[Some Interesting] Cloud ‘n Sec news: 15th Apr 22

What’s worth your reading time

Cloud

AWS

AWS RDS Vulnerability reported

A researcher from Lightspin’s Research team reported findings of a vulnerability in AWS RDS.

The write-up by the researcher is amazing, have a read.

The vulnerability has been fixed. As reported by the researcher:

We reported about this vulnerability to AWS security team, and they released a fix for the latest engine version within few days. AWS security team did an investigation to validate that this vulnerability was not exploited previously by someone else and confirmed that.

AWS published a security bulletin on the vulnerability:

https://aws.amazon.com/security/security-bulletins/AWS-2022-004/

Security

Industry

Raspberry removing default “PI” user

Good news for enthusiasts, new versions of the Raspberry PI OS from release “Bullseye” forwards, the default user “pi” has been removed. The change means that in new installations of the OS, the user will be prompted, not only for a password — like before, but for a new username too, handy.

A Raspberry engineer said the following according to Bleeping Computer’s article:

We are not getting rid of the ‘pi’ user on existing installs. We are not stopping anyone from entering ‘pi’ and ‘raspberry’ as the username and password on a new install. All we are doing is making it easy for people who care about security to not have a default ‘pi’ user — which is something people have been requesting for some time now.

Said Simon Long, Senior Principal EngineerSenior at Raspberry Pi.

End of quote.

Atlassian services offline, affecting customers

The outage started back on April 5th and by 15th april still hasnt been solved.

Bleeping computer reported:

Seven days later, the company’s status page still shows ‘Active Incidents’ for Jira Software, Jira Work Management, Jira Service Management, Confluence, Opsgenie, Statuspage, and Atlassian Access.

While the impact on businesses using its products is undeniable, Atlassian said only around 400 of its more than 200,000 customers are affected.

End of quote.

Threats

Reports of FBI removing Russian Malware from companies

Arstechnica reported late last week about FBI removing a russion state botnet malware from US-infected devices.

Taking action before any internal Blue team could, secret kudos to you.

The article from Arstechnica reported, quoting it:

The infected devices were primarily made up of firewall appliances from WatchGuard and, to a lesser extent, network devices from Asus. Both manufacturers recently issued advisories providing recommendations for hardening or disinfecting devices infected by the botnet, known as Cyclops Blink. It is the latest botnet malware from Russia’s Sandworm, which is among the world’s most elite and destructive state-sponsored hacking outfits.

End of quote.

Microsoft security team dimanttled a Zloader operation — a malware family derived from 15 year old Zeus banking campaign. Its modern implementation includes ability to:

  • evade defense (disabling security and antivitus tools)
  • access-as-a-service, selling it to other groups — including ransomware operators
  • Capturing screenshots
  • collecting cookies
  • stealing credentials and banking data
  • launching persistence machanisms
  • Providing remote access
  • and more…

The original report by Microsoft details all findings, highly recomend a read. Looking at the impact of Zloader, the report mentioned and I quote:

ZLoader campaign operators evolved the malware from a basic banking trojan to a more sophisticated piece of malware capable of monetizing compromised devices by selling access to other affiliate groups. By leveraging and misusing legitimate tools like Cobalt Strike and Splashtop, affiliates gain hands-on-keyboard access to affected devices, which can be further misused for other malicious activities like credential theft or downloading additional payloads, including ransomware. ZLoader has previously been linked to ransomware infections such as Ryuk, DarkSide, and BlackMatter.

End of quote.

CISA added high severity Windows bug to list of exploited vulnerabilities

This list maintained by CISA of Known Exploited Vulnerabilities (KEV) impacts US federal civilian Agencies directly — any bugs part of the list with actively exploits must by secured. Naturally this raises alarms everywhere else as well.

Among the bugs is a high severity local privilege escalation bug in the Windows Common Log File System Driver.

Bleeping computer reported:

This high severity security flaw (tracked as CVE-2022–24521) was reported by CrowdStrike and the US National Security Agency (NSA), and it got patched by Microsoft during this month’s Patch Tuesday.

End of quote.

POC released for a VMware workspace one Critical vulnerability

The report from Bleeping computer reads:

A proof-of-concept exploit has been released online for the VMware CVE-2022–22954 remote code execution vulnerability, already being used in active attacks that infect servers with coin miners.

The vulnerability is a critical (CVSS: 9.8) remote code execution (RCE) impacting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.

End of quote.

Dragos security released research new ICS-specific malware named PIPEDREAM

The team repored their findings on the 7th known ICS specific malware developed by the Chernovite Activity group. They named the malware “PIPEDREAM”.

There are no reports of the malware having been used in the wild.

As evidenced in the original report by Dragos’ team:

PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.

End of quote.

The report contains a whitepaper with further details on the matter and mitigation recommendations. Make sure to access it.

Attacks

Fashion house hit by Ransomware attack back in August 2021

The victim originally reported having been breached last year, but now the official SEC filing revealed that it was a Ransomware attack.

The report from SEC reveals potential investment risks to investors. Cybersecurity is a business decision — as it’s clear to everyone these days.

The Strain that impacted the Ermenegildo Zegna was claimed by the RansomEXX operation.

Reports by Bleeping computer.

Lots of reading for your easter. Crunch on!

Follow me on twitter.

Learn more about my Cloud and Security Projects on the Web, Podcast , Youtube.

Thank you for reading and leave your thoughts/comments!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store