A new ransomware data exfiltration tool is found, a warning that exploit proofs-of-concept on GitHub may not be safe, and more.
Welcome to Cyber Security Today. It’s Monday, October 24th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Many ransomware gangs use affiliates to initially break into the networks of targets. Those affiliates are just as crafty as the ransomware developers and often create custom tools to help their work. The latest example is the discovery by researchers at Symantec of a new data exfiltration tool they call Exbyte. It’s usually deployed prior to the installation of the BlackByte strain of ransomware. Thanks to the work of these researchers there are indicators of compromise that security and IT teams can look for. There’s a link to their report in the text version of this podcast.
Threat actors are still trying to exploit an unpatched hole in VMware’s Workspace One Access and Identity Manager. This alert comes from researchers at Fortinet, who have released an analysis of some of the attempts. VMware administrators have no excuse for not patching this application by now: The security update was released in April.
Attention IT administrators using Microsoft Azure for running applications: You need to install a patch issued by Microsoft earlier this month to close a vulnerability in the Service Fabric Explorer. SFX inspects and manages cloud applications and nodes in a Service Fabric cluster. The hole allows an attacker to gain full administrative privileges on the cluster. The hole was discovered by researchers at Orca Security. They note the hole affects version 1 of SFX. Administrators should make sure they’re running version 2.
Application developers have been warned for months about the risk of malicious packages in open-source repositories hosted on GitHub. Now there’s a warning of hidden threats in proof-of-concept exploits also uploaded to GitHub. The work was done by researchers at the Leiden Institute of Advanced Computer Science and presented last week at a conference in the Netherlands. Proofs-of-concept are supposed to help developers learn how hackers exploit holes in code. But the research suggests some threat actors are using GitHub as a place to plant malicious code on the computers of developers by hiding it within a proof-of-concept exploit. GitHub, like other open code repositories, doesn’t provide an assurance that any code — be it an application library or a proof of concept — is trustworthy. One of the researchers, who also works for Darktrace, told the Bleeping Computer news site that developers should carefully scrutinize the proofs-of-concept they download from any source. One hint: Be suspicious if the code is heavily obfuscated and would take too much time to analyze manually. Another hint: Use open-source intelligence tools like VirusTotal to analyze any binaries that ship with open-source code.
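The two hints above (treat heavy obfuscation as a red flag, and look at anything encoded before you run it) can be turned into a first-pass triage check for a downloaded PoC. This is an added example, not code from the Leiden researchers or from the podcast; the heuristics, thresholds and the sample PoC text are constructed for illustration.

```python
import base64
import math
import re

# Indicators of the "too obfuscated to review" pattern. Thresholds are assumptions.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")          # long encoded literal
EXEC_CALL = re.compile(r"\b(exec|eval|compile|subprocess\.(Popen|run|call)|os\.system)\s*\(")
DECODE_CALL = re.compile(r"(b64decode|bytes\.fromhex|zlib\.decompress|marshal\.loads)")


def shannon_entropy(s: str) -> float:
    """Bits per character: plain code sits around 4-5, random-looking data near 6."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def review_poc(source: str) -> list[str]:
    """Return human-readable findings for a PoC script's text; empty list means nothing flagged."""
    findings = []
    for blob in B64_RUN.findall(source):
        if shannon_entropy(blob) > 5.0:
            findings.append(f"high-entropy literal ({len(blob)} chars): encoded payload?")
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:          # not valid base64 after all (binascii.Error is a ValueError)
            continue
        if EXEC_CALL.search(decoded) or "http" in decoded:
            findings.append("base64 literal decodes to executable code or a URL")
    if DECODE_CALL.search(source) and EXEC_CALL.search(source):
        findings.append("decode-then-execute pattern: decoder and exec/eval in the same file")
    return findings


# Constructed sample of a PoC whose real behaviour is hidden in an encoded literal.
HIDDEN = base64.b64encode(b"import os; os.system('id')  # stand-in for a hidden payload").decode()
SAMPLE_POC = f'''import base64
# "PoC for CVE-XXXX-XXXXX" (placeholder id): exploit body hidden in an encoded literal
exec(base64.b64decode("{HIDDEN}"))
'''

if __name__ == "__main__":
    for finding in review_poc(SAMPLE_POC):
        print("FLAG:", finding)
```

A clean finding list is not proof of safety; it only means the file is worth reading by hand rather than discarding outright.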
IT and security leaders need to know what’s in applications to be able to judge their level of risk. Last week Google announced a way to help. It has created a project called the Graph for Understanding Artifact Composition, or GUAC for short. The goal is to help developers create metadata about their applications that describes the software build, its security and its dependencies. There already are several efforts, such as the ability to create signed attestations about how software was built (known as SLSA), and software bill of materials generators. However, Google argues that it’s hard to combine and synthesize this information into a comprehensive view. GUAC would bring together different sources of software security metadata into a graph database. This is an open-source project on GitHub, and Google is looking for contributors.
Here’s how this could help you. It only took a few days for hackers to start trying to exploit the vulnerability in the open-source Apache Commons Text library, which is used by some developers in their applications. I told you about this hole — now given the nickname Text4Shell — last Wednesday. A few days later researchers at Wordfence said they started seeing threat actors looking for vulnerable applications. This vulnerability isn’t as bad as Log4Shell, but Text4Shell needs to be addressed.
Finally, international acceptance of a cybersecurity rating system for smart consumer products is progressing. Last week Singapore and Germany agreed to recognize each other’s cybersecurity rating systems. Finland has a similar agreement with Singapore, where the idea started. And last week at a conference at the White House the Biden administration encouraged the U.S. technology industry to come up with similar but voluntary labeling standards by next year. The U.S. idea would have a bar code consumers could scan on items like internet routers, internet-connected speakers, household robots and home automation hubs. The label might rate a device’s security on points such as whether it can receive security updates, whether it collects only limited personal data, whether that data is encrypted, and other things.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.