VERT’s Cybersecurity News Roundup for the week of March 28, 2022

All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of March 28, 2022. I’ve also included some comments on these stories.

Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability

Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system, reports The Hacker News. The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine.

Andrew Swoboda | Senior Security Researcher at Tripwire

Redis servers are subject to a code execution vulnerability. CVE-2022-0543 relates to a Lua sandbox escape bypass. To exploit this issue an attacker needs the ability to execute Lua scripts on a vulnerable system. This vulnerability has been used to fetch and execute botnet binaries. Once executed, an infected computer connects to an IRC server to receive commands.

FBI: 649 Ransomware Attacks Reported on Critical Infrastructure Organizations in 2021

The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) says it received 649 complaints of ransomware attacks targeting critical infrastructure organizations in 2021, noted Security Week. Ransomware attacks hit 14 out of 16 CNI sectors last year, with healthcare being impacted the most, the IC3 notes.

Dylan D’Silva | Security Researcher at Tripwire

Fourteen of the sixteen critical infrastructure sectors in the US last year were hit with ransomware. For those that are unaware of what they are, the sectors range from chemical to dams to healthcare, and energy and nuclear.

From a definition perspective, they include sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Canada has a very similar definition but ostensibly wants to achieve the same goal of protection. If anyone can remember the North American east coast blackout of August 2003 (which was caused by some physical issues as well as software issues (race conditions) and not a cyberthreat), think of potential damage on that scale, or worse if ransomware and cyberthreats continue to increase.

Of the 649 ransomware attacks, healthcare was the most targeted with 148 complaints received, followed by financial services and information technology. Critical manufacturing and government were also top targets. That averages out to 1.7 attacks per day, which highlights the need for resilience and the need to be continuously aware and monitor your environments.

With ransomware and other cyberattacks on CI increasing in complexity and sophistication year-over-year with no obvious sign of letting up, it’s important to leverage the available resources from CISA and/or the Government of Canada (or your respective government) to help protect and defend Critical Infrastructure. The NIST Cybersecurity Framework is also a great place to start, as it will lay the groundwork for a stronger cybersecurity IT/OT posture, while reducing attack surfaces and vectors.

Critically Exposed Web Apps Discovered Across Europe’s Top Chemical Manufacturers

New research has revealed the top chemical manufacturers in the EU all have concerning levels of vulnerabilities and weak spots in their attack surface. According to the 2022 Web Application Security for Manufacturers Report by Outpost24, 60% of European chemical manufacturers had vulnerabilities that are critically exposed and open to attacks, reports IT Security Guru.

Dylan D’Silva | Security Researcher at Tripwire

Researchers in the EU have found that 60% of European chemical manufacturers have vulnerabilities that are critically exposed and open to attack. This is an almost unbelievable number. Let’s look at some other numbers to get a better understanding and scope of the issue:

• A total of 22,507 internet exposed web applications across 6175 domains
• 16% (1 in 6) applications discovered are using outdated components with known vulnerabilities
  • 4% classified as being suspicious
  • 1% deemed dangerous
• 60% of the manufacturers studied were deemed to be critically exposed, putting them at a much higher risk of a cyberattack

Given the fact that chemical manufacturing is a part of critical infrastructure sectors of Europe, this is highly concerning as web apps are prime targets to gain an initial foothold to launch malware and ransomware. Doing a little digging, it looks like EPCIP (European Programme for the Critical Infrastructure Protection) was created in the mid-2000’s but tracking down what their recommended framework is for mitigation, detection, response etc. has been a bit tricky.

If we move the lens to focus on North America, it would be interesting to see what the numbers are here for chemical, but broadly across all sectors. For professionals in the OT Sector in the US, you can refer to CISA’s Cybersecurity Best Practices for Industrial Control Systems. CISA also offers Cybersecurity Assessment Services at no cost for Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations. They can conduct vulnerability scanning, web application scanning, phishing campaign assessment and remote penetration tests. See https://www.cisa.gov/cyber-hygiene-services.

For Canadian cybersecurity professionals in the CI Sectors, consider participating in the RRAP (Regional Resilience Assessment Program), which looks to be a 4-5 day assessment.

SonicWall Patches Critical Vulnerability in Firewall Appliances

Security Week reports that SonicWall has released patches for a critical-severity vulnerability in the web management interface of multiple firewall appliances. Tracked as CVE-2022-22274 (CVSS score of 9.4), the security flaw is described as a stack-based buffer overflow bug that impacts SonicOS.

Andrew Swoboda | Senior Security Researcher at Tripwire

SonicOS is subject to a stack-based buffer overflow. CVE-2022-22274 allows an attacker to be able to cause a denial of service or execute arbitrary code on the firewall. SonicWall has released patches to fix this vulnerability. Upgrade to 7.0.1-5051 or 6.5.4.4-44v-21-1519.

New Report on Okta Hack Reveals the Entire Episode LAPSUS$ Attack

An independent security researcher has shared a detailed timeline of events that transpired as the notorious LAPSUS$ extortion gang broke into a third-party provider linked to the cyber incident at Okta in late January 2022, reported Security Week on March 29.

Samantha Zeigler | Security Researcher at Tripwire

Articles like this are a good reminder that transparent security is the most effective way to establish trust with users. Breaches happen – so it’s important to keep those impacted by the breach in the loop so that they can ensure their system is safe as well. When a breach occurs, the threat can move through the layers of the system and impact a wider group.

RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn

The so-called ‘Spring4Shell’ bug has cropped up, so to speak, and could be lurking in any number of Java applications. Some researchers have noted that because of its ease of exploit and Java-based nature, it’s reminiscent of the Log4Shell vulnerability discovered in December, reports ThreatPost.

Dylan D’Silva | Security Researcher at Tripwire

A new RCE (Remote Code Execution) bug has been identified in the Spring application framework/Spring Cloud Function (built within Java) which could lead to an entire host being compromised. Currently affecting Spring Cloud Function versions 3.1.6 and 3.2.2 and older unsupported versions, users need to upgrade/patch to 3.1.7 and 3.2.3 respectively.

This vulnerability will have high impact, and far-reaching consequences as it’s an open-source microservices framework typically used in building enterprise-level applications and is used across multiple industries. What’s more is that Spring can be leveraged with Cloud serverless functions (Azure Serverless Functions, AWS Lambda and Google Cloud Functions), potentially leading to a compromise of your cloud infrastructure.

Researchers have discovered that it can be exploited over HTTP, with an attacker sending a specially crafted Spring Expression Language payload which uses a routing-expression to access local sources and obtain command execution on the host.

Recommendations from the Researchers

• Patch/upgrade as soon as possible, but ensure you have proper backups and roll-back strategies in place in case there are issues. Follow best practices of patching and vulnerability management.
• After patching, go back and inventory your systems to ensure a compromise hadn’t already occurred.
• Ensure there is documentation on, and understanding of, what packages are being used in your environment to build applications.

The last point speaks to vulnerability management. If there is no clear documentation as to what assets (hardware, software, cloud etc.) you have in your environment, how can there be any reasonable expectation of risk reduction? Simply put, if the organization doesn’t know what it has, how can you defend against a possible breach or attack?

Shutterfly Employee Data Compromised in Ransomware Attack

Photography and personalized products platform Shutterfly is notifying employees that some of their personal information was compromised in a ransomware attack in December 2021. Shutterfly operates numerous services and brands – such as BorrowLenses, GrooveBook, Lifetouch, Shutterfly, Snapfish, Spoonflower, and Tiny Prints – and helps users create cards, home décor, invitations, gifts, and more, noted Security Week on March 30.

Dylan D’Silva | Security Researcher at Tripwire

Another day, another reported breach. This time, it’s Shutterfly, the online photography and personalized products platform. In some senses, it might be considered odd or weird that a company like that would be the target of a breach and a ransomware attack, but the goal is typically to obtain as much sensitive data as possible (to be ransomed back or sold elsewhere). For those that don’t realize it, data is, by far, one of the most valuable resources in the world. Look at the top 10 richest/most valuable companies in the world; 5 of them are technology companies (I would also argue Tesla is a technology company first and an auto manufacturer second, but that’s a personal opinion).

Back to the breach at Shutterfly, let’s look at some key details that Shutterfly has disclosed:

• Portions of its networks were crippled with ransomware, affecting manufacturing and corporate systems.
• Attackers had access for about 10 days in early December 2021.
• PII information looks to have been stolen, including employment agreements, financial and payroll data, legal documents and more.
• While a specific ransomware hasn’t been named, the Conti gang claimed responsibility in January.
• One key piece sticks out to me RE: their network being infected. They noted that both their manufacturing and corporate systems were compromised. Without further details, I can only conclude that their network segmentation and architecture is/was not as strong as it should have been if attackers were able to gain a foothold in one network and be able to move and pivot to other, critical segments to cause more damage.

Recommendations

• Again, without further details on how the ransomware was deployed (i.e.: through phishing/malicious email, a vulnerability, etc.), it’s hard to say what areas need to be improved, but at minimum, Shutterfly might look at the NIST Cybersecurity Framework to develop/redevelop their cybersecurity posture. While it’s typically used in the Critical Infrastructure sectors, there’s a lot of best practices that can seamlessly transfer over.
• If the breach and ransomware attack occurred because of a vulnerability, Shutterfly should strongly consider implementing a vulnerability management program. This requires an asset inventory (hardware, software, cloud etc.) so the IT and Cybersecurity teams and continuously monitor, manage, and patch the assets as new vulnerabilities are discovered. This will help reduce the attack surface, the attack vectors and minimize the risk.

New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs

Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation, states Security Week.

Dylan D’Silva | Security Researcher at Tripwire

For those in the OT Sectors/Critical Infrastructure Sectors that use Rockwell PLCs (Programmable Logic Controllers), they will want to pay close attention. Two new vulnerabilities have been discovered that will allow attackers who have access to a victim’s system to make changes to the PLC Code, as well as modify automation processes without being detected.

One of the vulnerabilities affects a range of logic controllers, while the other affects the Studio 5000 Logix Designer programming software that typically runs on engineering workstations. It should go without saying, but I’ll say it anyway: Not patching and mitigating these flaws can have serious consequences.

The researchers that discovered these flaws liken them to the Stuxnet attacks from about a decade ago. In those attacks, a vulnerability was exploited to cause damage to Iran’s nuclear program, specifically damaging the centrifuges at the core of the uranium enrichment.

Digging a little deeper and reviewing the flaws, it targets the process of developing code and transferring to the PLC. This process consists of developing the code on an engineering workstation using the Studio 5000 software, compiling it to PLC-compatible binary code, and transferring that code from the engineering workstation to the PLC, where it will get executed. Where the attack comes into play is during the delivery of the binary code to the PLC; instead, it delivers malicious code, while the engineer is shown the legitimate code.

Recommendations for Mitigation

Follow Rockwell’s Risk Mitigation and Recommended User Actions, found here.  Note that they’ve also developed a tool that can detect hidden code running on a PLC.

Critical Bugs in Rockwell PLC Could Allow Hackers to Implant Malicious Code

Two new security vulnerabilities have been disclosed in Rockwell Automation’s programmable logic controllers (PLCs) and engineering workstation software that could be exploited by an attacker to inject malicious code on affected systems and stealthily modify automation processes, noted Security Week on March 30.

Andrew Swoboda | Senior Security Researcher at Tripwire

Rockwell Automation’s programmable logic controllers (PLCs) are subject to a code injection and modification of automation processes. These vulnerabilities are known as CVE-2022-1161 and CVE-2022-1159. CVE-2022-1161 allows attackers to inject code into separate memory locations. CVE-2022-1159 allows authenticated attackers to inject code into a program. Both of these vulnerabilities allow attackers to run arbitrary code on vulnerable systems.

Chrome Zero-Day from North Korea

North Korean hackers have been exploiting a zero-day in Chrome. The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or were set up for the express purpose of serving attack code on unsuspecting visitors.

Samantha Zeigler | Security Researcher at Tripwire

The zero-day Chrome vulnerability (CVE-2022-0609) was discovered earlier this year and is being actively exploited, states Schneier on Security. The exploit kit used with this vulnerability takes multiple steps and the attackers have done a good job of hiding what each phase does. The best way to protect yourself from this vulnerability is to update Google Chrome and Microsoft Edge Chromium if installed on a system.

Keep in Touch with Tripwire VERT

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.

Previous VERT Cybersecurity News Roundups