and the genesis of Airlock Digital and also how to make sure that standards don’t become box-checking exercises.

‎Risky Business News: Sponsored: When standards drive innovation on Apple Podcasts
‎Show Risky Business News, Ep Sponsored: When standards drive innovation - 14 Apr 2024


When Crypto Crime Doesn't Pay

An ex-Amazon engineer, Shakeeb Ahmed, was sentenced to three years in prison for hacking two separate cryptocurrency exchanges. After both of these hacks he attempted to negotiate with the victim exchanges to get his actions recognised as 'bug bounties' rather than outright thefts in exchange for returning some of the money. 

Separately, another indictment unsealed this week alleges that Charles O Parks III, aka CP3O, stole USD$3.5m worth of cloud computing services to mint USD$1m of cryptocurrency.  

Skilled Hackers Prefer The Sunshine 

TechCrunch has an interesting interview with Yevhenii Panchenko, the chief of Ukraine's National Police Cyber department. 

Panchenko describes how Russia recruits new hackers by initially giving them small jobs and ratcheting up the tasks if they are successful.  

Despite the difficulties in prosecuting hackers in the midst of a war, Panchenko takes the long view. He says that although a regular soldier "will probably never come to the European Union and other countries", skilled hackers will 'prefer to move to warmer places and not work in Russia because [they] could be recruited to the army'. So collecting evidence and sharing it with partners is important. 

AI Election Interference Tracker

The Rest of World publication has launched an AI election interference tracker. It's already assembled an interesting collection of examples. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at Google’s review of 0days in 2023. They discuss what this kind of information tells us and how Google’s perspective influences the report.

‎Risky Business News: Between Two Nerds: 0days in 2023 on Apple Podcasts
‎Show Risky Business News, Ep Between Two Nerds: 0days in 2023 - 15 Apr 2024

From Risky Biz News:

PuTTY crypto bug exposes private keys, may lead to supply chain attacks: A team of German academics has discovered a crypto vulnerability in PuTTY, an extremely popular SSH and Telnet client for Windows users.

The vulnerability allows attackers who run malicious SSH servers to observe cryptographic signatures and recover a user's private key. This allows attackers to connect to systems where the private keys are being used for authentication.

But the vulnerability main impact is on source code repositories if they've been managed via a client that embeds PuTTY.

Attackers can look at a project's past signed public commits and then determine a developer's private key.

As the US NVD points out in its description of the vulnerability, this opens the door to supply chain attacks where threat actors can submit "signed" malicious code to legitimate projects.

[more on Risky Business News]

Palo Alto Networks scrambles to push zero-day patch

[Editor's note: Palo Alto have since put out patches for the latest releases of PAN-OS, and announced a roll out schedule for the rest]

Palo Alto Networks has scrambled over the weekend to release a software patch for its firewall devices. The patch is intended to fix a zero-day (CVE-2024-3400) in the GlobalProtect VPN feature of PAN-OS, the firmware that runs on Palo Alto's firewalls.

Security firm Volexity discovered the attacks, which the company attributed to a group it tracks as UTA0218. Palo Alto tracks this as Operation MidnightEclipse.

Volexity described the group as a state-backed threat actor but did not link the group to any country.

"Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks."

According to a timeline published by Volexity, the attacker appears to have developed and tested the zero-day at the end of March.

[more on Risky Business News]

Pegasus in Poland: Poland's General Prosecutor says the country's former ruling government has hacked 578 individuals with the Pegasus spyware. The hacks were carried out by three Polish services between 2017 and 2022. The findings are part of an investigation into abuses performed by the former government, controlled by the Law and Justice party. Previous reports have accused former Polish officials of using the spyware against opposition members, prosecutors, and journalists. [Additional coverage in Wiadomosci]