Cyber Pulse: Edition 126 | 24 August 2020

Here is our cyber security news round-up of the week:

Continued threat to DevOps pipelines

Researchers have identified that the increased adoption of containers has given rise to a wide range of potential threats to DevOps pipelines. Many of the attacks we observed involved the abuse of container images to carry out malicious functionalities. In our monitoring of Docker-related threats, we recently encountered an attack coming from 62[.]80[.]226[.]102. Further analysis revealed that the threat actor uploaded two malicious images to Docker Hub for cryptocurrency mining. Docker was already notified of this attack and has since removed the malicious images.

The two images were labelled "alpine" and "alpine2" to trick developers into using them, as Alpine Linux is a popular base Docker image. Analysing the Dockerfile of the threat actor’s alpine image revealed that containers ran from this image could scan the internet for vulnerable Docker servers using Masscan, a network port scanner. Further analysis showed that the script sends a command that will run a container from the threat actor’s alpine2 image to all exposed Docker servers that it could find. A closer look into the Dockerfile of the alpine2 image revealed that the image was built using Alpine Linux as its base image and that alpine2 installs dependencies and clones the source code of the mining software from the official XMRIG GitHub repository. Lastly, the cryptocurrency miner would be built from the source code and then executed.

Advice for defending against Docker-related threats

The discovery of yet another threat that abuses Docker containers should remind development teams to avoid exposing Docker Daemon ports to the public internet. Development teams should also consider using only official Docker images to prevent potential security risks and threats. Here are other best practices for securing containers:

• Minimise the use of third-party software and use verifiable ones to avoid introducing malicious software to the container environment.
• Scan images in the repository to check for misconfigurations and determine if they contain any vulnerabilities.
• Prevent vulnerability exploitation by using tools such as Clair, which provides static analysis for containers.
• Host containers in a container-focused OS to reduce the attack surface.

Vishing attacks spike following Twitter hack

The phone-based phishing caper that enabled takeover of more than a hundred high-profile Twitter accounts is apparently serving as a template for other attacks. Researchers report that a growing number of organisations are experiencing similar copycat approaches, with varying but disturbing degrees of success. Like the Twitter hack, these attacks seem to be launched by young, English-speaking troublemakers organising on Discord and shady forums, but researchers say their techniques are so effective that organisations should prepare to see these tactics deployed by more sophisticated criminals and state-sponsored groups. Says the researcher:

“Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries. I've seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn't think are soft targets. And it's happening repeatedly, like the companies can't keep them out."

Voice- phishing, also called "vishing," isn’t new but in the past it’s primarily been used against mobile carriers in SIM-swapping attacks. This recent wave of vishing attacks is more wide-ranging and often involves convincing a victim to enter their credentials on a spoofed login page.

Taiwan blames Chinese APTs for hacking campaign

Authorities in Taiwan have blamed four Chinese government hacking groups – Blacktech, Taidoor, Mustang Panda and APT40 – for running cyber-espionage campaigns against 10 Taiwanese government agencies since at least 2018, the South China Morning Post reports. The Taiwan Investigation Bureau's Cyber Security Investigation Office said the actors placed backdoors on email servers and gained access to around 6,000 government email accounts. In some cases, the attackers first compromised Taiwanese tech companies that worked as contractors for the government, using these to obtain footholds within government networks. Taipei isn't sure exactly what information was stolen, since the attackers erased evidence of their activities. Beijing called Taiwan's accusations "malicious slander", Reuters reports.

GoldenSpy's operators are trying to cover their tracks

Researchers report finding five versions of an uninstaller for the GoldenSpy backdoor carried by tax software whose use is required of companies doing business in China. The uninstaller was dropped by an update module to erase GoldenSpy before deleting itself. Researchers believe the uninstallers were deployed by those behind the GoldenSpy backdoor to cover their traces. The actors also issued modified versions of the uninstallers, which Trustwave says were "specifically designed to evade our YARA rules we published." The researchers conclude that their findings "should serve as a wake-up call for organisations because it proves any actions including implanting and extracting malware can be taken covertly and at the will of the attacker with the help of the updater module without impacting the functionality of the Golden Tax software."

FritzFrog P2P botnet is cryptomining, for now

Researchers have found a peer-to-peer Linux botnet, FritzFrog, which it describes as sophisticated, fileless, evasive, proprietary and aggressive. It's attempted to brute-force tens of millions of IP addresses using an extensive dictionary, and has succeeded in breaching "over 500 SSH servers, including those of known high-education institutions in the U.S. and Europe, and a railway company."

The FritzFrog malware operates completely in-memory and doesn't attempt to survive reboots, but it leaves a public SSH key as a backdoor, enabling the attackers to return at their leisure. The malware could potentially be used to deliver a range of payloads, but so far seems to have for the most part been engaged in cryptojacking systems to mine Monero. The botnet seems to be unique, which is why the researchers call its code "proprietary", although it bears some minor similarities to another P2P botnet known as "Rakos". P2P botnets are harder to identify and shut down since they use a decentralised administration scheme instead of a few conspicuous command-and-control servers.

Freepik compromised – 8.3 million users impacted

Freepik, one of the most popular online graphic resources sites, has disclosed a major security breach that impacted 8.3 million users. Freepik says that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company’s Flaticon website.

Freepik is one of today’s most popular sites, it is currently ranked #97 on the Alexa Top 100 sites list, while Flaticon is ranked #668. The company is notifying the impacted registered users via email. Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites. According to the company, 4.5M out of these 8.3M user records had no hashed password because they used exclusively federated logins, which means that attackers only accessed their email address. The company did not disclose technical details of the incident, such as when the intrusion took place. The company is currently investigating the incident.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber-security courses.