A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index.js:42)

**flatten-json Prototype Pollution**

Moderate severity GitHub Reviewed Published Jun 17, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-j8px-pjmp-325f: flatten-json Prototype Pollution

apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.

**Object Resolver Prototype Pollution**

Moderate severity GitHub Reviewed Published Jun 17, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-qj86-v6m7-4qv2: Object Resolver Prototype Pollution

alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)

**object-deep-assign Prototype Pollution**

Moderate severity GitHub Reviewed Published Jun 17, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-4xg3-7w7q-856q: object-deep-assign Prototype Pollution

A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.

**Badger Database Prototype Pollution**

Moderate severity GitHub Reviewed Published Jun 17, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-69r2-2fg7-7hf9: Badger Database Prototype Pollution

A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.

**@cdr0/sg Prototype Pollution**

Moderate severity GitHub Reviewed Published Jun 17, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-fg52-5jjj-28h7: @cdr0/sg Prototype Pollution

A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes.
Cybersecurity company Sygnia, which responded to

Cyber Espionage / Vulnerability

A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes.

Cybersecurity company Sygnia, which responded to the intrusion in late 2023, is tracking the activity under the name **Velvet Ant**, characterizing it as possessing robust capabilities to swiftly pivot and adapt their tactics to counter-remediation efforts.

"Velvet Ant is a sophisticated and innovative threat actor," the Israeli company said in a technical report shared with The Hacker News. "They collected sensitive information over a long period of time, focusing on customer and financial information."

The attack chains involve the use of a known backdoor called PlugX (aka Korplug), a modular remote access trojan (RAT) that has been widely put to use by espionage operators with ties to Chinese interests. PlugX is known to rely heavily on a technique called DLL side-loading to infiltrate devices.

Sygnia said it also identified attempts on the part of the threat actor to disable endpoint security software prior to installing PlugX, with open-source tools like Impacket used for lateral movement.

Also identified as part of the incident response and remediation efforts was a reworked variant of PlugX that used an internal file server for C&C, thereby allowing the malicious traffic to blend in with legitimate network activity.

"This meant that the threat actor deployed two versions of PlugX within the network," the company noted. "The first version, configured with an external C&C server, was installed on endpoints with direct internet access, facilitating the exfiltration of sensitive information. The second version did not have a C&C configuration, and was deployed exclusively on legacy servers."

In particular, the second variant was found to have abused out-of-date F5 BIG-IP devices as a covert channel to communicate with the external C&C server by issuing commands over a reverse SSH tunnel, once again highlighting how compromising edge appliances can allow threat actors to gain persistence for extended periods of time.

"There is just one thing that is required for a mass exploitation incident to occur, and that is a vulnerable edge service, meaning a piece of software that is accessible from the internet," WithSecure said in a recent analysis.

"Devices such as these are often intended to make a network more secure, yet time and again vulnerabilities have been discovered in such devices and exploited by attackers, providing a perfect foothold in a target network."

Subsequent forensic analysis of the hacked F5 devices has also uncovered the presence of a tool named PMCD that polls the threat actor's C&C server every 60 minutes to look for commands to execute, as well as additional programs for capturing network packets and SOCKS tunneling utility dubbed EarthWorm that has used by actors like Gelsemium and Lucky Mouse.

The exact initial access vector – whether it's spear-phishing or exploitation of known security flaws in internet-exposed systems – used to breach the target environment is currently not known.

The development follows the emergence of new China-linked clusters tracked as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace which have been observed targeting Asia with the goal of gathering sensitive information.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices

Traditional application security practices are not effective in the modern DevOps world. When security scans are run only at the end of the software delivery lifecycle (either right before or after a service is deployed), the ensuing process of compiling and fixing vulnerabilities creates massive overhead for developers. The overhead that degrades velocity and puts production deadlines at risk.

Traditional application security practices are not effective in the modern DevOps world. When security scans are run only at the end of the software delivery lifecycle (either right before or after a service is deployed), the ensuing process of compiling and fixing vulnerabilities creates massive overhead for developers. The overhead that degrades velocity and puts production deadlines at risk.

Regulatory pressure to ensure the integrity of all software components is also ramping up dramatically. Applications are built with an increasing number of open source software (OSS) components and other 3rd party artifacts, each of which can introduce new vulnerabilities to the application. Attackers seek to exploit these components' vulnerabilities, which also puts the software's consumers at risk.

Software represents the largest under-addressed attack surface that organizations face. Some interesting statistics to digest:

*   More than 80% of software vulnerabilities are introduced through open source software (OSS) and 3rd party components
*   Digital supply chain attacks are becoming more aggressive, sophisticated, and diverse. By 2025, 45% of organizations will have experienced at least one. (Gartner)
*   Total cost of software supply chain cyber attacks to businesses will exceed $80.6 billion globally by 2026, up from $45.8 billion in 2023 (Juniper Research)

The current threat environment, coupled with the drive to deliver applications faster, compels organizations to integrate security throughout the software development lifecycle in ways that don't degrade developer productivity. This practice is formally known as DevSecOps.

Delivering secure software– the outcome of an effective DevSecOps program– is a huge undertaking. It requires significant cultural changes across multiple functions to drive shared responsibility, collaboration, transparency, and effective communication. It also requires the right set of tools, technologies, and use of automation and AI to secure applications at the speed of development. Implemented correctly, DevSecOps becomes a major success factor in delivering secure software.

****So What is DevSecOps?****

DevSecOps, short for development, security, and operations, is an approach to software development that integrates security practices throughout the entire software development lifecycle. It emphasizes collaboration and communication between development teams, security teams, and operations teams to ensure that security is built into every stage of the software development process.

Within the context of software development pipelines, DevSecOps aims to "shift security left", which essentially means as early as possible in the development process. Quite frankly, it involves integrating security practices and tools into the development pipeline from the very beginning. By doing so, security becomes an integral part of the software development process rather than a late-stage add-on.

This approach makes it significantly easier for organizations to identify and resolve security vulnerabilities early on, and meet regulatory obligations. It's also important to note that DevSecOps is built upon a culture of collaboration and shared responsibility. It breaks down silos and encourages cross-functional teams to work together towards a common goal of building more secure applications at high velocity.

****Guiding Principles for Delivering Secure Software****

At a high level, building and running an effective DevSecOps program means that your organization is able to operate a secure delivery platform, test for software vulnerabilities, prioritize and remediate vulnerabilities, prevent the release of insecure code, and ensure the integrity of software and all of its artifacts. Below are detailed descriptions of the elements and required capabilities to achieve a successful DevSecOps practice.

**Establish a Collaborative Culture That Makes Security a Shared Responsibility**

The success of any DevSecOps practice is really in the hands of its stakeholders, so before setting out to acquire, configure and deploy new tools and technologies,

If your organization builds, sells, or consumes software (which today is every conceivable organization on the planet), then every single employee has an impact on the overall security posture– not just those with 'security' in their titles. At its core, DevSecOps is a culture of shared responsibility, and operating with a common security-oriented mindset determines how well DevSecOps processes fit into place and can drive better decision-making when choosing DevOps platforms, tooling, and individual security solutions.

Mindsets don't change overnight, but alignment and a sense of security accountability can be achieved through the following:

*   Commitment to regular internal security training– tailored to DevSecOps– that includes developers, DevOps engineers, and security engineers. Skills gaps and needs shouldn't be underestimated.
*   Developer adoption of secure coding methodologies and resources
*   Security engineering contributes to application and environment architecture, design reviews. It's always easier to identify and fix security issues early in the software development lifecycle.

**Break Down Functional Silos and Collaborate Continuously**

Since DevSecOps is a result of the confluence of software development, IT operations, and security, breaking down silos and actively collaborating on a continuous basis is critical for success. Typically, DevOps-centric organizations operating without any formal DevSecOps framework see security entering the picture like an unwelcome party crasher.

Process changes or tooling that is suddenly imposed (as opposed to collaboratively chosen and instantiated) invariably results in development pipeline friction and unnecessary toil for developers. A common scenario involves security mandating additional application security checks without consideration for their placement within the pipeline, or for how much workload is required to process scanner output and remediate vulnerabilities, which inevitably falls to developers.

*   Driving collaboration and operating as a cohesive DevSecOps team involves:
*   Defining and agreeing upon a set of measurable security objectives, such as mean time to remediation and % reduction in CVE alert noise.
*   Involvement from software developers and DevOps teams throughout the evaluation and procurement processes for new security tools
*   Ensuring no DevSecOps process has a single functional gatekeeper
*   Iteratively optimizing tooling choices and security practices for developer productivity and velocity

**Shift Security Left**

Implementing shift-left security is a crucial step in securing application code as it moves through development pipelines. This approach involves integrating security practices early in the software development lifecycle, starting from the initial stages of coding and extending throughout the entire development and deployment process. By shifting security testing further left, organizations can identify and address vulnerabilities at an early stage, reducing the risk of security breaches and ensuring the delivery of secure applications.

Shifting security left successfully starts with the integration and orchestration of different types of security scanners throughout development pipelines. There are several categories of application security tests that DevSecOps teams need to adopt and employ in order to catch and remediate vulnerabilities throughout the software development lifecycle. The techniques employed by each type of security scanner are complimentary. Combined, they are very effective in surfacing known security issues before an application hits production.

****How to Get Started****

If you'd like to learn the fundamentals of secure software delivery, who should be involved, and ultimately how to achieve a highly-effective DevSecOps practice, you should download the _Definitive Guide to Secure Software Delivery_. We'll provide an overview of what's required from a tools, technologies, and process perspective to deliver software that is more secure, faster.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

What is DevSecOps and Why is it Essential for Secure Software Delivery?

A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.

EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.

Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.

EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operations and moved some of its Ukrainian workers to locations outside of that country.

The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker who spoke with WIRED didn’t identify all of the victims breached through EPAM but did indicate that Ticketmaster was one of them. Ticketmaster did not respond to a request for comment from WIRED. But Ticketmaster’s parent company, Live Nation, has acknowledged that data was stolen from its Snowflake account in May without revealing how much data was stolen or how the hackers accessed the Snowflake account. In a post offering the data for sale, however, the hackers indicated that they had taken data on 560 million Ticketmaster consumers.

The hacker claims that in some cases they were able to directly access the Snowflake account of EPAM customers using the plaintext usernames and passwords they found on the EPAM worker’s computer. But in cases where Snowflake credentials weren’t stored on the worker’s system, the hacker claims they sifted through stockpiles of old credentials stolen in previous breaches by hackers using infostealer malware and found additional usernames and passwords for Snowflake accounts, including ones harvested from the machine of the same EPAM worker in Ukraine.

Credentials harvested by infostealers are often posted online or made available for sale on hacker forums. If victims don’t change their login credentials after a breach, or don’t know their data has been stolen, those credentials can remain active and available for years. It’s especially problematic if those credentials are used across multiple accounts; hackers can identify the user through the email address they use as a login credential, and if that person reuses the same password, hackers can simply try those credentials in multiple places.

The hackers in this case say they were able to use credentials stolen by an infostealer in 2020 to access Snowflake accounts.

WIRED wasn’t able to independently confirm that the hackers were inside the EPAM worker’s machine or used EPAM to gain access to Ticketmaster’s data and other Snowflake accounts, but the hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

Furthermore, in the blog post written by Mandiant, which was published after the hacker told WIRED about his group’s use of data harvested by infostealers, the security firm revealed that the hackers who breached Snowflake accounts used old data siphoned by infostealers to access some of the accounts. Mandiant said that about 80 percent of the victims it identified in the Snowflake campaign were compromised using credentials that had previously been stolen and exposed by infostealers.

And an independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunter hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer that includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account, as well as a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account.

“This means that \[an EPAM worker\] who had access to that Snowflake \[account\] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says the researcher, who asked to be identified only as Reddington, an identity they use online to communicate with cybercriminals. “This means that anyone that knew the correct URL to \[Ticketmaster’s\] Snowflake could have simply looked up the password, logged in, and stolen the data.”

An EPAM spokesperson did not seem to be aware when contacted by WIRED early this week that its company allegedly played a role in breaches of Snowflake accounts. “We do not comment on situations to which we are not a part,” she wrote in an email, suggesting the company did not believe it played any role in the campaign. When WIRED provided the spokeswoman with details about how the hackers say they obtained access to the system of an EPAM worker in Ukraine, she replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”

WIRED followed up by providing the name of the Ukrainian worker whose machine the hackers allegedly compromised, as well as the username and password the worker used for accessing Ticketmaster’s Snowflake account, but the spokesperson did not respond to any additional questions.

It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to \[make the\] default MFA,” he says.

_Update 6/17/2024, 5:45 pm EDT: The article was updated to clarify the details that Santander has publicly revealed about the hack._

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake

A list of topics we covered in the week of June 10 to June 16 of 2024

June 14, 2024 - On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant...

June 13, 2024 - Google revealed that a firmware vulnerability in its Pixel devices has been under limited active exploitation

June 12, 2024 - Adobe announced changes to its ToS which sparked backlash among users, so it posted an explainer to take away the major concerns

June 11, 2024 - Canada's and UK privacy authorities are going to investigate the data breach at 23andMe to assess what the company could have done better.

June 11, 2024 - Digital sharing is the norm in romantic relationships. But some access could leave partners vulnerable to inconvenience, spying, and abuse.

 A week in security (June 10 &#8211; June 16) 

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates.
"The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed **BadSpace** under the guise of fake browser updates.

"The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German cybersecurity company G DATA said in a report.

Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month.

It all starts with a compromised website, including those built on WordPress, to inject code that incorporates logic to determine if a user has visited the site before.

Should it be the user's first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request.

The response from the server subsequently overlays the contents of the web page with a phony Google Chrome update pop-up window to either directly drop the malware or a JavaScript downloader that, in turn, downloads and executes BadSpace.

An analysis of the C2 servers used in the campaign has uncovered connections to a known malware called SocGholish (aka FakeUpdates), a JavaScript-based downloader malware that's propagated via the same mechanism.

BadSpace, in addition to employing anti-sandbox checks and setting up persistence using scheduled tasks, is capable of harvesting system information and processing commands that allow it to take screenshots, execute instructions using cmd.exe, read and write files, and delete the scheduled task.

The disclosure comes as both eSentire and Sucuri have warned different campaigns leveraging bogus browser update lures in compromised sites to distribute information stealers and remote access trojans.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git