A malicious Telegram bot is the key to a veritable flourishing garden of nefarious cybercriminal activity, which was discovered via a series of Python packages.

Source: Picturebank via Alamy Stock Photo

A sprawling criminal network has emerged in Iraq, linked to a Telegram bot that dates back to 2022 and contains more than 90,000 messages, mostly in Arabic.

According to researchers at Checkmarx, the bot is the key to a larger, sophisticated cybercriminal ecosystem, including a thriving underground marketplace offering social media manipulation services and financial theft tools, and a suite of malicious PyPI packages that exfiltrate user data.

**Malicious PyPI Packages for Data Theft**

A series of malicious, Arabic-language Python packages recently surfaced on the Python code repository PyPI according to Checkmarx, uploaded by a user named "dsfsdfds." Upon further examination, the researchers found them to contain a malicious script that was pilfering sensitive user data out to a Telegram bot chat.

"The malicious script … begins by scanning the user's file system, focusing on two specific locations: the root folder and the DCIM folder," according to the report, released today. "During this scanning process, the script searches for files with extensions such as .py, .php, and .zip files, as well as photos with .png, .jpg, and .jpeg extensions."

The packages also contained a hardcoded Telegram ID and token, which Checkmarx researchers used to gain direct access to the attacker's Telegram bot, where they discovered "a significant history of activity, with records dating back to at least 2022, long before the malicious packages were released on PyPI."

Ultimately, the 90,000 messages pointed to an origin in Iraq, with ties with many other bots to boot. In all, it's clear that Iraq is home to a heretofore unknown, thriving cybercriminal enterprise with a raft of illicit services on offer.

"The discovery of the malicious Python packages on PyPI and the subsequent investigation into the Telegram bot have shed light on a sophisticated and widespread cybercriminal operation," the report concluded. "What initially appeared to be an isolated incident of malicious packages turned out to be just the tip of the iceberg, revealing a well-established criminal ecosystem based in Iraq."

The discovery underscores the role that open source software continues to play when it comes to providing an attack vector for compromising enterprise information, the researchers noted, adding that they plan to release further details on the Iraq underground discovery in the coming months.

"As the fight against malicious actors in the open-source ecosystem persists, collaboration and information sharing among the security community will be critical in identifying and thwarting these attacks," they said. "Through collective effort and proactive measures, we can work towards a safer and more secure open-source ecosystem for all."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Well-Established Cybercriminal Ecosystem Blooming in Iraq

The breach affects older customer information involved in purchases made from June 6, 2017, up until July 30, 2018.

Source: Robert K. Chin - Storefronts via Alamy Stock Photo

This morning Rite Aid, an American drugstore chain, revealed news of falling victim in a data breach last month in what it called a "limited cybersecurity incident."

On June 6, a third-party threat actor impersonated a company employee and gained access to certain company systems. This unauthorized access was detected soon after, and the company launched an investigation to determine the scope of the breach and whether any data was compromised.

Though the company has determined that no Social Security numbers, financial information, or patient information was affected in the breach, the threat actors did acquire data connected to purchases of retail products, including names, addresses, dates of birth, and driver's licenses or government IDs.

The company has not released an official statement revealing who the threat actors are, but RansomHub gang has claimed that it breached the company's systems.

"While having access to the Rite-Aid network, we obtained over 10GB of customer information equating to around 45 million lines of people's personal information," the ransomware group said on its Dark Web leak site. "This information includes name, address, dl\_id number, DoB, Rite Aid rewards number."

Rite Aid reportedly stopped negotiating a ransom, prompting the ransomware group to share snippets of what it claims is stolen data as proof and add a two-week deadline before more information will be leaked.

**About the Author(s)**

Rite Aid Becomes RansomHub's Latest Victim After Data Breach

Good risk management is necessary to protect customers, ensure operational continuity, safeguard intellectual property, and maintain fiscal responsibility.

Source: Ron Buskirk via Alamy Stock Photo

COMMENTARY

Manufacturers have been feeling urgency around cybersecurity for several years — and it's little wonder given their sector remains the No. 1 ransomware target. Ransomware attacks threaten to affect manufacturers by interrupting operations that ripple through supply chains, leading to significant financial losses through ransom payments, revenue decline, and recovery costs.

Despite the looming threats, there is a notable shortage of cybersecurity professionals who can shield manufacturers from bad actors. But with the proper training and tools, manufacturers can still implement a strong security posture, even if they don't have a security expert on staff. Let's drill down on how can manufacturers can bolster their cybersecurity defenses and, should an attack occur, steps they should take to control the damage.

**Considerations for Securing the Entire Ecosystem**

Small to midsize manufacturing businesses are especially vulnerable to cyber threats due to a lower level of preparedness as compared to enterprises, unprotected data, and willingness to pay ransoms. Strengthening cybersecurity is crucial for product safety, quality assurance, and operational efficiency. For instance, implementing stringent controls on industrial control systems (ICS), operational technology (OT), and enterprise resource planning (ERP) systems can reduce vulnerabilities.

With a comprehensive risk management strategy, manufacturers can protect end customers, ensure operational continuity, safeguard intellectual property, and maintain fiscal responsibility. However, even with robust preventive measures, the possibility of a cyberattack remains. Therefore, manufacturers need to be prepared to identify risks.

**Warning Signs of Ransomware**

Timing is critical when assessing cyber threats in manufacturing, and early detection is the most effective way to prevent ransomware. The longer a breach goes undetected, the more damage attackers can inflict on production lines, supply chains, and intellectual property. Fortunately, even lean manufacturing IT teams can implement robust defense measures without the need for a dedicated cybersecurity expert.

In manufacturing, common warning signs include unusual activity on the network segments that control machinery, production lines, or ERP systems. Another common indicator is unusual network traffic, which can mean that someone has external data access or is conducting other malicious activities within the system. Manufacturers might notice unexpected data transfers from supervisory control and data acquisition (SCADA) systems or other critical OT components.

Consider a scenario where a manufacturer notices an unusual spike in network traffic late at night when production lines are typically idle. This anomaly could indicate an unauthorized party is attempting to transfer data or conduct other malicious activities. Other red flags include unauthorized administrative activities, such as installing programs without official approval or user sign-ins from unusual locations or unfamiliar devices.

Recognizing these warning signs is crucial for early detection and prompt response, preventing minor breaches from turning into major incidents. However, if a ransomware attack occurs, act quickly and efficiently to mitigate damage and begin recovery.

**What to Do in the Event of an Attack**

If hackers strike, manufacturers should take these critical steps to prevent significant damage and begin the recovery process:

1.  Isolate impacted systems: Immediately identify and isolate compromised systems — including production machinery, assembly lines, SCADA systems, or ERP software — from the network. If isolation is not possible, shut them down to prevent further spread.
    
2.  Create an incident document: Maintain and update a document to log discoveries and affected systems — e.g., computer numerical control (CNC) machines, robotic systems, or programmable logic controllers (PLCs) — and coordinate response efforts across the team.
    
3.  Examine detection systems: Review existing detection systems — such as antivirus, endpoint detection and response (EDR), security, information, and event management (SIEM), and intrusion prevention (IPS) systems — for signs of compromise, such as newly created accounts, or indications of persistence mechanisms. This process should include checking logs from ICS and OT monitoring tools.
    
4.  Report the incident: Contact agencies, such as the US Cybersecurity and Infrastructure Security Agency (CISA), your security vendors, the FBI, or the US Secret Service for assistance and to report the attack. Additionally, inform industry-specific bodies or associations that may provide support.
    
5.  Coordinate communication: Work with communications staff to ensure accurate information is shared internally and externally, according to the company's corporate communications guidelines. Use nonstandard communication methods (e.g., phone calls and encrypted messaging apps) to avoid alerting attackers. Notify key stakeholders, including suppliers and customers, about potential impacts on production schedules.
    
6.  Rebuild and restore systems: Prioritize and rebuild critical systems, focusing on restoring manufacturing operations, such as manufacturing execution systems (MES), human-machine interfaces (HMI), and other essential production control systems. Issue password resets for affected accounts and restore data from offline encrypted backups to ensure the integrity and availability of production data.
    
7.  Document lessons learned: After the incident is under control, document your insights and update organizational policies, plans, and procedures accordingly. Conduct a post-incident review to identify gaps in the response and improve resilience against future attacks. Include lessons learned about specific manufacturing processes and impacted technologies.
    

Manufacturing organizations and professionals know the urgency required to address cybersecurity threats. By recognizing early warning signs, responding swiftly to incidents, and strengthening their cybersecurity posture, manufacturers can protect themselves against the growing wave of attacks, allowing the industry to build resilience and ensure the continuity of critical manufacturing processes.

**About the Author(s)**

CTO and Co-Founder, Blumira

Matt is CTO and Co-Founder of Blumira, a leading cybersecurity provider of automated threat detection and response technology. At Blumira, he leads the security and engineering efforts to provide actionable insights into cybersecurity risks at scale. Matt has over 10 years of experience in IT, Information Security, and Software Engineering, focusing on business strategy, architecture, compliance, threat detection and penetration testing. Previously, he was Director of Security Services, Development & Security at NetWorks Group, responsible for defensive information security and services.

How Manufacturers Can Secure Themselves Against Cyber Threats

Careful planning and proactive measures can ensure smooth and secure transitions, paving the way for a successful merger or acquisition.

Source: Mohd Izzuan Roslan via Alamy Stock Photo

COMMENTARY

Mergers and acquisitions (M&As) are exciting ventures, but they come with their share of challenges, especially in the realm of cybersecurity. Integrating systems, data, and cultures from two distinct organizations can introduce various cybersecurity risks that can impact both the transaction and the future operations of the newly combined entity.

**7 M&A Cybersecurity Risks and Tips for Dealing With Them**

Here are the top seven cybersecurity risks commonly associated with M&As, and suggestions on how to mitigate each.

1.  Data breaches: The integration phase in an M&A significantly increases the risk of data breaches. As systems and data from two different organizations are merged, vulnerabilities can be exploited, leading to unauthorized access. To combat this challenge, organizations should adopt a phased integration approach and maintain continuous security monitoring. It's also critical to have a solid incident response plan ready to quickly address any potential breaches.
    
2.  Limited due diligence: Skipping a thorough assessment of the cybersecurity posture of the acquisition target can lead to inheriting unresolved security issues or even ongoing breaches. As such, organizations should perform detailed cybersecurity audits and assessments during the due diligence process. This approach helps uncover and fix any existing vulnerabilities or breaches before they become a problem.
    
3.  Integration challenges: Combining IT systems can be complex and may create security gaps. In particular, differences in security architectures, policies, and practices between the two organizations can lead to vulnerabilities. By developing a detailed integration plan that includes security protocols and standards, organizations can ensure a smooth and secure merging of IT systems, addressing potential security gaps proactively, instead of reactively.
    
4.  Compliance issues: Each company involved in the merger may be subject to different regulatory requirements for data protection and privacy. And, what's more, ensuring the merged entity meets all legal standards can be challenging. Organizations should conduct a comprehensive compliance review to identify all regulatory requirements. They should also create a compliance roadmap to ensure the merged entity meets all necessary legal and regulatory standards.
    
5.  Insider threats: The M&A process can create uncertainty and discontent among employees, increasing the risk of insider threats, such as intentional data leaks or sabotage. Because of this, organizations should implement robust insider threat monitoring and establish clear communication channels to address employee concerns. Reducing uncertainty can help mitigate the risk of insider threats.
    
6.  Legacy systems: Supporting outdated or unsupported technology within the merged entity can pose significant security risks, as these systems are often more vulnerable to cyberattacks. To solve this problem, organizations should prioritize the assessment and modernization of legacy systems. Ensuring these systems are properly secured until they can be replaced or updated will significantly reduce vulnerabilities.
    
7.  Resource allocation: Resources may be spread thin during an M&A, leading to neglected cybersecurity practices or delayed incident responses. Involvement of multiple third parties, such as consultants and advisers, can also increase the risk of data exposure. Organizations can get ahead of this issue by allocating dedicated resources for cybersecurity during the M&A process. They also need to ensure that third-party partners adhere to strict security standards and practices to maintain data security.
    

Navigating the cybersecurity risks in mergers and acquisitions can be daunting, but with careful planning and proactive measures, it's possible to ensure a smooth and secure transition. By following the suggestions above, organizations can mitigate risks and pave the way for a successful merger or acquisition.

**About the Author(s)**

Chief Innovation Officer, Axiad

Bassam Al-Khalidi is the chief innovation officer at Axiad. He is an industry expert with more than 20 years of experience designing and deploying identity and access management solutions across large government, enterprise, and healthcare organizations. He is a leading expert in authentication, CAC/PIV smart card, and PKI deployment, and has been involved in multiple enterprise-class authentication deployments over the past several years.

7 Tips for Navigating Cybersecurity Risks in M&amp;As

PRESS RELEASE

Lineaje, a leader in continuous software supply chain security management, today announced that Lineaje SBOM360 has been selected by the Department of the U.S. Air Force’s (DAF) for a Small Business Technology Transfer (STTR) Phase 1 contract. As the industry’s first software supply chain and software bill of materials (SBOM) manager, SBOM360 will automate the detection and remediation of today’s most pressing software supply chain challenges within the U.S Air Force.

In the past year alone, more than 75% of software supply chains were exposed to cyberattacks —and 40% of organizations took a month or longer to recover. Due to the sensitivity of the data in applications built and bought by the U.S. Air Force and other federal entities, these organizations are often a top target for today’s adversaries.

SBOM360 supports the full life-cycle management of software that is sourced, built, sold, or bought by the U.S. Air Force. With our solution, the U.S. Air Force can ensure all software supply chain risks and threats are identified and remediated and meet organizations’ security policies and compliance mandates, such as Executive Order 14028, automatically. In addition, the U.S. Air Force will be able to search its software in seconds to find any newly discovered vulnerabilities and indicators of compromise (IOCs) within the most deeply embedded components, dramatically reducing discovery time. Lineaje generates a full lineage of software and discovers inherent and tampers risks by scanning source code, containers, mobile APKs, POM files, and even SBOMs. Lineaje can also generate SBOMs as well if you don’t already have one.

“Being selected for the STTR Phase 1 contract program is a testament to Lineaje’s commitment to revolutionizing the software supply chain security space,” said Javed Hasan, CEO and Co-founder, Lineaje. “SBOM360’s innovative and comprehensive approach will empower the U.S. Space Force and Department of the Air Force to fortify their defenses against cyberthreats. We are extremely proud to play a pivotal role in safeguarding the nation’s critical software infrastructure.”

The STTR Contract Program

The DAF began offering the competitive, awards-based Open Topic Small Business Innovation Research (SBIR)/STTR program in 2018 to expand the range of innovations the DAF funded. The programs are designed to encourage domestic small businesses to engage in federal research and development.

Recently, the Air Force Research Laboratory and SpaceWERX, the innovation arm of the U.S. Space Force, partnered to streamline the SBIR and STTR process by accelerating the small business experience through a faster proposal to award timelines, changing the pool of potential applicants by expanding opportunities to small businesses, and eliminating bureaucratic overhead by continually implementing process improvement changes in contract execution. By completing Phase I of the program, Lineaje has established the scientific, technical, and commercial merit and feasibility of SBOM360’s innovation.

To learn more about SBOM360, please visit www.lineaje.com/sbom360.

You May Also Like

Lineaje Awarded Contract by the Department of the US Air Force

PRESS RELEASE

BROWNWOOD, Texas, June 26, 2024 /PRNewswire/ -- Landmark Admin, LLC ("Landmark"), is providing notice of a recent data security incident. Landmark is a third-party administrator for life insurance carriers and may have received certain personal information from producers, insureds, policy owners or policy beneficiaries for insurance policies which Landmark administered.

What Happened?

On or about May 13, 2024, Landmark detected suspicious activity on its system and later learned that an unauthorized third party accessed its network. Upon discovery of this incident, Landmark immediately disconnected indicated systems and remote access to the network and promptly engaged a specialized third-party cybersecurity firm and IT personnel to assist with securing the environment, as well as to conduct a comprehensive forensic investigation to determine the nature and scope of the incident. While the forensic investigation remains ongoing, Landmark found evidence to suggest some of its files may have been compromised by an unauthorized third-party.

Based on these findings, Landmark began reviewing the affected systems to identify the specific individuals and the types of information that may have been compromised.

What Information Was Impacted? 

The following information may have been subject to unauthorized access: first name/initial and last name; address; Social Security number; tax identification number; driver's license number/state-issued identification card; passport number; financial account number; medical information; date of birth; health insurance policy number; and life and annuity policy information.

The information varies by individual. Affected individuals will be notified by mail of information that was impacted.

What Remediation Measures Were Taken?

Landmark takes the privacy and security of personal information seriously. Since the discovery, Landmark moved quickly to investigate and secure its systems. Landmark has taken steps to further enhance its network security, and took steps, and will continue to take steps, to mitigate the risk of future harm.

What Steps Can Individuals Take?

Landmark encourages everyone to remain vigilant against incidents of identity theft by reviewing their account statements and monitoring their credit reports for any suspicious activity. Individuals can obtain free copies of their credit reports by going to the following website: www.annualcreditreport.com or by calling them toll-free at 1-877-322-8228. (Hearing impaired consumers can access their TDD service at 1-877-730-4204.)

You can also obtain more information from the Federal Trade Commission (FTC) about identity theft and ways to protect yourself. The FTC has an identity theft hotline: 877-438-4338; TTY: 1-866-653-4261. They also provide information on-line at www.ftc.gov/idtheft.

Other Important Information: 

If you have questions about the Incident not addressed in this notice please call the help line at 1-844-428-5109 and representatives are available for 90 days from the date of this letter to assist you between the hours of 8:00 a.m. to 8:00 p.m. Eastern time, Monday through Friday excluding U.S. holidays.

Landmark sincerely regrets any concern or inconvenience this matter may cause and remains dedicated to ensuring the privacy and security of all information in our control.

Landmark Admin, LLC Provides Notice of Data Privacy Incident

PRESS RELEASE

MOUNT KISCO, N.Y., June 26, 2024 /PRNewswire/ -- The Mount Kisco Surgery Center LLC d/b/a The Ambulatory Surgery Center of Westchester ("ASCW"), has learned of a data security incident that may have impacted data belonging to certain current and former employees and patients.

On November 3, 2023, ASCW discovered unusual activity in one employee's email account. Upon discovering this activity, it immediately took steps to secure the account. ASCW also engaged a digital forensics and incident response firm to conduct an investigation to determine why any data within the mailbox may have been affected. The investigation determined that certain files stored within the email accounts were accessed between October 23, 2023, and November 3, 2023.

ASCW then undertook a comprehensive review of the potentially affected data. On May 30, 2024, ASCW identified that certain individuals' personal and/or protected health information was contained in the account. The potentially affected information may include individuals' names, Social Security numbers, driver's license or state identification numbers, dates of birth, medical information, including diagnosis information, treatment information, and prescription information, and health insurance information, including claim information and health insurance ID numbers, and financial account information. On June 26, 2024, ASCW provided written notification of the incident via US mail to impacted individuals.

ASCW has implemented additional measures to enhance network security and minimize the risk of a similar incident occurring in the future.

ASCW has established a toll-free call center to answer questions about the incident and to address related concerns. Call center representatives are available Monday through Friday between 9am – 9pm EST and can be reached at 1-888-715-8252. 

ASCW is located at 34 S. Bedford Rd., Mount Kisco, NY 10549.

SOURCE The Mount Kisco Surgery Center LLC d/b/a The Ambulatory Surgery Center of Westchester

You May Also Like

The Mount Kisco Surgery Center LLC d/b/a The Ambulatory Surgery Center of Westchester - Notice of Data Security Incident

Despite warnings from Health-ISAC and the NCC Group, the remote access software maker says defense-in-depth kept customers' data safe from Midnight Blizzard.

Source: Tuta via Alamy Stock Photo

This week, TeamViewer said that while the Russian group APT29, aka Midnight Blizzard, managed to access its corporate network, the threat actors were limited to the company's internal IT network because of "strong segmentation" between its environments. Thus, no customers were affected.

In public statements on June 27 (reiterated today), the German maker of remote desktop software said, "\[W\]e keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach."

Defense-in-depth is a set of basic techniques, including network segmentation, that the US government consistently urges people to implement. Others include network monitoring, multifactor authentication, and access control lists.

Even so, because of the potential mischief a bad actor with desktop access can wreak, TeamViewer users should up their security game, according to industry groups. The NCC Group, which originally issued a warning under an amber/limited classification but then changed it to green/public, advised its customers that, while awaiting final confirmation of the extent of compromise, they remove TeamViewer from their systems if possible and closely monitor hosts that had the application installed if not.

The Health Information Sharing and Analysis Center (H-ISAC) meanwhile issued similar advice to the healthcare sector, adding that organizations should implement two-factor authentication (2FA) and allowlists/blocklists to control who gets to access systems via TeamViewer.

Stakes are particularly high for remote access application security because of the legitimate access to users' systems such software provides. In January, Huntress reported that two hacking attempts started with TeamViewer instances, and there is a long history of attackers using remote desktop software to implant malware. The apparently limited impact of the latest incident shows the value of defense-in-depth techniques to limit the effect of intrusions.

**About the Author(s)**

TeamViewer Credits Network Segmentation for Rebuffing APT29 Attack

PRESS RELEASE

SAN FRANCISCO, June 26, 2024 /PRNewswire/ -- Ballistic Ventures, the venture capital firm dedicated exclusively to funding and incubating entrepreneurs and innovations in cybersecurity, is pleased to announce that co-founder Kevin Mandia is now General Partner.

Mandia is one of the world's most recognized experts in cybersecurity, known for his relentless efforts to fight cyber threats for more than 30 years. In 2004, he founded renowned cybersecurity firm Mandiant, serving as CEO from 2004 to 2013, when Mandiant Corporation was acquired by FireEye. Mandia took the helm as CEO of FireEye in 2016, guiding the company through a divestiture and corporate name change to Mandiant, Inc. in 2021, and through a successful acquisition by Google in 2022. Mandia recently transitioned to an advisory role within Google Cloud, and he continues to sit on the Google Public Sector board.

In 2023, Mandia was appointed by President Biden to serve as a member of the National Security Telecommunications Advisory Committee (NSTAC). He is also a member of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee. Previously, he held senior positions in the security consulting divisions of Sytex, acquired by Lockheed Martin, and Foundstone, acquired by McAfee. He also served in the United States Air Force as a computer security officer at the Pentagon, and later as a special agent in the Air Force Office of Special Investigations.

"I am very excited to dedicate more of my energy to Ballistic Ventures, and I especially look forward to working with the entrepreneurs who are shaping the future of cybersecurity," said Mandia.

Ballistic Ventures was co-founded in 2021 by Mandia and General Partners Barmak Meftah, Ted Schlein, Jake Seid and Roger Thornton. While CEO of Mandiant (now part of Google Cloud), Mandia jointly served as Co-founder and Strategic Partner at Ballistic, leading the firm's investment in SpecterOps, the Attack Path Management company, where he is an Observer to the company's Board of Directors. Mandia also served as the second investing partner for five of the VC firm's 18 investments to date, and is a Board Observer to portfolio company Alethea, the disinformation detection and mitigation company.

"We're excited to have Kevin as a General Partner at Ballistic," said Schlein. "Kevin's expertise in the cybersecurity industry is unparalleled, and his knowledge of the market and customer set is unmatched."

As General Partner, Mandia will draw from his extensive knowledge of the threat landscape and expertise as a successful founder and CEO to expand his investments within the firm and continue to mentor entrepreneurs and scale companies across the Ballistic portfolio.

Mandia's move to General Partner comes on the heels of Ballistic Ventures announcing the close of its $360 million oversubscribed second fund. The firm is actively looking to deploy the new capital in novel innovations led by passionate cybersecurity entrepreneurs.

About Ballistic Ventures  
Ballistic Ventures is a venture capital firm solely dedicated to early-stage cybersecurity and cyber-related companies. The partners have spent their entire careers defending against every cyber threat conceivable. Members of the firm have founded, operated, and funded over 100 successful cybersecurity firms – including Abnormal Security, AlienVault, ArcSight, Fortify, Mandiant, and Shape Security – led over 10,000 security professionals globally, and have 40+ years of experience in venture capital. The Ballistic portfolio includes Aembit, Alethea, ArmorCode, AuthMind, Codezero, Concentric AI, Mimic, Nudge Security, Oligo, Pangea, Perygee, Reach Security, SpecterOps, Talon (PANW), Veza and WitnessAI. Our experience provides entrepreneurs impactful support from people focused on the same mission. Our networks and relationships open doors for our founders. Learn more at ballisticventures.com.

Cybersecurity Veteran Kevin Mandia Named General Partner of Ballistic Ventures

The company is urging users running vulnerable versions to patch CVE-2024-5655 immediately, to avoid CI/CD malfeasance.

Source: Bill Crump via Alamy Stock Photo

A critical GitLab vulnerability could allow an attacker to run a pipeline as another user.

GitLab is a popular Git repository, second only to GitHub, with millions of active users. This week, it released new versions of its Community (open source) and Enterprise Editions.

The updates include fixes for 14 different security issues, including cross site request forgery (CSRF), cross site scripting (XSS), denial of service (DoS), and more. One of the issues is deemed of low severity according to the Common Vulnerability Scoring System (CVSS), nine are of medium severity, and three are high — but there's also one critical bug with a CVSS score of 9.6 out of 10.

**CVE-2024-5655 Offers Critical Threat to Code Development**

That critical one, CVE-2024-5655, affects GitLab versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, according to the company. It enables an attacker to trigger a pipeline as another user, but only under circumstances which GitLab did not elaborate on (nor did it provide any other information about the vulnerability).

A pipeline automates the process of building, testing, and deploying code in GitLab. Theoretically, an attacker with the ability to run pipelines as other users can access their private repositories, and manipulate, steal, or exfiltrate sensitive code and data contained therein.

Unlike with CVE-2023-7028 — a 10 out of 10 account takeover bug known to have been exploited earlier this Spring — GitLab has thus far found no evidence of CVE-2024-5655 exploits in the wild. Though, that could quickly change.

**A Compliance Issue, Not Just Security**

 Issues rooted deep in the development process like CVE-2024-5655 can sometimes cause headaches beyond the simple risk they pose on paper.

"In a worst-case scenario, this vulnerability doesn't even have to be exploited to cost companies money in lost revenue," says Jamie Boote, associate principal consultant at Synopsys Software Integrity Group. The mere fact that a software or software-driven product was built using a vulnerable version of GitLab could itself be cause for concern.

"Pipeline vulnerabilities like this can not only pose a security risk but a regulatory and compliance risk as well. As US companies are working towards compliance with the Self-Attestation Form requirements that they need to meet to sell software and products to the US Government, not addressing this vulnerability could lead to a compliance gap which could put sales and contracts at risk," he explains. In particular, he points to line item 1c in Section III of the US Department of Commerce's Secure Software Development Attestation Form Instructions, which requires "Enforcing multi-factor authentication and conditional access across the environments relevant to developing and building software in a manner that minimizes security risk."

"Compliance with item 1c is in jeopardy for companies who don't address this vulnerability as an exploit would allow attackers to bypass those conditional access controls that companies are relying on for compliance," he concludes.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading