
Monday, April 29, 2019

Docker Hub Suffers a Data Breach, Asks Users to Reset Password

By Wang Wei on April 24, 2019, on The Hacker News.

Docker Hub, one of the largest cloud-based libraries of Docker container images, has suffered a data breach after an unknown attacker gained access to the company's single Hub database.


Docker Hub is an online repository service where users and partners can create, test, store and distribute Docker container images, both publicly and privately.


The breach reportedly exposed sensitive information for nearly 190,000 Hub users (less than 5 percent of total users), including usernames and hashed passwords for a small percentage of the affected users, as well as GitHub and Bitbucket tokens for Docker repositories.


Docker Hub started notifying affected users via emails informing them about the security incident and asking them to change their passwords for Docker Hub, as well as any online account using the same password.


"On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site."

"For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place."


The company has not revealed any further details about the security incident or how the unknown attackers gained access to its database.


</gre_replace>
<gr_replace lines="47" cat="clarify" orig="sábado, 6">
Saturday, January 6, 2018
Docker says the company is continuing to investigate the security breach and will share more information as it becomes available.


The company is also working to enhance its overall security processes and reviewing its policies following the breach.


sábado, 6 de janeiro de 2018

TRITON Malware Targeting Critical Infrastructure Could Cause Physical Damage

By Wang Wei on December 14, 2017, on The Hacker News



Security researchers have uncovered another nasty piece of malware designed specifically to target industrial control systems (ICS) with a potential to cause health and life-threatening accidents.


Dubbed Triton, also known as Trisis, the ICS malware has been designed to target Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric—an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically, if a dangerous state is detected.


Researchers from the Mandiant division of security firm FireEye published a report on Thursday, suggesting state-sponsored attackers used the Triton malware to cause physical damage to an organization.


The researchers have neither disclosed the name of the targeted organization nor linked the attack to any known nation-state hacking group.


According to separate research conducted by ICS cybersecurity firm Dragos, which calls this malware "TRISIS," the attack was launched against an industrial organization in the Middle East.

Triton leverages the proprietary TriStation protocol, which is an engineering and maintenance tool used by Triconex SIS products and is not publicly documented, suggesting that the attackers reverse engineered it when creating their malware.


"The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers," FireEye researchers said.

The hackers deployed Triton on an SIS engineering workstation running the Windows operating system by masquerading it as the legitimate Triconex Trilog application.


The current version of TRITON malware that researchers analyzed was built with many features, “including the ability to read and write programs, read and write individual functions and query the state of the SIS controller.”


"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," the researchers said.

Using TRITON, an attacker can typically reprogram the SIS logic to falsely shut down a process that is actually in a safe state. Though such a scenario would not cause any physical damage, organizations can face financial losses due to process downtime.

Besides this, attackers can also cause severe, life-threatening damage by reprogramming the SIS logic to allow unsafe conditions to persist, or by intentionally manipulating the process to reach an unsafe state first.


"The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available."

Researchers believe Triton is emerging as a severe threat to critical infrastructure, just like Stuxnet, IronGate, and Industroyer, because of its capability to cause physical damage or shut down operations.

Monday, December 18, 2017

Firewall Bursting: A New Approach to Better Branch Security


One of the most common network security solutions is the branch firewall. Branch firewall appliances can pack into a single device a wide range of security capabilities including a stateful or next-generation firewall, anti-virus, URL filtering, and IDS/IPS.


But the reality is that most of these edge devices lack the processing power to apply the full scope of capabilities on all of the necessary traffic.


If the firewall deployed in the branch cannot scale to address critical security needs, an alternative strategy must be used. Wholesale appliance upgrades are easy but expensive. Regional security hubs are complex and also costly.


A new approach, called firewall bursting, leverages cloud scalability to offer an easier, more cost-effective alternative for branch office security. (You can find a great table comparing the different firewall approaches here.)


Costly Appliance Upgrades and Secure Hub Architectures


The existing methods of evolving branch security force IT into a tough trade-off: the cost and complexity of managing appliance sprawl or the complexities of a two-tier network security architecture.


Upgrading all branch firewalls to high-performance, next-generation branch firewalls improves network security, no doubt. Branch offices gain deeper packet inspection and more protections applied to more traffic. This is a relatively straightforward, but very costly, way to achieve stronger security.

Aside from the obvious firewall upgrade cost, there are also the costs of operating and maintaining the appliance, which include forced upgrades. Sizing branch firewall appliances correctly can be tricky.


The appliance needs enough power to support the mix of security services across all traffic—encrypted and unencrypted—for the next three to five years.


That alone would be complex, but constantly growing traffic volumes only complicate the forecast. And encrypted traffic, which has become the norm for virtually all Internet traffic, is not only growing but must first be decrypted, exacting a heavy processing toll on the appliance.


All of which means that IT ends up either paying more than necessary to accommodate growth, or under-provisioning and risking the company's security posture.


Regional hubs avoid the problems with upgrading all branch firewalls. Instead, organizations continue with their branch routers and firewalls, but backhaul all traffic to a larger firewall with public Internet access, typically hosted in a regional co-location hub.


The regional hub enables IT to maintain minimal branch security capabilities while benefitting from advanced security.


However, regional hubs bring their own problems. Deployment costs increase as regional hubs must be built out at significant hosting expense and equipment cost. And we’re not just speaking about throwing up an appliance in some low-grade hosting facility.


Hub outages impact not just one small office but the entire region. Hubs need to be highly available, resilient, run up-to-date software, and be maintained by expert staff.


Even then, the same problem of forced upgrades driven by growing traffic volume and encrypted traffic share remains, though this time only for the hub firewall appliances.

The network architecture is also made far more complex, particularly for global organizations: they must roll out multiple regional hubs, deployed across geographically dispersed regions or in regions with a high concentration of branches.


In short, while the number of firewall instances can be reduced, regional hubs introduce a level of complexity and cost that is often excessive for many organizations.


Firewall Bursting: Stretching your Firewalls to the Cloud


Cloud computing offers a new way to solve the edge firewall dilemma. With "cloud bursting," enterprises seamlessly extend physical data center capacity to a cloud datacenter when traffic spikes or they exhaust resources of their physical datacenter.


Firewall bursting does something similar for under-capacity branch firewalls. Edge security processing is minimized where firewall capacity is constrained, and advanced security is applied in the cloud, where resources are scalable and elastic.


The on-premises firewall handles basic packet forwarding, but anything requiring "heavy lifting," such as decryption, anti-malware or IPS, is sent to the cloud. This avoids forced branch firewall upgrades.


Firewall bursting is similar to the regional hub approach, but with a key difference: the IT team isn't responsible for building and running the hubs. Hubs are created, scaled, and maintained by the cloud service provider.


Who Delivers Firewall Bursting Capabilities?


Secure web gateways (SWGs) delivered as cloud services can provide firewall bursting for Internet traffic. However, since firewalls need to apply the same inspection to WAN traffic, SWGs offer only a partial solution.


Purpose-built, global Firewall as a Service (FWaaS) is another option. FWaaS providers, such as Cato Networks, create a global network of Points of Presence (PoPs), providing a full network security stack specifically built for cloud scalability.


While the PoPs are distributed, they act "together" as a single logical firewall instance. The PoPs are highly redundant and resilient, and in case of outages, processing capacity seamlessly shifts inside or across PoPs, so firewall services are always available.


The PoPs are capable of processing very large volumes of WAN and Internet traffic. Because adding processing capacity either within PoPs or by adding new PoPs is transparent to customers, you don't have to adjust policies or reconfigure your environment to accommodate changes in load or traffic mix.


Summary


With firewall bursting, customers can keep their current edge firewalls and still improve security. If you are running out of gas on your edge firewalls, you have options.


Beyond the obvious approaches of firewall upgrades and hub-and-branch setups, new innovations like FWaaS are now available.


FWaaS leverages cloud elasticity and scalability to globally extend network security with minimal impact on current network design.


Firewall refreshes, capacity upgrades, and mergers and acquisitions all represent a great opportunity to look at firewall bursting and FWaaS to evolve your network security beyond the edge.

Wednesday, October 25, 2017

New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet

Friday, October 20, 2017 



Just a year after Mirai, the biggest IoT-based malware, which caused vast Internet outages by launching massive DDoS attacks, completed its first anniversary, security researchers are now warning of a brand new, rapidly growing IoT botnet.


Dubbed 'IoT_reaper,' first spotted in September by researchers at security firm Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits vulnerabilities in various IoT devices and enslaves them into a botnet.


IoT_reaper malware currently includes exploits for nine previously disclosed vulnerabilities in IoT devices from the following manufacturers:

  • Dlink (routers)
  • Netgear (routers)
  • Linksys (routers)
  • Goahead (cameras)
  • JAWS (cameras)
  • AVTECH (cameras)
  • Vacron (NVR)

Researchers believe IoT_reaper malware has already infected nearly two million devices and is growing continuously at an extraordinary rate of 10,000 new devices per day.

This is extremely worrying because it took only 100,000 infected devices for Mirai to take down DNS provider Dyn last year using a massive DDoS attack.


Besides this, researchers noted that the malware also includes more than 100 DNS open resolvers, enabling it to launch DNS amplification attacks.

"Currently, this botnet is still in its early stages of expansion. But the author is actively modifying the code, which deserves our vigilance," Qihoo 360 researchers say.

Meanwhile, researchers at CheckPoint are also warning of what is probably the same IoT botnet, named "IoTroop," which has already infected hundreds of thousands of organisations.

"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organisations make proper preparations and defence mechanisms are put in place before attack strikes," researchers said.

According to CheckPoint, IoTroop malware also exploits vulnerabilities in wireless IP camera devices from GoAhead, D-Link, TP-Link, AVTECH, Linksys, Synology and others.

At this time it is not known who created the botnet or why, but the DDoS threat landscape is skyrocketing and attacks could reach tens of terabits per second in size.


"Our research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come," CheckPoint researchers warned.

You need to be more vigilant about the security of your smart devices. In our previous article, we have provided some essential, somewhat practical, solutions to protect your IoT devices.

Monday, October 16, 2017

Hackers Steal $60 Million from Taiwanese Bank; Two Suspects Arrested


A Taiwanese bank has become the latest to fall victim to hackers siphoning off millions of dollars by targeting the backbone of the world financial system, SWIFT.


SWIFT, or Society for Worldwide Interbank Telecommunication, is a global financial messaging system that thousands of banks and commercial organizations across the world use to transfer billions of dollars every day.


Hackers reportedly managed last week to steal almost $60 million from Far Eastern International Bank in Taiwan by planting malware on the bank's servers and abusing the SWIFT interbank messaging system.


According to Taiwanese state-owned news agency Central News Agency, most of the stolen money has now been recovered, with only $500,000 remaining, and authorities have made two arrests in connection with the bank cyber-heist.


Far Eastern on Friday admitted that some unknown hackers managed to install malware on computers and servers within its organization, and most crucially, onto a SWIFT terminal employed by the bank.

Once there, the hackers then obtained credentials needed for payment transfers and then transferred almost $60 million to fraudulent accounts based in the United States, Cambodia and Sri Lanka.


In the wake of the cyber heist, Taiwan Premier William Lai ordered government agencies to review their information security defences and develop appropriate measures to deal with future cyber incidents.


The Criminal Investigation Bureau (CIB) of Taiwan said that it has launched an investigation into the cyber heist and asked the bank to submit details about its computer operations. The bureau has also informed Interpol of the case and asked for assistance.


Most of the stolen funds have been recovered, and two arrests connected to the cyber theft have already been made in Sri Lanka by the police, and one of them is Litro Gas company chairman Shalila Moonesinghe, according to the Colombo Gazette.


Moonesinghe was arrested by the CIB after the authorities allegedly found $1.1 million of the stolen Taiwanese funds in his personal bank account.


However, the authorities are still looking for a third suspect.

"We are looking at some US$1.3 million that had come into three accounts in Sri Lanka," an unnamed Sri Lankan officer involved in the investigation was quoted as saying in an AFP report. "We have taken two people into custody, and we are looking for one more person."

It wasn't the first case in which malware was implanted into a bank's SWIFT network to steal millions of dollars. Last year, unknown hackers targeted banks worldwide by gaining access to the SWIFT network, which is used to transfer billions of dollars every day.

Earlier last year, hackers managed to steal $81 million from the Bangladesh central bank's account at the New York Federal Reserve in a similar way, by hacking into the SWIFT network using a piece of malware and obtaining the credentials needed for payment transfers.


In May of the same year, another incident was reported in which hackers targeted an unnamed commercial bank, and malware installed on its SWIFT system was used against the bank's PDF reader.


In May 2016, another case involving SWIFT emerged wherein cybercriminals managed to steal around $12 million from an Ecuadorian bank called Banco del Austro (BDA) by attacking the SWIFT global network.


Also in June 2016, hackers stole $10 million from an unnamed bank in Ukraine by exploiting the SWIFT international banking system.