Cyber Pulse: Edition 153 | 4 June 2021

Cryptojacking most common cloud threat

A recent report from Palo Alto Networks revealed that Cryptojacking is the most common cloud threat. A honeypot mimicking a misconfigured Docker daemon was deployed by Palo Alto Networks and the data collected between March and April was analysed. More than 75% of attacks on misconfigured Docker daemon honeypots were Cryptojacking attacks. Within a period of 50 days, the research group observed 33 different types of attacks, reaching a total of 850 attacks, implying that the honeypot was attacked around every 90 minutes.

The attacks were regular and conducted by different threat actors. Some attackers designed their malware to detect other malware on the machine and stop them to have a monopoly on the targeted device. Some attacks were collecting information and sending it to a remote server or deploying tools, for example, a DDoS agent or a botnet agent on a misconfigured Docker daemon. Misconfigured Docker daemons are a well-known security issue that has been actively exploited by cybercriminals for the past several years. Therefore, organisations hosting their data on Docker or other cloud-based platforms need to stay extra vigilant and follow security guidelines.

Swedish Health Agency shuts down SmiNet after hacking attempts

The Swedish Public Health Agency (Folkhälsomyndigheten) has shut down SmiNet, the country's infectious diseases database, on Thursday after it was targeted in several hacking attempts. SmiNet, which is also used to store electronic reports with statistics on Covid-19 infections, was shut down on Thursday to investigate the attacks and was brought back online on Friday evening.

"The Swedish Public Health Agency has discovered that there have been several attempted intrusions into the SmiNet database. The database has therefore been closed down temporarily," the agency said. "Work is underway to investigate as quickly as possible whether anyone may have accessed sensitive personal data from the database, as well as sort out and rectify any deficiencies."

The Swedish Public Health Agency could not report complete Covid-19 stats due to the database shut down. Additionally, while the investigation on the intrusion attempts is ongoing, no additional updates will be issued. While no evidence of unauthorised parties accessing sensitive information was found so far, the investigation will take at least a few more days until the reporting process will be restarted.

Security bug in Siemens PLCs used in industrial control networks

Siemens on Friday shipped firmware updates to address a severe vulnerability in SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs), which could be exploited by a malicious actor to remotely gain access to protected areas of the memory and achieve unrestricted and undetected code execution, in what the researchers describe as an attacker's "holy grail".

The memory protection bypass vulnerability, tracked as CVE-2020-15782 (CVSS score: 8.1), was discovered by operational technology security company Claroty by reverse-engineering the MC7 / MC7+ bytecode language used to execute PLC programs in the microprocessor. There's no evidence that the weakness was abused in the wild. In an advisory issued by Siemens, the German industrial automation firm said an unauthenticated, remote attacker with network access to TCP port 102 could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.

"Achieving native code execution on an industrial control system such as a programmable logic controller is an end-goal relatively few advanced attackers have achieved," Claroty researcher Tal Keren said. "These complex systems have numerous in-memory protections that would have to be hurdled in order for an attacker to not only run code of their choice, but also remain undetected."

Not only does the new flaw allow an adversary to gain native code execution on Siemens S7 PLCs, but the sophisticated remote attack also avoids detection by the underlying operating system or any diagnostic software by escaping the user sandbox to write arbitrary data and code directly into protected memory regions. Siemens is "strongly" recommending users to update to the latest versions to reduce the risk. The company said it's also putting together further updates and is urging customers to apply countermeasures and workarounds for products where updates are not yet available.

UK's largest independent furniture retailer hit by cyber attack

Furniture Village, the UK's largest independent furniture retailer with 54 stores nationwide, has been hit by a cyber attack. Although its website remains up and running, this is not the case for the back end. The problems emerged on 29 May when Furniture Village admitted it was experiencing "technical issues" and it was unable to answer calls. They later revealed they were “still experiencing technical issues with [its] internal systems” and that the team was working to resolve them as quickly as possible. These included delivery systems, phone systems, and according to customers, payment mechanisms.

In a statement, they said:

"Frustratingly, Furniture Village was recently the target of a cyber-attack, however, by immediately implementing security protocols, including shutting down the affected systems, we were able to restrict the scope of the attack. Thankfully, to the best of our knowledge, no personal data has been lost or compromised. We're working around the clock to restore all system-related functions of the business as soon as it’s safe to do so. The business remains healthy, and our teams are focused on supporting our customers, resorting to manual processes where necessary."

At this stage, the true nature of the attack remains unclear, but some industry experts believe the retailer could be the victim of a ransomware attack.

Cisco reveals security flaws in Webex Player, SD-WAN & ASR software

Cisco has addressed multiple vulnerabilities in its products, including high-risk flaws in Webex Player, SD-WAN software, and ASR 5000 series software.

“A vulnerability in Cisco Webex Network Recording Player for Windows and MacOS and Cisco Webex Player for Windows and MacOS could allow an attacker to execute arbitrary code on an affected system,” reads the advisory for CVE-2021-1503 published by CISCO. “This vulnerability is due to insufficient validation of values in Webex recording files that are in either Advanced Recording Format (ARF) or Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system.”

The CVE-2021-1526 is a memory corruption issue that attackers could exploit to execute arbitrary code on an affected system. The flaw could be exploited through rigged Webex Recording Format (WRF) files. The vulnerability affects Cisco Webex Player for Windows and MacOS. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user, reads the advisory. The company also addressed a high-risk vulnerability, tracked as CVE-2021-1528, in SD-WAN software. An attacker could exploit the vulnerability to gain elevated privileges on a vulnerable system.

Huawei USB dongles security flaw

Security researchers have discovered a code execution vulnerability in one of Huawei’s LTE USB dongles. Part of Huawei’s mobile broadband dongle range, the Huawei LTE USB Stick E3372, can be plugged into a computer to enable users to browse the internet using an LTE network. However, cybersecurity company Trustwave has now discovered a rather easy-to-exploit vulnerability in the device. In a post, Trustwave’s Security Research Manager Martin Rakhmanov explains the vulnerability exists because one of the installed files is missing appropriate access control settings. 

“All a malicious user needs to do is to replace the file with their own desired code and wait for a legitimate user to start using the cellular data service via Huawei device,” writes Rakhmanov.

According to Trustwave, this affected file is automatically executed when a user plugs the dongle. It’s designed to fire up the default web browser and point it to the dongle’s device management interface. However, Huawei hasn’t set proper permissions on the file. This enables any authenticated user on the computer to overwrite the file. Rakhmanov explains that all a malicious user needs to do is to replace the contents of the file with their own malicious code. Now when a user plugs in the dongle, it’ll automatically execute the malicious code.