[Some Interesting] Cloud ‘n Sec news: 15th Apr 22
What’s worth your reading time
Cloud
AWS
AWS RDS Vulnerability reported
A researcher from Lightspin’s Research team reported findings of a vulnerability in AWS RDS.
The write-up by the researcher is amazing, have a read.
The vulnerability has been fixed. As reported by the researcher:
We reported this vulnerability to the AWS security team, and they released a fix for the latest engine version within a few days. The AWS security team did an investigation to validate that this vulnerability was not exploited previously by someone else and confirmed that.
AWS published a security bulletin on the vulnerability:
https://aws.amazon.com/security/security-bulletins/AWS-2022-004/
Security
Industry
Raspberry Pi removing default “pi” user
Good news for enthusiasts: in new versions of the Raspberry Pi OS, from the “Bullseye” release onwards, the default user “pi” has been removed. The change means that on new installations of the OS the user will be prompted not only for a password — like before — but for a new username too. Handy.
A Raspberry Pi engineer said the following, according to Bleeping Computer’s article:
We are not getting rid of the ‘pi’ user on existing installs. We are not stopping anyone from entering ‘pi’ and ‘raspberry’ as the username and password on a new install. All we are doing is making it easy for people who care about security to not have a default ‘pi’ user — which is something people have been requesting for some time now.
Said Simon Long, Senior Principal Engineer at Raspberry Pi.
End of quote.
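Since existing installs keep the ‘pi’ account, a quick way to audit a fleet is to check each box for that login and whether it can still sudo. This is an added example, not code from the article or from Raspberry Pi; it runs against constructed copies of /etc/passwd and /etc/group so it can be tried offline, and the file paths are parameters so the same functions can be pointed at a real system.

```shell
#!/bin/sh
# Added example (not from the article): audit a Raspberry Pi OS install for the
# legacy default "pi" account, which the Bullseye installer no longer creates but
# which remains on upgraded systems. File paths are parameters so the functions
# can run against the constructed samples below or against real /etc files.

# Constructed sample files standing in for /etc/passwd and /etc/group.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
alice:x:1001:1001:,,,:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:pi,alice
adm:x:4:pi
EOF

# pi_account_present PASSWD_FILE -> status 0 if a "pi" login exists, 1 otherwise
pi_account_present() {
    grep -q '^pi:' "$1"
}

# pi_in_sudo_group GROUP_FILE -> status 0 if "pi" is listed as a member of "sudo"
pi_in_sudo_group() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == "pi") found = 1 }
             END { exit !found }' "$1"
}

# audit_default_user PASSWD_FILE GROUP_FILE -> prints one of:
#   absent  : no "pi" account (what a fresh Bullseye install looks like)
#   present : "pi" exists but is not a sudoer
#   sudoer  : "pi" exists and is a sudoer (the legacy default, worth reviewing)
audit_default_user() {
    if ! pi_account_present "$1"; then
        echo absent
    elif pi_in_sudo_group "$2"; then
        echo sudoer
    else
        echo present
    fi
}

audit_default_user "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"   # prints: sudoer
```

On a live system, call `audit_default_user /etc/passwd /etc/group` instead of the sample paths.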
Atlassian services offline, affecting customers
The outage started back on April 5th and, as of April 15th, still hasn’t been resolved.
Seven days later, the company’s status page still shows ‘Active Incidents’ for Jira Software, Jira Work Management, Jira Service Management, Confluence, Opsgenie, Statuspage, and Atlassian Access.
While the impact on businesses using its products is undeniable, Atlassian said only around 400 of its more than 200,000 customers are affected.
End of quote.
Threats
Reports of FBI removing Russian Malware from companies
Ars Technica reported late last week on the FBI removing Russian state botnet malware from infected devices in the US.
Taking action before any internal blue team could; secret kudos to you.
Quoting the Ars Technica article:
The infected devices were primarily made up of firewall appliances from WatchGuard and, to a lesser extent, network devices from Asus. Both manufacturers recently issued advisories providing recommendations for hardening or disinfecting devices infected by the botnet, known as Cyclops Blink. It is the latest botnet malware from Russia’s Sandworm, which is among the world’s most elite and destructive state-sponsored hacking outfits.
End of quote.
Microsoft’s security team dismantled a ZLoader operation — a malware family derived from the 15-year-old Zeus banking malware. Its modern implementation includes the ability to:
- evade defenses (disabling security and antivirus tools)
- sell access-as-a-service to other groups — including ransomware operators
- capture screenshots
- collect cookies
- steal credentials and banking data
- launch persistence mechanisms
- provide remote access
- and more…
The original report by Microsoft details all findings; I highly recommend a read. On the impact of ZLoader, the report mentions, and I quote:
ZLoader campaign operators evolved the malware from a basic banking trojan to a more sophisticated piece of malware capable of monetizing compromised devices by selling access to other affiliate groups. By leveraging and misusing legitimate tools like Cobalt Strike and Splashtop, affiliates gain hands-on-keyboard access to affected devices, which can be further misused for other malicious activities like credential theft or downloading additional payloads, including ransomware. ZLoader has previously been linked to ransomware infections such as Ryuk, DarkSide, and BlackMatter.
End of quote.
CISA added a high-severity Windows bug to its list of exploited vulnerabilities
CISA’s Known Exploited Vulnerabilities (KEV) catalog directly affects US federal civilian agencies — any bug on the list that is under active exploitation must be remediated. Naturally this raises alarms everywhere else as well.
Among the bugs is a high-severity local privilege escalation bug in the Windows Common Log File System Driver.
This high severity security flaw (tracked as CVE-2022-24521) was reported by CrowdStrike and the US National Security Agency (NSA), and it got patched by Microsoft during this month’s Patch Tuesday.
End of quote.
PoC released for a critical VMware Workspace ONE vulnerability
The report from Bleeping Computer reads:
A proof-of-concept exploit has been released online for the VMware CVE-2022-22954 remote code execution vulnerability, already being used in active attacks that infect servers with coin miners.
The vulnerability is a critical (CVSS: 9.8) remote code execution (RCE) impacting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.
End of quote.
Dragos releases research on new ICS-specific malware named PIPEDREAM
The team reported their findings on the 7th known ICS-specific malware, developed by the Chernovite activity group. They named the malware “PIPEDREAM”.
There are no reports of the malware having been used in the wild.
As stated in the original report by Dragos’ team:
PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.
End of quote.
The report contains a whitepaper with further details on the matter and mitigation recommendations. Make sure to read it.
Attacks
Fashion house hit by ransomware attack back in August 2021
The victim originally reported having been breached last year, but now the official SEC filing has revealed that it was a ransomware attack.
The SEC filing discloses the incident as a potential risk to investors. Cybersecurity is a business decision — as is clear to everyone these days.
The ransomware strain that hit Ermenegildo Zegna was claimed by the RansomEXX operation.
Reported by Bleeping Computer.
Lots of reading for your Easter. Crunch on!