Cybersecurity Snapshot: Study Raises Open Source Security Red Flags, as Cyber Agencies Offer Prevention Tips Against Telecom Spying Attacks

Don’t miss the Linux Foundation’s deep dive into open source software security. Plus, cyber agencies warn about China-backed cyber espionage campaign targeting telecom data. Meanwhile, a study shows the weight of security considerations in generative AI projects. And get the latest on ransomware trends, financial cybercrime and critical infrastructure security.

Dive into six things that are top of mind for the week ending Dec. 6.

1 - Study: Security of open source software projects must improve

Improperly secured developer accounts. Lack of a standard naming schema for software components. The persistence of legacy software.

Those three issues put the reliability and security of free and open source software (FOSS) at risk, a new Linux Foundation study has found. 

Published this week, “Census III of Free and Open Source Software — Application Libraries” is based on about 12 million observations of FOSS at 10,000-plus companies. Its aim: to provide a better understanding of FOSS use and security challenges, given FOSS’ widespread adoption globally.

“Our goal is to not only provide an updated list of the most widely used FOSS, but to also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem,” the study reads.

Data sharing, coordination and investment are keys to preserving the value of FOSS, which has become critical for the digital economy, the authors wrote.

Here are more details about the three key security issues identified in the study:

• To conduct their FOSS work, developers often use individual accounts, which typically lack the security protections of organizational accounts. Hosting FOSS projects under individual developer accounts creates multiple risks, such as making it easier for hackers to breach individual computing environments and tamper with FOSS code.
• A lot of legacy FOSS software still exists that isn’t being maintained nor updated, which makes the software more vulnerable to attacks.
• The FOSS ecosystem needs a standardized schema for naming software components, a key issue for supply chain security. “Until one is widely used, strategies for software security, transparency and more will have limited effect,” the study reads.

For more information about open source security:

• “Concise Guide for Developing More Secure Software” (Open Source Security Foundation)
• “OWASP Top 10 Risks for Open Source Software” (OWASP)
• “CISA Open Source Software Security Roadmap” (CISA)
• “Seven ways to secure open-source software” (SC World)
• “Is Open Source a Threat to National Security?” (InformationWeek)

2 - How to protect comms infrastructure from China-backed Salt Typhoon hackers

Security teams in charge of defending networks and communications infrastructure should take steps to prevent attacks from China-affiliated hackers that have recently compromised the networks of major global telecom providers.

So said cyber agencies from Australia, Canada, New Zealand and the U.S. this week in a joint document that offers network and communications-infrastructure engineers recommendations for strengthening network visibility and hardening systems.

The silver lining: The cyberattackers are exploiting known, existing weaknesses in their victims’ infrastructure. “No novel activity has been observed,” reads the publication, titled “Enhanced Visibility and Hardening Guidance for Communications Infrastructure.”

“Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity,” the document adds.

These are some of the recommendations for defenders of networks and communications systems.

• To enhance visibility
  • Adopt alerting mechanisms to detect unauthorized changes to the network and configuration modifications to network devices.
  • Monitor anomalous logins into user and service accounts, and disable inactive accounts.
  • Implement a centralized logging system that can analyze data from multiple sources.
• To harden systems and devices
  • Implement strong network segmentation.
  • Adopt an access control list (ACL) strategy that denies access to the network by default, and log all denied traffic.
  • Disconnect unneeded internet-facing infrastructure and monitor the infrastructure that does need to be exposed to the internet.

The joint document doesn’t name the hacking group. However, The Wall Street Journal identified it as Salt Typhoon when, citing anonymous sources, it reported in September that the group had breached several U.S. telecoms, including Verizon and AT&T. 

Salt Typhoon’s main goal is reportedly to carry out cyber espionage activities on behalf of the Chinese government. Salt Typhoon’s cyber espionage campaign is “ongoing” and authorities feel there is still much to be discovered about it, a Cybersecurity and Infrastructure Security Agency (CISA) official told reporters this week.

“We cannot say with certainty that the adversary has been evicted,” CISA official Jeff Greene said during a press call, as quoted by Politico. According to NBC News, Greene also recommended that Americans use encrypted messaging apps to protect themselves from Salt Typhoon.

Last month, CISA and the FBI described the Chinese-government backed cyber espionage campaign as “broad and significant,” resulting in the theft of customer call records data; the compromise of private communications of government officials and politicians; and the copying of law enforcement information related to wiretap requests.

For more information about Salt Typhoon and its ongoing cyber espionage campaign:

• “Salt Typhoon's surge extends far beyond US telcos” (The Register)
• “Chinese hackers breached T-Mobile's routers to scope out network” (Bleeping Computer)
• “Telcos struggle to boot Chinese hackers from networks” (Axios)
• “China's 'Salt Typhoon' Hackers Breached US Networks Using Existing Flaws” (PCMag)
• “Salt Typhoon Builds Out Malware Arsenal With GhostSpider” (Dark Reading)

3 - Survey: Security a key element in GenAI projects

As organizations deepen their generative AI use, security and data protection considerations feature prominently in their plans — including whether to build their own generative AI infrastructure.

That’s according to the Linux Foundation’s “Shaping the Future of Generative AI” report, which polled 316 respondents familiar with their organizations’ generative AI adoption. 

“Security remains a cornerstone of this transformation. As organizations embrace GenAI, safeguarding sensitive data and ensuring compliance with industry standards have become critical imperatives,” reads an Open Source Security Foundation blog about the report.

Among organizations deploying their own generative AI infrastructure, security and data control ranked as the top motivation for doing so. Three other data security priorities — data sovereignty; privacy; and intellectual property protection — ranked third, fifth and eighth, respectively.

^{(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)}

Meanwhile, respondents, who were based primarily in the Americas, Europe and Asia-Pacific, ranked security as the second most important criteria when choosing a generative AI model or tool, with privacy and regulatory compliance ranking fourth and fifth, respectively.

^{(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)}

Furthermore, respondents, who included executives, developers, consultants, data scientists and operations staffers, also ranked security and data protection risks high when asked about their concerns when adopting generative AI models and tools.

^{(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)}

For more information about AI security, check out these Tenable blogs:

• “AI Security Roundup: Best Practices, Research and Insights”
• “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
• “Never Trust User Inputs — And AI Isn't an Exception: A Security-First Approach”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Do You Think You Have No AI Exposures? Think Again”

4 - CISA finds gaps in critical infrastructure org’s network, shares lessons learned

Here’s a report that cyber teams at critical infrastructure organizations will likely find useful and informative.

The topic: How CISA’s red team breached a critical infrastructure organization’s IT network and then compromised a domain controller and a human machine interface (HMI), which served as an operational technology (OT) dashboard.

The unnamed organization requested that CISA conduct the red team assessment (RTA), in which CISA acted like a cyberattacker to probe the organization’s cybersecurity detection and response processes and procedures.

In broad strokes, here are some of the ways in which CISA’s red team circumvented the critical infrastructure organization’s cyber defenses:

• After failing to gain initial success via spearphishing, CISA’s red team hit pay dirt when it discovered a web shell left on a Linux web server by mistake.
• Using the web shell, CISA’s red team ran arbitrary commands on the Linux web server and moved laterally into the internal network. 
• Using valid accounts, it compromised the organization’s domain and several sensitive business systems.
• Eventually, CISA’s team compromised a Windows domain controller, which allowed it to move laterally to all Windows hosts. 
• With persistent access to Linux and Windows systems across the organization’s networks, CISA’s red team probed further, accessing, among other assets, the HMI OT dashboard.

Timeline of CISA's red team cyberthreat activity

^{(Source: CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization,” November 2024)}

Key findings include:

• The organization didn’t properly block access from the perimeter network to the internal network.
• The organization relied too much on host-based tools, while lacking sufficient network-layer protections.
• Multiple systems were insecurely configured.
• The organization failed to review security alerts that were triggered by the red team’s actions.
• Identity management was poor.
• The organization used software that is known to be insecure and outdated.

Some of CISA’s mitigation recommendations for cybersecurity teams are:

• Adopt the principle of least privilege, segment the perimeter network, and adopt firewalls, access control lists and intrusion prevention systems.
• Tune network appliances to detect anomalous behavior, and limit the use of admin tools.
• Harden system configuration by, for example, removing “unconstrained delegation” functionality from all servers.
• Keep systems and software up to date.
• Adopt a centralized identity and access management system.
• Prohibit the storage of passwords in plaintext.

To get all the details, read CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization.”

To learn more about securing OT systems in critical infrastructure environments, check out these Tenable resources:

• “CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?” (blog)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)
• “Operational Technology (OT) Security: How to Reduce Cyber Risk When IT and OT Converge” (guide)
• “5 Key OT Security Use Cases For The DoD: Safeguarding OT Networks and Cyber-Physical Systems” (white paper)
• “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)

5 - Report: VPNs were weakest link in Q3 ransomware attacks

Here’s a stat to remind your organization to make sure its virtual private network (VPN) system is configured correctly, has no vulnerabilities and is up to date: Almost 30% of ransomware attacks in the third quarter compromised insecure VPNs to gain initial access, sharply up from about 5% in the second quarter.

That’s according to Corvus Insurance’s “Q3 2024 Cyber Threat Report,” which said many of the ransomware attacks in Q3 leveraged outdated VPN software and poorly protected VPN gateways. 

Specifically, organizations shouldn’t allow the use of common usernames and weak passwords in their VPN user accounts, and should protect them with multi-factor authentication. 

“The persistence of weak credentials and lack of multi-factor authentication on VPN gateways has facilitated these attacks, making secure access controls crucial for mitigating threats,” reads the report.

The Corvus ransomware report also found that five ransomware groups — RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International — accounted for 40% of all attacks. However, the ransomware ecosystem remains diverse, with almost 60 groups active during the third quarter, which makes the threat landscape more complex for cyber teams to manage.

For more information about ransomware prevention:

• “How Can I Protect Against Ransomware?” (CISA)
• “Best practices for protection from ransomware in cloud storage” (TechTarget)
• “Steps to Help Prevent & Limit the Impact of Ransomware (Center for Internet Security)
• “Mitigating malware and ransomware attacks” (UK National Cyber Security Centre)
• “Preventing Ransomware Attacks at Scale” (Harvard Business Review)

VIDEO

Ultimate Guide to Ransomware for Businesses (TechTarget)

6 - Interpol tackles financial cybercrime with thousands of arrests

A five-month Interpol operation led by South Korea has led to the arrest of 5,500-plus suspected financial cybercriminals and to the seizure of more than $400 million in assets.

With Operation HAECHI, Interpol and law enforcement partners from 40 countries went after cyber crooks involved in a variety of financial scams, including:

• voice phishing
• romance scams
• investment fraud
• e-commerce fraud

International collaboration is key to fighting financial cybercrime, which has devastating effects on its victims, Interpol Secretary General Valdecy Urquiza said in a statement.

“It’s only through united efforts that we can make the real and digital worlds safer,” he said.