More stories

    Cloud computing: Microsoft fixes Azure flaw that could have allowed access to other accounts

    Microsoft has fixed a bug in the Azure Automation service that could have allowed one account owner to access another customer’s accounts using the same service. Azure Automation lets customers automate cloud management tasks or jobs, update Windows and Linux systems, and automate other repetitive tasks. 

    According to security firm Orca, the bug, which it reported to Microsoft on December 6, allowed a potential attacker on the service to “gain full control over resources and data of a targeted account, depending on the permissions of the account.”

    Orca researcher Yanir Tsarimi says the flaw he found allowed him to interact with an internal Azure server that manages the sandboxes of other customers. “We managed to obtain authentication tokens for other customer accounts through that server. Someone with malicious intentions could’ve continuously grabbed tokens, and with each token, widen the attack to more Azure customers,” explains Tsarimi.

    Microsoft has clarified that only Azure Automation accounts that used Managed Identities tokens for authorization and an Azure Sandbox for job runtime and execution were exposed. However, Orca also notes that the Managed Identities feature in an Automation account is enabled by default. Microsoft says it had not detected evidence that tokens had been misused and has notified customers with affected Automation accounts.

    According to Orca, on December 7 it discovered several large companies were potentially at risk, including “a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more.”

    Microsoft explains that an Azure Automation job can acquire a Managed Identities token for access to Azure resources. The scope of the token’s access is defined in the Automation Account’s Managed Identity. “Due to the vulnerability, a user running an automation job in an Azure Sandbox could have acquired the Managed Identities tokens of other automation jobs, allowing access to resources within the Automation Account’s Managed Identity,” Microsoft Security Response Center (MSRC) notes.

    Azure Automation accounts that use an Automation Hybrid Worker for execution and/or Automation Run-As accounts for access to resources weren’t impacted. Microsoft mitigated the issue on December 10 by blocking access to Managed Identities tokens from all sandbox environments except the one that had legitimate access, MSRC explains.

    Palo Alto: More than 100,000 infusion pumps vulnerable to 2 vulnerabilities

    In an examination of more than 200,000 infusion pumps on the networks of several healthcare organizations, Palo Alto Networks security researchers discovered that more than 52% were susceptible to two known vulnerabilities that were disclosed in 2019 – one with a “critical” severity score and the other with a “high” severity score.

    Palo Alto Networks’ Unit 42 released a report examining 200,000 infusion pumps on the networks of hospitals and clinics that use its security program for IoT devices.

    “An alarming 75% of infusion pumps scanned had known security gaps that put them at heightened risk of being compromised by attackers,” the researchers said. “These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices.”

    The report lists several vulnerabilities affecting most infusion pumps, including CVE-2019-12255, CVE-2019-12264, CVE-2016-9355, CVE-2016-8375, CVE-2020-25165, CVE-2020-12040, CVE-2020-12047, CVE-2020-12045, CVE-2020-12043 and CVE-2020-12041. CVE-2019-12255, which had a 9.8 rating, was found in 52.11% of all the infusion pumps Palo Alto looked at. CVE-2020-12040, CVE-2020-12047, CVE-2020-12045, CVE-2020-12043 and CVE-2020-12041 all had ratings of 9.8 and were found in at least 15% of the infusion pumps examined.

    Aveek Das, the Unit 42 researcher who conducted the study, told ZDNet that threat actors could potentially exploit some of these vulnerabilities to take control of pump functions, including medication dosing. Das added that the issues they discovered are “just the tip of the iceberg” and noted that it was likely that they would find similar things with other connected devices in hospitals.

    “We focused on infusion pumps because they are so prevalent — they account for 44% of all medical devices and are the most widely used type of connected devices in healthcare settings,” Das said. Most large hospital systems have thousands of infusion pumps, making it difficult for security teams to manage them and figure out which ones need to be replaced or updated.

    “The most common vulnerabilities we observed that are specific to the infusion systems we studied can be grouped into several categories according to the effects they may have: leakage of sensitive information, unauthorized access and overflow. Other vulnerabilities stem from third-party TCP/IP stacks but can affect the devices and their operating systems,” the researchers explained. “We observe that a large number of vulnerabilities in infusion pump systems – and in internet of medical things (IoMT) devices overall – are related to leakage of sensitive information. Devices vulnerable to this type of issue can leak operational information, patient-specific data, or device or network configuration credentials. Attackers looking to exploit these vulnerabilities need varying degrees of access. For example, CVE-2020-12040, which is specific to clear-text communication channels, can be remotely exploited by an attacker via a man-in-the-middle attack to access all the communication information between an infusion pump and a server. On the other hand, CVE-2016-9355 and CVE-2016-8375 can be exploited by someone with physical access to an infusion pump device to gain access to sensitive information – which makes the attack less likely, but still possible for an attacker with specific motivations.”

    The report adds that some of the other vulnerabilities discovered could give unauthenticated users the ability to gain access to a device or to send network traffic in a certain pattern that can cause a device to become unresponsive or operate in a way that is not expected. The researchers said the vulnerabilities can lead to a variety of bad outcomes, including disruptions to hospital operations and patient care.

    “Continuous use of default credentials, which are readily available online via a simple search, is another major issue in IoT devices in general – since it can give anyone who is in the same hospital network as the medical devices direct access to them,” the report said. “Many IoMT (and IoT) devices and their operating systems use third-party cross-platform libraries, such as network stacks, which might have vulnerabilities affecting the device in question. For example, for CVE-2019-12255 and CVE-2019-12264, the vulnerable TCP/IP stack IPNet is a component of the ENEA OS of Alaris Infusion Pumps, thereby making the devices vulnerable.”

    Infusion pumps have long been a source of ire for cybersecurity experts and vendors, who have spent more than a decade trying to improve their security. Palo Alto noted that the US Food and Drug Administration announced seven recalls for infusion pumps or their components in 2021 and nine more recalls in 2020. There has also been a movement to establish a base level of cybersecurity for the industry, but it has been hampered by the fact that most infusion pumps last about 10 years. This means many hospitals are using years-old pumps, making it more difficult to apply newer security features.

    Palo Alto could not say whether these vulnerabilities have ever been exploited, and almost no expert contacted could identify situations where these vulnerabilities were used during attacks. But Casey Ellis, CTO at Bugcrowd, said medical device security issues are incredibly personal and disconcerting.

    “I’ve seen wireless exploitation of similar systems used to create conditions which were able to dump the entire contents of an infusion pump or cause a pacemaker to discharge its battery all at once. These vulnerabilities don’t have that same kind of immediate safety implication, but an attacker could easily exploit the information leakage bugs, for example, to obtain data usable to threaten and extort a user with a similar outcome,” Ellis said. “Medical devices are intimately tied with their user, and in the case of a targeted attack, the possibilities range from extortion to surveillance to direct compromise of the individual themselves. The vulnerabilities in the report don’t seem to be directly tied to the ability to harm a user, but where there’s smoke, there is usually fire. The implication of the report is that software vulnerabilities (and lag time in patching them) are a systemic problem with medical devices. This is partly an area of important improvement for medical device manufacturers, and partly a challenge of testing and updating safety-critical systems.”

    FBI warns: This ransomware group has gone after critical infrastructure firms again and again

    The FBI has issued an alert over the RagnarLocker gang, a group known to use crafty techniques like running ransomware inside a virtual machine to evade antivirus detection. The law enforcement agency said it became aware of RagnarLocker in April 2020 and that, as of January 2022, it had “identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker.”

    These include entities in critical manufacturing, energy, financial services, government, and tech. The ransomware group frequently changes its obfuscation techniques to avoid detection and prevention, the FBI notes.

    Deploying RagnarLocker in a stripped-down virtual instance of Windows XP was one of those obfuscation methods. This tactic allowed the group to hide from local antivirus software and provided more time to encrypt files. The group was known for selecting enterprise targets only and has in the past compromised managed service provider tools to then breach their customers. The FBI’s warning is contained in a new Flash alert published in coordination with the Cybersecurity and Infrastructure Security Agency.

    The FBI notes that RagnarLocker still deploys within the attacker’s custom Windows XP virtual machine on a target’s site and then starts to encrypt files. “Instead of choosing which files to encrypt, RagnarLocker chooses which folders it will not encrypt. Taking this approach allows the computer to operate ‘normally’ while the malware encrypts files with known and unknown extensions containing data of value to the victim,” the FBI states.

    The FBI notes that if the logical drive being processed is the C: drive, it doesn’t encrypt files from the folders named Windows, Windows.old, Mozilla, Mozilla Firefox, Tor browser, Internet Explorer, $Recycle.Bin, Program Data, Google, Opera, or Opera Software. It also doesn’t encrypt files with the extensions .db, .sys, .dll, .lnk, .msi, .drv, or .exe.

    The FBI has published the latest indicators of compromise as of January 2022, including IP addresses, Bitcoin addresses, and email addresses used by the attackers. The FBI is also appealing for victims to provide information that might include: a copy of the ransom note, any undiscovered malicious IPs and details about unusual RDP and VPN connections, virtual currency addresses, extortion amounts, malicious files, a timeline of events, and evidence of data exfiltration.

    The FBI and US Secret Service (USSS) issued an alert last month about BlackByte ransomware, noting that the malware had compromised multiple US and foreign businesses, including entities from three US critical infrastructure sectors: government facilities, financial, and food and agriculture.

    Google is buying cybersecurity company Mandiant for $5.4 billion

    Google is to acquire cybersecurity company Mandiant in a deal worth $5.4 billion. The all-cash acquisition will see Mandiant join Google Cloud and deliver an end-to-end security operations suite, as well as advisory services to help customers address critical security challenges and stay protected. The deal will also bring Mandiant’s threat detection and intelligence service, along with testing and validation services under Google Cloud’s umbrella. “Cybersecurity is a mission, and we believe it’s one of the most important of our generation. Google Cloud shares our mission-driven culture to bring security to every organization,” said Kevin Mandia, CEO, Mandiant.  

    “Together, we will deliver our expertise and intelligence at scale via the Mandiant Advantage SaaS platform, as part of the Google Cloud security portfolio. These efforts will help organizations to effectively, efficiently and continuously manage and configure their complex mix of security products,” he added.

    Mandiant says that the acquisition by Google “underscores Google Cloud’s commitment to advancing its security offerings to better protect and advise customers across their on-premise and cloud environments”, and help enterprises stay protected at every stage of the security lifecycle.

    “Organizations around the world are facing unprecedented cybersecurity challenges as the sophistication and severity of attacks that were previously used to target major governments are now being used to target companies in every industry,” said Thomas Kurian, CEO, Google Cloud. “We look forward to welcoming Mandiant to Google Cloud to further enhance our security operations suite and advisory services, and help customers address their most important security challenges.”

    The acquisition is subject to customary closing conditions, including the receipt of Mandiant stockholder and regulatory approvals, and is expected to close later this year. Upon the close of the acquisition, Mandiant will join Google Cloud. “The cloud represents a new way to change the security paradigm by helping organizations address and protect themselves against entire classes of cyber threats, while also rapidly accelerating digital transformation,” Google said.

    Phishing attempts from FancyBear and Ghostwriter stepping up, says Google

    Ukrainian flag waving over Parliament in Kyiv, Ukraine.
    Image: Getty Images
    Google’s Threat Analysis Group (TAG) has provided an update in the wake of the Russian invasion of Ukraine, saying it has issued hundreds of warnings to Ukrainian users over the past year that they are being targeted by “government backed hacking”, particularly from Russia.

    In the weeks since Russia began its military action, TAG said it has seen FancyBear, a group said to be part of the Russian military intelligence agency GRU, conducting phishing campaigns against a Ukrainian media company called UkrNet.

    For Ghostwriter, a group Ukraine has previously said is part of the Belarusian Ministry of Defence, Google TAG has identified activity against Polish and Ukrainian government and military. The group has also been going after UkrNet webmail users as well as Yandex users. Google said its Safe Browsing service has been able to block Ghostwriter’s phishing domains.

    The update also noted that Chinese group Mustang Panda has switched from going after its usual Southeast Asian targets to focusing on Europeans. The group was sending out a malicious attachment that contained a downloader that would grab a payload.

    Google also said it continued to see DDoS attacks against Ukrainian sites, including the Ministry of Foreign Affairs and Ministry of Internal Affairs. “We expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need,” TAG wrote. “As of today, over 150 websites in Ukraine, including many news organizations, are using the service.”

    Coinbase blocks 25,000 Russian-linked accounts and promotes crypto over fiat for sanctions

    Image: Pigprox — Shutterstock
    Coinbase has come out in full-throated support of sanctions, and revealed the extent to which it works with governments, while at the same time stating it has blocked over 25,000 accounts linked to Russians the company believes are undertaking illicit activity. “Many of which we have identified through our own proactive investigations,” the company said. “Once we identified these addresses, we shared them with the government to further support sanctions enforcement.”

    In a blog post, the cryptocurrency exchange said when a user opens an account, it checks the provided information against lists of sanctioned individuals or entities provided by the United States, United Kingdom, European Union, United Nations, Singapore, Canada, and Japan, as well as blocking users from sanctioned areas such as Crimea, North Korea, Syria, and Iran. The company also revealed it keeps a list of accounts held by sanctioned people outside of Coinbase. “When the United States sanctioned a Russian national in 2020, it specifically listed three associated blockchain addresses,” it said. “Through advanced blockchain analysis, we proactively identified over 1,200 additional addresses potentially associated with the sanctioned individual, which we added to our internal blocklist.”

    Coinbase also claimed that digital assets are able to “naturally deter common approaches to sanctions evasion”. “By transacting through shell companies, incorporating in known tax havens, and leveraging opaque ownership structures, bad actors continue to use fiat currency to obscure the movement of funds,” it said. “In this way, they leave complex financial trails that are difficult to trace, requiring investigators to separately request information from many different financial institutions, and follow a trail across multiple countries.”

    The exchange said that due to the public, immutable, and traceable nature of blockchains, it is possible to trace transactions without needing to get information from multiple parties. “When applied to public blockchain data, analytics tools offer law enforcement additional capabilities. In many cases, law enforcement can trace the transaction history of a wallet from the very first transaction, follow transactions in real time, and group transactions according to risk level based on interactions with other wallets,” it said. “Coinbase’s proactive on-chain analysis identified more than 16,000 addresses possibly associated with Iranian exchanges, many of which had not yet been identified by others. We used this analysis to strengthen our compliance systems and inform law enforcement in order to enhance industry-wide awareness.”

    If Russia tried to get around sanctions through use of cryptocurrency, Coinbase said it would be more difficult than using fiat currency, gold, or even art. While promoting cryptocurrency, the exchange did not address the existence of coin tumbler services that can be used to disguise the provenance of digital assets and assist in laundering. A recent report said that since 2017, cybercriminals had laundered $33 billion worth of cryptocurrency.

    FBI warns of online scammers impersonating government officials, law enforcement

    The FBI released a warning on Monday about scammers impersonating government officials or law enforcement agencies before attempting to extort people and steal personal information. The notice says scammers are spoofing authentic phone numbers and names while also using fake credentials of well-known government and law enforcement agencies.

    “Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring,” the FBI explained. “Payment is demanded in various forms, with the most prevalent being prepaid cards, wire transfers, and cash, sent by mail or inserted into cryptocurrency ATMs. Victims are asked to read prepaid card numbers over the phone or text a picture of the card. Mailed cash will be hidden or packaged to avoid detection by normal mail scanning devices. Wire transfers are often sent overseas so funds almost immediately vanish.”

    Scammers typically call victims and say their identity was used in a crime before asking them to verify their social security number and date of birth. Some victims are threatened with prosecution or arrest if they do not provide the information or pay for the charges to be removed. Others are called and asked about not reporting for jury duty or other local fines. The FBI said victims have been told they missed a court date or have a warrant for their arrest that requires payment to resolve. At times, attackers can even text victims pretending to be government agencies in need of passport or driver’s license information for document renewals.

    “Medical practitioners are contacted to warn of the expiration of their medical licensing, or their license was utilized to conduct a crime. The scammers will threaten revocation of their license or registration, and the medical professional is compelled to renew their license to protect their professional reputation,” the FBI said. “Many victims report extortion by law enforcement and government impersonators in connection with other types of fraud. A romance scam victim begins to realize they are being defrauded and stops communicating with the scammer. Often, the victim is contacted by a law enforcement impersonator attempting to extort the victim to clear their name for participating in a crime or to aid in the capture of the romance scammer.”

    The FBI added that some lottery scam victims are contacted by cybercriminals who demand taxes or fees. The FBI reiterated that no law enforcement agency will ever ask you for money and urged people to be careful about who they share their personal information with over the phone and online.

    Erich Kron, security awareness advocate at KnowBe4, noted that social engineering and scams often rely on eliciting a strong emotional response from victims, causing them to miss or ignore red flags that could otherwise help them avoid falling for the scam. “Few government agencies cause as much fear as the IRS, as they have broad law enforcement powers and people are often confused by the U.S. tax system, making them more prone to believe they made a mistake and must correct it. US government entities such as the Social Security Administration are the primary source of income for many older Americans, making a threat to income a very stressful ordeal, and making them prone to fall for related scams,” Kron said. “Whenever receiving a text message, phone call or email that elicits a strong emotional response, the best thing a person can do is to take a deep breath and treat it very suspiciously. Most government agencies will not communicate via email or a phone call, especially when initially informing a person of an issue.”

    'Dirty Pipe' Linux vulnerability discovered

    On Monday, a cybersecurity researcher released the details of a Linux vulnerability that allows an attacker to overwrite data in arbitrary read-only files.The vulnerability — CVE-2022-0847 — was discovered by Max Kellermann in April 2021, but it took another few months for him to figure out what was actually happening. 

    Kellermann explained that the vulnerability affects Linux kernel 5.8 and later versions but was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

    “It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs they downloaded could not be decompressed. And indeed, there was a corrupt log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I could not explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file behind. I fixed the file’s CRC manually, closed the ticket, and soon forgot about the problem,” Kellermann said. “Months later, this happened again and yet again. Every time, the file’s contents looked correct, only the CRC at the end of the file was wrong. Now, with several corrupt files, I was able to dig deeper and found a surprising kind of corruption. A pattern emerged.”

    Kellermann went on to show how he discovered the issue and how someone could potentially exploit it. He initially assumed the bug was only exploitable while a privileged process writes the file and that it depended on timing. But he later found that it is possible to overwrite the page cache even in the absence of writers, with no timing constraints, “at (almost) arbitrary positions with arbitrary data.”

    In order to exploit the vulnerability, the attacker needs to have read permissions, the offset must not be on a page boundary, the write cannot cross a page boundary and the file cannot be resized. “To exploit this vulnerability, you need to: Create a pipe, fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries), drain the pipe (leaving the flag set in all struct pipe_buffer instances on the struct pipe_inode_info ring), splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset [and] write arbitrary data into the pipe,” he explained. “This data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set. To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”

    He also shared his own proof-of-concept exploit. The bug report, exploit, and patch were sent to the Linux kernel security team by Kellermann on February 20. The bug was reproduced on Google Pixel 6 and a bug report was sent to the Android Security Team. Linux released fixes (5.16.11, 5.15.25, 5.10.102) on February 23 and Google merged Kellermann’s bug fix into the Android kernel on February 24. Kellermann and other experts compared the vulnerability to CVE-2016-5195 “Dirty Cow” but said it is even easier to exploit.
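    The first thing a defender wants from the version facts above is a quick triage of which hosts still run a kernel below the fixed releases. The following is an added example, not code from the article or from Kellermann’s write-up; it encodes only the introduction point (5.8) and the three fixed stable releases named in the text, and assumes that mainline branches newer than 5.16 carry the February 2022 fix. Distribution kernels often backport fixes without changing the upstream version number, so an “affected” result means “check the distro advisory”, not proof of exposure.

```python
"""Triage a Linux kernel release string against the CVE-2022-0847 ("Dirty Pipe")
fix versions named in the article. Added example; not from the article or from
the kernel project. Assumption: branches newer than 5.16 carry the fix.
Caveat: distro kernels may backport the fix under an older version string."""
import re
from typing import Tuple

# Bug introduced in 5.8 (per Kellermann); first fixed release on each stable
# branch the article names.
FIRST_AFFECTED = (5, 8)
FIXED_IN = {
    (5, 10): 102,   # 5.10.102
    (5, 15): 25,    # 5.15.25
    (5, 16): 11,    # 5.16.11
}


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Parse the numeric prefix of a `uname -r` string.

    '5.10.102-generic' -> (5, 10, 102). A missing patch level ('5.17') is 0.
    Vendor suffixes such as '-arch1-1' or '.el8' are ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def classify(release: str) -> str:
    """Return one of:
      'not_affected'   - older than 5.8, the bug is not present
      'fixed'          - on a branch the article names, at or above its fix
      'affected'       - 5.8+ and below the fix for its branch, or on a branch
                         between 5.8 and 5.16 for which the article names no fix
      'fixed_upstream' - newer than 5.16 (assumption: mainline after the fix)
    """
    major, minor, patch = parse_kernel_version(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not_affected"
    if branch in FIXED_IN:
        return "fixed" if patch >= FIXED_IN[branch] else "affected"
    if branch > (5, 16):
        return "fixed_upstream"
    return "affected"


def check_running_kernel() -> str:
    """Classify the kernel this script is running on (meaningful on Linux only)."""
    import platform
    return classify(platform.release())


if __name__ == "__main__":
    # Constructed sample release strings, not captured from real hosts.
    samples = ["5.10.101-generic", "5.10.102", "5.15.24", "5.16.11",
               "5.7.19", "5.13.0-arch1-1", "6.1.0"]
    for sample in samples:
        print(f"{sample:20s} -> {classify(sample)}")
    print(f"{'this host':20s} -> {check_running_kernel()}")
```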

    Vulcan Cyber’s Mike Parkin said any exploit that gives root-level access to a Linux system is problematic. “An attacker that gains root gains full control over the target system and may be able to leverage that control to reach other systems. The mitigating factor with this vulnerability is that it requires local access, which slightly lowers the risk,” Parkin said. “Escalating privileges to root (POSIX family) or Admin (Windows) is often an attacker’s first priority when they gain access to a system, as it gives them full control of the target and can help them extend their foothold to other victims. That hasn’t changed for ages and is unlikely to change in the foreseeable future.”

    Shweta Khare, cybersecurity evangelist at Delinea, noted that several Windows kernel, DNS server RCE, and Adobe vulnerabilities with high severity ratings have already made news this year because they allow attackers to gain elevated local system or admin privileges. OS bugs and application-level vulnerabilities like these can allow attackers to elevate privileges, move laterally inside the network, execute arbitrary code, and completely take over devices, Khare said.