
380K Kubernetes API Servers Exposed to Public Internet

More than 380,000 Kubernetes API servers allow some kind of access to the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and broad attack surface for threat actors, researchers have found.

The Shadowserver Foundation discovered the access when it scanned the internet for Kubernetes API servers, of which there are more than 450,000, according to a blog post published this week.

Of the more than 450,000 Kubernetes API instances identified by Shadowserver, 381,645 responded with “200 OK,” researchers said. In all, Shadowserver found 454,729 Kubernetes API servers. The “open” API instances thus constitute nearly 84 percent of all instances that Shadowserver scanned.

Moreover, most of the accessible Kubernetes servers, 201,348, or nearly 53 percent, were found in the United States, according to the post.

While this response to the scan does not mean these servers are fully open or vulnerable to attacks, it does create a scenario in which the servers have an “unnecessarily exposed attack surface,” according to the post.

“This level of access was likely not intended,” researchers observed. The exposure also allows for information leakage on version and builds, they added.

Cloud Under Attack

The findings are troubling given that attackers already increasingly have been targeting Kubernetes cloud clusters as well as using them to launch other attacks against cloud services. Indeed, the cloud historically has suffered from rampant misconfiguration that continues to plague deployments, with Kubernetes being no exception.

In fact, Erfan Shadabi, cybersecurity expert with data-security firm comforte AG, said in an email to Threatpost that he was not surprised that the Shadowserver scan turned up so many Kubernetes servers exposed to the public internet.

“While [Kubernetes] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured.”

Open-Source Security Exposed

The findings also raise the perennial issue of how to build security into open-source systems that become ubiquitous as part of modern internet and cloud-based infrastructure, making an attack on them an attack on the myriad systems to which they are connected.

This issue was highlighted all-too-unfortunately in the case of the Log4Shell vulnerability in the ubiquitous Java logging library Apache Log4j that was discovered last December.

The flaw, which is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover, continues to be targeted by attackers. In fact, a recent report found millions of Java applications still vulnerable despite a patch being available for Log4Shell.

A particular Achilles heel of Kubernetes is that the data-security capabilities built into the platform are only at a “bare minimum,” protecting data at rest and data in motion, Shadabi said. In a cloud environment, this is a dangerous prospect.

“There’s no persistent protection of data itself, for example using industry accepted techniques like field-level tokenization,” he observed. “So if an ecosystem is compromised, it’s only a matter of time before the sensitive data being processed by it succumbs to a more insidious attack.”

Shadabi’s advice to organizations that use containers and Kubernetes in their production environments is to take securing Kubernetes as seriously as they do every other aspect of their IT infrastructure.

For its part, Shadowserver recommended that administrators who find a Kubernetes instance in their environment accessible from the internet should consider implementing authorization for access, or blocking it at the firewall level, to reduce the exposed attack surface.
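The exposure Shadowserver measured comes from the API server answering an unauthenticated request: by default, anonymous requests to paths such as /version are allowed and reveal the build, which is what a “200 OK” leaks. The following is an added example (not Shadowserver’s or the Kubernetes project’s code) that classifies what a request to your own API server endpoint reveals; the sample responses in the test are constructed, and the `probe` URL is a placeholder you supply.

```python
"""Classify what an unauthenticated GET /version on a Kubernetes API server reveals.

Added example for auditing your own cluster endpoint; not the scanner used by
Shadowserver. Sample responses used for testing are constructed.
"""
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class Exposure:
    level: str              # "open", "auth-required", "unreachable" or "unknown"
    version: Optional[str]  # gitVersion leaked by the server, if any
    detail: str


def classify(status: Optional[int], body: str) -> Exposure:
    """Map an HTTP status/body pair from /version to an exposure level.

    status is None when no HTTP answer came back (connection refused, timeout,
    filtered by a firewall). A 200 means anonymous requests are accepted: by
    default Kubernetes binds anonymous users to the system:public-info-viewer
    role, which permits /version and leaks the build string (gitVersion).
    """
    if status is None:
        return Exposure("unreachable", None,
                        "no HTTP answer: endpoint filtered or not listening")
    if status == 200:
        try:
            version = json.loads(body).get("gitVersion")
        except (ValueError, AttributeError):
            version = None
        return Exposure("open", version,
                        "anonymous access allowed; version and build leaked")
    if status in (401, 403):
        return Exposure("auth-required", None,
                        f"HTTP {status}: anonymous requests are rejected")
    return Exposure("unknown", None, f"unexpected HTTP {status}")


def probe(api_url: str, timeout: float = 5.0) -> Exposure:
    """Live check of one API server you administer, e.g. https://<host>:6443/version.

    Certificate verification is disabled only because most clusters use a private
    CA and this check needs nothing but the status code and version body.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(api_url, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")
    except (urllib.error.URLError, OSError):
        return classify(None, "")


if __name__ == "__main__":
    # Placeholder endpoint: replace with your own API server URL.
    print(probe("https://API-SERVER-PLACEHOLDER:6443/version"))
```

An "open" result on an internet-facing address is the condition the post describes; the remedy is the one Shadowserver gives, disabling anonymous access or filtering the endpoint at the firewall.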

Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang

The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations.

“Most of Wizard Spider’s efforts go into hacking European and U.S. businesses, with a special cracking tool used by some of their attackers to breach high-value targets,” Swiss cybersecurity company PRODAFT said in a new report shared with The Hacker News. “Some of the money they get is put back into the project to develop new tools and talent.”

Wizard Spider, also known as Gold Blackburn, is believed to operate out of Russia and refers to a financially motivated threat actor that’s been linked to the TrickBot botnet, a modular malware that was officially discontinued earlier this year in favor of improved malware such as BazarBackdoor.

That’s not all. The TrickBot operators have also extensively cooperated with Conti, another Russia-linked cybercrime group notorious for offering ransomware-as-a-service packages to its affiliates.

Gold Ulrick (aka Grim Spider), as the group in charge of the development and distribution of the Conti (previously Ryuk) ransomware is called, has historically leveraged initial access provided by TrickBot to deploy the ransomware against targeted networks.

“Gold Ulrick is comprised of some or all of the same operators as Gold Blackburn, the threat group responsible for the distribution of malware such as TrickBot, BazarLoader, and Beur Loader,” cybersecurity firm Secureworks notes in a profile of the cybercriminal syndicate.

Stating that the group is “capable of monetizing multiple aspects of its operations,” PRODAFT emphasized the adversary’s ability to expand its criminal enterprise, which it said is made possible by the gang’s “extraordinary profitability.”

Typical attack chains involving the group commence with spam campaigns that distribute malware such as Qakbot (aka QBot) and SystemBC, using them as launchpads to drop additional tools, including Cobalt Strike for lateral movement, before executing the locker software.

In addition to leveraging a wealth of utilities for credential theft and reconnaissance, Wizard Spider is known to use an exploitation toolkit that takes advantage of known security vulnerabilities such as Log4Shell to gain an initial foothold into victim networks.

Also put to use is a cracking station that hosts cracked hashes associated with domain credentials, Kerberos tickets, and KeePass files, among others.

What’s more, the group has invested in a custom VoIP setup wherein hired telephone operators cold-call non-responsive victims in a bid to put additional pressure and compel them into paying up after a ransomware attack.

This is not the first time the group has resorted to such a tactic. Last year, Microsoft detailed a BazarLoader campaign dubbed BazaCall that employed phony call centers to lure unsuspecting victims into installing ransomware on their systems.

“The group has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo,” the researchers said.

“It is responsible for an enormous quantity of spam on hundreds of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets.”

Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia.

Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).

“Elements of Cobalt Mirage activity have been reported as Phosphorus and TunnelVision,” Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

The threat actor is said to have conducted two different sets of intrusions, one of which relates to opportunistic ransomware attacks involving the use of legitimate tools like BitLocker and DiskCryptor for financial gain.

The second set of attacks is more targeted, carried out with the primary goal of securing access and gathering intelligence, while also deploying ransomware in select cases.

Initial access is gained by scanning for internet-facing servers vulnerable to highly publicized flaws in Fortinet appliances and Microsoft Exchange Server, dropping web shells on them, and using those web shells as a conduit to move laterally and activate the ransomware.

“The threat actors completed the attack with an unusual tactic of sending a ransom note to a local printer,” the researchers said. “The note includes a contact email address and Telegram account to discuss decryption and recovery.”

However, the exact means by which the full volume encryption feature is triggered remains unknown, Secureworks said, detailing a January 2022 attack against an unnamed U.S. philanthropic organization.

Another intrusion aimed at a U.S. local government network in mid-March 2022 is believed to have leveraged Log4Shell flaws in the target’s VMware Horizon infrastructure to conduct reconnaissance and network scanning operations.

“The January and March incidents typify the different styles of attacks conducted by Cobalt Mirage,” the researchers concluded.

“While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited.”

What's Changed for Cybersecurity in Banking and Finance: New Study

Cybersecurity in financial services is a complex picture. Not only has a range of new tech hit the industry in the last 5 years, but compliance requirements introduce another layer of difficulty to the lives of infosec teams in this sector. To add to this picture, the overall cybersecurity landscape has rapidly transformed, with ransomware attacks picking up speed and high-profile vulnerabilities hitting the headlines at an alarming pace.

VMware recently released the 5th annual installment of their Modern Bank Heists report, and the results show a changing landscape for cybersecurity in banking and finance. Here’s a closer look at what CISOs and security leaders in finance said about the security challenges they’re facing — and what they’re doing to solve them.

Destructive threats and ransomware attacks on banks are increasing

The stakes for cybersecurity are higher than ever at financial institutions, as threat actors are increasingly using more vicious tactics. Banks have seen an uptick in destructive cyberattacks — those that delete data, damage hard drives, disrupt network connections, or otherwise leave a trail of digital wreckage in their wake.

63% of financial institutions surveyed in the VMware report said they’ve seen an increase in these destructive attacks targeting their organization — that’s 17% more than said the same in last year’s version of the report.

At the same time, finance hasn’t been spared from the rise in ransomware attacks, which have also become increasingly disruptive. Nearly 3 out of 4 respondents to the survey said they’d been hit by at least one ransomware attack. What’s more, 63% of those ended up paying the ransom.

Supply chain security: No fun in the sun

Like ransomware, island hopping is also on the rise — and while that might sound like something to do on a beach vacation, that’s likely the last thing the phrase brings to mind for security pros at today’s financial institutions.

IT Pro describes island hopping attacks as “the process of undermining a company’s cyber defenses by going after its vulnerable partner network, rather than launching a direct attack.” The source points to the high-profile data breach that rocked big-box retailer Target in 2017. Hackers found an entry point to the company’s data not through its own servers, but those of Fazio Mechanical Services, a third-party vendor.

In the years since the Target breach, supply chain cybersecurity has become an even greater area of focus for security pros across industries, thanks to incidents like the SolarWinds breach and large-scale vulnerabilities like Log4Shell that reveal just how many interdependencies are out there. Now, threats in the software supply chain are becoming more apparent by the day.

VMware’s study found that 60% of security leaders in finance have seen an increase in island hopping attacks — 58% more than said the same last year. The uptick in threats originating from partners’ systems is clearly keeping security officers up at night: 87% said they’re concerned about the security posture of the service providers they rely on.

The proliferation of mobile and web applications associated with the rise of financial technology (fintech) may be exacerbating the problem. VMware notes API attacks are one of the primary methods of island hopping — and they found a whopping 94% of financial-industry security leaders have experienced an API attack through a fintech application, while 58% said they’ve seen an increase in application security incidents overall.

How financial institutions are improving cybersecurity

With attacks growing more dangerous and more frequent, security leaders in finance are doubling down on their efforts to protect their organizations. The majority of companies surveyed in VMware’s study said they planned a 20% to 30% boost to their cybersecurity budget in 2022. But what types of solutions are they investing in with that added cash?

The number 1 security investment for CISOs this year is extended detection and response (XDR), with 24% listing this as their top priority. Closely following were workload security at 22%, mobile security at 21%, threat intelligence at 15%, and managed detection and response (MDR) at 11%. In addition, 51% said they’re investing in threat hunting to help them stay ahead of the attackers.

Today’s threat landscape has grown difficult to navigate — especially when financial institutions are competing for candidates in a tight cybersecurity talent market. In the meantime, the financial industry has only grown more competitive, and the pace of innovation is at an all-time high. Having powerful, flexible tools that can streamline and automate security processes is essential to keep up with change. For banks and finance organizations to attain the level of visibility they need to innovate while keeping their systems protected, these tools are crucial.

Conti Ransomware Attack Spurs State of Emergency in Costa Rica

Costa Rican President Rodrigo Chaves declared a state of national cybersecurity emergency over the weekend following a financially motivated Conti ransomware attack against his administration that has hamstrung the government and economy of the Latin American nation.

The attack, attributed to the prolific Conti ransomware group, occurred three weeks ago, not long after Chaves took office; in fact, the state of emergency was one of his first decrees as president. The first government agency attacked was the Ministry of Finance, which has been without digital services since April 18, according to a published report.

Conti, a top-tier Russian-speaking ransomware group, is known as one of the most ruthless gangs in the game, with a take-no-prisoners approach specializing in double extortion, a method in which attackers threaten to expose stolen data or use it for future attacks if victims don’t pay by a deadline.

Conti acts on a ransomware-as-a-service (RaaS) model, with a vast network of affiliates and access brokers at its disposal to do its dirty work. The group also is known for targeting organizations for which attacks could have life-threatening consequences, such as hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.

The attack on Costa Rica could be a sign of more Conti activity to come, as the group posted a message on its news site to the Costa Rican government that the attack is merely a “demo version.” The group also said the attack was motivated solely by financial gain, while also expressing general political disgust, another signal of more government-directed attacks.

Next-Level Incident

The incident demonstrates how a cyber-attack can potentially be as serious as a military action or a natural disaster, especially when it affects a developing nation like Costa Rica, a security professional observed.

“Costa Rica’s state-of-emergency following an attack from Conti is an important rallying call to the rest of the world,” Silas Cutler, principal reverse engineer for security firm Stairwell, wrote in an e-mail to Threatpost. “While the emergency status may have a limited direct impact … it puts the severity of this breach into the same category as a natural disaster or military incident.”

The double-extortion aspect of not only Conti’s but also a number of other ransomware groups’ methods can also embolden more ransomware attacks, because most targeted organizations will pay rather than risk the leak of sensitive data, providing more incentive to threat actors, noted another security professional.

“It is a large reason why most victims are paying today,” observed Roger Grimes, data-driven defense evangelist for security firm KnowBe4, in an email to Threatpost.

Conti likely has every employee’s personal login credentials to any Costa Rican government site that they visited during the time the ransomware was active on the system before it locked files, which poses a big problem for citizens using government services online if Conti indeed has leaked the info, he said.

“If Costa Rica was hosting customer-facing websites in the compromised domains, like they likely were, their customers’ credentials–which are often reused on other sites and services the customers visit–are likely compromised, too,” Grimes said. “Not paying the ransom puts not only Costa Rica’s own services at risk, but those of their employees and customers.”

Indeed, last year the city of Tulsa, OK, put its citizens on alert for potential cyber fraud after Conti leaked some 18,000 city files, mostly police citations, on the dark web following a ransomware attack on the city’s government.

U.S. Offering Aid

To help prevent future attacks like the one on Costa Rica, the U.S. government said last week that it’s offering a hefty reward, up to $10 million, for information leading to the identification and/or location of any of Conti Group’s leaders. The U.S. also will offer up to $5 million for info that can lead to the arrest or conviction of anyone conspiring in a Conti ransomware attack.

To date, Conti has been responsible for hundreds of ransomware incidents over the past two years, with more than 1,000 victims paying more than $150 million to the group, according to the FBI. This gives Conti the dubious honor of being the costliest ransomware strain ever documented, according to the feds.

While authorities pursue Conti, governments can take a number of steps to prevent ransomware attacks, security professionals noted. One is to adopt a cultural change when it comes to cybersecurity, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.

Governments should shift their focus from the historic mentality of cyber-security as an “IT cost center” toward one that views it as “a culturally ingrained approach that identifies cybersecurity investment, both in tools and people, as a critical strategic defensive shield,” he said in an email to Threatpost.

“Until this changes, the problem of cyber-attack is going to get worse before it gets any better,” Clements said in an email to Threatpost.

Governments also can take proactive steps such as conducting perimeter reviews as a means of mitigating some of the methods Conti-affiliated access brokers use to infiltrate systems, Cutler suggested. This can better secure their perimeters and allow them to react faster to attacks.

However, even this “will not fully prevent these types of attacks” given the network of affiliates and access brokers that RaaS groups like Conti have at their disposal to breach systems, he said.

Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers to potentially take control of them, researchers have found.

Researchers at Nozomi Networks Labs discovered the flaw affecting the implementation of DNS in all versions of uClibc and uClibc-ng, popular C standard libraries found in numerous IoT products, they revealed in a blog post this week.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Nozomi’s Giannis Tsaraias and Andrea Palanca wrote in the post.

In a DNS poisoning attack, also known as DNS spoofing or DNS cache poisoning, an attacker deceives a DNS client into accepting a forged response. This forces a program to perform network communications with an arbitrarily defined endpoint instead of the legitimate one.

Numerous Affected Devices

The scope of the flaw is vast, as major vendors such as Linksys, Netgear and Axis, as well as Linux distributions such as Embedded Gentoo, use uClibc in their devices. Meanwhile, uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers deployed throughout various critical infrastructure sectors, researchers said. Specific devices impacted by the bug were not disclosed as part of this research.

Moreover, if an attacker mounts a successful DNS poisoning attack on an affected device, they also can perform a subsequent man-in-the-middle attack, because by poisoning DNS records they can re-route network communications to a server under their control, researchers said.

“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” researchers wrote. “The main issue here is how DNS poisoning attacks can force an authenticated response.”

Researchers are currently working with the maintainer of the uClibc library to develop a fix for the vulnerability, which remains unpatched, they said. Because of this, Nozomi researchers have declined to disclose details of the device on which they reproduced the flaw, to keep attackers at bay.

DNS as a Target

News of the DNS vulnerability brings reminders of last year’s Log4Shell flaw, which sent ripples of concern within the cybersecurity community when it was discovered in December because of its scope. The flaw affects the ubiquitous open-source Apache Log4j framework—found in countless Java apps used across the internet. In fact, a recent report found that the flaw continues to put millions of Java apps at risk, though a patch exists for the flaw.

Though it affects a different set of targets, the DNS flaw also has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP, researchers said.

DNS is a hierarchical database that serves the integral purpose of translating a domain name into its related IP address. To distinguish the responses to different DNS requests, beyond the usual 5-tuple (source IP, source port, destination IP, destination port, protocol) and the query itself, each DNS request includes a parameter called the “transaction ID.”

The transaction ID is a unique number per request, generated by the client and added to each request sent. It must be echoed in a DNS response for the client to accept that response as the valid one for the request, researchers noted.

“Because of its relevance, DNS can be a valuable target for attackers,” they observed.

The Vulnerability and Exploitation

Researchers discovered the flaw while reviewing the trace of DNS requests performed by an IoT device, they said. They noticed something abnormal in the pattern of DNS requests from the output of Wireshark. The transaction ID of the request was at first incremental, then reset to the value 0x2, then was incremental again.

“While debugging the related executable, trying to understand the root cause, we eventually noticed that the code responsible for performing the DNS requests was not part of the instructions of the executable itself, but was part of the C standard library in use, namely uClibc 0.9.33.2,” they explained.

Researchers performed a source code review and found that the uClibc library implements DNS requests by calling the internal “__dns_lookup” function, which is located in the source file “/libc/inet/resolv.c.”

Eventually they traced the anomaly in the DNS request pattern to specific lines of code in the library, lines #1240, #1260, #1309, #1321 and #1335, which make the transaction ID predictable, researchers said.

With the transaction ID predictable, an attacker would need only to craft a DNS response that contains the correct source port, and win the race against the legitimate response incoming from the DNS server, to exploit the flaw, researchers said.

“It is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port,” they explained.

Exploitation also depends on how the OS randomizes the source port: if the port is randomized, an attacker would have to brute-force the 16-bit source port value by sending multiple DNS responses while simultaneously beating the legitimate DNS response, researchers added.
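The tell-tale sign Nozomi saw in the Wireshark trace, transaction IDs counting up, resetting to 0x2 and counting up again, can be checked for in your own device captures. The following is an added example (not Nozomi’s tooling, nor uClibc code) that extracts the 16-bit transaction ID from raw DNS query packets, flags a sequential pattern, and sizes the guessing space an attacker would face for each combination of predictable transaction ID and source-port randomization, as the article reasons; the packets below are constructed.

```python
"""Detect sequential DNS transaction IDs of the kind Nozomi attributed to uClibc.

Added example, not from the original research or the library. The DNS queries
fed to it here are constructed; in practice feed it the UDP payloads of a device's
outbound port-53 traffic (e.g. exported from a pcap).
"""
import struct


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Construct a minimal DNS A query: 12-byte header followed by one question."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def transaction_id(packet: bytes) -> int:
    """The transaction ID is the first big-endian 16-bit field of the DNS header."""
    return struct.unpack(">H", packet[:2])[0]


def analyse_txids(txids, threshold: float = 0.8) -> dict:
    """Score a sequence of transaction IDs for predictability.

    increments: consecutive pairs that differ by exactly +1
    resets:     a drop in value that is immediately followed by +1 stepping
                (the "reset to 0x2, then incremental again" pattern)
    predictable: True when nearly every step is +1 or a reset
    """
    increments = resets = 0
    for i in range(1, len(txids)):
        if txids[i] == txids[i - 1] + 1:
            increments += 1
        elif (txids[i] < txids[i - 1] and i + 1 < len(txids)
              and txids[i + 1] == txids[i] + 1):
            resets += 1
    steps = len(txids) - 1
    predictable = steps > 0 and (increments + resets) / steps >= threshold
    return {"increments": increments, "resets": resets, "predictable": predictable}


def audit(packets) -> dict:
    """Run the transaction-ID check over raw DNS query packets from one client."""
    result = analyse_txids([transaction_id(p) for p in packets])
    result["sample"] = [hex(transaction_id(p)) for p in packets[:12]]
    return result


def guesses_needed(txid_predictable: bool, port_randomized: bool) -> int:
    """Size of the space a forged response must cover to be accepted.

    Predictable ID on a fixed port: 1 guess. Predictable ID with randomized
    ports: the 16-bit port (65,536). Random ID and random port: 2**32.
    """
    bits = (0 if txid_predictable else 16) + (16 if port_randomized else 0)
    return 2 ** bits


if __name__ == "__main__":
    # Constructed trace mirroring the observed pattern: count up, reset to 0x2, count up.
    trace = [build_query(t) for t in (5, 6, 7, 8, 9, 2, 3, 4, 5, 6)]
    print(audit(trace))
    for tid_pred, port_rand in ((True, False), (True, True), (False, True)):
        print(tid_pred, port_rand, guesses_needed(tid_pred, port_rand))
```

A "predictable" verdict on a device's traffic is a reason to confirm which libc it ships and to apply the network-level measures the vendor recommends until a fix is available.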

Mitigation

Because the bug remains unpatched on millions of IoT devices, researchers explained, Nozomi is not disclosing the specific devices vulnerable to attack. In the interim, Nozomi Networks recommends that network administrators increase their network visibility and security in both IT and operational technology (OT) environments.

“This vulnerability remains unpatched, however we are working with the maintainer of the library and the broader community in support of finding a solution,” they wrote.

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.

“This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArPot.sys),” Trend Micro researchers Christopher Ordonez and Alvin Nieto said in a Monday analysis.

“In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using an Nmap NSE script.”

AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.

A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.

Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.

Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.

The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho’s ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.

“The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands,” the researchers explained.

This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.

Some of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.

The batch script, for its part, is equipped with a wide range of capabilities that allow it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe-boot execution of security products, creating a new admin account, and launching the ransomware binary.

Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with various security solutions by weaponizing a now-fixed vulnerability in the driver that the Czech company resolved in June 2021.

“The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege),” the researchers pointed out. “This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice.”