The Hell's Keychain attack vector highlights common cloud misconfigurations and secrets exposure that can pose grave risk to enterprise customers.

A vulnerability in IBM Cloud databases for PostgreSQL could have allowed attackers to launch a supply chain attack on cloud customers by breaching internal IBM Cloud services and disrupting the hosted system's internal image-building process.

Security researchers from Wiz discovered the flaw, which they dubbed "Hell's Keychain." It included a chain of three exposed secrets paired with overly permissive network access to internal build servers, the researchers revealed in a blog post published Dec. 1. 

While now patched, the vulnerability is significant in that it represents a rare supply-chain attack vector impacting the infrastructure of a cloud service provider (CSP), Wiz CTO Ami Luttwak tells Dark Reading. The discovery also uncovers a class of PostgreSQL vulnerabilities affecting most cloud vendors, including Microsoft Azure and Google Cloud Platform.

"This is a first-of-a-kind supply-chain attack vector, showing how attackers might be able to leverage mistakes in the build process to take over the entire cloud environment," he says.

Specifically, researchers uncovered "major risk caused by improper sanitation of build secrets from container images, allowing for an attacker to gain write access to the central container image repository," Luttwak says. This would have allowed the actor to run malicious code in customers’ environments and modify the data stored in the database.

"Modifications to the PostgreSQL engine effectively introduced new vulnerabilities to the service," the researchers wrote in their post. "These vulnerabilities could have been exploited by a malicious actor as part of an extensive exploit chain culminating in a supply-chain attack on the platform."

As mentioned, the ability to use PostgreSQL to breach IBM Cloud is not unique to the service provider, researchers said. Wiz already has found similar vulnerabilities in other CSP environments, which they plan to disclose soon and which highlight a broader issue of cloud misconfigurations that pose a supply chain threat to enterprise customers.

The existence of the flaw also highlights how improper management of secrets — or long-lived authentication tokens for cloud APIs or other enterprise systems — can impose a high risk of unwanted intrusion by attackers on an organization using a cloud provider, Luttwak says.

"Finding and utilizing exposed secrets is the No. 1 method for lateral movement in cloud environments," he says.

For now, the researchers said they worked with IBM to remedy the issue in IBM Cloud and no customer mitigation action is required.

**Uncovering the Chain**

Researchers were doing a typical audit of IBM Cloud's PostgreSQL-as-a-service to find out if they could escalate privileges to become a "superuser," which would allow them to execute arbitrary code on the underlying virtual machine and continue challenging internal security boundaries from there.

Based on their experience, they said the ability to carry out a supply chain attack on a CSP lies in two key factors: the forbidden link and the keychain.

"The forbidden link represents network access — specifically, it is the link between a production environment and its build environment," the researchers wrote. "The keychain, on the other hand, symbolizes the collection of one or more scattered secrets the attacker finds throughout the target environment."

On its own, either scenario is "unhygienic," but not critically dangerous. However, "they form a fatal compound when combined," the researchers said.

Hell’s Keychain held three specific secrets: a Kubernetes service account token, a private container registry password, and continuous integration and delivery (CI/CD) server credentials.

Combining this chain with the so-called forbidden link between Wiz's personal PostgreSQL instance and IBM Cloud databases’ build environment allowed researchers to enter IBM Cloud’s internal build servers and manipulate their artifacts, the researchers said.

**Implications for Cloud Security**

The scenario presented in Hell's Keychain represents a broader problem within the cloud security community that demands attention and remediation, the researchers said. To wit: scattered plaintext credentials that are found across cloud environments that impose a huge risk on an organization, impairing service integrity and tenant isolation, they said.

For this reason, secret scanning at all stages of the pipeline is crucial, including in CI/CD, code repo, container registries, and within the cloud, Luttwak says.

"Furthermore, lockdown of privileged credentials to the container registry is crucial, as these credentials are often overlooked but are actually the keys to the kingdom," he adds.

CSP customers also should consider image signing verification via admission controllers to ensure these sort of attacks are prevented entirely, Luttwak says.

Hell's Keychain also highlights a common misconfiguration in the use of the popular Kubernetes API for container management within the cloud — pod access, ''which can lead to unrestricted container registry exposure," he says.

Another best practice the researchers recommend is any organization — CSP or otherwise — deploying a cloud environment can take is to impose strict network controls between the Internet-facing environment and the organization's internal network in the production environment, so attackers can't gain a deeper foothold and maintain persistence if they do manage to breach it.

IBM Cloud Supply Chain Vulnerability Showcases New Threat Class

No longer the realm of lone wolves, the world of cybercrime is increasingly strategic, commoditized, and collaborative.

Just as you keep up with the latest news, tools, and thought leadership in order to protect and secure your organization from cybercriminals, your adversaries are doing the same thing. They are connecting on forums, evaluating new software tools, talking with potential buyers, and searching for new ways to outsmart your security stack.

A peek into their world shows they have advanced capabilities that often outmaneuver well-funded security teams and corporate security tools, especially when pitted against legacy solutions like signature-based antiviruses. Many security operations centers (SOCs) fail to prioritize real threats, while wasting time trying to solve others that they can realistically never scale to meet.

Security defenders need to move beyond the mental image of the lone hooded figure sitting in a dimly lit basement as cigarette smoke wisps up from a dirty ashtray. Let's take stock of the world of cybercrime as it exists today: strategic, commoditized, and collaborative (especially if the criminals have money to spend).

**Strategic Intent Backs Every Attack**

Adversaries always have a business purpose; there’s a plan for every piece of malware. To begin, cybercriminals snoop around for access to your environment, looking for something they can steal and potentially resell to someone else. While an attacker may not know _exactly_ what they want to do once they gain access to your environment, they tend to recognize value when they see it.

They may perform reconnaissance by looking for misconfigurations or exposed ports to exploit, a process often made trivially easy by known CVE databases and free open-port scanners. Initial compromise can also be accomplished by stealing a user’s credentials to access the environment, a process that’s sometimes even easier, before moving laterally to identify key assets.

**The Cyber Weapons Black Market is Maturing**

Cybercriminals have developed a sophisticated underground marketplace. Tools have evolved from relatively inexpensive and low-tech products into those with advanced capabilities delivered via business models familiar to legitimate consumers, like software as a service (SaaS). Threat hunters are witnessing the commoditization of hacking tools.

Phishing kits, pre-packaged exploits, and website cloning tools used to be very common. Designed to mimic website login pages, such as Microsoft Office 365 or Netflix, these tools were quite effective at capturing users’ credentials for many years.

Over the past two decades, though, the security community responded to this type of activity with techniques like pattern recognition, URL crawling, and shared threat intelligence. Tools like VirusTotal have made it a common practice for the discovery of malicious files to be shared with the wider security community almost instantaneously. Naturally, adversaries are well aware of this and have adapted.

**A New Phishing Methodology**

Today’s adversaries have also learned to capitalize on the rise of multi-factor authentication (MFA) by hijacking the verification process.

One new type of phishing kit is called EvilProxy. Like kits of the past, it mimics website login pages to trick users into giving away their login credentials. Unlike phishing kits of the past that were sold as one-time purchases, this new methodology — sold by specialists in access compromise — operates via a rental model, whereby the seller rents out space on their own server for running phishing campaigns.

They host a proxy server that operates like a SaaS model. The service costs about $250 for 10 days of access. This allows the SaaS providers to make more money and enables them to collect statistics they can then publish on hacker forums to market their products and compete against other sellers.

New kits have built-in protections to defend their phishing environment from unexpected visitors. Since they obviously don’t want web crawlers indexing their sites, they use bot protection to block crawlers, nuanced virtualization detection technology to ward off security operations teams doing reconnaissance through a virtual machine (VM), and automation detection to prevent security researchers from crawling their kit websites from different angles.

**The “Adversary in the Middle” Scenario**

In the context of bypassing MFA, acting as a reverse proxy to the authentic login page content creates big problems for typical phishing detection. By sitting between the user and the target website, the reverse proxy server allows the adversary to gain access to the username, password, and session cookie that is set after MFA is completed. They can then replay the session back into a browser and act as the user on that destination.

To the user, everything looks normal. By using slight variations of names in the URLs, the cybercriminals can make the site seem completely legitimate, with everything working as it should. Meanwhile, they have gained unauthorized access through that user, which can then be exploited for their own purposes or auctioned off to the highest bidder.

**The Adversary’s Business Model**

In addition to new phishing methodologies, malware is sold openly on the Internet and operates in a sort of gray space, floating between legal and illegal. One such example is BreakingSecurity.net, which markets the software as a remote surveillance tool for enterprise.

Every piece of malware has a price point associated with it to drive an outcome. And these outcomes have a clear business intent, whether it’s to steal credentials, generate cryptocurrency, demand a ransom, or gain spy capabilities to snoop around a network infrastructure.

Nowadays the creators of these tools are partnering with the buyers through affiliate programs. Similar to a multi-level marketing scheme, they say to the affiliate buyer of the tool, “Come to me when you get in.” They even offer product guarantees and 24/7 support of the tool in exchange for splitting the profits. This allows them to scale and build a hierarchy. Other types of cybercriminal entrepreneurs sell pre-existing compromises to the highest bidder. There are multiple business models at play.

**Today’s Reality: Case for an Advanced Cloud Sandbox**

Security teams should understand what today’s adversaries do and how quickly their actions can play out. The advanced malware on the market now is even more severe than phishing. Whether it’s Maldocs that evade filters, ransomware, information stealers, remote access trojans (RATs), or post-exploitation tools that combine toolsets, threat actors are more advanced than ever before—and so are their business models.

Countermeasures based on standard sandboxes doesn’t provide much in the way of inline prevention. Detection that combines cloud and AI can stop the stealthiest threats inline, in real time, and at scale.

If you’re not evolving with adversaries, you're falling behind. Because today’s cybercriminals are as professional and on their game as you.

Read more _Partner Perspectives_ from Zscaler.

Of Exploits and Experts: The Professionalization of Cybercrime

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems.
Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges.
"The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems.

Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges.

"The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote-code execution (RCE)," Contrast Security researcher Joseph Beeton, who reported the bug, said in a write-up.

Quarkus, developed by Red Hat, is an open source project that's used for creating Java applications in containerized and serverless environments.

It's worth pointing out that the issue only impacts developers who are running Quarkus and are tricked into visiting a specially crafted website, which is embedded with malicious JavaScript code designed to install or execute arbitrary payloads.

This could take the form of a spear-phishing or a watering hole attack without requiring any further interaction on the part of the victim. Alternatively, the attack can be pulled off by serving rogue ads on popular websites frequented by developers.

The Dev UI, which is offered through a Dev Mode, is bound to localhost (i.e., the current host) and allows a developer to monitor the status of an application, change the configuration, migrate databases, and clear caches.

Because it's restricted to the developer's local machine, the Dev UI also lacks crucial security controls like authentication and cross-origin resource sharing (CORS) to prevent a fraudulent website from reading another site's data.

The problem identified by Contrast Security lies in the fact that the JavaScript code hosted on a malware-laced website can be weaponized to modify the Quarkus application configuration via an HTTP POST request to trigger code execution.

"While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box," Quarkus noted in an independent advisory.

Users are recommended to upgrade to version 2.14.2.Final and 2.13.5.Final to safeguard against the flaw. A potential workaround is to move all the non-application endpoints to a random root path.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as KmsdBot has led to it being accidentally taken down.
KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.
The botnet strikes both Windows and Linux devices spanning a wide range of

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as **KmsdBot** has led to it being accidentally taken down.

KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.

The botnet strikes both Windows and Linux devices spanning a wide range of microarchitectures with the primary goal of deploying mining software and corralling the compromised hosts into a DDoS bot.

Some of the major targets included gaming firms, technology companies, and luxury car manufacturers.

Akamai researcher Larry W. Cashdollar, in a new update, explained how commands sent to the bot to understand its functionality in a controlled environment inadvertently neutralized the malware.

"Interestingly, after one single improperly formatted command, the bot stopped sending commands," Cashdollar said. "It's not every day you come across a botnet that the threat actors themselves crash their own handiwork."

This, in turn, was made possible due to the lack of an error-checking mechanism built into the source code to validate the received commands.

Specifically, an instruction issued without a space between the target website and the port caused the entire Go binary running on the infected machine to crash and stop interacting with its command-and-control server, effectively killing the botnet.

The fact that KmsdBot doesn't have a persistence mechanism also means that the malware operator will have to re-infect the machines again and re-build the infrastructure from scratch.

"This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue," Cashdollar concluded. "This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers 'Accidentally’ Crash KmsdBot Cryptocurrency Mining Botnet Network

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.

CVE-2022-45045: Xiongmai IoT Exploitation - Blog - VulnCheck

If unpatched, a host of GPU Display Driver flaws could expose gamers, graphic designers, and others to code execution, denial of service, data tampering, and more.

A new update from Nvidia for its GPU Display Driver includes fixes for a full 29 security vulnerabilities, seven with a base score of more than 7. 

The company's graphics cards are built to accelerate computing processing to support real-time or data-intensive applications. As such, they're known for their use by gamers, graphic designers, and other creative producers, and for artificial intelligence and machine learning. Impacted software products for the update specifically include GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla.

The most serious of the bugs are two flaws that exist in the user mode layer for Windows versions, both of which could allow an unauthorized user to execute code, escalate privileges, launch denial-of-service attacks, and achieve data compromise and disclosure, according to the chipmaker:

*   **CVE‑2022‑34669** (CVSS score of 8.8): An unprivileged regular user can access or modify system files or other files that are critical to the application.
*   **CVE‑2022‑34671** (CVSS score of 8.7): An unprivileged regular user can cause an out-of-bounds write.

The display driver for Linux also received a number of updates in this latest security update. 

"Earlier software branch releases that support these products may also be affected," the Nvidia security update said. "If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nvidia GPU Driver Bugs Threaten Device Takeover & More

By Habiba Rashid
Currently, hackers are targeting public and private entities in Southeast Asia, the Asia-Pacific region, Europe, and the U.S., with a focus on the Philippines.
This is a post from HackRead.com Read the original post: Hackers using USB drives to spread malware in ongoing attack

According to a recent post by the cybersecurity firm Mandiant, **USB drives** are being used to hack targets in Southeast Asia. The threat actor behind this activity, referred to as UNC4191 is targeting public and private entities in Southeast Asia, Asia-Pacific, Europe, and the US, with a focus on the Philippines. 

This new campaign began as far back as September 2021, according to Mandiant’s report. The researchers assess that this operation is being conducted as a **cyberespionage operation** related to China’s political and commercial interests. 

**Google-owned Mandiant** states that their observations suggest the Philippines is the main target of this operation, due to the number of affected systems located in the country. They also added that, even when the targeted organizations were based in other locations, the specific systems targeted were found to be physically located in the Philippines.

After the initial infection via Universal Serial Bus drives, the hackers then deployed legitimately-signed binaries while side-loading malware. The malware families used in the cyberespionage have been identified by Mandiant as Mistcloak Launcher, Darkdew Dropper, and Bluehaze Launcher.

Mandiant splits the overall infection cycle from the UNC4191 campaign into three distinct phases. 

Mistcloak is the first malware to be side-loaded because the execution of a version of the USB Network Gate application is triggered as soon as an infected USB is plugged into the machine. 

This piece of malware loads an INI file containing Darkdew, which is designed to achieve persistence and **infect USB drives** when they are connected to the system. 

Bluehaze, which is executed at the third phase of the infection chain, was designed to execute a renamed NCAT executable, which creates a reverse shell to a hardcoded command-and-control (C&C) server.

UNC4191 malware infection cycle (Image: Mandiant)

In their **blog post**, Mandiant researchers noted that these viruses are known to provide a reverse shell on the victim’s system, giving the UNC4191 hackers backdoor access. The malware then self-replicates by infecting any new removable devices plugged into the compromised systems. Due to this, the malware is even able to spread through air-gapped systems.

> “Mandiant has not observed evidence of reverse shell interaction; however, based on the age of the activity, this may be a result of visibility gaps or short log retention periods.”
> 
> Mandiant

1.  **Schneider Electric Shipped USB Drives Loaded with Malware**
2.  **VictoryGate cryptominer infected 35,000 devices via USB drives**
3.  **New malware tool can steal files from airgapped PCs using USBs**
4.  **Hackers sending malware infected USBs with Best Buy Gift Cards**
5.  **China’s insidious surveillance against Uyghurs with Android malware**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Hackers using USB drives to spread malware in ongoing attack

The North Korea-linked **ScarCruft** group has been attributed to a previously undocumented backdoor called **Dolphin** that the threat actor has used against targets located in its southern counterpart.

"The backdoor \[...\] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko said in a new report published today.

Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.

The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.

The campaign, first uncovered by Kaspersky and Volexity last year, entailed the weaponization of two Internet Explorer flaws (CVE-2020-1380 and CVE-2021-26411) to drop a backdoor named BLUELIGHT.

ScarCruft, also called APT37, InkySquid, Reaper, and Ricochet Chollima, is a geo-political motivated APT group that has a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. It's been known to be active since at least 2012.

Earlier this April, cybersecurity firm Stairwell disclosed details of a spear-phishing attack targeting journalists covering the country with the ultimate goal of deploying a malware dubbed GOLDBACKDOOR that shares tactical overlaps with BLUELIGHT.

The latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly-targeted espionage operation.

This, in turn, is achieved by executing an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the backdoor.

"While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims," Jurčacko explained.

What makes Dolphin a lot more potent than BLUELIGHT is its ability to search removable devices and connected smartphones, and exfiltrate files of interest, such as media, documents, emails, and certificates.

The backdoor, since its original discovery in April 2021, is said to have undergone three successive iterations that come with its own set of feature improvements and grant it more detection evasion capabilities.

"Dolphin is another addition to ScarCruft's extensive arsenal of backdoors abusing cloud storage services," Jurčacko said. "One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims' Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac