The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance to help organizations improve their defenses against software supply chain attacks.

The guidance document – Defending Against Software Supply Chain Attacks – explains the three most common methods that threat groups use in supply chain attacks along with in-depth recommendations for software customers and vendors for prevention, mitigation, and improving resilience against software supply chain attacks.

Like many supply chain attacks, the recent SolarWinds Orion attack involved hijacking the software update mechanism of the platform to deliver a version of the software with malicious code that provided the attackers with persistent access to the solution on more than 18,000 customers’ systems, with the attackers then cherry picking targets of interest for more extensive compromises. This was also the method used by the threat group behind the NotPetya wiper attacks in 2017. The software update mechanism used by a popular tax accounting software in Ukraine was hijacked to gain control of the software for use in destructive attacks.

It is also common for attackers to undermine the code signing process to hijack software update mechanisms to deliver malicious code. This is often achieved by self-signing certificates and exploiting misconfigured access controls to impersonate trusted vendors. CISA reports that the Chinese advanced persistent threat group APT41 commonly undermines code signing in its sophisticated attacks in the United States.

The third most common method used in supply chain attacks is to target publicly accessible code libraries and insert malicious code, which is subsequently downloaded by developers. In May 2020, GitHub, the largest platform for open source software, discovered 26 open source projects had been compromised as a result of malicious code being injected into open source software. Blocks of open source code are also commonly used in privately owned software solutions and these too can be easily compromised.

Software supply chain attacks are time consuming and resource intensive and usually require long-term commitment. While criminal threat actors have successfully conducted supply chain attacks, they are more commonly conducted by state sponsored advanced persistent threat groups that have the intent, capabilities, and resources for prolonged software supply chain attack campaigns.

These attacks can allow large numbers of organizations to be compromised by attacking just one. Organizations are vulnerable to these attacks as they give software vendors privileged access to their systems to allow them to operate effectively. Vendors need regular communication with installed software solutions to provide updates to improve security against emerging threats and to fix vulnerabilities. If a vendor is compromised, the attackers can bypass security measures such as firewalls and gain persistent access to all customers’ systems.

The guidance document provides several recommendations and tips for using NIST’s Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF). Organizations can greatly improve resilience to software supply chain attacks by operating software within a C-SCRM framework with a mature risk management program.

“A mature risk management program enables an organization to understand risks presented by ICT products and services, including software, in the context of the mission or business processes they support. Organizations can manage such risks through a variety of technical and non-technical activities, including those focused on C-SCRM for software and the associated full software lifecycle,” explained NIST.

The guidance details 8 best practices for establishing a C-SCRM approach and applying it to software:

1. Integrate C-SCRM across the organization.
2. Establish a formal C-SCRM program.
3. Know and manage critical components and suppliers.
4. Understand the organization’s supply chain.
5. Closely collaborate with key suppliers.
6. Include key suppliers in resilience and improvement activities.
7. Assess and monitor throughout the supplier relationship.
8. Plan for the full lifecycle.

Even when this approach is adopted, it is not possible to prevent all supply chain attacks so it is essential for other steps to be taken to mitigate vulnerable software components.

Organizations should develop a vulnerability management program and reduce the attack surface through configuration management. This includes placing configurations under change control, conducting security impact analyses, implementing manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintaining an information system component inventory. Steps should also be taken to increase resilience to a successful exploit and limit the harm that can be caused to mission critical operations, personnel and systems in the event of a successful attack.

The post CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks appeared first on HIPAA Journal.

At least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products, according to a recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). While there has not been an official attribution, the threat actor has been linked to China by some security researchers and targets have included government, defense, financial, and critical infrastructure organizations.

FireEye has been tracking the malicious activity and reports that at least 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks have involved the harvesting of credentials to allow lateral movement within victim networks and the use of scripts and the replacement of files to achieve persistence.

Several entities have now confirmed that they have been attacked after they identified malicious activity using the Pulse Connect Secure Integrity Tool. Access has been gained to Pulse Connect Secure appliance by exploiting multiple vulnerabilities including three vulnerabilities that were disclosed in 2019 and 2020 and one recently disclosed zero-day vulnerability. Patches have been available for several months to fix the first three vulnerabilities – CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243; however, a patch has yet to be released to correct the most recently disclosed zero-day vulnerability – CVE-2021-22893.

The CVE-2021-2893 authentication bypass vulnerability has received the maximum CVSS vulnerability severity score of 10/10. Ivanti published a security advisory about the new vulnerability on April 20, 2021. Exploitation of the flaw allows a remote unauthenticated attacker to execute arbitrary code in the Pulse Connect Secure Gateway. The flaw is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, although this has yet to be confirmed by Ivanti. The vulnerability affects Pulse Connect Secure 9.0R3 and higher.

At least one threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat actor to bypass authentication and multi-factor authentication controls, log passwords, and gain persistent access to the appliance even after the patches have been applied.

Ivanti and CISA strongly advise all users of the vulnerable Pulse Connect Secure appliances to apply the patches immediately to prevent exploitation and to implement the mitigations recently published by Ivanti to reduce the risk of exploitation of the CVE-2021-22893 vulnerability until a patch is released. The workaround involves deleting two Pulse Connect Secure features – Windows File Share Browser and Pulse Secure Collaboration – which can be achieved by importing the workaround-2104.xml file. A patch is expected to be released to correct the CVE-2021-22893 in May 2021.

Since patching will not block unauthorized access if the vulnerabilities have already been exploited, CISA strongly recommends using the Pulse Connect Secure Integrity Tool to investigate whether the vulnerabilities have already been exploited.

CISA has issued an emergency directive requiring all federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances, deploy and run the Pulse Connect Secure Integrity Tool to identify malicious activity, and apply the mitigation against CVE-2021-22893. The actions must be taken by 5 pm Eastern Daylight Time on Friday, April 23, 2021.

The post Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw appeared first on HIPAA Journal.

The global COVID-19 vaccine cold chain continues to be targeted advanced persistent threat groups, according to an updated report from IBM Security X-Force. X-Force researchers previously published a report in December 2020 warning that cyber adversaries were targeting the COVID-19 cold chain to gain access to vaccine data and attacks continue to pose a major threat to vaccine distribution and storage.

There are currently more than 350 logistics partners that are part of the cold chain and are involved in the delivery and storage of vaccines at low temperatures. Since the initial report was published on cold chain phishing attacks, IBM X-Force researchers have identified a further 50 email message files tied to spear phishing campaigns, which have targeted 44 companies in 14 countries throughout Europe, the Americas, Africa, and Asia.

The companies being targeted underpin the transport, warehousing, storage, and distribution of COVID-19 vaccines, with the most targeted organizations involved in transportation, IT and electronics, and healthcare such companies in biomedical research, medical manufacturing, and pharmaceutical and hygiene services.

Threat actors, believed to be backed by nation states, have expanded their campaigns and are using spear phishing emails to steal credentials of CEOs, global sales officers, purchasing managers, HR officers, heads of plant engineering and others to gain privileged insight into national Advance Market Commitment (AMC) negotiations related to the procurement of vaccines, time tables for distribution, information on the passage of vaccines through nations and territories, export controls and international property rights, World Trade Organization (WTO) trade facilitation agreements, technical vaccine information, and other sensitive data.

The threat group behind this campaign appears to have an in depth understanding of the vaccine cold chain. The emails used in the spear phishing campaign impersonate an executive from the Chinese biomedical company, Haier Biomedical, which is the world’s only complete cold chain provider.

The emails request price quotations for service contracts regarding the Cold Chain Equipment Optimization Platform (CCEOP) program and reference products such as a solar-powered vaccine refrigerator and ice-lined refrigerator from the Haier Biomedical product line. The emails also mention organizations involved in petrochemical production and the manufacturing of solar panels that aligns with those products, and the language used in the email reflects the educational background of the sender that is spoofed in the signature block.

The emails have malicious HTML attachments which are opened locally, with the user requested to provide their credentials to view the file. If credentials are entered, they are captured and exfiltrated to the attackers’ command and control server.

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

With vaccine nationalism and global competition related to access to vaccines, attacks that disrupt the cold chain were inevitable. While the researchers have not been able to attribute the campaign to any threat group, there is a strong likelihood that this is a nation state operation.

If the cold chain is disrupted it could result in delays delivering the vaccines or could disrupt the conditions required for safe vaccine transport and storage, which could render the vaccines unsafe or useless. IBM has published Indicators of Compromise in its report to help organizations in the COVID-19 cold chain protect against attacks.

The post COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups appeared first on HIPAA Journal.