Verizon Enterprise gets breached & the irony is strong with this one, details on the NPM fiasco & why SamSam is holding up the doctor.
Plus some great questions, a packed round up & much, much more!
- NPM is a package manager, for node.js
- The Node.js ecosystem is “special”
- Many of its packages are tiny code snippets, often a single function
- Most packages depend on a number of other packages to work correctly
- For example, the package ‘isArray’, which is a one-line function to tell if an object is an array, is depended upon by 72 other packages
- There was a package called ‘kik’, created by Azer Koçulu
- Kik.com, a mobile messaging app, wanted to create their own new package, called kik, for some new open source project
- Unpleasant discussions occurred
- Eventually kik.com had the NPM managers transfer ownership of the kik package name to the kik.com account
- Azer was offended by this and unpublished all of his packages from NPM (273 of them, by his own count)
- This fallout had unintended consequences
- One of those modules, left-pad, was a simple 11-line function that left-pads a string or number with spaces or zeros.
- left-pad had been downloaded 2,486,696 times in the previous month
- It was a dependency of a huge number of projects, including: Node.js itself, Babel,
- NPM then restored the unpublished left-pad version so that dependent builds worked again
- module’s author’s Medium.com post
- kik.com’s Medium.com post
- Official NPM blog post
- Blog Post: Have we forgotten how to program?
- Left-pad as a service
- “The fact that this is possible with NPM seems really dangerous. The author unpublished (erm, “liberated”) over 250 NPM modules, making those global names (e.g. “map”, “alert”, “iframe”, “subscription”, etc) available for anyone to register and replace with any code they wish. Since these libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, “left-pad” with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds.”
- “Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned”
- “Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise”
- “The seller priced the entire package at $100,000, but also offered to sell it off in chunks of 100,000 records for $10,000 apiece. Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site”
- “Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
- So it seems to be just contact details from a database behind the website, not more sensitive material such as login credentials for customer networks or the other details Verizon would hold as it administers and investigates those customers' networks
- The stolen data appears to be in MongoDB format, which suggests that is how it was stored on Verizon's side
- “The irony in this breach is that Verizon Enterprise is typically the one telling the rest of the world how these sorts of breaches take place. I frequently recommend Verizon’s annual Data Breach Investigations Report (DBIR) because each year’s is chock full of interesting case studies from actual breaches, case studies that include hard lessons which mostly age very well (i.e., even a DBIR report from four years ago has a great deal of relevance to today’s security challenges).”
- “According to the 2015 report, for example, Verizon Enterprise found that organized crime groups were the most frequently seen threat actor for Web application attacks of the sort likely exploited in this instance. “Virtually every attack in this data set (98 percent) was opportunistic in nature, all aimed at easy marks,” the company explained.”
- This attack may have been more targeted in nature, though it could equally have been opportunistic if Verizon simply failed to secure the database
- Customers whose data was taken are likely targets for spear phishing, including emails pretending to come from Verizon, which provides network security and post-breach investigation services to those same customers
- Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits.
- This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.
- A particular focus appears to have been placed on the healthcare industry.
- Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.
- Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.
- SamSam encrypts various file types (listed in Appendix A of the Talos post) with Rijndael (the cipher standardized as AES) and then encrypts that symmetric key with a 2048-bit RSA public key. Without the matching private key the files are unrecoverable, unless the author made a mistake in the implementation of the encryption.
- One interesting note regarding the samples Talos has observed is that the malware will abort the encryption routine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for compatibility reasons.
- There were a couple of open source tools that were seen being leveraged by the adversaries. The first is JexBoss, which is a testing and exploitation framework for JBoss application servers.
- This was being used as an initial infection vector to gain a foothold in the network to spread the ransomware.
- The second is a component of REGeorg, tunnel.jsp. REGeorg is an open source framework to create socks proxies for communication.
- Talos has also seen the payment options change as the campaign went on. Initially the demand was 1 bitcoin for each infected PC.
- Later the price for a single system was raised to 1.5 bitcoin, likely the malware authors probing how much victims will pay for their files.
- They even added a bulk option of 22 bitcoin to decrypt all infected systems.
HEADS UP: Stand ready to patch all of your Windows, Linux, BSD, OS X, iOS and Android servers, and all of your routers, print servers, set-top boxes, smart TVs and IoT devices. Basically anything with a CPU. The “BADLOCK” bug will be revealed on April 12th, 2016. It is billed as a critical vulnerability in the SMB protocol itself, so it affects Windows and every other implementation of the protocol (Samba, whatever Apple uses, whatever Android uses, etc.)
- Docker for Mac and Windows Beta: the simplest way to use Docker on your laptop
- Krebs: Stolen credit cards are now a buyers market, a look inside “Joker’s Stash” to find out
- Microsoft deletes ‘teen girl’ AI after it became a Hitler-loving sex robot within 24 hours
- Spammers and Phishers abusing open redirectors on .GOV domains to hide link destinations
- Once thought safe, DDR4 memory shown to be vulnerable to “Rowhammer”
- Apple suspects server tampering during shipping
- A Government Error Just Revealed Snowden Was the Target in the Lavabit Case
- A proposal for SSTS, a version of HSTS for SMTP — My server claims it will ALWAYS support crypto, if you ever see it not, someone is intercepting the connection
- By boosting the radio signal of your contactless car keys, thieves can unlock and start 24 models of car while the owner is 300 feet away, and indoors
- AMEX reveals more about stolen card data
- The firm helping the FBI hack the iPhone may be Cellebrite
- Hackers accidentally break into a water treatment plant and modify parameters by accident. No one was harmed
- Vulnerability in 70 CCTV DVRs Traced Back to Chinese Firm Who Ignores Researcher
- A cross-site scripting vulnerability, in the national vulnerability database, the site you use to find out about… cross-site scripting vulnerabilities
- Feds arrest man apparently responsible for The Fappening
- Facebook and Wikipedia offer a limited version of the internet in Angola, allowing access to only those two sites. Angolans embed other sites and pirated movies into the two sites to share access