BootHole – a newly disclosed security hole affects one of the most popular bootloader components on the market. The list of affected systems includes servers and workstations, laptops and desktops, and possibly a large number of Linux-based OT and IoT systems.
GRUB2 with a ‘BootHole’ – Linux and Windows users are at risk
The vulnerability, named BootHole, allows attackers to tamper with the bootloading process that precedes starting up the actual operating system.
The boot process is critical to securing any device. It relies on a variety of components, known as bootloaders, that are responsible for loading the firmware of the computer's hardware components on which the actual OS runs. Now let's get back to BootHole. It is a vulnerability in GRUB2, one of the most popular bootloader components, used in all major Linux distros and in some Windows, macOS and BSD-based systems as well. It looks like Secure Boot is not that secure…
Secure Boot is meant to protect the boot process from malicious code. During the boot process, anything that loads earlier has a higher privilege than something that loads later. Attackers who exploit the vulnerability could interfere with the boot process and control how the operating system is loaded, bypassing security controls. While GRUB2 is the primary bootloader for modern Linux distros, this bug affects systems using Secure Boot even if they're not using GRUB2. The issue also extends to Windows devices using Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority, meaning most laptops, desktops, servers, and workstations are affected, along with network appliances and equipment used in the industrial, healthcare, and finance sectors.
BootHole is a buffer overflow vulnerability that exists in the way that GRUB2 parses content from the GRUB2 configuration file. The GRUB2 config file is a text file and usually isn’t signed like other files or executables. An attacker could change the contents of the GRUB2 config file to ensure malicious code is run before the OS is loaded. Successful exploitation would let an attacker disable future code integrity checks, allowing more executables and drivers to be loaded. They would have control over the device’s OS, applications, and data. The attack would work even if Secure Boot is enabled and properly verifying signatures on all loaded executables.
Not an easy fix…
All versions of GRUB2 that load commands from an external grub.cfg configuration file are vulnerable. As such, this will require the release of new installers and bootloaders for all versions of Linux. Vendors will also need to release new versions of their bootloader shims to be signed by the Microsoft 3rd Party UEFI CA. New bootloaders will need to be signed and deployed, and vulnerable ones should be revoked to prevent their use in some future attack. Admins will need to update installed versions of operating systems as well as installed images, including disaster recovery media, and do so before the updates are pushed across the enterprise. This is not an easy task and will require a lot of manual testing on the part of administrators. It is expected to be a lengthy process.
Undetectable Linux malware targeting Docker servers with exposed APIs
Cybersecurity researchers uncovered a completely undetectable Linux malware that targets publicly accessible Docker servers hosted with popular cloud platforms, including AWS, Azure, and Alibaba Cloud.
Dubbed Doki, the malware strain is part of the Ngrok Cryptominer Botnet campaign, active since at least 2018. The attackers abuse the Docker API to deploy new servers inside a company's cloud infrastructure. The servers, running a version of Alpine Linux, are then infected with crypto-mining malware and also with Doki.
According to researchers, the malware:
- has been designed to execute commands received from its operators,
- uses a Dogecoin cryptocurrency block explorer to generate its C2 domain dynamically, in real time,
- uses the embedTLS library for cryptographic functions and network communication,
- crafts unique URLs with a short lifetime and uses them to download payloads during the attack.
Instead of relying on a particular domain or a set of malicious IPs, Doki uses dynamic DNS services like DynDNS. Combined with a unique blockchain-based Domain Generation Algorithm (DGA), it can generate and locate the address of its C2 server in real time and "phone home."
Besides this, the attackers have also managed to compromise the host machines by binding newly created containers with the server’s root directory, allowing them to access or modify any file on the system.
"By using the bind configuration the attacker can control the cron utility of the host. The attacker modifies the host's cron to execute the downloaded payload every minute." – says the researcher.
“This attack is very dangerous due to the fact the attacker uses container escape techniques to gain full control of the victim’s infrastructure.”
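An added defender-side check for the two host-compromise indicators described above (a container that bind-mounts the host's root directory, and a host cron entry that runs a payload every minute). This is example code, not code from the article or from the Doki research; the container listing assumes the `Mounts` shape returned by the Docker Engine API, and both inputs are constructed samples.

```python
import json
import os
from typing import List

# Constructed sample, shaped like the "Mounts" field the Docker Engine API
# returns for each container (GET /containers/json); not from a real host.
SAMPLE_CONTAINERS = json.dumps([
    {"Id": "c0ffee01", "Image": "nginx:1.19",
     "Mounts": [{"Type": "volume", "Name": "web",
                 "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Id": "bad0beef", "Image": "alpine:latest",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])

# Constructed sample of a host crontab; the last entry imitates the
# "run the downloaded payload every minute" behaviour the story describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.cache/payload >/dev/null 2>&1
"""


def host_root_bind_mounts(containers_json: str) -> List[str]:
    """IDs of containers whose bind mount source is the host's root directory."""
    hits = []
    for c in json.loads(containers_json):
        for m in c.get("Mounts", []):
            src = m.get("Source")
            if m.get("Type") == "bind" and src and os.path.normpath(src) == "/":
                hits.append(c["Id"])
    return hits


def every_minute_cron_jobs(crontab: str) -> List[str]:
    """Commands of cron entries scheduled as '* * * * *' (every minute)."""
    jobs = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6 and fields[:5] == ["*"] * 5:
            jobs.append(fields[5])
    return jobs


if __name__ == "__main__":
    print("host root bind mounts:", host_root_bind_mounts(SAMPLE_CONTAINERS))
    print("every-minute cron jobs:", every_minute_cron_jobs(SAMPLE_CRONTAB))
```

On a real host, feed `host_root_bind_mounts` the JSON from the Docker API's container listing and `every_minute_cron_jobs` the contents of the host's crontab files; a hit on either is worth an incident ticket, not an automatic verdict.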
Once the host is compromised, the malware also uses it to further scan the network for ports associated with Redis, Docker, SSH, and HTTP, using scanning tools such as zmap, zgrab, and jq.
Doki managed to stay under the radar for more than six months despite having been uploaded to VirusTotal on January 14, 2020, and scanned multiple times since. Surprisingly, at the time of writing it is still undetected by any of the 61 top malware detection engines. According to VirusTotal, only six antivirus engines mark this sample as malicious.
Users and organizations running Docker instances are advised not to expose the Docker API to the Internet; if you still need to, ensure that it is reachable only from a trusted network or VPN, and only by trusted users.
You can find the best Docker security practices here.
Be wary of fake SharePoint alerts – a new Office 365 phishing campaign in the wild
Microsoft Office 365 customers are under continuous fire from targeted phishing campaigns. The end goal? Of course, to steal their credentials.
These new phishing messages are camouflaged as automated SharePoint notifications. Bad actors address all employees working at a targeted organization. Stats gathered by the security company Abnormal Security show that the number of attacked mailboxes reached up to 50,000.
The phishing messages are as short and vague as possible. The targeted company's name is included multiple times within the emails. This is a very popular tactic: recipients may be convinced that the email is safe and coming from their own company. The phishing messages' goal is to make the targets click on an embedded hyperlink that sends them to a SharePoint-themed landing page through a series of redirects. After tricking one of the employees, the attackers use his or her credentials to further compromise the targeted system. There is also a considerable risk that the attackers launch an internal attack to steal more credentials and information from the organization.
62,000 QNAP NAS devices infected with QSnatch malware
QSnatch malware, first spotted in late 2019, has grown from 7,000 bots to more than 62,000 according to a joint US CISA and UK NCSC security alert.
This sophisticated malware targets QTS, the Linux-based OS powering QNAP's NAS devices, and is able to log passwords, scrape credentials, set up an SSH backdoor and a webshell, exfiltrate files and, most importantly, ensure its persistence by preventing users from installing updates that may remove it and by preventing the QNAP Malware Remover app from running.
QSnatch is not new; its various versions have been around for many years. QNAP last alerted its users in November 2019. Interestingly enough, it's still a mystery how the malware is delivered.
In mid-June, the number of infected devices worldwide was 62,000: 46% in Western Europe, 8% in Eastern Europe and 15% in North America.
What to do if your QNAP has been infected? The agencies say that the infrastructure used by the malicious cyber actors in both campaigns is not currently active, but unpatched devices are likely to be compromised.
Since it hasn't been confirmed that a successful update removes the malware, the general advice is to run a full factory reset on the device before completing the firmware upgrade, then check whether the updates have been applied. This will "destroy" the malware, but also all the data stored on the device. Maybe it's the best moment to additionally invest in cloud backup and implement the 3-2-1 backup rule in your data protection strategy.
The agencies additionally advise organizations to block external connections when the device is intended to be used strictly for internal storage.
Here you can find QNAP's full advisory for preventing QSnatch infections.
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins (ZDNet)
2. Emotet malware replaced by animated gifs (ACS Information)
3. Cerberus banking Trojan team breaks up, source code goes to auction (ZDNet)
4. Almost 4,000 databases now wiped in ‘Meow’ attacks (WeLiveSecurity)
5. Zoom bug allowed attackers to crack private meeting passwords (Bleeping Computer)
6. Critical bugs in utilities VPNs could cause physical damage (Threat Post)
7. Microsoft to remove all Windows downloads signed with SHA-1 (Bleeping Computer)
8. Crypto wallet Ledger data breach; hackers steal 1m emails & other data (HackRead)
9. New attack leverages HTTP/2 for effective remote timing side-channel leaks (The Hacker News)
10. Theoretical technique to abuse EMV cards detected used in the real world (ZDNet)