Security

Another Codecov supply chain attack victim has come forward, and this time it’s cloud communications provider Twilio.

Twilio posted a blog Tuesday disclosing that a “small number” of customer emails had “likely been exfiltrated by an unknown attacker” who cloned Twilio’s code repositories on GitHub in mid-April. The company further connected the activity to the Codecov breach disclosed last month.

“On April 22, 2021, we received a notification from GitHub.com that suspicious activity had been detected related to the Codecov event and a Twilio user token that had been exposed,” the blog read. “GitHub.com had identified a set of GitHub repositories that had been cloned by the attacker in the time before we were notified by Codecov.”

The blog post explained that Twilio uses Codecov code coverage tools, including the compromised Bash Uploader script, in a small number of its projects.

After they identified the suspicious activity and found that some customer emails had been in the repositories, they initiated a security response that included a review of their security, notifying customers with exposed information and rotating all “potentially exposed credentials and secrets.” The post concluded by saying that they have no indication that any other customer data was accessed or at risk.

In a section of the blog post titled “What are we doing to prevent similar issues in the future?” the cloud communications provider said that it uses “a robust third-party security team” to evaluate vendors, both new and existing.

“This process ensures our technology supply chain always meets our standards for security. When we become aware of an incident or vulnerability within that supply chain, we move quickly to remediate the issue or remove the software from our environment,” the post read.

It is unclear whether Twilio has removed Codecov or dropped it as a vendor.

SearchSecurity asked Twilio whether the company had any indication regarding the attacker’s identity; the spokesperson declined to comment.

Twilio marks the second known company to disclose a security incident related to the supply chain attack involving Codecov. Cloud infrastructure vendor HashiCorp disclosed a breach on April 22. Like Twilio, a key part of the company’s response involved rotating relevant credentials.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Emerging cyberattacks and threats

The Center for Internet Security provides consensus-based, vendor-agnostic configuration standards for the cloud. Known as CIS Foundations Benchmarks, these best practices were developed to help organizations secure public cloud environments at the account level.

Security leaders and cloud engineering teams can use the CIS benchmarks for cloud security in a couple of ways. First, referencing independent standards of best practice security controls and configuration settings can aid in defining internal requirements for secure cloud deployments. This is imperative when defining and ratifying policies and standards that all business units and IT operations teams are expected to adhere to in their own cloud accounts and subscriptions. Second, the benchmarks can help organizations develop a continuous monitoring and reporting strategy for cloud control plane and asset compliance.

How implementation improves security

Public cloud customers can experience both immediate and lasting benefits from implementing CIS benchmarks for cloud security. Short-term payoffs include an improved security posture and a reduced amount of vulnerabilities in common cloud asset categories, such as VMs and other workloads. Implementing the framework can also scale down the immediate attack surface tied to exposed and potentially misconfigured cloud control plane services.

Long-term benefits include an improved security posture overall within an organization’s cloud environment, as well as enhanced monitoring and reporting on configuration. This enables the development of more accurate metrics and reporting on vulnerabilities, thus driving improvements in both security and operational efficiency.

Many question whether the CIS cloud security framework should be considered an advanced end goal or more of a security starting point. In many ways, the answer is both. CIS benchmarks are created with two tiers of recommendations. Level 1 recommendations are intended to provide immediate security benefits. They are relatively practical, simple to implement and rarely inhibit or break cloud service or asset functionality in any way. Level 1 benchmark items should be the starting point for all organizations and are widely considered baseline best practices that can be enabled quickly and easily by almost anyone.

Level 2 items, however, provide stronger security capabilities and a more layered defense-in-depth posture. CIS cloud security controls at this level may lead some services or assets to perform poorly or even break in some scenarios. Organizations subject to stringent security requirements may regard Level 2 CIS benchmark items as short-term goals, but most will pursue them as part of a longer-range strategy.

Scope of CIS Foundations for public cloud

Currently, CIS benchmarks are available to download for each of the following public cloud environments:

Alibaba Cloud
AWS
Google Cloud Platform
Google Workspace
IBM Cloud
Microsoft Azure
Oracle Cloud Infrastructure

Though CIS benchmarks for one given platform may vary from those of other platforms, there are notable commonalities. All CIS benchmarks for the public cloud have similar suggested categories of control, ranging from VM workload security to storage and data security settings to privileged access control.

CIS cloud security control recommendations

Among the most universal and actionable recommendations from CIS are the following:

Create secure cloud workloads that adhere to industry best practices and hardening standards. Store and monitor these new images.
Enable cloud control plane logging via tools such as AWS CloudTrail or Google Cloud’s operations suite (formerly Stackdriver) to provide visibility into all API calls made within a cloud service account. Additionally, cloud-native monitoring and alerting should be configured and enabled.
Enable strong authentication to any cloud administration interfaces, including the web portal or command line. Implement least privilege identity policies for different cloud operations roles.
Enable encryption and other data protection measures for cloud storage services.
Secure cloud-native network access controls to minimize access and enable network flow data to monitor network behavior.

How the CIS cloud security framework can improve

Large cloud service environments are evolving at an increasingly rapid pace. Though CIS Foundations Benchmarks cover the core fundamentals of cloud security controls and configuration, more frequent updates to the consensus-based guidelines would help better serve organizations by providing the most current guidance.

Additionally, aligning the benchmarks with industry attack models and frameworks, such as Mitre ATT&CK for cloud, would help educate stakeholders on which controls can protect them in real-world cloud attack scenarios.

Dig Deeper on Cloud Computing Frameworks and Standards

U.S. defense contractor BlueForce has apparently been hit in a ransomware attack, according to a Conti ransomware chat and Hatching Triage sample.

The Hatching Triage page for the ransomware sample included a ransom note claiming to be from a threat actor who infected the victim with the Conti ransomware strain. The sample was shared with SearchSecurity by TechTarget sister site LeMagIT.

“All of your files are currently encrypted by CONTI strain,” the note read. “As you know (if you don’t – just “google it”), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software — the files might be damaged, so if you are willing to try — try it on the data of the lowest value.”

The note included both a standard URL and a .onion link to an active chat between a Conti operator and a negotiator who claimed to be from BlueForce Inc., a Virginia-based defense contractor that aims to “create and further develop the nexus between DoD [Department of Defense] and DoS [Department of State] with a skillfully blended mix of cross functional defense, interagency and international development expertise” according to its website.

A chat between Conti ransomware operators and a negotiator claiming to represent BlueForce Inc. The threat actor demanded 17 bitcoins — nearly $1 million as of this writing.

The chat’s original message from the ransomware operator, dated April 9, asks if the victim is ready to negotiate. Over two weeks later, the supposed victim replies, saying “please help, my files are encrypted!!!” After the ransomware operator asked the victim to identify themselves, someone in the chat responded Thursday morning and identified themselves as BlueForce and asked for next steps, as well as whether any data had been encrypted.

The threat actor responded in the affirmative and demanded 17 bitcoins (worth nearly $969,000 as of this writing). In addition, the response included a list and data pack of files in order to verify that Conti had breached the company and exfiltrated data. The chat has not been updated since.

BlueForce did not respond to SearchSecurity’s request for comment.

Conti ransomware was first reported in mid-2020, and like many other modern ransomware families, it extorts victims by not only encrypting data, but threatening to publish it, too. Recent Conti victims include a number of London schools, as well as fashion retailer FatFace. It was also a member of the Maze ransomware cartel when it was active.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Emerging cyberattacks and threats

A popular Python developer tool could also become a potent malware accessory, according to new research.

A group of researchers from the University of Piraeus in Greece said that PyInstaller, a tool intended to convert Python code into standalone applications, is capable of creating malware payloads that are able to slip past many of the most widely used antivirus programs and get their malicious code up and running before being flagged and terminated.

This means that, rather than spend the extensive time and money required to obfuscate code and create an untraceable malware packer from scratch, cybercriminals would be able to take advantage of the most popular Python application builder to create packers that are not caught in scans.

“Interestingly, our approach to generating the malicious executables is not based on introducing a new packer but on the augmentation of the capabilities of an existing and widely used tool for packaging Python, PyInstaller but can be used for all similar packaging tools,” wrote Vasilios Koutsokostas and Constantinos Patsakis in the research paper, which was published this week. “As we prove, the problem is deeper and inherent in almost all antivirus engines and not PyInstaller specific.”

Patsakis told SearchSecurity that the team went into the research knowing that antivirus engines already have a problem properly handling Python applications. In many cases, apps based on Python produce false positives. The extent of the issue, however, was never really understood.

“From the very beginning we knew that something quite wrong was happening as all applications were flagged as malicious,” Patsakis explained. “This kind of bias implies that AVs were not scanning the packages that PyInstaller produces properly, but due to the wide use of Python, we did not expect the reason being the Python bytecode.”

The issue lies in how PyInstaller turns Python code into executables. Because Python is a scripting language, PyInstaller does not compile the code in the traditional sense. Rather, it bundles all the libraries and other components the Python code requires into .pyc files and compressed archives. When the bundled application is launched, a bootloader is spun up and those dependencies are unpacked into a temporary folder and called as needed.

Those .pyc files, as it turns out, are extremely difficult for most modern antimalware tools to effectively scan. In many cases, the University of Piraeus duo found that when an individual .pyc file was scanned through the VirusTotal scanning suite, it was not properly analyzed and in many cases code that would normally be flagged as malicious was instead passed through.

In one example, the pair slipped in code for a reverse shell into a .pyc file through PyInstaller and inserted the same code into a JavaScript file and an uncompressed Python script. The JavaScript file was detected four times more often than the Python code. More importantly, the reverse shell code in the .pyc file went completely undetected by the full suite of AV tools in Virus total. This was all done out in the open, with no code obfuscation.

“There are many ways to bypass static analysis so in this sense finding a new AV bypass was not surprising,” Patsakis explained.

“The surprising part was that we did not have to actually hide the payload, which for a scripting language like Python was rather unexpected.”

What is more concerning, the researchers said, is that this problem is not simply a quirk of PyInstaller but reflective of a larger issue among security tools. It seems that there is a blind spot in many commercial antimalware tools when it comes to the way Python bytecode is handled and scanned.

Fortunately, a fix for the problem is not particularly difficult. The researchers believe that most commercial AV vendors are well-equipped to add support for Python bytecode into their scanning and antimalware detection tools. Once those features are added, consistently stopping Python-based malware would be feasible.

“The fix for AVs is not something difficult to apply, as .pyc are not hard to process and new rules can be added to their arsenal,” Patsakis said. “Therefore, we expect fixes to be soon applied from all AVs.”

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

The benefits of Python are plenty, but it’s not for everyone

With Packer, VM template creation is easy

How to automate Windows 10 imaging with Packer

Use Packer for Windows to enhance machine image automation