MITRE targeted by nation-state threat actors

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: MITRE has disclosed that a Chinese state-backed hacking group breached its systems earlier this year by exploiting Ivanti VPN zero-day flaws. Also: The Apache Cordova App Harness project was targeted in a dependency confusion attack.

This Week’s Top Story

MITRE targeted by nation-state threat actors

The MITRE Corporation detected malicious activity at the beginning of April and, on April 19, disclosed a major breach of its Networked Experimentation, Research, and Virtualization Environment (NERVE), a network that is critical to its research and development operations.

The breach, which occurred in January, involved a nation-state threat actor exploiting Ivanti Connect Secure VPN vulnerabilities. MITRE's CEO emphasized the importance of timely disclosure and commitment to enhancing cybersecurity practices, and stressed that no organization – regardless of cybersecurity measures – is immune to such attacks.

The intrusion has been attributed to a Chinese nation-state group tracked as UTA0178, which chained two zero-day vulnerabilities in Ivanti Connect Secure for initial access, then deployed backdoors and web shells to maintain control, harvest credentials, and steal data. From the VPN appliance the actor moved laterally into MITRE's VMware infrastructure, where the persistence mechanisms were planted.

Upon detecting the breach in early April, MITRE took the NERVE environment offline and launched an investigation with in-house and third-party experts. The company says it followed the vendor's guidance to upgrade and harden its Ivanti system after the January advisories, but those steps did not stop the exploitation, and its monitoring did not catch the lateral movement into the VMware environment. MITRE's CTO put it plainly: they closed the "front door" after the advisories, but the "back door was already open."

MITRE's CEO warned that no organization is immune from attacks of this sophistication, since nation-state threat actors operate with a "license to hack" and keep developing capabilities to disrupt operations, steal data, and threaten essential services. The lesson is that an unpatched edge device can be the whole story for any organization, cybersecurity enterprises included. (CSO)

This Week’s Headlines

Apache Cordova App Harness targeted in dependency confusion attack

Researchers have identified a dependency confusion vulnerability in the archived Apache Cordova App Harness project. Dependency confusion occurs when a build references an internal package by bare name: if no package of that name exists on the public registry, or a higher version is published there, the package manager resolves the name from the public registry and installs whatever it finds. In this case, the Cordova App Harness project referenced an internal dependency named cordova-harness-client without a relative file path, so anyone could have published a package of the same name to the public npm registry with a higher version number and npm would have retrieved the fraudulent package instead of the intended one. The consequences could have been serious, because the malicious package would then be installed by every downstream consumer of the project. (The Hacker News)
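The check a release engineer would run over a manifest to catch this class of mistake, as an added example (not code from the Cordova project or from the article): it flags any dependency that is supposed to come from an internal source but is declared with a bare version range or dist-tag, which npm resolves from the public registry. The internal package names, the @acme scope and the registry URL are assumptions for the sample; the scope-pinning helper generalizes beyond the article to the standard mitigation for scoped internal packages.

```javascript
// Added example, not code from the Cordova project or the original article.
// Flags manifest entries that a dependency-confusion attacker could hijack:
// a package that should come from an internal source but whose specifier is
// a bare version range or dist-tag, so npm resolves it from the public
// registry, where a higher version published by anyone wins.

// Specifier prefixes that bypass registry resolution entirely.
const NON_REGISTRY_PREFIXES = [
  'file:', 'link:', 'workspace:', 'git+', 'git:', 'github:', 'http:', 'https:',
];

function resolvesFromRegistry(spec) {
  return !NON_REGISTRY_PREFIXES.some((prefix) => spec.startsWith(prefix));
}

// pkg: a parsed package.json; internalNames: names the organisation publishes
// only to an internal registry or vendors from a local path (assumed input,
// e.g. exported from the internal registry's package list).
function findConfusableDeps(pkg, internalNames) {
  const internal = new Set(internalNames);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (internal.has(name) && resolvesFromRegistry(spec)) {
        findings.push({ field, name, spec });
      }
    }
  }
  return findings;
}

// Mitigation for scoped internal packages: pin the scope to the internal
// registry in .npmrc so a public package under the same scope is never used.
// Unscoped internal names (like cordova-harness-client) cannot be pinned this
// way and should be vendored with a file: path or renamed under a scope.
function npmrcScopePin(scope, registryUrl) {
  if (!scope.startsWith('@')) throw new Error('scope must start with @');
  return `${scope}:registry=${registryUrl}`;
}

// Constructed sample manifest modelled on the case in the article.
const SAMPLE_PACKAGE_JSON = {
  name: 'app-harness-sample',
  dependencies: {
    express: '^4.18.2',                      // public package: fine
    'cordova-harness-client': '^1.0.0',      // internal name, bare range: hijackable
    '@acme/telemetry': 'file:../telemetry',  // internal, pinned to a path: safe
  },
  devDependencies: {
    'acme-build-tools': 'latest',            // internal name, dist-tag: hijackable
  },
};
// Assumed list of internal package names for the sample.
const INTERNAL_NAMES = ['cordova-harness-client', '@acme/telemetry', 'acme-build-tools'];

// Stand-alone run: print the findings and the .npmrc line for the assumed scope.
console.log(findConfusableDeps(SAMPLE_PACKAGE_JSON, INTERNAL_NAMES));
console.log(npmrcScopePin('@acme', 'https://npm.example.internal/'));
```

Run it in CI against every package.json in the repository and fail the build on a non-empty result; a lockfile does not protect you here, because the first install that produced the lockfile is the one that was confused.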

AWS and Google Cloud command-line tools can expose secrets in CI/CD logs

Security researchers warn that certain AWS and Google Cloud command-line interface (CLI) commands print the contents of configured environment variables, credentials included, to standard output. When those commands run inside a CI/CD workflow, that output lands in the build logs, where anyone with log access (and, for public projects, anyone at all) can read it. Both AWS and Google Cloud consider this expected behavior, so it falls to users either to keep secrets out of environment variables, for example by reading them from a secrets manager at runtime, or to make sure the output of such commands is redacted or never written to logs. Leaked secrets are a direct route into the software supply chain, so developers should treat CI logs, especially on public platforms, as untrusted. (CSO)
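Since neither vendor treats this as a bug, the fix has to live in the pipeline. The following added example (not AWS or Google code, and not from the article) is a filter a build step can pipe CLI JSON output through before it is echoed: it redacts any field whose key looks like a secret and every value inside an environment-variable map, because a variable name alone is not a reliable signal of what it holds. The output shape and the key names in ENV_MAP_KEYS are assumptions modelled loosely on a serverless function configuration; the sample values are constructed.

```javascript
// Added example, not code from AWS, Google, or the original article.
// Scrubs secret-bearing fields from a CLI's JSON output before it is echoed
// into a CI/CD log.

// Key names that usually hold credentials wherever they appear.
const SECRET_KEY_PATTERN = /(secret|token|password|passwd|api[_-]?key|private[_-]?key|credential)/i;

// Keys whose children are environment-variable maps (assumed names; extend
// this for the CLI you actually use). Every value under them is redacted.
const ENV_MAP_KEYS = new Set(['Variables', 'environmentVariables', 'env', 'envVars']);

const REDACTED = '[REDACTED]';

// Returns a redacted copy of `value` plus the number of fields redacted.
function redactSecrets(value) {
  let count = 0;
  const walk = (node, insideEnvMap) => {
    if (Array.isArray(node)) {
      return node.map((item) => {
        if (item !== null && typeof item === 'object') return walk(item, insideEnvMap);
        if (insideEnvMap) { count += 1; return REDACTED; }
        return item;
      });
    }
    if (node !== null && typeof node === 'object') {
      const out = {};
      for (const [key, child] of Object.entries(node)) {
        if (child !== null && typeof child === 'object') {
          out[key] = walk(child, insideEnvMap || ENV_MAP_KEYS.has(key));
        } else if (insideEnvMap || SECRET_KEY_PATTERN.test(key)) {
          out[key] = REDACTED;
          count += 1;
        } else {
          out[key] = child;
        }
      }
      return out;
    }
    return node; // primitive outside any env map: keep as-is
  };
  return { safe: walk(value, false), count };
}

// Parse CLI output text, redact it, and re-serialise it for the log.
// Throws on non-JSON input so a pipeline step fails loudly instead of
// passing unscrubbed text through.
function scrubCliOutput(text) {
  const { safe, count } = redactSecrets(JSON.parse(text));
  return { text: JSON.stringify(safe, null, 2), count };
}

// Constructed sample output, loosely modelled on a serverless function
// configuration; the values are made up.
const SAMPLE_CLI_OUTPUT = JSON.stringify({
  FunctionName: 'orders-api',
  Runtime: 'nodejs20.x',
  Environment: {
    Variables: {
      DB_PASSWORD: 'hunter2',
      PAYMENTS_API_KEY: 'sk_test_51Hxyz',
      REGION: 'us-east-1',
    },
  },
  Layers: [{ Arn: 'arn:aws:lambda:us-east-1:123456789012:layer:shared:3' }],
  SigningToken: 'abc.def',
});

// Stand-alone run: show the scrubbed text and how many fields were hidden.
const demo = scrubCliOutput(SAMPLE_CLI_OUTPUT);
console.log(demo.text);
console.log(`${demo.count} field(s) redacted`);
```

The deliberate over-redaction of REGION is the point: in an environment-variable map the safe default is to hide everything, and a pipeline that needs a non-secret value should read it from the configuration source directly rather than from the CLI's echoed output.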

GitHub comments abused to push malware via Microsoft repo URLs

Threat actors are abusing a GitHub design quirk to distribute malware from URLs that appear to belong to legitimate Microsoft repositories, which makes the files look trustworthy. When a user attaches a file to a comment, GitHub uploads it to its CDN and assigns it a URL under the repository's github.com path, and that URL keeps working even if the comment is never posted or is later deleted. The issue is not limited to GitHub: GitLab's comment feature can be abused the same way. GitHub has removed the specific malware tied to Microsoft's repositories, but the underlying behavior remains, so an attacker can build a convincing lure by attaching a malicious file to a comment on any public GitHub or GitLab repository. (Bleeping Computer)

Windows vulnerability reported by the NSA exploited to install Russian malware

Microsoft has disclosed that the Kremlin-backed group Forest Blizzard has been exploiting CVE-2022-38028, a critical vulnerability in its software, for roughly four years, using it to install a previously unknown backdoor named GooseEgg in targeted attacks against a wide range of organizations. Microsoft patched the flaw in October 2022 but did not say at the time that it was under active exploitation. Exploiting CVE-2022-38028 grants SYSTEM privileges, the highest level in Windows, when chained with an exploit that gives the attacker an initial foothold. The flaw carries a CVSS score of 7.8 and can be exploited with low existing privileges and minimal complexity. (Ars Technica)

Russian Sandworm hackers targeted 20 critical orgs in Ukraine

According to a report from the Ukrainian Computer Emergency Response Team (CERT-UA), the Russian hacker group Sandworm, also known as BlackEnergy, Seashell Blizzard, Voodoo Bear, and APT44, targeted around 20 critical infrastructure facilities in Ukraine in March 2024.

The group, believed to be associated with Russia's Main Directorate of the General Staff of the Armed Forces (the GRU), aimed to disrupt operations at these facilities, which included energy, water, and heating suppliers in 10 regions of Ukraine. CERT-UA says the intruders got in through the supply chain: either by delivering compromised or vulnerable software from the facilities' vendors, or by abusing the remote access those software providers already held into the facilities' systems. (Bleeping Computer)

Critical update: CrushFTP zero-day flaw exploited in targeted attacks

Researchers have discovered a critical zero-day vulnerability in the CrushFTP enterprise file transfer software that is being actively exploited in targeted attacks. The flaw allows unauthenticated attackers to escape the user's virtual file system (VFS) and download system files. CrushFTP has released patches for the vulnerability in versions 10.7.1 and 11.1.0, urging customers to update immediately. Researchers have observed the exploit being used in a targeted fashion, mainly targeting U.S. entities, with the attacks suspected to be politically motivated. CrushFTP customers using a DMZ (demilitarized zone) environment are said to be protected against the attacks. (The Hacker News)

Resource Roundup

On Demand | Breaking Down NIST CSF 2.0

Listen to our panel of experts, including NIST's Nakia Grayson, for insights into the key takeaways and changes in CSF 2.0. [Watch Here]

Special Report | NIST CSF 2.0 and C-SCRM for Software Risk Management

Learn about NIST's Cybersecurity Framework 2.0 and CISA's Cyber Supply Chain Risk Management program, and what they mean for improving supply chain security. [Read Here]

On Demand | RL Spectra Assure Product Demo

Watch ReversingLabs' Chief Software Architect and Co-Founder, Tomislav Peričin, showcase how RL Spectra Assure's capabilities are simplifying the detection of threats and exposures, enabling software producers and enterprise buyers to minimize the impact of supply chain attacks on their organizations. [Watch Now]
