A novel supply chain attack, called dependency confusion or a substitution attack, takes advantage of the open ecosystem that many businesses use as part of their app development process. And given that business apps have become increasingly important, any threat to the app development supply chain could potentially have huge implications. Found this short intro interesting? Then click and read the whole new episode of the Xopero Security Center.
Dependency Confusion attack technique or how to hack into Apple, Microsoft and 33 other companies
Microsoft documented a new type of attack technique called a dependency confusion or a substitution attack that can be used to poison the app-building process inside corporate environments by inserting a malicious code inside private code repositories.
Developers use package managers to download and import libraries that are then assembled together using build tools to create a final app. If the app contains proprietary or highly-sensitive code, companies will often also use private libraries that they store inside a private (internal) package repository, hosted inside the company’s own network. When apps are built, the company’s developers will mix these private libraries with public libraries downloaded from public package portals like npm, PyPI, NuGet, or others.
New “Dependency Confusion” attack
Researchers showed that if an attacker learns the names of private libraries used inside a company’s app-building process, they could register these names on public package repositories and upload public libraries that contain malicious code.
The “Dependency Confusion” attack takes place when developers build their apps inside enterprise environments, and their package manager prioritizes the (malicious) library hosted on the public repository instead of the internal library with the same name.
The research team said they put this discovery to the test by searching for situations where big tech firms accidentally leaked the names of various internal libraries and then registered those same libraries on package repositories like npm, RubyGems, and PyPI.
Using this method, researchers tried to load their (non-malicious) code inside apps used by 35 major tech firms, including the likes of Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, and others. And the success rate was simply astonishing. Researchers have already made the prominent tech companies aware of this type of attack who have now implemented some kind of mitigation across their infrastructure.
An unknown attacker tried to poison Florida City’s water supply
A threat actor hacked into the computer system of the water treatment facility in Oldsmar, Florida, and tried to poison the town’s water supply by raising the levels of sodium hydroxide, or lye, in the water supply.
Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It is used to control water acidity and remove metals from drinking water in water-treatment plants.
An operator at the plant first noticed a brief intrusion Friday, Feb. 5, around 8:00 a.m. Someone remotely accessed the computer system the operator was monitoring that controls chemical levels in the water as well as other operations. At first the operator “didn’t think much of it” because it’s normal for his supervisors to use the remote access feature to monitor his computer screen at times.
However, around 1:30 p.m. someone again remotely accessed the computer system and the operator observed the mouse moving around on the screen to access various systems that control the water being treated. During the second intrusion, which lasted three to five minutes, the intruder changed the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million.
Fortunately, the operator quickly changed the level back to normal after the intrusion and alerted supervisors. Even if the operator hadn’t so quickly noticed the malicious activity, it would have taken 24 to 36 hours for the tainted water to hit the water supply, and redundancies in the system would have tested it before then and caught the high levels of sodium hydroxide. Still, the incident is a dire reminder of the potentially catastrophic effect an attack on critical infrastructure can have on public safety, making the security of these systems a top concern.
Update
Why we are not surprised… The Florida water treatment facility used an unsupported version of Windows OS (32-bit version of the Windows 7) with no firewall and shared the same TeamViewer password among its employees.
HelloKitty ransomware attack on CD Projekt Red: source codes of Cyberpunk 2077, Witcher – sold at illegal auction
On Tuesday, CD Project Red disclosed that they were the target of a ransomware attack that encrypted devices on their network and led to the theft of unencrypted files. The attack was conducted by a ransomware group that goes by the name…”Hello Kitty”. The attackers stole unencrypted source code for Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3.
As part of the double-extortion attempt, the attackers threatened to release or sell the stolen data if CDPR did not pay the ransom. CD Projekt stated that they would not give into the ransom demands and instead are restoring from backups that remain intact.
Later last week, a security researcher twitted that threat actors have started to auction stolen internal documents, ‘CD Projekt offenses,’ and the source code for Cyberpunk 2077, Witcher 3, Thronebreaker, and an unreleased Witcher 3 version with raytracing on Exploit.in cybercrime forum. The starting price for this auction was $1 million with bid increments of $500,000 and a ‘blitz’ or buy now price of $7 million. To prove the stolen data’s validity, the seller known as ‘redengine’ has shared a text file containing a directory listing from the alleged Witcher 3 source code.
On Thursday Dark web monitoring organization KELA reported that the data were sold and criminals received a satisfying offer.
CD Projekt Red said that it had already contacted the relevant institutions to further investigate the cyberattack, including data protection authorities and computer forensics specialists.
What now? The company did not lose data, it was possible to recover it from backup – so game production is not at risk. Selling source codes at auction, however, can cause criminals to spot vulnerabilities faster and prepare attacks on these popular titles.
12-year-old Windows Defender bug gives hackers admin rights
Microsoft has fixed a privilege escalation vulnerability in Microsoft Defender Antivirus (formerly Windows Defender) that could allow attackers to gain admin rights on unpatched Windows systems. According to stats this anti-malware solution is running on over 1 billion Windows 10 systems.
The elevation of privileges flaw tracked as CVE-2021-24092 impacts Defender versions going back as far as 2009, and it affects client and server releases starting with Windows 7 and up.
Threat actors with basic user privileges can exploit it locally, as part of low complexity attacks that don’t require user interaction. The vulnerability also impacts other Microsoft security products including but not limited to Microsoft Endpoint Protection, Microsoft Security Essentials, and Microsoft System Center Endpoint Protection.
SentinelOne found and reported the vulnerability in November 2020. Microsoft released a patch on Tuesday, together with the other security updates published as part of the February 2021 Patch Tuesday.
The vulnerability was discovered in the BTR.sys driver (also known as the Boot Time Removal Tool) used during the remediation process to delete files and registry entries created by malware on infected systems. The bug had remained undiscovered for 12 years, probably due to the nature of how this specific mechanism is activated. The driver is normally not present on the hard drive but rather dropped and activated when needed (with a random name) and then purged away.
Since the vulnerability is present in all Windows Defender versions starting from around 2009, it’s likely that numerous users will fail to apply the patch, leaving them exposed to future attacks.
The only way to secure yourself is patching now if you do not have automatic updates enabled. Systems patched against this vulnerability should run Microsoft Malware Protection Engine version 1.1.17800.5 or later.
Do you have thirst for knowledge? There are ten more cybersecurity stories below
1. Actively Exploited Windows Kernel EoP Bug Allows Takeover (Threat Post)
2. Google Play Boots Barcode Scanner App After Ad Explosion (Threat Post)
3. Apple fixes SUDO root privilege escalation flaw in macOS (Bleeping Computer)
4. Adobe Patches Reader Vulnerability Exploited in the Wild (Security Week)
5. Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests (ZDNet)
6. LodaRAT Windows malware now hunting Android devices (HackRead)
7. Brazilian authorities start probe as 102 million consumers are exposed in new leak (ZDNet)
8. Buggy WordPress plugin exposes 100K sites to takeover attacks (Bleeping Computer)
9. AgentTesla Dropped Through Automatic Click in Microsoft Help File (InfoSec Handlers Diary Blog)
10. Microsoft releases emergency fix for Windows 10 WiFi crashes (Bleeping Computer)