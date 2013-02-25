from the code-bucket dept.
Surprise surprise, we've done it again. We've demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, supply chains, software development systems and environments, and more:
Arguably armed still with a somewhat inhibited ability to perceive risk and seemingly no fear, in November 2024, we decided to prove out the scenario of a significant Internet-wide supply chain attack caused by abandoned infrastructure. This time however, we dropped our obsession with expired domains, and instead shifted our focus to Amazon's S3 buckets.
It's important to note that although we focused on Amazon's S3 for this endeavour, this research challenge, approach and theme is cloud-provider agnostic and applicable to any managed storage solution. Amazon's S3 just happened to be the first storage solution we thought of, and we're certain this same challenge would apply to any customer/organization usage of any storage solution provided by any cloud provider.
The TL;DR is that this time, we ended up discovering ~150 Amazon S3 buckets that had previously been used across commercial and open source software products, governments, and infrastructure deployment/update pipelines - and then abandoned.
Naturally, we registered them, just to see what would happen - "how many people are really trying to request software updates from S3 buckets that appear to have been abandoned months or even years ago?", we naively thought to ourselves.
[...] These S3 buckets received more than 8 million HTTP requests over a 2-month period for all sorts of things -
- Software updates,
- Pre-compiled (unsigned!) Windows, Linux and macOS binaries,
- Virtual machine images (?!),
- JavaScript files,
- CloudFormation templates,
- SSLVPN server configurations,
- and more.
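The defender's counterpart to the list above is knowing which bucket names your own build and update scripts still fetch from, so each can be checked against the buckets your account actually controls and any fetch that is used without an integrity check can be fixed. The following is an added example, not code from the watchTowr write-up; the scripts, bucket names and pinned digest are constructed for illustration.

```python
import re

# Constructed stand-ins for real CI / updater scripts (bucket names are made up).
SAMPLE_SCRIPTS = {
    "update.sh": "curl -fsSL https://acme-updates.s3.amazonaws.com/agent-2.1.tgz -o agent.tgz\n"
                 "tar xzf agent.tgz && ./agent/install.sh\n",
    "deploy.yml": "template: https://s3.amazonaws.com/acme-cfn-templates/stack.json\n"
                  "sha256: 0123456789abcdef  # placeholder for a pinned digest\n",
    "fetch.py": "s3.download_file('acme-build-cache', 'tool.bin', '/usr/local/bin/tool')\n",
    "sync.sh": "aws s3 cp s3://acme-updates/manifest.json . --region eu-west-1\n",
}

# Bucket names appear in several common spellings; each regex captures the name.
BUCKET_PATTERNS = [
    re.compile(r"https?://([a-z0-9][a-z0-9.-]*)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/"),  # virtual-hosted
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9][a-z0-9.-]*)/"),   # path-style
    re.compile(r"\bs3://([a-z0-9][a-z0-9.-]*)/"),                                           # s3:// URI
    re.compile(r"download_file\(\s*['\"]([a-z0-9][a-z0-9.-]*)['\"]"),                       # boto3 call
]
# Crude hint that a script verifies what it fetched before using it.
INTEGRITY_HINT = re.compile(r"sha256|sha512|gpg --verify|cosign verify|--checksum", re.I)


def inventory(scripts):
    """Return {bucket: {"files": [...], "unverified": [...]}} for a name->text mapping.

    Every bucket listed must be confirmed as still owned by your account: a name
    nobody owns can be re-created by anyone and is then served to every client
    that still references it.  'unverified' lists files that fetch from the bucket
    with no integrity check, where such a takeover turns directly into code execution.
    """
    report = {}
    for fname, text in scripts.items():
        checks = INTEGRITY_HINT.search(text) is not None
        for pat in BUCKET_PATTERNS:
            for bucket in pat.findall(text):
                entry = report.setdefault(bucket, {"files": set(), "unverified": set()})
                entry["files"].add(fname)
                if not checks:
                    entry["unverified"].add(fname)
    return {b: {k: sorted(v) for k, v in e.items()} for b, e in sorted(report.items())}


if __name__ == "__main__":
    for bucket, info in inventory(SAMPLE_SCRIPTS).items():
        print(f"{bucket}: referenced in {info['files']}; no integrity check in {info['unverified']}")
```

Run it over a real checkout and treat every reported bucket as a question for the cloud account owners, not as an answer; the integrity heuristic only flags the obvious cases.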
The article goes on to describe where the requests came from and provides some details on getting the word to the right companies and what actions they took. Originally spotted on Schneier on Security.
Related Stories
While app development is faster and easier, security is still a concern:
In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four of 17 industries studied – computer hardware and chips, cybersecurity, energy and clean tech, and the Internet of Things (IoT) – open source software (OSS) was in 100 percent of audited codebases. The other verticals had open source in at least 93 percent of theirs. It can help drive efficiency, cost savings, and developer productivity.
"Open source really is everywhere," Fred Bals, senior technical writer at Synopsys, wrote in a blog post about the report.
That said, the increasing use of open source packages in application development also creates a path for threat groups that want to use the software supply chain as a backdoor to myriad targets that depend on it.
The broad use of OSS packaging in development means that often enterprises don't know exactly what's in their software. Having a lot of different hands involved increases complexity, and it's hard to know what's going on in the software supply chain. A report last year from VMware found that concerns about OSS included having to rely on a community to patch vulnerabilities, and the security risks that come with that.
Varun Badhwar, co-founder and CEO of Endor Labs – a startup working to secure OSS in app development – called it "the backbone of our critical infrastructure." But he added that developers and executives are often surprised by how much of their applications' code comes from OSS.
Badhwar noted that 95 percent of all vulnerabilities are found in "transitive dependencies" – open source code packages that are indirectly pulled into projects rather than selected by developers.
[...] Developers pull the source components together and add business logic, Fox told The Register. This way, open source becomes the foundation of the software. What's changed in recent years is the general awareness of it – not only among well-meaning developers that are creating the software from these disparate parts.
"The attackers have figured this out as well," he said. "A big notable change over the last five or so years has been the rise of intentional malware attacks on the supply chain."
The threat is potentially grave because it could be used in supply-chain attacks:
A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January.
A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn't have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account.
While exploits require no user interaction, hijackings work only against accounts that aren't configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.
On Wednesday, the US Cybersecurity and Infrastructure Security Agency said it is aware of "evidence of active exploitation" and added the vulnerability to its list of known exploited vulnerabilities. CISA provided no details about the in-the-wild attacks. A GitLab representative declined to provide specifics about the active exploitation of the vulnerability.
The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2020 and pushed malware to more than 18,000 of its customers, 100 of whom received follow-on hacks. Other recent examples of supply chain attacks are here, here, and here.
[...] GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.
The Biden administration on Friday hosted telco execs to chat about China's recent attacks on the sector, amid revelations that US networks may need mass rebuilds to recover.
Details of the extent of China's attacks came from senator Mark R Warner, who on Thursday gave both The Washington Post and The New York Times insights into info he's learned in his role as chair of the Senate Intelligence Committee.
Warner told the Post, "my hair is on fire," given the severity of China's attacks on US telcos. The attacks, which started well before the US election, have seen Middle Kingdom operatives establish a persistent presence – and may require the replacement of "literally thousands and thousands and thousands" of switches and routers.
The senator added that China's activities make Russia-linked incidents like the SolarWinds supply chain incident and the ransomware attack on Colonial Pipeline look like "child’s play."
Warner told The Times the extent of China's activity remains unknown, and that "The barn door is still wide open, or mostly open."
[...] For what it's worth, China claims the US makes this stuff up – but hasn't offered an alternative explanation.
The day after Warner chatted to the newspapers, the Biden administration’s national security advisor Jake Sullivan and deputy national security advisor for cyber and emerging technology Anne Neuberger met with telecom execs. According to a White House readout of the chat, they used the opportunity to "share intelligence and discuss the People's Republic of China's significant cyber espionage campaign targeting the sector."
Which rather suggests there's more info about this situation that's not available to the public.