The IT Nerd

So this is a new one and a sure sign that the bad guys are evolving their attacks at a rapid place.

Earlier this week, threat researchers at Sophos discovered a new strain of ransomware, written in Python and designed to deploy ransomware unusually fast. The strain was used to compromise and encrypt virtual machines hosted on an ESXi hypervisor.

In what was one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script, the attackers only spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.

That’s pretty scary. I’d read the full report as it’s pretty eye opening. But I did get this comment from Mieng Lim, VP of product management at Digital Defense by HelpSystems:

“Ransomware threats are constantly evolving. From the commoditization of ransomware through the recent availability of as-a-service tools, to increasingly sophisticated attack strategies, it is a threat landscape that demands constant monitoring and education from organizations and governments alike. This is perfectly illustrated by the new strain of ransomware discovered by Sophos this week.

Typically, hackers enter their victim’s systems and linger undetected, harvesting data and identifying targets before they deploy a targeted ransomware attack. However, this new python-based ransomware enters systems and initiates an attack within a few hours, making fast-acting threat detection and response absolutely essential for businesses. 

The first step in building an effective ransomware mitigation strategy is always setting realistic expectations. Ransomware breaches are no longer fully preventable, so businesses must focus on layering defensive barriers between an attacker and their most sensitive data. Running regular penetration testing and vulnerability scanning can help an organization identify and repair possible attack vectors, closing backdoors before an attacker can enter them and minimizing an attacker’s ability to escalate their privileges once inside the system. 

However, for any organization looking to improve its cyber threat response time, threat detection tools are a must. Network Traffic Analysis (NTA) works to monitor a network for any suspicious activity, detecting ransomware breaches and infection as quickly as possible. On top of these, active threat scans can give the organization peace of mind. If a breach is spotted, it is important to reassess the state of the IT environment to ensure that there isn’t a repeat attack. Unfortunately, we live in an era where preventing 100% of cyber risks is no longer possible, but constant vigilance, ongoing-cyber threat education, and a well-planned threat detection and response strategy will go a long way towards keeping your organization’s most sensitive data safe.”

The people responsible for securing critical IT infrastructure are really working hard to earn their money as this ransomware attack via Python shows that the attack surface that they have to secure is constantly growing. And will continue to grow.

New research from PenTestPartners shows Scottish brewery BrewDog exposed data of over 200,000 shareholders a year by hardcoding authentication tokens associated with their API endpoints designed for BrewDog’s mobile application. Here’s the scope of this #EpicFail:

• BrewDog exposed the details of over 200,000 ‘Equity for Punks’ shareholders for over 18 months plus many more customers
• Every mobile app user was given the same hard coded API Bearer Token, rendering request authorisation useless
• It was therefore trivial for any user to access any other user’s PII, shareholding, bar discount, and more
• Disclosure was rather fraught. Instead of being ‘cool’ as we had hoped, given their reputation as being a bit counter-culture, BrewDog instead declined to inform their shareholders and asked not to be named. It took 4 failed fixes to properly resolve the problem.
• It’s public knowledge that BrewDog are considering an IPO. We are concerned for future investors if BrewDog’s wider approach to security and disclosure is this weak.
• But, best of all, shareholders get a free beer on the 3 days before or after their birthday under the terms of the Equity for Punks scheme. One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!

And how BrewDog handed this is even more of an #EpicFail:

It took several days for BrewDog to respond properly, which was a fail in itself. We had to escalate via LinkedIn, as their social media team didn’t know what to do with the report.

Top tip: A company who puts out an app should have a clear means to allow vulnerability reports to reach the right people. These clowns didn’t. Another #EpicFail. And while they did get the issue fixed…. eventually, there was this:

The vulnerability is fixed. As far as I know, BrewDog have not alerted their customers and shareholders that their personal details were left unprotected on the internet.

And what makes this really bad is that it isn’t clear if this vulnerability was exploited. This is wrong on so many levels and reflects poorly on BrewDog.

Yariv Shivek, VP of Product, Neosec had this to say about said #EpicFail:

“Hardcoding API credentials (API keys, tokens, etc.) into mobile apps is sadly a common mistake. Mobile applications — as well as single-page web applications (aka SPAs) — run in untrusted client environments, environments under the (ab)user’s control. Looking for API credentials in applications is easy, and when those credentials allow bypassing authentication or authorization, this can lead to data leaks and even complete account takeovers.”

“Secure coding and client-based security controls can and should be employed to prevent these things from happening. But as with all things, prioritization is key, and prioritization relies on knowing which API endpoints pass sensitive data, the types of sensitive data being passed, as well as what each service and endpoint’s risk posture is. This knowledge is actually at most organizations’ fingertips — in the form of unmined logs.”

Hopefully BrewDog suffers some repetitional damage from this #EpicFail as this coding decision and the response to it is completely unacceptable.

New research from Ermetic finds the majority of AWS accounts surveyed are vulnerable to ransomware, citing high risk identities and configuration errors that expose Amazon S3 buckets to compromise:

Ermetic researchers identified the following findings in the organizations they evaluated which would allow ransomware to reach and execute on Amazon S3 buckets:

• Overall, every enterprise environment studied had identities at risk of being compromised and that could perform ransomware on at least 90% of the buckets in an AWS account
• Over 70% of the environments had machines that were publicly exposed to the internet and identities whose permissions allowed the exposed machines to perform ransomware
• Over 45% of the environments had third party identities with the ability to perform ransomware by elevating their privileges to admin level (an astounding finding with far-reaching implications beyond the ransomware focus of this research)
• Almost 80% of the environments contained IAM Users with enabled access keys that had not been used for 180 days or more, and had the ability to perform ransomware

It’s important to note that these findings focus on single, compromised identities. In many ransomware campaigns, bad actors often move laterally to compromise multiple identities and use their combined permissions, greatly increasing their ability to access resources.

That’s not trivial given how popular using Amazon S3 buckets happen to be. Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:

“This report highlights the urgent need to “detect threats” in the cloud and not just focus on misconfigurations. Research from Cloud Security Alliance shows that even if misconfigurations are detected in S3 buckets or IAM access keys not being used for a long time, it takes a while for these to get detected and remediated – sometimes days, weeks and even months. It also highlights that ransomware is not just an on-premises problem but as the pandemic has accelerated cloud migration of workloads it has also accelerated cloud migration for attackers and ransomware criminal operators.”

“It is critical to monitor 3 things in the cloud:

1. Runtime activity of identities in terms of what they are doing and from where
2. Cloud storage (S3) in terms of not just the permissions and configurations but actually the      read/write pattern and what is actually being stored in there. 
3. Network activity which can highlight when instances either inadvertently or deliberately opened to the Internet are brute-forced and then identities stored on those instances are used for lateral movement.” 

     “You cannot guarantee that mistakes like identities being enabled for too long, too permissive, leaked in code will not happen. They can only be reduced. On the other hand, keeping an eye on active attacks on the cloud infrastructure can thwart attackers from gaining enough privilege and access to ransom the data.”

It’s clear that companies need to up their threat detection efforts to extend to the cloud to ensure that they are fully secure.

For the second time this week, Twitch has been pwned. Hackers have managed to deface Twitch for a few hours this morning, replacing a number of background game images with photos of Amazon CEO Jeff Bezos:

Users reported seeing images of Bezos in the listings for GTA V, Dota 2, Smite, Minecraft, Apex Legends, and many more on the Amazon-owned service. It’s not clear how the background images were changed or whether this latest incident was aided by a huge security breach at Twitch earlier this week. Hackers were able to exploit a server misconfiguration and steal hundreds of gigabytes of information. Twitch is still investigating the breach, and so far a wealth of information pertaining to the website’s source code, unreleased projects, and even how much the top streamers make has been released.

Clearly Twich still has serious security issues that it clearly hasn’t closed. And given that the source code is out there, you can fully expect that more hacks are coming. Which is bad if you’re Twitch and their corporate parent Amazon.