Search This Blog

Showing posts with label Cloud Security. Show all posts

Cisco SD-WAN Security Flaw Allows Root Code Execution


Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation flaw in the IOS IE operating system, which could result in arbitrary code execution. 

Cisco's SD-WAN portfolio enables enterprises of all sizes to link different office sites over the cloud utilising a variety of networking technologies, including standard internet connections. Appliances at each location allow advanced analytics, monitoring, application-specific performance specifications and automation throughout a company's wide-area network. Meanwhile, IOS XE is the vendor's operating system that runs those appliances. 

The vulnerability (CVE-2021-1529) is an OS command-injection flaw that allows attackers to execute unexpected, harmful instructions directly on the operating system that would otherwise be inaccessible. It exists especially in the command-line interface (CLI) for Cisco's IOS XE SD-WAN software, and it could permit an authenticated, local attacker to run arbitrary commands with root privileges. 

According to Cisco’s advisory, posted this week, “The vulnerability is due to insufficient input validation by the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” 

The alert further stated that the exploit method would comprise authenticating to a susceptible device and delivering "crafted input" to the system CLI. An attacker with successful compromise would be able to read and write any files on the system, execute operations as any user, modify system configurations, install and uninstall software, update the OS and/or firmware, and much more, including subsequent access to a corporate network. 

CVE-2021-1529 has a rating of 7.8 on the CVSS vulnerability-severity scale, and researchers and the Cybersecurity and Infrastructure Security Agency (CISA) have advised organisations to fix the problem as soon as possible. 

Greg Fitzgerald, the co-founder of Sevco Security, cautioned that some firms may still have outdated machines connected to their networks, which might provide a hidden threat with issues like these. 

He stated in the email, “The vast majority of organizations do an excellent job patching the vulnerabilities on the systems they know about. The problem arises when enterprises do not have complete visibility into their asset inventory, because even the most responsive IT and security teams can’t patch a vulnerability for an asset they don’t know is connected to their network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

This is solely the latest SD-WAN vulnerability addressed by Cisco this year. It patched many significant buffer-overflow and command-injection SD-WAN flaws in January, the most serious of which could be abused by an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected server.

Thousands of Organizations Targeted Via 'Operation Chimaera'


TeamTNT hacking group has enhanced its abilities by adding a set of tools that allow it to target multiple operating systems. 

Earlier this week, cybersecurity experts from AT&T Alien Labs published a report on a new campaign, tracked as Chimaera. According to AT&T researchers, infection statistics on the command-and-control (C2) server used in Chimaera suggests that the campaign began on July 25,2021. 

TeamTNT was first discovered last year and was related to the installation of cryptocurrency mining malware on susceptible Docker containers. The operations of the TeamTNT hacking group have been closely monitored by security firm Trend Micro, but in August 2020 experts from Cado Security contributed the more recent discovery of TeamTNT targeting Kubernetes installations. 

Now, the researchers at Alien Labs believe the hacking group is targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine. Despite the short time period, the latest campaign is responsible for "thousands of infections globally," the researchers say. 

In its latest campaign, TeamTNT is using open-source tools like the port scanner Masscan, libprocesshider software for executing the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne. 

Lazagne is an open-source application for multiple web operating systems that are stored on local devices including Chrome, Firefox, Wi-Fi, OpenSSH, and various database programs. According to Palo Alto Networks, the group has also added Peirates, a cloud penetration testing toolset in its armory to target cloud-based apps. 

“With these techniques available, TeamTNT actors are increasingly more capable of gathering enough information in target AWS and Google Cloud environments to perform additional post-exploitation operations. This could lead to more cases of lateral movement and potential privilege-escalation attacks that could ultimately allow TeamTNT actors to acquire administrative access to an organization’s entire cloud environment,” according to Palo Alto’s June report.

While now self-armed with the kit necessary to target a wide range of operating systems, TeamTNT still focuses on cryptocurrency mining. For example, Windows systems are targeted with the Xmrig miner. A service is created and a batch file is added to the startup folder to maintain persistence -- whereas a root payload component is used on vulnerable Kubernetes systems.

HolesWarm Cryptominer Botnet Targets Unpatched Windows, Linux Servers

Researchers at Tencent have issued a warning regarding a HolesWarm cryptominer malware campaign that has exploited more than 20 known vulnerabilities in Linux and Windows servers. The cryptominer botnet has been so effective in interchanging so many different known vulnerabilities between attacks, making Tencent researchers refer to the malware as the “King of Vulnerability Exploitation.”

HolesWarm has been able to break into more than 1,000 cloud hosts just since June. Tencent warned that both government and enterprise should immediately address known security flaws in order to prevent them from falling prey to the following HolesWarm attack. The cryptominer botnet also provides hackers password information and full access to the victim’s server. 

“As the HolesWarm virus has changed more than 20 attack methods in a relatively short period of time, the number of lost cloud hosts is still on the rise. Tencent security experts recommend that the operation and maintenance personnel of government and enterprise organizations actively repair high-risk vulnerabilities in related network components to avoid servers (becoming) a broiler controlled by hackers.” Tencent researchers said in their Tuesday report. 

HolesWarm targeting known security flaws 

Security analysts at Tencent noticed HolesWarm taking advantage of high-risk flaws in several common office server components, including Apache Tomcat, Jenkins, Shiro, Spring boot, Structs2, UFIDA, Weblogic, XXL-JOB, and Zhiyuan. 

The malware uses compromised systems to mine for Monero cryptocurrency. This sort of thing is only lucrative if there are several devices counting numerous strings of blockchain. Cryptominer malware gains full access to the victim’s system and puts it to work as an aspect of a much more common criminal effort to mine Monero at scale, utilizing anyone else’s assets. According to Tencent researchers, attackers are constantly updating their strategies. 

“By pulling and updating other malicious modules, HolesWarm virus will record the version information in the configuration with the same name text while installing the malicious module,” Tencent said. “When the cloud configuration is newer, it will end the corresponding module process and update automatically.”

According to Dirk Schrader from New Net Technologies, the rapid evolution of cryptominer malware suggests that a hacking group was just getting started with their criminal activities.

“Collecting crypto-money is a necessary step for any cybercrime group to grow and later maintain capabilities, to acquire additional exploits traded in the Dark Web or to use some cybercrime-as-a-service,” Schrader explained.

NATO's Cloud Platform Hacked


The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries. 

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 04, 1949. NATO is a collective defense organization in which NATO's independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium. 

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting information management. The military alliance classified the platform as a secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence. 

Paul Howland, Polaris Program Officer explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities". 

The hackers who carried out the attack said they had no idea they could take advantage of a flaw in the NATO platform at first. Furthermore, they concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. One of the secure NATO systems was among Everis' subsidiaries, much to their astonishment. 

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Indian Organizations Suffer the Most in Public Cloud Security Incidents

In a survey of 26 countries for public Cloud security incidents, India emerges as the nation which endured the hardest hits the previous year with 93 percent of the nation's organizations encountering the problem.

The survey included more than 3,500 IT managers across 26 nations in Europe, the Americas, Asia Pacific, the Center East, and Africa that currently host data and workloads at hand in the Public Cloud.

The cybersecurity incidents that Indian organizations suffered most included ransomware (53 percent) and other malware (49 percent), exposed data (49 percent), compromised accounts (48 percent), and cryptojacking (36 percent), said the report titled "The State of Cloud Security 2020" by cybersecurity company Sophos.

While Europeans seem to have endured the least level of security incidents in the Cloud, an indicator that compliance with General Data Protection Regulation (GDPR) guidelines are assisting with protecting organizations from being undermined.

However, India still hasn't enforced a data protection law.

Chester Wisniewski, Principal Research Scientist at Sophos said in a statement, "Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public Cloud."

 "The recent increase in remote working provides extra motivation to disable Cloud infrastructure that is being relied on more than ever, so it's worrisome that many organizations still don't understand their responsibility in securing Cloud data and workloads," Wisniewski added later.

"Cloud security is a shared responsibility, and organizations need to carefully manage and monitor Cloud environments in order to stay one step ahead of determined attackers."

According to the report, more than 55 percent of Indian organizations and businesses revealed that cybercriminals obtained access through the stolen Cloud provider account credentials.

Regardless of this, only 29 percent said managing access to Cloud accounts is a top area of concern. Albeit 'accidental exposure' keeps on plaguing organizations, with misconfigurations exploited in 44 percent of reported attacks on Indian organizations.

With 76 percent of organizations utilizing the Public Cloud, detection and response are driving the Cloud security concern for IT managers in India while data security still stays as a top concern across the world for organizations.

Public Cloud Infrastructures suffering from Security Loopholes and Vulnerabilities, researchers say

Igal Gofman, XM head of security research, and Yaron Shani, XM senior security researcher, in their research, found a new attack vector in cloud providers API ( application programming interface), that gives miscreants a window to access secured cloud data. Public Cloud Infrastructure, has added a new invisible management layer, that complicates the procedure creating security challenges, that requires better understanding. Often organizations fail to understand this management layer and hence lag in securing it, inviting attacks.

Working with public cloud infrastructure without the right understanding of risks and security challenges may lead to fatal consequences with customer risks, as was the case in Capital One breach."Current security practices and controls are not sufficient to mitigate the risk posed by a misunderstanding of the public cloud", said the researchers.

 Findings in the research

Researchers found that public cloud providers' APIs' accessibility over the internet opens a window for adversaries to exploit and gain access to confidential data on the cloud. And current security systems and practices are not equipped to beat the risk posed by misconfiguration of the cloud.

People who are in charge of managing cloud resources can easily gain access to APIs' using software kits and command-line tools as they are part of the development and IT team. "Once those account credentials are compromised, gaining access to high-value resources is trivial," the researchers say. Cloud APIs' can be accessed through the internet, with the correct API key, for example, the Command line interface tool, which saves the user's credentials which can be accessed by the cloud provider.

Attackers don't need a very sophisticated approach to sneak in cloud API, "In practice, the sophistication required to develop such tools is not high, because basically all the information is publicly available and well-documented by most cloud providers, meaning they document each security feature in great detail and it can serve both the defenders and the adversaries," Gofman and Shani say. And once, their credentials are compromised using cloud providers tools, it's easy for the black hats to rob you blind.

In order to protect themselves, organizations and companies should follow the best practice guidelines from the cloud provider. Large organizations should constantly and periodically monitor permissions and risk factors. Analyzing attack paths can decrease the risk factors, suggest the researchers.