Misconfigured Cloud Servers Targeted with Linux Malware for New Cryptojacking Campaign

Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. “A Docker command was received…” they write, “that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server’s root directory…”
Typically, this is exploited to write out a job for the Cron scheduler to execute… In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.

The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker’s Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server… To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh

“Multiple user mode rootkits are deployed to hide malicious processes,” they note. And one of the shell scripts “makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker’s session from being appended to the history file… Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn’t appear in the shell history once a new session has been spawned.”

The same script also inserts “an attacker-controlled SSH key to maintain access to the compromised host,” according to the article, retrieves a miner for the Monero cryptocurrency and then “registers persistence in the form of systemd services” for both the miner and an open source Golang reverse shell utility named Platypus.

It also delivers “various utilities,” according to the blog Security Week, “including ‘masscan’ for host discovery.” Citing CADO’s researchers, they write that the shell script also “weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents.”
The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet… [“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” the researchers writes.]

“This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers,” Cado notes. “It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments.”

Read more of this story at Slashdot.

MIT Researchers Build Tiny Tamper-Proof ID Tag Utilizing Terahertz Waves

A few years ago, MIT researchers invented a cryptographic ID tag — but like traditional RFID tags, “a counterfeiter could peel the tag off a genuine item and reattach it to a fake,” writes MIT News.

“The researchers have now surmounted this security vulnerability by leveraging terahertz waves to develop an antitampering ID tag that still offers the benefits of being tiny, cheap, and secure.”

They mix microscopic metal particles into the glue that sticks the tag to an object, and then use terahertz waves to detect the unique pattern those particles form on the item’s surface. Akin to a fingerprint, this random glue pattern is used to authenticate the item, explains Eunseok Lee, an electrical engineering and computer science (EECS) graduate student and lead author of a paper on the antitampering tag. “These metal particles are essentially like mirrors for terahertz waves. If I spread a bunch of mirror pieces onto a surface and then shine light on that, depending on the orientation, size, and location of those mirrors, I would get a different reflected pattern. But if you peel the chip off and reattach it, you destroy that pattern,” adds Ruonan Han, an associate professor in EECS, who leads the Terahertz Integrated Electronics Group in the Research Laboratory of Electronics.

The researchers produced a light-powered antitampering tag that is about 4 square millimeters in size. They also demonstrated a machine-learning model that helps detect tampering by identifying similar glue pattern fingerprints with more than 99 percent accuracy. Because the terahertz tag is so cheap to produce, it could be implemented throughout a massive supply chain. And its tiny size enables the tag to attach to items too small for traditional RFIDs, such as certain medical devices…

“These responses are impossible to duplicate, as long as the glue interface is destroyed by a counterfeiter,” Han says. A vendor would take an initial reading of the antitampering tag once it was stuck onto an item, and then store those data in the cloud, using them later for verification.”
Seems like the only way to thwart that would be carving out the part of the surface where the tag was affixed — and then pasting the tag, glue, and what it adheres to all together onto some other surface. But more importantly, Han says they’d wanted to demonstrate “that the application of the terahertz spectrum can go well beyond broadband wireless.”

In this case, you can use terahertz for ID, security, and authentication. There are a lot of possibilities out there.”

Read more of this story at Slashdot.

Google Brings Dark Web Monitoring At All US Gmail Users

At Google I/O on Wednesday, Google said that all Gmail users in the U.S. will soon be able to discover if their email address has been found on the dark web. The dark web report security feature will roll out over the coming weeks, and will be expanded to select international markets. BleepingComputer reports: Once enabled, it will allow Gmail users to scan the dark web for their email addresses and take action to protect their data based on guidance provided by Google. For instance, they’ll be advised to turn on two-step authentication to protect their Google accounts from hijacking attempts. Google will also regularly notify Gmail users to check if their email has been linked to any data breaches that ended up on underground cybercrime forums.

“Dark web report started rolling out in March 2023 to members across all Google One plans in the United States, providing a simple way to get notified when their personal information was discovered on the dark web. “Google One’s dark web report helps you scan the dark web for your personal info — like your name, address, email, phone number and Social Security number — and will notify you if it’s found,” said Google One Director of Product Management Esteban Kozak in March when the feature was first announced. The company says all the personal info added to the profile can be deleted from the monitoring profile or by removing the profile in the dark web report settings.

Read more of this story at Slashdot.

WordPress Plugin Hole Puts ‘2 Million Websites’ At Risk

A vulnerability in the “Advanced Custom Fields” plugin for WordPress is putting more than two million users at risk of cyberattacks, warns Patchstack researcher Rafie Muhammad. The Register reports: A warning from Patchstack about the flaw claimed there are more than two million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugins, which are used to give site operators greater control of their content and data, such as edit screens and custom field data. Patchstack researcher Rafie Muhammad uncovered the vulnerability on February 5, and reported it to Advanced Custom Fields’ vendor Delicious Brains, which took over the software last year from developer Elliot Condon. On May 5, a month after a patched version of the plugins was released by Delicious Brains, Patchstack published details of the flaw. It’s recommended users update their plugin to at least version 6.1.6.

The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, which involve miscreants injecting malicious code into webpages. The code is then “reflected” back and executed within the browser of a visitor. Essentially, it allows someone to run JavaScript within another person’s view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That’s a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.

“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack wrote in its report. The outfit added that “this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin.”

Read more of this story at Slashdot.

Crooks Are Using CAN Injection Attacks To Steal Cars

“Thieves has discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus,” writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network, and introduce bogus messages as if it were from the car’s smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

“In most cars on the road today, these internal messages aren’t protected: the receivers simply trust them,” [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor’s RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paint work, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota — which among other things allows you to inspect the data logs of your vehicle — helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, “Ian’s car dropped a lot of DTCs.” Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn’t failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.

Read more of this story at Slashdot.

Capita, Company Providing UK’s Nuclear Submarine Training, Says It’s Successfully Contained ‘Cyber Incident’

Capita, the United Kingdom’s largest outsourcing company, confirmed Monday that an IT outage which left staff locked out of their accounts on Friday was caused by “a cyber incident.” The Record reports: Staff attempting to login were erroneously told their usual passwords were “incorrect” according to reports, fueling speculation that a cyberattack was to blame, although not all of Capita’s 61,000 employees were affected. At the time, a Capita spokesperson said the company was investigating “a technical issue.”

In an update on Monday about the incident sent to the Regulatory News Service, the company confirmed it “experienced a cyber incident primarily impacting access to internal Microsoft Office 365 applications.” The nature of the incident has not been disclosed. While financially motivated ransomware attacks remain a prevalent threat for organizations in Britain, Capita also provides services to the British government that may be of interest to state-sponsored espionage groups.

Capita’s numerous contracts include several with the Ministry of Defence. Last year, a consortium it leads took control over engineering and maintenance support of training simulators for the Royal Navy’s nuclear-powered ballistic missile submarines used as part of the U.K.’s nuclear deterrent. In its statement, Capita said: “Immediate steps were taken to successfully isolate and contain the issue,” which was “limited to parts of the Capita network.”

Read more of this story at Slashdot.

‘Vulkan Files’ Leak Reveals Putin’s Global and Domestic Cyberwarfare Tactics

“The Gaurdian reports on a document leak from Russian cyber ‘security’ company Vulkan,” writes Slashdot reader Falconhell. From the report: Inside the six-storey building, a new generation is helping Russian military operations. Its weapons are more advanced than those of Peter the Great’s era: not pikes and halberds, but hacking and disinformation tools. The software engineers behind these systems are employees of NTC Vulkan. On the surface, it looks like a run-of-the-mill cybersecurity consultancy. However, a leak of secret files from the company has exposed its work bolstering Vladimir Putin’s cyberwarfare capabilities.

Thousands of pages of secret documents reveal how Vulkan’s engineers have worked for Russian military and intelligence agencies to support hacking operations, train operatives before attacks on national infrastructure, spread disinformation and control sections of the internet. The company’s work is linked to the federal security service or FSB, the domestic spy agency; the operational and intelligence divisions of the armed forces, known as the GOU and GRU; and the SVR, Russia’s foreign intelligence organization.

One document links a Vulkan cyber-attack tool with the notorious hacking group Sandworm, which the US government said twice caused blackouts in Ukraine, disrupted the Olympics in South Korea and launched NotPetya, the most economically destructive malware in history. Codenamed Scan-V, it scours the internet for vulnerabilities, which are then stored for use in future cyber-attacks. Another system, known as Amezit, amounts to a blueprint for surveilling and controlling the internet in regions under Russia’s command, and also enables disinformation via fake social media profiles. A third Vulkan-built system — Crystal-2V — is a training program for cyber-operatives in the methods required to bring down rail, air and sea infrastructure. A file explaining the software states: “The level of secrecy of processed and stored information in the product is ‘Top Secret’.”

Read more of this story at Slashdot.