Category Archives: cyber security incident news highlight

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

Preface: Docker helps to “create” containers, and Kubernetes allows you to “manage” them at runtime. What is Kubernetes security? It covers cloud, cluster, container and code.

Background: NSA and CISA observe that Kubernetes is commonly targeted for three reasons: data theft, computational power theft, or denial of service. Cyber attacks encountered in the Kubernetes environment in 2020 are detailed as follows:

Capital One – Occurring in 2019, this breach saw 30GB of credit application data affecting about 106 million people being exfiltrated. A mis-configured firewall that allowed an attacker to query internal metadata and gain credentials of an Amazon Web Services
Docker Hub – Attackers managed to plant malicious images in Docker Hub. Users unknowingly deployed cryptocurrency miners in the form of Docker containers that then diverted compute resources toward mining cryptocurrency for the attacker.
Microsoft Azure – Microsoft is another organization that has been seeing a lot of cryptojacking woes of its own. The company disclosed that there was a large-scale cryptomining attack against Kubernetes clusters in Azure in April 2020.
Tesla – Automaker Tesla was one of the earlier victims of cryptojacking when a Kubernetes cluster was compromised due to an administrative console not being password protected (mis-configuration).
Jenkins – Hackers managed to exploit a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero, in 18 months. In Docker’s operating environment, it was discovered that six malicious images had been collectively pulled over 2 million times; that is 2 million users potentially mining Monero for the attacker.

To prevent similar incidents, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance.” Primary actions include the scanning of containers and Pods for vulnerabilities or mis-configurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
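One way to check the least-privilege point above against a Pod manifest, as an added example that is not taken from the NSA/CISA report or from this post. The manifest is a constructed sample, and the set of securityContext fields checked is this example's own choice:

```python
import json

# Constructed sample shaped like `kubectl get pod -o json` output (not from the report).
SAMPLE_POD = json.loads("""
{"metadata": {"name": "web"},
 "spec": {
   "hostNetwork": true,
   "containers": [
     {"name": "app", "image": "registry.example/app:1.0",
      "securityContext": {"privileged": true}},
     {"name": "sidecar", "image": "registry.example/sidecar:1.0",
      "securityContext": {"runAsNonRoot": true,
                          "allowPrivilegeEscalation": false,
                          "readOnlyRootFilesystem": true,
                          "capabilities": {"drop": ["ALL"]}}}
   ]}}
""")

def audit_pod(pod):
    """Return a list of least-privilege findings for one Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Escalation is allowed unless the field is explicitly set to false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # A container-level value overrides the pod-level one.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root (runAsNonRoot unset)")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped")
    return findings

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```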

DarkSide Ransomware ready to move. Operational Technology (OT) should stay alert (7-7-2021)

Preface: An IDC report predicted that by 2024, 60% of industrial organizations will integrate data from edge OT systems with cloud-based reporting and analytics, moving from single-asset views to sitewide operational awareness.

Background: PowerShell provides an adversary with a convenient interface for enumerating and manipulating a host system after the adversary has gained initial code execution.

Security Focus: According to a security company's observations, PowerShell can be used to execute various Base64-encoded commands. The trend is for operational technology to be programmed and developed on PowerShell.
Cybercriminals responsible for ransomware activities often try to delete shadow copies so that their victims cannot restore file access from them. The method is to use Invoke-ReflectivePEInjection to inject a DLL directly into PowerShell.
Meanwhile, they require system administrator privileges, so they rely on zero-day vulnerabilities and unpatched victim workstations for privilege escalation.

Remark: What’s more telling is the inclusion of function names that correspond with a PowerShell payload called “Invoke-ReflectivePEInjection”, which lets an attacker inject a dynamic link library (DLL) directly into PowerShell.

If you are interested in the above details, CISA has published a Malware Analysis Report and updated its alert on DarkSide ransomware. For more details, please refer to the link – https://us-cert.cisa.gov/ncas/alerts/aa21-131a
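For defenders reviewing process-creation logs, the Base64-encoded PowerShell commands mentioned above can be decoded and checked for the function name the post cites. This is an added example, not code from the CISA report; the command lines are constructed samples, and the shadow-copy marker strings are this example's assumptions:

```python
import base64
import re

# Matches -EncodedCommand and its short forms (-e, -en, -enc..., -ec), then the Base64 blob.
ENC_RE = re.compile(r"(?i)\s-(?:ec|enc\w*|en|e)\s+([A-Za-z0-9+/=]{8,})")
# First marker is named in the post; the other two are assumed shadow-copy indicators.
MARKERS = ("invoke-reflectivepeinjection", "shadowcopy", "vssadmin")

def decode_encoded_command(cmdline):
    """Return the decoded script text from a PowerShell command line, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le")  # -EncodedCommand carries UTF-16LE text
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64 or not valid UTF-16LE

def triage(cmdlines):
    """Return (decoded_text, matched_markers) for each encoded command found."""
    results = []
    for line in cmdlines:
        text = decode_encoded_command(line)
        if text is None:
            continue
        hits = [m for m in MARKERS if m in text.lower()]
        results.append((text, hits))
    return results

def _enc(script):
    """Build a constructed sample the way -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed command lines; the payloads are harmless strings.
SAMPLES = [
    "powershell.exe -NoProfile -enc " + _enc("Get-Date"),
    "powershell.exe -w hidden -EncodedCommand "
    + _enc("Write-Output 'Invoke-ReflectivePEInjection'"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for text, hits in triage(SAMPLES):
        print("SUSPICIOUS" if hits else "decoded", repr(text), hits)
```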

Headline News – Unauthorized access to Japanese government systems via Fujitsu ProjectWeb – 28-05-2021

Headline News – The incident affected the Ministry of Land, Infrastructure, Transport and Tourism, Ministry of Foreign Affairs, Cabinet Office and Narita Airport. The stolen data included files stored by government employees on the cloud-based collaboration and file sharing platform ProjectWEB, which was launched by Fujitsu in the mid-2000s and was very popular among Japanese civil servants.
According to Japanese media reports, hackers stole documents containing employees of the Ministry of Land, Infrastructure, Transportation and Tourism and extended more than 76,000 email addresses, but the government did not confirm this information.

Background: ProjectWEB is a cloud-based enterprise collaboration and file-sharing platform that Fujitsu has operated since the mid-2000s, and which a number of agencies within the Japanese government currently use.

One possible cause of data leakage in this incident:
Suppose daily operations in many small projects go through a web-based management system, and daily communication between project managers and project members uses Excel for status management and quality management. If Excel spreadsheets are exposed to a design weakness (CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, and CVE-2017-0053), remote attackers can execute arbitrary code or cause a denial of service (memory corruption) via a crafted document. As a result, a data breach will occur.

Headline News – https://www3.nhk.or.jp/nhkworld/en/news/20210526_28/

Aforementioned – Insurance company infected by ransomware – 25th May 2021

News feed: AXA Group announced on Sunday (16-05-2021) that the company has become a victim of a ransomware attack. Axa Hong Kong said there has been no evidence that data processed by Inter Partners Asia in markets other than Thailand have been affected by the targeted ransomware attack. No official announcement has updated this incident to date.

Technology exploration: Avaddon ransomware encrypts files in offline mode using AES-256 + RSA-2048. With a 128-bit AES key, the task of cracking AES by checking each of the 2^128 possible key values (a “brute force” attack) is so computationally intensive that even the fastest supercomputer would require, on average, more than 100 trillion years to do it. The Microsoft .NET cryptography library is capable of encrypting and decrypting files on its own.
The Windows 10 operating system has .NET Framework 4 installed and enabled by default, so cybercriminals can make use of this service. For more details, please refer to the attached document.

What is the consequence if AXA underestimates this matter? Or is it just a bluff?

A similar type of attack (files encrypted with RSA-2048 and AES-128 passwords) will allow cyber-criminals to gain access through remote control systems. After the machine is infected with the ransomware, data exfiltration will occur. In fact, the hacker group claimed to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contracts and reports, customer IDs and bank account scanned papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.

Latest news: https://www.thestandard.com.hk/section-news/section/2/230327/Axa-HK-unaffected-by-cyberattack

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ said Headline News – 9th May 2021

Preface: The hacker group claimed that its ransomware attacks were only used for “right targets.” The organization claimed that it only targeted its ransomware attacks at large, profitable companies to “make the world a better place.”

Background: Cyber attacks in the oil and gas industry can threaten an organisation’s information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place.
Last year, the security department expressed such concerns.

Security Focus: The hacking team is very active on hack forums and keeps its customers updated with news related to the ransomware. It is speculated that the attacker's way of gaining an initial foothold in the network is not limited to email phishing. Perhaps they exploit an SSL VPN design weakness or a Microsoft zero-day. In the oil and gas industry, implementation of OPC UA technology is common, and it is hard to avoid using Microsoft products even when OPC UA runs on a Linux-based machine. But DarkSide 2.0 has the fastest encryption speed on the market, and it is available in Windows and Linux versions. So this is how the story started.

Headline News – https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/

CISA urges the public to be aware of Codecov software vulnerability – 30th Apr, 2021

Preface: CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021.

Background: A supply chain attack gone undetected for 2 months. Codecov has over 29,000 enterprise customers, including reputed names like Atlassian, Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.

Vulnerability details: Regarding this cyber security incident, the vendor's investigation has produced additional information concerning what environment variables may have been obtained without authorization and how they may have been used. The issue occurred due to an error in Codecov’s Docker image creation process that enabled the actors to extract sensitive credentials and modify the Bash Uploader script. This in turn let the attacker exfiltrate sensitive information. For more details, please refer to the link – https://about.codecov.io/security-update/

NSA releases urgent Guidance (ORN U/OO/800922-17), urging the public not to use obsolete TLS configurations (6th Jan, 2020)

Preface: Obsolete TLS configurations are still in use in U.S. Government systems. Perhaps this is changing. According to the Office of Management and Budget (OMB) memorandum M-15-13, all publicly accessible federal websites and web services are required to be provided only through secure connections.

Synopsis: The Internet Engineering Task Force (IETF) published TLS 1.3 in August 2018. TLS 1.2, the version it replaced, was standardized a decade earlier, in 2008. The attached diagram shows examples of TLS vulnerabilities and attacks.

Consequence: Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected.
Network connections employing obsolete encryption protocols are at an elevated risk of exploitation and decryption.

Recommendation: NSA recommends that only TLS 1.2 or 1.3 be used. As a result, SSL 2.0, 3.0 and TLS 1.1 should not be used anymore. If additional interoperability support is needed, configurations should use non-deprecated options from NIST SP 800-52r2 as necessary.

Official announcement (NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations): https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF
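A small check that applies the recommendation above to a web server configuration, as an added example that is not part of the NSA guidance. It assumes nginx and its ssl_protocols directive; both configurations are constructed samples, the first weak and the second corrected:

```python
import re

# Only these versions are acceptable under the recommendation above.
ALLOWED = {"TLSv1.2", "TLSv1.3"}
# An active (not commented-out) ssl_protocols directive and its arguments.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.MULTILINE)

def audit_nginx_tls(conf_text):
    """Return (line_no, obsolete_protocols) for each directive enabling any."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        enabled = m.group(1).split()
        obsolete = [p for p in enabled if p not in ALLOWED]
        if obsolete:
            line_no = conf_text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, obsolete))
    return findings

# Constructed sample: weak setting.
WEAK_CONF = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed sample: corrected setting, with the old line left as a comment.
HARDENED_CONF = """server {
    listen 443 ssl;
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nginx_tls(conf))
```

A configuration with no ssl_protocols directive falls back to the server's built-in default, which this check does not evaluate.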

Visa proactively urges the public to be aware of the Baka skimmer attack. (Baka credit card skimmer bundles stealth, anti-detection capabilities) – Sep 2020

Preface: Visa identified a previously unknown eCommerce skimmer, and named the skimmer ‘Baka’.

Synopsis: The malicious JavaScript code aims to avoid detection by modern defense systems. Baka has stealth and anti-detection capabilities.
According to an alert from Visa’s Payment Fraud Disruption (PFD) division, the skimmer also attempts to avoid detection and analysis by “removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated”.

Reference: Visa security alert – https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf

Additional: A brief description of the attack concept: the attacker sneaks some malicious JavaScript (usually via a <script> tag) into your HTML, which is then executed.

How to protect against this attack?
– Sanitizing at the URL parameter layer
– Sanitizing at the templating layer

Ransomware hits Jack Daniel’s, said Bloomberg News – August 15, 2020

Preface: Whiskey production involves multiple procedures carried out in potentially hazardous atmospheres. LB Remote I/O System connects sensors and actuators to the DCS via PROFIBUS. In terms of application, DCS is suitable for whisky production and complex control processes.

Incident background: Brown-Forman Corp., a manufacturer of alcoholic beverages including Jack Daniel’s and Finlandia, said it was hit by a cyber-attack in which some information, including employee data, may have been impacted. Please refer to the link for more details – https://www.bloomberg.com/news/articles/2020-08-14/brown-forman-was-target-of-apparent-ransomware-attack

Technical details of ransomware: A message sent anonymously to Bloomberg claimed to have hacked Brown-Forman and compromised its internal network. The ransomware is known as REvil. Its infection mechanism relies on a Microsoft design weakness (CVE-2018-8453).

As usual, ransomware will copy the data then write data to the registry. The ransomware process will destroy all shadow volumes of the victim machine and disable the protection of the recovery boot. Finally, it encrypts files in all logical units and network shares, and displays the ransom notice on the screen.

Recommendation: To avoid ransomware attacks, we should follow the vendor's patch management and keep the antivirus program up to date.

Australia (ACSC) urges local citizens to be vigilant against cyber attacks. The so-called copy-paste compromises – 18th June 2020

Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020

Technical details: Long story short, the nickname of this attack is ‘Copy-Paste Compromises’. It is derived from the cyber attacker's heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer to the link below to download the report.

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.

Recommendation: In normal circumstances, with a locked-down firewall rule (deny any source to any destination), it is hard to do the analysis by eyeball. But this attack vector is directed at Australia. To avoid a cyber attack on your firm, firewall administrators should check their SIEM to see whether it reveals any hints. If no such facility is installed, perhaps export the web server log and see whether you can find details of the attack activity.
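A starting point for the web server log review suggested above, as an added example that is not taken from the ACSC advisory. The log lines are constructed samples in combined log format, and the heuristic (a script URI that answers POSTs with 200 but is only ever requested by a single client) is this example's assumption about what deserves a closer look:

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".aspx", ".ashx", ".php", ".jsp")

def rare_script_uris(lines, max_clients=1):
    """Return script URIs that served POSTs with 200 and had few distinct clients."""
    posters = defaultdict(set)   # path -> IPs that POSTed successfully
    visitors = defaultdict(set)  # path -> every IP that requested it
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        visitors[path].add(m["ip"])
        if m["method"] == "POST" and m["status"] == "200":
            posters[path].add(m["ip"])
    return sorted(p for p in posters if len(visitors[p]) <= max_clients)

# Constructed log lines using documentation-only IP ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2020:10:00:01 +1000] "GET /login.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2020:10:00:05 +1000] "POST /login.aspx HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [18/Jun/2020:10:02:11 +1000] "POST /uploads/img_resize.aspx HTTP/1.1" 200 48 "-" "python-requests/2.23"',
    '203.0.113.50 - - [18/Jun/2020:10:02:40 +1000] "POST /uploads/img_resize.aspx?x=1 HTTP/1.1" 200 2048 "-" "python-requests/2.23"',
    '192.0.2.10 - - [18/Jun/2020:10:03:00 +1000] "GET /static/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for uri in rare_script_uris(SAMPLE_LOG):
        print("review:", uri)
```

Any URI it returns is a candidate only; as the post says, validate the file's origin and authenticity before treating it as a web shell.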