Sam Stelfox

Enterprise Cybersecurity Roundup [August 2021]

 <img src="technology-lock-enterprise-cybersecurity-roundup.png" alt="technology-lock-enterprise-cybersecurity-roundup">

Minim's cybersecurity roundup is a monthly digest of the latest security threats such as malware, breaches, vulnerabilities, and more. Where possible, we provide additional documentation in the form of discovery reports and share best practices. To stay informed, subscribe to our newsletter at the bottom of the page. 

ChaosDB vulnerability allows admin access in Microsoft Azure Cosmos DB

Last month, security researchers at cloud security firm Wiz discovered a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could have let an attacker obtain an account's primary read-write key and use it to access customers' databases. The list of Azure Cosmos DB clients included customers such as Coca-Cola, ExxonMobil, Walgreens, Liberty Mutual, and Skype.

The Microsoft Security Response Center published a blog post reassuring customers that the problem only affected a subset of them and had been resolved:

Our investigation indicates no customer data was accessed because of this vulnerability by third parties or security researchers. We've notified customers whose keys may have been affected during the researcher activity to regenerate their keys.

 

Microsoft Security Response Center 

Despite reassurance from Microsoft that the vulnerability has not caused data compromise so far, Microsoft published an update on the vulnerability and has specified the mitigation actions they have taken, including turning off the preview feature, forensic investigation and log search, updating their threat model, and further monitoring.  

In their blog titled #ChaosDB, Wiz details how they discovered the vulnerability. In a two-part process, Wiz was able to steal primary keys through Jupyter Notebook as an attack vector and obtain long-term full admin access to data stored in the CosmosDB account. This included read, write, and delete functionality.  

They praised Microsoft's security team for disabling the feature containing the vulnerability within 48 hours. Conveniently, the feature was built to self-disable if it was not used within three days. However, Wiz still recommends regenerating keys for any Cosmos DB account that used the feature or that was created after January 2021. They suggest short-term remediation in two steps:  

  • Replace your Cosmos DBs' primary keys 
  • Reduce network exposure of Cosmos DB accounts 

Longer-term remediation recommendations include using role-based access control (RBAC) and private endpoints. The initial discovery report from Wiz can be viewed on their blog here, while their more technically detailed report including steps for remediation and monitoring can be viewed here. 
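As an added illustration of the short- and long-term remediation steps above (example code written for this roundup, not Wiz's or Microsoft's tooling), the script below audits a constructed inventory of Cosmos DB account records. The record fields approximate the account properties Azure exposes (publicNetworkAccess, ipRules, virtualNetworkRules, privateEndpointConnections, disableLocalAuth, createdAt); the notebooksUsed flag is a hypothetical field standing in for your own record of which accounts used the Jupyter Notebook feature, and the January 2021 cut-off is the one Wiz recommends.

```python
"""Audit Cosmos DB account records against the ChaosDB remediation advice.

Constructed example: the account records are hand-built approximations of
Cosmos DB account properties. 'notebooksUsed' is a hypothetical field, not an
Azure property; substitute whatever record you keep of notebook usage.
"""
from datetime import datetime, timezone

# Wiz's cut-off: accounts created after January 2021 should rotate their keys.
KEY_ROTATION_CUTOFF = datetime(2021, 1, 1, tzinfo=timezone.utc)

# Constructed sample inventory (not real accounts).
ACCOUNTS = [
    {
        "name": "orders-db-prod",
        "createdAt": "2020-06-12T09:30:00Z",
        "notebooksUsed": False,
        "publicNetworkAccess": "Disabled",
        "ipRules": [],
        "virtualNetworkRules": [],
        "privateEndpointConnections": [{"id": "pe-orders-1"}],
        "disableLocalAuth": True,
    },
    {
        "name": "analytics-scratch",
        "createdAt": "2021-03-02T14:05:00Z",
        "notebooksUsed": True,
        "publicNetworkAccess": "Enabled",
        "ipRules": [],
        "virtualNetworkRules": [],
        "privateEndpointConnections": [],
        "disableLocalAuth": False,
    },
    {
        "name": "billing-db",
        "createdAt": "2019-11-20T08:00:00Z",
        "notebooksUsed": False,
        "publicNetworkAccess": "Enabled",
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],
        "virtualNetworkRules": [],
        "privateEndpointConnections": [],
        "disableLocalAuth": False,
    },
]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def needs_key_rotation(acct: dict) -> bool:
    """Short-term step 1: rotate primary keys if the account used the notebook
    feature or was created after the January 2021 cut-off."""
    return acct["notebooksUsed"] or parse_time(acct["createdAt"]) > KEY_ROTATION_CUTOFF


def network_exposure(acct: dict) -> str:
    """Short-term step 2: classify how reachable the account is from the network."""
    if acct["publicNetworkAccess"] == "Disabled":
        return "private"
    if acct["ipRules"] or acct["virtualNetworkRules"]:
        return "restricted"
    return "open"


def audit(acct: dict) -> list[str]:
    """Return the remediation findings for one account, in a fixed order."""
    findings = []
    if needs_key_rotation(acct):
        findings.append("rotate-primary-key")
    if network_exposure(acct) == "open":
        findings.append("restrict-network-access")
    # Longer-term recommendations: RBAC instead of key auth, and private endpoints.
    if not acct["disableLocalAuth"]:
        findings.append("enable-rbac-disable-key-auth")
    if not acct["privateEndpointConnections"]:
        findings.append("add-private-endpoint")
    return findings


def audit_all(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each account name to its findings."""
    return {a["name"]: audit(a) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit_all(ACCOUNTS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Accounts that come back with rotate-primary-key are the ones to regenerate keys for (the Azure CLI's az cosmosdb keys regenerate command does this per key kind); the remaining findings map onto the network-exposure, RBAC, and private-endpoint recommendations.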

Hive ransomware targeting healthcare industry after attack on Memorial Health System 

On August 15th, Ohio's Memorial Health System suffered a cyberattack so crippling that radiology exams and surgical procedures were cancelled and hospital staff reverted to paper records. This attack has been linked to Hive ransomware, prompting the Federal Bureau of Investigation to warn other healthcare providers of the dangers it poses.

The FBI partnered with the Cybersecurity and Infrastructure Security Agency (CISA) to issue a FLASH update on recent ransomware that particularly targets the healthcare industry. Hive ransomware uses various techniques, most often phishing emails with malicious attachments, to gain an initial foothold, and then uses the Remote Desktop Protocol (RDP) to move between devices on the network.

Hive ransomware is capable of exfiltrating files off a network as well as encrypting files on the network. A ransom note is left which directs the victim to Hive's Tor domain to send payment and threatens victims not to attempt tampering with the ransom process through strategic shutdowns, third-party decryption software, file modification, etc.  

The ransomware searches for processes linked to backups, anti-virus/anti-spyware, and file copying and terminates them. Once files are encrypted, they are typically given a .hive extension. It also includes a script titled hive.bat, which forces a one-second timeout delay for post-encryption cleanup, and shadow.bat, which deletes shadow copies.

Indicators of Compromise

Filename            Description
Winlo.exe           Found in C:\Windows\SysWOW64\winlo.exe. Used to place 7zG.exe, Winlo_dump_64_SCY.exe, and HOW_TO_DECRYPT.txt in succession.
HOW_TO_DECRYPT.txt  Stops and disables Windows Defender, deletes its definitions, and removes its context menu. Stops several services and disables them from restarting. Attempts to delete volume shadow copies. Deletes Windows Event Logs. Uses Notepad++ to create a key file. Changes boot-up to ignore errors. Places a PowerShell script.
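The filenames, extension, and behaviours listed above translate directly into detection logic. The script below is an added example written for this roundup (not the FBI's or any vendor's tooling) that runs a handful of such rules over constructed endpoint log lines in a simplified timestamp|host|event|detail format; real Sysmon or EDR records carry more fields, so the parsing is the part you would adapt. The vssadmin "delete shadows" match stands in for the shadow-copy deletion the FLASH describes, and the mass-encryption threshold is an arbitrary choice.

```python
"""Scan constructed endpoint log lines for the Hive indicators named in the FBI FLASH.

Constructed example: SAMPLE_LOGS is hand-written in a simplified
'timestamp|host|event|detail' format, not real Sysmon or EDR output. The rules
use only the filenames, extension, and behaviours the FLASH lists.
"""
import ntpath
from collections import Counter

# Filenames the FLASH associates with Hive, matched case-insensitively on the basename.
HIVE_FILENAMES = {"winlo.exe", "winlo_dump_64_scy.exe", "hive.bat", "shadow.bat"}
RANSOM_NOTE = "how_to_decrypt.txt"
ENCRYPTED_EXT = ".hive"
# Assumption: this many .hive files created on one host counts as mass encryption.
MASS_ENCRYPTION_THRESHOLD = 3

# Constructed sample log lines (not a real capture).
SAMPLE_LOGS = r"""
2021-08-15T02:11:04Z|ws-17|ProcessCreate|C:\Windows\SysWOW64\winlo.exe
2021-08-15T02:11:05Z|ws-17|FileCreate|C:\Users\Public\7zG.exe
2021-08-15T02:11:09Z|ws-17|ProcessCreate|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2021-08-15T02:12:30Z|ws-17|FileCreate|C:\Finance\Q3\ledger.xlsx.hive
2021-08-15T02:12:31Z|ws-17|FileCreate|C:\Finance\Q3\payroll.docx.hive
2021-08-15T02:12:31Z|ws-17|FileCreate|C:\Finance\Q3\notes.txt.hive
2021-08-15T02:12:40Z|ws-17|FileCreate|C:\Finance\Q3\HOW_TO_DECRYPT.txt
2021-08-15T02:13:00Z|ws-17|ProcessCreate|C:\Windows\Temp\shadow.bat
2021-08-15T02:14:00Z|ws-22|FileCreate|C:\Users\alice\Desktop\report.pdf
2021-08-15T02:15:00Z|ws-22|ProcessCreate|C:\Windows\notepad.exe
"""


def parse_line(line: str) -> dict:
    """Split one 'timestamp|host|event|detail' record into its fields."""
    ts, host, event, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "event": event, "detail": detail}


def match_line(rec: dict) -> list[str]:
    """Return the names of the Hive rules a single record matches."""
    hits = []
    detail = rec["detail"]
    if rec["event"] == "ProcessCreate":
        # The image path is the first token of the command line in this format.
        image = detail.split(" ", 1)[0]
        if ntpath.basename(image).lower() in HIVE_FILENAMES:
            hits.append("hive-known-binary")
        lowered = detail.lower()
        if "vssadmin" in lowered and "delete shadows" in lowered:
            hits.append("shadow-copy-deletion")
    elif rec["event"] == "FileCreate":
        base = ntpath.basename(detail).lower()
        if base == RANSOM_NOTE:
            hits.append("hive-ransom-note")
        elif ntpath.splitext(base)[1] == ENCRYPTED_EXT:
            hits.append("hive-encrypted-file")
    return hits


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Scan all lines and return (host, rule, detail) alerts.

    A per-host 'mass-hive-encryption' alert is appended when the number of
    .hive file creations on that host reaches MASS_ENCRYPTION_THRESHOLD.
    """
    alerts = []
    hive_files = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        for rule in match_line(rec):
            alerts.append((rec["host"], rule, rec["detail"]))
            if rule == "hive-encrypted-file":
                hive_files[rec["host"]] += 1
    for host, count in hive_files.items():
        if count >= MASS_ENCRYPTION_THRESHOLD:
            alerts.append((host, "mass-hive-encryption", f"{count} .hive files created"))
    return alerts


def hosts_with_alerts(log_text: str) -> set[str]:
    """Hosts that produced at least one alert; candidates for isolation."""
    return {host for host, _, _ in scan(log_text)}


if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_LOGS):
        print(f"{host}  {rule:24s} {detail}")
```

On the sample data only ws-17 fires, and it fires on every stage the FLASH describes: the dropper, the shadow-copy deletion, the encrypted files, the ransom note, and shadow.bat. The host list is the input to the "isolate the infection" step in the mitigations below.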

 

The FBI also reported that Hive representatives have solicited some of their victims by phone for payments. Deadlines to send payment to Hive representatives vary, as some of the reported attacks have allowed less time than others. However, Hive has been known to extend deadlines when companies respond to contact. A few of the preventative measures include: 

  • Maintain offline backups of critical data 
  • Copy critical data to the cloud 
  • Refer to government cybersecurity resources such as StopRansomware.gov 

Post-infection ransomware mitigations include:

  • Isolate the infection 
  • Power off and segregate devices 
  • Secure backups 

Consult the official FBI FLASH update (PDF) for full details on indicators of compromise, best practices, recommended mitigations, and more on Hive ransomware. This report serves as the main source for most of our highlights. 

Realtek WiFi module in routers and IoT devices discovered to have critical vulnerabilities

Realtek has disclosed vulnerabilities found in their Jungle SDK-based routers, stating there are "potential memory corruption vulnerabilities in some services that may cause their denial of the service." Based on research and calculations using Shodan, close to one million devices are affected. Exploits of these vulnerabilities have been found to allow full compromise of devices, either through remote code execution at the highest privilege level or through command injection.

Vulnerability Details

CVE             Severity Rating   CVSS Score   Description
CVE-2021-35392  High              8.1          Heap buffer overflow vulnerability from unsafe SSDP NOTIFY messages received from an M-SEARCH message's ST header
CVE-2021-35393  High              8.1          Stack buffer overflow vulnerability within the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header
CVE-2021-35394  Critical          9.8          Buffer overflow vulnerabilities and a command injection vulnerability in the UDPServer MP tool from insufficient legality detection on commands from clients
CVE-2021-35395  Critical          9.8          Buffer overflow vulnerabilities triggered by copies of lengthy form parameters. Successful exploitation crashes the server and denies service. The exact parameters are listed in the SDK Advisory.

Affected versions include the following series: rtl819x-SDK-v3.2.x, -v3.4.x, -v3.4T, -V3.4T-CT, and rtl819x-eCos-v1.5x. Source: Realtek AP-Router SDK Advisory (PDF)
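The first two advisories in the table describe overflows triggered by unchecked SSDP ST and UPnP Callback header values. As an added illustration written for this roundup (not Realtek's SDK code), the parser below shows the defensive counterpart: every request line and header value is checked against a fixed cap before it is stored, and anything oversized or malformed is rejected rather than copied. The limits, the sample datagrams, and the SsdpParseError name are all constructed for the example, not values from the advisory.

```python
"""Length-checked parser for SSDP/UPnP request headers.

Illustrative code, not Realtek's SDK code. Every cap below is an arbitrary
choice for the example; a real implementation would size them to its buffers.
"""

MAX_LINE_LEN = 512      # assumption: longest request or header line accepted
MAX_HEADERS = 32        # assumption: cap on header count per message
MAX_VALUE_LEN = 256     # assumption: default cap on any header value
# Tighter caps for the two headers the advisories name (assumed values).
VALUE_LIMITS = {"ST": 128, "CALLBACK": 200}
ALLOWED_METHODS = {"M-SEARCH", "NOTIFY", "SUBSCRIBE", "UNSUBSCRIBE"}


class SsdpParseError(ValueError):
    """Raised for any datagram that is malformed or exceeds a limit."""


def parse_ssdp(datagram: bytes) -> dict:
    """Parse an SSDP/UPnP request into method, target, version, and headers.

    Limits are enforced before any value is stored, so an oversized ST or
    Callback header is rejected instead of being copied into a fixed buffer.
    """
    if len(datagram) > MAX_HEADERS * MAX_LINE_LEN:
        raise SsdpParseError("datagram too large")
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError as exc:
        raise SsdpParseError("non-ASCII bytes in datagram") from exc
    lines = text.split("\r\n")
    if not lines or len(lines[0]) > MAX_LINE_LEN:
        raise SsdpParseError("bad request line")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS:
        raise SsdpParseError("unsupported request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # an empty line terminates the header block
        if len(line) > MAX_LINE_LEN:
            raise SsdpParseError("header line too long")
        if len(headers) >= MAX_HEADERS:
            raise SsdpParseError("too many headers")
        name, sep, value = line.partition(":")
        name = name.strip().upper()
        if not sep or not name:
            raise SsdpParseError("malformed header")
        value = value.strip()
        if len(value) > VALUE_LIMITS.get(name, MAX_VALUE_LEN):
            raise SsdpParseError(f"{name} header value too long")
        headers[name] = value
    return {"method": method, "target": target, "version": version, "headers": headers}


def search_target(datagram: bytes) -> str:
    """Return the ST (search target) of an M-SEARCH request."""
    msg = parse_ssdp(datagram)
    if msg["method"] != "M-SEARCH":
        raise SsdpParseError("not an M-SEARCH request")
    st = msg["headers"].get("ST")
    if st is None:
        raise SsdpParseError("missing ST header")
    return st


def is_safe(datagram: bytes) -> bool:
    """True if the datagram parses within every limit, False otherwise."""
    try:
        parse_ssdp(datagram)
        return True
    except SsdpParseError:
        return False


# Constructed sample datagrams (not captured traffic).
GOOD_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)
GOOD_SUBSCRIBE = (
    b"SUBSCRIBE /evt HTTP/1.1\r\n"
    b"HOST: 192.0.2.10:49152\r\n"
    b"CALLBACK: <http://192.0.2.20:8080/notify>\r\n"
    b"NT: upnp:event\r\n"
    b"TIMEOUT: Second-1800\r\n"
    b"\r\n"
)
# An ST value far past the cap: parsed and rejected, never copied anywhere.
OVERSIZED_ST = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"ST: " + b"A" * 300 + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("good M-SEARCH ST:", search_target(GOOD_MSEARCH))
    print("oversized ST accepted:", is_safe(OVERSIZED_ST))
```

The same value cap applies to the Callback header of SUBSCRIBE/UNSUBSCRIBE requests, so one parser covers both header-based advisories; the point is that the check happens before the value reaches any fixed-size storage.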

Security researcher Q. Kaiser of IoT Inspector Research Lab has published a full report on their findings, which states that at least 65 vendors are affected, including Netgear, MT-Link, ASUSTek, LG International, Logitech, and NetComm. Affected devices range from VoIP and traditional wireless routers to residential gateways, IP cameras, and WiFi repeaters, comprising nearly 200 unique device fingerprints.

Realtek has provided patches for the affected WiFi module, but some sources speculate that many devices may remain unpatched for some time, particularly citing public WiFi services.

You can view the full report of attack methods, a timeline of discoveries, and a list of affected devices/vendors at IoT Inspector's blog.

