by Richard Beck

NATO cloud platform vulnerable to attack

In May 2021, a group of hackers broke into the IT infrastructure of a Spanish company called Everis. Researchers report that this intrusion is how the attackers were able to reach a NATO cloud computing platform; the cybercriminals claim to have copied the data on this platform through a backdoor. The NATO platform is known as SOA & IdM (Provision of Service Oriented Architecture & Identity Management Platform), and NATO’s wider information technology modernisation effort is also known as the Polaris programme.

Paul Howland, NATO Polaris Programme Officer, said: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce operational costs by ensuring a much greater reuse of deployed capacities.”

While NATO says it is ready to retaliate in the event of a cyber threat, the hackers behind the attack explained that they were initially interested only in data from Everis’ Latin America subsidiaries; they were not even aware that a loophole into the NATO platform could be found. Besides stealing data from NATO’s SOA & IdM platform, the hackers also attempted to extort Everis, offering, in exchange for 14,500 XMR (an open-source cryptocurrency whose value is currently estimated at 228 euros for 1 XMR), not to associate the Spanish company’s name with the LATAM Airlines data leak and not to disclose the NATO data. Everis has not paid the ransom.

Most developers never update third-party libraries

Most developers never update third-party libraries after including them in their software, a new report from application security company Veracode reveals. Compiled in partnership with the Cyentia Institute, Veracode’s latest State of Software Security report focuses on open-source software and the way developers approach the security of the third-party libraries they use. An analysis of more than 86,000 repositories containing over 300,000 unique libraries, together with discussions with more than 1,700 developers, revealed that, although the open-source landscape is constantly changing and libraries are continuously evolving, 79% of libraries are never updated after being included in software. While some developers act quickly when learning of vulnerabilities in the libraries they use, with 25% of bugs addressed within a week, half of the security holes are still unpatched seven months after fixes are released. The report attributes this delay to developers lacking the information they need to take immediate action.

“When developers understand the implications of vulnerabilities and appropriately prioritise security, they can fix most flaws easily,” Veracode notes.

In fact, half of all vulnerabilities are addressed within three weeks when developers have the information they need. The report also found that the majority (92%) of vulnerabilities in third-party libraries can be patched with a single update, and that 69% of those updates are minor version changes, unlikely to break application functionality. Another worrying finding is that roughly half of the libraries that contain vulnerabilities may take longer than 21 months to be updated, while approximately 25% aren’t updated even after four years.
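The report’s point is that most pending fixes are low-risk version bumps that go unapplied for lack of information. The following Python script is an added example, not code from the Veracode report or any vendor tool: it reads pinned requirements, compares each pin with the newest known release, classifies the pending upgrade as patch, minor or major, and ranks the list so that bumps carrying a known fix come first and low-risk patch/minor bumps precede major ones. The requirements file, the “latest version” table and the “fixed-in” table are all constructed sample data.

```python
"""Triage pending library updates by semantic-version distance.

Added example, not code from the Veracode report or any vendor tool. All
sample data below is constructed; in practice the latest-version and
fixed-in tables would come from the package index and an advisory feed.
"""
import re

# Constructed sample: a requirements.txt with exact pins
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
urllib3==1.26.3      # HTTP client used by requests
jinja2==2.11.3
# templating and config
pyyaml==5.4.1
"""

# Constructed sample: newest release of each library (hypothetical values)
SAMPLE_LATEST = {
    "requests": "2.25.1",
    "urllib3": "1.26.5",
    "jinja2": "3.0.1",
    "pyyaml": "5.4.1",
}

# Constructed sample: libraries with a known security fix and the version
# that carries it (hypothetical values, not real advisories)
SAMPLE_FIXED_IN = {"urllib3": "1.26.5"}

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$")


def parse_pins(text):
    """Return {name: pinned_version} for lines of the form name==version."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        m = PIN_RE.match(line) if line else None
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def version_tuple(version):
    """Reduce a version string to (major, minor, patch) integers."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def bump_kind(current, latest):
    """Classify the jump from current to latest."""
    cur, new = version_tuple(current), version_tuple(latest)
    if new <= cur:
        return "up-to-date"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def plan_updates(requirements_text, latest, fixed_in):
    """Return (name, current, latest, kind, security) rows, most urgent first."""
    rows = []
    for name, current in parse_pins(requirements_text).items():
        if name not in latest:
            continue
        kind = bump_kind(current, latest[name])
        if kind == "up-to-date":
            continue
        # security=True when the pin is older than the version carrying the fix
        security = name in fixed_in and version_tuple(current) < version_tuple(fixed_in[name])
        rows.append((name, current, latest[name], kind, security))
    rank = {"patch": 0, "minor": 1, "major": 2}
    rows.sort(key=lambda r: (not r[4], rank[r[3]], r[0]))
    return rows


if __name__ == "__main__":
    for name, cur, new, kind, sec in plan_updates(SAMPLE_REQUIREMENTS, SAMPLE_LATEST, SAMPLE_FIXED_IN):
        print(f"{name:10} {cur:>8} -> {new:<8} {kind:5} {'SECURITY' if sec else ''}")
```

On the constructed data the script lists urllib3 first (a patch bump that carries a fix) and jinja2 second (a major bump with no known fix), which is exactly the ordering the report argues for: apply the cheap, low-risk fixes immediately and schedule the breaking ones. The version parser deliberately ignores pre-release suffixes, so a real deployment would swap in the `packaging` library’s version comparison.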

South Korean nuclear research agency targeted

The security breach at the Korea Atomic Energy Research Institute (KAERI), in which attackers targeted the agency’s VPN server, first took place on 14 May, and the research agency spotted it on 31 May. The agency informed the government about the breach and launched an investigation. South Korean authorities did not reveal which VPN vendor was targeted by the attackers; the VPN server vendor was redacted in documents shown at a KAERI press conference.

Further, the investigation into the intrusion exposed the involvement of 13 internet addresses. One of these addresses was traced back to the Kimsuky APT group. Last October, US-CERT issued a report on Kimsuky’s recent activities that provided information on the group’s TTPs (tactics, techniques and procedures) and infrastructure.

A month ago, researchers issued a report on the group’s operations targeting the South Korean government, in which it was observed conducting spear-phishing attacks to deliver the AppleSeed backdoor. Even though the North Korean APT group is suspected of being behind the recent attack on KAERI, an official leading the investigation found no concrete evidence linking the intrusion to North Korea. Moreover, nuclear energy and arms-related organisations are under attack from several other APT groups across the globe, and such organisations are advised to tighten their security to avoid similar incidents.

Tor browser fixes vulnerability that tracks you using installed apps

The Tor Project has released Tor Browser 10.0.18 to fix numerous bugs, including a vulnerability that allows sites to track users by fingerprinting the applications installed on their devices. In May, JavaScript fingerprinting firm FingerprintJS disclosed a "scheme flooding" vulnerability that allows the tracking of users across different browsers based on the applications installed on their device. To build a tracking profile, a site attempts to open various application URL handlers, such as zoommtg://, and checks whether the browser launches a prompt. If the application's prompt is displayed, it can be assumed that the application is installed on the device. By checking numerous URL handlers, the site can derive an ID from the unique combination of installed apps on the user's device. This ID can then be tracked across different browsers, including Google Chrome, Edge, Tor Browser, Firefox and Safari.

With the release of Tor Browser 10.0.18, the Tor Project has introduced a fix for this vulnerability by setting the network.protocol-handler.external setting to false. This default prevents the browser from passing the handling of a URL to an external application, so the application prompts are no longer triggered.

Linux distributions targeted by ransomware attacks

Security researchers from Trend Micro have discovered an attack chain using an SSH worm and DarkRadiation ransomware. Most components of this attack chain target Red Hat and CentOS Linux distributions, while some scripts target Debian-based distributions. According to the researchers, hacking tools are used to move laterally on targeted networks to deliver the ransomware. These tools included exploits for Red Hat/CentOS, binary injectors and reconnaissance/spreader scripts. Analysis of the attack chain revealed an SSH worm and a ransomware script: the ransomware is named DarkRadiation, and the downloader[.]sh script acts as the SSH worm.

The SSH worm accepts base64-encoded configuration credentials as arguments, which are either dumped after the initial foothold on a system or used as a brute-force list to target systems with weak passwords. The ransomware is written as a bash script and targets Red Hat/CentOS and Debian Linux distributions. The script named supermicro_cr_third is suspected to be the latest version of this ransomware. The script is obfuscated with node-bash-obfuscate, a Node[.]js CLI tool and library for obfuscating bash scripts, which can divide a bash script into chunks. Adversaries usually use multiple hacking tools to move laterally on targeted networks; however, the hacking tools in this attack have very low detection numbers in VirusTotal, so the researchers suspect the attackers are deliberately using low-profile tools to stay hidden.
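Because the tools in this chain have low antivirus detection rates, a defender is left with generic traits to look for: base64 content decoded at runtime, a script split into many short string chunks that are reassembled, and evaluation of the result. The following Python scorer is an added example, not Trend Micro’s detection logic, and it does not reproduce the DarkRadiation or downloader[.]sh samples; both sample scripts, the indicator patterns and the thresholds are constructed.

```python
"""Heuristic triage of shell scripts for obfuscation and encoded-payload patterns.

Added example, not vendor detection logic. The two sample scripts below are
constructed; the suspicious one reassembles the base64 of "echo hello" from
4-character chunks, decodes it and eval's the result.
"""
import re

# Constructed benign sample: an ordinary backup script
BENIGN_SCRIPT = """\
#!/bin/bash
set -euo pipefail
SRC=/var/lib/app
DST=/backup/app-$(date +%F).tar.gz
tar czf "$DST" "$SRC"
echo "backup written to $DST"
"""

# Constructed suspicious sample: payload split into chunks, reassembled, decoded, eval'ed
CHUNKED_SCRIPT = """\
#!/bin/bash
_a="ZWNo"
_b="byBo"
_c="ZWxs"
_d="bw=="
_e="$_a$_b$_c$_d"
eval "$(echo "$_e" | base64 -d)"
"""

# Text patterns; each hit adds one point to the score
INDICATORS = {
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "eval_of_command_subst": re.compile(r"eval\s+\"?\$\("),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b"),
}

# A line that assigns a short literal made only of base64-alphabet characters
CHUNK_ASSIGN = re.compile(r'^\s*[A-Za-z_][A-Za-z0-9_]*=["\']?[A-Za-z0-9+/=]{1,8}["\']?\s*$')


def code_lines(text):
    """Non-empty lines that are not comments (the shebang counts as a comment)."""
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def score_script(text, chunk_ratio_threshold=0.4):
    """Return {'score', 'indicators', 'lines'} for one script body."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    lines = code_lines(text)
    chunk_lines = sum(1 for l in lines if CHUNK_ASSIGN.match(l))
    # many short literal chunks relative to script size suggests a reassembled payload
    if lines and chunk_lines / len(lines) >= chunk_ratio_threshold:
        hits.append("chunked_assignments")
    return {"score": len(hits), "indicators": hits, "lines": len(lines)}


def triage(scripts, min_score=2):
    """Return names of scripts whose score reaches min_score, highest score first."""
    scored = {name: score_script(body) for name, body in scripts.items()}
    flagged = [n for n, r in scored.items() if r["score"] >= min_score]
    return sorted(flagged, key=lambda n: -scored[n]["score"])


if __name__ == "__main__":
    samples = {"backup.sh": BENIGN_SCRIPT, "chunked.sh": CHUNKED_SCRIPT}
    for name, body in samples.items():
        print(name, score_script(body))
    print("flagged:", triage(samples))
```

The scorer is a triage aid, not a verdict: legitimate installers also decode base64 and legitimate scripts also use eval, which is why a single indicator is not enough to flag a file and why the output lists which indicators matched so an analyst can look at the right lines. Running it over the scripts found in cron directories, home directories and temporary paths of a suspect host gives a short list to inspect first.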

Python projects exploited for cryptomining

This week, multiple malicious packages that turned developers' workstations into cryptomining machines were caught in the PyPI repository for Python projects. All of the malicious packages were published by the same account and tricked developers into downloading them thousands of times by using misspelled names of legitimate Python projects. A total of six packages containing malicious code infiltrated the Python Package Index (PyPI). All came from the user “nedog123”, and the names of most of them are misspelled versions of matplotlib, the legitimate plotting library. Ax Sharma, a security researcher at DevOps automation company Sonatype, analysed the “maratlib” package in a blog post, noting that it was used as a dependency by the other malicious components.

“For each of these packages, the malicious code is contained in the file which is a build script that runs during a package’s installation,” the researcher writes.

Attackers are constantly targeting open-source code repositories like PyPI, NPM for NodeJS or RubyGems. Even when detection comes while the download count is still low, as typically happens, there is a significant risk, because developers may integrate the malicious code into widely used projects. In this case, the six malicious packages were caught by Sonatype after scanning the PyPI repository with its automated malware detection system, Release Integrity. At detection time, the packages had accumulated almost 5,000 downloads since April, with “maratlib” recording the highest download count at 2,371.
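Lookalike names such as “maratlib” for matplotlib are the simplest signal a team can check before a package is installed. The following Python script is an added example, not Sonatype’s Release Integrity or any PyPI-side tooling: it normalises package names the way PyPI does (PEP 503) and measures Levenshtein edit distance from each requested name to a small allowlist, marking a name that is close to, but not equal to, an allowlisted package as suspicious for human review. The allowlist, the install list and the distance threshold are constructed.

```python
"""Flag requested package names that look like misspellings of well-known ones.

Added example, not Sonatype's or PyPI's tooling. Allowlist, install list and
threshold are constructed; the real allowlist would be the organisation's
approved dependency set.
"""
import re

# Constructed allowlist of packages the organisation expects to install
KNOWN_PACKAGES = ["matplotlib", "numpy", "requests", "pandas", "scipy"]

# Constructed install request: one exact match, two lookalikes, one unrelated name
SAMPLE_INSTALL_LIST = ["NumPy", "maratlib", "requets", "zzz-internal-tool"]


def normalise(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def nearest_known(name, known=KNOWN_PACKAGES):
    """Return (allowlisted_name, distance) for the closest allowlisted package."""
    norm = normalise(name)
    best = min(known, key=lambda k: levenshtein(norm, normalise(k)))
    return best, levenshtein(norm, normalise(best))


def triage(install_list, known=KNOWN_PACKAGES, max_distance=4):
    """Return (requested, verdict, nearest, distance) for each requested name."""
    results = []
    for name in install_list:
        nearest, dist = nearest_known(name, known)
        if dist == 0:
            verdict = "known"
        elif dist <= max_distance:
            verdict = "suspicious"     # close to an allowlisted name but not it
        else:
            verdict = "unknown"        # not on the allowlist, not a lookalike
        results.append((name, verdict, nearest, dist))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_INSTALL_LIST):
        print("%-18s %-10s nearest=%s (distance %d)" % row)
```

The fixed threshold of 4 edits is deliberately loose so that an 8-character name four edits away from a 10-character one is still caught; production tooling scales the threshold with name length and gives extra weight to keyboard-adjacent or visually similar substitutions. “Unknown” only means the name is not on the allowlist, so in a locked-down build that verdict should block the install as well.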
