Threat Report

Thursday December 6, 2018

This week we’re covering a developing story around a Kubernetes vulnerability that is still shrouded in mystery, a string of high-profile data breaches, and following up on the mobile spyware topic from last week.

You Never Forget Your First Hack

You’ve been hacked. How did this happen? You learn a lot from responding to security incidents, and Kubernetes is learning some of those lessons now, the hard way. CVE-2018-1002105, the first major security flaw in Kubernetes, is a privilege escalation vulnerability in the Kubernetes API server that affects every product and service built on Kubernetes. It was reported by Darren Shepherd of Rancher Labs, and Red Hat, whose OpenShift products are affected, publicized it.

The flaw is in how the API server proxies requests to backends. A specially crafted request that asks the API server to upgrade a connection to a backend (an aggregated API server or a kubelet) can fail the upgrade yet leave the connection open. The API server keeps using its own TLS client credentials on that connection, so any further requests the caller sends over it reach the backend authenticated as the API server. In the default configuration any user, authenticated or not, can reach aggregated API servers this way; a user who is allowed to exec, attach, or port-forward into a pod can reach the kubelet and run any API call on any node, which amounts to full cluster-admin access. No exploitation in the wild was known when the flaw was disclosed, and detecting abuse after the fact is hard: the unauthorized requests travel over an already-established connection, so they do not appear in the API server audit logs or server logs, and at the backend they are indistinguishable from legitimately proxied requests.

The fixed versions are v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1. Everything earlier on those lines (v1.10.0 through v1.10.10, v1.11.0 through v1.11.4, v1.12.0 through v1.12.2) is vulnerable, and so is every release from v1.0.x through v1.9.x, which are out of support and will not be patched. Until you can upgrade, the advisory’s mitigations are to suspend aggregated API servers and to remove pod exec/attach/portforward permissions from users who should not have them; both are disruptive, so upgrading is the real fix. No indicators of compromise were released, but the Kubernetes issue and Red Hat’s write-up give the technical detail.
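The two checks an operator would want after reading the advisory, as an added example that is not Perch, Red Hat, or Kubernetes project code: a version comparison against the fixed releases, and a scan of RBAC rules for the pod sub-resources the kubelet escalation path requires. The input shapes follow `kubectl version -o json` (the `serverVersion.gitVersion` string) and `kubectl get clusterroles -o json`; the sample role JSON is constructed for this example. Note that the RBAC scan covers only the kubelet path; the aggregated-API path relies on default discovery permissions for anonymous users, which this script does not test.

```python
"""Triage helpers for CVE-2018-1002105 (added example; not Perch, Red Hat or Kubernetes code).

  1. is_patched(): is the API server at or above the fixed release for its minor line?
  2. rules_granting_escalation(): which Role/ClusterRole rules grant pods/exec,
     pods/attach or pods/portforward, the rights the kubelet escalation path needs.
"""
import json
import re

# First fixed release per minor line, per the Kubernetes advisory. 1.13.0-rc.1 shipped fixed.
FIXED = {10: (1, 10, 11), 11: (1, 11, 5), 12: (1, 12, 3), 13: (1, 13, 0)}
ESCALATION_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}


def parse_version(git_version):
    """'v1.12.2-gke.1' -> ((1, 12, 2), '-gke.1'); vendor suffixes are kept, not compared."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(.*)$", git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)


def is_patched(git_version):
    (major, minor, patch), suffix = parse_version(git_version)
    if major != 1:
        return major > 1
    if minor < 10:
        return False  # 1.0 - 1.9 are out of support and received no fix
    if minor > 13:
        return True   # later minor lines branched after the fix landed
    if (major, minor, patch) < FIXED[minor]:
        return False
    # 1.13.0 pre-releases before rc.1 (alpha/beta) predate the fix
    if minor == 13 and patch == 0 and (suffix.startswith("-alpha") or suffix.startswith("-beta")):
        return False
    return True


def rules_granting_escalation(role_list):
    """Return [(role name, matched resources)] for rules usable in the kubelet escalation.

    A rule qualifies if it covers the core API group ("" or "*"), names one of the
    escalation sub-resources or the wildcard resource, and allows create, get or *.
    cluster-admin will always show up; the interesting hits are the other roles.
    """
    findings = []
    for item in role_list.get("items", []):
        name = item["metadata"]["name"]
        for rule in item.get("rules") or []:
            groups = set(rule.get("apiGroups", []))
            if not groups & {"", "*"}:
                continue  # pods live in the core ("") API group
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            matched = sorted(resources & ESCALATION_SUBRESOURCES)
            if "*" in resources:
                matched = ["*"]
            if matched and verbs & {"create", "get", "*"}:
                findings.append((name, matched))
    return findings


# Constructed sample in the shape of `kubectl get clusterroles -o json` (trimmed).
SAMPLE_ROLES = json.loads("""
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "view"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "developer-debug"},
   "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]}
]}
""")


if __name__ == "__main__":
    for v in ("v1.9.11", "v1.12.2-gke.1", "v1.12.3", "v1.13.0-rc.1"):
        print(f"{v:16} patched={is_patched(v)}")
    for role, res in rules_granting_escalation(SAMPLE_ROLES):
        print(f"{role}: grants {', '.join(res)}")
```

In practice you would pipe real output in (`kubectl get clusterroles,roles -A -o json`) and feed `serverVersion.gitVersion` from `kubectl version -o json` to `is_patched`; vendor builds such as GKE or OpenShift carry their own suffixes, so only the numeric part is compared.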

Big Data Score in High-Profile Data Heist

We’ve seen a burst of high-profile data drops recently. Data on over 600 million users was compromised in just three breaches: the National Republican Congressional Committee (NRCC), Quora, and Marriott have all recently disclosed incidents. Each teaches a different lesson, about merger and acquisition security, the benefits of security monitoring, and protecting data at rest.

Although only a handful of user accounts were compromised in the NRCC hack, it takes only one compromised user to have a data breach. The NRCC was notified of the breach by a managed security service provider (MSSP) and then brought in CrowdStrike, one of its security vendors. It’s good that the NRCC had security monitoring; without it, the intrusion could have lasted longer than the “several months” that attackers reportedly maintained access to the compromised accounts.

If this were a hacktivist group, we would expect a data dump. If this were a profiteer, we would expect a ransom demand. Neither has occurred, which gives us good reason to believe the threat actors are motivated by neither money nor protest. Allow me to be speculative: the threat actors are likely after intelligence. With enough private communications between Republican politicians, they could gain the leverage needed to ease sanctions tied to the ongoing occupation of Crimea and the DNC email hack. During this same period we have seen exactly that, as House Republicans cool on Russian sanctions.

Quora recently lost information on 100 million users. The data was not especially sensitive, but it did include email addresses and hashed passwords, and the notice did not say whether the hashes were salted. Millions of those hashes have likely been cracked already, and we have heard private reports of the data being used to attempt logins to email accounts. If you have ever used Quora with a common password, reset that password everywhere you have used it.
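Why the salting question matters, as an added example that is not Quora’s or Perch’s code: a constructed dump of four users is hashed two ways, unsalted SHA-256 (as many legacy sites did) and salted PBKDF2-HMAC-SHA256. Against the unsalted column one precomputed table of common passwords cracks every weak account with a dictionary lookup each, and reused passwords show up as identical hashes; the salted column forces the attacker to redo the deliberately slow derivation per user, so precomputation buys nothing. The wordlist and the user records are constructed for this example.

```python
"""Unsalted versus salted password hashes under a dictionary attack (added example)."""
import hashlib
import os

# Constructed wordlist standing in for the top of a real cracking dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "quora2018"]
PBKDF2_ROUNDS = 100_000

# Constructed leak: two weak passwords, one strong one, and one reused weak one.
USERS = {"alice": "password", "bob": "qwerty", "carol": "Tr0ub4dor&3-x9!", "dave": "password"}


def unsalted(password):
    """Legacy scheme: one fast hash, same input always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password, salt, rounds=PBKDF2_ROUNDS):
    """Per-user random salt plus a slow KDF; every guess must be recomputed per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_rainbow_table(wordlist):
    """One-time precomputation, hash -> plaintext, reusable against any unsalted dump."""
    return {unsalted(pw): pw for pw in wordlist}


def make_unsalted_dump(users=USERS):
    return {user: unsalted(pw) for user, pw in users.items()}


def make_salted_dump(users=USERS, rounds=PBKDF2_ROUNDS):
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        dump[user] = (salt, salted(pw, salt, rounds))
    return dump


def crack_unsalted(dump, table):
    """dump: {user: hex_hash}. One dict lookup per account; cost is independent of user count."""
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump, wordlist, rounds=PBKDF2_ROUNDS):
    """dump: {user: (salt, hex_hash)}. Every candidate is re-derived for every user."""
    recovered = {}
    for user, (salt, h) in dump.items():
        for pw in wordlist:
            if salted(pw, salt, rounds) == h:
                recovered[user] = pw
                break
    return recovered


def duplicate_hashes(dump):
    """Users sharing a digest in an unsalted dump: cracking one cracks all of them."""
    seen = {}
    for user, h in dump.items():
        seen.setdefault(h, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


if __name__ == "__main__":
    table = build_rainbow_table(COMMON_PASSWORDS)
    plain = make_unsalted_dump()
    print("unsalted, cracked by lookup:", crack_unsalted(plain, table))
    print("unsalted, shared digests:   ", duplicate_hashes(plain))
    hard = make_salted_dump()
    print("salted, cracked by brute force:", crack_salted(hard, COMMON_PASSWORDS))
```

Both runs recover the same three weak accounts, which is the second half of the lesson: salting stops precomputation and hides password reuse, but it does not rescue a password that is in every wordlist. Only a password unique to the site survives a dump, which is why the advice above is to reset anywhere the Quora password was reused.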

On Friday, November 30, 2018, Marriott Hotels publicly disclosed a breach of the network of its subsidiary, Starwood Hotels and Resorts. This shows the danger of mergers and acquisitions: when you buy another company, its security problems become your security problems. Amazon saw this with Twitch, and Marriott is now seeing it with the Starwood acquisition. The official statement emphasizes that the Marriott network was not involved, as the investigation identified unauthorized access only to Starwood’s network.

According to the investigation, the intrusion occurred on or before September 10, 2018, and targeted guest reservation information. Marriott estimates that the activity affected 500 million guests. Compromised data included some combination of names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, reservation dates, and other data points. Marriott also stated that an unknown number of payment card numbers and expiration dates were accessed along with the other customer data. It is not clear whether the accessed data was successfully exfiltrated, so the prudent assumption is that it was.

Marriott states that its investigation found unauthorized access to the Starwood network going back to 2014. Part of what tipped off the investigation was the actors copying and encrypting data from the Starwood Guest Reservation Database. Marriott was able to decrypt that data and determined it came from guest reservations on or around September 10, 2018. It is unclear whether the data was encrypted to ease exfiltration or to destroy evidence of the intrusion. Either way, the steps the actor took to hide, or potentially destroy, the stolen data show both their interest in the sensitive personally identifiable information and their interest in delaying discovery that it had been compromised.

Speaking of stealthy backdoors, ESET published follow-on research from Operation Windigo on the use of stealthy SSH backdoors to maintain persistence on compromised hosts. We took the published indicators and searched for them in Perchybana. No indicators matching this threat were observed in the last 30 days, so if you’re a Perch customer, you’re in the clear.

11 Critical Android Vulnerabilities Patched Amid Pegasus Abuse Claims

Google’s December Android security bulletin patched 11 critical vulnerabilities; nine were escalation-of-privilege (EoP) bugs. One of the few EoP bugs with a public description, CVE-2018-10840, is in the kernel’s ext4 filesystem code. Forty-two high-severity vulnerabilities were also patched. The timing couldn’t be better for journalists using Android, because there has been a lot of talk recently about abuse of NSO Group’s Pegasus mobile spyware. Pegasus is sold only to government organizations and is supposed to be used only against criminals and terrorists, yet it is increasingly being found on journalists’ phones. Pegasus was found on the phone of Omar Abdulaziz, a Saudi dissident living in Canada. The infection has been attributed to the Saudi government, and Abdulaziz believes it played a part in the murder of Saudi journalist and Washington Post columnist Jamal Khashoggi.

On Sunday, Abdulaziz’s lawyers filed a lawsuit in Tel Aviv alleging that NSO broke international law by knowingly allowing its spyware to be used to infringe upon human rights. “NSO should be held accountable in order to protect the lives of political dissidents, journalists, and human rights activists,” said Abdulaziz’s lawyer, Alaa Mahajna, speaking to CNN.

“The hacking of my phone played a major role in what happened to Jamal, I am really sorry to say,” Abdulaziz told CNN. “The guilt is killing me.”

The lawsuit claims that in the months before the killing, the royal court had access to Mr. Khashoggi’s communications about opposition projects with Mr. Abdulaziz because of the spyware on Mr. Abdulaziz’s phone.

Paul Scott
SOC Nightwatchman