Cado Security, provider of the first cloud forensics and incident response platform, today announced Cado’s Incident Readiness Dashboard. This new dashboard provides the ability to proactively run readiness checks, see readiness trends over time, and identify issues that could prevent the organization from rapidly responding to active threats.
The ever-increasing global incident reporting mandates are also putting increased pressure on organizations to ensure they are prepared to determine the scope of an active incident in a timely manner. Some examples include the SEC’s fast-approaching “Final Rule” on incident response and breach disclosures, the European Union’s GDPR’s 72-hour reporting requirement for data breaches, and the upcoming NIS 2 Directive for critical infrastructure organizations coming into effect in 2024.
The Cado Platform enables security teams to:
Automate the entire end-to-end incident response process – from collecting, preserving and analyzing forensic evidence, to containing the threat and limiting its impact.
Prepare comprehensively for an incident by setting up accesses, testing data acquisition, implementing automation rules, and integrating with third-party systems including incident management platforms such as XDR, SOAR, CNAPP, and SIEM.
Test for incident preparedness in order to continuously understand risk posture, know where gaps exist, and where to invest in reducing exposure.
Cado Security has discovered a new cryptojacking campaign targeting exposed Jupyter Notebooks, commonly deployed in cloud environments, with providers such as Google and AWS offering them as managed services. This campaign is particularly “cloud-y” – not only is it targeting Jupyter, but the malware developer is deliberately trying to steal cloud credentials. Cado even saw attempts to use these credentials to access cloud services.
The payloads for the campaign are all hosted on codeberg.org, providing much of the same functionality as Github – the first time Cado researchers have encountered this platform in an active malware campaign. The malware includes relatively sophisticated command and control (C2) infrastructure, with the controller using Discord’s bot functionality to issue commands on compromised nodes and monitor the campaign’s progress.
Qubitstrike (the name given to the malware by its developer) attackers specifically seek Cloud Service Provider (CSP) credentials. Cado observed attempts by the attackers to utilize stolen CSP credentials for further exploitation.
Cado Security discovered P2Pinfect, a novel peer-to-peer botnet targeting servers hosting publicly-accessible instances of Redis. At that time, it was clear that the malware was under active development, and the botnet was in its infancy.
Since then, Cado has closely followed the proliferation of this malware, noting a sharp increase in initial access events attributable to P2Pinfect. The malware’s developers appear to be iterating on the capabilities of deployed payloads, releasing new variants with incremental updates at an extremely frequent rate.
Cado Security has published a new blog analyzing the botnet itself, which has grown exponentially since the malware’s discovery and covering the new capabilities of P2Pinfect Linux variants. At this time, Cado researchers have analyzed four variants of P2Pinfect payloads.
Cado researchers have witnessed the following:
A 60,216.7% or a 600x increase in P2Pinfect traffic since August 28, 2023.
A 12.3% increase in traffic occurred in just the week before this.
The highest concentration of compromises is seen in China.
East Asian & US Cloud Service Providers (CSPs) leveraged as P2Pinfect peers.
While many organizations have doubled down on cloud security in recent years, most still wrestle with closing the gap between detection and response. Once malicious activity has been identified, it can feel nearly impossible to understand the true scope and impact.
When it comes to incident response, the more data sources you can analyze in aggregate, the better your investigation will be; however, this isn’t easy – especially in the case of complex, multi-cloud environments. In Azure alone there are over 200 products and services, each with their own set of best practices and data sources. Each cloud provider has their own terminology, security tools, monitoring logs, and APIs, making it extremely difficult for analysts to know which data sources are most valuable to capture, how to capture them, and moreover, how to best investigate them.
Naturally, security teams have attempted to apply legacy investigation tools and processes to the cloud, but deep-dive investigations are still too complicated and time consuming. In many cases, analysts need to use a patchwork of legacy and open-source tools and resort to spreadsheets to piece together an investigation. Worse, due to the amount of time and resources required to perform forensics in the cloud, security teams often don’t have the cycles to do an investigation as frequently as they feel is necessary, leaving the organization vulnerable to risk.
Cado’s mission is to provide security teams with a faster and smarter way to perform forensics investigations in the cloud. The Cado platform harnesses automation at its core to expedite the end-to-end incident response process. When it comes to the investigation itself, the platform automatically presents key incident details including a full timeline of events, saving analysts weeks of time that would have been spent in spreadsheets. Cado’s timeline feature provides analysts with a unified view of hundreds of data sources across cloud-provider logs, disk, memory and more. Further, the Cado timeline supports cross-cloud evidence items to be viewed in a single pane of glass in cases where an incident spans multiple public cloud environments. This level of contextual awareness is vital in understanding the impact and scope of an incident.
As part of this latest product release, Cado has introduced additional enhancements to its timeline feature to help security teams further supercharge investigations and reduce Mean Time To Response (MTTR). Here’s an overview of the most recently released timeline functionality:
New Timeline View
Cado is excited to have revamped the look and feel of the timeline feature so that it is more intuitive to navigate and pivot off key artifacts during an investigation. From card view to a powerful tabular view, we hope this will greatly streamline the analysis process. This new view also aligns with our mission to make forensics more approachable so that analysts of all levels can perform incident response in the cloud.
Faceted Search
Faceted search will allow users to narrow down their search results quickly using facet options, which represent categories of data. The facet options Cado presents will show the user the core data types/attributes the events contain, enabling them to refine datasets quickly and efficiently using the facet navigation, rather than having to add filters to their query in the search bar manually, which can burden the user.
Saved Search
Saved search will allow users to save investigation queries for re-use at a later date. During an investigation, particularly in the earlier analysis phases, a user will be exploring and pivoting across datasets and will have naturally built-up a considerable query in the search bar. Users can now preserve this query so they can re-execute it on their next session (or even share it with colleagues). This feature will save precious investigation time by not having to rebuild a query from scratch, thus enabling rapid search and visibility.
If you’re interested in learning more, reach out to our team or take advantage of a 14-day free trial of the Cado platform!
Cado Security, provider of the first cloud forensics and incident response platform, today announced the release of Cado Security Labs 2023 Cloud Threat Findings Report. The report reveals noteworthy discoveries about the evolving cloud threat landscape, shedding light on the heightened risk of cyberattacks due to the rapid adoption of cloud-focused services.
Cado Security Labs is the internal threat research division within Cado’s engineering team. Responsible for conducting industry-leading threat intelligence and cloud security research, the team proactively monitors the latest cloud attack trends and Tactics, Techniques, and Procedures (TTPs). Since its inception, Cado Security Labs has discovered numerous novel cloud-based malware families and threat techniques; one such example is Denonia, the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment.
Cado Security Labs researchers operate honeypot infrastructure to collect cloud attacker telemetry across services known to be targeted by cloud-focused threat actors. Findings are examined in real time and novel attack patterns are identified, reported on, and distributed to the security community.
As organizations increasingly embrace cloud technologies and inherently expose themselves to new and evolving risks, understanding emerging cloud trends on a deeper level is critical. In this report, Cado equips the security community with knowledge that will help them better protect against the latest threats.
Key findings from the report include:
Botnet agents are the most common malware category, representing around 40.3% of all traffic. Use of botnets has been especially relevant in the context of the Russia-Ukraine war, where they have been leveraged by hacktivists on both sides to conduct DDoS attacks on strategic targets.
SSH is the most commonly targeted service accounting for 68.2% of the samples seen, followed by Redis at 27.6%, and low Log4Shell traffic at a mere 4.3%, indicating a shift in threat actor strategy no longer prioritizing the vulnerability as a means of initial access.
Further, nearly all (97.5%) opportunistic threat actors scan for vulnerabilities in only a single specific service to identify vulnerable instances deployed in the wild. This could be because attackers are aware of a specific vulnerability in a particular service, or because they have development experience in that area.
From the attacker telemetry analyzed, Cado Security Labs has derived several projections and recommendations. The team anticipates attacks leveraging serverless functions will increase in severity and sophistication, ransomware groups will develop more non-Windows ransomware, and threat actors will continue to exploit cloud services to aid in phishing and spam campaigns.
In light of these predictions, Cado Security experts advise organizations to understand the AWS shared responsibility model, ensure access to relevant evidence, limit the exposure of services like Docker and Redis, check public repositories for cloud credentials, and apply the principle of least privilege.
Cado Security will publish a new blog revealing that Cado Security Labs has discovered a novel malware campaign.
Cado Security Labs researchers recently encountered a novel malware campaign targeting publicly-accessible deployments of the Redis data store. The malware, named “P2Pinfect” by the developer, is written in Rust and acts as a botnet agent. The sample analyzed by Cado researchers includes an embedded Portable Executable and an additional ELF executable, suggesting cross-platform compatibility between Windows and Linux.
In the time between encountering P2Pinfect and publishing this blog, Unit42 researchers also published an in-depth analysis of the Windows variant of the malware. According to their findings, the variant they encountered was delivered via exploitation of CVE-2022-0543, a Lua sandbox escape vulnerability present in specific versions of Redis. Cado researchers witnessed a different initial access vector, which is detailed further in the blog post, which you can read here.
Cado Security has revealed the discovery of brute-forcing malware payloads, which didn’t have any public reporting and were missing from common repositories, being used as part of a new campaign by Romanian hacking group, Diicot, formerly known as Mexals.
Artifacts from the group’s campaigns contain messaging and imagery related to the Romanian organized crime and anti-terrorism policing unit, which is significant given that both the hacking group and the policing unit are named Diicot. Combined with Romanian-language strings and log statements in the payloads, Cado researchers attribute the malware to Diicot.
Cado Labs discovered evidence of the group deploying an off-the-shelf Mirai-based botnet agent named Cayosin, targeted at routers running OpenWRT, a Linux-based operating system for embedded devices. An investigation of one of Diicot’s servers led to the discovery of a Romanian-language doxxing video depicting a feud between the group and what appear to be other online personas.
This report will provide a brief overview of attributing the campaign to Diicot’s distinctive TTPs, along with the execution chain employed by the group in their latest campaign, before focusing on the newest version of their self-propagating SSH brute-forcer. Cado researchers identified four channels used for this campaign and confirmed that the campaign is recent and ongoing.
Cado Security has released an update on Legion, an AWS Credential Harvester and SMTP Hijacker discovered last month by Cado Labs researchers. Matt Muir, Threat Intelligence Researcher at Cado Security, is set to reveal fresh insights into the evolution of the Python-based hacktool that has been actively undergoing development to exploit vulnerable web applications and recent findings that indicate a significant broadening of scope.
Legion has now developed capabilities to compromise SSH servers and presents expanded features to retrieve additional AWS-specific credentials from Laravel web applications. This demonstrates that Legion’s focus on targeting cloud services is becoming increasingly refined with each iteration.
A key update of the Legion malware is its ability to exploit SSH servers. In the prior version, the code to exploit SSH servers using the Python library Paramiko was commented out. However, this code has been uncommented and is now operational.
Researchers also discovered that the updated Legion had expanded its credential harvesting capabilities with an increased focus on cloud services. The malware now searches for credentials specific to several services, including DynamoDB, Amazon CloudWatch, and AWS Owl.
Cado Security will release a report on a newly discovered Python-based credential harvester and hacktool called Legion, which targets various services for email exploitation. Cado’s research indicates that Legion is likely linked to the AndroxGh0st malware family, first reported in December 2022. Interestingly, the tool is being marketed and sold via Telegram messenger.
Legion is designed to exploit web servers running CMS, PHP, or PHP-based frameworks. It can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal. Furthermore, Legion can hijack SMS messages and compromise AWS credentials.
A unique aspect of Legion, not previously covered in the research, is its ability to send SMS spam messages to users of mobile networks in the United States. The report will provide a comprehensive list of targeted carriers, including AT&T, Sprint, Verizon, and others.
Cado Labs discovered a YouTube channel containing tutorial videos on Legion, indicating that the tool is widely distributed and likely paid malware. Cado also found several Indonesian-language comments, suggesting the developer may be Indonesian or based in Indonesia.
New OracleIV DDoS Botnet Malware Targets Docker Engine API to Deliver Malicious Container Image
Posted in Commentary with tags Cado Security on November 13, 2023 by itnerd
Cado Security Labs researchers recently discovered a novel campaign targeting publicly exposed instances of the Docker Engine API. Attackers exploit this misconfiguration to deliver a malicious Docker container containing malware written in Python and compiled as an ELF executable. The malware acts as a DDoS bot agent, capable of conducting DoS attacks via several methods.
In the Docker API command, the attacker retrieves an image named OracleIV, uploaded to Docker Hub by a malicious user. The image was still live at the time of writing, with over 3,000 pulls, and appeared to be undergoing regular iteration, with the most recent changes pushed only 3 days before Cado’s blog writeup.
OracleIV demonstrates that attackers are still intent on leveraging misconfigured Docker Engine API deployments for various campaigns. Containerization’s portability allows malicious payloads to be executed deterministically across Docker hosts, regardless of the host’s configuration. Users of Docker Hub should be aware that malicious container images exist in Docker’s image library.
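To make the exposure concrete, here is an added example, not code from this post or from Cado Security: a small Python audit that reads a Docker daemon.json and a redis.conf and flags the weak settings the page warns about, namely the Docker Engine API listening on plain TCP on all interfaces (the misconfiguration OracleIV abuses) and Redis bound to every interface without authentication (the exposure P2Pinfect relies on). It serves both this post and the recommendation in the 2023 Cloud Threat Findings Report summary to limit the exposure of services like Docker and Redis. The configuration samples are constructed for illustration; the hardened values (TLS certificate paths, the placeholder password) are assumptions, not anything the page specifies.

```python
"""Audit Docker daemon and Redis configuration for network exposure.

Added example, not part of the post or of Cado Security's tooling. The sample
configurations below are constructed for illustration only.
"""
import json

# Constructed sample: a daemon.json exposing the Engine API on all interfaces
# over plain TCP, beside a hardened counterpart (loopback listener, TLS required).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",            # assumed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed redis.conf fragments: world-reachable and unauthenticated, beside
# a hardened version (loopback only, protected mode on, password required).
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-example-only
"""


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for a Docker daemon.json; an empty list means nothing exposed."""
    cfg = json.loads(daemon_json)
    tls_on = bool(cfg.get("tls") or cfg.get("tlsverify"))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local to the host
        addr = host[len("tcp://"):]
        bind_ip = addr.rsplit(":", 1)[0] if ":" in addr else addr
        # 0.0.0.0, [::] or an empty host part all mean "every interface"
        all_ifaces = bind_ip in ("", "0.0.0.0", "[::]", "::")
        if all_ifaces and not tls_on:
            findings.append(f"Docker Engine API on {host} reachable from all interfaces without TLS")
        elif all_ifaces:
            findings.append(f"Docker Engine API on {host} reachable from all interfaces (TLS on; confirm tlsverify and firewalling)")
        elif not tls_on:
            findings.append(f"Docker Engine API on {host} without TLS")
    return findings


def audit_redis_conf(conf_text: str) -> list[str]:
    """Return findings for a redis.conf; an empty list means nothing exposed."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    findings = []
    binds = settings.get("bind", "").split()
    # Redis 6+ allows an optional "-" prefix on bind addresses; strip it.
    explicit_all = any(b.lstrip("-") in ("0.0.0.0", "::", "*") for b in binds)
    protected = settings.get("protected-mode", "yes") != "no"
    if explicit_all:
        # Protected mode only applies when no bind directive is set at all.
        findings.append("Redis explicitly bound to all interfaces (protected mode does not apply to an explicit bind)")
    elif not binds and not protected:
        findings.append("Redis has no bind directive and protected-mode is off: reachable from all interfaces")
    if "requirepass" not in settings and "user" not in settings:
        findings.append("Redis has no requirepass or ACL users configured")
    return findings


if __name__ == "__main__":
    for label, dj, rc in (("weak", WEAK_DAEMON_JSON, WEAK_REDIS_CONF),
                          ("hardened", HARDENED_DAEMON_JSON, HARDENED_REDIS_CONF)):
        print(label, audit_docker_daemon(dj) + audit_redis_conf(rc) or ["no exposure found"])
```

The audit only reads configuration files, so it can run on a host as part of a readiness check. Note that dockerd can also take its listener from a `-H` flag in the systemd unit rather than from daemon.json, and Redis may be started with command-line overrides, so both sources should be inspected before concluding that a service is not reachable from the network.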
You can read their writeup on this here.