company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Access Control

SonicWall

loading..
loading..
loading..

SonicWall SSLVPN Access Control Flaw Exploited in Attacks (CVE-2024-40766)

Critical SonicWall CVE-2024-40766 flaw exploited in attacks. Apply patches now to protect against unauthorized access and firewall crashes

06-Sep-2024
4 min read

Related Articles

loading..

Cloudflare

DDoS

Cloudflare mitigated the largest recorded DDoS attack peaking at 3.8 Tbps, highl...

In a landmark DDoS event, Cloudflare has announced the successful mitigation of the largest recorded Distributed Denial-of-Service (DDoS) attack to date, which peaked at a staggering 3.8 terabits per second (Tbps). This hyper-volumetric attack targeted organizations across the financial services, internet, and telecommunications sectors, underscoring the escalating scale and sophistication of cyber threats facing global infrastructure. ### A Month-Long Siege of Volumetric Attacks The colossal assault was part of a sustained campaign spanning over a month, during which more than 100 hyper-volumetric DDoS attacks were launched. These attacks aimed to overwhelm network infrastructure by inundating it with massive amounts of illegitimate traffic, thereby consuming bandwidth and depleting system resources. This deluge of data effectively denied legitimate users access to services, fulfilling the primary objective of a DDoS attack. ### Technical Anatomy of the Attack The attacks primarily targeted the network and transport layers (Layers 3 and 4) of the OSI model. Many of these assaults surpassed two billion packets per second (pps) and exceeded bandwidths of 3 Tbps. The threat actors orchestrated the campaign using a diverse array of compromised devices, including: - Asus Home Routers - MikroTik Systems - Digital Video Recorders (DVRs) - Web Servers These infected devices formed a global botnet with significant concentrations in Russia, Vietnam, the United States, Brazil, and Spain. ### UDP Exploitation on Fixed Ports The attackers predominantly utilized the User Datagram Protocol (UDP) on fixed ports to transmit data. UDP is favored in such attacks due to its connectionless nature, allowing rapid transmission without the overhead of establishing a formal connection, thus amplifying the attack's speed and volume. ### Cloudflare's Autonomous Defense Mechanism Cloudflare's advanced DDoS mitigation infrastructure autonomously detected and neutralized all the attacks in real-time. The peak attack, which hit 3.8 Tbps, lasted approximately 65 seconds. The company's ability to withstand such a massive onslaught without manual intervention highlights the effectiveness of its automated defense systems and the importance of robust cybersecurity measures. ### Global Distribution of Attack Sources ### Infected devices were distributed globally, with hotspots in key regions. #### Comparative Analysis with Previous Records Before this incident, the record for the largest publicly disclosed volumetric DDoS attack was held by Microsoft, which mitigated a 3.47 Tbps attack targeting an Azure customer in Asia. Cloudflare's recent mitigation surpasses this figure, indicating a troubling increase in the scale at which malicious actors are operating. #### Emerging Threats: The CUPS Vulnerability In a related development, cybersecurity firm Akamai has identified that recently disclosed vulnerabilities in the Common UNIX Printing System (CUPS) for Linux could serve as a new vector for DDoS attacks. Akamai's research revealed: #### Over 58,000 publicly accessible systems vulnerable to CUPS exploitation. These systems could be co-opted to send thousands of requests in amplification attacks. Some CUPS servers responded repeatedly to initial requests, potentially leading to endless loops of malicious traffic. ### Implications for Cybersecurity The escalation in both the scale of attacks and the exploitation of new vulnerabilities like CUPS underscores the evolving threat landscape. Organizations must adopt proactive and adaptive security strategies, including: Investing in Automated Defense Systems: As demonstrated by Cloudflare, autonomous mitigation can effectively neutralize large-scale attacks without human intervention. Regular Vulnerability Assessments: Identifying and patching vulnerabilities like those in CUPS can prevent systems from being exploited in botnets. Global Collaboration: Sharing threat intelligence across industries and borders is crucial for anticipating and defending against emerging threats. Cloudflare's successful mitigation of the largest recorded DDoS attack serves as both a warning and a call to action. As cyber threats continue to grow in scale and complexity, the importance of robust, automated, and adaptive cybersecurity measures cannot be overstated. Organizations worldwide must remain vigilant and collaborative to safeguard the integrity of global digital infrastructure.

loading..   03-Oct-2024
loading..   4 min read
loading..

Docker

A new cryptojacking attack exploits Docker Swarm and Kubernetes via exposed APIs...

Cybersecurity researchers have disclosed a new, sophisticated cryptojacking campaign that targets the [Docker](https://www.secureblink.com/cyber-security-news/new-cyberattack-targets-docker-ap-is-with-advanced-cryptojacking-tactics-1) Engine API to hijack cloud resources and create a malicious Docker Swarm botnet. In a detailed Datadog Security Research analysis, attackers exploit unauthenticated and exposed Docker Engine API endpoints to deploy cryptocurrency miners on compromised containers. By leveraging Docker Swarm's orchestration features for command-and-control (C2) purposes, the attackers effectively turn compromised systems into coordinated botnets. This [Threatfeed](https://www.secureblink.com/cyber-security-news) delves into the mechanics of the critical cryptojacking attack, the tools, and scripts leveraged by the threat actors, and provides comprehensive recommendations for safeguarding against such threats. ## Understanding the Attack Vector ### Initial Access via Exposed Docker APIs Attackers initiate the campaign by scanning the internet for exposed Docker Engine API endpoints using tools like **masscan** (a fast port scanner) and **ZGrab** (an application layer scanner). These endpoints, typically listening on ports **2375**, **2376**, **2377**, **4243**, and **4244**, can be unauthenticated and, if misconfigured, provide root-level access to the host. **Quote from Datadog's Report:** > "We have discovered a new cryptojacking campaign targeting Docker Engine API, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers." — [Datadog Security Research](https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/) ### Deployment of Malicious Containers Once an exposed API is found, the attackers spawn an Alpine Linux container with the host's filesystem mounted inside. This container retrieves an initialization shell script (`init.sh`) from a remote server (`solscan[.]live`). The script performs several actions: - Ensures data transfer tools like `curl` and `wget` are installed. - Checks for root privileges. - Downloads and executes the **XMRig** miner for cryptocurrency mining. - Installs a custom **libprocesshider** rootkit to hide malicious processes. ### Hiding Malicious Activity The **libprocesshider** rootkit is employed to conceal the **XMRig** miner process from system monitoring tools like `top` and `ps`, making it difficult for administrators to detect unusual activity. ## Lateral Movement and Propagation ### Additional Payloads and Scripts The `init.sh` script also fetches additional scripts for lateral movement: 1. **`kube.lateral.sh`**: Targets Kubernetes environments. 2. **`spread_docker_local.sh`**: Scans local network ranges for other Docker hosts. 3. **`spread_ssh.sh`**: Attempts to spread via SSH by adding authorized keys and creating new users. ### Targeting Kubernetes with `kube.lateral.sh` The script disables security measures like firewalls and SELinux before scanning local network ranges for open **Kubelet API** ports (10250). If vulnerable Kubernetes nodes are found, it can execute commands to deploy the miner on pods running on those nodes. ### Scanning and Exploitation with `spread_docker_local.sh` - Uses `masscan` and `zgrab` to find hosts with open Docker-related ports. - Deploys malicious containers on discovered hosts using images hosted on Docker Hub by user **nmlmweb3**. - The images execute `init.sh`, propagating the malware. ### SSH Backdoors with `spread_ssh.sh` - Scans for SSH servers on the local network. - Adds a new SSH key and creates a new user named **ftp** with root privileges. - Searches for credential files related to SSH, AWS, Google Cloud, and Samba, particularly targeting GitHub Codespaces environments. - Uploads any found credentials to the C2 server. ### Manipulating Docker Swarm with `TDGINIT.sh` - Forces compromised Docker hosts to leave existing Swarms. - Joins them to a new Swarm controlled by the attacker using a predefined token. - Allows attackers to use Docker Swarm's orchestration for C2, issuing commands across all compromised nodes. ## Persistence Mechanisms ### Process Hiding and Dynamic Linker Hijacking - Uses **Dynamic Linker Hijacking** by modifying `/etc/ld.so.preload` to ensure the rootkit is loaded for every new process. - Hides the **XMRig** miner process, preventing detection. ### Cron Jobs and Immutable Files - Installs cron jobs to maintain persistence. - Uses the `chattr +ai` command to make backdoor files immutable, preventing their removal or modification. ## Broader Implications ### Threat to Cloud Infrastructure This campaign highlights significant risks: - **Resource Drain**: Cryptocurrency mining consumes substantial CPU and memory resources, affecting performance and increasing costs. - **Security Risks**: Attackers with root access can exfiltrate data, install additional malware, or use the infrastructure for further attacks. - **Botnets**: Compromised hosts can be coordinated for distributed denial-of-service (DDoS) attacks or other malicious activities. ### Potential Attribution to TeamTNT While some tactics resemble those of **[TeamTNT](https://www.secureblink.com/cyber-security-news/teamtnt-targets-compromised-docker-hub-accounts-to-distribute-crypto-mining-malware)**, a known threat group specializing in cloud-focused attacks, definitive attribution remains uncertain. ## Recommendations for Prevention and Mitigation 1. **Secure Docker API Endpoints**: - Do not expose the Docker Engine API to the internet. - Secure it with TLS authentication and firewall rules. 2. **Regularly Update and Patch Systems**: - Keep Docker, Kubernetes, and associated services updated. - Apply security patches promptly. 3. **Monitor Network Traffic and Logs**: - Use intrusion detection systems (IDS) to monitor for unusual activity. - Be alert for large outbound traffic volumes indicative of cryptomining or data exfiltration. - Regularly check system logs for unauthorized modifications. 4. **Implement Principle of Least Privilege**: - Limit user permissions and avoid running containers as root when possible. - Use role-based access control (RBAC) in Kubernetes. 5. **Use Security Tools and Best Practices**: - Employ tools like Docker Bench Security to assess the security posture. - Utilize cloud security posture management (CSPM) solutions for continuous monitoring. - Enable logging and monitoring features in Docker and Kubernetes. 6. **Educate and Train Staff**: - Ensure that DevOps and IT teams are aware of security best practices for containerized environments. - Conduct regular security awareness training. 7. **Audit and Secure Credentials**: - Regularly audit credentials and keys stored in environments like GitHub Codespaces. - Use secrets management tools to store sensitive information securely. ## Conclusion The discovery of this cryptojacking campaign underscores the critical need for securing containerized environments. Exposed Docker APIs and misconfigured Kubernetes clusters present significant risks, enabling attackers to mine cryptocurrency and establish botnets for broader malicious activities. Organizations must proactively secure their Docker and Kubernetes environments, regularly audit configurations, and stay informed about emerging threats. By implementing robust security measures and educating staff, the risk of such attacks can be significantly mitigated. ## Indicators of Compromise (IOCs) - **Files and Scripts**: - `init.sh`, `kube.lateral.sh`, `spread_docker_local.sh`, `spread_ssh.sh`, `ar.sh`, `TDGINIT.sh`, `pdflushs.sh` - Use of `libprocesshider` rootkit - **Domains and IPs**: - `solscan.live` - `147.75.47.199` - Docker Hub user `nmlmweb3` - **Ports Targeted**: - Docker ports: 2375, 2376, 2377, 4243, 4244 - Kubernetes Kubelet API port: 10250 - SSH port: 22 ## References - [Datadog Security Research Detailed Analysis](https://www.datadoghq.com/blog/threat-actors-leverage-docker-swarm-and-kubernetes-to-mine-cryptocurrency-at-scale/) - [Docker Security Documentation](https://docs.docker.com/engine/security/security/) - [Kubernetes Security Best Practices](https://kubernetes.io/docs/concepts/security/overview/) - [TeamTNT Threat Analysis by Trend Micro](https://www.trendmicro.com/en_us/research/20/j/teamtnt-targeting-docker-systems-using-weak-credentials.html)

loading..   01-Oct-2024
loading..   6 min read
loading..

Iran

Hacking

USA

Three Iranian hackers linked to the IRGC indicted for a "hack-and-leak" campaign...

In a landmark cybercrime case, the U.S. Department of Justice (DOJ) has unsealed an indictment accusing three Iranian hackers of orchestrating a _"hack-and-leak"_ campaign. This cyberattack was strategically aimed at manipulating the outcome of the 2024 U.S. presidential election. ### Identification of Perpetrators Iranian nationals Masoud Jalili, Seyyed Ali Aghamiri, and Yaser Balaghi—affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC)—are accused of hacking into the accounts of U.S. government officials, individuals tied to several U.S. political campaigns, and members of the media. ### Detailing the Attacks As per the [DoJ](https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us), these cyberattacks were part of a larger Iranian effort to steal classified information about U.S. officials and manipulate the outcome of American elections. ### Target Shift to Trump Campaign In May 2024, after years of targeting former U.S. government officials, the hackers allegedly shifted their focus toward individuals associated with the Trump 2024 presidential campaign, as outlined in the [indictment](http://www.justice.gov/opa/media/1371191/dl). ![FBI-IRGC-hackers-wanted-poster.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/FBI_IRGC_hackers_wanted_poster_f7c0649a13.jpg) ***WANTED POSTER*** ### Unauthorized Access and Theft The hackers successfully infiltrated the personal accounts of campaign officials, illicitly obtaining confidential campaign documents and sensitive emails. ### Hack-and-Leak Campaign Begins By late June, the hackers initiated a _"hack-and-leak"_ operation, attempting to disseminate stolen materials to U.S. media outlets and individuals tied to the Biden campaign, with the intention of undermining Trump's 2024 presidential bid. ### Joint Statement and Timeline Between late June and early July, Iranian cyber actors sent unsolicited emails to individuals associated with President Biden's campaign. These emails contained excerpts from stolen, non-public materials tied to Trump’s former campaign, according to a joint [statement](https://www.fbi.gov/news/press-releases/joint-odni-fbi-and-cisa-statement-091824) released by CISA, the FBI, and the Office of the Director of National Intelligence on September 18. ### Hack-and-Leak Timeline and Tactics This _"hack-and-leak"_ campaign began in January 2020, deploying spear phishing and social engineering techniques to compromise high-profile targets. ### Expanded Operations in 2022 By 2022, their operations expanded, targeting a former U.S. government official to steal personal information that would aid in identifying future victims. ### Concluding Government Actions The U.S. State Department has offered a $10 million reward for [information](https://x.com/RFJ_USA/status/1839704122531987863) on Jalili, Aghamiri, and Balaghi. Concurrently, the Treasury Department's Office of Foreign Asset Control (OFAC) has [designated Jalili](https://home.treasury.gov/news/press-releases/jy2621) for his IRGC involvement, imposing sanctions to thwart foreign interference in U.S. elections. ### Closing Quote from Officials Assistant Attorney General Matthew G. Olsen [stated](https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us), _"Iran's hack-and-leak efforts are a direct assault on the integrity of our democratic processes."_

loading..   30-Sep-2024
loading..   3 min read