FBI’s warning about Iranian firm highlights common cyberattack tactics

The US Federal Bureau of Investigation (FBI) has released a warning outlining the TTPs (tactics, techniques, and procedures) of Iran-based Emennet Pasargad, reportedly a cybersecurity and intelligence firm serving Iranian government agencies, to help recipients inform and defend themselves against the group’s malicious activities.

In the FBI’s Private Industry Notification, the agency confirms that two Iranian nationals employed by Emennet were charged with cyberintrusion and fraud, voter intimidation, interstate threats, and conspiracy by the US Department of Justice.

Additionally, the Department of the Treasury’s Office of Foreign Assets Control alleges that Emennet, along with the two accused Iranian nationals, attempted to influence the 2020 US presidential elections.

Major Vulnerability Found in Argo CD

Security researchers at Apiiro have discovered a significant software supply chain zero-day vulnerability in the popular open-source continuous delivery platform, Argo CD.

Used by thousands of organizations globally, Argo CD is a tool that reads environment configurations (written as Helm charts, Kustomize files, Jsonnet or plain YAML files) from Git repositories and applies them to Kubernetes namespaces. The platform can manage the execution and monitoring of application deployment post-integration.

The flaw (CVE-2022-24348) lets attackers access and exfiltrate sensitive information such as passwords and API keys.

“A 0-day vulnerability, discovered by Apiiro’s Security Research team, allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and ‘hop’ from their application ecosystem to other applications’ data outside of the user’s scope,” wrote researchers.

Exploitation of the flaw can lead to privilege escalation, sensitive information disclosure, lateral movement attacks and more.

The attack begins with the threat actor constructing a malicious Kubernetes Helm chart, a YAML file that embeds different fields to form a declaration of the resources and configuration needed to deploy an application.

Using the Helm Chart, the attacker builds a dummy configuration to exploit a parsing confusion vulnerability to access restricted information.

Finally, the attacker extracts sensitive data such as API keys and passwords that can be leveraged to carry out follow-up attacks and facilitate lateral movement inside the victim’s network.
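The article describes the flaw only as a parsing confusion that lets a chart “hop” to data outside the application’s own scope. The Go program below is an added illustration, not Argo CD’s code and not Apiiro’s research material; it shows the generic containment check a defender wants wherever a user-supplied chart names files on disk: each referenced path is resolved against the application’s own repository root and rejected if it escapes that root. The function name ResolveWithinRoot, the parameter names and the sample repository paths such as /repos/app-a are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideScope is returned when a chart-referenced path resolves outside
// the application's own repository directory.
var ErrOutsideScope = errors.New("referenced file resolves outside the application's repository root")

// ResolveWithinRoot joins a chart-supplied relative reference (for example a
// values file named in an application spec) onto the application's repository
// root and refuses any result that escapes that root. appRoot must be absolute;
// ref is untrusted and may contain "..", "." or be absolute itself.
func ResolveWithinRoot(appRoot, ref string) (string, error) {
	root := filepath.Clean(appRoot)
	if !filepath.IsAbs(root) {
		return "", fmt.Errorf("application root must be absolute: %q", appRoot)
	}
	// A chart may only name files relative to its own application directory,
	// so an absolute reference is rejected before any joining happens.
	if filepath.IsAbs(ref) {
		return "", ErrOutsideScope
	}
	// Clean collapses "." and ".." segments, so the containment test below
	// sees the real target rather than the textual path the chart supplied.
	candidate := filepath.Clean(filepath.Join(root, ref))
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	// Using Rel rather than a string-prefix test avoids treating
	// /repos/app-ab as "inside" /repos/app-a.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideScope
	}
	return candidate, nil
}

func main() {
	// Constructed sample: an application checked out under /repos/app-a that
	// references one legitimate values file and one that tries to leave the root.
	root := "/repos/app-a"
	for _, ref := range []string{"values/prod.yaml", "../app-b/values.yaml"} {
		p, err := ResolveWithinRoot(root, ref)
		if err != nil {
			fmt.Printf("reject %-24s %v\n", ref, err)
			continue
		}
		fmt.Printf("accept %-24s -> %s\n", ref, p)
	}
}
```

filepath.Clean reasons only about the textual path; on a real checkout the accepted candidate should additionally be passed through filepath.EvalSymlinks and subjected to the same Rel-based test, because a symlink committed inside the repository can still point outside it.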

Apiiro reported the attack to Argo CD on January 30 2022. After discussing the vulnerability’s extent and impact, the vendor created a patch to fix the problem. Advisories and the patch were released on Thursday. 

Apiiro’s research team praised Argo CD’s incident response and “professional handling of the case.”

“We are seeing more advanced persistent threats that leverage zero day and known, unmitigated vulnerabilities in software supply chain software such as Argo CD,” commented Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.

He added: “For years, known, unmitigated vulnerabilities have contributed more than any other factor to mounting cyber risk. But hackers are always looking for the most-effective path of least resistance to attain their objectives.”

Nord Security and Surfshark to Merge

Lithuanian-based cybersecurity companies and rival virtual private network (VPN) providers Nord Security and Surfshark have finalized a merger agreement.

The companies said that the merger would “open new technical knowledge-sharing opportunities and enable more focused market diversification.” Both companies will continue to operate autonomously and maintain separate infrastructure and product roadmaps.

Since both companies are privately owned entities, the transaction details have not been disclosed. 

Nord Security was established in 2012 and now has 1,000 employees who support 15 million users worldwide. The company is known for its VPN service NordVPN, freemium VPN provider Atlas VPN, password manager NordPass, encrypted cloud storage NordLocker and the advanced network access security solution NordLayer.

According to a post on its website about the merger, Nord Security was impressed by the fast growth of Surfshark and the expertise and professionalism of its team. 

“The increasing complexity of cybersecurity and digital privacy is a growing challenge worldwide. We believe that this industry requires radical simplification and ease of access, both for consumers and businesses,” said Tom Okman, the co-founder of Nord Security.

Surfshark was developed with the assistance of Lithuanian business incubator Tesonet, which also helped NordVPN to grow.

Okman added: “Together, Nord Security and Surfshark create the largest internet security powerhouse in the market, ready to bring advanced solutions for customers.”

Nord Security said that while both companies will work independently to improve their own products, they will consolidate their resources to reach mutual goals and innovate within the cybersecurity industry.

Smaller fish Surfshark launched in 2018 and employs around 200 people. The company delivers software solutions and was a founding member of the VPN Trust Initiative. It is known for its Surfshark One suite, which bundles an award-winning VPN, antivirus, private search tool and data leak detection and alert system to provide cybersecurity protection.

“Consolidations in the global consumer cybersecurity market indicate the industry’s maturity. They also bring new competitive challenges,” said Vytautas Kaziukonis, founder and CEO of Surfshark.

Kaziukonis added: “Nord Security and Surfshark joining forces will set the ground to scale in different digital security dimensions, which is necessary to meet the growing requirements of our customers.”

Tennessee College Hit with Ransomware

A cyber-attack on a community college in Tennessee may have exposed the personal data of students, staff and faculty. 

Attackers struck Pellissippi State Community College (PSCC) with ransomware on December 5 2021. The digital assault shut down online network connections to all five of its campuses during finals week, disrupting online exams. 

All the college’s connected PC workstations and most of its servers, including the operating system and files, were encrypted. The attackers also changed the passwords of every user.

“What I can say is that this is not going to be a quick fix,” said Pellissippi State vice president for academic affairs, Kellie Toon, at the time of the attack.

“There have been other schools hit and just by all indications it can take months to rebuild it. We can rebuild it. We will rebuild it … but it’s going to take time.”

The attack left staff and some of the college’s 11,000 students unable to access email or the Microsoft communications platform Teams. 

The college launched an investigation into the cyber-attack to gauge its impact. On February 1, PSCC began informing an unspecified number of individuals that their sensitive information may have been compromised in the attack. 

A notice on the college’s website states: “Our investigation confirmed that the attacker had access to our Active Directory database, which includes first and last name; PSCC username; PSCC email address; office location and phone number; job title and department (if an employee); P number (a unique number assigned to each student and employee used only at PSCC and not used to sign documents); General user ID number (a long random string of numbers used only by PSCC in its Banner system); and PSCC account password (hashed).”

The college added that cyber-criminals may have also been able to access “other personal data in our system.”

PSCC said that the individuals whose data may have been accessed and acquired in the attack included former and current students, faculty, staff and participants in Tennessee Consortium for International Studies (TNCIS) programs.

#Enigma2022: Security’s Role in Helping HealthTech Find Its Way

Securing healthcare technologies is critical to human health and safety, not just in the medical setting but also with consumer HealthTech.

In an afternoon session on February 3 at the Enigma 2022 conference, Joy Forsythe, director of security at Alto Pharmacy, explained that HealthTech is a growing area of healthcare products and services targeted at consumers and available outside traditional medical establishments. HealthTech can include online medical services and both software- and hardware-based human health monitoring technologies.

Forsythe pointed out that any information about a person’s health collected by a healthcare provider or medical professional with a direct relationship to the patient is generally considered protected health information in the US. The federal rules protecting such information are referred to as HIPAA (the Health Insurance Portability and Accountability Act).

She noted that it’s not always clear what rules apply when it comes to HealthTech services and devices.

Forces Impacting Security in the Healthcare Ecosystem

Forsythe identified regulations as critical among the primary forces that impact security across the healthcare landscape.

While HIPAA addresses user privacy, other regulations include guidance on security practices issued by the US Department of Health and Human Services (HHS). For example, Forsythe noted that HHS has established that fax is considered a secure transmission method if the recipient’s fax number can be confirmed.

“Generally speaking in healthcare, if you verify that the fax number is correct, that’s considered secure,” she said. “If there’s a breach because of a fax that was sent to the correct phone number, the provider is not liable.”

While fax is an outdated, decades-old technology, the HHS guidance on email as a secure transmission method is less specific. As a result, Forsythe stressed, many healthcare entities in the US have banned email for sending personal health information.

Industry certification is another strong force that security teams in healthcare must contend with.

“Certification is an attempt to standardize third-party risk assessments and simplify vendor management,” Forsythe said. “But certification often pushes outdated security controls, and they failed to reduce risk in modern environments.”

How HealthTech Can Improve Security

Not all HealthTech devices are bound by the same regulations in the US as technologies and services directly provided by medical professionals.

“Consumer wellness startups are not acting as healthcare providers, and they may not be subject to HIPAA for a while,” she commented. “They still have to abide by other privacy laws that are often less burdensome.”

The opportunity for security people in HealthTech is to do the risk identification required by the privacy rules that are in place, such as CCPA in California or GDPR in Europe.

It’s also important that HealthTech providers track which data is identifiable because that’s the data that matters for privacy. Additionally, she recommends that HealthTech providers enable an auditable record of all access to user data by services, employees and partners.

Forsythe concluded by emphasizing the role security can play in HealthTech: “I think there’s still a lot of opportunity for security to come into HealthTech organizations and make a difference in how they handle data.”

The EARN IT Act Is Back

Senators have reintroduced the EARN IT Act, requiring social media companies (among others) to administer a massive surveillance operation on their users:

A group of lawmakers led by Sen. Richard Blumenthal (D-CT) and Sen. Lindsey Graham (R-SC) have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that was dropped in the face of overwhelming opposition. Let’s be clear: the new EARN IT Act would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe. It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online — backups, websites, cloud photos, and more — is scanned.

Slashdot thread.

US Accuses Russia of Disinformation Plot to Justify Invasion of Ukraine

The United States has accused Russia of a disinformation plot to serve as a pretext to an invasion of Ukraine.

This would be a video purporting to show a Ukrainian attack on Russian territory or against Russian-speaking people in Eastern Ukraine. According to the US government, the fabricated video would be highly graphic, including images of dead bodies.

On Thursday, Pentagon spokesman John Kirby told reporters: “We do have information that the Russians are likely to want to fabricate a pretext for an invasion.

“As part of this fake attack, we believe that Russia would produce a very graphic propaganda video, which would include corpses and actors that would be depicting mourners and images of destroyed locations.”

The US government added that it revealed the plans to help prevent conflict from breaking out in the region. However, no evidence was provided to support its claim, which Russia has denied.

The BBC reported that senior US officials believe the video is just one of a number of ideas Russia has to provide a pretext to invade Ukraine.

The claim has come amid mounting tension in the region, which has led to a massive build-up of Russian troops on its border with Ukraine.

Jake Moore, global cybersecurity advisor at ESET, noted that advancements in deepfake technologies are facilitating the use of fabricated videos, potentially to provoke war. “This reported use of deep fakery would highlight the extreme and dramatic turn in the nature of warfare that we are witnessing. Being able to drum up fear is often as powerful as the attack itself. In this new age of deepfake weaponry, it could worryingly not be too long before we have no idea what is real, making nation-state attacks even more difficult to protect from or predict,” he commented.

Russia has been accused of targeting Ukraine with numerous cyber-attacks in recent weeks, including forcing more than a dozen government websites offline.

NFT Wash Trading Made Scammers at Least $9m in 2021

Cyber-criminals are making and laundering millions through non-fungible tokens (NFTs), according to new data from Chainalysis.

NFTs are technically unique records on a blockchain that are each linked to a piece of digital content. They can be minted and sold by the content creator to investors, fans and collectors.

Their popularity soared last year, according to Chainalysis.

The Singapore-based blockchain investigations and analytics firm tracked $44.2bn worth of cryptocurrency sent to ERC-721 and ERC-1155 contracts – the two types of Ethereum smart contracts associated with NFT marketplaces and collections. That’s up from just $106m in 2020.

However, this surging market for NFTs also attracted fraudsters and cyber-criminals.

Chainalysis claimed that so-called “wash trading” made scammers $8.9m last year.

Wash trading refers to a situation in which a seller is on both sides of a trade in order to mislead potential buyers about an asset’s value and liquidity.

“In the case of NFT wash trading, the goal would be to make one’s NFT appear more valuable than it really is by ‘selling it’ to a new wallet the original owner also controls,” Chainalysis explained.

“In theory, this would be relatively easy with NFTs, as many NFT trading platforms allow users to trade by simply connecting their wallet to the platform, with no need to identify themselves.”

The firm’s analysis revealed 110 profitable NFT wash trades last year. However, the actual figure for this volume and the profits made from the scams may be much higher, as Chainalysis only looked at activity using Ethereum and wrapped Ethereum (wETH) currencies.
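Chainalysis describes the pattern (selling an NFT to a new wallet the original owner also controls) but the article does not say how such sales were identified. The Go program below is an added illustration, not Chainalysis code or methodology; it flags a sale when the buyer wallet was funded, directly or through a short chain of first-funding transfers, by the seller, or when buyer and seller share a funding ancestor that is not a known service address. The transfers, sales, addresses such as 0xA1 and the service address 0xEXCH are all constructed for the example, and the funding-chain walk generalizes the article’s one-hop “sell it to your own wallet” case to a few hops.

```go
package main

import "fmt"

// Transfer is a constructed, simplified on-chain value transfer; the slice is
// assumed to be in chronological order.
type Transfer struct{ From, To string }

// Sale is a constructed NFT marketplace sale with its nominal price in ETH.
type Sale struct {
	ID, Token, Seller, Buyer string
	Price                    float64
}

// Finding pairs a flagged sale with the reason it was flagged.
type Finding struct {
	Sale   Sale
	Reason string
}

// Constructed sample data (all addresses are invented). 0xEXCH stands in for an
// exchange hot wallet that funds many unrelated users and must not link them.
var SampleServiceAddrs = map[string]bool{"0xEXCH": true}

var SampleTransfers = []Transfer{
	{"0xEXCH", "0xF1"}, {"0xEXCH", "0xE0"},
	{"0xF1", "0xA1"}, {"0xA1", "0xA2"}, {"0xF1", "0xA3"}, {"0xE0", "0xB9"},
}

var SampleSales = []Sale{
	{"s1", "tokenA#1", "0xA1", "0xA2", 5},  // seller funded the buyer wallet
	{"s2", "tokenA#1", "0xA2", "0xA3", 8},  // buyer and seller both trace back to 0xF1
	{"s3", "tokenA#1", "0xA3", "0xB9", 12}, // genuine sale to an unrelated buyer
	{"s4", "tokenB#7", "0xB9", "0xA1", 3},  // genuine sale in the other direction
}

// firstFunder maps each address to the source of its first inbound transfer,
// the address that "opened" the wallet.
func firstFunder(transfers []Transfer) map[string]string {
	f := make(map[string]string)
	for _, t := range transfers {
		if _, seen := f[t.To]; !seen {
			f[t.To] = t.From
		}
	}
	return f
}

// ancestors walks addr's first-funder chain up to maxDepth hops and returns the
// addresses on it. The walk stops at known service addresses, since thousands
// of unrelated wallets share an exchange as their first funder.
func ancestors(funder map[string]string, addr string, maxDepth int, exclude map[string]bool) map[string]bool {
	out := make(map[string]bool)
	cur := addr
	for i := 0; i < maxDepth; i++ {
		next, ok := funder[cur]
		if !ok || exclude[next] {
			break
		}
		out[next] = true
		cur = next
	}
	return out
}

// DetectWashTrades flags sales whose buyer wallet was financed by the seller
// or shares a non-service funding ancestor with the seller.
func DetectWashTrades(transfers []Transfer, sales []Sale, exclude map[string]bool, maxDepth int) []Finding {
	funder := firstFunder(transfers)
	var findings []Finding
	for _, s := range sales {
		buyerAnc := ancestors(funder, s.Buyer, maxDepth, exclude)
		if buyerAnc[s.Seller] {
			findings = append(findings, Finding{s, "buyer wallet funded by seller"})
			continue
		}
		sellerAnc := ancestors(funder, s.Seller, maxDepth, exclude)
		for a := range sellerAnc {
			if buyerAnc[a] {
				findings = append(findings, Finding{s, "buyer and seller share funding source " + a})
				break
			}
		}
	}
	return findings
}

// WashVolume sums the nominal price of flagged sales, the amount a marketplace
// would need to discount from its reported trading volume.
func WashVolume(findings []Finding) float64 {
	total := 0.0
	for _, f := range findings {
		total += f.Sale.Price
	}
	return total
}

func main() {
	findings := DetectWashTrades(SampleTransfers, SampleSales, SampleServiceAddrs, 3)
	for _, f := range findings {
		fmt.Printf("%s %s %s -> %s %.1f ETH: %s\n", f.Sale.ID, f.Sale.Token, f.Sale.Seller, f.Sale.Buyer, f.Sale.Price, f.Reason)
	}
	fmt.Printf("flagged volume: %.1f ETH\n", WashVolume(findings))
}
```

The service-address exclusion is the part that matters in practice: without it, every wallet first funded from the same exchange would be linked to every other, and the heuristic would flag the whole market. The depth limit bounds the same effect for long funding chains.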

The firm urged NFT marketplaces to clamp down on such activity.

“NFT wash trading exists in a murky legal area. While wash trading is prohibited in conventional securities and futures, wash trading involving NFTs has yet to be the subject of an enforcement action,” it said.

“However, that could change as regulators shift focus and apply existing anti-fraud authorities to new NFT markets. More generally, wash trading in NFTs can create an unfair marketplace for those who purchase artificially inflated tokens, and its existence can undermine trust in the NFT ecosystem, inhibiting future growth.”

The report also revealed a growing trend of NFTs being purchased to launder illicit funds. In Q3 and Q4 2021, Chainalysis tracked $2.4m in funds sent to NFT marketplaces from “scam-associated addresses” and addresses linked to sanctions activity, such as Chatex.

Startups to watch for 2022

The problems cybersecurity startups attempt to solve are often a bit ahead of the mainstream. They can move faster than most established companies to fill gaps or emerging needs, and they can often innovate faster because they are unfettered by an installed base.

The downside, of course, is that startups often lack resources and maturity. It’s a risk for a company to commit to a startup’s product or platform, and it requires a different kind of customer/vendor relationship. The rewards, however, can be huge if it gives that company a competitive advantage or reduces stress on security resources.

Cyber-Attacks Hobble Some of Europe’s Largest Ports

Oil terminals in some of Europe’s biggest ports appear to have been disrupted by ransomware, according to reports.

A broker in the region told AFP that the attacks are disrupting the oil supply chain.

“There was a cyber-attack at various terminals, quite some terminals are disrupted,” Jelle Vreeman, senior broker at Riverlake in Rotterdam, told the newswire.

“Their software is being hijacked, and they can’t process barges. Basically, the operational system is down.”

The Amsterdam-Rotterdam-Antwerp oil hub, which spans ports across the Netherlands and Belgium, is believed to have borne the brunt of the attacks. AFP cited local Belgian reports that logistics and storage firm SEA-Tank Terminal is one of those impacted in Antwerp.

According to a separate report from The Associated Press, at least two energy companies in the Belgian ports of Antwerp and Ghent were hit by cyber-attacks, with the government’s Federal Computer Crime Unit opening an investigation.

This follows reports earlier this week that two German oil logistics firms were struck by ransomware: Oiltanking GmbH Group and Mabanaft Group.

Both companies were forced to declare force majeure, a legal clause used in emergencies when companies cannot fulfill their contractual obligations.

However, the head of Germany’s federal office for information security, Arne Schönbohm, is quoted as saying the incident is serious but “not grave.”

Anglo-Dutch oil giant Shell has already admitted it has been forced to reroute supplies due to the incident.

The news has uncomfortable echoes of the Colonial Pipeline attack in May 2021, which crippled oil supplies up and down the US east coast for days, leading to queues at gas stations.

This time the culprit, at least in the attacks in Germany, appears to be BlackCat (aka “alphv”), a relatively new ransomware-as-a-service variant.
