Code – INDIA NEWS (http://www.indiavpn.org)

Code Keepers: Mastering Non-Human Identity Management
http://www.indiavpn.org/2024/04/12/code-keepers-mastering-non-human-identity-management/
Fri, 12 Apr 2024 12:23:13 +0000

Apr 12, 2024 | The Hacker News | DevSecOps / Identity Management


Identities are no longer only human. Behind each line of code and every API call sits a non-human identity: a programmatic credential (an API key, token, service-account credential or certificate) that lets systems and services authenticate to one another, and that is needed for every API call, database query or storage-account access. Human identities are protected with passwords and multi-factor authentication; the pressing question is how to guarantee the security and integrity of their non-human counterparts. How do we authenticate, authorize and regulate access for entities that are not people but are essential to the functioning of critical systems?

Let’s break it down.

The challenge

Imagine a cloud-native application as a bustling metropolis of small neighborhoods known as microservices, each packed into a container. These microservices act like worker bees, each performing its designated task, whether processing data, verifying credentials or retrieving information from databases. They communicate through APIs so that the service as a whole keeps running for its users. To call those APIs, however, each microservice must authenticate itself with a non-human identity and a secret, the programmatic equivalent of an access key.

Now consider what happens if a malicious actor obtains one of these non-human identities or secrets. The potential for damage is immense: further secrets can be stolen, data tampered with, or the entire system brought to a standstill.

Without strong controls over these credentials, a system is wide open to such attacks. Companies need to lock down non-human identities to keep data safe and systems running smoothly.

The solution

What’s needed is a comprehensive suite of features to meet the needs of managing non-human identities.

Comprehensive secrets visibility

To manage non-human identities and secrets at scale you need a bird’s-eye view of all machine identities in your systems. Ownership details, permissions and risk levels all need to be centralized so that your security teams understand the secrets landscape thoroughly: no more guessing games, just clear insight into non-human identities and their potential vulnerabilities.

Real-time monitoring & protection

Effective oversight of non-human identities requires real-time monitoring of sensitive credentials. Any sign of dubious behavior, whether an unauthorized access attempt or an unexpected change in permissions, should be detected and flagged promptly; continuous scrutiny of secrets turns defense from reactive into proactive. Alerting alone is not sufficient: when suspicious activity arises, a comprehensive solution must also provide actionable steps for immediate resolution.

Centralized governance

Centralized governance simplifies secrets management for non-human identities. By consolidating all security controls into one streamlined platform, it becomes easy for you to oversee access to non-human identities. From identification to prioritization and remediation, you need seamless collaboration between security and development teams, ensuring everyone is on the same page when it comes to protecting your digital assets.

Vulnerability detection & false positive elimination

Not all alerts warrant immediate alarm. Vulnerability detection must therefore do more than highlight potential risks; it should differentiate between genuine threats and false alarms. By eliminating false positives and homing in on actual vulnerabilities, your security teams can address issues efficiently without being sidetracked by unnecessary distractions.

This is what it takes to manage secret security for non-human identities. It’s what we obsess about here at Entro.

Why Entro

With Entro’s non-human identity management solution, organizations can:

  • Gain complete visibility of secrets that protect code, APIs, containers, and serverless functions scattered across various systems and environments.
  • Identify and prioritize security risks, remediate vulnerabilities, and prevent unauthorized access to critical financial systems and data.
  • Automate the remediation of identified security risks, saving time and resources for the security and development teams.
  • Ensure compliance with regulatory requirements such as SOC2, GDPR, and others by maintaining robust access controls and security measures.

Get in touch with us to learn more about Entro’s machine identities and secrets management solution.

This article is a contributed piece from one of our valued partners.



Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
http://www.indiavpn.org/2024/04/02/malicious-code-in-xz-utils-for-linux-systems-enables-remote-code-execution/
Tue, 02 Apr 2024 14:10:23 +0000

Apr 02, 2024 | Newsroom | Firmware Security / Vulnerability


The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed.

The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund raised the alarm about a backdoor in the data compression utility that gives remote attackers a way to sidestep secure shell (SSH) authentication and gain complete access to an affected system.

XZ Utils provides the xz command-line tools and the liblzma compression library used for compressing and decompressing data on Linux and other Unix-like operating systems. The malicious code lives in liblzma, which is why it can reach programs such as the OpenSSH daemon that load the library indirectly (on several distributions, via libsystemd).

The malicious code is said to have been deliberately introduced by one of the project maintainers named Jia Tan (aka Jia Cheong Tan or JiaT75) in what appears to be a meticulous attack spanning multiple years. The GitHub user account was created in 2021. The identity of the actor(s) is presently unknown.


“The threat actor started contributing to the XZ project almost two years ago, slowly building credibility until they were given maintainer responsibilities,” Akamai said in a report.

In a further act of clever social engineering, sockpuppet accounts like Jigar Kumar and Dennis Ens are believed to have been used to send feature requests and report a variety of issues in the software in order to force the original maintainer – Lasse Collin of the Tukaani Project – to add a new co-maintainer to the repository.

Enter Jia Tan, who introduced a series of changes to XZ Utils in 2023 that eventually made their way into release version 5.6.0 in February 2024. Those releases also harbored a sophisticated backdoor.

“As I have hinted in earlier emails, Jia Tan may have a bigger role in the project in the future,” Collin said in an exchange with Kumar in June 2022.

“He has been helping a lot off-list and is practically a co-maintainer already. 🙂 I know that not much has happened in the git repository yet but things happen in small steps. In any case some change in maintainership is already in progress at least for XZ Utils.”

The backdoor affects the XZ Utils 5.6.0 and 5.6.1 release tarballs, the latter of which contains an improved version of the same implant. Collin has since acknowledged the project’s breach, stating that both tarballs were created and signed by Jia Tan and that Jia Tan had access only to the now-disabled GitHub repository.
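A first triage check a practitioner would want after reading the affected-version list, written here as an added example (it is not code from the article or the xz project): parse `xz --version` for the two affected release numbers and check whether the sshd binary loads liblzma at all, since the implant is only reachable through sshd when that library is in its address space. The sample command outputs are constructed for the test. A version hit is a prompt to consult the distribution's advisory rather than proof of compromise, because some distributions shipped reverted builds under new package names.

```python
"""Added example (not code from the article or the xz project): check a
host for the backdoored XZ Utils release versions (5.6.0 and 5.6.1) and for
an sshd binary that loads liblzma. Sample outputs are constructed."""
import re
import shutil
import subprocess

# Release versions whose tarballs carried the implant, per the article.
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample outputs, shaped like real `xz --version` and `ldd` output.
SAMPLE_XZ_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_XZ_OK = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
SAMPLE_LDD_SSHD = (
    "\tlinux-vdso.so.1 (0x00007ffd1a3f0000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0c1e200000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0c1e1c0000)\n"
)


def parse_versions(xz_version_output):
    """Return {'xz': '5.6.1', 'liblzma': '5.6.1'} from `xz --version` text.
    Missing entries are omitted; the tool and the library can differ."""
    found = {}
    m = re.search(r"^xz \(XZ Utils\) (\d+\.\d+\.\d+)", xz_version_output, re.M)
    if m:
        found["xz"] = m.group(1)
    m = re.search(r"^liblzma (\d+\.\d+\.\d+)", xz_version_output, re.M)
    if m:
        found["liblzma"] = m.group(1)
    return found


def affected_components(xz_version_output):
    """Names of components ('xz', 'liblzma') that report an affected version."""
    return sorted(name for name, ver in parse_versions(xz_version_output).items()
                  if ver in AFFECTED_VERSIONS)


def sshd_links_liblzma(ldd_output):
    """True if `ldd /usr/sbin/sshd` output lists liblzma, whether linked
    directly or pulled in by another library such as libsystemd."""
    return any(line.strip().startswith("liblzma.so")
               for line in ldd_output.splitlines())


def check_host():
    """Run the real commands on this host. Returns (affected, sshd_loads_lzma)."""
    xz_out = ""
    if shutil.which("xz"):
        xz_out = subprocess.run(["xz", "--version"], capture_output=True,
                                text=True).stdout
    ldd_out = ""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"  # assumed default path
    if shutil.which("ldd"):
        ldd_out = subprocess.run(["ldd", sshd], capture_output=True,
                                 text=True).stdout
    return affected_components(xz_out), sshd_links_liblzma(ldd_out)


if __name__ == "__main__":
    affected, lzma_in_sshd = check_host()
    if affected:
        print("WARNING: affected version reported by:", ", ".join(affected))
    else:
        print("xz/liblzma version not in the affected set")
    print("sshd loads liblzma:", lzma_in_sshd)
```

Run it as root or any user on the host to be checked; both conditions true together is the configuration the reports describe as exposed, and a system with SSH reachable from the internet in that state should be treated as at risk until the package is downgraded or replaced.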

“This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” firmware security company Binarly said. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”


A deeper examination of the backdoor by open-source cryptographer Filippo Valsorda has also revealed that the affected versions allow a remote attacker in possession of a specific private key to send arbitrary payloads through an SSH certificate, which are executed before authentication completes, effectively seizing control over the victim machine.

“It appears as though the backdoor is added to the SSH daemon on the vulnerable machine, enabling a remote attacker to execute arbitrary code,” Akamai said. “This means that any machine with the vulnerable package that exposes SSH to the internet is potentially vulnerable.”


Needless to say, the accidental discovery by Freund is one of the most significant supply chain attacks discovered to date and could have been a severe security disaster had the package been integrated into stable releases of Linux distributions.

“The most notable part of this supply chain attack is the extreme levels of dedication of the attacker, working more than two years to establish themselves as a legitimate maintainer, offering to pick up work in various OSS projects and committing code across multiple projects in order to avoid detection,” JFrog said.

As with the case of Apache Log4j, the incident once again highlights the reliance on open-source software and volunteer-run projects, and the consequences that could entail should they suffer a compromise or have a major vulnerability.

“The bigger ‘fix’ is for organizations to adopt tools and processes that allow them to identify signs of tampering and malicious features within both open source and commercial code used in their own development pipeline,” ReversingLabs said.




Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets
http://www.indiavpn.org/2024/03/09/microsoft-confirms-russian-hackers-stole-source-code-some-customer-secrets/
Sat, 09 Mar 2024 07:10:26 +0000

Mar 09, 2024 | Newsroom | Cyber Attack / Threat Intelligence


Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) managed to gain access to some of its source code repositories and internal systems following a hack that came to light in January 2024.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the tech giant said.

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”


Redmond, which is continuing to investigate the extent of the breach, said the Russian state-sponsored threat actor is attempting to leverage the different types of secrets it found, including those that were shared between customers and Microsoft in email.

Microsoft did not, however, disclose what these secrets were or the scale of the compromise, although it said it has reached out directly to impacted customers. It is also unclear what source code was accessed.

Stating that it has increased its security investments, Microsoft further noted that the adversary ramped up its password spray attacks by as much as 10-fold in February compared to the “already large volume” observed in January.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” it said.

“It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

The Microsoft breach is said to have taken place in November 2023, with Midnight Blizzard employing a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.
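The initial access described above, a password spray against an account without MFA, has a recognisable shape in sign-in logs: one source trying a few passwords against many accounts, which is the opposite of a per-account brute force. The detection below is an added example (not Microsoft's code or its detection logic) that counts distinct failed accounts per source address inside a sliding window and reports any later successful sign-in from the same source as the likely compromised account. The log lines are constructed for this example.

```python
"""Added example (not Microsoft's code): flag password spraying in sign-in
logs by counting distinct accounts that failed from one source inside a
time window. Log lines are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source ip> <account> <result>"
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice FAIL
2023-11-20T02:00:09Z 203.0.113.7 bob FAIL
2023-11-20T02:00:17Z 203.0.113.7 carol FAIL
2023-11-20T02:00:26Z 203.0.113.7 dave FAIL
2023-11-20T02:00:34Z 203.0.113.7 erin FAIL
2023-11-20T02:00:41Z 203.0.113.7 legacy-test FAIL
2023-11-20T02:14:52Z 203.0.113.7 legacy-test OK
2023-11-20T02:01:00Z 198.51.100.9 frank FAIL
2023-11-20T02:01:05Z 198.51.100.9 frank FAIL
2023-11-20T02:01:10Z 198.51.100.9 frank FAIL
2023-11-20T02:01:15Z 198.51.100.9 frank FAIL
2023-11-20T02:01:20Z 198.51.100.9 frank FAIL
2023-11-20T02:01:25Z 198.51.100.9 frank FAIL
2023-11-20T08:30:00Z 192.0.2.5 alice OK
"""


def parse_log(text):
    """Turn the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
        })
    return events


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Return one alert per source IP whose failed sign-ins inside any
    `window` touched at least `min_accounts` distinct accounts. Each alert
    lists accounts that later signed in successfully from the same IP.
    A single account failing many times (a brute force) is not a spray
    and is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in fails[start:end + 1]}
            if len(accounts) >= min_accounts and (
                    best is None or len(accounts) > len(best["accounts"])):
                best = {"accounts": accounts,
                        "first": fails[start]["ts"],
                        "last": fails[end]["ts"]}
        if best is None:
            continue
        successes = sorted({e["user"] for e in evs
                            if e["ok"] and e["ts"] >= best["first"]})
        alerts.append({
            "ip": ip,
            "distinct_accounts": len(best["accounts"]),
            "first": best["first"].isoformat(),
            "last": best["last"].isoformat(),
            "successes_after": successes,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"{a['ip']}: {a['distinct_accounts']} accounts tried "
              f"{a['first']}..{a['last']}; later successes: {a['successes_after']}")
```

The thresholds are assumptions to tune per tenant; the point of the design is that the success for `legacy-test` on its own looks like a normal login and is only suspicious because of the failed attempts against other accounts from the same source just before it.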


The tech giant, in late January, revealed that APT29 had targeted other organizations by taking advantage of a diverse set of initial access methods ranging from stolen credentials to supply chain attacks.

Midnight Blizzard is considered part of Russia’s Foreign Intelligence Service (SVR). Active since at least 2008, the threat actor is one of the most prolific and sophisticated hacking groups, compromising high-profile targets such as SolarWinds.




U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp
http://www.indiavpn.org/2024/03/02/u-s-court-orders-nso-group-to-hand-over-pegasus-spyware-code-to-whatsapp/
Sat, 02 Mar 2024 07:42:48 +0000

Mar 02, 2024 | Newsroom | Spyware / Privacy


A U.S. judge has ordered NSO Group to hand over its source code for Pegasus and other products to Meta as part of the social media giant’s ongoing litigation against the Israeli spyware vendor.

The decision marks a major legal victory for Meta, which filed the lawsuit in October 2019, accusing NSO Group of using WhatsApp’s infrastructure to distribute the spyware to approximately 1,400 mobile devices in April and May 2019. The targets included two dozen Indian activists and journalists.

These attacks leveraged a then zero-day flaw in the instant messaging app (CVE-2019-3568, CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality, to deliver Pegasus by merely placing a call, even in scenarios where the calls were left unanswered.


In addition, the attack chain included steps to erase the incoming call information from the logs in an attempt to sidestep detection.

Court documents released late last month show that NSO Group has been asked to “produce information concerning the full functionality of the relevant spyware,” specifically for a period of one year before the alleged attack to one year after the alleged attack (i.e., from April 29, 2018, to May 10, 2020).

That said, the company doesn’t have to “provide specific information regarding the server architecture at this time” because WhatsApp “would be able to glean the same information from the full functionality of the alleged spyware.” Perhaps more significantly, it has been spared from sharing the identities of its clientele.

“While the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret,” said Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International.

NSO Group was sanctioned by the U.S. in 2021 for developing and supplying cyber weapons to foreign governments that “used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”


The development comes as Recorded Future revealed a new multi-tiered delivery infrastructure associated with Predator, a mercenary mobile spyware managed by the Intellexa Alliance.

The infrastructure network is highly likely associated with Predator customers, including in countries like Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. It’s worth noting that no Predator customers within Botswana and the Philippines had been identified until now.

“Although Predator operators respond to public reporting by altering certain aspects of their infrastructure, they seem to persist with minimal alterations to their modes of operation; these include consistent spoofing themes and focus on types of organizations, such as news outlets, while adhering to established infrastructure setups,” the company said.




PikaBot Resurfaces with Streamlined Code and Deceptive Tactics
http://www.indiavpn.org/2024/02/13/pikabot-resurfaces-with-streamlined-code-and-deceptive-tactics/
Tue, 13 Feb 2024 18:11:26 +0000

Feb 13, 2024 | Newsroom | Cyber Threat / Malware


The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of “devolution.”

“Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications,” Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.

PikaBot, first documented by the cybersecurity firm in May 2023, is a malware loader and a backdoor that can execute commands and inject payloads from a command-and-control (C2) server as well as allow the attacker to control the infected host.


It is also known to halt its execution should the system’s language be Russian or Ukrainian, indicating that the operators are either based in Russia or Ukraine.

In recent months, both PikaBot and another loader called DarkGate have emerged as attractive replacements for threat actors such as Water Curupira (aka TA577) to obtain initial access to target networks via phishing campaigns and drop Cobalt Strike.

Zscaler’s analysis of a new version of PikaBot (version 1.18.32) observed this month has revealed its continued focus on obfuscation, albeit with simpler encryption algorithms, and insertion of junk code between valid instructions as part of its efforts to resist analysis.

Another crucial modification observed in the latest iteration is that the entire bot configuration — which is similar to that of QakBot — is stored in plaintext in a single memory block as opposed to encrypting each element and decoding them at runtime.

A third change concerns the C2 server network communications, with the malware developers tweaking the command IDs and the encryption algorithm used to secure the traffic.

“Despite its recent inactivity, PikaBot continues to be a significant cyber threat and in constant development,” the researchers concluded.


“However, the developers have decided to take a different approach and decrease the complexity level of PikaBot’s code by removing advanced obfuscation features.”

The development comes as Proofpoint alerted of an ongoing cloud account takeover (ATO) campaign that has targeted dozens of Microsoft Azure environments and compromised hundreds of user accounts, including those belonging to senior executives.

The activity, underway since November 2023, singles out users with individualized phishing lures bearing decoy files that link to malicious web pages for credential harvesting; the stolen credentials are then used for follow-on data exfiltration, internal and external phishing, and financial fraud.




Nation-State Hackers Access Source Code and Internal Docs
http://www.indiavpn.org/2024/02/02/nation-state-hackers-access-source-code-and-internal-docs/
Fri, 02 Feb 2024 06:39:48 +0000

Feb 02, 2024 | Newsroom | Data Breach / Cloud Security


Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

The intrusion, which took place between November 14 and 24, 2023, and was detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”

As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically segmented test and staging systems, carried out forensic triage on 4,893 systems, and reimaged and rebooted every machine across its global network.

The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to its Bitbucket source code management system by means of the Sliver adversary simulation framework.


As many as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.

“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.

“A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.”

The threat actor is then said to have unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”

The attack was accomplished by making use of one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta’s support case management system.


Cloudflare acknowledged that it had failed to rotate these credentials, mistakenly assuming they were unused.

The company also said it took steps to terminate all malicious connections originating from the threat actor on November 24, 2023. It also engaged cybersecurity firm CrowdStrike to perform an independent assessment of the incident.

“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network,” Cloudflare said.




LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks
http://www.indiavpn.org/2024/01/25/lodeinfo-fileless-malware-evolves-with-anti-analysis-and-remote-code-tricks/
Thu, 25 Jan 2024 17:04:27 +0000

Jan 25, 2024 | Newsroom | Fileless Malware / Endpoint Security


Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that’s distributed via spear-phishing attacks.

The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware “has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques.”

LODEINFO versions 0.6.6 and 0.6.7 were documented by Kaspersky in November 2022, detailing the backdoor’s capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server.

A month later, ESET disclosed attacks targeting Japanese political establishments that led to the deployment of LODEINFO.


The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021.

Attack chains commence with phishing emails bearing malicious Microsoft Word documents that, when opened, execute VBA macros to launch downloader shellcode capable of ultimately executing the LODEINFO implant.


LODEINFO infection paths in 2023 have also been observed making use of remote template injection methods to retrieve and execute malicious macros hosted on the adversary’s infrastructure every time the victim opens a lure Word document containing the template.
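Remote template injection leaves a static fingerprint in the lure document: the package's `word/settings.xml` carries a `w:attachedTemplate` element, and the matching relationship in `word/_rels/settings.xml.rels` has `TargetMode="External"` with a URL or UNC path as its target instead of a local `.dotm`. The triage below is an added example (not ITOCHU's code or anything from the campaign) that opens a `.docx` as the zip container it is, reports any external attached-template targets, and also notes whether an embedded VBA project is present. The sample documents are constructed here as minimal zip containers, not real Word files.

```python
"""Added example (not ITOCHU's or the attackers' code): detect remote
template injection in a .docx by finding an external attachedTemplate
relationship. Sample documents are constructed, minimal zip containers."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return external attachedTemplate targets declared in
    word/_rels/settings.xml.rels (empty list when the document has none)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels_path = "word/_rels/settings.xml.rels"
        if rels_path not in z.namelist():
            return targets
        root = ET.fromstring(z.read(rels_path))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def has_vba_project(docx_bytes):
    """True if the package carries an embedded macro project."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return "word/vbaProject.bin" in z.namelist()


def triage(docx_bytes):
    """What a mail gateway or sandbox would want to know about the file."""
    return {"remote_templates": find_remote_templates(docx_bytes),
            "has_macros": has_vba_project(docx_bytes)}


def build_sample_docx(template_target=None, with_macros=False):
    """Construct a minimal docx-shaped zip for testing (constructed input,
    not a complete Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{WORD_NS}"/>')
        if template_target is not None:
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{WORD_NS}" xmlns:r="{OFFICE_REL_NS}">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/>'
                       '</Relationships>')
        if with_macros:
            # Placeholder bytes standing in for a real OLE container.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure target; the address is documentation space.
    lure = build_sample_docx("http://198.51.100.23/update/template.dotm")
    print(triage(lure))
    print(triage(build_sample_docx()))
```

A benign document can legitimately reference a template on a corporate file share, so the external target itself is the thing to inspect: an internet-hosted `.dotm` fetched on open is the pattern the campaign relies on, and the macro project in the lure file itself may be absent precisely because it arrives with the template.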

What’s more, checks are said to have been added sometime around June 2023 to verify the language settings of Microsoft Office to determine if it’s Japanese, only for it to be removed a month later in attacks leveraging LODEINFO version 0.7.1.


“In addition, the filename of the maldoc itself has been changed from Japanese to English,” ITOCHU noted. “From this, we believe that v0.7.1 was likely used to attack environments in languages other than Japanese.”

Another notable change in attacks delivering LODEINFO version 0.7.1 is the introduction of a new intermediate stage that involves the shellcode downloader fetching a file that masquerades as a Privacy-Enhanced Mail (PEM) from a C2 server, which, in turn, loads the backdoor directly in memory.


The downloader shares similarities with a known fileless downloader dubbed DOWNIISSA based on the self-patching mechanism to conceal malicious code, encoding method for command-and-control (C2) server information, and the structure of the data decrypted from the fake PEM file.

“LODEINFO backdoor shellcode is a fileless malware that allows attackers to remotely access and operate infected hosts,” the company said, with samples found in 2023 and 2024 incorporating extra commands. The latest version of LODEINFO is 0.7.3.

“As a countermeasure, since both the downloader shellcode and the backdoor shellcode of LODEINFO are fileless malware, it is essential to introduce a product that can scan and detect malware in memory in order to detect it,” it added.



