The big media this week will be talking about the new accusations of Chinese cyberattacks on U.S. medical institutions doing research on COVID-19 vaccines, but we have a menu of security stories for more refined palates: The huge danger from unsupported open source software, the most targeted apps of the last 5 years, and how those ingenious bad guys are going after air-gapped networks.
How “Open” Is Open Source? “2020 Open Source Security and Risk Analysis Report,” Synopsys, April 2020
“Open” has many meanings; if by “open” you mean open to hacking, you can truly argue that open source is open. Synopsys, whose business includes examining software integrity, has just come out with its 5th edition of this report. It reminds us that a considerable amount of open source software is held together with chewing gum and baling wire.
Of the more than 1,250 commercial codebases they studied, 99% of them contained open source components, and 75% of the codebases contained vulnerabilities. 49% were high-risk vulnerabilities. 91% of the codebases had components that were more than four years out of date or had no development activity in the last two years. It’s great when open source software has a big active support community. It’s not so great when it doesn’t.
Foreign Bad Cyber Actors’ Greatest Hits: “Top 10 Routinely Exploited Vulnerabilities,” CISA Alert (AA20-133A), May 12, 2020
The CISA, the FBI and other Feds would like you to keep up on your patches. They say to pay particular attention to the software they have found to be the most appealing targets for foreign security threats. Who are the targets? Drum roll, please: Microsoft Office, Apache Struts, SharePoint, Adobe Flash Player, .NET Framework, Word, Drupal. Some of these made the Top 10 list more than once.
These “winners” were for the years 2016 to 2019. So far in 2020, the leaders are Pulse Secure devices and Citrix devices such as Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP.
Lots of important details can be found in the Alert.
Just When You Thought It Was Safe to Leave the Network: “Ramsay: A cyber-espionage toolkit tailored for air-gapped networks,” Ignacio Sanmillan, WeLiveSecurity, ESET, May 13, 2020
Researchers at ESET have discovered a cyber espionage framework designed to collect and exfiltrate sensitive documents from air-gapped systems. Air-gapping means separating a network from the internet or any other online systems. The most famous attack on an air-gapped system is probably the Stuxnet virus used to damage Iran’s nuclear program.
Few victims have been discovered so far. ESET got wind of this because of a VirusTotal sample. VirusTotal is a community of anti-virus folks who review suspect files. ESET hypothesizes that the framework is in development. It shows three successive versions, two using Word documents and one a decoy 7zip installer as the carriers.
LOTS of interesting detail is available in the report about how enterprising hackers are still minding the gap.