SANS NewsBites

XorDDos Trojan Shows Need For Linux Endpoint Protection; Check and Secure Your Kubernetes APIs; Governments Are Buying and Exploiting Android Zero Days on Vulnerable Phones

May 24, 2022  |  Volume XXIV - Issue #41

Top of the News


2022-05-23

Linux XorDdos Trojan Use on the Rise

Researchers at Microsoft have noted a “254% increase in activity from a Linux trojan called XorDdos” over the past six months. XorDdos was first detected in 2014; it targets Linux endpoints and servers. In a blog post, the Microsoft 365 Defender Research team writes, “XorDdos uses evasion and persistence mechanisms that allow its operations to remain robust and stealthy. Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.”

Editor's Note

As endpoint detection and response (EDR) improves on Windows systems, we see a shift to Linux systems where EDR may not be running or is not detecting as well. We will see more focus on Linux now, with multiple solutions for detection. As usual, you can’t just set it and forget it. Detection engineering will be required to ensure the correct data/log sources, telemetry, tuned alerts, and people trained to respond.

Jorge Orchilles

As a CSO, or someone responsible for security in your organisation, do not be lured into a false sense of security if you think "This does not impact me as we don’t have Linux desktops." Remember many devices have Linux embedded in them so you need to ensure they are part of your vulnerability management program.

Brian Honan

XorDdos uses brute-force SSH attacks to get onto systems. At a minimum, make sure that you're not allowing password access for Internet-facing Linux servers. Even better, don't allow password authentication mechanisms, ideally disallowing root login over the network. Endpoint protection systems are able to detect and thwart this malware; the question is, have you installed one on your Linux servers? If you have, make sure that the coverage is equivalent to other endpoint protection services deployed in your environment, to include centralized reporting and management. Many solutions are now cross platform.

Lee Neely
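
The SSH hardening described in the note above can be checked mechanically. The following auditor is an added example written for this issue; it is not part of the SANS page, the Microsoft write-up, or OpenSSH. It assumes a modern OpenSSH (7.0 or later) for the default values, and its two sample configs are constructed. It models two sshd parsing rules that routinely defeat "hardening" edits: for any keyword the first value sshd reads wins, so a `PasswordAuthentication no` appended below an earlier `yes` is ignored; and directives after a `Match` line apply only to that block, which is where password logins quietly get re-enabled for a subnet or user.

```python
"""Audit an sshd_config for the settings that let SSH brute-forcing succeed.

Added example (not from the SANS page, Microsoft's write-up, or OpenSSH).
Assumption: OpenSSH 7.0 or later, whose defaults are reproduced in DEFAULTS.
"""
import re
from typing import Dict, List, Tuple

# OpenSSH defaults that apply when the directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # formerly ChallengeResponseAuthentication
    "permitrootlogin": "prohibit-password",
}
# Older releases spell the keyboard-interactive keyword differently; fold both.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Return (global_settings, [(match_criteria, block_settings), ...]).
    Keywords are case-insensitive; within a section the FIRST value wins,
    exactly as sshd itself resolves duplicates."""
    global_cfg: Dict[str, str] = {}
    blocks: List[Tuple[str, Dict[str, str]]] = []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        key = ALIASES.get(key, key)
        if key == "match":
            current = {}                 # everything after this line belongs to the block
            blocks.append((value, current))
            continue
        current.setdefault(key, value.lower())   # first occurrence wins
    return global_cfg, blocks


def effective(cfg: Dict[str, str]) -> Dict[str, str]:
    """Overlay the file's global section on OpenSSH's defaults."""
    merged = dict(DEFAULTS)
    merged.update(cfg)
    return merged


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file passes."""
    global_cfg, blocks = parse_sshd_config(text)
    eff = effective(global_cfg)
    findings: List[str] = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no' (password brute-forcing possible)")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM password prompts still reachable)")
    prl = eff["permitrootlogin"]
    if prl == "yes":
        findings.append("PermitRootLogin yes (root reachable with a password over the network)")
    elif prl != "no":
        findings.append(f"PermitRootLogin '{prl}' (root login still possible with keys; prefer 'no')")
    for criteria, block in blocks:
        if block.get("passwordauthentication") == "yes":
            findings.append(f"Match {criteria}: re-enables PasswordAuthentication")
        if block.get("permitrootlogin") == "yes":
            findings.append(f"Match {criteria}: PermitRootLogin yes")
    return findings


# Constructed sample: an Internet-facing server someone tried to fix in place.
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later as a "fix" -- ignored, because sshd keeps the first value
PasswordAuthentication no
"""

# Constructed sample: hardened globally, but a Match block reopens passwords.
HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

Run it against a file copied from the host, or better, against the output of `sshd -T` (and `sshd -T -C user=...,addr=...` for a specific client), which prints the configuration sshd actually resolved rather than the file you think it is reading.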

2022-05-20

380,000 Kubernetes API Servers Accessible on Public Internet

ShadowServer says that when they scanned for accessible Kubernetes API instances, they found more than 380,000 that allowed some form of access on the public Internet. The scans identified 450,000 instances in all.

Editor's Note

This is very sad but not surprising. We just can't seem to get the message across that new shiny technologies need to employ some of the same old boring security measures.

Johannes Ullrich

This reminds me of the number of S3 buckets open to everyone on the public Internet until Amazon defaulted to non-public buckets. Kubernetes documentation provides multiple methods to secure your APIs including but not limited to ACLs, using TLS, API Authentication, and API Authorization.

Jorge Orchilles

Make sure that you're controlling access to your Kubernetes APIs. Use authentication and firewall rules to limit access to only authorized devices and users. Think of your container orchestration as a back-end service which you protect like any other management interfaces.

Lee Neely

2022-05-23

Google: Governments are Buying Android Zero-Days

According to Google’s Threat Analysis Group (TAG), government-backed threat actors have been using Android zero-day exploits to install spyware on targeted devices. The exploits were obtained from a company called Cytrox, which is based in North Macedonia. Google assesses that government-backed actors in Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain have used the exploits.

Editor's Note

Now defunct NSO Group has shown how lucrative mobile spyware can be. No surprise that governments are using new vendors to keep up their spying, and companies are setting up shop in countries with a less developed legal framework around commercial malware.

Johannes Ullrich

The CVE-2021-1048 exploit points out one of the problems of Android-based devices – the flaw had been fixed in 2020 but not flagged as a security issue, so not all of the cell phone vendors had incorporated the fix into their Android kernels. Samsung phones were vulnerable, but most Google Pixel phones were not. Google needs to make sure future security-relevant Android fixes get properly tagged; phone vendors need to speed up security-relevant fixes. The iPhone “monoculture” avoids this issue and has advantages for high value users to avoid this type of problem in the future.

John Pescatore

The underground market for 0days is alive and well. If this topic interests you, I recommend reading “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth. It goes into the history of buying, selling, and brokering exploits.

Jorge Orchilles

Research indicates the attacks were highly targeted, as in tens of devices, and attempted to leverage the delays different manufacturers have in releasing Android updates. While the fastest update cycle will come from Google-provided devices, understand the release timing for both OS and security updates for your preferred Android device manufacturer as well as looking at user expectations for deploying those updates to see what your exposure is then adjust accordingly. Even with the smallest interval, users still need to be careful with unknown messages, email, application sources as well as their permissions. Make sure that your devices are managed to have visibility into any malfeasance and look for situations where it may be ideal for users to carry a loaner device.

Lee Neely

The Rest of the Week's News


2022-05-23

Malicious Package Uploaded to PyPI Registry

More than 300 users were tricked into downloading a malicious package uploaded to the Python Package Index (PyPI) registry. The package, pymafka, typosquats the legitimate pykafka client library and infects Windows, macOS, and Linux systems with Cobalt Strike. Automated detection bots at Sonatype discovered the malicious package.

Editor's Note

These types of attacks keep happening. And for good reason - they work. Organizations need to recognize that no technology stack will fully mitigate such attacks. This should shift some focus to "assumed breach" assessments where endpoint and network controls are tuned to discover (and validated against) post-exploitation activity. The good news is that detecting post-exploitation activity is substantially easier than preventing exploitation in the first place, largely owed to the fact that the search space is so much smaller.

Jake Williams

Grab those IOCs from the Sonatype blog and make sure you're not messing with the typosquatting PyMafka project (vs PyKafka). Getting projects working with components from the legitimate versions of software packages is hard enough already; now we need to arm our developers with tools to detect and block malicious versions. Which means the next thing you need to do is to get smart about services which amount to an open-source firewall that performs inline analysis of downloaded content to block bogus packages.

Lee Neely
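
A lightweight version of the "detect and block" tooling mentioned above can run in CI before pip ever talks to the registry. The scanner below is an added example for this issue; it is not Sonatype's detector, not pip's code, and not from the SANS page. It normalises names the way PyPI does (PEP 503: case-insensitive, runs of `-`, `_` and `.` collapse to `-`) and measures optimal-string-alignment distance (edits plus adjacent swaps) between each requirement and an allow-list of packages you actually depend on. The allow-list and requirements file are constructed; in practice generate the allow-list from your lock file.

```python
"""Flag requirement names that look like typosquats of packages you actually use.

Added example (not Sonatype's, pip's, or the SANS page's code). KNOWN_GOOD and
REQUIREMENTS are constructed inputs.
"""
import re
from typing import Iterable, List, Optional, Tuple


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'PyMafka' -> 'pymafka', 'Py_Kafka' -> 'py-kafka'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[la][lb]


def nearest_known(name: str, known: Iterable[str], max_distance: int = 1) -> Optional[Tuple[str, int]]:
    """Return (known_package, distance) when `name` is within max_distance of a
    known package without being that package; None for exact matches or no hit.
    Keep max_distance at 1 for short names: 2 produces noise on 3-5 letter names."""
    n = normalize(name)
    best: Optional[Tuple[str, int]] = None
    for k in known:
        kn = normalize(k)
        if kn == n:
            return None                  # exact match: this is the real package
        dist = osa_distance(n, kn)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (kn, dist)
    return best


# Project name at the start of a requirement line (before ==, >=, [extras], etc.)
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def scan_requirements(text: str, known: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (requested, lookalike, distance) for each suspicious requirement line."""
    known = list(known)
    hits: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if not line or line.startswith("-"):
            continue                             # blank line or pip option (-r, -e, --hash)
        m = REQ_LINE.match(line)
        if not m:
            continue
        hit = nearest_known(m.group(1), known)
        if hit:
            hits.append((m.group(1), hit[0], hit[1]))
    return hits


# Constructed allow-list: what this (hypothetical) project legitimately uses.
KNOWN_GOOD = ["pykafka", "requests", "numpy", "cryptography"]

# Constructed requirements.txt with one lookalike slipped in.
REQUIREMENTS = """
pykafka==2.8.0
PyMafka            # one letter away from pykafka -> flagged
requests>=2.28
numpy
"""

if __name__ == "__main__":
    for requested, lookalike, dist in scan_requirements(REQUIREMENTS, KNOWN_GOOD):
        print(f"SUSPICIOUS: {requested!r} is {dist} edit(s) from {lookalike!r}")
```

Treat a hit as a review gate, not proof of malice, and pair it with `pip install --require-hashes` against a pinned, hashed requirements file so that even a correctly named package must match the digest you vetted.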

2022-05-20

School Management WordPress Plugin Vulnerability

Researchers found a backdoor in a WordPress plug-in designed for use by schools. The School Management plug-in helps schools send email and SMS notifications, manage attendance and notices and conduct other school-related business. The backdoor allows attackers to execute PHP code without authentication. The backdoor has been present in the plug-in since at least version 8.9, which was released in August 2021. The issue has been fixed in School Management version 9.9.7.

Editor's Note

No one said security was easy. If you update your WordPress Plugins quickly, you don’t have time to review for backdoors. I don’t expect schools to be doing that especially for the premium version which they pay for. Automated scanning of code may have helped here as it did for the PyPI Registry package.

Jorge Orchilles

The malicious code was heavily obfuscated, so you wouldn't have spotted it if you went looking. To add insult to injury, this is their premium version, not the free version. Double check you're running at least 9.9.7; now that the vulnerability is published it's certain that attempts will be made to exploit it.

Lee Neely

This plugin is widely used. If one is using a WordPress plugin, the minimum security requirement is to stay current.

William Hugh Murray

2022-05-23

US Tackling Ransomware from Several Directions

The US government is establishing a Joint Ransomware Task Force, which will be overseen by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. In addition, the Justice Department will oversee two international initiatives focused on cryptocurrency issues related to ransomware.

Editor's Note

Ransomware is the final “action on objectives” phase of the cyber kill chain. Organizations have multiple opportunities to detect and respond to these attacks prior to exfiltration and encryption. CISA has been doing a lot on the ransomware front and I welcome this initiative. For a quick look, I worked with CISA to come up with the top Ransomware TTPs last year: https://www.scythe.io/library/threat-thursday-top-ransomware-ttps

Jorge Orchilles

It is good to see this type of initiative happening. We cannot rely solely on end user organizations to have the appropriate security measures in place all the time. A coordinated and multi-disciplined approach by various government bodies will reduce the threat by ransomware gangs. I am glad to see there is also an international element in this, as countries acting alone will not have a major impact on this threat. We need international cooperation and the sharing of information to tackle this problem.

Brian Honan

This takes the year-old CISA Ransomware Task force to the next level, bringing resources from the FBI to the table. They are also planning to leverage a partnership with the Department of State for overseas liaisons to help assist foreign law enforcement and prosecutors address cybercrime.

Lee Neely

2022-05-23

Cisco Fixes Vulnerability in IOS XR Software

Cisco has released updates to fix an open port vulnerability in its IOS XR router software that is being actively exploited. The flaw “could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.” Cisco also offers workarounds to mitigate the issue.

Editor's Note

The health check service, by default, opens port 6379 and allows unauthenticated access to the Redis database and filesystem and remote code execution on the system. Follow the Cisco guidance to determine if you're vulnerable. Workarounds include disabling the health check or adding ACLs to the service. The best fix is to update to a non-vulnerable version of the software and ensure that access to the health check is only from authorized devices.

Lee Neely
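
Whether the ACL or the upgrade actually closed the port is easy to verify from a network-adjacent host. The probe below is an added example for this issue; it is not Cisco's tooling and not from the advisory or the SANS page, and it is a generic Redis check rather than anything IOS XR-specific (Cisco's advisory remains the authority on which releases are affected). It speaks just enough RESP to send PING and decode a simple string, an error, or a bulk string: `+PONG` means anyone who can reach the port can issue commands, `-NOAUTH` means a password or ACL is enforced, and `-DENIED` means protected mode is refusing non-loopback clients. The sample replies in the test are constructed. Only point it at devices you are authorised to test.

```python
"""Check whether a Redis service answers commands without authentication.

Added example (not Cisco's tooling, the advisory, or the SANS page).
Generic RESP client; the only command sent is PING.
"""
import socket
from typing import Tuple


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_reply(buf: bytes) -> Tuple[str, str]:
    """Decode one RESP reply into (kind, payload), kind being 'status',
    'error', 'bulk' or 'null'. Raises ValueError on anything else."""
    if not buf.endswith(b"\r\n"):
        raise ValueError("incomplete reply")
    first, _, rest = buf.partition(b"\r\n")
    kind, body = first[:1], first[1:]
    if kind == b"+":
        return "status", body.decode(errors="replace")
    if kind == b"-":
        return "error", body.decode(errors="replace")
    if kind == b"$":
        n = int(body)
        if n == -1:
            return "null", ""
        return "bulk", rest[:n].decode(errors="replace")
    raise ValueError(f"unsupported reply type {kind!r}")


def assess(reply: bytes) -> str:
    """Turn the server's reply to PING into a verdict."""
    kind, payload = parse_reply(reply)
    if kind == "status" and payload.upper() == "PONG":
        return "UNAUTHENTICATED: commands accepted without a password"
    if kind == "error" and payload.startswith("NOAUTH"):
        return "AUTH REQUIRED: requirepass/ACL in force"
    if kind == "error" and payload.startswith("DENIED"):
        return "PROTECTED MODE: non-loopback clients refused"
    return f"OTHER: {kind} {payload[:60]!r}"


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING, read one line-terminated reply, return a verdict.
    A refused or timed-out connection means the port is filtered or closed,
    which is what a correct ACL or a fixed release should produce."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(encode_command("PING"))
            reply = b""
            while not reply.endswith(b"\r\n"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except (OSError, socket.timeout) as e:
        return f"NOT REACHABLE: {e}"
    try:
        return assess(reply)
    except ValueError as e:
        return f"NOT REDIS OR GARBLED: {e}"


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it before and after applying the workaround or upgrade from a host on the management network, not only from the router itself, since the advisory's concern is the port being reachable by remote, unauthenticated clients.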

2022-05-23

Senate Committee Hearing on Health and Education Sector Cybersecurity

The US Senate Committee on Health, Education, Labor, and Pensions (HELP) held a hearing last week to hear from experts on what is needed to improve cybersecurity in the Healthcare and Education sectors. Witnesses included Denise Anderson, President and CEO of Health ISAC; Joshua Corman, Founder of I am the Cavalry; Amy McLaughlin, Cybersecurity Program Director for the Consortium of School Networking; and Helen Norris, VP and CIO of Chapman University.

Editor's Note

There was a common missing element in the testimony – addressing the major cause of vulnerabilities that enable many attacks: poor IT practices that lead to use of unpatchable versions of software and missing patches on supported software and other basic security hygiene issues. Too much of the security budget is spent on reaction to/remediation of those issues. Talks of incentives for improving security need to include the root cause of the vulnerabilities.

John Pescatore

There is a challenge with the pace of providing care, incorporating new devices which increase effectiveness of that care for both patients and doctors, which are all connected, without sufficient time to back off and really work the security. This was a trend even prior to the pandemic, but the last few years not only increased the demand for services but also shrunk the number of medical practitioners (per patient) to deliver them, which is a recipe for rapid adoption while fixing security later. While suppliers and regulators figure out the right balance needed to deliver secure devices, make sure that you're consistently assessing your environment, applying fixes to discovered issues in a timely fashion. Don't forget your back-office or other supporting services which may also have been re-engineered or reinvented.

Lee Neely

2022-05-23

Greenland Healthcare Services Hobbled by Cyberattack

Healthcare services in Greenland are “severely limited” due to a cyberattack. The incident began on May 9. The communications manager for Naalakkersuisut, Greenland’s government, said “that it is most likely the same hackers who attacked the central administration network a few months ago. It can be traced in the procedure and the technical imprints left on the network.”

Editor's Note

Part of the challenge was restoring services after the attack crashed some components. While it can be difficult, make sure that you've got dependencies mapped out as well as startup order prior to needing a full restart. Then here's the scary part: test it in production.

Lee Neely

Internet Storm Center Tech Corner

A "Zip Bomb" to Bypass Security Controls & Sandboxes

https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/


Attacker Scanning for jQuery-File-Upload

https://isc.sans.edu/forums/diary/Attacker+Scanning+for+jQueryFileUpload/28674/


Oracle Security Alert Advisory - CVE-2022-21500

https://www.oracle.com/security-alerts/alert-cve-2022-21500.html


How to find NPM dependencies vulnerable to account hijacking

https://www.theregister.com/2022/05/23/npm_dependencies_vulnerable/


Pre-hijacked accounts

https://arxiv.org/pdf/2205.10174.pdf


Cisco IOS XR Software Health Check Open Port Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK


pwn2own Vancouver 2022 Results

https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results#three


Malicious PyPi Packages Drop Cobalt Strike

https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux