
Enterprise Cybersecurity Roundup [August 2021]
- Jupyter Notebook feature enabled by default was linked to a full-access vulnerability in Microsoft Azure Cosmos DB
- Hive ransomware has been targeting the healthcare industry and the FBI has issued a report on the best preventative and after-care measures
- IoT and router vulnerabilities discovered in products with the RealTek WiFi module
Minim's cybersecurity roundup is a monthly digest of the latest security threats such as malware, breaches, vulnerabilities, and more. Where possible, we provide additional documentation in the form of discovery reports and share best practices. To stay informed, subscribe to our newsletter at the bottom of the page.
ChaosDB vulnerability allows admin access in Microsoft Azure Cosmos DB
Last month, security researchers at cloud security firm Wiz discovered a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could have exposed an account's primary read-write key and thereby granted access to customers' databases. Azure Cosmos DB's client list includes customers such as Coca-Cola, ExxonMobil, Walgreens, Liberty Mutual, and Skype.
The Microsoft Security Response Center published a blog post reassuring customers that only a subset of customers was affected and that the problem had been resolved:
Our investigation indicates no customer data was accessed because of this vulnerability by third parties or security researchers. We've notified customers whose keys may have been affected during the researcher activity to regenerate their keys.
Despite Microsoft's reassurance that the vulnerability has not caused any data compromise so far, Microsoft published an update on the vulnerability specifying the mitigation actions it has taken, including turning off the preview feature, conducting a forensic investigation and log search, updating its threat model, and further monitoring.
In their blog titled #ChaosDB, Wiz details how they discovered the vulnerability. In a two-part process, Wiz was able to steal primary keys through Jupyter Notebook as an attack vector and obtain long-term full admin access to data stored in the CosmosDB account. This included read, write, and delete functionality.
They praised Microsoft's security team for disabling the feature containing the vulnerability within 48 hours. Conveniently, the feature was built to self-disable if it was not used within three days. However, Wiz still recommends regenerating keys for any Cosmos DB account that used the feature or that was created after January 2021. They suggest short-term remediation in two steps:
- Replace your Cosmos DBs' primary keys
- Reduce network exposure of Cosmos DB accounts
Longer-term remediation recommendations include using role-based access control (RBAC) and private endpoints. The initial discovery report from Wiz is published on their blog, as is their more technically detailed report, which includes steps for remediation and monitoring.
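As an added example (not code from Wiz, Microsoft or Minim), the following Python script turns those short- and long-term recommendations into an automated check over a Cosmos DB account's ARM resource JSON. The property names are Azure's own; the sample accounts are constructed, and the account creation date, Notebook usage and key-rotation status are assumed to be supplied by the caller.

```python
"""Audit Azure Cosmos DB account settings against the ChaosDB remediation advice.

Added example, not code from Minim, Wiz or Microsoft. It reads the ARM resource
JSON of a Microsoft.DocumentDB/databaseAccounts resource (as printed by
`az cosmosdb show`) and uses its property names: publicNetworkAccess,
isVirtualNetworkFilterEnabled, ipRules, privateEndpointConnections and
disableLocalAuth. The two sample accounts below are constructed.
"""
from datetime import datetime, timezone

# Wiz: regenerate keys for any account that used the Notebook feature or was
# created after January 2021.
KEY_REGEN_CUTOFF = datetime(2021, 1, 1, tzinfo=timezone.utc)


def audit_account(account, created_at, used_notebooks, keys_regenerated):
    """Return remediation findings; created_at, used_notebooks and keys_regenerated
    come from the caller (portal or activity log) since the JSON does not carry them."""
    props = account.get("properties", {})
    findings = []
    # Short-term step 1: replace the primary keys the Notebook feature may have exposed.
    if (used_notebooks or created_at >= KEY_REGEN_CUTOFF) and not keys_regenerated:
        findings.append("regenerate primary and secondary keys")
    # Short-term step 2: reduce network exposure. Public access with neither a VNet
    # filter nor IP rules leaves the endpoint reachable from any address.
    public = props.get("publicNetworkAccess", "Enabled") == "Enabled"
    if public and not props.get("isVirtualNetworkFilterEnabled") and not props.get("ipRules"):
        findings.append("restrict public network access (VNet rules, IP rules or disable it)")
    # Long-term: private endpoints, and Azure AD RBAC instead of shared keys.
    if not props.get("privateEndpointConnections"):
        findings.append("add a private endpoint")
    if not props.get("disableLocalAuth", False):
        findings.append("disable key-based auth and move clients to RBAC")
    return findings


# Constructed sample accounts (not real resources); <sub> is a placeholder.
SAMPLE_CREATED_AT = datetime(2021, 3, 10, tzinfo=timezone.utc)
WEAK_ACCOUNT = {"name": "orders-db", "properties": {"publicNetworkAccess": "Enabled"}}
HARDENED_ACCOUNT = {"name": "orders-db", "properties": {
    "publicNetworkAccess": "Disabled", "disableLocalAuth": True,
    "privateEndpointConnections": [{"id": "/subscriptions/<sub>/.../pe1"}]}}

if __name__ == "__main__":
    for acct, rotated in ((WEAK_ACCOUNT, False), (HARDENED_ACCOUNT, True)):
        findings = audit_account(acct, SAMPLE_CREATED_AT, False, rotated)
        print(acct["name"], findings or ["no action needed"])
```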
Hive ransomware targeting healthcare industry after attack on Memorial Health System
On August 15th, Ohio's Memorial Health System suffered a cyberattack so crippling that radiology exams and surgical procedures were cancelled and hospital staff reverted to paper records. This attack has been linked to Hive ransomware, prompting the Federal Bureau of Investigation to warn other healthcare providers of the dangers it poses.
The FBI partnered with the Cybersecurity and Infrastructure Security Agency (CISA) to issue a FLASH update on recent ransomware that is particularly targeting the healthcare industry. Hive ransomware uses various techniques, most often phishing emails with malicious attachments, to gain initial access, and then uses the Remote Desktop Protocol (RDP) to move between devices on a network.
Hive ransomware is capable of exfiltrating files off a network as well as encrypting files on the network. A ransom note is left which directs the victim to Hive's Tor domain to send payment and warns victims not to tamper with the ransom process through strategic shutdowns, third-party decryption software, file modification, etc.
The ransomware searches for processes linked to backups, anti-virus/anti-spyware, and file copying and terminates them. Once files are encrypted, they are typically given a .hive extension. It also includes a script titled hive.bat, which forces a one-second timeout delay for post-encryption cleanup, and shadow.bat, which deletes shadow copies.
Indicators of Compromise
| Filename | Description |
| --- | --- |
| Winlo.exe | Found in C:\Windows\SysWOW64\winlo.exe. Used to place 7zG.exe, Winlo_dump_64_SCY.exe, and HOW_TO_DECRYPT.txt in succession. |
| HOW_TO_DECRYPT.txt | Stops and disables Windows Defender, deletes its definitions, removes its context menu. Stops several services and disables them from restarting. Attempts to delete volume shadow copies. Deletes Windows Event Logs. Uses Notepad++ to create key file. Changes boot up to ignore errors. Places PowerShell script. |
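The indicators and behaviours above can be turned into simple detection logic. The following Python is an added example, not code from the FBI or Minim; it runs over constructed sample log lines, and the shadow-copy and Defender command patterns are generic command forms rather than quotes from the FLASH.

```python
"""Flag Hive ransomware indicators in endpoint logs.

Added example, not code from Minim or the FBI FLASH. It scans constructed CSV-style
lines "timestamp,host,event,detail" (ProcessCreate with a command line, FileCreate
with a path) for what the FLASH describes: the dropper and note file names, shadow
copy deletion, Defender tampering, and a burst of .hive files on one host.
"""
import re
from collections import defaultdict

# File names from the FBI indicators of compromise, matched case-insensitively.
IOC_NAMES = ("winlo.exe", "winlo_dump_64_scy.exe", "how_to_decrypt.txt", "hive.bat", "shadow.bat")
# Generic command forms for the behaviours the FLASH lists (not quotes from it).
BEHAVIOUR_RULES = (
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Defender tampering", re.compile(r"sc(\.exe)?\s+(stop|config)\s+WinDefend|MpCmdRun(\.exe)?\s+-RemoveDefinitions", re.I)),
)
HIVE_BURST_THRESHOLD = 5  # .hive files created on one host before a single alert fires


def scan(lines):
    """Return (alert_type, host, evidence) tuples for every indicator found."""
    alerts = []
    hive_files = defaultdict(int)
    for line in lines:
        _ts, host, event, detail = line.split(",", 3)
        low = detail.lower()
        for name in IOC_NAMES:
            if name in low:
                alerts.append(("known Hive file", host, name))
        if event == "ProcessCreate":
            for label, rule in BEHAVIOUR_RULES:
                if rule.search(detail):
                    alerts.append((label, host, detail))
        elif event == "FileCreate" and low.endswith(".hive"):
            hive_files[host] += 1
            if hive_files[host] == HIVE_BURST_THRESHOLD:  # alert once per host
                alerts.append(("mass .hive encryption", host, f"{HIVE_BURST_THRESHOLD}+ files"))
    return alerts


# Constructed sample log: one infected workstation (ws-17) and one benign server (fs-01).
SAMPLE_LOG = [
    "2021-08-15T02:10:01Z,ws-17,ProcessCreate,C:\\Windows\\SysWOW64\\winlo.exe",
    "2021-08-15T02:10:03Z,ws-17,FileCreate,C:\\Users\\Public\\HOW_TO_DECRYPT.txt",
    "2021-08-15T02:10:05Z,ws-17,ProcessCreate,cmd.exe /c shadow.bat",
    "2021-08-15T02:10:05Z,ws-17,ProcessCreate,vssadmin.exe delete shadows /all /quiet",
    "2021-08-15T02:10:06Z,ws-17,ProcessCreate,sc.exe stop WinDefend",
    "2021-08-15T02:10:30Z,ws-17,ProcessCreate,cmd.exe /c hive.bat",
    "2021-08-15T02:11:00Z,fs-01,ProcessCreate,C:\\Windows\\System32\\svchost.exe -k netsvcs",
] + [f"2021-08-15T02:12:{i:02d}Z,ws-17,FileCreate,C:\\Shares\\Finance\\q3-{i}.xlsx.hive" for i in range(6)]
```

Running `scan(SAMPLE_LOG)` yields seven alerts, all for ws-17: four known file names, one shadow copy deletion, one Defender tampering, and one mass-encryption burst.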
The FBI also reported that Hive representatives have solicited some of their victims by phone for payments. Deadlines to send payment to Hive representatives vary, as some of the reported attacks have allowed less time than others. However, Hive has been known to extend deadlines when companies respond to contact. A few of the preventative measures include:
- Maintain offline backups of critical data
- Copy critical data to the cloud
- Refer to government cybersecurity resources such as StopRansomware.gov
Post-infection ransomware mitigations include:
- Isolate the infection
- Power off and segregate devices
- Secure backups
Consult the official FBI FLASH update (PDF) for full details on indicators of compromise, best practices, recommended mitigations, and more on Hive ransomware. This report serves as the main source for most of our highlights.
RealTek WiFi module in routers and IoT devices discovered to have critical vulnerabilities
RealTek has disclosed vulnerabilities found in their Jungle SDK-based routers, stating there are "potential memory corruption vulnerabilities in some services that may cause their denial of the service." Based on research and estimates derived from Shodan, close to one million devices are affected. Exploits of these vulnerabilities have been found to allow full compromise of devices, either through remote code execution at the highest privilege level or through command injection.
Vulnerability Details
| CVE | Severity Rating | CVSS Score | Description |
| --- | --- | --- | --- |
| CVE-2021-35392 | High | 8.1 | Heap buffer overflow vulnerability from unsafe SSDP NOTIFY messages received from M-SEARCH message's ST header |
| CVE-2021-35393 | High | 8.1 | Stack buffer overflow vulnerability within UPnP SUBSCRIBE/ |
| CVE-2021-35394 | Critical | 9.8 | Buffer overflow vulnerabilities and a command injection vulnerability in UDPServer MP tool from insufficient legality detection on commands from clients |
| CVE-2021-35395 | Critical | 9.8 | Buffer overflow vulnerabilities triggered by copies of lengthy form parameters. Successful exploitation crashes server and denies service. List of exact parameters in SDK Advisory. |
Affected versions include the following series: rtl819x-SDK-v3.2.x, -v3.4.x, -v3.4T, -V3.4T-CT, and rtl819x-eCos-v1.5x. Source: Realtek AP-Router SDK Advisory (PDF)
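The first two CVEs in the table are overflows caused by over-long SSDP/UPnP header values. The following Python is an added example, not Realtek's or IoT Inspector's code; it shows the length bounds a receiving parser must enforce before copying a header value anywhere, with illustrative limits and constructed datagrams.

```python
"""Length-checked SSDP request parser (added example, not Realtek's or IoT Inspector's code).

CVE-2021-35392 and CVE-2021-35393 above are overflows triggered by over-long SSDP/UPnP
header values; this parser shows the bounds a receiver must enforce before copying any
header value. Limits are illustrative, not from the SDK or UPnP spec; datagrams are constructed.
"""
MAX_DATAGRAM = 1024      # largest SSDP request we accept at all
MAX_HEADER_VALUE = 256   # per-header value limit (ST, MAN, MX, HOST, ...)
ALLOWED_METHODS = {"M-SEARCH", "NOTIFY"}

class SsdpError(ValueError):
    """Raised when a request fails a bound or format check."""

def parse_ssdp(datagram):
    """Parse one SSDP request into {HEADER: value}; raise SsdpError on anything unsafe."""
    if len(datagram) > MAX_DATAGRAM:
        raise SsdpError(f"datagram too large ({len(datagram)} bytes)")
    if not datagram.isascii():
        raise SsdpError("non-ASCII bytes in request")
    head, sep, _body = datagram.decode("ascii").partition("\r\n\r\n")
    if not sep:
        raise SsdpError("missing header terminator")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS or parts[1:] != ["*", "HTTP/1.1"]:
        raise SsdpError("bad request line")
    headers = {"_method": parts[0]}
    for line in header_lines:
        name, colon, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not colon or not name:
            raise SsdpError("malformed header line")
        if len(value) > MAX_HEADER_VALUE:  # the bound the vulnerable copy lacked
            raise SsdpError(f"{name} header too long ({len(value)} bytes)")
        headers[name.upper()] = value
    if headers["_method"] == "M-SEARCH" and "ST" not in headers:
        raise SsdpError("M-SEARCH without ST header")
    return headers

def reject_reason(datagram):
    """None if the datagram passes every check, otherwise the reason it was rejected."""
    try:
        parse_ssdp(datagram)
    except SsdpError as exc:
        return str(exc)

# Constructed datagrams: a normal discovery request and one with an oversized ST header.
GOOD_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
OVERSIZED_ST = GOOD_MSEARCH.replace(b"upnp:rootdevice", b"A" * 600)
```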
Security researcher Q. Kaiser of IoT Inspector Research Lab published a full report on the vulnerabilities, which states that at least 65 vendors are affected, including Netgear, MT-Link, ASUSTek, LG International, Logitech, and NetComm. Affected devices include VoIP and traditional wireless routers, residential gateways, IP cameras, and WiFi repeaters, comprising nearly 200 unique device fingerprints.
Realtek has provided patches for the affected WiFi module, but some sources speculate that many devices may remain unpatched for some time, citing public WiFi services in particular.
You can view the full report of attack methods, a timeline of discoveries, and a list of affected devices/vendors at IoT Inspector's blog.