Search This Blog

Showing posts with label Microsoft Azure. Show all posts

Kubeflow: The Target of Cryptomining Attacks

 

Microsoft has discovered a new, widespread, ongoing threat that aims to infect Kubernetes clusters running Kubeflow instances with malicious TensorFlow pods that mine cryptocurrencies. Kubeflow is a popular open-source framework for conducting machine learning (ML) tasks in Kubernetes, while TensorFlow is an end-to-end, open-source ML platform. 

Microsoft security experts cautioned on Tuesday that they noticed a rise in TensorFlow pod deployments on Kubernetes clusters at the end of May — pods that were running legal TensorFlow images from the official Docker Hub account. However, a closer examination of the pods' entry point revealed that they are used to mine cryptocurrency. 

In a post on Tuesday, Yossi Weizman, a senior security research software engineer at Microsoft's Azure Security Center, said that the "burst" of malicious TensorFlow deployments was "simultaneous," implying that the attackers scanned the clusters first, kept a list of potential targets, and then fired on all of them at the same time. The attackers used two distinct images, according to Weizman. The first is the most recent version of TensorFlow (tensorflow/tensorflow:latest), and the second is the most recent version with GPU support (tensorflow/tensorflow:latest-gpu). 

According to Weizman, using TensorFlow images in the network "makes a lot of sense," because “if the images in the cluster are monitored, usage of a legitimate image can prevent attackers from being discovered.” Another rationale for the attackers' decision is that the TensorFlow image they chose is an easy way to conduct GPU activities using CUDA, which "allows the attacker to optimize the mining gains from the host," according to him. 

The newly found vulnerability is comparable to a cryptocurrency mining attack revealed by Microsoft in June. That previous campaign also targeted Kubeflow workloads, launching a broad XMRIG Monero-mining campaign by exploiting misconfigured dashboards. The most recent campaign includes the following changes: According to Weizman, the attackers abused their access to the Kubeflow centralized dashboard to establish a new pipeline this time.

Kubeflow Pipelines is a framework for creating machine learning pipelines based on Argo Workflow, an open-source, container-native workflow engine for coordinating parallel jobs. A pipeline is a collection of steps, each of which functions as its own container, that together creates an ML workflow. 

Users of Kubeflow should ensure that the centralized dashboard is not insecurely exposed to the internet, according to Microsoft.

Microsoft Discovered Several Security Flaws in IoT Operating Systems

 

Security researchers at Microsoft recently uncovered a series of critical memory allocation vulnerabilities in the Internet of Things (IoT). Microsoft researchers said that they have discovered about 25 undocumented critical memory-allocation vulnerabilities across a number of vendors’ IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash. 

‘BadAlloc,’ is the name assigned by the company's Section 52 —which is the Azure Defender for IoT security research group. BadAlloc has the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center (MSRC). 

“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds," says the company. "To date, Microsoft has not seen any indications of these vulnerabilities being exploited. However, we strongly encourage organizations to patch their systems as soon as possible.”

“Our findings show that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in the execution of malicious code on a target device," Microsoft researchers stated.

Memory allocation is exactly what it sounds like–the basic set of instructions device makers give a device for how to allocate memory. The vulnerabilities stem from the usage of vulnerable memory functions across all the devices, such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more, according to the report. 

From what researchers have discovered, the problem is systemic, so it can exist in various aspects of devices, including real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations, they said. And as IoT and OT devices are highly pervasive, “these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” researchers observed. 

In 2019, a security researcher discovered a similar flaw impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices. The vulnerability affected the Sirep/WPCon communications protocol included with Windows IoT operating system.

Lithuanian Police Investigate Leak of 110,000 User Records of CityBee

 

Police in Lithuania is investigating after the personal information of 110,000 individuals was leaked to an online hacker site. The car-sharing service, CityBee, affirmed the records and data of thousands of its clients had been undermined in the incident. The first part of the database was posted on February 15 and incorporates 110,000 CityBee client IDs, usernames, hashed passwords, complete names, as well as personal codes (national identification numbers) that belong to mostly Lithuanian CityBee users. The subsequent part, posted on February 16 by the same threat actor, seems to contain more definite personal data, possibly including driver license numbers and CityBee credit limits, as well as a folder named “CreditCards.” 

While the proprietor of the post at first guaranteed that the information had been stolen from CityBee at some point in 2020, it was subsequently affirmed that the database was exfiltrated from an unsecured Microsoft Azure blob managed by CityBee at least from February 2018. Apparently, a Rapid7 Open Data Forward DNS tool was utilized to look through the reverse DNS lookup, which was how the threat actor found the unsecured CityBee blob. At that point, a directory brute-force attack was used to enumerate directories in the blob, after which the threat actor downloaded the files. 

“The data, which was uploaded to one of the cyber hackers favourite forums, is three years old,” CityBee said in a statement. A poster on the hacker forum said the rundown was extricated from data grabbed on February 2018 from an unsecured database backup and offered full hacked information for $1,000 paid in Bitcoin. Disclosure of stolen client information won't influence the security of CityBee client financial services, as the organization doesn't gather delicate data identified with client payment methods. 

“We are very sorry. I am one of the victims of the leak because I use the service, and I very well understand that feeling of insecurity,” CityBee CEO Kristijonas Kaikaris told journalists on Tuesday. He proposed the hacked clients “don’t panic” and change their passwords. The organization risks a fine of as much as 20 million euros ($24.21 million), or 4% of its turnover if found in breach of regulations.

SolarWinds Cyberattacks, Microsoft's Turn?

 

The United States is witnessing major cyberattacks, multiple government departments’ agencies are being targeted including treasury and commerce departments, homeland security and now Microsoft is the latest victim of a cyber attack. 

The ‘SolarWinds hack’ has emerged as one of the biggest cyberattacks against the US government, its agencies, and several other private companies, so much so that it has been said the world is under global cyber attack.  

According to Microsoft’s president, Brad Smith, more victims are expected to surface as investigations continue. 

Government departments and private organizations all across the globe are facing difficulties in disabling the compromised SolarWinds products from their systems. 

Intelligences investigating the matter, have named the hack ‘Sunburst’, saying that it will take years to fully decipher these cyber-attacks including the attack vectors and the origin. In this regard, Smith further stated, “We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations.” 

Furthermore, he said that Microsoft has already notified 40 of its security customers that its products are being found to be compromised. The malicious actors are seen to be targeting them “more precisely and breaching the security through additional and sophisticated measures". Experts have predicted the continuity of the attacks, saying more victims are likely to come up. 

As per the researchers, approximately 80 percent of these customers were located in the United States, while others were from Mexico and Canada in North America, Spain, Belgium, and the United Kingdom in Europe, and UAE and Israel in the Middle East. 

Attackers have targeted the government agencies, security and other technology firms, and private organizations of the abovementioned nations. 

However, above all, the campaign is “effectively an attack on the United States and its government and other critical institutions,” Smith warned. So far, six federal entities have been attacked: the Department of Energy, The Pentagon, the National Institute of Health, the Department of Homeland Security the Department of Treasury, and the Department of Commerce. 

The information about the attack has come from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as the agency warned government and non-government agencies that there could be additional initial-access vectors, beyond the SolarWinds Orion platform. 

Sources from Reuters told that the malicious actors used Microsoft’s Azure cloud as part of their attacks, however, a Microsoft spokesperson denied this by saying that “there are no indications that our systems were used to attack others’’

Microsoft 365 Services Restored After Hours Long Outage


Recently Microsoft was hit with a massive global outage that interrupted users’ access to multiple services including Outlook.com, Office 365, Teams, Exchange, Azure, OneDrive Dynamics 365, SharePoint, amid other cloud-based services.

As per the Azure status history page, the users who were trying to access any of Microsoft’s services encountered issues with logging in and server connection as the downtime started around 21:25 UTC on Monday.


The service interruptions had a rather short lifetime, lasting for several hours before Microsoft technicians fixed the issue and successfully rolled back their systems on Tuesday.

In current times of global pandemic wherein physical access for people is restricted all over the world, the outage of online services has proven to be even more disruptive as the number of people relying on it for work and studies has sprung up by a remarkable margin. As classrooms moved online, students and educational institutions are heavily dependent on services offered by Microsoft and Google, primarily.

Giving insights on the matter, Microsoft said “Users who were not already authenticated to the cloud services using Azure AD would have seen multiple authentication request failures. The impact was primarily in the Americas based on the issue being exacerbated by load, but users in other regions may also have experienced some impact. Users that had previously authenticated prior to the issue may not have experienced any noticeable effect.”

Acknowledging the issue, Microsoft 365 Status said in a tweet, “we’ve received reports of users experiencing issues accessing their Exchange Online accounts via Outlook on the Web. Our initial investigation indicates that India-based users are primarily impacted audience. Further details can be found in your admin center under EX223208.”

“We took corrective actions to mitigate the impact to Exchange ActiveSync and have confirmed that service has been restored after users force a sync on their impacted devices. More information can be found under EX223053 in the admin portal.” Microsoft 365 Status said in another tweet.

The issues affecting Microsoft’s online authentication systems have been resolved by the company and the services are restored. Most users reported their system being fully recovered and services functioning normally again.

Hackers abusing Microsoft Azure to deploy malware

Now Microsoft Azure becomes a sweet spot for hackers to host powerful malware and also as a command and control server for sending and receiving commands to compromised systems.

Microsoft Azure is a cloud computing platform created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

Initially, this malicious operation was uncovered and reported by @JayTHL & @malwrhunterteam via Twitter in which they provide the evidence that there is a malicious software being hosted in Microsoft Azure.

Researcher’s already reported this malicious operation to Microsoft. however, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later, Appriver Reported.

This is an evidence of Azure that failed to detect the malware residing on the Microsoft server, but Windows defender is detecting the malicious files if users attempt to download from the malware-hosting server.

Windows defender detects this malware as Trojan:Win32/Occamy.C and the first new sample ( searchfile.exe ) was initially uploaded to VirusTotal on April 26, 2019, and another sample (printer/prenter.exe) was first submitted on April 30, but also remains undetected on Azure servers.

According to appriver, however, it does not appear the service is currently scanning Azure sites or, one could surmise that these files would’ve been detected by now.

Based on the analysis report using the printer.exe file, attackers uncompiled this malware with the c# .net portable executable file.

Attackers cleverly using an uncompiled file as an attempt to evade the gateway and endpoint security detection by thoroughly examining the downloaded binaries.”

Once running, this malicious agent generates XML SOAP requests every 2 minutes to check-in and receive commands from the malicious actors Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx”

This is not a first-time malware operator abusing Azure, but already we reported that attackers abuse Microsoft Azure Blog Hosting and it also attempted to steal the login credentials.