Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
CI/CD Pipelines Exposed Via Source Code Repository Webhooks
A fascinating PoC developed by Cider Security shows how DevOps software deployment pipelines can be compromised by webhooks they expose so that cloud SaaS source code management systems can trigger internal build events.
Enterprises often establish internal build/test/deploy pipelines using automation servers like Jenkins (https://www.jenkins.io/), but make use of cloud-hosted source code repositories like GitHub and GitLab. In order to automatically push commits from the source repository to the deployment pipeline, these systems support webhooks which trigger actions on the automation server by POSTing a request to a RESTful API. But for this to work, the enterprise firewalls must accept inbound HTTP requests from a particular range of IP addresses owned by the repository host.
A complicating factor is that automation servers are often seen as well-protected since they sit well inside the firewall, but they also carry a large number of poorly-maintained plugins and can remain unpatched for long periods. If an attacker can a) find an exposed automation-server endpoint and b) get the source repository to send cunningly-crafted payloads on their behalf, then they have opened a door to brute-force credentials and then execute Jenkins commands. All kinds of interesting possibilities then follow: compromising code deployed to production systems, pivoting to attack other systems, or even arbitrary remote command execution.
It's not easy - but Cider have shown that - and how - it can be done. Time to take a closer look at those CI/CD pipelines.
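The weak link described above is that a firewall rule keyed on the repository host's IP ranges admits any request that host forwards, not just the hooks you registered. One defensive gate for a webhook receiver, as an added example that is not Cider's or Jenkins' code, is to require both a source-address allowlist and a per-hook shared secret (GitHub's `X-Hub-Signature-256` header carries `sha256=` followed by an HMAC-SHA256 of the raw body); the CIDR range, secret and payload below are constructed.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed allowlist standing in for the SCM vendor's published webhook
# source ranges (assumption: real ranges come from the vendor's documentation).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]


def source_allowed(remote_addr: str) -> bool:
    """True only if the request's source IP falls inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def sign_body(secret: bytes, body: bytes) -> str:
    """Produce the 'sha256=<hex>' value the SCM sends when a secret is configured."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Verify the HMAC header over the raw body using a constant-time compare."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value[len("sha256="):])


def accept_webhook(secret: bytes, remote_addr: str, body: bytes,
                   headers: Dict[str, str]) -> Tuple[bool, str]:
    """Gate a webhook before it is allowed to trigger a build.

    The IP check alone is insufficient: the SCM will relay any webhook one of
    its tenants configures, so only the shared secret proves this hook is ours.
    """
    if not source_allowed(remote_addr):
        return False, "source address not allowlisted"
    if not signature_valid(secret, body, headers.get("X-Hub-Signature-256")):
        return False, "bad or missing signature"
    return True, "ok"
```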
Gil, Omer and Asi Greenholts, How we Abused Repository Webhooks to Access Internal CI Systems at Scale, blog post, 20 September 2022. Available online at https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/.
Morgan Stanley Insecure Asset Disposal Attracts $35 Million Fine
Financial services company Morgan Stanley has been fined $US35 million by the Securities and Exchange Commission for "extensive failures to protect the personal identifying information of approximately 15 million customers". The company agreed to the payment in order to escape a court process which might have had a worse outcome.
In point of fact, Morgan Stanley didn't actually dispose of the old hard drives and network caching devices itself - it had contracted another company to take care of the task. But the company failed to promulgate adequate policies for equipment retirement and data destruction, did not manage the selection of a contractor to perform the task, and had inadequate procedures for assuring secure destruction by the contractor.
Full details are in the administrative proceeding file, linked below, which makes fascinating - and essential - reading.
The lessons are clear:
- You can outsource or delegate responsibility for some security-related functions, but you can't escape accountability and liability
- Device retirement policies should require secure destruction, rather than over-writing and reselling, for media that contains sensitive data, especially PII
- Full-device encryption can aid with compliance, as long as keys are correctly managed
- PII that escapes can show up years later, with expensive consequences
Uncredited, Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers, press release, 20 September 2022. Available online at https://www.sec.gov/news/press-release/2022-168.
United States of America v. Morgan Stanley Smith Barney LLC (respondent), Administrative Proceeding File No. 3-21112, 20 September 2022. Available online at https://www.sec.gov/litigation/admin/2022/34-95832.pdf.
Russian Groups Ramp Up Attacks
As the Russia/Ukraine conflict seems likely to enter a new phase, Ukrainian Defence Intelligence has warned that Russia is preparing massive cyberattacks on critical infrastructure facilities of Ukraine and its allies. Western countries are likely to be collateral damage, if not direct targets, in these campaigns.
Mandiant is tracking multiple self-proclaimed hacktivist groups working for Russia, primarily conducting DDoS attacks and leaking stolen data. Such groups, although claiming independence, seem to be working closely with, or are simply a front for, the Russian state.
The moderators of three Telegram channels - "XaKNet Team", "Infoccentr" and "CyberArmyofRussia_Reborn" - are using GRU-sponsored APT28 (Fancy Bear) tools on Ukrainian victims' networks, leaking their data within 28 hours of wiping activity by APT28.
Meanwhile, Cluster25 researchers have analyzed an infected PowerPoint file which an APT28-affiliated group is using to implant a variant of Graphite malware. The file abuses a code-execution technique that is triggered when the user enters presentation mode and then moves the mouse - this runs a PowerShell script which downloads and executes a dropper from OneDrive, which in turn downloads and injects the Graphite variant.
Cluster25 Threat Intel Team, In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants, blog post, 23 September 2022. Available online at https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/.
Defence Intelligence of Ukraine, !! The occupiers are preparing massive cyberattacks ..., tweet 26 September 2022. Available online at https://twitter.com/DI_Ukraine/status/1574324482277363714.
Mandiant Intelligence, GRU: Rise of the (Telegram) MinIOns, blog post, 23 September 2022. Available online at https://www.mandiant.com/resources/blog/gru-rise-telegram-minions.
Russian Botmaster Requests Extradition to the US
The likely operator of the RSOCKS botnet, 36-year-old Russian national Denis Emelyantsev, a.k.a. Denis Kloster, has been arrested in Bulgaria at the request of US authorities, reports Brian Krebs. In a novel twist, he requested, and was granted, extradition to the US, apparently telling the judge, "America is looking for me because I have enormous information and they need it".
A cynical observer might note that, whether or not he has "enormous information", Russian President Vladimir Putin has instituted a massive conscription program, and this might have factored into his decision.
Krebs, Brian, Accused Russian RSOCKS Botmaster Arrested, Requests Extradition to U.S., blog post, 23 September 2022. Available online at https://krebsonsecurity.com/2022/09/accused-russian-rsocks-botmaster-arrested-requests-extradition-to-u-s/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.