Cybersecurity News – Travis CI leaks credentials, Exchange servers deploy BlackCat, tracking phones with Bluetooth

Leaky continuous integration logs 

Security researchers at Aqua Security report that credentials belonging to third-party open source developers are being leaked through build logs of the hosted continuous integration service Travis CI. The researchers were able to access over 700 million logs dating from 2013 through May 2022. Examining only a small subset, they found that the logs contain tokens and other credentials for GitHub, AWS, and Docker Hub. Such tokens could open the door to software supply chain attacks: a token scoped to push to a repository or a registry lets an attacker inject code or images into every downstream build that trusts them. This appears to be an ongoing issue with Travis CI: a HackerOne report documented an exposed access token in 2015, and similar incidents were reported in 2019 and 2021.

(Ars Technica)
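Secret scanning is the practical follow-up to this story: a pipeline's own logs are often the first place a token shows up, and they should be checked before they are published or archived. The Python below is an added example for this newsletter, not Aqua Security's tooling and not anything from Travis CI, that flags and redacts GitHub, AWS and Docker Hub credentials in a constructed log sample (the AWS pair is the placeholder key from AWS's own documentation; the other tokens are fabricated strings in those services' public prefix formats). The patterns and the redaction format are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of CI build output. Not real Travis CI log data: the GitHub and
# Docker Hub values are fabricated strings in those services' public token formats,
# and the AWS pair is the example key AWS uses in its documentation.
SAMPLE_LOG = """\
$ git clone https://x-access-token:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/example/repo.git
Setting environment variables from repository settings
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ docker login -u builder -p dckr_pat_abcdefghijklmnopqrstuvwxy12345 registry.hub.docker.com
$ echo "[secure]"
Build succeeded
"""

# Credential formats recognisable from a distinctive prefix or from the variable they
# are assigned to.  A pattern with a capture group flags only that group, so the
# variable name survives redaction while the secret does not.
CREDENTIAL_PATTERNS = [
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("docker_hub_pat", re.compile(r"\bdckr_pat_[A-Za-z0-9_-]{20,}\b")),
]


def redact(secret: str) -> str:
    """Leave enough to identify which credential leaked, never enough to use it."""
    if len(secret) <= 12:
        return "*" * len(secret)
    return secret[:6] + "*" * (len(secret) - 10) + secret[-4:]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking value, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                findings.append({"line": lineno, "kind": kind, "value": redact(secret)})
    return findings


def sanitize_log(text: str) -> str:
    """Replace each secret with a placeholder so the log can be shared or archived."""
    for kind, pattern in CREDENTIAL_PATTERNS:
        def replace(m, kind=kind):
            whole = m.group(0)
            start, end = m.span(m.lastindex or 0)   # only the secret, not the context
            offset = m.start()
            return whole[: start - offset] + f"[REDACTED:{kind}]" + whole[end - offset:]
        text = pattern.sub(replace, text)
    return text


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print(sanitize_log(SAMPLE_LOG))
```

Run it over archived build output before granting anyone read access to it; a hit means the credential should be rotated, not just the log cleaned, since the log may already have been copied.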

Exchange servers used to deploy BlackCat

Microsoft reported that it observed at least one threat actor successfully infiltrate a network through an unpatched Exchange server and exfiltrate information, the first stage of a typical double-extortion ransomware scheme. Two weeks after the initial compromise, the actor used that same server to launch BlackCat ransomware payloads across the entire network. Microsoft's threat intelligence team said that while remote desktop access and compromised credentials remain the typical entry vectors for ransomware, unpatched Exchange servers are increasingly being used by attackers. It's unclear which Exchange exploit was used or which ransomware affiliate carried out the attack Microsoft described.

(Bleeping Computer)

Bluetooth can be used to track phones

A new paper by researchers at the University of California San Diego found that Bluetooth beacon signals can be used to track devices "in a highly accurate way." The researchers used an algorithm to extract a device's carrier frequency offset and I/Q imperfections from the raw radio signal; these come from manufacturing variation in the radio hardware, so they differ slightly from one device to the next and are characteristic of each device. That makes it possible to link all beacons sent by the same device using a relatively cheap software-defined radio, even though the contents of the beacons themselves, such as the advertised address, are randomized. The researchers warn this could be more of a security risk than tracking devices over Wi-Fi preambles because of the "frequent and constant wireless signal emitted from all our personal mobile devices."

(ThreatPost)
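To make the physical-layer fingerprint concrete, here is an added Python illustration for this newsletter (not the UCSD researchers' code) of the two measurements on constructed I/Q samples: the oscillator's carrier frequency offset, estimated from the phase advance across the alternating preamble, and the I/Q gain mismatch, fitted as an ellipse. The 8 Msps sample rate, the omission of GFSK pulse shaping, the noise level and the matching tolerances are all assumptions made for the example.

```python
import cmath
import math
import random
from typing import Dict, List, Optional, Tuple

# Assumed capture parameters: an SDR sampling a BLE 1M channel at 8 Msps, so 8 complex
# samples per 1 us bit.  F_DEV is the nominal BLE 1M frequency deviation; GFSK pulse
# shaping is omitted for brevity (assumption).
FS = 8_000_000
SAMPLES_PER_BIT = FS // 1_000_000
F_DEV = 250_000
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]   # BLE 1M preamble: alternating bits


def synth_preamble(cfo_hz: float, iq_gain_q: float, noise_std: float, seed: int) -> List[complex]:
    """Constructed baseband I/Q samples of one preamble from a transmitter whose
    oscillator is off by cfo_hz and whose Q path has iq_gain_q times the I gain."""
    rng = random.Random(seed)
    samples, phase = [], 0.0

    def sample(ph: float) -> complex:
        return complex(math.cos(ph) + rng.gauss(0, noise_std),
                       iq_gain_q * math.sin(ph) + rng.gauss(0, noise_std))

    for n in range(len(PREAMBLE) * SAMPLES_PER_BIT):
        samples.append(sample(phase))
        symbol = 1 if PREAMBLE[n // SAMPLES_PER_BIT] else -1
        phase += 2 * math.pi * (cfo_hz + symbol * F_DEV) / FS
    samples.append(sample(phase))   # one extra sample so every bit spans 8 phase steps
    return samples


def estimate_cfo(samples: List[complex]) -> float:
    """Mean phase advance over a lag of exactly two bits.  Across a 1 followed by a 0 the
    +/-F_DEV contributions cancel, so only the oscillator offset remains.  Unambiguous
    for |cfo| < FS / (2 * lag) = 250 kHz, well outside the BLE tolerance."""
    lag = 2 * SAMPLES_PER_BIT
    acc = sum(samples[n] * samples[n - lag].conjugate() for n in range(lag, len(samples)))
    return cmath.phase(acc) * FS / (2 * math.pi * lag)


def estimate_iq_gain_db(samples: List[complex]) -> float:
    """Least-squares fit of a*I^2 + b*Q^2 = 1.  A constant-envelope signal through a
    gain-mismatched I/Q path traces an ellipse rather than a circle, and sqrt(a/b) is
    the Q/I gain ratio, independent of the received amplitude."""
    sii = sum(s.real ** 4 for s in samples)
    siq = sum(s.real ** 2 * s.imag ** 2 for s in samples)
    sqq = sum(s.imag ** 4 for s in samples)
    ri = sum(s.real ** 2 for s in samples)
    rq = sum(s.imag ** 2 for s in samples)
    det = sii * sqq - siq * siq
    if det <= 0:
        raise ValueError("not enough phase diversity to fit an ellipse")
    a = (ri * sqq - rq * siq) / det
    b = (sii * rq - siq * ri) / det
    return 20 * math.log10(math.sqrt(a / b))


def fingerprint(samples: List[complex]) -> Tuple[float, float]:
    return estimate_cfo(samples), estimate_iq_gain_db(samples)


def match(fp: Tuple[float, float], known: Dict[str, Tuple[float, float]],
          cfo_tol: float = 3_000.0, iq_tol_db: float = 0.1) -> Optional[str]:
    """Nearest known device whose fingerprint lies within both tolerances, else None.
    The tolerances are assumptions for this illustration."""
    best, best_dist = None, math.inf
    for name, (cfo, iq_db) in known.items():
        d_cfo = abs(fp[0] - cfo) / cfo_tol
        d_iq = abs(fp[1] - iq_db) / iq_tol_db
        if d_cfo <= 1 and d_iq <= 1 and d_cfo ** 2 + d_iq ** 2 < best_dist:
            best, best_dist = name, d_cfo ** 2 + d_iq ** 2
    return best


if __name__ == "__main__":
    # Three constructed transmitters that differ only in these hardware offsets.
    known = {
        "A": fingerprint(synth_preamble(20_000, 1.00, 0.005, seed=1)),
        "B": fingerprint(synth_preamble(-35_000, 1.02, 0.005, seed=2)),
        "C": fingerprint(synth_preamble(22_000, 1.03, 0.005, seed=3)),
    }
    later_beacon = synth_preamble(20_000, 1.00, 0.005, seed=4)   # A again, fresh noise
    print(known, match(fingerprint(later_beacon), known))
```

Devices A and C sit only 2 kHz apart in frequency offset, which is why the example keeps a second dimension: the I/Q mismatch separates them even when the frequency estimate alone would not.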

Google suspends AI researcher making sentience claims

The Washington Post’s sources say Google placed AI engineer Blake Lemoine on paid administrative leave for violating confidentiality policies after he voiced concerns that Google’s LaMDA language model showed signs of sentience. Google placed Lemoine on leave on June 6th, after he sought “a minimal amount of outside consultation” to guide his investigations. He subsequently published transcripts of LaMDA conversations on June 11th. Lemoine works in Google’s Responsible AI organization and was initially testing whether LaMDA generates discriminatory language or hate speech. Google spokesperson Brian Gabriel said a team of ethicists and technologists reviewed Lemoine’s concerns and found “there was no evidence that LaMDA was sentient.” Cognitive scientist Gary Marcus noted that systems like LaMDA are essentially sequence-prediction models rather than systems that try to connect to the world at large.

(The Verge)

Thanks to today’s episode sponsor, Datadog

Check out Datadog's on-demand fireside chat with CTO Cormac Brady. Over the course of his 20+ year career at Thomson Reuters, Cormac consistently built bridges between technical teams—and in the process helped teams achieve superior results and earned himself senior leadership positions. Watch now at datadoghq.com/ciso/

Celsius Network hits its freezing point

The crypto lending platform Celsius Network suspended all withdrawals, swaps, and transfers between accounts on June 12th, citing “extreme market conditions.” Celsius operates in principle like a standard bank, collecting deposits and lending them out, but offers up to 18.63% annual percentage yield on crypto deposits, which are not covered by FDIC insurance. The value of the company’s CEL token was down 92% since April 8th, trading at around $0.22 at the time of this writing. This comes as Binance also temporarily suspended Bitcoin withdrawals.

(Decrypt)

New Chinese RAT on the loose 

Security researchers at Palo Alto Networks’ Unit 42 discovered a new remote access trojan with ties to the Chinese state-backed actor Gallium. The RAT, dubbed PingPull, also marks a shift in Gallium’s targeting, expanding from telcos to financial and government entities. PingPull communicates with its C2 servers over ICMP (Unit 42 also described variants that use HTTPS and raw TCP). Communicating over ICMP isn’t new for malware, but it remains effective because few organizations inspect the traffic: echo requests and replies are usually allowed through firewalls, and commands and results can be carried in their payloads. It’s not clear how many organizations have been impacted, but Palo Alto reports that organizations in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam have been hit.

(CyberScoop)
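One detection approach for ICMP-borne command and control, as an added example for this newsletter (not Unit 42’s detection logic and not derived from PingPull samples): parse echo requests and replies, treat payloads that match the stock ping tools as benign, flag everything else, and escalate when a host repeatedly sends such payloads or when a payload looks encoded. The traffic is constructed inline; the entropy threshold and the per-host hit count are assumptions.

```python
import math
import struct
from collections import Counter
from typing import Dict, Iterable, List, Tuple

WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # default Windows ping data (32 bytes)
LINUX_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))     # 8-byte timestamp (zeroed here) + counting bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a packet whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8, corrupt: bool = False) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) carrying payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    if corrupt:
        csum = (csum + 1) & 0xFFFF
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached only by uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_default_ping_payload(payload: bytes) -> bool:
    """Payloads produced by the stock Windows and Linux ping tools."""
    if not payload or payload == WINDOWS_PAYLOAD:
        return True
    # Linux: 8-byte timestamp followed by bytes counting up from 0x10
    return len(payload) >= 8 and payload[8:] == bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8))


def analyze_packet(pkt: bytes) -> List[str]:
    """Reasons this ICMP message looks like something other than a plain ping; [] if benign."""
    if len(pkt) < 8:
        return ["truncated ICMP header"]
    icmp_type = pkt[0]
    reasons = []
    if icmp_checksum(pkt) != 0:
        reasons.append("bad checksum")
    if icmp_type in (0, 8) and not is_default_ping_payload(pkt[8:]):
        reasons.append("non-default payload")
        if shannon_entropy(pkt[8:]) >= 5.0:   # assumed threshold for encoded/encrypted data
            reasons.append("high-entropy payload")
    return reasons


def detect_icmp_c2(traffic: Iterable[Tuple[str, bytes]], min_hits: int = 2) -> Dict[str, int]:
    """Count non-default echo payloads per source host; a host that keeps sending them
    is a candidate ICMP tunnel and is returned with its hit count."""
    hits: Counter = Counter()
    for src, pkt in traffic:
        if "non-default payload" in analyze_packet(pkt):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed traffic: two hosts running ordinary ping, and one host whose echo messages
# carry 64 bytes that never repeat (entropy exactly 6.0) plus a short cleartext command.
SUSPECT_PAYLOAD = bytes((i * 73 + 41) & 0xFF for i in range(64))
SAMPLE_TRAFFIC = [
    ("10.0.0.7", build_echo(0x0001, 1, WINDOWS_PAYLOAD)),
    ("10.0.0.7", build_echo(0x0001, 2, WINDOWS_PAYLOAD)),
    ("10.0.0.9", build_echo(0x1234, 1, LINUX_PAYLOAD)),
    ("10.0.0.5", build_echo(0xBEEF, 1, SUSPECT_PAYLOAD)),
    ("10.0.0.5", build_echo(0xBEEF, 2, SUSPECT_PAYLOAD, icmp_type=0)),   # reply carrying data back
    ("10.0.0.5", build_echo(0xBEEF, 3, b"cmd:whoami")),
    ("10.0.0.9", build_echo(0x1234, 2, b"hello", corrupt=True)),
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_TRAFFIC:
        print(src, analyze_packet(pkt))
    print(detect_icmp_c2(SAMPLE_TRAFFIC))
```

Note that entropy alone is a poor signal: the Linux counting pattern has high entropy too, which is why the pattern check runs first and entropy only raises the severity of a payload that is already non-standard. In production the same logic would be fed from a packet capture or IDS pipeline rather than the inline list.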

Metasploit learns some new tricks

Rapid7 released version 6.2.0 of its popular pentesting framework, adding a new Capture plugin that starts 13 listening services with a single command to capture credentials on a network. Metasploit already offered most of these capabilities as individual modules, but this update streamlines them into one plugin. It also adds support for quickly launching a read-only SMB v3 server for hosting payloads remotely during testing. Rapid7 noted that its most popular module among testers was the one exploiting Log4Shell on Linux and Windows hosts.

(Bleeping Computer)

And now your “should have patched” Tuesday update

The German pentest firm SySS reported two security vulnerabilities in Mitel 6800 and 6900 series IP phones that could allow an attacker to gain root access, including an undocumented backdoor; patches were released in May 2022. Drupal issued a security advisory on flaws in the third-party Guzzle HTTP client library that could allow attackers to take control of an affected website. And JFrog Security Research documented a vulnerability in Envoy Proxy that could let attackers stage a denial-of-service attack.

(Dark Reading, Security Week, Threat Post)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.