Here is our cyber security round-up of the week:
Insecure internet-facing databases wiped
Researchers warn that thousands of unsecured internet-facing databases have been on the receiving end of automated ‘Meow’ attacks that involve destroying the data without leaving as much as an explanatory note. A search on Shodan shows the Meow attacks have escalated in recent days, with almost 4,000 databases now wiped. While more than 97% of the attacks hit Elasticsearch and MongoDB instances, systems running Cassandra, CouchDB, Redis, Hadoop, Jenkins, and Apache ZooKeeper have been targeted as well.
The onslaughts owe their moniker to the fact that the data is overwritten with random characters that include the word ‘meow’. Both the perpetrators and their reasons for the scorched-earth tactics remain unknown.
Meanwhile, a security researcher wrote on Twitter that the attacks have been carried out using ProtonVPN IP addresses. Proton responded by saying, “We are looking into this and will block all usage of ProtonVPN which goes against our terms and conditions.”
While some researchers debate whether the attackers are trying to ‘educate’ administrators to keep their databases locked down, the fact remains that administrators should properly secure their assets. Attacks on misconfigured databases are not a rare occurrence. However, wiping ill-secured databases without leaving any (ransom) notes whatsoever could be considered unusual.
Undetectable Linux malware targeting docker servers with exposed APIs
Cyber-security researchers today uncovered a completely undetectable Linux malware that exploits undocumented techniques to stay under the radar and targets publicly accessible Docker servers hosted with popular cloud platforms, including AWS, Azure, and Alibaba Cloud. According to the latest research, an ongoing Ngrok mining botnet campaign is scanning the internet for misconfigured Docker API endpoints and has already infected many vulnerable servers with new malware.
Dubbed 'Doki', the new multi-threaded malware leverages "an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address despite samples being publicly available in VirusTotal." Doki managed to stay under the radar for more than six months despite having been uploaded to VirusTotal on 14 January 2020, and scanned multiple times since.
Surprisingly, at the time of writing, it's still undetectable by any of the 61 top malware detection engines. Users and organisations who run Docker instances are advised not to expose docker APIs to the internet, but if you still need to, ensure that it is reachable only from a trusted network or VPN, and only to trusted users to control your Docker daemon. If you manage Docker from a web server to provision containers through an API, you should be even more careful than usual with parameter checking to ensure that a malicious user cannot pass crafted parameters causing Docker to create arbitrary containers.
Secure boot vulnerability ‘BootHole’ impacts billions of devices
A team of cyber-security researchers today disclosed details of a new high-risk vulnerability affecting billions of devices worldwide—including servers and workstations, laptops, desktops, and IoT systems running nearly any Linux distribution or Windows system. Dubbed 'BootHole' and tracked as CVE-2020-10713, the reported vulnerability resides in the GRUB2 bootloader, which, if exploited, could potentially let attackers bypass the Secure Boot feature and gain high-privileged persistent and stealthy access to the targeted systems.
Discovered by researchers from Eclypsium, BootHole is a buffer overflow vulnerability that affects all versions of GRUB2 and exists in the way it parses content from the config file, which typically is not signed like other files and executables—leaving an opportunity for attackers to break the hardware root of trust mechanism. According to the detailed report, this vulnerability can lead to major consequences, and that's primarily because the attack allows hackers to execute malicious code even before the operating system boots, making it difficult for security software to detect the presence of malware or remove it.
Experts at Eclypsium have already contacted related industry entities, including OS vendors and computer manufacturers, to help them patch the issue. However, it doesn't appear to be an easy task to patch the issue altogether. Just installing patches with updated GRUB2 bootloader would not resolve the issue, because attackers can still replace the device's existing bootloader with the vulnerable version.
In an advisory released today, Microsoft acknowledged the issue, informing that it's "working to complete validation and compatibility testing of a required Windows Update that addresses this vulnerability." It also recommended users to apply security patches as soon as they are rolled out in the coming weeks. Besides Microsoft, many popular Linux distributions have also released related advisories explaining the flaw, possible mitigations, and timeline on the upcoming security patches.
Here's a list for all advisories:
More organisation fall victim to ransomware in France
Maze actors have compromised Lectra, a textile-cutting equipment expert from France. The ransomware group has already leaked 5% of the stolen data, and they are threatening to release more soon. There has been a wave of ransomware attacks in France lately, and it could be the result of coordination. The Paris-based CAD, CAM, software, and Lectra have been compromised by the Maze ransomware group.
As confirmed by the Cyble research team, the prolific group of actors has already published 5% of the data they stole from the company’s systems, in the context of the typical coercion procedure. But since Lectra client data is also in the actors’ hands, this is not just about the French. The company sells industrial systems to Louis Vuitton, Hermes, H&M, as well as large automotive and aerospace manufacturers who need leather-cutting tech.
What is particularly interesting in this case is that it’s the fourth recent ransomware attack on a big French company. This month alone, Netwalker has breached Axens SA and Rabot Dutilleul, while Nefilim operators struck Orange S.A., a big telco in the country. All of this could be unconnected, although it’s very likely that malicious actors exchange info, help each other, and generally move in some level of coordination. This is just an assumption, though, as there are no clear links to connect the individual breaches just yet. Maze is a very active RaaS program that is run by Russian operators and has been a particularly troubling entity for large organisations globally. From Chubb to Banco BCR and from Westech International to Lectra, the hackers have stolen large quantities of sensitive information that enabled them to extort millions from their victims.
Critical vulnerabilities in industrial VPN implementation
Cybersecurity researchers have discovered critical vulnerabilities in industrial VPN implementations primarily used to provide remote access to operational technology (OT) networks that could allow hackers to overwrite data, execute malicious code, and compromise industrial control systems (ICS).
A new report published by industrial cybersecurity company Claroty demonstrates multiple severe vulnerabilities in enterprise-grade VPN installations, including Secomea GateManager M2M Server, Moxa EDR-G902, and EDR-G903, and HMS Networks eWon's eCatcher VPN client. These vulnerable products are widely used in field-based industries such as oil and gas, water utilities, and electric utilities to remotely access, maintain and monitor ICS and field devices, including programmable logic controllers (PLCs) and input/output devices.
According to Claroty researchers, successful exploitation of these vulnerabilities can give an unauthenticated attacker direct access to the ICS devices and potentially cause some physical damage. The critical flaw, identified as CVE-2020-14500, affects the GateManager component, the main routing instance in the Secomea remote access solution. The flaw occurs due to improper handling of some of the HTTP request headers provided by the client. This flaw can be exploited remotely and without requiring any authentication to achieve remote code execution, which could result in gaining full access to a customer's internal network, along with the ability to decrypt all traffic that passes through the VPN.
All three vendors were notified of the vulnerabilities and responded quickly to release security fixes that patch their products' loopholes.
Remote timing attacks regardless of congestion
Security researchers have outlined a new technique that renders a remote timing-based side-channel attack more effective regardless of the network congestion between the adversary and the target server. Remote timing attacks that work over a network connection are predominantly affected by variations in network transmission time (or jitter), which, in turn, depends on the load of the network connection at any given point in time.
The new method, called Timeless Timing Attacks (TTAs), instead leverages multiplexing of network protocols and concurrent execution by applications, thus making the attacks immune to network conditions. Currently, 37.46% of all desktop websites are served over HTTP/2, a number that increases further to 54.04% for sites that support HTTPS. Although this makes a huge number of websites susceptible to TTAs, the researchers note that many of them rely on content delivery networks (CDN), such as Cloudflare, which still uses HTTP/1.1 for connections between the CDN and the origin site.
But in a twist, the researchers found that concurrency-based timing attacks can also be deployed against Tor onion services, including those that only support HTTP/1.1, allowing an attacker to create two Tor connections to a particular onion service, and then simultaneously send a request on each of the connections to measure a timing difference of 1μs.
Edited and compiled by QA's Director of Cyber, Richard Beck.
Subscribe to our weekly Cyber Pulse newsletter below.
Stay in the know
Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.
And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
Richard BeckRichard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. Responsible for the QA cyber portfolio, products, proposition and cyber partner community. He has over 15 years' experience in senior Information Security roles.
More articles by Richard
Cyber Pulse: Edition 189 | 05 August 2022
Cyber Pulse: Edition 188 | 27 July 2022
Cyber Pulse: Edition 187 | 18 July 2022
Cyber Pulse: Edition 186 | 23 June 2022
Cyber Pulse: Edition 185 | 23 May 2022
Cyber Pulse: Edition 184 | 13 May 2022
Cyber Pulse: Edition 183 | 29 April 2022
Cyber Pulse: Edition 182 | 22 April 2022
Cyber Pulse: Edition 181 | 13 April 2022
Cyber Pulse: Edition 180 | 04 April 2022