Widespread Vulnerability: Cybersecurity researchers from Aqua Security have identified a significant security risk involving publicly exposed Kubernetes configuration secrets. These exposed secrets, found in public repositories, could potentially enable supply chain attacks, affecting a wide range of organizations, including Fortune 500 companies and top blockchain firms.
Extent of Exposure: Analysis revealed that out of 438 records potentially holding valid credentials for registries, 203 (about 46%) contained active credentials granting access to these registries. Alarmingly, a substantial portion of the passwords set were weak, highlighting a lax approach to password security in some organizations.
Technical Specifics of the Leakage: The vulnerability primarily involved two types of Kubernetes secrets - dockercfg and dockerconfigjson - which are used for accessing external registries. Researchers utilized GitHub's API to pinpoint instances where these secrets were inadvertently uploaded to public repositories, underscoring the severity and widespread nature of this issue.
Case Example and Risks: In one notable instance, valid credentials for SAP SE's Artifacts repository were exposed, providing access to over 95 million artifacts. This particular breach posed significant risks, such as potential code leaks, data breaches, and increased susceptibility to supply chain attacks, threatening the integrity of the organization and the security of its customers.
Widespread Security Flaw in Fingerprint Sensors: Researchers from Blackwing Intelligence discovered vulnerabilities in the fingerprint sensors of popular laptop models - Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X. These vulnerabilities could be exploited to bypass Windows Hello fingerprint authentication, a security feature critical for user access control in these devices.
Technical Details of the Vulnerability: The affected laptops utilized fingerprint sensors from ELAN, Synaptics, and Goodix. These sensors are Match-on-Chip (MoC) types with their own microprocessors and storage, allowing fingerprint matching within the chip. However, researchers found that while MoC sensors prevent replay of stored fingerprint data, they don't inherently stop a malicious sensor from mimicking legitimate sensor communication, enabling unauthorized access.
Method of Exploitation: The researchers successfully conducted man-in-the-middle (MiTM) attacks on all three laptop models using a custom Linux-powered Raspberry Pi 4 device. This involved software and hardware reverse-engineering, exploiting cryptographic flaws in Synaptics sensor's TLS protocol, and decoding proprietary protocols. On Dell and Lenovo laptops, authentication bypass was achieved by enrolling the attacker's fingerprint under a legitimate user's ID.
Implications and Recommendations: This research underscores a critical flaw in the physical security of laptop hardware and the need for robust firmware and driver updates to address such vulnerabilities. The findings highlight the importance of ensuring secure communication between hardware sensors and the operating system. Blackwing Intelligence recommends that vendors enable Secure Device Connection Protocol (SDCP) in biometric authentication solutions to mitigate such risks.
Mandos Brief GPT
Analyze any cybersecurity topic 100 times faster by focusing on key takeaways and zero noise.
Extensive Unauthorized Access: A Chinese hacker group known as "Chimera" gained access to NXP, a prominent Dutch chip manufacturer, and maintained this access from the end of 2017 to early 2020. This breach was not detected until early 2020 and resulted in the theft of intellectual property. Chimera employed sophisticated methods, including the exploitation of stolen account information from prior data breaches, to infiltrate NXP’s network.
Method of Attack and Spread: The attackers used credentials obtained from services like LinkedIn or Facebook, employing brute force to crack passwords. Once inside the network, they expanded their access, erased their tracks, and penetrated protected network areas. There, they encrypted and uploaded sensitive data to cloud storage services, repeatedly checking the NXP systems for new data.
Discovery of the Breach: The NXP breach came to light following an incident at Transavia, a KLM subsidiary. Hackers attempted to access Transavia’s reservation systems in September 2019. Investigations led by Fox-IT revealed that the hackers were connected to IP addresses in Eindhoven, where NXP is headquartered. This discovery prompted NXP to seek assistance from Fox-IT in January 2020.
Impact and Wider Implications: Although NXP reported no "material" damage from the breach, the theft of intellectual property, particularly chip designs, is significant. The breach highlights the broader threat of cyber espionage to high-tech industries and critical infrastructure globally. Additionally, at least seven Taiwanese chip companies also fell victim to this same hacker group, demonstrating a pattern of targeted attacks on the semiconductor industry.
Global Software Supply Chain Compromised: North Korean hackers, identified as the Diamond Sleet group, infiltrated a Taiwanese software company, CyberLink, to conduct a supply chain attack. The breach impacted users in North America and Asia, including the US, Canada, Japan, and Taiwan. This attack was part of a broader strategy by Diamond Sleet, a sub-group of the infamous Lazarus group, known for espionage, data theft, and financial crimes.
Infiltration of CyberLink and Malware Distribution: The attackers targeted CyberLink, a company specializing in multimedia and AI facial recognition software, and altered a legitimate application installer to include malicious code. This code, dubbed "LambLoad," was designed to download and load a second-stage payload, deceivingly signed with a valid CyberLink certificate and hosted on the company's legitimate update infrastructure.
Selective Execution of Malware: Microsoft observed the malicious installer as early as October 20, 2023, impacting over 100 devices. The malware was programmed to assess the presence of security software from companies like CrowdStrike, FireEye, and Tanium on the infected host. If detected, only the legitimate application would run, otherwise, it would execute the malicious code. This tactic illustrates the hackers' cunning approach to evade detection.
Second-Phase Payload and Hacker Objectives: A second-phase payload, interacting with infrastructure previously compromised by Diamond Sleet, was identified. Microsoft has attributed this attack to Diamond Sleet with high confidence, noting the group's history of targeting technology, defense, and media organizations. Their primary motives include espionage, financial gain, and corporate network destruction.
Shift in Targeting Strategy: The ClearFake campaign, initially focused on Windows systems, has expanded its reach to Mac systems, deploying a macOS information stealer known as Atomic. This shift marks a significant development in social engineering campaigns, indicating an increase in attacks not just geographically, but across different operating systems. Atomic Stealer, a commercial malware sold for $1,000 per month, is known for its capability to siphon data from web browsers and cryptocurrency wallets.
Malware Distribution Tactics: The campaign leverages compromised WordPress sites to serve fraudulent web browser update notices, tricking users into downloading the Atomic Stealer malware. This operation has evolved to target macOS users with a similar infection chain, using hacked websites to deliver the malware in DMG file format. The malware was initially propagated through malicious ads, but has since shifted to using fake browser update notifications, targeting both Safari and Google Chrome users.
Malware Functionality and Evolution: Atomic Stealer focuses on collecting and exfiltrating data from infected Mac devices. The stealer has evolved to target macOS systems, highlighting the increasing sophistication of threat actors in adapting their techniques to different platforms. This evolution reflects the growing complexity of digital threats and the need for robust cross-platform cybersecurity measures.
Rising Need for Cybersecurity Awareness and Protection: The expansion of the ClearFake campaign to Mac systems underscores the persistent myth that macOS devices are immune to malware. It emphasizes the need for continuous vigilance, regular patching, and the use of advanced anti-malware solutions on all types of devices. Training employees to recognize social engineering and phishing attempts is crucial, as human error remains a leading cause of data breaches.
Subscribe to Mandos Way
Join CISOs and Tech Leaders for Information Security Strategies & Weekly Briefs.