This week
Vulns in Azure Linux VMs being actively exploited
Security researchers from Wiz.io found vulnerabilities in Microsoft’s Open Management Infrastructure (OMI) project that can be trivially exploited to remotely execute code on Linux virtual machines running in Microsoft’s Azure cloud.
If a request simply omits the authentication token, the OMI agent on the VM skips the authentication check altogether and runs the commands as root. Oops.
The OMI agent is installed when selecting other Azure monitoring and log management services. Some users may not realise it has been installed when selecting those options: those with port 5986, 5985, or 1270 externally exposed are vulnerable.
The four vulnerabilities involved range from CVSS scores of 7.0 to 9.8/10 and users need to manually update the OMI agent (version 1.6.8.1 onwards is not vulnerable).
It hasn’t taken cybercriminals long to pick up on the issue and, from Thursday this week, they have used a public proof-of-concept to enlist computers and bandwidth into mining cryptocurrency and participating in DDoS attacks.
“Astonishingly” sloppy work from Microsoft and one to check and patch immediately!
zdnet.com, theregister.com, therecord.media
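An added defender-side check, not from the newsletter and not Microsoft’s or Wiz’s code: a POSIX shell script that compares the installed OMI package version against the fixed release 1.6.8.1 named above and reports whether the OMI ports listed above are listening on the host. It assumes the package is registered as “omi” in dpkg or rpm and that ss is available; listening locally is not the same as being externally exposed, which the NSG/firewall decides.

```shell
#!/bin/sh
# Added check (not from the newsletter or from Microsoft/Wiz): is the OMI
# agent on this Linux VM older than the fixed release 1.6.8.1, and are the
# OMI ports listening? Assumes the package is called "omi" in dpkg/rpm.
FIXED_OMI_VERSION="1.6.8.1"
# version_ge A B: succeed (0) if dotted version A >= B, comparing numerically
# component by component; a missing component counts as 0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca=${a%%.*}; cb=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    ca=${ca:-0}; cb=${cb:-0}
    if [ "$ca" -gt "$cb" ]; then return 0; fi
    if [ "$ca" -lt "$cb" ]; then return 1; fi
  done
  return 0
}

# Print the installed omi package version, or nothing if it is not installed.
installed_omi_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}' omi 2>/dev/null && return 0
  fi
  if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}' omi
  fi
  return 0
}
# Exit 0 when OMI is absent or already fixed, 2 when it needs updating.
check_omi() {
  v=$(installed_omi_version)
  if [ -z "$v" ]; then echo "OMI package not found via dpkg/rpm"; return 0; fi
  v=${v%%-*}   # drop any packaging suffix such as "-1"
  if version_ge "$v" "$FIXED_OMI_VERSION"; then
    echo "OMI $v is at or above $FIXED_OMI_VERSION"; return 0
  fi
  echo "OMI $v is OLDER than $FIXED_OMI_VERSION: update the agent"; return 2
}
# Ports from the article that are listening on this host. Listening locally is
# not the same as externally exposed: the NSG/firewall decides that.
listening_omi_ports() {
  ss -Hltn 2>/dev/null | awk '{ sub(/.*:/, "", $4)
    if ($4 == 5985 || $4 == 5986 || $4 == 1270) print $4 }' | sort -u
}

check_omi
ports=$(listening_omi_ports)
if [ -n "$ports" ]; then echo "OMI ports listening locally: $ports"; fi
```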
Interesting stats
2/3 cloud environment breaches stem from improperly configured APIs, says IBM securityintelligence.com
1/4 European cyber insurance claims between 2016 and 2020 were for ransomware, rising to 32% in 2020, according to Marsh therecord.media
$133,400,000 reportedly lost in 1,800 romance scams in the first half of 2021, according to the FBI ic3.gov
Other newsy bits
OWASP Top 10 rankings updated
The Open Web Application Security Project (OWASP) has released a draft update to the ‘top 10’ vulnerabilities introduced by developers into software for the first time since 2017. Injection (such as SQL or XSS) falls from the top spot to third, while Broken Access Control is up five to take the crown.
The list is a good reference for software engineering and security teams to use as a benchmark for things that really shouldn’t be getting through to production environments.
Microsoft goes passwordless
Microsoft announced this week that users will soon be able to go ‘passwordless’ on their accounts, relying on security keys, multi-factor codes and an authenticator app to login instead of a string of letters, numbers and special characters.
In Redmond’s post, they highlighted that they believe there are 579 password attacks every second, or 18 billion annually, and that 15% of people use their pets’ names as inspiration for passwords.
Despite their ubiquity, passwords are one of the major things that ‘security has got wrong’, especially given the huge number of accounts and services that form part of our modern lives. So expect the trend to continue as other large players begin to phase them out in favour of other authentication mechanisms.
microsoft.com, therecord.media
Interesting thinking
- “The parts don’t fit” and importance of systems thinking: @HiredThought
- Lessons to learn from the One Laptop Per Child project in EdTech (and other xTech sectors) @gauravsingh961
In brief
Attacks, incidents & breaches
- Camera and scientific equipment manufacturer Olympus ransomwared by BlackMatter group techcrunch.com
- Travis CI (continuous integration) platform issue exposed users’ secrets and keys from build pipelines arstechnica.com
- Customer contact centre provider TTEC, used by Best Buy, Bank of America and Verizon, becomes a victim of apparent RagnarLocker ransomware attack krebsonsecurity.com
Threat intel
- Cybercriminals have rewritten Cobalt Strike from scratch for Linux zdnet.com
- Ransomware gangs don’t like negotiators: with Grief saying they will delete the decryption key if victims hire one bleepingcomputer.com
- Malware developers starting to use Windows Subsystem for Linux as a new method to compromise devices and avoid detection bleepingcomputer.com
- List of vulnerabilities commonly used by ransomware/initial access brokers @pancak3lullz
Internet of Things
- MikroTik publishes guidance on remediating devices compromised by the Meris Botnet mikrotik.com
Privacy
- France, Spain and Italy criticise Ireland for failing to act swiftly on data protection complaints against US tech companies arstechnica.com
- Google extends support for ‘Permission Auto-Reset’ for devices running older Android OS versions back to Android 6 therecord.media
Public policy
- US, UK and Australia form the Aukus alliance, promising to share nuclear and cyber know-how theregister.com
Law enforcement
- Three ex-US intelligence agents are charged with operating as mercenaries for the UAE and helping to compromise targets’ networks and devices theguardian.com
- Man who bribed AT&T employees to install malware (vol. 2, iss. 32) sentenced to 12 years in prison therecord.media
- Illinois man found guilty of running two DDoS services used to launch more than 200,000 attacks faces up to 35 years in prison bleepingcomputer.com
Mergers, acquisitions and investments
- BitSight receives $250M investment from Moody’s (making them the largest shareholder) and acquires VisibleRisk to improve financial cyber risk exposure calculations techcrunch.com
And finally
If accounting were like cyber security
There is a lot we can learn from other, more established professions, and this fun, sarcastic take highlights some of the bizarre things cyber does as a profession and the things we could learn from accountants. (Something I’ve come to know a lot more about, and agree with, as part of a non-exec director diploma I’m doing.)