Threat Report

This week we’re focusing on breaches. How would you know if you’ve been breached? How would a breach impact your enterprise?

Major brands are paying fines for past breaches and technology providers are unaware of compromise – this could impact the viability of their business. We be doing everything we can to be good stewards and detect lingering threats.

Major brands fined for fairly recent breaches

Two large enterprises are ordered to pay fines this week. Over the last year these companies were hacked and now it’s time to pay their GDPR bills.

In a previous threat report, we talked about a breach at British Airways by Magecart, in which a skimmer was installed on the e-commerce checkout for the site. Fines have been assessed in that case and British Airways has been ordered to pay $230 million.

Another story we previously covered, Marriott, is having some fines announced this week and have inherited a breach as a result of their merge and acquisition with Starwood. Marriott has been ordered to pay $123 million.

Large enterprises can afford to absorb these large fines, however for many SMBs this would be a company ending event. Even if insurance policies cover the remediation and fines associated with a breach, some enterprises could be put out by the increase in insurance rates.

Implanting backdoors for persistence and C2

Threat actors are looking to implant code into your software stack. A popular Ruby module was backdoored by one threat actor, and a cheeky rogue created 11 repos in Canonical’s Ubuntu GitHub, demonstrating the ability to alter Ubuntu’s source code.

A diligent developer using the Ruby gem Strong Password noticed a backdoor had been added to the module in an undocumented change to the software. It is unclear how many installations are actively using this module; however, it is a popular Ruby gem. Any software that depends on this module and is using this backdoored version should be considered breached.

The developer of the module explains how this could have happened, “As already hypothesized in the comments I’m pretty sure this was a simple account hijack. The kickball user likely cracked an old password of mine from before I was using 1password that was leaked from who knows which of the various breaches that have occurred over the years.” In further details, “I released that gem years ago and barely remembered even having a rubygems account since I’m not doing much OSS work these days. I simply forgot to rotate out that old password there as a result which is definitely my bad.”

No harm no foul for Ubuntu? The repository for the Ubuntu Linux distribution was hacked and modified by an unknown actor.

Although no malicious changes were made to the Ubuntu source code, it does show that an unauthorized user was able to modify files. The fact that this was not used for a malicious purpose is irrelevant.

This is a failure of Canonical’s security. Ubuntu is run on a large number of computers and the potential impact of a security failure like this could have been immense.

“We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities,” the Ubuntu security team said in a statement.

“Canonical has removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected,” the team explained.

“Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.”

According to a mirror of the hacked Canonical GitHub account, the hacker created 11 new GitHub repositories in the official Canonical account. The repositories were empty.

Access auctioned in active breaches

There are active breaches that have yet to be discovered by their respective enterprises. On underground forums, threat actors are auctioning access (with a buy now option) to breached companies.

In a recently announced auction, access to a large point of sale software company is on the block. The threat actor, amiak, is auctioning access to a server from a company that provides Point of Sale (POS) software to about 40,000 clients.

amiak claims to have admin access for MSSQL, RDP, and a Web shell. Also, the threat actor stated that from this server, (s)he was able to access physical POS terminals and successfully install malware on them.

The opening bid for the auction is $5,000, or access can be purchased directly for $50,000.

Problematic policy on security training videos

When we should be raising security awareness, we are making it harder for people to learn about security. Youtube’s recent policy change is problematic for raising the overall awareness on security.

Youtube now explicitly bans videos that depict “instructional hacking”, which is defined as videos that are “Showing users how to bypass secure computer systems or steal user credentials or personal data.”

Instructional hacking videos or demonstrations of vulnerabilities is not inherently bad or extremely dangerous.

This might as well be banning public vulnerability disclosure. This does not make people safer. We need to work together and share information to have a chance on defense. This includes having a good understanding of attack techniques. If this is Youtube’s policy, we should have a hacktube service that explicitly allows these instructional hacking videos.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday July 3rd 2019