Blog entry by Les Bell

by Les Bell - Saturday, 17 December 2022, 7:23 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Software Supply Chain Poisoned By Phishing Campaigns

Research performed jointly by application security testing firm Checkmarx and open-source supply chain security firm Illustria has brought to light a massive campaign which targets naive end users with compromised packages containing links to phishing campaigns. The threat actors behind the campaign, which appears to be highly automated, published over 144,000 packages to the NuGet, NPM and PyPi repositories - the vast majority to NuGet.

The names of the packages mostly relate to hacking, cheats and free resources, for example "free-steam-codes-generator" and "yalla-ludo-diamond-hack". Victims were also promised increased social media followers or likes. The descriptions of all the packages also contained links to phishing sites - perhaps an attempt to increase the SEO ranking of the phishing sites by linking them to legitimate sites like NuGet.

Over 65,000 unique URLs in 90 domains were used to host realistic and well-designed web pages, some even including fake interactive chatbots that appeared to be delivering the cheats. Generally, however, the victims were asked to perform a 'human verification' process that led them through a maze of sites which asked them social engineering questions, finally redirecting to legitimate e-commerce sites with referral IDs - so that if the victim makes a purchase, the threat actors will earn a commission.
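The two signals the researchers describe - lure-style package names and descriptions that link out to unrelated domains - are cheap to check for in bulk. The following is an added example (not code from the original post, nor from Checkmarx or Illustria) of a triage filter a registry monitor or internal package mirror could run over package metadata. The sample feed, the list of lure terms and the host allow-list are all constructed for illustration; the two lure package names are the ones quoted in the story, and the URLs use reserved .invalid domains.

```python
import re
from urllib.parse import urlparse

# Terms the write-up reports as typical of the campaign's package names
# (constructed list; tune it for your own ecosystem).
LURE_TERMS = ("hack", "cheat", "free", "generator", "codes",
              "followers", "likes", "diamond")

# Hosts a legitimate package description would normally link to
# (constructed allow-list; add your own forges and documentation hosts).
TRUSTED_HOSTS = {"github.com", "gitlab.com", "readthedocs.io",
                 "nuget.org", "pypi.org", "npmjs.com"}

URL_RE = re.compile(r"https?://[^\s)\]>\"']+")


def extract_hosts(text):
    """Return the lower-cased host of every http(s) URL found in text, in order."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_trusted(host):
    """True if host is an allow-listed host or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def assess_package(pkg):
    """Return the reasons a package record looks like a lure (empty list = nothing stood out).

    pkg is a dict with at least 'name' and 'description' keys.
    """
    reasons = []
    name = pkg["name"].lower()
    hits = [t for t in LURE_TERMS if t in name]
    # A single term ("free", say) is common in honest names; require two.
    if len(hits) >= 2:
        reasons.append("lure-style name (terms: %s)" % ", ".join(hits))
    untrusted = sorted({h for h in extract_hosts(pkg.get("description", ""))
                        if not is_trusted(h)})
    if untrusted:
        reasons.append("description links to untrusted host(s): %s" % ", ".join(untrusted))
    return reasons


def triage(feed):
    """Map each flagged package name to its list of reasons; clean packages are omitted."""
    flagged = {}
    for pkg in feed:
        reasons = assess_package(pkg)
        if reasons:
            flagged[pkg["name"]] = reasons
    return flagged


# Constructed sample of registry metadata records.
SAMPLE_FEED = [
    {"name": "free-steam-codes-generator",
     "description": "Get your codes now! https://example-lure.invalid/verify"},
    {"name": "yalla-ludo-diamond-hack",
     "description": "Unlimited diamonds: http://cheats.example-lure.invalid/"},
    {"name": "requests-helper",
     "description": "Thin wrapper. Docs: https://github.com/example/requests-helper"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_FEED).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Neither signal is proof on its own - plenty of honest packages link to a personal site, and "free" turns up in many legitimate names - so the filter is meant to rank records for a human or a second-stage check, not to block automatically. Feeding it the daily new-package list from a registry, rather than a static snapshot, is what makes a highly automated campaign like this one visible early.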

Harush, Jossef, How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links, blog post, 14 December 2022. Available online at https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links/.

Microsoft Reclassifies SPNEGO Vuln as Critical - Patch Now

SPNEGO is the Simple and Protected Negotiation Protocol - part of the 'plumbing' that goes around Active Directory, Kerberos and similar authentication protocols to allow negotiation of the security mechanism to be used. In the Windows world, it is used by application protocols like SMB (Server Message Block) and RDP (Remote Desktop Protocol), among others, to select the appropriate authentication mechanism from those supported by both client and server.

Also in the Windows world, it is the subject of a vulnerability which Microsoft patched back in September. At that point, CVE-2022-37958 was categorised as an information disclosure vulnerability. However, IBM X-Force Red Security researcher Valentina Palmiotti discovered that the vulnerability could allow unauthenticated attackers to remotely execute code.

Successful exploitation might require multiple attempts, and so its CVSS 'exploit complexity' rates as High, meaning that with all other categories at the highest level, the overall CVSS score of this vulnerability is 8.1, and Microsoft has reclassified the vulnerability as 'Critical'. In order to give users time to patch, IBM will not release full technical details until at least April 2023.

Thompson, Chris, Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism, IBM Security Intelligence blog, 13 December 2022. Available online at https://securityintelligence.com/posts/critical-remote-code-execution-vulnerability-spnego-extended-negotiation-security-mechanism/.

GitHub Requires 2FA From March 2023

During 2023 GitHub is going to gradually roll out a requirement for developers to use two factor authentication. Over the year, distinct groups of users will be required to enable 2FA; the gradual rollout will enable GitHub to make adjustments as larger groups are enrolled to 2FA later in the year.

The exact criteria GitHub will use to allocate membership in these groups will not be made public, but broadly the criteria are:

  • Users who published GitHub or OAuth apps or packages
  • Users who created a release
  • Users who are Enterprise and Organization administrators
  • Users who contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems
  • Users who contributed code to approximately the top four million public and private repositories

Users will start receiving reminders 45 days before the 2FA deadline, and will have a week to enroll, after which they will be blocked from accessing GitHub until 2FA is enabled.

Swanson, John, Raising the bar for software security: next steps for GitHub.com 2FA, blog post, 14 December 2022. Available online at https://github.blog/2022-12-14-raising-the-bar-for-software-security-next-steps-for-github-com-2fa/.

Examples of Cloud Credential Abuse

A short article from Palo Alto Networks' Unit 42 provides a couple of examples of how attackers are able to leverage stolen cloud service API credentials to pursue objectives such as phishing, cryptomining and data theft.

Alon, Dror, Compromised Cloud Compute Credentials: Case Studies From the Wild, blog post, 8 December 2022. Available online at https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/.

Saturday Funny

No comment about the dangers of the Internet of Things is required; just see https://twitter.com/vxunderground/status/1603508551569252360. Shodan.io FTW!

Happy Holidays!

This will be the last security news headlines blog post for 2022, as we take a break for the holiday season. We'll be back in January, although we may post before then if there are any major news events. Until then, we wish all readers a happy holiday season!


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
