More stories

  • Atom Silo ransomware operators target vulnerable Confluence servers

    A new ransomware operator is targeting Confluence servers by using a recently disclosed vulnerability to obtain initial access to vulnerable systems.

    According to Sophos cybersecurity researchers Sean Gallagher and Vikas Singh, the new threat actors, dubbed Atom Silo, are taking advantage of the flaw in the hope that Confluence server owners have yet to apply the security updates that resolve the bug. Atlassian Confluence is a web-based virtual workplace for the enterprise, allowing teams to communicate and collaborate on projects.

    Sophos described a recent attack conducted by Atom Silo over a period of two days. The vulnerability used in the attack, tracked as CVE-2021-08-25, allowed the cybercriminals to obtain initial access to the victim’s corporate environment.

    The Confluence vulnerability is being actively exploited in the wild. While it was fixed in August, the vendor warned that Confluence Server and Confluence Data Center are at risk and should be patched immediately. If exploited, unauthenticated threat actors are able to perform an OGNL injection attack and execute arbitrary code. CVE-2021-08-25 was used to compromise the Jenkins project in September. US Cybercom said in the same month that attacks were “ongoing and expected to accelerate.”

    In the case examined by Sophos, Atom Silo exploited the vulnerability on September 13 and used the code injection bug to create a backdoor, leading to the download and execution of a second, stealthy backdoor. To stay under the radar, this payload dropped a legitimate, signed piece of software vulnerable to an unsigned DLL sideload attack. A malicious DLL was then used to decrypt and load the backdoor from a separate file containing code similar to a Cobalt Strike beacon, creating a tunnel for remotely executing Windows shell commands through WMI.

    “The intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software,” the researchers say.

    Within a matter of hours, Atom Silo began moving laterally across the victim’s network, compromising multiple servers in the process and executing the same backdoor binaries on each while also conducting additional reconnaissance. Eleven days after the initial intrusion, ransomware and a malicious kernel driver utility payload, designed to disrupt endpoint protection, were deployed. Separately, another threat actor noticed the same system was vulnerable to CVE-2021-08-25 and quietly implanted cryptocurrency mining software.

    The ransomware is “virtually identical” to LockFile. Files were encrypted using the .ATOMSILO extension and a ransom note demanding $200,000 was then dropped on the victim’s system.

    “Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof of concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them,” Sophos says. “To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks.”

  • Misconfigured, old Airflow instances leak Slack, AWS credentials

    Apache Airflow instances that have not been properly secured are exposing everything from Slack to AWS credentials online.

    On Monday, Intezer malware analyst Nicole Fishbein and cybersecurity researcher Ryan Robinson said the instances, vulnerable to data theft, belong to industries including IT, cybersecurity, health, energy, finance, and manufacturing, among other sectors.

    Apache Airflow, available on GitHub, is an open source platform designed for scheduling, managing, and monitoring workflows. The modular software is also used to process data in real time, with work pipelines configured as code. Apache Airflow version 2.0.0 was released in December 2020 and implemented a number of security enhancements, including a new REST API that enforces operational authentication, as well as a shift to explicit value settings rather than default options.

    While examining active, older versions of the workflow software, the cybersecurity firm found a number of unprotected instances that exposed credentials for business and financial services including Slack, PayPal, AWS, Stripe, Binance, MySQL, Facebook, and Klarna.

    “They [instances] are typically hosted on the cloud to provide increased accessibility and scalability,” Intezer noted. “On the flip side, misconfigured instances that allow internet-wide access make these platforms ideal candidates for exploitation by attackers.”

    The most common security issue causing these leaks was the use of hardcoded passwords embedded in the Python DAG code of the instances.

    In addition, the researchers discovered that the Airflow “variables” feature was a source of credential leaks. Variable values can be set across all DAG scripts within an instance, but if the feature is not configured properly, this can lead to exposed passwords. The team also found misconfigurations in the “Connections” feature of Airflow, which provides the link between the software and a user’s environment. Not all credentials are entered properly, the team says, and they can end up in the “extra” field rather than the secure, encrypted portion of a Connection. As a result, credentials can be exposed in plaintext.

    “Many Airflow instances contain sensitive information,” the researchers explained. “When these instances are exposed to the internet the information becomes accessible to everyone since the authentication is disabled. In versions prior to v1.10 of Airflow, there is a feature that lets users run Ad Hoc database queries and get results from the database. While this feature can be handy, it is also very dangerous because on top of there being no authentication, anyone with access to the server can get information from the database.”

    Intezer has notified the owners of the vulnerable instances through responsible disclosure. It is recommended that Apache Airflow users upgrade their builds to the latest version and check user privilege settings to make sure no unauthorized users can obtain access to their instances.

  • JFrog becomes latest organization authorized as numbering authority for vulnerabilities and exposures

    Software company JFrog has become the latest organization to be designated by the CVE Program as a CVE Numbering Authority (CNA). Currently, there are 189 organizations from 31 countries participating as CNAs, with more than 100 based in the US.

    The designation allows the company to assign CVE identification numbers to newly discovered security vulnerabilities and to publish related details in associated CVE Records for public consumption. JFrog will now be authorized to work with the cybersecurity community on a variety of security issues and to provide customers with differentiated remediation data through its JFrog Xray product.

    Moran Ashkenazi, CISO and VP of Security Engineering at JFrog, said becoming a CNA will not only allow them to help security researchers verify and triage their vulnerabilities but also help keep companies’ binaries more secure by collaborating on potential threats with the wider security community. “The number of security risks in software and connected devices continues to grow. As a CNA we’re empowered to work with the community to accelerate threat detection and share information on new vulnerabilities fast — before they compromise businesses,” Ashkenazi said.

    CVE records are used around the world to identify and organize the critical software vulnerabilities that are discovered on a daily basis. Each vulnerability is assigned a CVE ID by a CNA such as JFrog.

    JFrog Security CTO Asaf Karas said that with the CNA designation, the company can more effectively and efficiently disseminate the results of its research to customers and the software community in general, both for newly discovered vulnerabilities and for existing CVE records that may be inaccurate or incomplete. “With this achievement, JFrog reinforces its commitment to being an active participant in the security community and providing our customers with scalable, secure, development to edge DevSecOps solutions,” Karas said.

  • Facebook goes down, along with Instagram and WhatsApp

    October 4th got off to a bad start for Facebook. The world’s most popular social network went down at about 11:44 EDT. It wasn’t just Facebook, though: Instagram, WhatsApp, and Facebook Messenger also went down.

    While Facebook has yet to report on what’s happening with this total social network failure, website status sites such as DownForEveryoneOrJustMe and DownDetector are all reporting that Facebook is down. The problem isn’t limited to the United States; there are numerous reports that the site is down in Europe and the Middle East.

    Some Facebook users report seeing an error message reading: “Sorry, something went wrong. We’re working on it and we’ll get it fixed as soon as we can.” Instagram and WhatsApp users say they’re getting a “5xx Server Error.”

    Facebook Communications Director Andy Stone tweeted, “We’re aware that some people are having trouble accessing our apps and products. We’re working to get things back to normal as quickly as possible, and we apologize for any inconvenience.”

    This collapse comes the morning after Facebook whistleblower Frances Haugen revealed on 60 Minutes that Facebook’s own research shows that it amplifies hate, misinformation, and political unrest to maximize profits over the good of the public.

  • iOS 15.0.1: Bugfixes galore

    Apple was in such a rush to get iOS 15 out on its self-imposed timeline that it tripped over its shoelaces and fell flat on its face in front of millions of iPhone users. The bugs were big and obvious and included a spurious “Storage almost full” message, an inability to unlock with the Apple Watch when wearing a mask, weird camera juddering, and a temperamental swipe-to-unlock function. Those were a lot of bugs for iPhone owners to get used to, especially users who’d dropped a lot of money on new hardware.

    It took almost two weeks for Apple to release iOS 15.0.1, an update that consists of last-minute bug fixes and improvements. But is it an improvement? In a word, yes. Taking that further, it’s what iOS 15 should have been.

    iOS 15.0.1 fixes a lot of the big, obvious bugs. Gone is the “Storage almost full” message. Apple Watch unlocking when wearing a mask now works. The Camera app doesn’t do that crazy judder when switching between lenses. The unlocking bug seems gone. The operating system feels a lot smoother and less glitchy. It doesn’t feel like ProMotion is working properly yet, but it doesn’t feel as jarring now, so it’s better on the eyes. Battery life and performance seem to be about the same as for iOS 15, but your mileage there may vary across different devices.

    The first few weeks and months following a new iOS release are a busy time for Apple, and iOS 15 is no exception. iOS 15.1 is making its way through the beta stages, and we’re likely to see more releases between now and spring. If you’ve been holding back on making the leap to iOS 15, then I’d say that iOS 15.0.1 is not a bad time to jump. There may be some surprises waiting to be uncovered, but early reports seem good and it’s a huge improvement on the initial release.

  • Cybersecurity budgets for industrial control systems and operational tech increasing: SANS Institute

    Nozomi Networks and the SANS Institute released a survey showing that companies are investing more in industrial control system (ICS) cybersecurity to match the increasingly elaborate cyber threat landscape. The 2021 SANS ICS/OT survey received 480 responses, with 47% reporting that their ICS security budgets increased over the past two years. Another 32% said there had been no change.

    Nearly half of respondents said they did not know whether their organizations had suffered a cybersecurity incident, while just 15% admitted that they had one in the last 12 months. Of those who did say they dealt with cybersecurity incidents, more than half said they were able to detect compromise within 6 to 24 hours. Thirty percent were able to detect compromise in under six hours.

    Almost 20% said the engineering workstation was an initial infection vector. About half cited “external connections” as the dominant access vector, while 36% mentioned remote access services as a prevalent initial access vector for incidents. Surprisingly, nearly 70% of respondents rated the risk to their environment as high or severe, a significant increase compared to the 51% seen in 2019. More than half cited ransomware, cybercrime and nation-state attacks as the top threat vectors. More than 31% of respondents said unprotected devices were also a major concern.

    Thankfully, about 70% of respondents said they have some form of monitoring program in place for OT security, and nearly 76% said they have conducted a security audit of their OT/control systems or networks in the past year. Nearly 30% have put in place a continual assessment program, and 50% of respondents said they use a vendor-provided ICS-specific threat intelligence feed.

    The cloud is also playing a bigger role in OT environments, with 40% of respondents saying they use some form of cloud-based services for OT/ICS systems. More than 90% are using cloud technology for remote monitoring, configuration and analysis, OT support, as well as remote control/logic. Every respondent using cloud technology said they use it for at least one kind of cybersecurity function.

    Mark Bristow, cyber defense coordination branch chief at CISA and SANS Institute Certified Instructor, authored the report and told ZDNet that three things stood out to him: the level of adoption of cloud technologies for operational outcomes, the lack of incident visibility and the number of incidents involving engineering workstations.

    “Two years ago, cloud adoption was not being seriously discussed and now 49% are using it. The implication of engineering workstations in so many incidents is highly concerning. These devices are what are needed to develop predictable repeatable effects operations against control systems and the targeting and successful exploitation of these systems indicates significant current and future risk,” Bristow said. “It’s great that we now have monitoring programs in place, but we are still mostly looking at the IT aspects of our OT environments. We need to be correlating our IT and OT security telemetry as well as process data to truly understand potential impacts to safety and operations. Focus on fundamentals. Too many respondents do not have a formal program for asset identification and inventory. Without this foundational step, further security investments may be invalid or misplaced. Ransomware is a huge risk, but it’s not one that is specifically targeting ICS. A malicious actor who is specifically targeting your ICS environment will not be as blunt or noisy as ransomware is, and we are struggling to defend against ransomware.”

    Bristow added that he was encouraged to see that some respondents are using continuous patching of the OT environment. “A few years ago, this was considered impossible and seeing implementation is really encouraging,” Bristow noted.

    Nozomi Networks technology evangelist Chris Grove, who worked on the report with Bristow, echoed many of the assessments cited by his co-author, touting the industry acceptance of cloud-based services. Grove told ZDNet that he believes ICS organizations will continue to adopt cloud technologies and that the adoption of cloud-based security solutions will grow significantly over the next few years. But he noted how alarming it is to see that detection and response is still a significant issue for organizations.

    “In almost all cases, increased visibility makes everything easier to manage. From having a detailed asset inventory, to monitoring network traffic patterns, to inspecting traffic for attacks or operational anomalies… visibility is a crucial component of successfully defending operations,” Grove said. “As part of a post-breach mindset, operators should consider the fact that eventually the attackers will breach the perimeter, and one should be prepared for that day. How do we limit the blast radius of the attack? How do we hold them at bay, and subsequently eradicate them from the system? How do we carefully maintain, safely shut down, or restore operations potentially affected by the breach? These are tough questions to be asked before that day comes.”

  • Ransomware: Police arrest two in operation against 'prolific' gang that targeted big businesses

    Two ‘prolific’ ransomware operators, who police said are known for their extortionate ransom demands of between €5 and €70 million, have been arrested. Police said assets have been seized, including $375,000 in cash, two luxury cars and $1.3 million in cryptocurrencies.

    Authorities haven’t disclosed which ransomware syndicate the two people arrested are involved with, only that the organised cyber crime group is suspected of carrying out a string of coordinated attacks against “very large industrial groups” across Europe and North America. Ukrainian cyber police have said they believe the ransomware operation has targeted more than one hundred organisations.

    Each of the attacks involved cyber criminals infiltrating networks and stealing sensitive information before encrypting files with ransomware and demanding a payment for the decryption key. “They would then proceed to offer a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met,” Europol said.

    The operation leading to the arrests involved six investigators from the French Gendarmerie, four from the US FBI, a prosecutor from the French Prosecution Office of Paris, two specialists from Europol’s European Cybercrime Centre (EC3) and one Interpol officer, who were all deployed to Ukraine.

    Ransomware is one of the biggest cybersecurity issues the world faces today, with major attacks causing significant disruption to services people need.

  • Open source: Google is going to pay developers to make projects more secure

    Google is backing a new project from the Linux Foundation to the tune of $1 million that aims to bolster the security of critical open-source projects. Rather than a bug bounty, Google’s latest investment – part of its $10 billion pledge to President Biden’s cybersecurity push – seeks to address potential security issues before they become bugs, through improvements in hardening software against attacks.

    Dubbed Secure Open Source (SOS), the pilot program run by the Linux Foundation “financially rewards developers for enhancing the security of critical open-source projects”. The rewards range from “$10,000 or more” for hardening software in a way that prevents major bugs to $505 for “small improvements” that have merit, according to a Google blogpost. Rewards of between $5,000 and $10,000 are available for “moderately complex improvements that offer compelling security benefits”, while rewards of $1,000 to $5,000 are for solutions that display “modest complexity and impact”. “We are starting with a $1 million investment and plan to expand the scope of the program based on community feedback,” say members of the Google Open Source Security Team.

    The program aims to support projects that proactively harden critical open-source projects and supporting infrastructure against application and supply chain attacks. Software supply chains came into focus after the Kremlin-backed cyberattack on US government agencies and tech firms via a poisoned update from enterprise software firm SolarWinds. SolarWinds wasn’t the first supply chain attack: NotPetya, the 2017 ransomware attack that was also blamed on Kremlin-backed hackers, was another example. European cybersecurity think tank ENISA is also worried about software supply chain attacks, urging organizations to vet and document software suppliers, define their risk, and monitor software supply chains.

    Open-source software presents another challenge that Google is attempting to address through SOS: the funding gap for software projects that are largely run on a voluntary basis. In other words, these projects need money to deliver security.

    “The SOS program is part of a broader effort to address a growing truth: the world relies on open source software, but widespread support and financial contributions are necessary to keep that software safe and secure,” Google notes. “We envision the SOS pilot program as the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF,” it adds.

    Google and the OpenSSF – the Open Source Security Foundation – earlier this year backed this goal with the launch of OpenSSF security scorecards, which automatically check software. Via a risk score, that initiative aims to lower the cost of making secure software and to bump it up the list of priorities by helping developers evaluate security when changing packages in a project’s supply chain. The new rewards are linked to this scorecard and to Google’s Supply-chain Levels for Software Artifacts framework, or SLSA.

    All new submissions for SOS rewards will be assessed by the Linux Foundation and the Google Open Source Security Team (GOSST). But the project team emphasizes that it is not a bug bounty. “It is not a bug bounty program and does not reward reports of specific project vulnerabilities. Any vulnerabilities found in a project should be reported according to the project’s security disclosure policy, not through this program,” the SOS page notes.