Ubuntu Security Notice 7042-3 - USN-7042-2 released an improved fix for cups-browsed. This update provides the corresponding update for Ubuntu 24.10. Simone Margaritelli discovered that cups-browsed could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, created manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol.

    ==========================================================================Ubuntu Security Notice USN-7042-3October 21, 2024cups-browsed vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.10Summary:cups-browsed could be made to run programs if it received specially craftednetwork traffic.Software Description:- cups-browsed: OpenPrinting cups-browsedDetails:USN-7042-2 released an improved fix for cups-browsed. This update providesthe corresponding update for Ubuntu 24.10.Original advisory details: Simone Margaritelli discovered that cups-browsed could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, created manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.10  cups-browsed                    2.0.1-0ubuntu2.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-7042-3  https://ubuntu.com/security/notices/USN-7042-2  https://ubuntu.com/security/notices/USN-7042-1  CVE-2024-47176Package Information:  https://launchpad.net/ubuntu/+source/cups-browsed/2.0.1-0ubuntu2.1

Ubuntu Security Notice USN-7042-3

Cary, NC, 22nd October 2024, CyberNewsWire

**Cary, NC, October 22nd, 2024, CyberNewsWire**

INE Security offers essential advice to protect digital assets and enhance security.

As small businesses increasingly depend on digital technologies to operate and grow, the risks associated with cyber threats also escalate. INE Security, a leading provider of cybersecurity training and certifications, today shared its cybersecurity training for cyber hygiene practices for small businesses, underscoring the critical role of continuous education in safeguarding digital assets.

> “Small businesses face a unique set of cybersecurity challenges and threats and must be especially proactive with cybersecurity training,” said Dara Warn, CEO of INE Security. “At INE Security, we work directly with small business leaders to ensure they are able to assess their team’s skills and access the cybersecurity training that will be most effective to their unique needs.”

**Tip 1: Educating and Training the Workforce Regularly**

Human error remains one of the leading causes of data breaches. According to the Verizon 2024 Data Breach Investigations Report, 68% of cybersecurity breaches are caused by human error. INE Security emphasizes the importance of regular training for all employees. Cybersecurity training for small businesses is critical, and SMBs should invest in training programs to help employees recognize threats such as phishing attacks, ransomware, and other malicious activities.

**Tip 2: Implementing Strong Password Policies**

Weak passwords can be easily compromised, giving attackers access to sensitive systems and data. LastPass reports that 80% of all hacking-related breaches leveraged either stolen and/or weak passwords. INE Security recommends implementing strong password policies that require the use of complex passwords and regular updates. 

**Tip 3: Securing and Monitoring the Network**

Small businesses often overlook network security, leaving them vulnerable to attacks. INE Security advises businesses to secure their network by using firewalls, encrypting data, and regularly updating security software. Network monitoring tools can also detect unusual activities and prevent potential breaches. The cost of ignoring such measures can be substantial, as noted in IBM’s 2023 Cost of a Data Breach Report, which found the average impact of a data breach on small businesses can exceed $3.31 million.

**Tip 4: Regularly Updating and Patching Systems**

Keeping software and systems up to date is crucial in protecting against vulnerabilities. Many cyber attacks exploit vulnerabilities in outdated software. Nearly 60% of organizations hit by a data breach blame a known vulnerability for which they had not yet patched, according to reports published by Dark Reading. INE Security recommends establishing a routine for updating and patching software, which can significantly reduce the risk of a breach. 

**Tip 5: Backing Up Data Regularly**

Data loss can be devastating for small businesses. Regular backups ensure that businesses can recover quickly from ransomware attacks or other data loss incidents. INE Security suggests using automated backup solutions that regularly save copies of all critical data in a secure, off-site location, in addition to following the 3-2-1 rule recommended by the Department of Homeland Security’s Computer Emergency Readiness Team. The 3-2-1 rule recommends:

**3** – Keeping **3** copies of any important file: 1 primary and 2 backups.

**2** – Keeping the files on **2** different media types to protect against different types of hazards. 

**1** – Storing **1** copy offsite (e.g., outside the house or business facility)

For more information about cybersecurity training programs that can help protect small business, users can visit security.ine.com. 

**About** **INE Security****:** 

INE Security is the premier provider of online technical training for the IT/IS industry. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE Security is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in a cybersecurity career. 

**Contact**

**Director of Global Strategic Communications and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Launches New Training Solutions to Enhance Cyber Hygiene for SMBs

Red Hat Security Advisory 2024-8014-03 - Network Observability 1.7 for Red Hat OpenShift. Issues addressed include code execution, cross site scripting, and denial of service vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8014.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Network Observability 1.7.0 for OpenShift  
Advisory ID:        RHSA-2024:8014-03  
Product:            Network Observability  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8014  
Issue date:         2024-10-22  
Revision:           03  
CVE Names:          CVE-2024-34155  
====================================================================

Summary: 

Network Observability 1.7 for Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Network Observability 1.7.0

Security Fix(es):

* Network Observability: Code Execution Vulnerability in Send Library (CVE-2024-43799)  
* Network Observability: XSS vulnerability via prototype pollution (CVE-2024-45801)  
* Network Observability: axios: Server-Side Request Forgery (CVE-2024-39338)  
* Network Observability: Denial of Service Vulnerability in body-parser (CVE-2024-45590)  
* Network Observability: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule (CVE-2024-43788)  
* Network Observability: Backtracking regular expressions cause ReDoS (CVE-2024-45296)  
* Network Observability: Improper Input Handling in Express Redirects (CVE-2024-43796)  
* Network Observability: Improper Sanitization in serve-static (CVE-2024-43800)  
* Network Observability: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)  
* Network Observability: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* Network Observability: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-34155

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2308193  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2310908  
https://bugzilla.redhat.com/show_bug.cgi?id=2311152  
https://bugzilla.redhat.com/show_bug.cgi?id=2311153  
https://bugzilla.redhat.com/show_bug.cgi?id=2311154  
https://bugzilla.redhat.com/show_bug.cgi?id=2311171  
https://bugzilla.redhat.com/show_bug.cgi?id=2312631  
https://issues.redhat.com/browse/NETOBSERV-1377  
https://issues.redhat.com/browse/NETOBSERV-1509  
https://issues.redhat.com/browse/NETOBSERV-1538  
https://issues.redhat.com/browse/NETOBSERV-1540  
https://issues.redhat.com/browse/NETOBSERV-1564  
https://issues.redhat.com/browse/NETOBSERV-163  
https://issues.redhat.com/browse/NETOBSERV-1666  
https://issues.redhat.com/browse/NETOBSERV-1667  
https://issues.redhat.com/browse/NETOBSERV-1733  
https://issues.redhat.com/browse/NETOBSERV-1746  
https://issues.redhat.com/browse/NETOBSERV-1748  
https://issues.redhat.com/browse/NETOBSERV-1753  
https://issues.redhat.com/browse/NETOBSERV-1766  
https://issues.redhat.com/browse/NETOBSERV-1779  
https://issues.redhat.com/browse/NETOBSERV-1783  
https://issues.redhat.com/browse/NETOBSERV-1788  
https://issues.redhat.com/browse/NETOBSERV-1798  
https://issues.redhat.com/browse/NETOBSERV-1805  
https://issues.redhat.com/browse/NETOBSERV-1806  
https://issues.redhat.com/browse/NETOBSERV-1808  
https://issues.redhat.com/browse/NETOBSERV-1811  
https://issues.redhat.com/browse/NETOBSERV-1812  
https://issues.redhat.com/browse/NETOBSERV-1813  
https://issues.redhat.com/browse/NETOBSERV-1816  
https://issues.redhat.com/browse/NETOBSERV-1819  
https://issues.redhat.com/browse/NETOBSERV-1848  
https://issues.redhat.com/browse/NETOBSERV-1884

Red Hat Security Advisory 2024-8014-03

Red Hat Security Advisory 2024-7759-03 - Multicluster Engine for Kubernetes 2.6.3 General Availability release images and updated container images.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7759.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Multicluster Engine for Kubernetes 2.6.3 security updates  
Advisory ID:        RHSA-2024:7759-03  
Product:            multicluster engine for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7759  
Issue date:         2024-10-22  
Revision:           03  
CVE Names:          CVE-2024-42459  
====================================================================

Summary: 

Multicluster Engine for Kubernetes 2.6.3 General Availability release images and updated container images.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description:

Multicluster engine for Kubernetes v2.6.3 images

Multicluster engine for Kubernetes provides the foundational components  
that are necessary for the centralized management of multiple  
Kubernetes-based clusters across data centers, public clouds, and private  
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform  
clusters or to bring existing Kubernetes-based clusters under management by  
importing them. After the clusters are managed, you can use the APIs that  
are provided by the engine to distribute configuration based on placement  
policy.

Security fix(es):

nodejs/elliptic: EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended (CVE-2024-42459)   
nodejs/elliptic: ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero (CVE-2024-42460)   
nodejs/elliptic: ECDSA implementation malleability due to BER-enconded signatures being allowed (CVE-2024-42461)

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.11/html/clusters/cluster_mce_overview#mce-install-intro

CVEs:

CVE-2024-42459

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2302458  
https://bugzilla.redhat.com/show_bug.cgi?id=2302459  
https://bugzilla.redhat.com/show_bug.cgi?id=2302460

Red Hat Security Advisory 2024-7759-03

The North Atlantic Fella Organization, which started as a way to fight Kremlin propaganda, has raised millions of dollars to send vital equipment directly to soldiers fighting Russia.

In May 2022, just months after Russia’s full-scale invasion of Ukraine, a disparate group of people from across the globe decided that they wanted to fight back.

This turned into the North Atlantic Fella Organization (NAFO), a decentralized online activist network designed to combat pro-Kremlin propaganda, primarily focusing on the platform then known as Twitter. The members, identified by cartoon Shiba Inu avatars, mocked Russian government accounts and used meme warfare to disrupt Moscow’s propaganda over the invasion.

But in November 2022, Elon Musk took control of the platform, changed its name to X, and effectively allowed Russia’s propagandists free rein to do whatever they wanted.

While NAFO members continued to push back, posting memes in response to any posts from official Russian accounts, they knew they had to do something else to alter the course of the war. And so, over the course of the past two years, they have helped to raise tens of millions of dollars for Ukrainian frontline forces, funding weapons, ammunition, medical equipment, and vehicles—many of them branded with the distinctive NAFO livery.

Among the items funded by these shitposting cartoon dogs is a $250,000 marine drone dubbed “Raccoon’s Revenge” that the Ukrainian government says was used to take out a Russian warship. The group has also funded thousands of drones that have become an increasingly important weapon in pushing back Russian forces. Those on the front line say that NAFO’s efforts are vital in combating Russia’s assault.

“This is our only way to win, because the Russian army is bigger than us. We need more drones. It is very, very important,” Oleksandr Sokolenko, a commander of the drone unit in the 79th Air Assault Brigade, tells WIRED. When he spoke to WIRED earlier this month, Sokolenko said he was in a trench between Vuhledar and Kurakhove in the Donetsk Oblast in eastern Ukraine.

Sokolenko first heard about NAFO’s work from a friend who was also in the Ukrainian army, and now believes the work they are doing to fund drones for his brigade is vital to their chances of winning the war.

“In the beginning, when I joined the army, I was in the infantry. But I recognized that drones are really very critical,” Sokolenko says. “So I decided to work with drones. My first time \[flying a drone\] it was a DJI Mavic, I dropped grenades from it. Now, it's my main work.”

Sokolenko, who joined the Ukrainian military when the war broke out, previously worked as an actor, appearing onstage and in movies. “It’s like Shakespeare said, all the world’s a stage,” Sokolenko joked, flagging that Ukrainian president Vlodomyr Zelensky had also been an actor before becoming a politician.

Because of NAFO’s decentralized structure, it’s impossible to get specific figures on how many people identify as members of the movement—fellas, in NAFO parlance—but one member believes it has to be in the thousands at least.

“You can't just fundraise $250,000 for a naval drone if there's not thousands of people \[involved\],” a UK-based fella, who did not want to be named over fears of threats from Russia, tells WIRED. That was funded in direct collaboration with United24, the Ukrainian government organization that was set up to allow people to help the Ukrainian war effort.

“It all started in November 2022, when United24 launched the first fleet of naval drones, a project that would later change the course of the maritime war,” a spokesperson for United24 tells WIRED. “Fellas were eager to help and to encourage their initiative. We made a special offer: to fundraise a NAFO drone and brand it with a name of their choice.”

The incentive worked, and in the space of just two months, NAFO had raised $276,429, and decided to call the drone Raccoon’s Revenge, a reference to the raccoons stolen by Russian zookeeper Oleg Zubkov during the Russian retreat from Kherson in November 2022.

In total, NAFO has raised close to $1 million across four fundraising campaigns in collaboration with United24. Their current campaign—dubbed Fellas Fury—is seeking to raise funds for remote control combat robots. Beyond official fundraising efforts in conjunction with the Ukrainian government, NAFO members have also launched numerous separate campaigns conducted in close collaboration with troops on the ground.

Because NAFO does not have a central leader, the fundraising efforts are organized on the basis of brigades or divisions, typically led by one person who has a connection to a particular unit or soldier in the Ukrainian army. These brigades and divisions usually focus on one specific item, whether its vehicles, rifles, drones, or medical equipment, and part of their fundraising efforts is the sale of patches, which have become a huge collectors item.

The fundraising drives are organized on Discord, Signal, and Telegram—but not on X, the platform that the NAFO movement has thrived on for years.

“People are being forced away from X, just because Russia basically bought the platform,” the UK-based fella tells WIRED, citing the prevalence of Russian bots and pro-Kremlin accounts allowed on the platform under Musk’s stewardship. X did not respond to a request for comment.

One of the most successful and prolific NAFO fundraisers has been Ragnar Sass, who runs the NAFO 69th Sniffing Brigade, which has raised more than $10 million to date for Ukrainian troops. That money has allowed Sass and his brigade to send more than 460 vehicles to Ukrainian troops, as well as more than 1,000 drones and other equipment to soldiers on the ground. They have even rescued 32 Ukrainian pets.

Sass’s brigade not only supplies the trucks, but also kits them out with custom technology designed specifically for combat such as jammers and night vision cameras. The trucks and jeeps are then painted, including NAFO lettering, and driven in convoys to the front lines in Ukraine.

“What makes us different, is that we are analyzing every week what are the most effective electronic warfare solutions,” Sass tells WIRED while coordinating his brigade’s 33rd convoy to the Ukrainian front lines.

Sass is an Estonian entrepreneur and cofounder of cloud-based software company Pipedrive, which was valued at more than $1 billion in 2020. He has been operating in Ukraine for more than a decade, and in 2019 launched a startup incubator in Kiev called Lift99.

When the war broke out in early 2022, Sass donated $20,000 to the Ukrainian army. “Many people followed, and by the end of day, we collected $200,000,” Sass says. By March 2022, Sass had organized his first convoy of 14 cars, and by June of that year, he joined with NAFO.

Sass’ operation incentivizes donations by offering a patch to anyone who donates more than €100 ($110), and he says to date they have sent out more than 10,000 patches to donors in more than 50 countries.

The NAFO fundraisers are needed, Sass says, because of the glacial pace that organizations like NATO operate in response to wartime situations.

“We are the fastest and most effective,” Sass says. “We can fundraise and deliver help in a matter of days. Like we did with Kursk: We started a campaign on Thursday evening. Next week, car and drones were handed over to units in Kursk. This war will be won by drones, and NATO procurement is from the stone age.”

Recently, British lawmaker David Taylor joined Sass on one of his delivery missions. “You are doing incredible work and I was proud to have joined you,” Taylor wrote in response to a post by the 69th Sniffing Brigade on X.

Taylor is far from the only high-profile figure who has publicly thanked NAFO for their efforts.

“A massive shoutout to the incredible NAFO Fellas for your unwavering support of Ukraine,” Andriy Yermak, the head of the office of the president of Ukraine, wrote on X earlier this month. “Your ongoing fight for truth and against disinformation is of immense importance.” General Valerii Zaluzhnyi, the Ukraine ambassador to the UK and former commander-in-chief of the Ukrainian armed forces, has a NAFO patch.

US congressman Adam Kinzinger is a NAFO member, and Mark Rutte, the secretary general of NATO, was recently presented with his very own framed Shibu Inu cartoon dog.

Ukrainian troops also regularly share their thanks to NAFO donors on social media, posting pictures of the vehicles or weapons funded by the group and how they were used in combating Russia.

“While carrying out some special tasks, I came across a vehicle that helps partially destroy Russian UAV every day,” Bohdan Patel, a 21-year-old Ukrainian soldier, posted on X alongside a picture of a truck with a NAFO patch emblazoned on the side. “Thank you to the NAFO community for the support, it is priceless.”

The Shitposting Cartoon Dogs Sending Trucks, Drones, and Weapons to Ukraine’s Front Lines

Details have emerged about a now-patched security flaw in Styra's Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.
"The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server's local user account to a remote server, potentially allowing the attacker to relay the authentication or

Vulnerability / Software Security

Details have emerged about a now-patched security flaw in Styra's Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.

"The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server's local user account to a remote server, potentially allowing the attacker to relay the authentication or crack the password," cybersecurity firm Tenable said in a report shared with The Hacker News.

The security flaw, described as a Server Message Block (SMB) force-authentication vulnerability and tracked as CVE-2024-8260 (CVSS score: 6.1/7.3), impacts both the CLI and Go software development kit (SDK) for Windows.

At its core, the issue stems from an improper input validation that can lead to unauthorized access by leaking the Net-NTLMv2 hash of the user who is currently logged into the Windows device running the OPA application.

However, for this to work, the victim must be in a position to initiate outbound Server Message Block (SMB) traffic over port 445. Some of the other prerequisites that contribute to the medium severity are listed below -

*   An initial foothold in the environment, or social engineering of a user, that paves the way for the execution of the OPA CLI
*   Passing a Universal Naming Convention (UNC) path instead of a Rego rule file as an argument to OPA CLI or the OPA Go library's functions

The credential captured in this manner could then be weaponized to stage a relay attack in order to bypass authentication, or perform offline cracking to extract the password.

"When a user or application attempts to access a remote share on Windows, it forces the local machine to authenticate to the remote server via NTLM," Tenable security researcher Shelly Raban said.

"During this process, the NTLM hash of the local user is sent to the remote server. An attacker can leverage this mechanism to capture the credentials, allowing them to relay the authentication or crack the hashes offline."

Following responsible disclosure on June 19, 2024, the vulnerability was addressed in version 0.68.0 released on August 29, 2024.

"As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface," the company noted. "Additionally, organizations must minimize the public exposure of services unless absolutely necessary to protect their systems."

The disclosure comes as Akamai shed light on a privilege escalation flaw in the Microsoft Remote Registry Service (CVE-2024-43532, CVSS score: 8.8) that could permit an attacker to gain SYSTEM privileges by means of an NTLM relay. It was patched by the tech giant earlier this month after it was reported on February 1, 2024.

"The vulnerability abuses a fallback mechanism in the WinReg \[RPC\] client implementation that uses obsolete transport protocols insecurely if the SMB transport is unavailable," Akamai researcher Stiv Kupchik said.

"By exploiting this vulnerability, an attacker can relay the client's NTLM authentication details to the Active Directory Certificate Services (ADCS), and request a user certificate to leverage for further authentication in the domain."

The susceptibility of NTLM to relay attacks hasn't gone unnoticed by Microsoft, which, earlier this May, reiterated its plans to retire NTLM in Windows 11 in favor of Kerberos as part of its efforts to strengthen user authentication.

"While most RPC servers and clients are secure nowadays, it is possible, from time to time, to uncover relics of insecure implementation to varying degrees," Kupchik said. "In this case, we managed to achieve NTLM relay, which is a class of attacks that better belongs to the past."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers

Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro.
"In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical

Docker Security / Cloud Security

Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro.

"In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published today.

"The attacker first checked the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities."

It all starts with the attacker conducting a discovery process to check for public-facing Docker API hosts and the availability of HTTP/2 protocol upgrades in order to follow up with a connection upgrade request to the h2c protocol (i.e., HTTP/2 sans TLS encryption).

The adversary also proceeds to check for gRPC methods that are designed to carry out various tasks pertaining to managing and operating Docker environments, including those related to health checks, file synchronization, authentication, secrets management, and SSH forwarding.

Once the server processes the connection upgrade request, a "/moby.buildkit.v1.Control/Solve" gRPC request is sent to create a container and then use it to mine the XRP cryptocurrency using the SRBMiner payload hosted on GitHub.

"The malicious actor in this case leveraged the gRPC protocol over h2c, effectively bypassing several security layers to deploy the SRBMiner crypto miner on the Docker host and mine XRP cryptocurrency illicitly," the researchers said.

The disclosure comes as the cybersecurity company said it also observed attackers exploiting exposed Docker remote API servers to deploy the perfctl malware. The campaign entails probing for such servers, followed by creating a Docker container with the image "ubuntu:mantic-20240405" and executing a Base64-encoded payload.

The shell script, besides checking and terminating duplicate instances of itself, creates a bash script that, in turn, contains another Base64-encoded payload responsible for downloading a malicious binary that masquerades as a PHP file ("avatar.php") and delivers a payload named httpd, echoing a report from Aqua earlier this month.

Users are recommended to secure Docker remote API servers by implementing strong access controls and authentication mechanisms to prevent unauthorized access, monitor them for any unusual activities, and implement container security best practices.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

There are more similarities between developing a professional athlete and developing a cybersecurity pro than you might expect.

Mike Mitchell, Vice President, Threat Hunt Intelligence, Intel 471

October 22, 2024

5 Min Read

Source: Augustas Cetkauskas via Alamy Stock Photo

COMMENTARY

What do professional sports and security operation centers (SOCs) have in common? Before I became a cybersecurity professional and after my baseball career with the Colorado Rockies, I would have said nothing at all. As I've navigated the cybersecurity industry over the past 10-plus years, I've identified three core tenets that form the foundation of successful SOCs and championship baseball teams: leadership, preparation, and collaboration. 

Early in my baseball career, my high school coaches taught me valuable lessons about the importance of leadership, and showed me one of the most effective ways I've seen it applied. Managers of a baseball team are much like managers of a SOC, in that they both must build and manage effective teams consisting of wildly different personnel, personalities, and challenges. It's how they choose to lead their teams that truly sets them apart from a "day-to-day" manager.  

The best managers I've had in cybersecurity and in baseball were all prior practitioners who led by example and used every opportunity as a teachable moment. In baseball terminology, these leaders were "player's coaches," meaning they had a visceral understanding, knowledge, and passion for the game based on their own experiences but still demanded excellence from each of us. SANS Institute recently published a blog post about becoming a leader in the SOC, stating, "A leader doesn't necessarily need to be able to perform all the specialized activities covered by the team, they should understand the responsibilities of each team member and know what it's like to walk in their shoes."  

Managers that take this approach allow team members to succeed, fail, and learn from their mistakes, while knowing their leadership can commiserate with their shared experiences. Being a leader takes more than just setting a lineup or creating a SOC process; it's about ensuring the team knows you are invested in their growth, and can be an example of the time, effort, and skills it takes to be an effective SOC analyst. 

**The Importance of Team Building**

The University of Virginia (UVA) baseball program changed my perspective on the significance of team building and what it means to create a culture that embodies teamwork and preparation as a foundational focus. These experiences drilled home the concept of "battling" for each other, knowing everyone's strengths and weaknesses, and allowed us to overprepare for the actual game. SOC managers, leveraging well-designed tabletops exercises, can offer the same level of "game-like" intensity, high-pressure situations, and team-building atmosphere. By engaging the security analysts, threat intelligence analysts, engineers, and incident responders, tabletop exercises enable SOCs to battle test their playbooks, effectively communicate, and validate their processes, all while developing teamwork and bolstering their trust in one another. The Cybersecurity and Infrastructure Security Agency (CISA) offers some amazing resources that can be used to build effective tabletops centered around a variety of different generic scenarios. However, organizational-specific scenarios allow SOCs to design tabletops that are unique to their risk profile, infrastructure, and protected assets. For example, if the company is in the financial industry, it may practice and drill on scenarios related to information stealers or ransomware groups targeting access for monetary gain. When it's "game time" and a real-world incident affects that organization, the SOC will be ready to tackle anything the threats throw at them. 

After my fourth year at UVA, I was extremely fortunate to be drafted by the Colorado Rockies, and during my career, I witnessed how collaboration can foster championship teams. Communication and information sharing between team members or departments are integral for successful collaboration. In a highly skilled environment like professional baseball or a mature SOC, everyone wants to be the one the manager leans on to get the job done. This competitive nature can sometimes lead individuals to isolate themselves so that their abilities and knowledge stay wholly unique to their skill set. However, I've experienced on the field and in the SOC individuals who put their pride aside and continually took time out of their day to share their knowledge to help upskill and provide guidance to their fellow teammates. 

**Working Together**

SOCs that encourage interpersonal communication between their analysts, threat hunters, engineers, or incident responders develop a team that understands the roles and responsibilities of every other team member, and can use that knowledge to help streamline or assist in more effective ways during an incident. SOCs can also establish collaborative environments by creating and executing a collective game plan against their opponents. Professional baseball organizations have advanced scouting groups that collect as much information as possible about the opposing team, including pitching/hitting tendencies (behaviors), and who and how they are going to pitch to hitters (tactics). By leveraging an intelligence-driven approach, the SOC can also achieve an effective collaborative environment. Cyber threat intelligence (CTI) acts like the advanced scouting group by gathering as much information about the threats, actors, tactics, techniques, and procedures (TTPs), and behaviors to effectively profile their organizational risk and priorities. Those priorities are then communicated to different teams like threat hunting, detection engineering, and security engineers, allowing them to work as a collaborative unit and communicate based on actionable intelligence.  

Reflecting on my time in baseball and in cybersecurity, there are more similarities than I expected between developing into a professional athlete and a cyber professional. Through my journey in both careers, I've worked with amazing individuals that led by example and were more than just a manager. They instilled in me the importance of preparation and the significance of building a culture of teamwork. These collaborative environments have allowed me to not only learn from my managers but also establish long-lasting relationships with my peers and teammates. 

**About the Author**

Vice President, Threat Hunt Intelligence, Intel 471

Mike Mitchell is Vice President, Threat Hunt Intelligence, of Intel 471. Prior to joining Intel 471, he was a co-founder of recently acquired threat hunting provider Cyborg Security. While at Cyborg, he was a cross-functional founder focused on technical implementation, sales, product architecture, and managing the content development team and its deliverables. Mike has more than 12 years of diverse cybersecurity experience in roles including senior solutions and security engineer, director of sales engineering to co-founder of Cyborg Security. Before his career in cybersecurity, Mike spent a number of years in pro baseball with the Colorado Rockies.

What Today's SOC Teams Can Learn From Baseball

Meta wants to introduce the option to upload a video selfie if you need to recover a lost Facebook or Instagram account.

Meta, the company behind Facebook and Instagram says its testing new ways to use facial recognition—both to combat scams and to help restore access to compromised accounts.

The social media giant is testing the use of video selfies and facial recognition to help users get their hijacked accounts back. Social media accounts are often lost when users forget their password, switch devices, or when they inadvertently or even willingly give their credentials to a scammer.

Another reason for Meta to use facial recognition are what it calls “celeb-bait ads.” Scammers often try to use images of public figures to trick people into engaging with ads that lead to fraudulent websites.

Since it’s trivial to set up an account that looks like a celebrity, scammers use this to attract visitors for various reasons, ranging from like-farming (a method to raise the popularity of a site or domain) to imposter scams, where accounts that seem to belong to celebrities reach out to you in order to defraud you.

_Several accounts that seem to belong to the same actor_

Meta’s existing ad review system uses machine learning to review the millions of ads that are run across Meta platforms every day. With a new facial recognition addition to that system, Meta can compare faces in the ad to the public figure’s Facebook and Instagram profile pictures, and then block them if it’s fake.

According to Meta:

> “Early testing with a small group of celebrities and public figures shows promising results in increasing the speed and efficacy with which we can detect and enforce against this type of scam.”

Over the coming weeks, Meta intends to start informing a larger group of celebs who have been used in scam ads that they will be enrolled into the new scheme and allow them to opt out if that’s what they want.

The problem of celeb-bait ads is a big one and I applaud Meta for trying to do something about it. The account recovery by video selfie, however, is something I’m far less fond of.

The idea of using facial recognition on social media is not new. In 2021, Meta shut down the Face Recognition system on Facebook as part of a company-wide move to limit the use of facial recognition in their products.

In the newly-announced system, the user can upload a video selfie, and Meta will use facial recognition technology to compare the selfie to the profile pictures on the account they’re trying to access. This is similar to identity verification tools you might already use to unlock your phone or access other apps. 

I do have a few questions though:

*   With the current development of deepfakes, how long will it take for this technology to be used for the exact opposite? Stealing your account by showing the platform a deepfake video of your face.
*   Do I want to provide Meta with even more material that might end up getting used to train its Artificial Intelligence (AI) models? Although Meta claims to delete the facial data after comparison, there are concerns about the collection and temporary storage of biometric information.
*   People have a tendency to post their best pictures and not change them as they grow older. Is a comparison always possible?
*   Is normalizing the use of biometrics for something as trivial as social media really necessary? Right now I only use a video selfie to approve bank transfers of over 1000 Euro (US$ 1075).  

There are probably good reasons why Meta is not implementing this option in the UK or the EU, because it needs to “continue conversations with regulators” first. The same is true for Illinois and Texas, likely due to stricter privacy laws in these states.

Surely there are better ways to reclaim a stolen account. What do you think? Let us know in the comments.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Upload a video selfie to get your Facebook or Instagram account back 

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Need a push? A day for a cybersecurity professional can be full of adrenaline-pumping moments. Come up with a clever cybersecurity-related caption for the cartoon above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 13, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

A round of congratulations goes to Chris Potter, whose caption for September's "Tug of War" contest nailed first place:

Thanks to all who participated. Some noteworthy contenders included "…And here we have the top contenders for our CAPTCHA the flag tournament," "AI Race Condition," and "Artificial or Human, I’m not seeing any intelligence."

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Latest News