VERT’s Cybersecurity News Roundup – for the week of March 18, 2022

All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of March 14, 2022. I’ve also included some comments on these stories.

Most Orgs Would Take Security Bugs Over Ethical Hacking Help

It turns out most organizations would rather seem impervious than be it. A new survey suggests that security is becoming more important for enterprises, but they’re still falling back on old “security by obscurity” ways, reports Threatpost.

Samantha Zeigler | Security Researcher at Tripwire

The change in security views has been slow but essential. Change tends to be hard to adapt to and thus the transition to ethical hacking rather than “security by obscurity”. The transition to transparent security provides a much higher level of security for users. Allowing bug bounty programs and ethical hackers to run penetration tests allows companies to fix vulnerabilities before adversaries break in and exploit those same vulnerabilities.

Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders

Lapsus$ Ransomware gang is looking for insiders willing to sell remote access to major technology corporations and ISPs. They are recruiting from within tech giants like Microsoft, Apple, EA Games and IBM. And the best part – “You will be paid if you would like.”

Dylan D’Silva | Security Researcher at Tripwire

Having a ransomware group openly attempt to recruit employees at major technology, software and ISPs is a serious concern for all companies and the industry. Noted in the article, some previously used tactics included receiving messages on LinkedIn or directly to personal emails. The Lapsus$ group is looking to up the ante and openly advertising their need to acquire VPN access directly into companies’ networks in exchange for being compensated.

This creates a large risk for creating Insider Threats that will need to be managed and mitigated as best as possible. Let’s take a quick look at what Insider Threats are:

· Occurs when an employee, contractor, vendor, or other individual with authorized access to information and systems leverages it to attack the organization.
· Typically aimed at disclosing confidential information (the first tenet of the Cybersecurity Triad – Confidentiality, Integrity, Availability) but may also seek to alter information or disrupt business processes.
· Could have any skill level and their motivations could vary, from financial to activist to personal.

Mitigations, Resources & Recommendations

Whether you’re a tech giant or a small startup, it’s important to understand and assess the risk of Insider Threats as no company will be 100% immune to them. There are some great resources out there to help guide and develop a coherent strategy:

· ISASC – Key Tactics to Assess and Mitigate Insider Threats
· CISA.gov – Insider Threat Mitigation
· EY (Ernst & Young) – Managing Insider Threat

One last piece of advice to consider: The risk of insider attack is not a “one and done” scenario. Admins, HR, IT, and cybersecurity departments need to understand this and consistently assess and respond to risks accordingly.

Dirty Pipe Linux flaw impacts most QNAP NAS devices

Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by the recently discovered Linux vulnerability ‘Dirty Pipe.’

Dylan D’Silva | Security Researcher at Tripwire

QNAP, the makers of NAS (Network Attached Storage, Networking and Surveillance solutions for both home and business users) reports that most of their NAS devices are affected by a high-severity Linux vulnerability known as ‘Dirty Pipe’.

An attacker with local access can leverage the exploit to gain root privileges.

Affecting Linux Kernel 5.8 and later versions, the exploit allows local users to overwrite any file contents in the page cache, even those which are not permitted to be written to, are immutable or are on a R/O mount. From there, a malicious user can modify the /etc/passwd file to set the root user without a password, thereby gaining root access as a non-root user by issuing the “su root” command.

QNAP reported that the following versions of QTS and QuTS hero are affected by the flaw:
• QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS
• QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS

Here is the full list of Kernel Versions; validate in the “5.10.0.60” section. Also note that devices running the 4.x Kernel version are not affected.

At this time, a fix for this flaw is currently in the works. Users should set a reminder for themselves to check back and install the appropriate security updates as they become available. Customers that have NAS devices that are internet-facing should disable Port-Forwarding, as well as UPnP (Universal Plug and Play).

Here is another good reminder to have a vulnerability management program in place. This will help play a strategic part in shoring up your cybersecurity posture while reducing attack surfaces and vectors. Vulnerability management will also help ensure that your hardware and software asset catalogues are aligned and that everything is accounted for – meaning that for every piece of hardware and software you have, you have a plan in place to address both existing and new vulnerabilities. It’s almost akin to the CI/CD methodology; vulnerability management is not a ‘one-and-done’ scenario.

NVIDIA staff shouldn’t have chosen passwords like these…

Last month, the LAPSUS$ hacking group stole up to one terabyte of internal data from graphics card maker NVIDIA, reports Graham Cluley. The malicious hackers claimed to steal source code from the GPU chip manufacturer, as well as the email addresses and password hashes of some 71,335 employees.

Dylan D’Silva | Security Researcher at Tripwire

As a follow-up to the NVIDIA hacking incident from last month in which 1TB of data was stolen (which included source code as well as email address and password hashes for 70K+ employees), it looks like weak passwords were allowed. Analysis done on the cracked passwords showed the following top 10:

1. nvidia
2. nvidia3d
3. mellanox
4. ready2wrk
5. welcome
6. password
7. mynvidia3d
8. nvda
9. qwerty
10. September

This goes to show that weak passwords, which could be interpreted as poor cybersecurity policies, still plague organizations of all sizes, including the world’s largest manufacturer of GPUs.

Recommendations

Amongst other things, this comes down to leveraging an effective Group Policy on Password Policies when administering your Domain. Enforcing policies such as ‘Password History’, ‘Maximum Password Age’, ‘Minimum Password Age’, ‘Minimum Password Length’, and ‘Meeting Complexity Requirements’ will help combat weak and ineffectual passwords.

Beyond that, company-wide continuing education on cybersecurity best practices is needed, including instructing users to avoid dictionary words and to start using passphrases instead of words overall. When it comes to educating, what might help is showing how quickly a weak password can be compromised and iterating the potential costs (both financial and reputational) of such.

Microsoft removes Windows 11 update block for VirtualBox users

Microsoft has removed the last Windows 11 safeguard hold after Oracle addressed a known VirtualBox issue causing errors and virtual machine start failures when Hyper-V or the Windows Hypervisor were installed. The workaround meantime? Uninstall VirtualBox, Hyper-V or Windows Hypervisor.

Andrew Swoboda | Senior Security Researcher at Tripwire

Windows 11 was blocked from installing on system with both Hyper-V and VirtualBox installed on the system. An interaction between the two software caused an instability with Windows 11, and Microsoft blocked Windows 11 from being installed. Oracle has released an update for VirtualBox and the issue has been fixed in version 6.1.28. Users that have upgraded to this version are allowed to install Windows 11. A small number of users may still be affected by the block if they have an application that bundles VirtualBox.

New Linux botnet exploits Log4J, uses DNS tunneling for comms

A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info – installing rootkits, creating reverse shells, and acting as web traffic proxies.

Andrew Swoboda | Senior Security Researcher at Tripwire

Researchers at Qihoo 360’s Network Security Research Lab found malware that they called B1txor20 that targeted the Linux ARM/X64 CPU architecture. This malware was seen on February 9 and it targeted devices that were still vulnerable to the Log4j vulnerability. After a system is infected with B1txor20, the malware uses DNS tunneling for communication channels with the command and control server.

New ransomware threatens to wipe Windows PCs

It’s all fun and games until someone wipes a disk. A relatively new Ransomware, LokiLocker, uses the standard extortion-through-encryption racket but also incorporates disk-wiper functionality. Double extortion soared in popularity last year, with ransomware gangs stealing files before encrypting them to threaten victims with a sensitive data leak if they didn’t pay up.

Andrew Swoboda | Senior Security Researcher at Tripwire