by Richard Beck

Here is our cyber security news round-up of the week:

Crypto-mining botnet is stealing Docker and AWS credentials

Analysts from security firm Trend Micro said in a report that they've spotted a malware botnet that collects and steals Docker and AWS credentials. Researchers have linked the botnet to a cybercrime operation known as TeamTNT, a group first spotted in the summer of 2020 installing cryptocurrency-mining malware on misconfigured container platforms. Researchers said the hacking group would access exposed Docker containers and install crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company's other IT systems, infect even more servers and deploy more crypto-miners.

The researchers said that the gang's malware code had received considerable updates since it was first spotted last summer. It has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code. This feature is most likely used on container platforms where the botnet infects hosts using entry points other than its original Docker API port scanning feature. Researchers point out that with the addition of this feature, "implementing [Docker] API authentication is not enough" and that companies should make sure Docker management APIs aren't exposed online in the first place, even when using strong passwords. But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy firewalls to limit who can access the port using allow-lists.
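A defensive check for the recommendation above, as an added example (not from Trend Micro's report or the original article): it audits the contents of a Docker daemon.json for network-facing API listeners. The sample configurations, the function names and the allowlist parameter (the CIDR ranges the operator's firewall admits to the API port) are constructed assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit


def is_loopback(host):
    """True if the bind address can only be reached from the host itself."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit_docker_api(daemon_json, allowlist=()):
    """Return (severity, listener, reason) findings for a daemon.json document.

    Covers daemon.json only; listeners passed to dockerd with -H on the
    command line need the same review. `allowlist` is an assumption: the
    CIDR ranges the operator's firewall lets through to the API port.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify"))  # client-certificate authentication
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    open_to_all = not nets or any(n.prefixlen == 0 for n in nets)
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local sockets
        host = url.hostname or "0.0.0.0"  # "tcp://:2375" binds every interface
        if is_loopback(host):
            continue
        if not tls_verify:
            findings.append(("critical", listener,
                             "network listener without client-certificate verification"))
        if open_to_all:
            # Authentication alone is not enough: stolen API credentials
            # still work from anywhere unless the source is restricted.
            findings.append(("high", listener,
                             "no firewall allow-list limits who can reach the port"))
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
AUTH_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'

if __name__ == "__main__":
    for name, cfg in [("WEAK", WEAK), ("AUTH_ONLY", AUTH_ONLY), ("LOCAL_ONLY", LOCAL_ONLY)]:
        print(name, audit_docker_api(cfg))
```
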

Sensitive London council data published three months after breach

Sensitive data stolen from Hackney Council in the UK has allegedly been published online, three months after the ransomware attack on the local authority that took place last year. The data includes sensitive personal data of staff and residents, such as passport documents.

In October 2020, London’s Hackney Council revealed it had been the victim of a serious cyber-attack that affected many of its services and IT systems. In a new statement on its website, the council said it was working with NCSC, National Crime Agency, Information Commissioner's Office, the Metropolitan Police and other experts to investigate what has been published and the next steps to take. It noted that experts believe the data has not been published on a widely available public forum and is not visible through internet search engines, adding that “at this stage, it appears that the vast majority of the sensitive or personal information held by the council is unaffected, but the council and its partners are reviewing the data carefully and will support any directly affected people.”

Mayor of Hackney, Philip Glanville, stated:

“I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected. While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them. We are already working closely with the police and other partners to assess any immediate actions we need to take, and will share further information about the additional action we will be taking as soon as we can.”

Google Chrome & Firefox Browser Critical Vulnerabilities

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) asked users of the Mozilla Foundation's Firefox browser and Windows, macOS, and Linux users of Google's Chrome browser to fix bugs tracked as CVE-2020-16044 and CVE-2020-15995 respectively. CVE-2020-16044 is classified as a use-after-free bug tied to the way Firefox handles browser cookies; if exploited, it permits hackers to access the computer, telephone, or tablet running the browser software. Google's Chrome browser bug, CVE-2020-15995, was affecting the current 87.0.4280.141 version of the software. The CISA bug warning stated that the update to the most recent version of the Chrome browser "addresses vulnerabilities that an attacker could exploit to take control of a tainted system." Microsoft's most recent Edge browser is based on Google's Chromium browser engine, and Microsoft also encouraged its users to update to the most recent 87.0.664.75 version of its Edge browser. Coincidentally, Mozilla Firefox has also announced it is disabling the browser's backspace key to prevent users from accidentally losing data typed into forms.

While researchers at Tenable group called the out-of-bounds bug critical, both Google and Microsoft characterized the vulnerability as being of high severity. Neither Microsoft nor Google clarified why the September 2020 CVE-2020-15995 is being highlighted again in both their security bulletins. Typically, that means that the first fix was incomplete. Separately, Google paid security researchers $20,000 for fixes to 16 other Chrome vulnerabilities.

Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws

In all, Nvidia patched flaws tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021. Nvidia, which makes gaming-friendly graphics processing units (GPUs), on Thursday fixed a slew of high-severity flaws affecting its graphics driver. The vulnerabilities allow bad actors to cripple systems with denial of service attacks, escalate privileges, tamper with data or sniff out sensitive data. Affected is Nvidia’s graphics driver (formally known as the GPU Display Driver) for Windows. The graphics driver is used in devices targeted to enthusiast gamers; it’s the software component that enables the device’s operating system and programs to use its high-level, gaming-optimized graphics hardware.

Nvidia’s Thursday security update addresses flaws tied to 16 CVEs overall. The most severe of these (CVE‑2021‑1051) is an issue in the graphic drivers’ kernel mode layer. This flaw ranks 8.4 out of 10 on the CVSS scale, making it high severity. Many of the flaws addressed in Nvidia’s Thursday security advisory stem from Nvidia’s vGPU manager, its tool that enables multiple virtual machines to have simultaneous, direct access to a single physical GPU, while also using Nvidia graphics drivers deployed on non-virtualized operating systems. Various Nvidia GeForce Windows and Linux driver branches are affected; Nvidia has released a full list of affected versions and updated driver versions on its security advisory. The graphics chip manufacturer has likewise released fixes for specific versions of the vGPU software affected by these flaws on its website.

Defending Open Source from Supply Chain Attacks

The software supply chain attack against IT infrastructure vendor SolarWinds last year has served to revive interest in technologies that might mitigate this kind of attack. One promising project aiming to prevent such incidents is Gossamer, which is billed as offering supply chain security for open source software. Gossamer uses a combination of cryptographic signatures and transparency logs in order to safeguard software updates from tampering by making any malfeasance apparent.

Transactions (such as issuing an update or adding a software signing key) are published on an append-only cryptographic ledger. The technology offers a means to verify who released an update as well as its authenticity.

As this timeline illustrates, the genesis of the Gossamer project dates way back to July 2014. The project has gone through numerous significant revisions in the six and a half years since its inception. The developer tools aspect of the project is described as two-thirds complete and “in progress”, whilst WordPress and Composer integration are both pending. A roadmap for the project explains that the ultimate goal of Gossamer is to ensure that PHP and WordPress developers have the capability of signing their open source software and verifying that the dependencies they install from third-party developers are authentic.

Nissan source code leaked online after Git repository misconfiguration

Nissan was allegedly running a Bitbucket Git server with the default credentials of admin/admin. The source code of mobile apps and internal tools developed and used by Nissan North America has leaked online after the company misconfigured one of its Git servers. The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin, Tillie Kottmann, a Swiss-based software engineer, told ZDNet in an interview this week. Kottmann, who learned of the leak from an anonymous source and analysed the Nissan data on Monday, said the Git repository contained the source code of:

  • Nissan NA Mobile apps
  • some parts of the Nissan ASIST diagnostics tool
  • the Dealer Business Systems / Dealer Portal
  • Nissan internal core mobile library
  • Nissan/Infiniti NCAR/ICAR services
  • client acquisition and retention tools
  • sale / market research tools + data
  • various marketing tools
  • the vehicle logistics portal
  • vehicle connected services / Nissan connect things
  • and various other backends and internal tools

The Git server, a Bitbucket instance, was taken offline yesterday after the data started circulating on Monday in the form of torrent links shared on Telegram channels and hacking forums.

Edited and compiled by QA's Director of Cyber, Richard Beck.
