Cybersecurity Roundup #15
"Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management" - Kevin Mitnick
Cybersecurity vulnerability at major cosmetics brand leads to a 7+ GB data leak
One of the world’s well-known cosmetic brands has been informed that a significant data breach was discovered on its web server, which was found to be publicly exposed, without password protection or encryption.
Our security team, led by Anurag Sen, discovered Avon.com's US server without encountering any security measures or protection. The vulnerability effectively means that anyone possessing the server's IP address could access the company's open database.
In a regulatory filing on 9 June 2020, Avon confirmed that an incident had “interrupted some systems and partially affected operations”. That filing appears to refer to a different issue, which may or may not be related to the exposed server our security team found.
A few days later, Avon submitted a second regulatory filing stating that no financial data was involved “as its main e-commerce website does not store that information”. The company also confirmed that its online operations around the world remain in various stages of recovery, with some regions operating normally while others remain offline.
Undetectable Linux Malware Targeting Docker Servers With Exposed APIs
Cybersecurity researchers today uncovered a Linux malware sample that was evading antivirus detection at the time of analysis and uses previously undocumented techniques to stay under the radar. It targets publicly accessible Docker servers hosted on popular cloud platforms, including AWS, Azure and Alibaba Cloud, whose Docker Engine API has been bound to a TCP port (by convention 2375) without TLS client authentication.
Docker is a widely used container platform for Linux and Windows designed to make it easier for developers to create, test and run their applications in a loosely isolated environment called a container. The Engine API that manages those containers is root-equivalent: anyone who can reach it unauthenticated can start a privileged container, mount the host filesystem into it and run arbitrary code on the host, which is exactly what this campaign does.
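The exposure described above is usually a one-line misconfiguration in the daemon's configuration. The block below is an added example (not code from the malware report or from Docker) that audits a dockerd daemon.json for an Engine API listening on TCP without client-certificate verification; the two sample configurations are constructed for illustration, and the daemon.json keys it inspects (hosts, tls, tlsverify, tlscacert/tlscert/tlskey, api-cors-header) are real dockerd options.

```python
"""Audit a dockerd daemon.json for an Engine API reachable without client authentication.

Added example with constructed sample configurations; not code from Docker or from
the malware report discussed above.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Bind addresses that expose the listener on every interface of the host.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}


def audit_docker_daemon(config: dict) -> list[str]:
    """Return a list of findings; an empty list means no exposed-API problem was found."""
    findings: list[str] = []
    tls = bool(config.get("tls", False))
    tlsverify = bool(config.get("tlsverify", False))

    for entry in config.get("hosts", []):
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only; out of scope for this check
        host = parts.hostname or ""
        where = "all interfaces" if host in WILDCARD_BINDS else host
        if not tlsverify:
            # "tls": true alone encrypts the channel but still accepts any client.
            mode = "TLS without client certificate checks" if tls else "plaintext, no authentication"
            findings.append(
                f"{entry}: Engine API on {where} ({mode}); anyone who can reach it "
                "can start privileged containers and take over the host"
            )
        else:
            for key in ("tlscacert", "tlscert", "tlskey"):
                if not config.get(key):
                    findings.append(
                        f"{entry}: tlsverify is set but {key} is not configured; "
                        "confirm the default certificate paths exist"
                    )

    if config.get("api-cors-header") == "*":
        findings.append("api-cors-header is '*': browser pages can issue cross-origin API calls")
    return findings


def audit_daemon_json_text(text: str) -> list[str]:
    """Convenience wrapper: parse the file contents and audit them."""
    return audit_docker_daemon(json.loads(text))


# Constructed samples, not taken from any real host.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_json_text(text) or ["no findings"])
```

The weak sample is the shape that scanners look for: a tcp:// entry with no tlsverify. The hardened sample keeps the TCP listener but requires a client certificate signed by the configured CA; if remote access is not actually needed, dropping the tcp:// entry entirely and leaving only the unix socket is the simpler fix.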
New Linux malware uses Dogecoin API to find C&C server addresses
While Linux malware was once sitting on the fringes of the malware ecosystem, today, new Linux threats are being discovered on a weekly basis.
The latest finding comes from Intezer Labs. In a report shared with ZDNet this week, the company analyzed Doki, a new backdoor trojan it spotted as part of the arsenal of an established threat actor known for targeting web servers for crypto-mining purposes.
The threat actor, known as Ngrok because of its initial penchant for using the Ngrok service to host command and control (C&C) servers, has been active since at least late 2018. Rather than hard-coding a C&C address, Doki derives its C&C hostname from data fetched through a public Dogecoin block-explorer API, so the operator can move the server by making a transaction from a wallet they control, and there is no fixed domain for defenders to seize.
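To make the dead-drop idea concrete, here is an added illustration of the pattern (not Intezer's reconstruction of Doki's actual algorithm, and not code from the report): an implant derives its C&C hostname from a value read off a public ledger, and a defender who knows the wallet can derive the same hostnames for hunting. The derivation (hash the wallet's transaction total, truncate, append a dynamic-DNS suffix), the wallet address and the explorer response snapshots are all constructed assumptions, so the block runs offline.

```python
"""Blockchain dead-drop resolver: derive a C&C hostname from a public-ledger value.

Added illustration of the technique; the derivation, wallet address and ledger
snapshots are constructed assumptions, not Doki's real algorithm or data.
"""
from __future__ import annotations

import hashlib

DYNDNS_SUFFIX = ".ddns.net"  # assumption: the operator registers a dynamic-DNS name
LABEL_LEN = 12               # assumption: first 12 hex characters of the digest


def derive_c2_domain(ledger_value: str, suffix: str = DYNDNS_SUFFIX) -> str:
    """Map a value read from the ledger to a hostname, deterministically."""
    digest = hashlib.sha256(ledger_value.encode()).hexdigest()
    return digest[:LABEL_LEN] + suffix


def resolve_c2(ledger_snapshot: dict, wallet: str) -> str:
    """Implant side: read the wallet's 'sent' total from an explorer response
    (constructed shape: {wallet: {"sent": "<amount>"}}) and derive the hostname.
    The operator changes the hostname simply by sending coins from the wallet."""
    return derive_c2_domain(ledger_snapshot[wallet]["sent"])


def hunt_domains(value_history: list[str]) -> list[str]:
    """Defender side: given every 'sent' total the wallet has shown over time,
    list every hostname the implant would have contacted, for DNS-log hunting."""
    return [derive_c2_domain(v) for v in value_history]


# Constructed explorer responses before and after the operator rotates the server.
WALLET = "DHYPOTHETICALWALLETADDRESS000000000"  # fake address, assumption
SNAPSHOT_BEFORE = {WALLET: {"sent": "20.55"}}
SNAPSHOT_AFTER = {WALLET: {"sent": "21.55"}}

if __name__ == "__main__":
    print("before rotation:", resolve_c2(SNAPSHOT_BEFORE, WALLET))
    print("after rotation: ", resolve_c2(SNAPSHOT_AFTER, WALLET))
    print("hunt list:", hunt_domains(["20.55", "21.55"]))
```

The point for defenders is that the implant contains no domain to block; the hostname is a function of public data plus a scheme that has to be recovered by reverse engineering. Once the scheme and the wallet are known, hunt_domains gives the full list of historical rendezvous names to search for in DNS logs.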
Netflix credential phishing hides behind working CAPTCHA
A recent wave of phishing attacks aiming to steal payment card details and credentials for the Netflix streaming service starts by redirecting victims to a functioning CAPTCHA page. Automated email security scanners that follow the link stop at the CAPTCHA and never see the credential-harvesting page behind it, while a human victim solves it and continues.
The actor behind these attempts used a "failed payment" theme to lure potential victims into the redirect chain leading to the phishing page.
Hacker disrupts Emotet botnet operation by replacing payload with GIFs
Online users are frequently the target of botnet malware campaigns, as cybercriminals are always looking to extort money or steal data to carry out a range of scams. Emotet is one of the most commonly used botnets today; it is distributed mainly through malicious email attachments and links (it also carries a module that spreads over nearby Wi-Fi networks) and can load different types of malware onto an infected machine.
However, an unidentified hacker has sabotaged Emotet's distribution by replacing its malicious payloads with animated GIFs and memes, so that victims who open a lure receive a harmless image instead of the malware.
There’s a Hole in the Boot
Eclypsium researchers have discovered a vulnerability, dubbed “BootHole”, in the GRUB2 bootloader used by most Linux systems that can be used to gain arbitrary code execution during the boot process, even when Secure Boot is enabled. The flaw is a buffer overflow in the way GRUB2 parses its configuration file, grub.cfg, which is not covered by the Secure Boot signature: an attacker who can modify that file (root on the system, or physical access to the EFI system partition) can corrupt memory inside the signed bootloader. Attackers exploiting this vulnerability can install persistent and stealthy bootkits or malicious bootloaders that give them near-total control over the victim device.
Systems that use Secure Boot are affected even if they do not run GRUB2, because the vulnerable bootloaders are signed with keys that chain to the Microsoft Third Party UEFI Certificate Authority, which most firmware trusts: an attacker can install a legitimately signed but vulnerable bootloader chain on a Windows machine and use it to load malicious code. Almost all signed versions of GRUB2 are vulnerable, so virtually every Linux distribution is affected, and GRUB2 also boots other operating systems, kernels and hypervisors such as Xen. The majority of laptops, desktops, servers and workstations are therefore affected, along with network appliances and special-purpose equipment used in industrial, healthcare, financial and other industries. This makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders.
Eclypsium has coordinated the responsible disclosure of this vulnerability with a variety of industry entities, including OS vendors, computer manufacturers and CERTs. Mitigation requires new bootloaders to be signed and deployed, and the vulnerable ones to be revoked so that an adversary cannot simply install an older, vulnerable version. Revocation works by adding the old bootloaders' signatures or hashes to the UEFI forbidden-signature database (dbx), which is why the order of operations matters: a machine that receives the dbx update before its updated bootloader will refuse to boot, and older installation or recovery media will be rejected once the dbx update is in place. This will be a long process, and organizations should plan for staged rollouts and considerable time to complete patching.