Cybersecurity Snapshot: Memory Bugs Pervasive in Open Source SW, While Car Dealership Chaos Persists After Ransomware Attack

Check out why memory vulnerabilities are widespread in open source projects. Plus, get the latest on the ransomware attack that’s disrupted car sales in North America. In addition, find out why a majority of organizations grew their cyber budgets this year. And learn how confidential data from U.S. chemical facilities may have been accessed by hackers. And much more!

Dive into six things that are top of mind for the week ending June 28.

1 - Study: Most open source projects likely plagued by memory safety vulns

An analysis of important open source projects reveals that most of them potentially contain memory-safety vulnerabilities, which can allow attackers to manipulate how memory is accessed, written, allocated or deallocated.

That’s according to a study conducted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Australian Cyber Security Center and the Canadian Centre for Cybersecurity.

The agencies analyzed 172 projects that the Open Source Security Foundation has identified as being critically important in the open source ecosystem. The report aims to assess “the scale of memory safety risk in selected open source software (OSS),” reads a CISA statement.

Here are key some findings from the report, which was published this week:

• More than half of the projects (52%) contain code written in a memory-unsafe language.
• Fifty-five percent of the total lines of code (LoC) for all projects were written in a memory-unsafe language.
• The use of memory-unsafe languages is particularly pronounced in the largest projects.

“Hence, we determine that most critical open source projects analyzed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities,” reads the report titled “Exploring Memory Safety in Critical Open Source Projects.”

Projects written completely in a memory-safe language can be affected by memory vulnerabilities if they use external dependencies written in memory-unsafe languages. 

Developers also can open the door for memory bugs in memory-safe languages if they disable certain security capabilities in them. Previously, CISA has identified C#, Go, Java, Python, Rust and Swift as memory-safe languages.

The cyber agencies recommend that organizations and software manufacturers:

• Reduce memory safety vulnerabilities
• Make secure and informed choices when using OSS
• Understand the risk of memory vulnerabilities in OSS
• Evaluate ways of reducing this risk

“We encourage additional efforts to understand the scope of memory-unsafety risks in OSS and continued discussion of the best approaches to managing and reducing this risk,” the report reads.

For more information about this topic:

• “CISA Calls on Software Makers To Use Memory Safe Languages” (Tenable)
• “The Move to Memory-Safe Programming” (IEEE Spectrum)
• “White House urges use of memory-safe coding languages” (Dark Reading)
• “Efforts to improve memory safety in software gain momentum” (TechTarget)
• “The Case for Memory Safe Roadmaps” (Cyber agencies from Australia, Canada, New Zealand, the U.S. and the U.K.)

VIDEO

How can memory safe code stop hackers? (Low Level Learning)

2 - Car dealerships still hobbled by attack on software provider

A ransomware attack against CDK Global has thrown a wrench into the operations of many of the 15,000-plus car dealerships that use its software for tasks such as customer relationship management and financing.

CDK Global suffered the ransomware attack on June 19, and as of Thursday afternoon of this week it still hadn’t recovered from the attack, according to multiple published reports. Meanwhile, many car dealerships that use CDK Global software have had their operations severely disrupted. 

The CDK Global attacker is an Eastern European ransomware group that is demanding tens of millions of dollars in ransom, according to Bloomberg. It has been identified by security researchers as BlackSuit, a group that reportedly emerged in May 2023.

There’s a trend towards more coordinated and less opportunistic approaches to ransomware, Ray Carney, Director of Research at Tenable, said in a statement. “Attackers are targeting supply chains and industries where they can force victims into paying ransom. These industries know that every minute of downtime has a price tag,” Carney said.

U.S. car sales could drop as much as 7.2% in June, compared with June of 2023, and a big factor will be the chaos caused by the CDK Global attack, Quartz reported, citing estimates from J.D. Power and GlobalData. Meanwhile, the disruption could end up costing car dealers as much as $1 billion, according to an Automotive News article that cites an estimate from Anderson Economic Group.

For more information:

• “CDK Global Cyberattacks: What Can CIOs Learn About Single Points of Failure?” (InformationWeek)
• “June new vehicle sales expected to take hit from cyberattack on dealer software” (Detroit Free Press)
• “CDK Global works to restore dealer software after hack, but the auto sales fallout still looms” (Yahoo Finance)
• “CDK updates dealers on status of sales software restoration after cyberattack” (CBS News)
• “Cyberattack on CDK Global stymies work at car dealerships across US” (The Record)

3 - Report: Majority of U.S. orgs increased cyber budgets in 2024

Facing an increasingly complex and challenging threat landscape, a majority of U.S. organizations upped their cybersecurity spending this year. So says the “2024 Threat and Risk Management Report,” which was independently conducted by Ponemon Institute and sponsored by Optiv.

Specifically, 59% of the 650 IT and cybersecurity professionals polled said their organizations grew their cyber budgets for 2024. Thirty percent left their cyber budgets unchanged, and only 11% decreased them, according to the report.

Driving the decisions to expand cyber budgets are the growing sophistication of attacks and the increased number of breaches. For example, 61% of respondents said their organizations had a data breach or a cybersecurity incident in the past two years. Among those respondents, 75% suffered between two and five breaches or incidents.

Asked about the frequency of cybersecurity incidents in the past 12 months, 61% said they had either “significantly increased” or “increased.” Only 13% reported experiencing a decrease, and 18% said the number had remained the same.

“The threat landscape keeps breaking records as it becomes more volatile and complex. Most organizations are experiencing data breaches and security incidents; what’s more, they are also reporting an increase in frequency,” reads the report, which was published this week.

Meanwhile, 44% of respondents are using artificial intelligence (AI) and machine learning (ML) to prevent cyberattacks, and the most common usage areas are vulnerability scanning; firewall protection; adversary training for security staff; and internal red teaming.

How is your organization currently ensuring that your AI/ML reduces cybersecurity risks and threats? (More than one choice permitted)

^{(Source: “2024 Threat and Risk Management Report” from Optiv / Ponemon Institute, June 2024)}

The report also looked at the issue of cybersecurity tool sprawl. For example, respondents have an average of 54 separate cybersecurity products. Only 29% of respondents feel they have the right number of cybersecurity tools; 40% believe they have too many. Even more concerning is that only 51% say these tools are highly effective in mitigating cyber risks. 

"Too many cybersecurity tools are hindering a strong cybersecurity posture," the report reads.

To get more details, download the “2024 Threat and Risk Management Report.”

VIDEO

Highlights from Optiv's 2024 Threat and Risk Management Report

4 - Chemical facilities’ data potentially compromised in CISA breach

Attackers may have accessed confidential information that chemical facilities submitted to CISA – including security vulnerability assessments, facility surveys, site security plans, staff information and user accounts.

Attackers could have obtained this information via a January breach of CISA’s Chemical Security Assessment Tool (CSAT), CISA said this week. Facilities with certain quantities and concentrations of chemicals must use CSAT to report their chemical holdings to CISA as part of an anti-terrorism program.

The breach occurred when attackers exploited vulnerabilities in the Ivanti Connect Secure remote-access VPN appliance used by the CSAT tool. At the time, CISA took the impacted system offline immediately. It has since found no evidence that data was exfiltrated, nor that credentials were stolen, nor that attackers extended their access beyond the Ivanti device.

Moreover, all CSAT data was protected using AES 256 encryption; additional information-security layers were in place; and encryption keys were hidden from the type of access the attackers obtained.

However, “out of an abundance of caution,” CISA is alerting all Chemical Facility Anti-Terrorism Standards (CFATS) program participants that attackers may have accessed their information. CISA recommends that facilities maintain “cyber and physical security measures.” If individuals re-used their CSAT passwords elsewhere, they should reset those accounts’ passwords.

To get more details, check out CISA’s:

• Chemical Security Assessment Tool (CSAT) Ivanti Notification
• Letter to participants of the CFATS program

5 - Attackers pounce on latest MOVEit Transfer vulnerability

Attackers are reportedly trying to exploit a critical vulnerability (CVE-2024-5806) that Progress Software patched this week in its MOVEit Transfer product.

MOVEit Transfer was targeted last year by ransomware group CL0P, which massively exploited a then zero-day vulnerability in this managed file transfer (MFT) product.

Because the product has been such an attractive target for attackers, Tenable Research strongly recommends that organizations prioritize patching this vulnerability.

To get all the details, read the Tenable Research blog “CVE-2024-5806: Progress MOVEit Transfer Authentication Bypass Vulnerability.”

For more information about this MOVEit Transfer vulnerability:

• “MOVEit Transfer Critical Security Alert Bulletin – June 2024 – (CVE-2024-5806)” (Progress Software)
• “Hackers target new MOVEit Transfer critical auth bypass bug” (Bleeping Computer)
• “Progress MOVEit Auth. Bypass In (Un)Limited Scenarios: CVE-2024-5806” (watchTowr Labs)
• “MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers” (Dark Reading)
• “Progress Software elevates severity of new MOVEit bug to ‘critical’ as exploit attempts jump” (The Record)

6 - Interpol disrupts global online scams, seizes $257M in assets

Almost 4,000 people suspected of participating in online scam networks were arrested, and another 15,000 were identified as suspects as part of a global Interpol operation.

Spanning 61 countries, Operation First Light 2024 led to the seizure of $257 million in assets from more than 6,700 bank accounts. 

The seized assets included fiat currency and cryptocurrency, as well as expensive real estate, cars, jewelry and other high value items and collections.

The operation disrupted phishing, investment fraud, fake shopping websites and romance and impersonation scams, Interpol said this week.