Weekly Cyber Reports

This Week in Cyber 05th April 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 4th April, 2024



Analyst Insight


This week's cybersecurity landscape presents several noteworthy events. Firstly, OWASP has encountered a data breach stemming from a server misconfiguration, leading to the compromise of member data. Meanwhile, a stealthy backdoor in XZ Utils poses a threat to the integrity of open-source software. Additionally, a newly discovered HTTP/2 vulnerability, dubbed the CONTINUATION Flood, raises concerns regarding potential denial-of-service attacks. INC Ransom has asserted responsibility for a breach at Leicester City Council, reflecting the vulnerability of public institutions to cyber threats. Lastly, Google Pixel smartphones are exposed to zero-day vulnerabilities exploited by forensic companies, indicating the necessity for enhanced mobile device security measures. These developments underscore the ongoing challenges in maintaining cybersecurity resilience and the imperative for proactive risk mitigation strategies.



OWASP Discloses Data Breach: Thousands of Member Resumes Compromised


OWASP, a prominent advocate for software security, recently disclosed a data breach affecting thousands of its members. The breach, which occurred due to a misconfiguration in OWASP's old Wiki web server, resulted in unauthorized access to a database containing decade-old member resumes. The compromised data included personally identifiable information such as names, email addresses, phone numbers, and physical addresses. OWASP promptly notified its members and the public about the breach, emphasizing its commitment to addressing the issue and enhancing security measures. Despite challenges in contacting affected individuals due to outdated contact information, OWASP is taking steps to mitigate the impact of the breach. Security experts, while acknowledging the severity of the incident, commend OWASP for its transparency and urge organizations to prioritize data protection and implement robust


Cunning XZ Utils Backdoor Changes the Landscape for Supply Chain Attacks


Supply Chain attacks are the bane of every security professional. The internet was built on trust, and despite what many would have you believe, still operates on it too. We trust that big name products and reputable software are squeaky clean. That it has been picked apart to its bones to ensure nothing malicious has made its way in. In the last week a particularly frightening supply chain threat is shaking the Security world, and testing that narrative. 


XZ Utils is a command-line lossless data compression utility included in many distributions of Linux. A recent experimental release of XZ Utils has been found to hold a backdoor which would provide a key holder with the ability to connect to the system and run commands as an administrator. Thankfully, the diligence of a Microsoft engineer, Andres Freund, caught the backdoor before it was distributed in a full release, stopping an incredible and cunning campaign at the last hurdle, all because he had noticed half a second of delay in how SSH was running with the experimental version.


How did this backdoor end up in a well-used and respected utility, a package that had passed the tests to enter many Linux distributions? The culprit is a user who goes by the name "Jia Tan". Who Jia Tan really is remains mostly guesswork; what we do know is that Jia Tan is talented, patient and concerning. Jia Tan has been active on GitHub since late 2021, making contributions to open-source projects. A year later the user was sighted making their first contributions to XZ Utils, and by early 2023 their submissions were being accepted into XZ Utils. Then, in a coup de grâce, the backdoor was finally added in February this year, relying on the reputation built up over the prior years. The patience exhibited by Jia Tan is impressive and scary. Some have described it as inhuman, suggesting longer-term, more nefarious motives including nation-state backing. The discipline to execute an attack with this foresight is unlike the majority of attacks we see in the current threat landscape. While most practitioners don't operate on implicit trust in the rest of the community, there are still those who do. More and more, we are seeing the need for trust to be paired with valid scrutiny. We should scrutinise every part of what we're doing and what others are doing for us. There won't always be an Andres Freund with both the luck to stumble into a symptom and the skilled presence of mind to investigate it and protect us.



HTTP/2 CONTINUATION Flood: New DoS Vulnerability Discovered


A new vulnerability dubbed HTTP/2 CONTINUATION Flood has been identified in the HTTP/2 protocol, allowing for denial-of-service (DoS) attacks. Security researcher Bartek Nowotarski reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024. This vulnerability exploits the CONTINUATION frame in the HTTP/2 protocol, where many implementations fail to properly limit or sanitize the number of CONTINUATION frames sent within a single stream. An attacker can exploit this vulnerability by sending a stream of CONTINUATION frames to overwhelm the server, potentially leading to an out-of-memory (OOM) crash or CPU exhaustion. This attack poses a more severe threat than previous vulnerabilities like Rapid Reset, as it can disrupt server availability with minimal resources. Various projects, including amphp/http, Apache HTTP Server, Apache Tomcat, and Node.js, are affected by this vulnerability. Users are advised to upgrade affected software to the latest version or consider temporarily disabling HTTP/2 on the server to mitigate potential threats.
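As an added illustration (not part of this report, and not code from any of the affected projects), the following Python models the mitigation the report alludes to: a server-side HTTP/2 frame reader that reassembles a header block from a HEADERS frame and its CONTINUATION frames, but refuses to keep buffering once a fixed number of frames or bytes has arrived without END_HEADERS. The frame layout follows the HTTP/2 specification (RFC 9113); the limit values, function names and constructed frame sequences are assumptions chosen for this example, and handling of the PADDED and PRIORITY flags is omitted for brevity.

```python
"""Bounded HTTP/2 header-block reassembly (added example, not the report's code).

Caps how many CONTINUATION frames and header-block bytes a peer may send on
one stream before END_HEADERS, so memory stays bounded however long the peer
keeps sending.  Frame layout per RFC 9113 s4.1; PADDED/PRIORITY are ignored.
"""
import struct

FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

# Assumed limits for illustration; a real server would make these configurable.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8


class ProtocolError(Exception):
    """Connection-level error: the offending peer should be disconnected."""


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload exceeds 24-bit length field")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length
    if off != len(data):
        raise ProtocolError("trailing bytes after last frame")


def reassemble_header_blocks(data: bytes, max_bytes: int = MAX_HEADER_BLOCK_BYTES,
                             max_frames: int = MAX_CONTINUATION_FRAMES):
    """Return [(stream_id, header_block)] for every completed header block.

    Raises ProtocolError the moment one block exceeds max_bytes or uses more
    than max_frames CONTINUATION frames, instead of buffering indefinitely.
    """
    completed, pending_stream, buf, cont_count = [], None, bytearray(), 0
    for ftype, flags, sid, payload in iter_frames(data):
        if pending_stream is None:
            if ftype == FRAME_CONTINUATION:
                raise ProtocolError("CONTINUATION with no open header block")
            if ftype != FRAME_HEADERS:
                continue  # other frame types are outside this example's scope
            pending_stream, buf, cont_count = sid, bytearray(), 0
        else:
            # RFC 9113 s6.10: only CONTINUATION on the same stream may follow.
            if ftype != FRAME_CONTINUATION or sid != pending_stream:
                raise ProtocolError("header block interrupted by another frame")
            cont_count += 1
            if cont_count > max_frames:
                raise ProtocolError("too many CONTINUATION frames")
        buf += payload
        if len(buf) > max_bytes:
            raise ProtocolError("header block exceeds size limit")
        if flags & FLAG_END_HEADERS:
            completed.append((pending_stream, bytes(buf)))
            pending_stream = None
    return completed


# Constructed sample inputs (assumed values, not captured traffic).
def benign_request() -> bytes:
    """HEADERS plus two CONTINUATIONs, the last one carrying END_HEADERS."""
    return (encode_frame(FRAME_HEADERS, 0, 1, b"part1-")
            + encode_frame(FRAME_CONTINUATION, 0, 1, b"part2-")
            + encode_frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"part3"))


def endless_header_block(n_frames: int = 1000) -> bytes:
    """Test fixture: HEADERS followed by CONTINUATIONs that never set END_HEADERS."""
    frames = [encode_frame(FRAME_HEADERS, 0, 1, b"x" * 100)]
    frames += [encode_frame(FRAME_CONTINUATION, 0, 1, b"x" * 100)] * n_frames
    return b"".join(frames)


def check(data: bytes) -> str:
    """Classify a frame sequence as 'ok' or return the ProtocolError reason."""
    try:
        reassemble_header_blocks(data)
        return "ok"
    except ProtocolError as exc:
        return str(exc)


if __name__ == "__main__":
    print(check(benign_request()))        # ok
    print(check(endless_header_block()))  # too many CONTINUATION frames
```

The two limits complement each other: the frame cap stops a peer from burning CPU with thousands of tiny frames, while the byte cap stops a handful of maximum-size frames from exhausting memory. Either violation is treated as a connection error rather than a stream error, which is the behaviour the HTTP/2 specification prescribes for malformed header blocks.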



INC Ransom Claims Responsibility for Leicester City Council Cybersecurity Incident


The ransomware group INC Ransom has asserted its involvement in the ongoing cybersecurity breach at Leicester City Council. A post on INC Ransom's leak blog revealed that the attackers purportedly stole 3 TB of council data, a claim that was swiftly retracted after publication, a tactic known as "flashing." Leicester City Council's recovery efforts have made progress, with most systems and services restored, though the council remains tight-lipped on whether any data was compromised. INC Ransom's modus operandi of double extortion raises concerns about the sensitivity of targeted data, as seen in recent attacks on NHS Dumfries and Galloway. The potential for phishing attacks using leaked data underscores the broader risks posed by such breaches.



Google Pixel Zero-Day Exploits Exposed by Forensic Companies


Google has disclosed two high-severity zero-day vulnerabilities affecting its Pixel smartphones, namely CVE-2024-29745 and CVE-2024-29748. These flaws, an information disclosure issue in the bootloader component and a privilege escalation flaw in the firmware component, have been exploited in the wild by forensic companies, according to GrapheneOS maintainers. The vulnerabilities allow attackers to exploit fastboot firmware and interrupt factory resets triggered via the device admin API. The disclosure follows previous reports of firmware vulnerabilities being exploited by forensic companies to spy on users, prompting calls for Google to implement an auto-reboot feature to mitigate such risks.
