The Codecov compromise involved a threat actor tampering with Codecov's Bash uploader script between January-April 2021, allowing them to export data from hundreds of customers' CI environments. The compromised script exfiltrated environment variables to the attacker's IP address. Rapid7 confirmed they were impacted, though the attacker was limited to internal tools and credentials and a small subset of source code repositories.
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline (Lastline, Inc.)
This document summarizes a presentation given by Dr. Engin Kirda on reacting to advanced cyberattacks in real-time using Lastline's detection platform. The presentation discusses how malware has become more sophisticated, evasive, and targeted. Lastline takes a unique approach to detection by using full system emulation in their sandbox environment, which allows them to detect malware that evades traditional antivirus solutions and virtualized sandboxes. The Lastline platform components work together to analyze suspicious files, correlate events into high-level incidents, share threat intelligence, and help automatically mitigate breaches across an organization's network in real-time.
This document discusses advanced persistent threats (APTs) and analyzes recent APT attack techniques to propose effective countermeasures. It describes the lifecycle of a generic APT attack and analyzes several popular past APTs, including Stuxnet and Flame. The document also discusses steps for detecting APTs, mounting proper responses, and developing secure networks against APT attacks. Additionally, it briefly introduces advanced volatile threats (AVTs) and argues why enterprises should prepare for them.
The document discusses penetration testing using Metasploit. It begins by defining penetration testing and why it is important for security. It then provides an overview of Metasploit, explaining what it is and some key terminology. The document demonstrates a sample penetration test against a virtual network, using Metasploit to exploit a Windows vulnerability. It evaluates the impact and recommends countermeasures like patching, code reviews, and periodic testing. The goal is to show how Metasploit can be used to test network security by simulating real-world attacks.
HackInBo2k16 - Threat Intelligence and Malware Analysis (Antonio Parata)
Threat intelligence and malware analysis are two sides of the same coin. Threat intelligence involves gathering information from various sources like open source intelligence (OSINT), internal network monitoring, and commercial threat feeds. This information can be used to understand emerging threats and inform an organization's response. Malware analysis involves reverse engineering malware samples to understand how they work and extract indicators like command and control servers and drop zones. Understanding common malware components like packers, loaders, and payloads can help focus analysis. Banking malware often uses dynamic configurations and web injections to target users and steal credentials. Both threat intelligence and malware analysis are important for increasing security awareness and protecting networks from emerging threats.
This document discusses the evolution of approaches to securing SCADA systems. Early advice based on IT security principles is subtly flawed: it fails to prevent system compromise, and physical damage cannot be undone by restoring from backups. More recent approaches focus on prevention over detection and response. The key shift is recognizing that SCADA systems must remain uncompromised, because, unlike IT systems, they cannot simply be restored to operation after an intrusion. Overall confidence in SCADA security remains low because outdated approaches are still in use.
The document summarizes a security solution called OTPS that is designed to protect utility control systems from vulnerabilities. It notes that control systems have become more vulnerable as they integrate with corporate networks and use commercial operating systems. The OTPS solution uses security event management, intrusion detection, and other tools to monitor systems for breaches, protect critical infrastructure, and detect and prevent security issues across networks, protocols, processes and system health. It is presented as a customizable, scalable solution to implement security best practices for utility control environments.
The Cyber Kill Chain. 7 Stages of Cyber Kill Chain Supplementary Reading (Muhammad FAHAD)
The “cyber kill chain” is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen.
The document discusses how to conduct a software exploitation attack using Metasploit Framework against a Windows XP system with Snort installed. It describes exploiting the Microsoft Graphics Rendering Engine vulnerability from 2006 using Metasploit to gain remote system access on the target. Snort's logs show it detected the attack as it occurred. The goal was to see how Snort would react to the attack.
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US... (Mobodexter)
BlackHat USA 2015 recently concluded, and we heard a lot of news about how BlackHat brought to light various security vulnerabilities in day-to-day life, such as the ZigBee protocol, a device for stealing keyless cars, and ATM card skimmers. However, the presenters, who are also ethical hackers, also gave the software community a number of tools to help detect and prevent security holes in hardware and software while the product is being readied for release. We have reviewed all the presentations from the conference and give you here a list of the top 10 tools/utilities that help with security vulnerability detection and prevention.
This document discusses the importance of vulnerability management programs for organizations. It explains that connecting to the global internet exposes networks to threats from cybercriminals who can exploit vulnerabilities to break into networks and steal proprietary information. An effective vulnerability management program involves continuously monitoring networks to identify vulnerabilities and address them. The document outlines some key aspects of vulnerability management programs such as defining vulnerabilities, setting the scope, identifying options for management, and best practices.
Cyber Defense - How to be prepared to APT (Simone Onofri)
This document provides an overview of a presentation on cyber defense and cyber attack simulations. It begins with an agenda and introductions. It then discusses the evolving threats landscape, with attacks increasing in scale, scope and sophistication. It outlines the cyber attack simulation methodology, including researching the target, infiltrating networks, establishing footholds, moving laterally and exfiltrating data. It describes three scenario examples - a web attack, phishing email, and exploiting physical access. Each scenario provides the rules of engagement, attack overview and lessons learned. It concludes with quotes emphasizing the importance of preparation and deception in warfare.
Asset Discovery in India – Redhunt Labs (RedhuntLabs2)
Leading asset discovery company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our agentless platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR has the capability to continually monitor your exposed Docker assets from across the globe.
We also provide a free scan if you'd like to examine the attack surface of your company. Visit our page for more information.
This document summarizes a research paper that proposes an inline patch proxy solution for the Xen hypervisor to help address vulnerabilities more quickly. The proposed solution uses a FastPatch module to analyze incoming traffic, detect vulnerabilities based on signature matching, generate patches, and pass them to virtual machines via PF_Ring to patch vulnerabilities in seconds rather than hours. The paper outlines the design of the solution and components like Xen, PF_Ring, and an update server. It also discusses implementation of handling some SQL injection attacks and future work to address more attacks.
The Challenge of Integrating Security Solutions with CI.pdf (Savinder Puri)
Informational article that discusses the issues with code signing solutions as they relate to CI/CD workflows (including DIY and HSM solutions).
Target persona: mostly technical decision makers and operational champions (DevOps/DevSecOps).
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi... (IRJET Journal)
The document discusses a proposed method for detecting viruses and malware that evade existing antivirus software. It uses a combination of analyzing files with VirusTotal's database of known threats and applying natural language processing techniques like suffix trees and TF-IDF to identify malicious patterns in files. An evaluation shows the proposed method can detect viruses that existing antivirus and VirusTotal miss, achieving a 97% accuracy rate in testing.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack. (Stefano Maccaglia)
The deck covers details about the Sunburst/Solorigate breach including some interesting threat intel paths we are currently evaluating to attribute the attack.
Enterprise Security Monitoring, And Log Management. (Boni Yeamin)
In today's presentation, we'll explore Security Onion, a powerful open-source platform designed to fortify your network security. Security Onion, much like its namesake vegetable, peels back the layers of your network traffic, enabling you to identify and address potential threats. We'll delve into its functionalities, core components, and the advantages it brings to your cybersecurity posture.
SafeBreach is a continuous security validation platform that can identify vulnerabilities in a company's network by simulating cyberattacks. It deploys agents across all systems to map the network and monitor for attacks without affecting the systems. The article describes how SafeBreach was tested on a large virtual network, quickly finding hundreds of potential entry points and paths to sensitive data. It also discusses how SafeBreach can be used to run security scenarios and wargames to help train IT teams to respond to attacks.
This document discusses the development of a cross-platform penetration testing suite that compiles standard penetration testing tools into a single mobile application. The suite aims to provide easy access to penetration testing tools on any Android device, improving portability for ethical hackers. It does not require root access to the user's phone. The suite is designed to perform tasks like port scanning, vulnerability scanning, payload generation, and more. It consolidates typical tools used for information gathering, vulnerability assessment, exploitation, and covering tracks into a single interface. This allows ethical hackers to conduct basic penetration tests using only their mobile device.
Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others. We created and maintain Security
Tech Throwdown: Secure Containerization vs Whitelisting (Invincea, Inc.)
To address the inadequacy of traditional anti-virus solutions, whitelisting and secure containerization approaches have both gained traction in the enterprise. Both approaches have the overarching goal of preventing a successful breach at the endpoint, but each works differently and focuses on a different part of the cyber kill chain.
Invincea, a secure containerization solution, inoculates high-risk and Internet-facing applications against attack by running them in secure virtual containers, which have restricted access to the underlying host OS. This effectively removes the most common means of delivering the infection (see figure below). Any successful exploits of targeted applications (such as IE, Java, Flash, etc.), including by 0-day exploits, are kept safely in quarantine where additional forensic details may be uncovered.
Whitelisting attempts to prevent infections by allowing only certain known executables to run. This means whitelisting solutions will not see initial exploits; rather, whitelisting focuses on the next step beyond the exploit, where many attacks then attempt to launch 2nd-stage (malicious) executables with additional goals such as privilege escalation, lateral movement, or data exfiltration. In other words, whitelisting solutions have no visibility into exploits of existing programs or into memory-resident malware. In addition, whitelisting solutions that prevent unknown software from running will flag legitimate software (such as patches) that has not yet been added to the whitelist.
Journey to the Cloud: Securing Your AWS Applications - April 2015 (Alert Logic)
James Brown, Director of Cloud Computing & Security Architecture at Alert Logic, covers:
• The shared security model: what security you are responsible for to protect your content, applications, systems and networks vs AWS.
• Overview of the OWASP Top 10 most critical web application security risks (such as SQL injections)
• Best practices for how to protect your environment from the latest threats
Similar to Software Supply Chain Attacks (June 2021) (20)
Superpower Your Apache Kafka Applications Development with Complementary Open... (Paul Brebner)
Kafka Summit talk (Bangalore, India, May 2, 2024, https://events.bizzabo.com/573863/agenda/session/1300469)
Many Apache Kafka use cases take advantage of Kafka’s ability to integrate multiple heterogeneous systems for stream processing and real-time machine learning scenarios. But Kafka also exists in a rich ecosystem of related but complementary stream processing technologies and tools, particularly from the open-source community. In this talk, we’ll take you on a tour of a selection of complementary tools that can make Kafka even more powerful. We’ll focus on tools for stream processing and querying, streaming machine learning, stream visibility and observation, stream meta-data, stream visualisation, stream development including testing and the use of Generative AI and LLMs, and stream performance and scalability. By the end you will have a good idea of the types of Kafka “superhero” tools that exist, which are my favourites (and what superpowers they have), and how they combine to save your Kafka applications development universe from swamploads of data stagnation monsters!
The Comprehensive Guide to Validating Audio-Visual Performances.pdf (kalichargn70th171)
Ensuring the optimal performance of your audio-visual (AV) equipment is crucial for delivering exceptional experiences. AV performance validation is a critical process that verifies the quality and functionality of your AV setup. Whether you're a content creator, a business conducting webinars, or a homeowner creating a home theater, validating your AV performance is essential.
8 Best Automated Android App Testing Tool and Framework in 2024.pdf (kalichargn70th171)
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf (Baha Majid)
IBM watsonx Code Assistant for Z is our latest Generative AI-assisted mainframe application modernization solution. Mainframe (IBM Z) application modernization is a topic that every mainframe client is addressing to various degrees today, driven largely by digital transformation. With generative AI comes the opportunity to reimagine the mainframe application modernization experience. Infusing generative AI will enable speed and trust, help de-risk, and lower total costs associated with heavy-lifting application modernization initiatives. This document provides an overview of the IBM watsonx Code Assistant for Z, which uses the power of generative AI to make it easier for developers to selectively modernize COBOL business services while maintaining mainframe qualities of service.
Using Query Store in Azure PostgreSQL to Understand Query Performance (Grant Fritchey)
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
Boost Your Savings with These Money Management Apps (Jhone kinadey)
A money management app can transform your financial life by tracking expenses, creating budgets, and setting financial goals. These apps offer features like real-time expense tracking, bill reminders, and personalized insights to help you save and manage money effectively. With a user-friendly interface, they simplify financial planning, making it easier to stay on top of your finances and achieve long-term financial stability.
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie... (Paul Brebner)
Closing talk for the Performance Engineering track at Community Over Code EU (Bratislava, Slovakia, June 5 2024): https://eu.communityovercode.org/sessions/2024/why-apache-kafka-clusters-are-like-galaxies-and-other-cosmic-kafka-quandaries-explored/
Instaclustr (now part of NetApp) manages 100s of Apache Kafka clusters of many different sizes, for a variety of use cases and customers. For the last 7 years I’ve been focused outwardly on exploring Kafka application development challenges, but recently I decided to look inward and see what I could discover about the performance, scalability and resource characteristics of the Kafka clusters themselves. Using a suite of Performance Engineering techniques, I will reveal some surprising discoveries about cosmic Kafka mysteries in our data centres, related to: cluster sizes and distribution (using Zipf’s Law), horizontal vs. vertical scalability, and predicting Kafka performance using metrics, modelling and regression techniques. These insights are relevant to Kafka developers and operators.
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISTier1 app
Are you ready to unlock the secrets hidden within Java thread dumps? Join us for a hands-on session where we'll delve into effective troubleshooting patterns to swiftly identify the root causes of production problems. Discover the right tools, techniques, and best practices while exploring *real-world case studies of major outages* in Fortune 500 enterprises. Engage in interactive lab exercises where you'll have the opportunity to troubleshoot thread dumps and uncover performance issues firsthand. Join us and become a master of Java thread dump analysis!
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
14 th Edition of International conference on computer visionShulagnaSarkar2
About the event
14th Edition of International conference on computer vision
Computer conferences organized by ScienceFather group. ScienceFather takes the privilege to invite speakers participants students delegates and exhibitors from across the globe to its International Conference on computer conferences to be held in the Various Beautiful cites of the world. computer conferences are a discussion of common Inventions-related issues and additionally trade information share proof thoughts and insight into advanced developments in the science inventions service system. New technology may create many materials and devices with a vast range of applications such as in Science medicine electronics biomaterials energy production and consumer products.
Nomination are Open!! Don't Miss it
Visit: computer.scifat.com
Award Nomination: https://x-i.me/ishnom
Conference Submission: https://x-i.me/anicon
For Enquiry: Computer@scifat.com
What to do when you have a perfect model for your software but you are constrained by an imperfect business model?
This talk explores the challenges of bringing modelling rigour to the business and strategy levels, and talking to your non-technical counterparts in the process.
How Can Hiring A Mobile App Development Company Help Your Business Grow?ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Malibou Pitch Deck For Its €3M Seed Roundsjcobrien
French start-up Malibou raised a €3 million Seed Round to develop its payroll and human resources
management platform for VSEs and SMEs. The financing round was led by investors Breega, Y Combinator, and FCVC.
2. The SolarWinds Compromise
On Dec. 13, the cyber community became aware of one of the most
significant cybersecurity events of our time, impacting both commercial
and government organizations around the world.
The event was a supply chain attack on SolarWinds OrionⓇ software
conducted by suspected nation-state operators (discovered by
FireEye)
3. Events Timeline
While ‘SUNBURST’ activity was only identified in December 2020, analysis of campaign details and further analysis of SolarWinds software indicates the event may have started, at least in preparatory phases, over a year prior:
4. SolarWinds Background
• A software company that primarily deals with systems management solutions used by IT network admins, operations and infrastructure teams
• The most widely deployed SolarWinds product used to be Orion, a ‘Network Management System’ (NMS), which is used to monitor and manage servers, endpoints, network devices etc.
• SolarWinds Orion was utilized widely and globally, including within the US ‘Department of Defense’ (DoD)
5. • The attack was a supply-chain based attack, in which an adversary leveraged the software’s update mechanism. The compromise has been linked to the US ‘Treasury Department’ and the FireEye compromises and was used to inject the ‘SUNBURST' malware / backdoor into the code
• When the SolarWinds Orion agent was used, it interrogated systems for communication line status, which let admins take manual or automated actions with elevated credentials. Those credentials were configured by teams with no security or risk-awareness in mind, and as such were considered 'juicy' targets for hackers
7. NMS Are Prime Targets for Attackers
• NMS are able to communicate with all devices that are managed /
monitored
• The Orion agent can manually or automatically be used to run
commands such as Cisco shutdown / restart, by using the SNMP /
WMI protocols
• Many NMS are configured to both monitor events and respond to them, meaning that any change the NMS can make, attackers can make too – why have we given away so much power to these tools?
8. SolarWinds Digital Signature – A Piece of
Software With A Backdoor
• The malware was deployed as an update
from SolarWinds' own servers and was
digitally signed with a valid digital certificate
bearing their name (issued by Symantec),
which strongly points to a supply chain
attack
9. The SolarWinds Attack Framework
• Delayed Execution - The ‘SUNBURST' malware checks the filesystem timestamps to ensure that the product has been deployed for a dormant period of 12-14 days prior to the current time, before sending its first beacon
• An Anti-Sandbox Behavior - Unless the infected device is joined to a domain, the malware will not execute
• DNS Resolution & IP Address Check - If the malware resolves a domain to a private IP address, the malware will not execute
• VMware - Command Injection Vulnerability (CVE-2020-4006) - exists in five VMware software products focused on identity and access management
• MS / SAML - The attackers have exfiltrated SAML token signing certificates that allow them to forge tokens and access any resources trusted by those certificates
• MFA Bypass - SAML token-forging attack; the attacker targeted the “integration secret key” used to connect Cisco’s Duo Multi-Factor Authentication (MFA) solution to an Outlook Web Access server
10. Recommendations
• Security teams must first review the usage of NMS systems before they are put to use, and educate on risk-awareness accordingly
• Implementation of the ‘Security, Orchestration, Automation and Response’ (SOAR) framework should be considered
• To limit the ‘Attack Surface’, a 'Zero-Trust' network approach should be used (block access from the NMS to the internet and, if explicitly needed, limit the destinations)
• A ‘Threat-Modeling’ session should be performed on known risks, and the question that should be raised is: “Does the functionality that would come out of a service outweigh the risk, or vice versa?”
11. Initiate a ‘Threat Hunt' in your network:
• Always prioritize the 'Discovery Course of Action’ (looking backwards) over the 'Detection CoA’ (looking forward)
• The attackers are clearly ‘OPSec'-aware and will likely have changed any filesystem-based ‘Indicators of Compromise’ (IoCs); because the attacker is performing counter-intelligence, IoCs that can be used for the ‘Discovery CoA’ are the most useful
• Attackers will be re-tooling, so do not anticipate finding specifics for the ‘SUNBURST’ malware
12. • FireEye noted that the malicious code did not overlap with other
malware
• Other branded NMS services may just as well be configured by Operations / IT teams, which prioritize availability and may not have security in mind
• Security teams should hold a ‘Threat Modeling' session for the access that a compromise of an NMS would provide
• Monitor for intrusions – log everything and more, alert on events
and investigate accordingly
13. • Since supply chain compromises are extremely difficult to protect against, this highlights the need for security to be considered as part of the vendor selection process
• Supply chain security compromises extend to SaaS applications – your SaaS vendors do not have any magic process that makes it easier for them to detect such threats
• Supply chain attacks may influence the victims' IPO and due-diligence efforts
• State-backed attacks are financed by countries, whose budgets are nowhere near the amount of budget private security firms have at their disposal, combined – thus we must support the global security communities and share everything we know and may have suffered
Thanks to:
Jake Williams @ ‘Rendition Infosec’, (rsec.us), @MalwareJake
FireEye
PaloAlto Networks
Bleeping Computer
DomainTools
14. Open-Source Code Compromises
More than 90% of organizations utilize open-source code lately (Gartner)
The means of obtaining the code have changed:
• In the past – Projects from Red Hat, Apache, Intel, IBM etc.
• At present - Bitbucket, GitHub and GitLab are widely used to develop and share code
• There is no responsible entity to review the open-source code to confirm if it is
clean / non-malicious
• Application Security solutions are focused on detecting vulnerabilities, but they
do not detect attackers in code packages
15. The Official PHP Git server Was Targeted In An
Attempt To Inject Malware Within The Code Base
• The official PHP Git server has been compromised in a potential
attempt to plant malware in the code base of the PHP project
• The PHP programming language developer and maintainer Nikita
Popov said that two malicious commits were added to the ‘php-src’
repository in both his name and that of PHP creator Rasmus Lerdorf
• As noted by Bleeping Computer, the code appears to be designed to
implant a backdoor and create a scenario in which ‘Remote Code
Execution’ (RCE) may be possible
16. • The malicious commits, which appeared to be signed off under the names of Popov and Lerdorf (1,2), were masked as simple typographical errors that needed to be resolved
• However, instead of escaping detection by appearing so benign, contributors that took a closer look at the "Fix typo" commits noted malicious code that executed arbitrary code when the ‘HTTP_USER_AGENT’ header began with a string related to ‘Zerodium’
17. Namespace Shadowing - Dependency Confusion
A 'White-Hat' (an ethical hacker) who breached the Python Artifactory server (JFrog) for alerting purposes and managed to guess a true dependency package name, then:
• Uploaded his own renamed package, using the true legitimate package name, with a higher version number than the legitimate package’s initial version
• He managed to inject his dependency package into MS .NET, Apple, Tesla etc. – all that with no issues raised on the true developers' side, despite them having the most modern security defense mechanisms
After being paid a 'Bug-Bounty', the ethical hacker disclosed the method to the payer and proved that his own theory worked
19. The Codecov Compromise - Hundreds of
Networks Reportedly Breached
A cyberattack against Codecov took place around January 31, 2021, and was only made public on April 15. The organization, which provides code coverage and testing tools, said that a 'threat actor' tampered with the Bash uploader script, thereby compromising the Codecov-actions uploader for GitHub, Codecov CircleCI Orb, and the Codecov Bitrise Step. This enabled attackers to export data contained in user continuous integration (CI) environments.
The company learned that for over two months, Codecov’s Bash Uploader scripts used by hundreds or thousands of their customers had been altered with a malicious line of code that exfiltrated information in the environment variables present on the users’ CI/CD environments to an attacker’s IP address.
Bash Uploader exfiltrated environment variables to attacker’s IP address
The flaw originated due to an error in the Docker image creation process, which, according to Codecov, “allowed the actor to extract the credential required to modify our Bash Uploader script.”
Codecov provides code coverage, testing, and stats to over 29,000 companies, and even has a handy GitHub app to integrate the tool right within your open-source software project.
The security advisory released by Codecov strongly advised users to reset all of their credentials, tokens, or keys that were present in the environment variables in their CI processes that used Codecov uploaders.
Hundreds of clients were potentially impacted, and now, Rapid7 has confirmed they were one of them.
Rapid7 says the Bash uploader was used in a limited fashion as it was only set up on a single CI server used to test and build tooling internally for the Managed Detection and Response (MDR) service.
As such, the attacker was kept away from their product code, but they were able to access a "small subset of source code repositories" for MDR, internal credentials -- all of which have now been rotated -- and alert-related data for some MDR customers.
20. Although the initial compromise seemed limited to Codecov’s Bash Uploader, the scope of this breach was found to have expanded well beyond just that, when U.S. federal investigators hinted at hundreds of client networks having been breached by hackers as they managed to collect customer credentials using the tainted Bash Uploader tool.
HashiCorp disclosed that their GPG private key used to sign and validate software packages had been exposed as a result of this incident.
21. NPM Package – “Discord.dll”
“Discord.dll”: Successor to NPM "fallguys" malware went undetected for 5 months
The 'Sonatype Security Research' team has identified a series of counterfeit components in the NPM ecosystem:
• A "fallguys" group attacker has written a malicious Python library and has used the
Discord gaming community's chat platform to steal SSH keys
• Such intentionally malicious packages seem to be doing similar, shady things to the
malicious "fallguys" NPM package discovered in September 2020 (stolen web browser
files and Discord gaming chats)
• The new packages in question were published by the same NPM author, whose NPM
account also contained what looked like legitimate packages with genuine use cases
22. Infected Discord files:
• Discord.dll, Discord.app
etc.
The attacker collected sensitive data, then sent the data to the attackers via the Discord platform
Thanks to Sonatype Security
23. The Octopus Scanner
• Targeted Java developers
• Infects the development environment
• Injects itself into compiled software
24. The malicious code takes over the ‘clean’ developer's environment. Any additional code the developer creates afterwards gets injected with the same malicious code.
• As a dependency contributor – your infected code unwillingly and unknowingly spreads widely to the masses
Thanks to Security Lab
25. North Korea Targeting Security Researchers
North Korea has decided the best way to reach her favorite targets is to gain access to the software supply chain.
• Several cyber security researchers were manipulated to assist the
North Korean cyber security researchers.
• Selected code that belongs to the ‘good guys’ was poisoned and has
allowed access to their computers, their code, their secrets and zero-
day information.
26. NPM Package – "event-stream"
A known NPM package named 'event-stream@3.3.6', which was no longer maintained by its initial contributor, was handed over to another contributor:
• A user named '@right9ctrl' asked for and was eventually granted permissions
• He added a new dependency to the project
• The new dependency contained malicious code
• The offending contributor intentionally added a piece of code that scanned and parsed the host computer's clipboard contents, trying to locate Bitcoin wallet addresses.
When it was discovered, the first contributor denied any ties to the code's history. He added that whoever decided to use the code should be blaming themselves.
27. Supply Chain Attacks Are Difficult To Detect With Current Code Security Solutions
• The current security systems are designed to detect bugs that lead to
vulnerabilities
• They are based on static analysis – ineffective in the detection of
malicious behavior
• Longer mean time to detect (MTTD) – due to manual research
28. Current Available Solutions and Work-In-
Progress
The US President has recently signed an executive order that deals with the software supply chain subject through the 'Software Bill of Materials' (a concept which has already existed for some time), which would lead to transparency and order:
• Who the code supplier is, and details about their reputation history
• The code history and the processes it went through so far
• How the code was reviewed, and which libraries, classes etc. it uses
US organizations are pushing this new initiative forward strongly, as most of their critical systems are vulnerable to supply chain attacks.
29. Detecting Supply-Chain Attacks In Code Packages
• A Platform for Code Packages Behavioral Analysis & Detection of
Open-source Software Supply-Chain Attacks
Thanks to Tzachi Zorn, Co-Founder & CEO @ ‘Dustico’
Dustico - https://dusti.co/
30. ‘SLSA’ - A Mitigation Solution by Google
SLSA (pronounced "salsa") is an End-to-End Framework for Supply Chain Integrity:
The proposed solution is ‘Supply chain Levels for Software Artifacts’ (SLSA), an end-to-end
framework for ensuring the integrity of software artifacts throughout the software supply
chain:
• It is inspired by Google’s internal “Binary Authorization for Borg” which has been in use
for the past 8+ years and is mandatory for all of Google's production workloads
• The goal of SLSA is to improve the state of the industry, particularly open source, to
defend against the most pressing integrity threats
• With SLSA, consumers can make informed choices about the security posture of the
software they consume
31. How SLSA Might Help
SLSA helps to protect against common supply chain attacks. The
following image illustrates a typical software supply chain and includes
examples of attacks that can occur at every link in the chain.
Each type of attack has occurred over the past several years and, unfortunately, is increasing as time goes on.
33. Threat – Known example – How SLSA could have helped

A. Threat: Submit bad code to the source repository
   Known example: Linux hypocrite commits – Researcher attempted to intentionally introduce vulnerabilities into the Linux kernel via patches on the mailing list.
   How SLSA could have helped: Two-person review caught most, but not all, of the vulnerabilities.

B. Threat: Compromise source control platform
   Known example: PHP – Attacker compromised PHP’s self-hosted git server and injected two malicious commits.
   How SLSA could have helped: A better-protected source code platform would have been a much harder target for the attackers.

C. Threat: Build with official process but from code not matching source control
   Known example: Webmin – Attacker modified the build infrastructure to use source files not matching source control.
   How SLSA could have helped: A SLSA-compliant build server would have produced provenance identifying the actual sources used, allowing consumers to detect such tampering.

D. Threat: Compromise build platform
   Known example: SolarWinds – Attacker compromised the build platform and installed an implant that injected malicious behavior during each build.
   How SLSA could have helped: Higher SLSA levels require stronger security controls for the build platform, making it more difficult to compromise and gain persistence.

E. Threat: Use bad dependency (i.e. A-H, recursively)
   Known example: event-stream – Attacker added an innocuous dependency and then updated the dependency to add malicious behavior. The update did not match the code submitted to GitHub (i.e. attack F).
   How SLSA could have helped: Applying SLSA recursively to all dependencies would have prevented this particular vector, because the provenance would have indicated that it either wasn’t built from a proper builder or that the source did not come from GitHub.

F. Threat: Upload an artifact that was not built by the CI/CD system
   Known example: CodeCov – Attacker used leaked credentials to upload a malicious artifact to a GCS bucket, from which users download directly.
   How SLSA could have helped: Provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.

G. Threat: Compromise package repository
   Known example: Attacks on Package Mirrors – Researcher ran mirrors for several popular package repositories, which could have been used to serve malicious packages.
   How SLSA could have helped: Similar to above (F), provenance of the malicious artifacts would have shown that they were not built as expected or from the expected source repo.

H. Threat: Trick consumer into using bad package
   Known example: Browserify typosquatting – Attacker uploaded a malicious package with a similar name as the original.
   How SLSA could have helped: SLSA does not directly address this threat, but provenance linking back to source control can enable and enhance other solutions.
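The provenance check that the table credits with catching threats C, F and G, applied to a Codecov-style altered uploader script (slide 19), as an added example that is not SLSA's own tooling or schema. The provenance record is a constructed, simplified stand-in for a SLSA provenance statement (builder id, source URI, SHA-256 of the produced artifact); the consumer policy values, the script bytes and the example.invalid hostnames are all assumptions made up for the example.

```python
"""Accept an artifact only if its bytes, builder and source match its provenance.

Added example. The provenance shape is a simplified stand-in, not the real SLSA
schema, and every URL and script line below is constructed for the demo.
"""
import hashlib
import hmac
from typing import Dict, List

# Consumer policy (assumed): the only builder and source this consumer trusts.
EXPECTED_BUILDER = "https://ci.example.invalid/builders/release"
EXPECTED_SOURCE = "git+https://example.invalid/org/uploader@refs/heads/main"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, builder: str, source: str) -> Dict:
    """What a trusted builder would attest for the artifact it just produced (simplified)."""
    return {
        "subject": [{"name": "uploader.sh", "digest": {"sha256": sha256_hex(artifact)}}],
        "builder": {"id": builder},
        "source": {"uri": source},
    }


def verify(artifact: bytes, provenance: Dict,
           expected_builder: str, expected_source: str) -> List[str]:
    """Return findings; an empty list means the artifact is accepted."""
    findings: List[str] = []
    subjects = provenance.get("subject") or [{}]
    recorded = subjects[0].get("digest", {}).get("sha256", "")
    actual = sha256_hex(artifact)
    # Threat F/G: the bytes being served are not the bytes the builder produced.
    if not hmac.compare_digest(recorded, actual):
        findings.append("digest mismatch: served bytes are not what the builder produced (threat F/G)")
    # Threat D/F: the artifact was built somewhere other than the expected CI/CD system.
    if provenance.get("builder", {}).get("id") != expected_builder:
        findings.append("builder mismatch: not built by the expected CI/CD system (threat D/F)")
    # Threat C: the official build consumed code that is not the expected source control.
    if provenance.get("source", {}).get("uri") != expected_source:
        findings.append("source mismatch: built from code not matching source control (threat C)")
    return findings


def run_scenarios() -> Dict[str, List[str]]:
    """Four constructed cases; 'tampered_artifact' mirrors Codecov's altered uploader."""
    script = b"#!/bin/sh\n# constructed uploader script\nupload_coverage \"$1\"\n"
    good = make_provenance(script, EXPECTED_BUILDER, EXPECTED_SOURCE)
    # One line appended to the served file while the provenance still describes the original.
    tampered = script + b"# constructed stand-in for an injected line\n"
    adhoc = make_provenance(script, "https://laptop.example.invalid/adhoc", EXPECTED_SOURCE)
    fork = make_provenance(script, EXPECTED_BUILDER,
                           "git+https://example.invalid/fork/uploader@refs/heads/main")
    return {
        "untampered": verify(script, good, EXPECTED_BUILDER, EXPECTED_SOURCE),
        "tampered_artifact": verify(tampered, good, EXPECTED_BUILDER, EXPECTED_SOURCE),
        "wrong_builder": verify(script, adhoc, EXPECTED_BUILDER, EXPECTED_SOURCE),
        "wrong_source": verify(script, fork, EXPECTED_BUILDER, EXPECTED_SOURCE),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, "->", "accepted" if not findings else findings)
```

Note that only the digest check would have flagged the Codecov case; the builder and source checks catch the cases where the provenance itself is honest but describes a build the consumer should not trust.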
34. SLSA URL:
https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html
SLSA is a practical framework for end-to-end software supply chain
integrity, based on a model proven to work at scale in one of the
world’s largest software engineering organizations. Achieving the
highest level of SLSA for most projects may be difficult, but incremental
improvements recognized by lower SLSA levels will already go a long
way toward improving the security of the open-source ecosystem.
Thanks to Patrick Mathieu, Sr. Manager, Offensive Security @ LogMeIn
35. Additional Security-Related ”Don’t Say You
Were Not Warned...”
• 80% of companies that pay a ransomware ransom are exploited again - with about 1/2 of them believing it was the same group in the subsequent attack. Is that enough proof that paying a ransom is not a good strategy? If your security controls weren't good enough to stop the ransomware, they definitely aren't good enough to detect a rootkit - https://www.zdnet.com/article/most-firms-face-second-ransomware-attack-after-paying-off-first/#ftag=RSSbaffb68
Thanks to Michael Fischer, Sr. Manager, Product Security @ LogMeIn
36. 7 Cybersecurity Breaches In 2020 & How They
Could Have Been Prevented
1. SolarWinds: Third Party Infiltration (covered above)
2. Portnox: Network Penetration
3. Pulse Secure: VPN Vulnerabilities
4. Marriott: Fraudulent Login from Stolen Details
5. Cisco: Disgruntled Former Employee
6. University of California: Ransomware
7. UN Maritime Agency: Possible Watering Hole Attack
URL: https://cyolo.io/blog/7-data-cybersecurity-breaches-in-2020-how-they-
could-have-been-prevented/
37. And Last, But Not Least – Shirbit Insurance
Israel Shaken By Data Leak After Ransomware Attack At ‘Shirbit Insurance’ Company:
• Hackers leak screenshot of negotiation with breached insurance giant
• Israeli government reportedly reconsidering relationship with insurance firm following security breach
A hacking gang calling itself Black Shadow has demanded a giant insurance firm pay a US $3.8 million ransom after encrypting and stealing sensitive data and documents about its clients.
Customers of the victim, Israel’s Shirbit insurance company, have been advised to consider obtaining new identity cards and driving licenses due to the risk of identity theft after the hackers released a third wave of stolen data this past weekend.
Leaked data has included scans of identity cards, marriage certificates, and financial and medical documents.
URL: https://hotforsecurity.bitdefender.com/blog/israel-shaken-by-data-leak-after-ransomware-attack-at-
shirbit-insurance-company-24786.html
40. The SolarWinds Compromise
On Dec. 13, the cyber community became aware of one of the most significant cybersecurity events of our time, impacting both commercial and government organizations around the world. The event was a supply chain attack on SolarWinds OrionⓇ software conducted by suspected nation-state operators (discovered by FireEye):
• SolarWinds has mentioned that a vulnerability which existed until the March-June 2020 timeframe was leveraged to take advantage of their 'Orion' software product
• Evidence exists and shows the attackers’ ‘Command and Control’ (C2) infrastructure was set up as early as August 2019. The first modified SolarWinds software was released in October 2019, and the earliest related Cobalt Strike payload identified was generated using Cobalt Strike 4.0, which was built in December 2019
More On NMS
• Even when NMS are configured to only monitor (read-only), the credentials used would still offer some level of access to an attacker (read configurations, list processes etc.)
• If an attacker compromises the NMS, they could usually reshape network traffic for man-in-the-middle (MitM) / person-in-the-middle / monkey-in-the-middle opportunities and might then use the system-monitoring credentials to move laterally to target systems (if the Orion NMS agent is domain-joined, other service accounts that exist there might allow an attacker to move laterally within the environment)
41. The SolarWinds Attack Framework – Delayed Execution
• The ‘SUNBURST' malware checks the filesystem timestamps to ensure that the product has been deployed for a dormant period of 12-14 days prior to the current time, before it sends its first beacon:
• The sample would only execute if the filesystem write time of the assembly is at least 12-14 days prior to the current time (the exact threshold is selected randomly from an interval)
• The sample continues to check the time threshold, as it is run by a legitimate recurring background task
• Once the threshold is met, the sample creates a ‘named pipe’ to act as a guard that only one instance is running before reading the specific file 'SolarWinds.Orion.Core.BusinessLayer.dll.config' from disk and retrieving the XML field 'appSettings’
• The 'appSettings' field's keys are legitimate values that the malicious logic re-purposes as a persistent configuration
• The key 'ReportWatcherRetry' must be any value other than ‘3’ for the sample to continue execution
This delayed execution effectively defeats the counter-measure of detonating updates in malware sandboxes and other instrumented environments: even if a staging environment had been used to test the infected update prior to deployment, to make certain that malicious activity is avoided, the update would have left the sandbox and been rolled out (to some 18,000 customers) in far less than 12 days.
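A responder's triage check for the two conditions the slide above makes actionable, as an added example that is not code from the deck or from any vendor tooling: it parses the appSettings block of a SolarWinds.Orion.Core.BusinessLayer.dll.config-style file and reports whether 'ReportWatcherRetry' holds the value '3' (the one value the text says stops the sample) and whether the assembly's filesystem write time is already past the 12-14 day dormancy window. The config contents, the placeholder assembly bytes and the backdated write time are all constructed for the example.

```python
"""Triage the SUNBURST dormancy window and kill-switch key described on slide 41.

Added example. The config text and the placeholder assembly are constructed; a real
config carries many more appSettings keys than the two the text names.
"""
import os
import tempfile
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Dormancy window from the text: first beacon only after a randomly chosen
# 12-14 days past the assembly's filesystem write time.
MIN_DORMANT_DAYS = 12
MAX_DORMANT_DAYS = 14
SECONDS_PER_DAY = 86400

# Constructed appSettings sample; only the two keys the text names are included.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ReportWatcherRetry" value="0" />
    <add key="ReportWatcherPostpone" value="8" />
  </appSettings>
</configuration>
"""


@dataclass
class SunburstState:
    report_watcher_retry: Optional[str]
    report_watcher_postpone: Optional[str]
    assembly_age_days: float

    @property
    def kill_switch_set(self) -> bool:
        # Text: ReportWatcherRetry must be any value other than '3' for the sample to continue.
        return self.report_watcher_retry == "3"

    @property
    def dormancy_possibly_elapsed(self) -> bool:
        # Past 12 days the randomly chosen threshold may already have been met.
        return self.assembly_age_days >= MIN_DORMANT_DAYS

    @property
    def dormancy_certainly_elapsed(self) -> bool:
        # Past 14 days every possible threshold has been met.
        return self.assembly_age_days >= MAX_DORMANT_DAYS

    def findings(self) -> List[str]:
        age = f"assembly age {self.assembly_age_days:.1f} days"
        out = ["ReportWatcherRetry is '3': the sample would stop at this check"
               if self.kill_switch_set else
               f"ReportWatcherRetry is {self.report_watcher_retry!r}: the sample would continue"]
        if self.dormancy_certainly_elapsed:
            out.append(f"{age}: dormancy window has certainly passed")
        elif self.dormancy_possibly_elapsed:
            out.append(f"{age}: inside the 12-14 day window, a first beacon may already have gone out")
        else:
            out.append(f"{age}: still dormant, no beacon expected yet")
        return out


def read_app_settings(config_path: str) -> Dict[str, Optional[str]]:
    """Return the <add key=... value=...> pairs found under <appSettings>."""
    root = ET.parse(config_path).getroot()
    settings: Dict[str, Optional[str]] = {}
    for add in root.iterfind("./appSettings/add"):
        key = add.get("key")
        if key is not None:
            settings[key] = add.get("value")
    return settings


def assess(config_path: str, assembly_path: str, now: Optional[float] = None) -> SunburstState:
    """Combine the config keys with the assembly's write-time age in days."""
    now = time.time() if now is None else now
    settings = read_app_settings(config_path)
    age_days = (now - os.path.getmtime(assembly_path)) / SECONDS_PER_DAY
    return SunburstState(settings.get("ReportWatcherRetry"),
                         settings.get("ReportWatcherPostpone"), age_days)


def demo(age_days: float = 13.0) -> SunburstState:
    """Write the constructed config and a placeholder assembly, backdate it, assess."""
    with tempfile.TemporaryDirectory() as workdir:
        cfg = os.path.join(workdir, "SolarWinds.Orion.Core.BusinessLayer.dll.config")
        dll = os.path.join(workdir, "SolarWinds.Orion.Core.BusinessLayer.dll")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        with open(dll, "wb") as fh:
            fh.write(b"placeholder bytes, not a real assembly")
        # Backdate the write time to simulate an update deployed age_days ago.
        then = time.time() - age_days * SECONDS_PER_DAY
        os.utime(dll, (then, then))
        return assess(cfg, dll)


if __name__ == "__main__":
    for line in demo().findings():
        print(line)
```

On a real host the same two calls run against the installed config and assembly; the value reported for ReportWatcherPostpone is only useful in comparison with a known-clean install, since the text says the sample bit-packs flags into it.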
42. The SolarWinds Attack Framework – Anti-Sandbox Behavior
According to FireEye, unless the infected device is joined to a domain, the malware will not execute:
• The sample checks that the machine is domain-joined, then retrieves the domain name before execution continues
• A 'userID' is generated by computing the MD5 of all network interface MAC addresses that are up and not loopback devices, the domain name, and the registry value 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid’
• The 'userID' is encoded via a custom XOR scheme after the MD5 is calculated
• The 'ReportWatcherPostpone' key of 'appSettings' is then read from ‘SolarWinds.Orion.Core.BusinessLayer.dll.config' to retrieve the initial, legitimate value
• This operation is performed as the sample later bit packs flags into this field and the initial value must be known in order to read out the bit flags
• The sample then invokes the method 'Update', which is the core event loop of the sample
43. The SolarWinds Attack Framework – VMware:
The ‘National Security Agency’ (NSA) released an advisory about CVE-2020-4006: A command injection vulnerability, stating that Russian
state-sponsored actors were actively exploiting the vulnerability and
suggesting US Government agencies patch immediately. This
vulnerability exists in five VMware software products focused on
identity and access management. Exploitation allows attackers to
deploy a ‘web shell’ on the system and gain access to protected data.
This vulnerability can only be exploited by someone who has already
authenticated to the system and indicates that when leveraged, it likely
is used to gain additional access once the attacker is already inside the
networks. More information about CVE-2020-4006 can be found in our
previously released Threat Brief: VMware Command Injection
Vulnerability
44. The SolarWinds Attack Framework - Microsoft / SAML:
Microsoft has published multiple reports on activity related to this attack campaign, including a summary of the backdoor implanted into SolarWinds OrionⓇ (referred to by Microsoft as ‘Solorigate’), as well as guidance for their customers on protecting themselves. They have publicly stated they are working with more than 40 companies who have been targeted in this attack
• One specific component of the attack that Microsoft has discussed in detail is what they have observed in compromised networks with regard to identity infrastructure. Specifically, the attackers have exfiltrated SAML token signing certificates, that allow them to forge tokens and access any resources trusted by those certificates. Microsoft has observed these forged tokens presented to the Microsoft cloud on behalf of their customers
• The impact of a compromise of these certificates implies the attacker gained the highest level of privileges inside the network and used them to establish long-term access to the network
45. The SolarWinds Attack Framework - SUPERNOVA Web Shell:
FireEye’s initial report on the SolarWinds compromise included indicators for a
‘web shell’ they call SUPERNOVA. FireEye has removed those indicators as they no
longer believe they were used as a result of the SolarWinds software compromise.
This ‘web shell’ may not be related, but it is still vital to defend against it
The SolarWinds Attack Framework - MFA Bypass:
The SAML token-forging attack described above would allow an attacker to evade multi-factor authentication systems, as in that case, the authentication system itself is compromised. Volexity published a report about a threat group named Dark Halo who they have now connected to the SolarWinds compromise. Their report describes that the attacker targeted the “integration secret key” used to connect Cisco’s Duo Multi-Factor Authentication (MFA) solution to an Outlook Web Access server. With that key, they were able to pre-compute the token codes necessary for authentication
Similar to the SAML token-forging attack, this MFA bypass requires a significant compromise of the systems used to authenticate users and would have been performed post-compromise to extend the attacker’s access to the network
46. Open Source Code Attacks - Official PHP Server Targeted:
An attacker group gained access to the PHP Git server and added malicious
code so that any PHP server built from a specific version onward would run
attacker-supplied code whenever a request contained the word "zerodium".
Specifically, the code checked whether the HTTP request included the
User-Agent header (HTTP_USER_AGENT) and whether its value began with the
word "zerodium"; if so, it executed the rest of the string as PHP code.
The malicious code was eventually discovered by chance and removed.
To an infosec team, such code might look normal, and the fact that the
malicious code, or part of it, was removed does not mean a full-scale
attack is over. We cannot assume that other programming languages were
not affected as well; attackers do not stop once one attack has been
stopped.
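The slide describes the trigger condition (a User-Agent value beginning with "zerodium") but not how a defender would look for it. The following is an added detection example, not code from the presentation or from the PHP project: it parses web-server access logs in the common "combined" format and flags requests whose User-Agent starts with that word. The log lines are constructed samples, and the case-insensitive match is a deliberate choice to cast a slightly wider net than the prefix check the slide describes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "combined" access log lines; these are not real traffic.
# The second and fourth lines carry the trigger word the slide describes
# (the "payload" after it is a harmless placeholder, not real PHP).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2021:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [28/Mar/2021:10:15:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodium CONSTRUCTED-SAMPLE-PAYLOAD"
198.51.100.2 - - [28/Mar/2021:10:15:09 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [28/Mar/2021:10:15:12 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "ZeroDium probe"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The trigger word from the slide. Matching is case-insensitive so that
# trivially altered variants are also surfaced for review.
TRIGGER_PREFIX = "zerodium"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line into its fields, or None if malformed."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_suspicious_agent(agent: str) -> bool:
    """True when the User-Agent begins with the backdoor trigger word."""
    return agent.lower().startswith(TRIGGER_PREFIX)


def find_suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed fields of every request whose User-Agent matches the trigger."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            # Malformed lines are skipped rather than silently treated as benign;
            # a production collector would count them for visibility.
            continue
        if is_suspicious_agent(fields["agent"]):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["request"]!r} agent={hit["agent"]!r}')
```

A hit is only a signal that a client sent the trigger string, not proof that the server ran a backdoored build; confirming exposure means checking which PHP version and source revision the server was built from. Tested against the constructed sample, the function returns the two lines whose User-Agent begins with the trigger word and ignores the ordinary browser and curl entries.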
47. Additional Past Supply Chain Attacks
• September 2015 – XcodeGhost: An attacker distributed a version of Apple's Xcode software (used to build iOS and macOS
applications), which injected additional code into iOS apps built using it. This attack resulted in thousands of compromised apps
identified in Apple's app store
• March 2016 – KeRanger: Popular open source BitTorrent client, Transmission, was compromised to include macOS ransomware in
its installer. Attackers compromised the legitimate servers used to distribute Transmission, so users who downloaded and installed
the program would be infected with malware that held their files for ransom
• June 2017 – NotPetya: Attackers compromised a Ukrainian software company and distributed a destructive payload with network-
worm capabilities through an update to the "MeDoc" financial software. After infecting systems using the software, the malware
spread to other hosts in the network and caused a worldwide disruption affecting many organizations
• September 2017 – CCleaner: Attackers compromised Avast's CCleaner tool, used by millions to help keep their PC working
properly. The compromise was used to target large technology and telecommunications companies worldwide with a second-stage
payload
• In September 2019, attackers again likely targeted Avast's CCleaner tool after gaining access to Avast's network through a
temporary VPN profile. It is not clear whether or not the same operators from 2017 were involved in this incident
In each case, including the recent SolarWinds compromise, rather than targeting an organization directly through phishing or
exploitation of vulnerabilities, the attackers chose to compromise software developers directly and use the trust we place in them to
access other networks. This can effectively evade certain prevention and detection controls that have been tuned to trust well-known
programs.
This pattern of software supply chain compromises will continue, and security teams cannot afford to ignore them. Protecting against
these attacks is not simple for any enterprise, and those who are responsible for writing and deploying software need to take
responsibility for the integrity of that code.