A Month In Breaches: October

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.

Egregor Ransomware Attack

Egregor is an occult term meaning collective energy of a group of people united for a common cause. The main purpose of this ransomware is to encrypt the files of victims and make them inaccessible. It adds random character and strings as a new extension of each new encrypted file during the encryption process. This newly discovered ransomware is seen hitting companies worldwide where threat actors behind the attack/ransomware would hack into a company’s network and steal sensitive data. Exfiltrated files are then encrypted, leaving the target company with a ransom note where they threaten to leak part of the stolen data via “mass media”.

To minimise the likelihood of being attacked by Egregor Ransomware or any ransomware attack, it is advised to use good antivirus software. Most of the software manufacturers issue updates or patches regularly to support to keep our devices risk free, so it is important to ensure all the software, programmes, operating system, and browsers are up to date. It is always best to set the software to perform automatic updates upon the release of patches. In addition, backing up data frequently to an external drive or to a cloud-based system can be helpful to have alternative access to files if they were locked. Most ransomware attacks start with phishing emails; therefore, users should be cautious before clicking on any links or opening any attachments in the emails received.

Oracle WebLogic Server RCE (CVE-2020-14882)

Oracle WebLogic Server is a popular application server that is used in building and deploying enterprise-level Java EE applications. Recently the older versions were found to be vulnerable to Remote Code Execution (RCE) attack and are being actively exploited by the attackers based on honeypot observations. The threat has a severity rating of 9.8 on 10 as per CVSS. The attack is not considered to be complex and hence requires no privileges and user interaction to be exploited by the adversary. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. The attack attempts on the honeypots so far originated from four IP addresses: 114.243.211.182, 139.162.33.228, 185.225.19.240 and 84.17.37.239.

CTRL Group suggests updating the unpatched versions of the Oracle WebLogic Server to the latest builds which are recently released by Oracle. This update also fixes 401 other vulnerabilities across the platform. In addition, based on the information we have, it is advisable to block the above-mentioned IP addresses as a preventive measure. However, these IPs are bound to differ in an attack scenario. For system patches please follow the link.

Containerd Bug Exposes Cloud Account Credentials (CVE-2020-15157)

A new vulnerability was found in containerd, located in the container image-pulling process. Containerd is a daemon that runs on Linux and Windows and it can be used to manage the container lifecycle including tasks such as image transfer, container execution, some storage, and networking functions. In containerd before version 1.2.14, there is a credential leaking vulnerability. A container image is a combination of a manifest file and some individual layer files. The manifest can contain a ‘foreign layer’ which is pulled from a remote registry. When using containerd, if the remote registry responds with an HTTP 401 status code, along with specific HTTP headers, the host will send an authentication token that can be stolen. The attacker can take control of a cloud project by using this vulnerability.

Researcher earlier in October disclosed two flaws in Microsoft’s Azure web hosting application service, App Services, which if exploited could enable an attacker to take over administrative servers. It is recommended to use the latest version of software. Containerd patched the bug which is listed as a medium in severity in version 1.24 and confirmed 1.3.x is not vulnerable.

 

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh, V-MSK, Jae, Yvette and Ann