Cybersecurity Roundup December 2022

Nuclear Scientists are Becoming Russian Hacker Targets

Cold River is a Russian-based hacking group that has recently launched a series of cyber attacks targeting American scientists at three nuclear research facilities. Reuters reported that between August and September 2022, Cold River targeted various engineers at Brookhaven, Lawrence Livermore, and Argonne National Labs. Cybersecurity monitoring records clearly show the activity, but the extent of success or failure is unknown. Detailed information can be found here.

The intrusions sync up with the United Nations sending inspectors to Europe’s largest nuclear plant in Ukraine, which had come under attack as part of the Russia – Ukraine war. While the Russian government denies its involvement with Cold River, various intelligence agencies and cybersecurity organizations have confirmed it. Fortunately, the attacks were quickly contained and did not pose a threat to worldwide security. 

SSL.com Response

Cybersecurity protection at the nation’s nuclear facilities and research labs is very tight. This attack shows that even the most protected facilities are subject to security intrusions. SSL.com answers many government and municipal security use cases with a PKI-based solution suite. This includes solutions for national identification programs, client authentication certificates for secure user access, encrypted email, and code signing for systems development. Please click here for access to an SSL.com report on how we support various national governments.

CircleCI was Breached, Issues Warnings and Advice to Its Customers

Hosted development services like CircleCI, GitHub, Jenkins, and Travis CI are becoming frequent hacker targets. In a breach announced by CircleCI, last December, security tokens and other secrets used by developers were exposed to an unidentified hacker team. CircleCI estimates that over a million developer accounts were potentially compromised. Information is available here.

  CI/CD pipelines and repositories, focusing on improving software development cycles, present multiple threat surfaces and vulnerabilities. This is due to a growing dependency on open-source code libraries, sharing of repositories, and vulnerable servers. 

Attacks on CI/CD pipelines are considered supply chain attacks. Whereby code developed for further distribution is the target. There are multiple examples of attacks of this nature. A recent example is the Solar Winds attack, whereby code was injected with malware, which ultimately created backdoors on Solar Winds customers, who had been instructed to update their software. Once the backdoors were established, hackers had access into thousands of different systems throughout the world, including various governmental agencies. 

SSL.com Response

The use of code signing is a good deterrent. SSL.com has code signing certificates available with malware scanning capability. By obtaining a code signing certificate, routines can be set up to continuously sign code, apps, drivers, and files with a digital signature. Using code signing prevents code tampering and confirms code ownership. A code signing certificate can be integrated into the process using SSL.com’s eSigner remote code signing service. Alternatively a code signing certificate can be used with a physical USB token holding signing key material.  Malware code signing can also be implemented to scan code before signing. If malware is detected, the signing process is held until remediation occurs. Specific information can be found here.

Five Guys Burger Chain HR Systems Hacked

Five Guys Enterprises, LLC. suffered a cybersecurity breach recently. One of their  servers, which housed personal information from job applications, was hacked. Information about applicants, including driver’s licenses and social security numbers, appears to have been the target. Five Guys has taken a proactive approach by offering credit monitoring to the affected applicants. It is unclear what other steps have been taken. Additional information regarding the attack can be found here.

Multiple cybersecurity organizations have weighed in on this attack. They feel the residual effect of stolen data in the wild is more severe than it appears. Adaptive threat actors are getting more creative with how the stolen information is used while using the attack scenario as a reconnaissance act for planning future attacks.

Restaurants tend to under-deploy security systems due to low-profit margins and budgets. Unfortunately, HR recruiting systems that interact with the public are easy targets. 

There are ways to combat the threat. Slight to moderate investments in tighter multi-factor authentication and real-time monitoring systems could have helped deflect this attack.

SSL.com Response

While cyber-attacks cannot be stopped, they can be thwarted or directed to a honey pot for analysis. Cybersecurity is a multi-layered initiative; a small investment can go a long way in preventing or deflecting attacks. Most importantly, ensuring that cybersecurity products and systems are configured correctly is imperative. SSL.com has various client authentication certificates available. The certificates shield assets from malicious actors by assuring that only authenticated and validated individuals get access. Additional information can be found here.

Slack Targeted via Its Private Github Repository

Even Slack is not immune to cybersecurity problems. The messaging business communication stack, owned by Salesforce, had some of its GitHub code repositories stolen.

  With a customer base of over 18 million, Slacks attention to cybersecurity is very intense. The incident stems from several authentication tokens being stolen from a group of employees. The tokens allowed hackers to get access to a small collection of Slack’s private GitHub repositories. While none of the repositories contained customer data, the attack is a reminder that no organization should let their guard down. Ongoing security vigilance either through software or managed services should be an integral part of a defense-in-depth architecture. 

Slack’s security team, backed up by the Salesforce security team, acted quickly; immediately invalidating the tokens and tightening access to its online database. The team is dedicated to protecting the privacy and security of its customer base while maintaining its internal organization’s integrity. Additional information can be found here. SSL.com Response

Slack is a massive operation, and its security team is top-notch. The loss of security tokens is problematic and is an ongoing concern for organizations that use them. SSL.com deploys its EV code signing certificate credentials via a FIPS – compliant USB token. Our ability to recreate them in the event of a loss is excellent. However, the use of cloud-based services which do not require USB token use is preferred. SSL.com has a variety of services available in the cloud, such as client authentication certificates and the use of eSigner. Whenever there is a dependency on a physical item, SSL.com prefers to look to the cloud. Information regarding our cloud services can be found here.

SSL.com Reminders

OV & IV Code Signing Key Storage Requirements are Changing With input from most of its membership, the CA/Browser Forum is changing the OV & IV Code Signing Key Storage Requirements. The change date is June 1, 2023. OV & IV Code Signing Certificates will be issued on Yubico USB Tokens or available via the SSL.com eSigner cloud signing service. 

Additional information on this change can be found on the  CA/Browser Forum website. Learn more about the SSL.com eSigner solution: https://www.ssl.com/esigner/.