by Richard Beck

Application security testing report uncovers flaws in automated application security testing

The Synopsys Cybersecurity Research Center (CyRC) examined anonymised data from thousands of commercial software security tests performed by Synopsys application security testing services in 2020. The CyRC team measured this data against the 2021 OWASP Top 10 list of the most critical security risks to web applications. Key findings in the report include:

  • 97% of tests uncovered vulnerabilities
  • 36% of tests uncovered high or critical severity vulnerabilities
  • 76% of vulnerabilities uncovered fell into an OWASP Top 10 category 

Vulnerabilities such as cross-site scripting, remote code execution, and SQL injection were most common in commercial software, and are the reason why relying solely on automated security tests can leave organisations at risk of cyberattacks and data breaches. The report describes software risk as business risk: to effectively manage the second, you must address the first.

While “transparent box” testing such as static application security testing (SAST) can bring visibility to security issues early in the software development life cycle, SAST cannot uncover runtime security vulnerabilities. And some vulnerabilities cannot be easily detected by automated testing tools — they need human oversight to be uncovered. For example, the only effective way to detect an insecure direct object reference (IDOR), an issue that allows attackers to manipulate references in order to gain access to unauthorised data, is by having a human perform a manual test. Clearly, there is no one best approach to application security testing. Humans need to perform the security tests they’re the most effective at carrying out, with their efforts augmented by automated testing. A full spectrum of application security testing is an essential component of managing software risk in today’s world.

As the old security saw goes, “You can’t fix problems you don’t know you have.” Most organisations typically use a mix of custom-built code, commercial off-the-shelf code, and open-source components to create the software they sell or use internally. Often those organisations have informal, or no, inventories detailing exactly what components their software is using, as well as those components’ licenses, versions and patch status. With many companies having hundreds of applications or software systems in use, each themselves likely having hundreds to thousands of different third-party and open source components, an accurate, up-to-date Software Bill of Materials (SBOM) is urgently needed to effectively track those components.

Hackers gained access to Australian Gov accounts

South Australia's Department for Infrastructure and Transport confirmed that mySA Gov accounts were compromised through a cyberattack. mySA Gov is the South Australian government's online platform and app that provides residents with single-account access for the state's services, such as checking into a venue or completing transactions for vehicle registration.

The department said hackers accessed these accounts because account holders had used the same or a similar password for their mySA Gov account as for their account with an unrelated website. The hackers then used the passwords they had obtained from the unrelated website to access a number of mySA Gov accounts.

According to the ABC, 2,601 mySA Gov accounts were accessed in the attack, with 2,008 of them containing registration and licensing information. The department became aware of the breach and has since blocked people from logging in if compromised passwords are used. It has also notified affected account holders by email of the potential access to their account. As details could have been accessed by an unauthorised third party, the department has also encouraged all affected account holders to change their driver's licence number by attending a Service SA Centre.

New Zealand reports 15% increase in cyber attacks on critical organisations

New Zealand’s National Cyber Security Centre (NCSC) has observed a 15% year-on-year jump in cyber attacks against the country’s “nationally significant” organisations. More than 400 such incidents were recorded between 1 July 2020 and 20 June 2021, up from 352 a year earlier, according to the NCSC’s latest annual threat report, published on 17 November 2021. More alarmingly still, the proportion of these incidents that reached the post-compromise stage – where threat actors manage to access and move laterally through networks or otherwise cause the victim harm – more than doubled, from 15% to 33%.

Hardcoded SSH key in Cisco Policy Suite lets remote hackers gain root access

Cisco Systems has released security updates to address vulnerabilities in multiple Cisco products that could be exploited by an attacker to log in as a root user and take control of vulnerable systems. Tracked as CVE-2021-40119, the vulnerability has been rated 9.8 in severity out of a maximum of 10 on the CVSS scoring system and stems from a weakness in the SSH authentication mechanism of Cisco Policy Suite.

"An attacker could exploit this vulnerability by connecting to an affected device through SSH," the networking major explained in an advisory, adding, "A successful exploit could allow the attacker to log in to an affected system as the root user." Cisco said the bug was discovered during internal security testing.

Cisco Policy Suite releases 21.2.0 and later will also automatically create new SSH keys during installation, while requiring a manual process to change the default SSH keys for devices being upgraded from 21.1.0. Also addressed by Cisco are multiple critical vulnerabilities affecting the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) that could enable an unauthenticated, remote attacker to log in using an inadvertent debugging account existing in the device and take over control, perform a command injection, and modify the configuration of the device.

New Trojan Source technique lets hackers hide vulnerabilities in source code

A novel class of vulnerabilities could be leveraged by threat actors to inject visually deceptive malware in a way that's semantically permissible but alters the logic defined by the source code, effectively opening the door to more first-party and supply chain risks. Dubbed "Trojan Source attacks," the technique exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. The vulnerabilities, which Cambridge University researchers Nicholas Boucher and Ross Anderson discuss in a newly published paper and which are tracked as CVE-2021-42574 and CVE-2021-42694, affect compilers of all popular programming languages such as C, C++, C#, JavaScript, Java, Rust, Go, and Python.

At its core, the issue concerns Unicode's bidirectional (or Bidi) algorithm that enables support for both left-to-right (eg English) and right-to-left (eg Arabic or Hebrew) languages, and also features what's called bidirectional overrides to allow writing left-to-right words inside a right-to-left sentence, or vice versa, thereby making it possible to embed text of a different reading direction inside large blocks of text.

Such adversarial encodings can have a serious impact on the supply chain, the researchers warn, when invisible software vulnerabilities injected into open-source software make their way downstream, potentially affecting all users of the software. Even worse, the Trojan Source attacks can become more severe should an attacker use homoglyphs to redefine pre-existing functions in an upstream package and invoke them from a victim program.
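A defensive check for the two tricks described above, Bidi control characters and mixed-script (homoglyph) identifiers, is sketched below as an added example; it is not code from the researchers' paper or from any vendor tool. The function names, the rough script heuristic and the sample text are all constructed for illustration.

```python
import re
import unicodedata

# Unicode Bidi formatting characters (embeddings, overrides, isolates).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
IDENT = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier-like tokens


def script_of(ch):
    """Rough script label: first word of the Unicode character name."""
    if ch == "_" or ch.isdigit():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scan_source(text):
    """Return (line_no, kind, detail) findings for one source file's text."""
    findings = []
    # split("\n") keeps line numbers aligned with what an editor shows.
    for no, line in enumerate(text.split("\n"), start=1):
        hits = [BIDI_CONTROLS[c] for c in line if c in BIDI_CONTROLS]
        if hits:
            findings.append((no, "bidi-control", ",".join(hits)))
        for tok in IDENT.findall(line):
            scripts = {s for s in map(script_of, tok) if s}
            if len(scripts) > 1:  # e.g. Latin letters mixed with Cyrillic
                findings.append((no, "mixed-script", ",".join(sorted(scripts))))
    return findings


# Constructed sample: a comment wrapped in Bidi controls, and an identifier
# whose "a" is CYRILLIC SMALL LETTER A (U+0430) rather than Latin "a".
SAMPLE = (
    "limit = 10  # \u202enote\u202c\n"
    "def v\u0430lidate(token):\n"
    "    return token\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Run as a pre-commit or CI step, a check like this rejects changes that contain these characters unless a file is explicitly allow-listed, for example localisation resources that legitimately hold right-to-left text.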

Microsoft to release Defender for Business platform

Microsoft announced the upcoming release of Microsoft Defender for Business, a new security tool that will soon be available for preview. Once the tool is available, customers will be able to buy the platform directly from Microsoft as a standalone offering costing $3 per user per month. The platform covers everything from threat and vulnerability management to misconfiguration remediation, attack surface reduction, antimalware and antivirus protection. It also comes with endpoint detection and response, manual response actions, automated investigation features and more. 

The tool will work regardless of whether your email and productivity tools are on-premises, in Microsoft 365, or in other solutions. It will be included as part of Microsoft 365 Business Premium accounts and can be integrated with Microsoft 365 Lighthouse.

Google Ads used for stealing credentials and draining accounts

Crypto criminals are investing in Google Ads to target victims with bogus wallets that steal credentials and deplete balances. So far, it appears that the cyber crooks have stolen more than $500,000 and counting. According to a recent Check Point Research investigation, the adverts link to what are purportedly downloads of the prominent crypto-wallets Phantom and MetaMask.

According to the research, attackers began by using Google Ads to look for possible victims. Clicking on the malicious Google Ad redirects the user to a malicious site that has been doctored to look like the Phantom (or occasionally MetaMask) wallet site. The target is then asked to register a new account with a “Secret Recovery Phrase”. They are also asked to create a password for the alleged account (which is harvested by the attackers). Following that, visitors are given a keyboard shortcut to open the wallet and then led to the authentic Phantom site, according to Check Point. If the user then adds the Chrome wallet tab to their browser and enters the newly created recovery phrase from the attacker, they actually log in to the attacker’s wallet instead of creating a new one. This means that if they transfer any funds, the attacker receives them immediately.
