VERT’s Cybersecurity News Roundup – for the week of March 18, 2022
All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of March 14, 2022. I’ve also included some comments on these stories.
Most Orgs Would Take Security Bugs Over Ethical Hacking Help
It turns out most organizations would rather seem impervious than be it. A new survey suggests that security is becoming more important for enterprises, but they’re still falling back on old “security by obscurity” ways, reports Threatpost.
Samantha Zeigler | Security Researcher at Tripwire
The change in security views has been slow but essential. Change tends to be hard to adapt to, and so is the transition to ethical hacking rather than “security by obscurity”. The transition to transparent security provides a much higher level of security for users. Allowing bug bounty programs and ethical hackers to run penetration tests allows companies to fix vulnerabilities before adversaries break in and exploit those same vulnerabilities.
Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders
Lapsus$ Ransomware gang is looking for insiders willing to sell remote access to major technology corporations and ISPs. They are recruiting from within tech giants like Microsoft, Apple, EA Games and IBM. And the best part – “You will be paid if you would like.”
Dylan D’Silva | Security Researcher at Tripwire
Having a ransomware group openly attempt to recruit employees at major technology and software companies and ISPs is a serious concern for all companies and the industry. As noted in the article, some previously used tactics included receiving messages on LinkedIn or directly to personal emails. The Lapsus$ group is looking to up the ante by openly advertising its need to acquire VPN access directly into companies’ networks in exchange for compensation.
This creates a large risk of Insider Threats that will need to be managed and mitigated as best as possible. Let’s take a quick look at what Insider Threats are:
· Occurs when an employee, contractor, vendor, or other individual with authorized access to information and systems leverages it to attack the organization.
· Typically aimed at disclosing confidential information (the first tenet of the Cybersecurity Triad – Confidentiality, Integrity, Availability) but may also seek to alter information or disrupt business processes.
· Could have any skill level and their motivations could vary, from financial to activist to personal.
Mitigations, Resources & Recommendations
Whether you’re a tech giant or a small startup, it’s important to understand and assess the risk of Insider Threats as no company will be 100% immune to them. There are some great resources out there to help guide and develop a coherent strategy:
· ISACA – Key Tactics to Assess and Mitigate Insider Threats
· CISA.gov – Insider Threat Mitigation
· EY (Ernst & Young) – Managing Insider Threat
One last piece of advice to consider: The risk of insider attack is not a “one and done” scenario. Admins, HR, IT, and cybersecurity departments need to understand this and consistently assess and respond to risks accordingly.
Dirty Pipe Linux flaw impacts most QNAP NAS devices
Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by the recently discovered Linux vulnerability ‘Dirty Pipe.’
Dylan D’Silva | Security Researcher at Tripwire
QNAP, the maker of NAS (Network Attached Storage), networking and surveillance solutions for both home and business users, reports that most of its NAS devices are affected by a high-severity Linux vulnerability known as ‘Dirty Pipe’.
An attacker with local access can leverage the exploit to gain root privileges.
Affecting Linux Kernel 5.8 and later versions, the exploit allows local users to overwrite any file contents in the page cache, even those which are not permitted to be written to, are immutable or are on an R/O mount. From there, a malicious user can modify the /etc/passwd file to set the root user without a password, thereby gaining root access as a non-root user by issuing the “su root” command.
QNAP reported that the following versions of QTS and QuTS hero are affected by the flaw:
• QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS
• QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS
Here is the full list of Kernel Versions; validate in the “5.10.0.60” section. Also note that devices running the 4.x Kernel version are not affected.
A fix for this flaw is currently in the works. Users should set a reminder for themselves to check back and install the appropriate security updates as they become available. Customers that have NAS devices that are internet-facing should disable Port-Forwarding, as well as UPnP (Universal Plug and Play).
Here is another good reminder to have a vulnerability management program in place. This will help play a strategic part in shoring up your cybersecurity posture while reducing attack surfaces and vectors. Vulnerability management will also help ensure that your hardware and software asset catalogues are aligned and that everything is accounted for – meaning that for every piece of hardware and software you have, you have a plan in place to address both existing and new vulnerabilities. It’s almost akin to the CI/CD methodology; vulnerability management is not a ‘one-and-done’ scenario.
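Two defender-side checks that follow from the Dirty Pipe write-up above, as an added example (not QNAP’s or Tripwire’s code): a kernel-version test that applies the page’s “5.8 or later” criterion to a release string, and an audit of /etc/passwd content for the symptom the write-up describes (a root entry with its password field emptied) plus other UID 0 accounts and truncated lines, alongside a baseline-hash comparison of the file’s content. The sample passwd text and the `svcadmin` account are constructed; the patched point releases are not given on the page, so the kernel check only applies the lower bound and a `True` result means “consult the vendor advisory”, not “confirmed vulnerable”.

```python
"""Defensive checks related to the Dirty Pipe item above (added example).

Not QNAP's or Tripwire's code. Applies the page's "kernel 5.8 or later"
criterion and audits /etc/passwd content; the sample text is constructed.
"""
import hashlib
import platform
import re

# Constructed sample: root with an emptied password field, a second UID-0
# account, and a truncated line. Not taken from any real device.
SAMPLE_PASSWD = (
    "root::0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "svcadmin:x:0:0:service admin:/root:/bin/sh\n"
    "httpd:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "broken:x:1000\n"
)


def kernel_in_affected_range(release):
    """Return True if a kernel release string (e.g. '5.10.60-qnap') is 5.8 or later.

    The roundup states 5.8 and later are affected and 4.x is not; it does not
    list the patched point releases, so only that lower bound is applied here.
    """
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor = int(match.group(1)), int(match.group(2))
    return (major, minor) >= (5, 8)


def audit_passwd(passwd_text):
    """Return human-readable findings for suspicious /etc/passwd entries."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("line %d: malformed entry (%d fields)" % (lineno, len(fields)))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        # The normal value is "x" (hash kept in /etc/shadow) or a hash; an
        # empty field means no password is required for that account.
        if password == "":
            findings.append("%s: empty password field" % name)
        if uid == "0" and name != "root":
            findings.append("%s: UID 0 account other than root" % name)
    return findings


def passwd_matches_baseline(passwd_text, baseline_sha256):
    """File-integrity style check: compare content against a known-good SHA-256."""
    digest = hashlib.sha256(passwd_text.encode("utf-8")).hexdigest()
    return digest == baseline_sha256


def audit_host(passwd_path="/etc/passwd"):
    """Run both checks on the local host; the file is read as any process would read it."""
    release = platform.release()
    with open(passwd_path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    return {
        "kernel": release,
        "kernel_5_8_or_later": kernel_in_affected_range(release),
        "passwd_findings": audit_passwd(text),
    }


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("sample:", finding)
    if platform.system() == "Linux":
        print(audit_host())
```

Run it on a Linux host and `audit_host()` reports the kernel release, whether it falls in the page’s affected range, and any passwd findings; pairing `passwd_matches_baseline` with a digest recorded when the device was known-good catches edits to accounts the simple rules do not cover.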
NVIDIA staff shouldn’t have chosen passwords like these…
Last month, the LAPSUS$ hacking group stole up to one terabyte of internal data from graphics card maker NVIDIA, reports Graham Cluley. The malicious hackers claimed to steal source code from the GPU chip manufacturer, as well as the email addresses and password hashes of some 71,335 employees.
Dylan D’Silva | Security Researcher at Tripwire
As a follow-up to the NVIDIA hacking incident from last month in which 1TB of data was stolen (which included source code as well as email addresses and password hashes for 70K+ employees), it looks like weak passwords were allowed. Analysis done on the cracked passwords showed the following top 10:
1. nvidia
2. nvidia3d
3. mellanox
4. ready2wrk
5. welcome
6. password
7. mynvidia3d
8. nvda
9. qwerty
10. September
This goes to show that weak passwords, which could be interpreted as poor cybersecurity policies, still plague organizations of all sizes, including the world’s largest manufacturer of GPUs.
Recommendations
Amongst other things, this comes down to leveraging an effective Group Policy on Password Policies when administering your Domain. Enforcing policies such as ‘Password History’, ‘Maximum Password Age’, ‘Minimum Password Age’, ‘Minimum Password Length’, and ‘Meeting Complexity Requirements’ will help combat weak and ineffectual passwords.
Beyond that, company-wide continuing education on cybersecurity best practices is needed, including instructing users to avoid dictionary words and to start using passphrases instead of words overall. When it comes to educating, what might help is showing how quickly a weak password can be compromised and reiterating the potential costs (both financial and reputational) of such.
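A password-policy checker modelled on the Group Policy settings named above, as an added example (not Tripwire’s or NVIDIA’s code): it implements Minimum Password Length, the Windows-style complexity rule (three of four character classes, no account-name or full-name fragments) and Password History, and adds a blocklist built from the top-10 list quoted above, so a reader can see exactly which rules each leaked password fails. The two age settings are time-based and are not modelled; the account names, history entries and the passphrase are constructed, and history is compared in plaintext as a simplification where a directory would compare hashes.

```python
"""Password-policy checker (added example, not Tripwire's or NVIDIA's code).

Models Minimum Password Length, complexity and Password History from the
Group Policy settings discussed above, plus a blocklist of the top-10 list.
"""
import re

# Top-10 cracked passwords as quoted in the roundup, lower-cased for matching.
LEAKED_TOP10 = frozenset({
    "nvidia", "nvidia3d", "mellanox", "ready2wrk", "welcome",
    "password", "mynvidia3d", "nvda", "qwerty", "september",
})


def character_classes(candidate):
    """Count how many of the four classes (upper, lower, digit, other) appear."""
    classes = 0
    classes += int(any(c.isupper() for c in candidate))
    classes += int(any(c.islower() for c in candidate))
    classes += int(any(c.isdigit() for c in candidate))
    classes += int(any(not c.isalnum() for c in candidate))
    return classes


def contains_name_fragment(candidate, username, full_name=""):
    """Complexity rule: reject the account name, or any full-name token longer
    than two characters, appearing anywhere inside the password."""
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        return True
    for token in re.split(r"[\s,.\-_#]+", full_name.lower()):
        if len(token) > 2 and token in lowered:
            return True
    return False


def evaluate_password(candidate, username, full_name="", history=(), min_length=12):
    """Return the list of rules the candidate violates; an empty list means accepted.

    `history` holds the account's previous passwords (constructed simplification:
    a real directory stores and compares hashes, not plaintext).
    """
    failures = []
    if len(candidate) < min_length:
        failures.append("shorter than minimum length %d" % min_length)
    if character_classes(candidate) < 3:
        failures.append("fewer than three of four character classes")
    if contains_name_fragment(candidate, username, full_name):
        failures.append("contains account or full-name fragment")
    if candidate.lower() in LEAKED_TOP10:
        failures.append("matches a known leaked password")
    if candidate in history:
        failures.append("reused from password history")
    return failures


def audit_list(candidates, username, **kwargs):
    """Evaluate many candidates at once; returns {candidate: failures}."""
    return {c: evaluate_password(c, username, **kwargs) for c in candidates}


if __name__ == "__main__":
    # Constructed account "jdoe" / "Jane Doe"; every leaked entry fails at least one rule.
    for pw, reasons in audit_list(sorted(LEAKED_TOP10), "jdoe", full_name="Jane Doe").items():
        print("%-12s %s" % (pw, "; ".join(reasons)))
    print(evaluate_password("Correct-Horse-Battery-7", "jdoe", full_name="Jane Doe"))
```

Every entry in the quoted top 10 fails on length and on character classes before the blocklist is even consulted, which is the point of the Group Policy settings: a passphrase such as the constructed `Correct-Horse-Battery-7` passes all five rules without any special handling.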
Microsoft removes Windows 11 update block for VirtualBox users
Microsoft has removed the last Windows 11 safeguard hold after Oracle addressed a known VirtualBox issue causing errors and virtual machine start failures when Hyper-V or the Windows Hypervisor were installed. The workaround meantime? Uninstall VirtualBox, Hyper-V or Windows Hypervisor.
Andrew Swoboda | Senior Security Researcher at Tripwire
Windows 11 was blocked from installing on systems with both Hyper-V and VirtualBox installed. An interaction between the two software packages caused an instability with Windows 11, and Microsoft blocked Windows 11 from being installed. Oracle has released an update for VirtualBox and the issue has been fixed in version 6.1.28. Users that have upgraded to this version are allowed to install Windows 11. A small number of users may still be affected by the block if they have an application that bundles VirtualBox.
New Linux botnet exploits Log4J, uses DNS tunneling for comms
A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info – installing rootkits, creating reverse shells, and acting as web traffic proxies.
Andrew Swoboda | Senior Security Researcher at Tripwire
Researchers at Qihoo 360’s Network Security Research Lab found malware that they called B1txor20 that targeted the Linux ARM/X64 CPU architectures. This malware was seen on February 9 and it targeted devices that were still vulnerable to the Log4j vulnerability. After a system is infected with B1txor20, the malware uses DNS tunneling for communication channels with the command and control server.
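The roundup notes that B1txor20 talks to its command-and-control server over DNS tunneling. The following heuristic detector, an added example that is not Qihoo 360’s or Tripwire’s code and does not model B1txor20’s actual protocol (which the roundup does not describe), shows how a defender can score resolver query logs for the generic signs of tunneling: very long labels, high-entropy leftmost labels, and record types that carry bulk data (TXT, NULL), flagging a domain only once several distinct indicator-bearing subdomains appear beneath it, so a single DMARC or SPF TXT lookup does not trip it. The query records, client addresses and domains are constructed, and the registered-domain split (last two labels) is a simplification standing in for a public-suffix lookup.

```python
"""Heuristic DNS-tunnelling detector over resolver query records (added example).

Not Qihoo 360's or Tripwire's code and not B1txor20's protocol; generic
indicators only. All query records below are constructed.
"""
import math
from collections import defaultdict

LONG_LABEL = 30                 # label length rarely seen in human-chosen names
ENTROPY_MIN_LABEL = 16          # only score entropy on labels this long or longer
HIGH_ENTROPY = 3.5              # bits per character; hex payloads sit near 3.9, base32 higher
BULK_RECORD_TYPES = {"TXT", "NULL"}
MIN_SUSPICIOUS_SUBDOMAINS = 3   # distinct indicator-bearing names before a domain is flagged

# Constructed sample query log as (client, queried name, record type).
# "example-c2.test" stands in for a tunnelling domain; nothing here is real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "_dmarc.example.com", "TXT"),
    ("10.0.0.5", "cdn.example.com", "A"),
    ("10.0.0.7", "7a9f3c1e4b2d8a6f0c5e9b1d3f7a2c4e.tun.example-c2.test", "TXT"),
    ("10.0.0.7", "3e1c9b7a5d2f8e4c6a0b1d9f7e3c5a2b.tun.example-c2.test", "TXT"),
    ("10.0.0.7", "c4d2e8f1a9b3c7d5e0f6a2b8c1d9e3f7.tun.example-c2.test", "TXT"),
    ("10.0.0.7", "9b1d3f5a7c2e4f6a8b0c1d2e3f4a5b6c.tun.example-c2.test", "TXT"),
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def registered_domain(name):
    """Last two labels of the name (simplification for a public-suffix lookup)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def query_indicators(name, rtype):
    """Return the tunnelling indicators a single query exhibits (empty list if none)."""
    labels = name.rstrip(".").split(".")
    reasons = []
    if any(len(label) >= LONG_LABEL for label in labels):
        reasons.append("long label")
    leftmost = labels[0]
    if len(leftmost) >= ENTROPY_MIN_LABEL and shannon_entropy(leftmost) > HIGH_ENTROPY:
        reasons.append("high-entropy label")
    if rtype.upper() in BULK_RECORD_TYPES:
        reasons.append("bulk record type %s" % rtype.upper())
    return reasons


def analyze(queries):
    """Aggregate indicator-bearing queries per registered domain.

    Returns {domain: {"subdomains": set, "clients": set, "reasons": set}}.
    """
    stats = {}
    for client, name, rtype in queries:
        reasons = query_indicators(name, rtype)
        if not reasons:
            continue
        entry = stats.setdefault(registered_domain(name),
                                 {"subdomains": set(), "clients": set(), "reasons": set()})
        entry["subdomains"].add(name)
        entry["clients"].add(client)
        entry["reasons"].update(reasons)
    return stats


def suspicious_domains(queries):
    """Domains with enough distinct indicator-bearing subdomains to warrant a look."""
    stats = analyze(queries)
    return sorted(domain for domain, entry in stats.items()
                  if len(entry["subdomains"]) >= MIN_SUSPICIOUS_SUBDOMAINS)


if __name__ == "__main__":
    for domain, entry in analyze(SAMPLE_QUERIES).items():
        print(domain, len(entry["subdomains"]), sorted(entry["clients"]), sorted(entry["reasons"]))
    print("suspicious:", suspicious_domains(SAMPLE_QUERIES))
```

On the constructed log, `example.com` appears in the aggregate because of its one legitimate TXT lookup but stays below the subdomain threshold, while `example-c2.test` is flagged on all three indicators. In practice the thresholds are tuned per environment, and the per-domain client set tells the responder which hosts to look at first.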
New ransomware threatens to wipe Windows PCs
It’s all fun and games until someone wipes a disk. A relatively new Ransomware, LokiLocker, uses the standard extortion-through-encryption racket but also incorporates disk-wiper functionality. Double extortion soared in popularity last year, with ransomware gangs stealing files before encrypting them to threaten victims with a sensitive data leak if they didn’t pay up.
Andrew Swoboda | Senior Security Researcher at Tripwire
LokiLocker is a somewhat new ransomware that encrypts files. However, it also includes functionality that can wipe a disk. This increases pressure on a victim because their files have been encrypted and will then be deleted. Deleted files can be recovered, but encryption can cause bigger issues.
In general, users should have a plan to recover from a bad drive and have backups that can be used to restore to a functional state. There are online services that make the job of recovery easy.
CISA adds 15 vulnerabilities to list of flaws exploited in attacks
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added fifteen additional flaws to its list of actively exploited vulnerabilities known to be used in cyberattacks, reports Bleeping Computer.
Dylan D’Silva | Security Researcher at Tripwire
CISA (Cybersecurity & Infrastructure Security Agency) has added fifteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, bringing the total to 504. Fourteen of the fifteen vulns are Windows related and almost all of them deal with Privilege Escalation.
Privilege Escalation is defined as the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. One of these already has a PoC (Proof of Concept) published, so attackers can review it and immediately implement it on vulnerable systems.
Some of these new vulnerabilities have been disclosed since 2015. If they have not been patched yet, it presents a large issue for organizations not paying close attention to vulnerability and patch management. US Federal Agencies have until April 5th, 2022 to apply the available security updates to address the 15 “new” vulnerabilities.
Recommendations
1. Review the new vulnerabilities and take immediate action to address all that relate to your systems.
a. Ensure you are following best practices as they relate to patching/updating (i.e., if you are patching mission critical applications/software/hardware etc., have users been notified, has downtime been scheduled, is data backed up, do you have a roll-back plan in place to address issues if they arise, etc.). *Note: the preceding is not an exhaustive list. Consult with the appropriate teams.
2. Review the existing catalog and take immediate action(s) to address all that relate to your systems. Same “Best Practices” from Recommendation 1 apply.
3. Subscribe to Known Exploited Vulnerabilities Catalog Update Bulletin to ensure you are kept up to date on critical news and information related to exploited vulnerabilities.
4. If you/your business does not have a patching and vulnerabilities management strategy in place, review the justifications as to why not, and see if they are still relevant today. Is your business ready for a potential data breach or worse, along with the financial and reputational harm that will be inflicted because continued due diligence and best practices have not been applied to vulnerability management?
New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers
The Hacker News reports that ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed. The malware abused WatchGuard firewall appliances as a steppingstone to gain remote access to breached networks.
Dylan D’Silva | Security Researcher at Tripwire
Users that have ASUS Routers should pay close attention, as there is a new botnet called Cyclops Blink that targets ASUS hardware.
The underlying purpose of this bot is to build out infrastructure for further attacks on high-value targets, as ASUS hardware is aimed at the consumer/SOHO section of the market.
It leverages OpenSSL to encrypt communications with its C2 (Command-And-Control Server) and uses modules that read and write from the flash memory, which enables it to survive factory resets. A secondary recon module helps exfiltrate information back to the C2 server, and a file download component helps retrieve payloads via HTTPS.
ASUS has acknowledged that a number of models are affected and it’s working on an update to address exploitation.
Affected products
GT-AC5300 firmware under 3.0.0.4.386.xxxx
GT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC5300 firmware under 3.0.0.4.386.xxxx
RT-AC88U firmware under 3.0.0.4.386.xxxx
RT-AC3100 firmware under 3.0.0.4.386.xxxx
RT-AC86U firmware under 3.0.0.4.386.xxxx
RT-AC68U, AC68R, AC68W, AC68P firmware under 3.0.0.4.386.xxxx
RT-AC66U_B1 firmware under 3.0.0.4.386.xxxx
RT-AC3200 firmware under 3.0.0.4.386.xxxx
RT-AC2900 firmware under 3.0.0.4.386.xxxx
RT-AC1900P, RT-AC1900P firmware under 3.0.0.4.386.xxxx
RT-AC87U (EOL)
RT-AC66U (EOL)
RT-AC56U (EOL)
Here is their Product Security Advisory.
Recommendation
Follow the security checklist (below) provided by ASUS to help mitigate this issue until a proper update is provided.
(1) Reset the device to factory default: Log in to the web GUI, go to Administration → Restore/Save/Upload Setting, click the “Initialize all the setting and clear all the data log”, and then click the “Restore” button.
(2) Update all devices to the latest firmware.
(3) Ensure the default admin password has been changed to a more secure one.
(4) Disable Remote Management (disabled by default, can only be enabled via Advanced Settings).
Please note that if you choose not to install this new firmware version, then ASUS strongly recommends that you disable remote access from WAN and reset your router to its default settings to avoid any potential unwanted intrusion.
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.