More stories

  • Siloscape: this new malware targets Windows containers to access Kubernetes clusters

    Researchers have detailed a new strain of malware built to compromise Windows containers as a stepping stone into Kubernetes clusters.

    The malware, dubbed Siloscape, is unusual because malware written for containers has overwhelmingly targeted Linux, the dominant operating system for cloud workloads. According to Palo Alto Networks’ Unit 42, Siloscape was first discovered in March this year and is named for its overall aim: escaping Windows containers by way of a server silo.

    In a blog post on Monday, the researchers said Siloscape reaches its command-and-control (C2) server, which the operators use to manage infected hosts, exfiltrate data and issue commands, through a Tor proxy and a .onion address.

    The malware, which carries the file name CloudMalware.exe, targets Windows containers running under Server (process) isolation rather than Hyper-V isolation. Initial access comes from known, unpatched vulnerabilities in web servers, web applications or databases running inside such containers. Siloscape then attempts to achieve remote code execution (RCE) on the container’s underlying node using Windows container escape techniques, such as impersonating CExecSvc.exe, the container execution service, to acquire SeTcbPrivilege.

    “Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”

    If the escape succeeds, the malware tries to create malicious containers, steal data from applications running in the compromised cluster, or drop cryptocurrency miners that burn the cluster’s resources to mine for the operators’ profit for as long as the activity goes undetected.

    The developers have layered heavy obfuscation over the binary, to the point where function and module names are only deobfuscated at runtime, to conceal it and slow reverse engineering. The malware also uses a pair of keys to decrypt the C2 server’s password; those keys appear to be generated for each attack.

    “The hardcoded key makes each binary a little bit different than the rest, which is why I couldn’t find its hash anywhere,” the research states. “It also makes it impossible to detect Siloscape by hash alone.”

    Unit 42 managed to obtain access to the C2 and identified 23 active victims, and 313 victims in total, likely accumulated over campaigns running for about a year. Within minutes, however, the researchers’ presence was noticed, they were kicked off the server, and the service went dark, at least at that .onion address.

    Microsoft’s guidance is that Hyper-V isolation, not standard process-isolated Windows containers, should be used wherever a container is relied on as a security boundary. Unit 42 added that Kubernetes clusters should be configured so that node privileges alone are not enough to create new deployments.
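    The two mitigations in the last paragraph can be checked mechanically. The script below is an added example, not code from the article, from Unit 42 or from Microsoft: it takes the JSON that `docker inspect` prints for a set of Windows containers and lists those running with process (Server) isolation, then takes a dump of ClusterRoles and ClusterRoleBindings and lists any binding that lets a node identity (the `system:nodes` group or a `system:node:<name>` user) create or modify workload objects. The sample data is constructed, and the RBAC check is deliberately narrow: it does not model the Node authorizer, aggregated ClusterRoles or namespaced RoleBindings, so an empty result here is necessary, not sufficient.

```python
"""Two audit helpers for the Siloscape mitigations: Hyper-V isolation for
Windows containers, and no workload-creation rights for node identities.

Added illustration; not code from the article, Unit 42 or Microsoft.
Inputs are the JSON documents that `docker inspect <ids>` and
`kubectl get clusterroles,clusterrolebindings -o json` print; the samples
below are constructed, not taken from any real host or cluster.
"""
import json
from typing import Dict, List, Tuple

# --- 1. Windows container isolation ---------------------------------------

# Constructed `docker inspect` output, trimmed to the fields we need.
DOCKER_INSPECT_SAMPLE = json.dumps([
    {"Id": "0001", "Name": "/web-iis", "HostConfig": {"Isolation": "process"}},
    {"Id": "0002", "Name": "/batch",   "HostConfig": {"Isolation": "hyperv"}},
    {"Id": "0003", "Name": "/legacy",  "HostConfig": {"Isolation": "default"}},
])


def process_isolated_containers(inspect_json: str, host_is_server: bool = True) -> List[str]:
    """Names of containers that share the host kernel.

    Docker reports 'default' when no --isolation flag was given; on a Windows
    Server host that means process isolation, on a Windows client host it
    means Hyper-V, so the host type decides how 'default' is read.
    """
    shared_kernel = []
    for c in json.loads(inspect_json):
        iso = c.get("HostConfig", {}).get("Isolation", "default").lower()
        if iso == "default":
            iso = "process" if host_is_server else "hyperv"
        if iso != "hyperv":
            shared_kernel.append(c["Name"].lstrip("/"))
    return shared_kernel


# --- 2. Kubernetes RBAC: can a node identity create workloads? -------------

WORKLOAD_RESOURCES = {"pods", "deployments", "replicasets", "daemonsets",
                      "statefulsets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch", "*"}

# Constructed RBAC dump in the shape of `kubectl get ... -o json` items.
RBAC_SAMPLE = json.dumps({
    "clusterRoles": [
        {"metadata": {"name": "system:node"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"],
                    "verbs": ["get", "list", "watch"]}]},
        {"metadata": {"name": "deployer"},
         "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                    "verbs": ["create", "get"]}]},
        {"metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ],
    "clusterRoleBindings": [
        {"metadata": {"name": "system:node"},
         "roleRef": {"kind": "ClusterRole", "name": "system:node"},
         "subjects": [{"kind": "Group", "name": "system:nodes"}]},
        {"metadata": {"name": "worker-deploys"},            # the bad one
         "roleRef": {"kind": "ClusterRole", "name": "deployer"},
         "subjects": [{"kind": "User", "name": "system:node:win-worker-01"}]},
        {"metadata": {"name": "alice-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "alice"}]},
    ],
})


def is_node_subject(subject: dict) -> bool:
    """True for the system:nodes group or any system:node:<name> user."""
    kind, name = subject.get("kind"), subject.get("name", "")
    return (kind == "Group" and name == "system:nodes") or \
           (kind == "User" and name.startswith("system:node:"))


def rule_writes_workloads(rule: dict) -> bool:
    """True if a single RBAC rule allows creating/modifying workload objects."""
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return bool(verbs & WRITE_VERBS) and ("*" in resources or bool(resources & WORKLOAD_RESOURCES))


def node_workload_grants(rbac_json: str) -> List[Tuple[str, str]]:
    """(binding, role) pairs that let a node identity create/modify workloads."""
    data = json.loads(rbac_json)
    rules_by_role: Dict[str, list] = {
        r["metadata"]["name"]: r.get("rules", []) for r in data["clusterRoles"]
    }
    grants = []
    for binding in data["clusterRoleBindings"]:
        if not any(is_node_subject(s) for s in binding.get("subjects", [])):
            continue
        role = binding["roleRef"]["name"]
        if any(rule_writes_workloads(r) for r in rules_by_role.get(role, [])):
            grants.append((binding["metadata"]["name"], role))
    return grants


if __name__ == "__main__":
    print("process-isolated containers:", process_isolated_containers(DOCKER_INSPECT_SAMPLE))
    print("node identities that can create workloads:", node_workload_grants(RBAC_SAMPLE))
```

    Feed the first function the output of `docker inspect $(docker ps -q)` from each Windows node and the second the output of `kubectl get clusterroles,clusterrolebindings -o json` reshaped into the two lists; anything the second function returns is exactly the configuration Unit 42 warns about, where a node compromised by a container escape can immediately schedule new workloads.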


  • Tiny particles power chemical reactions

    MIT engineers have discovered a new way of generating electricity using tiny carbon particles that can create a current simply by interacting with liquid surrounding them.

    The liquid, an organic solvent, draws electrons out of the particles, generating a current that could be used to drive chemical reactions or to power micro- or nanoscale robots, the researchers say.

    “This mechanism is new, and this way of generating energy is completely new,” says Michael Strano, the Carbon P. Dubbs Professor of Chemical Engineering at MIT. “This technology is intriguing because all you have to do is flow a solvent through a bed of these particles. This allows you to do electrochemistry, but with no wires.”

    In a new study describing this phenomenon, the researchers showed that they could use this electric current to drive a reaction known as alcohol oxidation — an organic chemical reaction that is important in the chemical industry.

    Strano is the senior author of the paper, which appears today in Nature Communications. The lead authors of the study are MIT graduate student Albert Tianxiang Liu and former MIT researcher Yuichiro Kunai. Other authors include former graduate student Anton Cottrill, postdocs Amir Kaplan and Hyunah Kim, graduate student Ge Zhang, and recent MIT graduates Rafid Mollah and Yannick Eatmon.

    Unique properties

    The new discovery grew out of Strano’s research on carbon nanotubes — hollow tubes made of a lattice of carbon atoms, which have unique electrical properties. In 2010, Strano demonstrated, for the first time, that carbon nanotubes can generate “thermopower waves.” When a carbon nanotube is coated with a layer of fuel, moving pulses of heat, or thermopower waves, travel along the tube, creating an electrical current.

    That work led Strano and his students to uncover a related feature of carbon nanotubes. They found that when part of a nanotube is coated with a Teflon-like polymer, it creates an asymmetry that makes it possible for electrons to flow from the coated to the uncoated part of the tube, generating an electrical current. Those electrons can be drawn out by submerging the particles in a solvent that is hungry for electrons.

    To harness this special capability, the researchers created electricity-generating particles by grinding up carbon nanotubes and forming them into a sheet of paper-like material. One side of each sheet was coated with a Teflon-like polymer, and the researchers then cut out small particles, which can be any shape or size. For this study, they made particles that were 250 microns by 250 microns.

    When these particles are submerged in an organic solvent such as acetonitrile, the solvent adheres to the uncoated surface of the particles and begins pulling electrons out of them.

    “The solvent takes electrons away, and the system tries to equilibrate by moving electrons,” Strano says. “There’s no sophisticated battery chemistry inside. It’s just a particle and you put it into solvent and it starts generating an electric field.”

    “This research cleverly shows how to extract the ubiquitous (and often unnoticed) electric energy stored in an electronic material for on-site electrochemical synthesis,” says Jun Yao, an assistant professor of electrical and computer engineering at the University of Massachusetts at Amherst, who was not involved in the study. “The beauty is that it points to a generic methodology that can be readily expanded to the use of different materials and applications in different synthetic systems.”

    Particle power

    The current version of the particles can generate about 0.7 volts of electricity per particle. In this study, the researchers also showed that they can form arrays of hundreds of particles in a small test tube. This “packed bed” reactor generates enough energy to power a chemical reaction called an alcohol oxidation, in which an alcohol is converted to an aldehyde or a ketone. Usually, this reaction is not performed using electrochemistry because it would require too much external current.

    “Because the packed bed reactor is compact, it has more flexibility in terms of applications than a large electrochemical reactor,” Zhang says. “The particles can be made very small, and they don’t require any external wires in order to drive the electrochemical reaction.”

    In future work, Strano hopes to use this kind of energy generation to build polymers using only carbon dioxide as a starting material. In a related project, he has already created polymers that can regenerate themselves using carbon dioxide as a building material, in a process powered by solar energy. This work is inspired by carbon fixation, the set of chemical reactions that plants use to build sugars from carbon dioxide, using energy from the sun.

    In the longer term, this approach could also be used to power micro- or nanoscale robots. Strano’s lab has already begun building robots at that scale, which could one day be used as diagnostic or environmental sensors. The idea of being able to scavenge energy from the environment to power these kinds of robots is appealing, he says.

    “It means you don’t have to put the energy storage on board,” he says. “What we like about this mechanism is that you can take the energy, at least in part, from the environment.”

    The research was funded by the U.S. Department of Energy and a seed grant from the MIT Energy Initiative.

  • Patch now: Attackers are hunting for this critical VMware vCenter flaw

    The US Cybersecurity and Infrastructure Security Agency (CISA) has warned organisations running VMware vCenter Server and VMware Cloud Foundation to update as soon as possible because attackers are scanning the internet for vulnerable servers.

    VMware released patches on May 25 for two flaws in vCenter Server and Cloud Foundation, tracked as CVE-2021-21985 and CVE-2021-21986. CVE-2021-21985 is a remote code execution bug with a CVSS severity rating of 9.8 out of 10; CVE-2021-21986 is an authentication issue in several vSphere Client plug-ins and is rated 6.5.

    CISA has now warned that it is “aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985” and said organisations should apply the updates as soon as possible, even if out-of-cycle work is required.

    As ZDNet reported last month, CVE-2021-21985 lies in the Virtual SAN Health Check plug-in, which is enabled by default in the vSphere Client (HTML5) whether or not vSAN is in use. An attacker with network access to port 443 on vCenter Server can exploit it to run commands on the underlying operating system that hosts vCenter Server and take control of it.

    “Although patches were made on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system,” CISA warned.

    As Ars Technica reported, Troy Mursch, a security researcher at Bad Packets, has been tracking mass scanning for the bug against internet-exposed vCenter servers. On Saturday, Mursch reported seeing exploitation attempts that used a public proof-of-concept exploit for CVE-2021-21985 against the vulnerable vCenter honeypot that Bad Packets operates.

    “CVE-2021-21985 exploit activity detected from 119.28.15.199 (🇭🇰) based on this PoC (https://t.co/qhBbHdOaK4) targeting our VMware vCenter honeypot. Query our API for “source_ip_address=119.28.15.199” for full payload and other relevant indicators. #threatintel”
    Bad Packets (@bad_packets), June 5, 2021

    VMware urged customers to patch affected servers immediately. The virtualisation software firm warned that organisations that have placed vCenter Server on internet-exposed networks, without the firewall that is often the last line of defence, should audit those systems for signs of compromise.

    “In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” it said earlier.

    CISA recommended that administrators review VMware’s VMSA-2021-0010 advisory, its blog post and its FAQ on the issue.
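    Auditing an exposed vCenter for compromise, as VMware advises, starts with its web access logs. The check below is an added example, not code from the article, from VMware or from Bad Packets: it runs over a few constructed access-log lines and flags requests that either come from the source IP published in the Bad Packets tweet above or POST into the request path of the vSAN Health Check plug-in. Two things are assumptions rather than facts from the article: the lines are in the common Apache/NGINX combined format (vCenter’s own reverse-proxy logs are laid out differently, so the regex needs swapping for those), and the plug-in path prefix `/ui/h5-vsan/rest/proxy/service/` is the one public detection rules for CVE-2021-21985 key on.

```python
"""Flag likely CVE-2021-21985 probing in vCenter web access logs.

Added illustration; not code from the article, VMware or Bad Packets.
Assumptions not taken from the article:
  * lines are in Apache/NGINX "combined" format (vCenter's own reverse-proxy
    logs differ, so replace LOG_RE when reading those);
  * the vulnerable vSAN Health Check plug-in is reached under
    /ui/h5-vsan/rest/proxy/service/, the prefix public detection rules use.
The source IP 119.28.15.199 is the one Bad Packets published.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines: addresses are documentation ranges plus the
# published IOC; the paths after the plug-in prefix are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2021:10:14:02 +0000] "GET /ui/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
119.28.15.199 - - [05/Jun/2021:10:14:09 +0000] "POST /ui/h5-vsan/rest/proxy/service/exampleSvc/exampleOp HTTP/1.1" 200 87 "-" "python-requests/2.25.1"
198.51.100.23 - - [05/Jun/2021:10:15:40 +0000] "POST /ui/h5-vsan/rest/proxy/service/exampleSvc/exampleOp HTTP/1.1" 500 0 "-" "curl/7.68.0"
203.0.113.7 - - [05/Jun/2021:10:16:01 +0000] "GET /ui/h5-vsan/rest/proxy/service/exampleSvc/status HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
119.28.15.199 - - [05/Jun/2021:10:16:30 +0000] "GET /sdk/vimServiceVersions.xml HTTP/1.1" 200 2430 "-" "masscan/1.3"
not a log line at all
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
IOC_IPS = frozenset({"119.28.15.199"})                 # Bad Packets, 5 June 2021
VSAN_PROXY_PREFIX = "/ui/h5-vsan/rest/proxy/service/"  # assumption, see docstring


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    reason: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into ip/ts/method/path/status, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_vcenter_probes(log_text: str, ioc_ips=IOC_IPS, prefix=VSAN_PROXY_PREFIX) -> List[Finding]:
    """One Finding per request that comes from a known scanner IP or POSTs
    into the vSAN plug-in proxy path. Plain GETs under the prefix are left
    alone to limit noise from normal client use; tighten this if your own
    baseline shows none."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                                   # skip unparseable lines
        if rec["ip"] in ioc_ips:
            findings.append(Finding(rec["ip"], rec["ts"], "known-scanner-ip", rec["path"]))
        elif rec["method"] == "POST" and rec["path"].startswith(prefix):
            findings.append(Finding(rec["ip"], rec["ts"], "post-to-vsan-plugin", rec["path"]))
    return findings


def hits_per_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source IP so repeated probing stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_vcenter_probes(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts}  {f.ip:<15} {f.reason:<20} {f.path}")
    print(hits_per_source(hits))
```

    A hit on the IOC address is a strong signal only for the window in which that scanner was active; the path-based rule is the durable one, and a POST into the plug-in path that returned 200 from an address you do not recognise is the line to pull the full request body for.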

  • The cost of ransomware attacks worldwide will go beyond $265 billion in the next decade

    The cost of ransomware incidents worldwide is expected to spiral out of control, exceeding $265 billion by 2031. 

    Ransomware is now one of the most damaging, and most popular, types of malware. When it lands on a vulnerable system, files are typically encrypted, users are locked out, and payment is demanded, usually in cryptocurrency, in return for a decryption key. In a more recent evolution, operators also steal information during an attack and threaten to publish it on dark web leak sites or sell it on, doubling the pressure on victims to pay.

    At present, some of the best-known groups that have turned ransomware into a lucrative ‘business’ are Maze, Nefilim, Clop and DarkSide, the last of which left the scene, at least under that name, after extorting $4.4 million from Colonial Pipeline following an attack that disrupted fuel supplies across the United States.

    Cybersecurity Ventures predicts that ransomware damage could cost the world $265 billion by 2031, based on attacks hitting enterprises and consumers at a rate of one every few seconds. The research firm currently estimates that ransomware will cost approximately $20 billion this year, a 57x jump from 2015. Its latest estimates assume 30% year-over-year growth in incidents.

    Ransomware infections can mean costly insurance premiums and payouts, the need to hire digital forensics firms to investigate, damage limitation and system repair, data loss, and potentially payments to attackers to recover critical systems or prevent data from being leaked. The latest estimate also includes business disruption during and after an attack, reputational harm, and the cost of employee training following an incident.

    Palo Alto Networks reports that the average ransom payment alone surged from $115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase. The largest demand recorded in recent years is $30 million.

    Despite government officials across the globe becoming involved, including US President Biden, who recently signed an executive order requiring federal agencies to work toward improving the country’s cybersecurity posture, ransomware incidents are only getting worse.

    “Despite authorities’ recent success in busting several ransomware gangs, this particular breed of malware has proven to be a hydra — cut off one head and several appear in its place — and all signs are that the coming decade will be no less problematic,” Cybersecurity Ventures noted.

  • NBN floats options for killing off CVC charges

    [Image: NBN’s pricing options: a reworking of the current model; its melded halfway house model; and its flat price model. Credit: NBN]
    The company responsible for the National Broadband Network has revealed the flat-price model it has been working on, one of three pricing options it is putting to retailers. The flat-price option would remove the loathed connectivity virtual circuit (CVC) capacity charge from all plans, with access pricing rising as a result.

    NBN is also putting forward a reworked version of its current pricing structure, with the CVC charge dropping by AU$2 to AU$6 per Mbps, and a melded option that removes the CVC on plans of 100Mbps down and faster while keeping the current AU$8 CVC charge on lower speeds. Satellite connections are not considered in the discussion paper, released on Monday, to modify NBN’s Special Access Undertaking.

    “All three options substantially address many of the concerns that have been expressed by retailers and provide a pathway forward to delivering a sustainable long-term pricing framework that supports the industry and meets the future digital needs of Australians,” NBN said. “While we are aware of some retailers’ preference for a flat AVC-only construct, NBN Co believes careful consideration needs to be given to the potential impact on affordability of the broadband network for low usage customers, equitable cost recovery between consumer segments, take up of NBN services, retail competition, and consumer choice.”

    Citing a report written for it by Accenture, NBN said the flat-pricing option would mean price rises of AU$120 a year for the 1.4 million customers on low-data plans.

    “NBN is concerned that [flat-pricing] would not deliver a number of outcomes that usage-based charges were designed to achieve, and would impact not just the affordability of the NBN broadband network for low usage customers, but also the take up of NBN services,” it said. “NBN estimates that between 69,000 and 170,000 end-users would no longer be able to afford or be willing to take-up NBN broadband under [flat-pricing], primarily as a result of the removal of data-capped plans in market and retail price increases. The initial pricing proposal … has been adjusted to account for potential losses in NBN take-up.”

    The company added that, in exchange for losing CVC revenue, it would turn to indexation of its fixed charges to recoup its investment.

    “In general, NBN proposes that where the pricing proposals outlined in this paper restrict or entirely remove NBN’s ability to recover its costs through usage-based charges in the form of CVC as applied to increasing bandwidth usage, NBN should have the opportunity to recover those costs by increasing fixed charge pricing components in real terms (i.e. an increase above the rate of inflation, reflecting the rapid growth in usage and hence capacity),” it argued. “This is critical to allowing NBN the opportunity to generate additional revenue to recover efficient existing and future investments needed to sustain growing bandwidth requirements as well as network upgrade programs to uplift the capability of the network. This approach also reflects that the increased utility derived by end-users of the service as their usage of the network increases should be appropriately reflected in the revenues that NBN is able to earn.”

    It added that removing CVC would result in traffic surges, such as when popular games are updated, and said it would need extra safeguards to manage capacity.

    For its melded option, NBN said that because telcos’ data-capped and entry-level plans sit below the 100Mbps mark, it would expect retailers to have “little to no overage exposure”.

    On entry-level pricing, NBN said there was not strong evidence for 20% annual increases in the data inclusion on 12/1Mbps plans. It said CVC utilisation on such plans has been shifting downwards as some customers move to higher speeds, and is well below the 1.7Mbps deemed suitable for a AU$35 bundle.

    “NBN understands that providing pricing certainty on entry-level services is important, and that price controls on these services can provide a meaningful anchor on prices of higher value services,” it said. “Accordingly, we are proposing a price control of CPI for entry-level services, to enable the price to remain constant in real terms over time. In addition, we are proposing to commit to increase CVC inclusions on the [entry-level bundle] based on the actual usage growth of end-users on that service.”

    For some time the Australian Competition and Consumer Commission (ACCC), which oversees the undertaking, has expressed concern at NBN’s use of discounts. NBN said in its paper that discounts allow it to trial pricing changes before committing to them.

    Written submissions from the members of NBN’s product development forum are due by July 16. NBN said it is looking to lodge the variation with the ACCC in the final quarter of 2021.

    “We believe the pricing options presented for discussion represent a balanced approach to meeting the objectives set out in this paper. The various pricing options include ones designed to reduce retailers’ commercial risk of exposure to higher than expected usage growth; support the continuation of cheaper data capped retail plans and promote a competitive environment that enables retailers to differentiate their respective offerings from their peers,” NBN executive general manager of commercial Ken Walliss said. “In evaluating a final pricing option, key considerations for NBN Co will be promoting strong outcomes for customers throughout Australia, creating the environment for robust retail competition and opportunities to support all customer groups as much as possible, and maintaining the company’s ability to earn a reasonable return on its investment to enable continued efficient investment in the network.”

  • Australians spent AU$26.5m in cryptocurrency to pay scammers in 2020

    Australians reported losses to scams totalling AU$851 million in 2020, including AU$128 million lost to business email compromise (BEC), AU$8.4 million to remote access scams and AU$3.1 million to identity theft. Investment scams topped the list, costing victims AU$328 million. Across all the sources the report draws on, 444,164 scam reports were recorded.

    The figures come from a report [PDF] by the Australian Competition and Consumer Commission’s (ACCC) Scamwatch. The AU$851 million combines Scamwatch’s own data with figures from other agencies and Australia’s major financial institutions. Scamwatch alone received 216,087 reports during the 2020 calendar year, with AU$176 million in losses, still an increase of around 23% on the AU$143 million reported to it in 2019.

    Bank transfer remained the most common payment method used in scams, with just over AU$97 million lost, but bitcoin and other cryptocurrency was the second most common, with AU$26.5 million lost.

    Those aged over 65 reported the largest losses, AU$37.7 million of the total, while those aged 25 to 34 made the most reports to Scamwatch, at 33,000. Reports were split almost exactly 50-50 between those who identified as men and those who identified as women.

    Phone calls remained the most common way for scammers to make contact, accounting for 47.7% of reports (103,153), followed by email (22%), text message (15%), “internet” (6.3%) and social media (4.5%).

    Unsurprisingly, COVID-19 led to an increase in losses and reports for several categories. Victoria, which was the hardest hit with lockdowns, was the origin of AU$49 million of the total losses for 2020.
    Compared with 2019, reported losses to remote access scams increased more than 74% to AU$8.4 million, and reported losses to threat-based scams increased more than 178% to AU$11.8 million. Reports attributed to “hacking” numbered 8,691, ransomware and malware 3,885, and phishing 44,079.

    The most commonly impersonated entities in phishing scams in 2020 were the same as in 2019: Telstra, NBN Co, government organisations, the big four banks and package delivery companies, with a large increase in phishing impersonating Amazon. Email phishing most commonly impersonated PayPal, followed by Netflix.

    Health and medical scam losses rose more than 2,000% compared with 2019 as a result of the pandemic, reaching over AU$3.9 million. There were over 24,000 reports of government impersonation scams, with losses of AU$1.9 million.

    Reports of scams involving the purchase of vehicles, including cars, caravans and campervans, rose 220%, and reported losses 322%, to just over AU$1 million. The ACCC said scammers targeted both buyers and sellers and mostly used Facebook Marketplace, Gumtree, Carsales and Autotrader to make contact with potential victims.

    Scamwatch also received over 330 bushfire-related reports through its website. Celebrity endorsement scams caused reported losses of over AU$1.8 million; some of these, the ACCC said, encouraged people to invest in cryptocurrencies. Scamwatch received 2,082 reports, with losses of over AU$7 million, about Chinese authority scams, a 77% increase in reports and a 250% increase in losses compared with 2019.

    Scam losses reported by businesses increased by 260% in 2020, to AU$18 million. Businesses made the most reports about false billing and phishing scams, typically involving a request for payment for a service or item that wasn’t ordered, or a scammer diverting money by impersonating the intended recipient of a payment.

    In 2020, WhatsApp was added as an option in the reporting form; the ACCC received 347 reports selecting it. Scam reports listing the contact mode as social networking/online forum and naming the dating app Tinder increased from 73 in 2019 to 174 in 2020. “This 138% increase in reporting was primarily in relation to romance scams, but also included investment scams where scammers encouraged victims to invest in cryptocurrencies,” the report added.

  • US Justice Department accuses Latvian national of deploying Trickbot malware

    The US Department of Justice (DoJ) has charged a Latvian woman for her alleged role in creating and deploying Trickbot, the banking trojan that has evolved into one of the most popular pieces of malware among cyber criminals. The accused, Alla Witte, was arrested in Miami four months ago.

    According to the charges, Witte worked in the criminal organisation, called the Trickbot Group, that deployed the malware. In this role, she allegedly wrote code related to the control, deployment and payment of ransomware for the group.

    Trickbot gives cyber criminals a means of delivering further malware onto compromised machines and of stealing personal and financial information, including login credentials, credit card numbers, emails, passwords, dates of birth, social security numbers and addresses. With that information in hand, the attackers gain access to online bank accounts, execute unauthorised electronic funds transfers, and launder the money through US and foreign beneficiary accounts, the DoJ alleges.

    According to the indictment, Witte and others stole money and confidential information from unsuspecting victims, including businesses and their financial institutions, across Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain, Russia, the United States and the United Kingdom. Initially emerging as a banking trojan in 2016, Trickbot has increasingly been used to distribute other malware, particularly in the wake of the takedown of the Emotet botnet.

    Emotet was the world’s most prolific and dangerous malware botnet before an international law enforcement operation disrupted it in January.

    In addition to the accusation that Witte helped write code for the Trickbot malware, the indictment charges her over her alleged role in ransoming victims. Witte and her co-conspirators allegedly coerced victims into purchasing “special software”, paid for through a bitcoin address controlled by the Trickbot Group, to decrypt their files. Witte also allegedly provided the group with code that monitored and tracked authorised users of the malware, and developed tools and protocols to store stolen login credentials.

    In total, Witte is charged in 19 counts of a 47-count indictment. If convicted, she could face up to 87 years in prison. Information about the other individuals charged in the indictment is currently confidential.

    “These charges serve as a warning to would-be cybercriminals that the Department of Justice, through the Ransomware and Digital Extortion Task Force and alongside our partners, will use all the tools at our disposal to disrupt the cybercriminal ecosystem,” Deputy Attorney General Lisa Monaco said.

  • NSW Health confirms data breached due to Accellion vulnerability

    New South Wales Health has confirmed it was affected by the cyber attack on the file transfer system owned by Accellion. The system was widely used by organisations around the world, including NSW Health, to share and store files, the government entity said on Friday afternoon.

    “Following the NSW government’s advice earlier this year around a world-wide cyber attack that included NSW government agencies, NSW Health is notifying people whose data may have been accessed in the global Accellion cyber attack,” it said in a statement.

    The state entity said medical records in public hospitals were not affected and that the software involved is no longer in use by NSW Health. “Different types of information, including identity information and in some cases, health-related personal information, were included in the attack,” it added. NSW Health said it has been working with NSW Police and Cyber Security NSW and that, to date, there is no evidence any of the information has been misused.

    “A cyber incident help line has been set up to provide further information and support to those people NSW Health is contacting,” it said. “If you are contacted by NSW Health, you will be given the cyber incident help line details; if you are not contacted by NSW Health, no action is required.”

    The NSW Police Force and Cyber Security NSW have set up Strike Force Martine to determine the impact on the NSW government agencies caught up in the attack on Accellion.

    Accellion’s File Transfer Appliance (FTA) is an enterprise product for transferring large files. Although now discontinued and supplanted by the company’s Kiteworks platform, the legacy software was still in use when attackers began exploiting a zero-day vulnerability in it in December; an estimated 100 organisations around the world have been affected. Transport for NSW confirmed in February that it had been caught up in the breach. The Australian Securities and Investments Commission (ASIC) said in January that one of its servers had been breached earlier that month through the Accellion software the agency used to transfer files and attachments, and Accellion was also the vector for the breach of the Reserve Bank of New Zealand (RBNZ) in January.