VERT’s Cybersecurity News for the Week of April 4, 2022
All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of April 4, 2022. I’ve also included some comments on these stories.
Borat RAT, a new RAT that performs ransomware and DDoS attacks
Cyble researchers discovered a new remote access trojan (RAT) named Borat which enables operators to gain full access to and remote control of an infected system. Bad actors can now expand their nefarious capabilities by launching ransomware and DDoS attacks, Security Affairs reports.
DYLAN D’SILVA | Security Researcher at Tripwire
A new type of RAT (Remote Access Trojan) offers expanded capabilities to attackers, including ransomware and DDoS attacks. For those that are unfamiliar with the term RAT, it is a remote access tool that provides a 3rd party access to your computer, with almost complete control over the operating system.
Researchers have found that the new Borat RAT has a modular structure, providing a level of customization for the attacker to deploy specific functionality, including:
- Keylogger
- Ransomware
- DDoS
- Audio & Webcam Recording
- Remote Desktop
- Credential System
RATs and other types of malware are typically delivered through malicious links and attachments in emails, or through file downloads from unfamiliar and/or unknown websites.
Defensive Recommendations and Strategies
- Be aware and cognizant of all emails you receive. While most companies will have their junk mail and spam traps setup, it may not catch everything. If you receive an unexpected email from someone outside your company with links and/or attachments, be wary as you review, and do not click any links or attachments. If unsure, delete the email (also from your Deleted Items). If your company employs a way to report phishing and/or suspicious emails, report it, so that the appropriate teams can take action.
- For System Admins and Cybersecurity professionals, ensure there is anti-virus and/or anti-malware programs running and up to date.
- Ensure there is a back-up strategy in place for important/sensitive/critical data so if a system(s) becomes infected that cannot be cleaned, there is way to restore data from a known good backup.
- Ensure there is proper network architecture and segmentation, especially for those in the Critical Infrastructure sectors. This can help limit the damage if systems do become infected.
- For IT/Cybersecurity and the general leadership, consider on-going education with respect to best practices in all thing’s cybersecurity. Highlight the need to do so, underscoring the importance of why.
- Implement a vulnerability management program, which includes proactive asset documentation. If you don’t know all the software, hardware, and cloud services you have, how can you expect to keep your company safe? Vulnerability management will help inventory those assets and help identify out of date hardware and software. Not patching these potentially presents easy entry points into your systems.
- Develop an incident response plan (if you don’t already have one), and ensure it is practiced regularly to remove any kinks or problems that may arise during an actual incident.
Bank had no firewall license, intrusion or phishing protection – guess the rest
An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees, noted The Register.
DYLAN D’SILVA | Security Researcher at Tripwire
I think the consensus would be that a bank is a safe place to put your money. The assumption would be that said bank would employ proper safety measures to ensure yours (and everyone else’s money is safe), both physically and digitally. Unfortunately, this was not the case for a bank in India, where over $1M in customer funds were stolen. Let’s look to see how they did it:
- The attackers sent over 200 phishing emails, with one of them being successful, resulting in the installation of a RAT (remote access trojan).
- VLANs and proper network segmentation were not used (it looks to be that they had a very flat network), allowing the attackers to pivot and access with ease, including accessing core banking applications.
- The bank allowed multiple super-users, sometimes with the same password. This allowed the attackers to gain access to critical databases containing customer information and account balances.
- The attackers created new bank accounts and transferred over $1M in customer funds to those accounts as well as to other financial institutions. From there, they made withdrawals at 900+ ATMs.
- One other large issue is that the bank did not have a valid license on their firewall, meaning any built-in IDS/IPS on that firewall would not have worked, or if it did, it did so in a limited capacity.
The article notes that this issue is not necessarily surprising, as enterprise hardware and software is typically priced for the Western market, so other users may find this cost prohibitive and choose to go forward without it.
Thoughts and Recommendations
I can’t speak with any authority on the required policies/regulations/checks that would be required for a bank/banking system, especially in a foreign country, but I can suggest that there be regular oversight and multiple checks and balances done to ensure the safety and security of people’s money. Taking a more narrowed focus on the technology and cybersecurity aspect, best practices apply no matter what country you are in:
- Having proper network architecture, segmentation and VLANs is an absolute must.
- Limiting the number of super-users/admins, ensuring the accounts are properly secured.
- Enabling multi-factor authentication.
- Employing both ‘Defense in Depth’ and ‘Zero Trust’ strategies.
- Having licensed and patched hardware and software; employ a vulnerability management strategy and program.
- Provide on-going user education and training so employees can spot a phishing attempt.
- Leverage existing cybersecurity frameworks to build and inform the technology and cybersecurity strategy.
I’m acutely aware that all these things take time, money, and resources to implement, with continual effort and reinvestment being required, but deciding not to do things the right way will have a much greater impact both financially and reputationally. Simply put, if you were deciding which bank to do business with, would you pick the one that you knew had been hacked?
GitHub now scans for secret leaks in developer workflows
GitHub has introduced a new scanning feature for protecting developers from accidental secret leaks, announced ZDNet. On April 4, the Microsoft-owned code repository said the GitHub Advanced Security suite had now been upgraded with a new push protection feature to prevent the leak of secrets that could compromise organization-owned projects.
Andrew Swoboda | Senior Security Researcher at Tripwire
GitHub Advanced Security suite has been updated to search for secrets and other known indicators to prevent the leak of secrets. A scan searches for patterns that are highly identifiable. A total of 69 patterns are available to check. Tokens for prevalent web services like Amazon, AWS, Azure, and more are included. GitHub estimates that there have been over 700 000 secrets that have been detected.
This tool adds another layer of defense to preventing secrets from being exposed. Developers have been known to include secrets in their code, but they forget to pull secrets before pushing code to GitHub. This adds another step to the process, but provides the benefit of locating potential secrets.
GitLab Patches Critical Account Takeover Vulnerability
DevOps platform GitLab has reset the passwords of some user accounts after addressing a critical account takeover (ATO) vulnerability, noted Security Week on April 4th. According to the company, in GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 14.7.7, 14.8.5, and 14.9.2, a hardcoded password was set when the account was registered using an OmniAuth provider.
Andrew Swoboda | Senior Security Researcher at Tripwire
GitLab was subject to an account takeover vulnerability. GitLab Community Edition and Enterprise Edition prior to 14.7.7, 14.8.5, and 14.9.2 are vulnerable to a hardcoded password set at registration. GitLab has released a script for administrators to determine which accounts were affected by CVE-2022-1162.
GitLab has released a fix that fixed this issue and CVE-2022-1175 and CVE-2022-1190.
Experts discovered 15-Year-Old vulnerabilities in the PEAR PHP repository
Security Week reported that researchers from SonarSource discovered two 15-year-old security flaws in the PEAR (PHP Extension and Application Repository) repository that could have enabled supply chain attacks. “An attacker exploiting the first one could take over any developer account and publish malicious releases, while the second bug would allow the attacker to gain persistent access to the central PEAR server,” the company announced.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
The PEAR PHP repository was subject to a potential supply chain attack. An attacker with low skill level could have exploited this issue. The first bug could have allowed an attacker to take over any developer account and publish malicious code. This flaw was in the mt_rand() PHP function which allowed attackers to discover valid password reset tokens. The second bug could have allowed an attacker to gain persistent access to the central PEAR server. This flaw was in Archive_Tar which was using version 1.4.7 that was vulnerable to CVE-2020-36193.
Nearly 40% of Macs Left Exposed to 2 Zero-Day Exploits
Dark Reading notes that between 35% and 40% of all supported Macs might be at heightened risk of compromise from two zero-day vulnerabilities not yet issued a patch, but that Apple has said are being exploited in the wild. According to one security vendor, Apple’s emergency fixes last week for two actively exploited vulnerabilities neglected previous Big Sur and Catalina versions of macOS.
DYLAN D’SILVA | Security Researcher at Tripwire
This article left me wondering why Apple would leave nearly 40% of Macs exposed to two new zero-day exploits.
My initial thought was that it’s marked departure from standard practice (in my opinion) to not continue to patch OS/Software that continues to be within their supported lifecycle, which is typically a rolling three-year period. Looking back at other recent vulnerabilities, Apple has issued patches for all three OS’.
In the case of the two new zero-days, which look to allow arbitrary code execution with kernel privileges, as well as be able to read kernel memory, Apple has released a patch for macOS Monterey 12.3.1, but have yet to address it in the two preceding OS’, Big Sur and Catalina. I should note here that these flaws also impact iOS and iPadOS operating systems.
It’s also important to note that these two zero-days are being actively exploited in the wild, so patching machines that are vulnerable should remain a priority focus and not fall off the radar of those whohave responsibility for vulnerability management within their organization. Without patches for Big Sur and Catalina available, the only current way I see for this to be addressed is for users to upgrade to Monterey, which may or may not be feasible for a number of business reasons.
If your organization does not have a Vulnerability Management program/practice in place, I ask, what are you waiting for? Vulnerability Management is a key strategic defense in reducing risk to your business, users, data etc. Let’s quickly look at some numbers for perspective, which I believe will help sway organizations that don’t have a VM program in place (amongst all the other key risk reduction strategies)
There are great, free resources available to help build your cybersecurity defenses and strategies, which include the NIST Cybersecurity Framework, CISA’s Cyber Resilience Review, CISA’s Cyber Hygiene Services and for Canadians in the CI Sectors, the Regional Resilience Assessment Program.
Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug
American cybersecurity company Palo Alto Networks warned customers on Wednesday that some of its firewall, VPN, and XDR products are vulnerable to a high severity OpenSSL infinite loop bug disclosed three weeks ago, Bleeping Computer announced. Threat actors can exploit this security vulnerability (tracked as CVE-2022-0778) to trigger a denial of service state and remotely crash devices running unpatched software.
ANDREW SWOBODA | Senior Security Researcher at Tripwire
Palo Alto Networks firewall, VPN, XDR products are subject to an OpenSSL infinite loop vulnerability (CVE-2022-0778). To exploit this issue an attacker needs to specially craft a certificate to contain invalid elliptic parameters. Any product that is vulnerable should be upgraded to the latest version of the product that has the fix released.
VMware warns of critical vulnerabilities in multiple products
VMware has warned customers to immediately patch critical vulnerabilities in multiple products that threat actors could use to launch remote code execution attacks, reported Bleeping Computer on April 6. “This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011,” the company warned.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
A number of critical security vulnerabilities were recently released pertaining to VMWare products. These vulnerabilities impact VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The vulnerable products are at risk of remote code execution on the systems – making them a critical risk for most setups. The most effective way to keep a system safe is to patch it as recommended by VMware. They also have some workarounds available for those unable to patch – but recommend patching as soon as feasible to protect the users’ systems.
A cyberattack forced the wind turbine manufacturer Nordex Group to shut down some of IT systems
According to Security Affairs, Nordex Group, one of the largest manufacturers of wind turbines, was hit by a cyberattack that forced the company to take down part of its infrastructure. The company shut down “IT systems across multiple locations and business units” as a precautionary measure to prevent the threat from spreading across its networks.
DYLAN D’SILVA | Security Researcher at Tripwire
Another Critical Infrastructure manufacturer has been attacked. One of the world’s largest manufacturers of wind turbines, Nordex Group has reported they were a victim of a cyberattack on March 31st 2022, forcing them to take systems offline.
Per their report, the intrusion was in its early stages. It looks like they took the necessary precautions, including shutting down IT Systems across multiple lines of business, while in tandem following their incident response procedures, which is great to see. Based on how they’ve reported and framed the situation, it appears like they were a victim of a ransomware attack.
Two pieces stick out to me here (in a proactive, good way):
- The company openly disclosed that a cyber incident had occurred, quite soon after an attack.
- They reported that they followed their incident response protocols. If one was to guess, I would hope they are using the NIST Cybersecurity Framework, or an equivalent thereof, such has EPCIP, the European Programme for Critical Infrastructure Protection (EPCIP), which sets out a European-level all-hazards framework for critical infrastructure protection (CIP).
Without publicly disclosing how they were breached, it’s impossible to recommend specific remediations. I’m sure as a part of their internal debriefs, they will review how this situation came to be.
General Recommendations for CI Sectors (but also applicable to all businesses)
- Develop an Incident Response Plan and practice it! Theory is all well and good, and does make up “50%” of the plan, but if your IT and Cybersecurity Teams have never practiced responding to an incident, when it does actually happen, it will be a scramble, causing more confusion than necessary.
- Develop Cybersecurity and Risk Management policies from a known, good framework, in conjunction with the business. Remember, one of the main functions of Cybersecurity is to identify the threats and risks to the business. The business then needs to take those into account and make an informed decision on what is and is not an acceptable level of risk. Think of us like Risk Whisperers.
- Have an asset management and vulnerability management program; in my opinion, these two are tied together. If you don’t know what assets you have (physical/hardware, software, cloud etc.) how can you have any reasonable expectation that you can confidently secure your business. Tied to that, if you’re not consistently managing and patching new vulnerabilities as they are discovered, it’s only a matter of time before you are breached.
Balance IT and OT cybersecurity needs. IT and OT need to work together to understand each other’s perspective. There are some non-negotiables on both sides, but those are usually derived from best practices.
First Malware Targeting AWS Lambda Serverless Platform Discovered
A first-of-its-kind malware targeting Amazon Web Services’ (AWS) Lambda serverless computing platform has been discovered in the wild, announced The Hacker News. Dubbed “Denonia” after the name of the domain it communicates with, “the malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls,” Cado Labs researcher Matt Muir revealed.
DYLAN D’SILVA | Security Researcher at Tripwire
For teams and companies leveraging AWS’ Lambda Serverless Platform for development and application, take note that a first-of-its-kind malware has been discovered.
For those who are not familiar with AWS Lambda, it is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers. With this unique functionality, business can process data at scale, run interactive web and mobile backends, leverage it for machine-learning insights, and create event-driven applications, only ever paying for what you use (requests served and the compute time required to run the code).
Labelled as Denonia, researchers have found that the malware leverages new address resolution techniques for C&C/C2 (Command & Control) traffic to evade standard detection methods and virtual network access controls.
It also appears to use DNS over HTTPS (DoH), which performs remote DNS resolution via HTTPS. It’s typically meant to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by MITM attacks.
As for what researchers have analyzed so far of the malware, they’ve found two different payloads, one being labelled as “python”, while the other had a random string of characters with a ‘.virus’ extension. It currently only appears to run crypto-mining software, which will piggyback on existing resources and compute time, it’s demonstrating that cloud-specific malware is advancing.
Zoom Paid Out $1.8 Million in Bug Bounties in 2021
Video communications giant Zoom this week announced that it paid out roughly $1.8 million in bug bounty rewards in 2021. The company launched its bug bounty program on the HackerOne platform in 2019, and says it has handed out more than $2.4 million in bounty payouts to date, reported Security Week on April 7th.
SAMANTHA ZEIGLER | Security Researcher at Tripwire
Bug bounty programs are a powerful tool that many companies are starting to adopt to protect their systems. Encouraging people to hack and report bugs in their system for a reward allows them to discover and fix vulnerabilities before they are exploited by malicious actors.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.