The Good, the Bad and the Ugly in Cybersecurity – Week 37

The Good | CISA Announces Open Source Software Security Roadmap

Open Source Software (OSS) underpins much of the products and services we all take for granted, including within the federal government and across the critical infrastructure sector. When a vulnerable piece of OSS is exploited by threat actors, supply chain attacks can have widespread and costly consequences, just ask Equifax or SolarWinds customers, or any admin that had to hunt down Log4j in their environments. Good to hear, then, that this week, CISA has announced its Open Source Software Security Roadmap.

The roadmap sets out how CISA will help support the secure use and development of OSS both within and outside the federal government. Identifying the cascading effects of OSS vulnerabilities and the malicious compromise of OSS components to create downstream compromises as the primary threats, CISA has laid out four key objectives in the roadmap published this week.

  • Establish CISA’s role in supporting OSS security
  • Drive visibility into OSS usage and risks
  • Reduce risks to Federal Government
  • Harden the OSS ecosystem

Hardening the open security software ecosystem in particular is a goal that can have far-reaching impacts for all. CISA says its goal is to foster security education for OSS developers as well as to coordinate vulnerability disclosure and response. This includes establishing processes to look for upstream issues in open source packages and quickly notify affected users of any identified vulnerabilities.

Over 5000 vulnerabilities have been identified in OSS software in the last 5 years alone and attempts to address the issue have lacked direction. CISA taking an active and prominent role in furthering OSS security, itself an outcome of the National Cybersecurity Strategy announced earlier this year, is a positive step that should be broadly welcomed.

The Bad | Caesars Gambles On Paying Attackers While MGM Battles On

An affiliate of ALPHV/BlackCat ransomware is claiming responsibility for an extortion attempt on MGM Casinos that has caused severe disruption to the company’s outlets, with reports of empty casinos and disconnected slot machines.

Researchers vx-underground broke the story on Monday, sharing on social media that the attackers were claiming they breached the company through social engineering MGM Casino help desk staff.

A further statement from the gang claimed that the disruption was caused by MGM Casinos attempt to find and root out the intruders rather than by the detonation of ransomware, but that claim remains unverified at the time of writing.

The gang said that they did launch ransomware attacks against 100 ESXi hypervisors after the company refused to negotiate with them, and that they are threatening to leak stolen data if the company remains unmoved.

Meanwhile, in a separate incident, casino operator Caesars Entertainment has said that intruders stole a database containing personally identifying information of its customers including driving license details and social security numbers. The admission came in a required SEC filing in which Caesars also stated that they had “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result”.

It is rumored that these “steps” involved paying half of a $30 million ransom initially demanded, an expensive gamble – if true – that MGM rightly seems unwilling to copy.

The Ugly | Threat Actors Exploit Bug in Google’s WebP Library

Vendors Apple, Google, Microsoft, Mozilla and more have been scrambling to patch a critical severity bug in WebP this week that is known to be being actively exploited in the wild.

WebP is used in Chrome, Firefox, Edge, Brave and the Tor Browser. It is also found in many Electron apps like Signal, Telegram, and 1Password. Many Android applications and cross-platform software built with Flutter also use WebP.

The vulnerability is described as a heap buffer overflow which could allow an attacker to perform a memory write outside of its allocated buffer and gain arbitrary code execution.

Github commit CVE-2023-4863
Github commit in libwebp related to CVE-2023-4863

Tagged as CVE-2023-4863, the bug in the widely used image encoding and compression library was apparently first reported by Citizen Lab to Apple. Regular readers will recall that last week Citizen Lab also identified an Apple zero-click zero day being used to deliver Pegasus malware. It is not clear at this time whether the two reports are linked.

Initial reporting of the vulnerability suggested it was restricted to web browsers, but it quickly became apparent that any software using the libwebp library is affected. libwebp is open source software developed by Google and has been widely adopted in both applications and other third-party libraries.

Details about the bug and exploit are sparse at the time of writing. Google says it is deliberately restricting disclosure until the majority of affected software has been patched. Vendors mentioned in this report have all issued patches this week, but given how widespread the library is, there are likely many others still to come.