by Richard Beck

Here is our cyber security round-up of the week:

Kubernetes falls to cryptomining via machine-learning framework

A unique cyberattack campaign that targets Kubeflow has affected large swathes of container clusters, according to Microsoft researchers. The Kubeflow open-source project is a popular framework for running machine-learning (ML) tasks in Kubernetes.

According to an analysis this week, a suspicious Kubeflow image was seen deployed to thousands of clusters in April, all from a single public repository. Closer inspection showed that the image runs a common open-source cryptojacking malware that mines the Monero virtual currency, known as XMRIG.

So how was Kubeflow used as the entry point for this kind of attack? Microsoft researcher Weizman noted that Kubeflow can manage the various tasks required to put an ML model into action, such as training ML algorithms. According to its website, Kubeflow simplifies the many steps required to build and deploy an ML model, including “data loading, verification, splitting, processing, feature engineering, model training and verification, hyperparameter tuning and model serving”. As Kubeflow is a containerised service, these various tasks run as containers in the Kubernetes cluster, and each can present a path for an attacker into the core Kubernetes architecture.

For protection from this kind of attack, if Kubeflow is deployed within a cluster, admins should take care to make sure that its dashboard isn’t exposed to the internet, Weizman noted. “Check the type of the Istio ingress service by the following command and make sure that it is not a load balancer with a public IP:

kubectl get service istio-ingressgateway -n istio-system”
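The command above only prints the Service type; deciding whether the address it was given is actually public is left to the reader. The following Python script is an added example (not part of the article or of Microsoft's guidance) that classifies the JSON form of that same command's output: it treats a Service as exposed when a load-balancer ingress address or an externalIP is globally routable, or when the cloud provider reports a DNS hostname that cannot be proven private. The sample manifests, the function names and the constructed hostname are assumptions made for the example.

```python
"""Classify whether the Istio ingress gateway Service (which fronts the Kubeflow
dashboard) is reachable from the internet, based on the JSON that
`kubectl get service istio-ingressgateway -n istio-system -o json` returns.
"""
import ipaddress
import json
import subprocess


def _collect_addresses(svc: dict) -> list:
    """Gather every address through which the Service can be reached from outside the cluster."""
    spec = svc.get("spec", {})
    status = svc.get("status", {})
    addresses = []
    # Cloud load balancers report either an IP or a DNS hostname here once provisioned.
    for entry in (status.get("loadBalancer", {}).get("ingress") or []):
        if entry.get("ip"):
            addresses.append(entry["ip"])
        elif entry.get("hostname"):
            addresses.append(entry["hostname"])
    # externalIPs can expose even a ClusterIP or NodePort Service on a node address.
    addresses.extend(spec.get("externalIPs") or [])
    return addresses


def classify_service(svc: dict) -> dict:
    """Return the Service type, its external addresses and whether any of them is public.

    An address counts as public when it is a globally routable IP literal, or when it
    is a DNS hostname (a cloud load-balancer name) that cannot be shown to be private.
    """
    svc_type = svc.get("spec", {}).get("type", "ClusterIP")
    addresses = _collect_addresses(svc)
    public = []
    for addr in addresses:
        try:
            if ipaddress.ip_address(addr).is_global:
                public.append(addr)
        except ValueError:
            # Not an IP literal, so a load-balancer hostname: treat it as exposed.
            public.append(addr)
    return {
        "name": svc.get("metadata", {}).get("name"),
        "type": svc_type,
        "addresses": addresses,
        "public": public,
        "exposed": bool(public),
        # A LoadBalancer with no address yet will become reachable once provisioned.
        "pending": svc_type == "LoadBalancer" and not addresses,
    }


def check_live(name: str = "istio-ingressgateway", namespace: str = "istio-system") -> dict:
    """Run the kubectl command from the article with JSON output and classify the result."""
    out = subprocess.check_output(
        ["kubectl", "get", "service", name, "-n", namespace, "-o", "json"], text=True)
    return classify_service(json.loads(out))


# Constructed sample manifests (not data from any real cluster). The ipaddress module
# treats documentation ranges such as 203.0.113.0/24 as non-global, so the "public"
# sample uses an ordinary routable address instead.
SAMPLE_PUBLIC_LB = {
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {"type": "LoadBalancer", "clusterIP": "10.96.12.4"},
    "status": {"loadBalancer": {"ingress": [{"ip": "34.120.10.10"}]}},
}
SAMPLE_INTERNAL_LB = {
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {"type": "LoadBalancer", "clusterIP": "10.96.12.4"},
    "status": {"loadBalancer": {"ingress": [{"ip": "10.0.5.4"}]}},
}
SAMPLE_CLUSTER_IP = {
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {"type": "ClusterIP", "clusterIP": "10.96.12.4"},
    "status": {"loadBalancer": {}},
}
SAMPLE_HOSTNAME_LB = {
    "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
    "spec": {"type": "LoadBalancer", "clusterIP": "10.96.12.4"},
    # Constructed hostname standing in for a cloud load-balancer DNS name.
    "status": {"loadBalancer": {"ingress": [{"hostname": "a1b2c3.lb.example"}]}},
}

if __name__ == "__main__":
    for svc in (SAMPLE_PUBLIC_LB, SAMPLE_INTERNAL_LB, SAMPLE_CLUSTER_IP, SAMPLE_HOSTNAME_LB):
        r = classify_service(svc)
        print(f"{r['name']}: type={r['type']} public={r['public']} exposed={r['exposed']} pending={r['pending']}")
```

Against a real cluster, `check_live()` runs the article's command with `-o json` and applies the same classification; an internal load balancer with a private address is reported as not exposed, while a pending LoadBalancer is flagged separately because it will become reachable as soon as the provider assigns an address.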

While this is the first known attack to use Kubeflow as an initial pathway into Kubernetes clusters, containerisation technology is no stranger to cryptomining offensives. Kubernetes was at the centre of another recent large-scale XMRIG campaign, according to Microsoft. Also, in April, an organised, self-propagating cryptomining campaign was found targeting misconfigured open Docker daemon API ports, while last October more than 2,000 unsecured Docker Engine (Community Edition) hosts were found to be infected by a cryptojacking worm dubbed Graboid.

European power company Enel Group hit by ransomware

European power company Enel was hit by the Ekans (Snake) ransomware, but the attack was apparently contained by the company's antivirus software. As a precaution, the company temporarily isolated its corporate network in order to carry out all interventions aimed at eliminating any residual risk. Connections were safely restored early on Monday morning.

Enel states that no critical issues have occurred concerning the remote control systems of its distribution assets and power plants, and that customer data have not been exposed to third parties. Enel did not comment on the name of the ransomware used in the attack, but a security researcher found a SNAKE/EKANS sample submitted to VirusTotal on June 7 that checks for the domain “enelint.global”.

Honda's operations were also brought to a standstill last week, with its computer networks in Europe and Japan affected by issues reportedly related to the same SNAKE ransomware. Customer care activities could have been disrupted for a limited time by the temporary blockage of the internal IT network. Security researchers discovered that both Honda and Enel Group had RDP connections exposed to the internet, but it is not clear whether this is how the attackers gained entry. Analysis from industrial cybersecurity company Dragos supports this picture; Dragos confirmed that Snake ransomware was the first in its category to target industrial control system (ICS) operations.

Resurgence of activity by Tor2Mine

Researchers have identified a resurgence of activity by Tor2Mine, a cryptocurrency mining group that was likely last active in 2018. Tor2Mine is deploying additional malware to harvest credentials and steal more money.

The actors are also using a new IP address and two new domains to carry out their operations. The addition of new tactics, techniques and procedures (TTPs) suggests Tor2Mine is seeking ways to diversify its revenue in a volatile cryptocurrency market. Tor2Mine has traditionally been a cryptocurrency mining malware actor, notorious for infecting victims with cryptominers that steal system resources to mine currency.

In a new development, the Tor2Mine actors have incorporated additional malware into their operations, likely as a way to diversify revenue streams and stay relevant in a Covid-19 world where cryptocurrencies are fluctuating wildly. Between January and June 2020, researchers observed resurgent activity from Tor2Mine, a profit-driven actor that remains active despite a global economic recession and volatile cryptocurrency market. To address these challenges, Tor2Mine, a group traditionally known to deliver cryptocurrency mining malware, has begun using additional malware to harvest victims’ credentials and steal more money.

The addition of new TTPs, as well as the use of new infrastructure, highlights Tor2Mine’s resilience in a challenging threat environment. These developments also underscore threat actors’ persistence more broadly and should serve as a reminder that organisations must maintain heightened security at all times. What makes the Tor2Mine group notable is their use of Tor2web for command and control (C2) for their malware infections. The Tor2web services act as a bridge between the internet and the Tor network, a system that allows users to enable anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden.
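Because a Tor2web gateway turns a hidden-service address into an ordinary hostname, the hostname itself carries a recognisable signature: a 16-character (v2) or 56-character (v3) base32 label followed by the gateway's domain. The following Python is an added example, not code from the article or from the researchers it cites, that scans DNS query log lines for that pattern. The log format, the client addresses, the onion labels and the short list of gateway domains are all constructed or assumed for the example; the gateway list in particular should come from your own threat intelligence. It generalises slightly beyond the text by also scoring bare .onion lookups and unknown parent domains at lower confidence.

```python
"""Flag DNS queries for Tor2web-style hostnames in a DNS query log."""
import re
from typing import Iterable, List, Optional

# Assumed list of Tor2web gateway domains, for illustration only.
KNOWN_GATEWAYS = ("onion.to", "onion.link", "onion.ws", "onion.pet", "onion.ly", "tor2web.io")

# A Tor hidden-service name is one base32 label (a-z, 2-7) of 16 (v2) or 56 (v3) characters.
ONION_LABEL = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.(.+)$")


def classify_query(qname: str) -> Optional[dict]:
    """Return a finding for a query name that looks like an onion address on the clear internet."""
    name = qname.lower().rstrip(".")
    m = ONION_LABEL.match(name)
    if not m:
        return None
    label, parent = m.groups()
    if parent == "onion":
        # A bare .onion lookup never resolves on public DNS; it hints at Tor
        # software on the host but is not a Tor2web gateway.
        confidence = "medium"
    elif parent in KNOWN_GATEWAYS or parent.endswith(tuple("." + g for g in KNOWN_GATEWAYS)):
        confidence = "high"
    else:
        # A 16- or 56-letter base32 label under an arbitrary domain may be an
        # unknown gateway, or simply a long ordinary hostname (see the sample log).
        confidence = "low"
    return {"qname": name, "onion": label, "parent": parent, "confidence": confidence}


def scan_dns_log(lines: Iterable[str]) -> List[dict]:
    """Parse constructed log lines of the form '<timestamp> <client-ip> <qname> <qtype>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        verdict = classify_query(qname)
        if verdict:
            verdict.update({"timestamp": ts, "client": client, "qtype": qtype})
            findings.append(verdict)
    return findings


# Constructed onion labels: 16 and 56 base32 characters respectively.
V2_LABEL = "abcdefghij234567"
V3_LABEL = "abcdefghijklmnopqrstuvwxyz234567" + "abcdefghijklmnopqrstuvwx"

# Constructed sample log; the fourth line is a benign 16-letter hostname that
# shows why the generic pattern alone is only low confidence.
SAMPLE_LOG = [
    "2020-06-12T09:14:03Z 10.20.30.41 www.example.com A",
    f"2020-06-12T09:14:05Z 10.20.30.41 {V2_LABEL}.onion.to A",
    f"2020-06-12T09:14:09Z 10.20.30.57 {V3_LABEL}.tor2web.io A",
    "2020-06-12T09:15:12Z 10.20.30.41 myinternalserver.corp.example A",
    f"2020-06-12T09:15:40Z 10.20.30.88 {V2_LABEL}.onion A",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} {f['confidence']:6} {f['qname']}")
```

Run over real resolver or Sysmon DNS logs, the high-confidence hits are the ones worth an immediate look; the low-confidence bucket is there to catch gateways not yet on the list, and it needs the usual allow-listing of your own long hostnames.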

During the course of our research, we also discovered evidence suggesting that the Tor2Mine actors are deploying additional malware in tandem with XMRig during their operations to harvest credentials and steal more money. The new malware includes AZORult, an information-stealing malware; the remote access tool Remcos; the DarkVNC backdoor trojan; and a clipboard cryptocurrency stealer.

SA Postbank suffers major breach

The South African Postbank has been left with no option but to replace 12 million bank cards for account holders and social grant beneficiaries after the bank discovered a security breach. The Postbank master key was stolen by employees of the bank, and replacing the cards is going to be costly, with an estimate put at R1 billion. The banking system master key is a 36-digit code that allows a user to take control over accounts, change account balances and manipulate transactions.

Most affected are the 8 to 10 million social grant beneficiaries with the bank. The criminals also have access to over 1 million other Postbank accounts. According to reports produced by the bank and seen by the Sunday Times, between March 2018 and December 2019 the Postbank lost R56 million, stolen from the bank cards of social grant beneficiaries by criminals who generated the master key.

Ransomware attack hits Tennessee City

The city of Knoxville, Tenn. is reeling from a ransomware attack that knocked the city’s network offline and prevented police officers from responding to non-life-threatening traffic crashes. The incident occurred Wednesday and shuttered systems until Thursday. Also impacted was the city’s internal IT network, public website and court systems – forcing Friday court sessions to be rescheduled.

“Our Information Technology team acted swiftly and followed best-practices protocols to shut down the City’s computer network, identify and isolate problems, and minimize damage,” according to an official city report.

While officials have not confirmed an initial source of the ransomware, local reports point to a spear-phishing email that was opened by a city employee. According to local news reports, the city has received an unspecified ransom demand from the attackers. Based on ransomware groups’ current activity levels and past victim profiles, the most likely suspects for this attack are Maze, DoppelPaymer and NetWalker – all of which exfiltrate and publish data.

Tracking a hack-for-hire operation

Researchers at the University of Toronto's Citizen Lab published a report on a hack-for-hire outfit based in India. The operation, which the researchers track as "Dark Basin," was tied to a Delhi-headquartered technology company called BellTroX InfoTech Services. The organisation has allegedly carried out commercial espionage against targets involved in legal battles, high-profile financial transactions, news stories, journalism, advocacy, and criminal cases.

The hackers primarily rely on phishing and social engineering to compromise their targets. Much of the report centres around the targeting of people involved in an environmentalist campaign focused on ExxonMobil, although the researchers are careful to stress that they have no evidence pointing to who actually hired the BellTroX hackers. BellTroX was also behind a spearphishing campaign that targeted net neutrality advocates in the summer of 2017.

The hacking firm is apparently headed and owned by one Sumit Gupta, who was charged in 2015 by the US Attorney for the Northern District of California for "crimes related to a conspiracy to access the e-mail accounts, Skype accounts, and computers of people opposing" his co-conspirators in civil lawsuits. The Justice Department said at the time that the FBI's office in New Delhi was seeking to secure Mr. Gupta's prosecution, but it's not clear if he was ever arrested.

Cyber attacks target vendor VPN vulnerabilities

Earlier this week, IT services giant Conduent confirmed that it had been affected by a ransomware attack. The company, which delivers services and solutions on behalf of businesses and governments across the world, said that its European operations were hit by the attack overnight on 29 May. Cyber attackers took advantage of a vulnerability in Citrix VPN appliances in the early hours of the morning, but in a statement Conduent confirmed that the incident resulted in only “partial interruption” and that most of its systems were back online by 10am that morning. Meanwhile, the ongoing exploitation of known vulnerabilities affecting VPN products from Pulse Secure, Fortinet and Palo Alto continues to cause alarm.

Edited and compiled by QA's Director of Cyber, Richard Beck.
