Amateur Security Archaeologists, trying not to break things.

Author: Mike (Page 2 of 12)

What’s causing Mike’s Indigestion now? Supply Chain Heist (5 April 2024)

Happy weekend, folks! Loads of cool stuff going on in the day job, but lots of chatter focused on two areas on opposite sides of the software ecosystem. The resourcefulness of adversaries never ceases to amaze me. Both stories offer a lot of intricate technical details, but the big takeaway is that we’re in serious trouble unless we tackle best practices and hygiene, and find support for the massive base of open source projects. So let’s get going!

Open Source projects need our help

Since the beginning of the Internet Age, applications and operating systems have been dependent on open source. Despite the riches raked in by for-profit companies for their software, all of them stand on the shoulders of open source software libraries and packages. I think we all get it – using open source accelerates innovation. Why reinvent the wheel, right? But it is high time that we all consider how we support those open source projects. The maintainers of those efforts are usually coding these as a passion project or hobby. And they are all overwhelmed and outmatched. Need proof? Heartbleed, Log4j, Java and NPM vulnerabilities, Shellshock, and multiple Apache Struts CVEs can jog your memory.

Last week an attentive Microsoft engineer, Andres Freund, luckily stumbled on a performance issue and traced it back to a hijacked open source compression library, XZ Utils, that is used in most modern Linux flavors. An adversary made a 2+ year effort to gain trust as a contributor and eventually gain commit-level privileges. They then disabled testing of their contributions and slowly nudged the code base to support their effort to embed a malicious backdoor in the package. The backdoor interferes with SSH authentication and injects code that opens up remote access. Holy cow!

Lucky for us, Andres caught it before the code could be promoted to released versions of Linux. But we have a big problem. Expecting these projects to operate with no funding, one to a few contributors, and zero support in testing and validation is supply chain suicide. It is time for the many prosperous companies that benefit from these heroic efforts to give back and assist in securing these projects for the greater good.

  • Want to learn more? Kevin Beaumont does a great job talking about this entire caper holistically.
  • Want to get nerdy? The SANS ISC does a splendid job of explaining the technical how of this backdoor here.

Microsoft struggles to use their own tools securely

Lest we think that Open Source cannot be relied on and that professionals and closed source are the safest bet, Microsoft shows that no one is infallible. If you recall, APT Storm-0558 compromised Microsoft’s Exchange Online email service using information from a developer’s laptop and a stolen Azure signing key. Despite it happening 10 months ago, Microsoft still cannot publicly say exactly what happened, and CISA and the US Department of Homeland Security called them out for their handling of the matter. Don’t confuse this with the breach of their own senior leadership team’s email accounts, which it appears they are still struggling with months later – talk about persistence!

  • Want to learn more? Bleeping Computer’s synopsis boils it down for us. Ars Technica goes into more details about how the breach was made.
  • Want to get nerdy? You can read Microsoft’s own analysis of the situation here.

This week in AI

Seeing the confluence of massive AI adoption and the emergence of so many open-ended concerns, what is obvious is that we’ve already lost control of AI’s propagation. Talking to my good friend Mark Stephens, he clued me in on a book by Nick Bostrom called “Superintelligence: Paths, Dangers, Strategies”. Amongst other things, he discusses how an AI – given a simple goal of making the best paper clip – would make decisions that eventually threaten human life. Needless to say, that book is on order!

Things I am keeping an eye on

Good Reads

  • Nothing too new – I am about 1/4th of the way into Children of Ash and Elm (the Viking history book). It’s amazing how misunderstood they are. The many languages and transitions of knowledge between groups and regions contributed to that confusion. Seems like history certainly rhymes!
  • I am also reading the latest SANS Threat Hunting Survey results, and as explained in David Bianco’s video highlights, it is concerning that more than a third of customers Threat Hunt without a formal process, and the same percentage find that it impairs security, rather than improves it!

I hope that this update unravels a little of the many mysteries we are all being impacted by in cyberspace. If you have any feedback please send it along!

Persistence: How Uninvited Attackers Avoid Being Bounced from the Party

Hello folks – welcome to Part 5 of the series on MITRE ATT&CK Tactics! Today we’re talking about how adversaries maintain a foothold. Like any invading force, threat actors work hard to ensure that they get initial access, and they would rather not have to repeat that effort. Traditional aggressors most often resolve to maintain pressure on the front once their initial attack lands. This has the effect of exhausting the defenders and ensuring they are unable to reset or respond effectively. Some attackers will leverage asymmetrical warfare elements like guerrilla forces, local resistance forces, or agents to undermine defenses and guarantee access. Cyber adversaries need the same sort of effects, and that guaranteed access is arguably their highest priority. So let’s discuss the MITRE ATT&CK Persistence tactic and see why it is vital and how they might achieve it!

Continue reading

What’s causing Mike’s Indigestion now? Real Stones on that one! (29 Mar 2024)

Wow, I am so sorry folks! It has been 3 weeks between updates – as I mentioned on LinkedIn, things have been busy on the travel front! In that crazy time, a lot of interesting things have happened that are worth a good look! Much of the biggest news this week in the world of threats is on another one of our state-sponsored threat actors, APT31, so let’s see what the buzz is about.

Continue reading

Execution: Ruthless attackers run malicious code on your systems

Welcome to Part 4 of our series on MITRE’s ATT&CK Tactics! At this point in the attack, adversaries have pulled the trigger on an attack and defenders have had their first fair shot at detecting the transgression. Like a fortress’s defenders seeing the build-out of siege weapons and the digging of trenches, defenders now know from where a part of the attack is coming. The attacker is relying on their preparation, coordination, and focus to overcome defensive efforts. The defender is likely depending on training and processes – and their garrison’s trust and cohesion – to disrupt and repel. How able are the attackers to carry out their plan, to sap the fortifications, to breach the walls? This is the MITRE ATT&CK Execution Tactic, and it is the phase from which all later phases branch.

Continue reading

Initial Access: “It’s go time!” for an adversary

Welcome to Part 3 of a series in which we walk through MITRE’s ATT&CK Tactics! Continuing the theme of any movie portraying a conflict, this is where someone takes action against their target. In HBO’s Band of Brothers, an entire episode is spent showing how Easy Company was formed and prepared for D-Day. Not only did they drill and train on general airborne skills and fitness, but they studied their sand tables and maps intently. Eventually, someone has to call the shot – in this case Eisenhower issued the order and they boarded planes & ships. Once the paratroopers, glider troops, trailblazers, and other recon units crossed the channel, the invasion had passed the point of no return. Initial Access was attempted. If you’re the Allies, hopefully the Recon and Resource Development were done right! Now let’s see how all of that pays off for the adversary in ATT&CK – Initial Access.

Continue reading