Cisco hacked: Six backend servers used by customer VIRL-PE deployments compromised via SaltStack

Plus other news from infosec land this week

Roundup Six Cisco-operated servers were hacked via SaltStack security vulnerabilities, the networking giant revealed this week.

The compromised systems act as the salt-master servers for releases 1.2 and 1.3 of Cisco's Virtual Internet Routing Lab Personal Edition (VIRL-PE) product, and customer installations connect to these Cisco-maintained backend boxes.

SaltStack is a tool for managing software running on remote systems; its developers issued security patches at the end of April for two vulnerabilities in its code that can be exploited to gain control of host computers. Cisco patched the six VIRL-PE salt-master boxes – us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info, and vsm-us-2.virl.info – on May 7, and discovered they had been hacked.

According to an advisory on May 28:

Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.

Cisco VIRL-PE connects back to Cisco maintained Salt Servers that are running the salt-master service. These servers are configured to communicate with a different Cisco salt-master server, depending on which release of Cisco VIRL-PE software is running. Administrators can check the configured Cisco salt-master server by navigating to VIRL Server > Salt Configuration and Status.

Switchzilla was tight on details, such as the impact on customers: our immediate advice is to hit up your Cisco rep if your VIRL-PE installation is affected.

In the same advisory, Cisco said it has patched the two critical SaltStack vulnerabilities – CVE-2020-11651 and CVE-2020-11652 – in VIRL-PE and Cisco Modeling Labs Corporate Edition (CML).

Meanwhile, Cisco acquired internet and network monitoring biz ThousandEyes in a deal thought to total $1bn. The San Francisco upstart will be merged with Cisco's new Networking Services business unit.

“I’m excited to welcome the ThousandEyes team to Cisco,” said Todd Nightingale, general manager of Cisco Enterprise Networking and Cloud unit. “The combination of Cisco and ThousandEyes will enable deeper and broader visibility to pin-point deficiencies and improve the network and application performance across all networks.”

Zoom's end-to-end encryption is coming to paying customers only, such as schools and enterprises, a spokesperson told Reuters. Users of free accounts won't benefit from the enhanced privacy-protecting cryptography.

GitHub issues alert over Octopus malware attacks on NetBeans

More than two dozen projects on GitHub were found to be serving up malware, says the Microsoft-owned outfit.

An alert posted this week stated that 26 NetBeans Java repos were infected with a remote-access malware called Octopus Scanner.

"On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware," GitHub said.

"After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself."

Interestingly, GitHub said the malware was likely planted without the knowledge of the developers who ran the otherwise legitimate projects: the attackers sought out specific Java projects and modified their nbproject/cache.dat files to include the malware.
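One way to triage your own checkouts for the indicator GitHub describes, as an added example that is not GitHub's code or part of the original report: it walks a source tree, identifies NetBeans projects by their nbproject/project.xml, and reports any nbproject/cache.dat alongside its size and SHA-256 for review. The path layout is taken from the alert above; the file-walk and reporting logic is this example's own assumption.

```python
"""Audit a source tree for NetBeans projects that carry an nbproject/cache.dat.

Added example (not GitHub's own tooling): the nbproject/cache.dat path is the
indicator named in GitHub's Octopus Scanner alert; everything else is assumed.
"""
import hashlib
import sys
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large build artifacts do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_netbeans_projects(root: Path) -> list[Path]:
    """Return every nbproject/ directory under root that holds a project.xml."""
    return sorted(p.parent for p in root.rglob("nbproject/project.xml"))


def audit_tree(root: Path) -> list[dict]:
    """List each NetBeans project whose nbproject/ directory contains cache.dat.

    Presence alone is not proof of compromise; the size and hash are there so a
    reviewer can compare the file against a known-good checkout or sandbox it.
    """
    findings = []
    for nbdir in find_netbeans_projects(root):
        cache = nbdir / "cache.dat"
        if cache.is_file():
            findings.append({
                "project": str(nbdir.parent.relative_to(root)),
                "file": str(cache.relative_to(root)),
                "size": cache.stat().st_size,
                "sha256": sha256_of(cache),
            })
    return findings


if __name__ == "__main__":
    # Usage: python audit_nbproject.py /path/to/checkouts
    for finding in audit_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{finding['file']}  {finding['size']} bytes  sha256={finding['sha256']}")
```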

Make sure you've installed the latest iOS 13.5 security patches, as they contain fixes to prevent things like Bluetooth traffic from being intercepted and images triggering malicious code execution.

They do not contain a fix for a kernel-level arbitrary code execution hole exploited by the unc0ver jailbreak. The hole is said to exist in iOS 13.5 because Apple, having previously fixed the bug at the heart of the jailbreak, reintroduced it in its latest OS release.

As such, the jailbreak is said to work on iOS 11 to 13.5, except versions 12.3-12.3.2 and 12.4.2-12.4.5 in which the vulnerability was closed.

US watchdog warns of college-focused coronavirus scams

Those in higher education in America should take note of this warning from America's consumer regulator about phishing emails targeting university students.

The FTC said miscreants have been looking to lift the logins of students by posing as members of their schools' financial assistance departments. The students are told they should log into their accounts to obtain their coronavirus financial assistance checks. Instead, students are sent to sites that harvest their account details and/or try to install malware on their machines.

A hacker called VandaTheGod has been identified after a seven-year spree due to poor opsec, according to Check Point Research.

Capital One told to cough up hack analysis

Capital One has been ordered to cough up a security outfit's investigative report into the credit-card giant's 2019 network security breach.

A judge handling a class-action complaint filed on behalf of customers in the US, whose info was stolen by hackers who broke into the financial biz, has said Capital One cannot legally hide the confidential forensic report produced by Mandiant at Capital One's request.

This means that the suing attorneys, at least, will get a rare look into the internal dossiers produced for large companies by professionals hired to assess network intrusions; dossiers that explain what went wrong, and what can be done in future to avoid catastrophe. Capital One had asked the court to keep the information private on the grounds it was a protected legal document, an argument the judge found unpersuasive.

Minted hacked

Graphic design marketplace Minted has fessed up to being the source of five million account details flogged on darknet markets earlier this month. The site said the user records were stolen on May 6, a theft detected on May 15.

"The information involved includes customers’ names and login credentials to their Minted accounts, consisting of their email address and password. The passwords were hashed and salted and not in plain text," Minted said.

"Telephone number, billing address, shipping address(es), and, for fewer than one percent of affected customers, date of birth, also may have been impacted."

Real-estate app Tellus exposes sensitive paperwork

This week in "companies forgetting to close their Amazon Web Services S3 buckets" we have real-estate app Tellus.

The research team at Cybernews found an AWS-hosted cloud storage silo open on the internet containing tens of thousands of account details and documents.

These included property owner records, renters' documents, metadata on financial transactions, and transaction records. The documents also contain email addresses and phone records.

If there's any good news to be had, it's that there's no indication yet that anyone other than the Cybernews crew was aware of the database facing the internet. The system has since been secured.

Michigan State hit by ransomware gang

Bad news, Spartans. Michigan State University in the US has reportedly fallen victim to ransomware. The Netwalker hacker crew laid claim to the intrusion, and says it will release documents obtained during the security breach shortly, unless the school coughs up an unspecified amount of cryptocurrency.

While the exact nature of what was stolen is not known, it is said to include the personal documents of students.

Valak malware spreading like wildfire

The team at Cybereason took a deep dive into the Valak malware, and found dozens of strains of the software nasty cropping up in an astonishingly short time. Most notably, they found that the malware has expanded in scope beyond its original purpose as a loader for other bits of spyware and similar malicious code.

"Though it was first observed in late 2019, the Cybereason Nocturnus team has investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months," the report noted. "This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises."

Ted Cruz wants Twitter brought up for hosting the Ayatollah

US Senator Ted Cruz (R-TX) has followed President Trump's lead in piling on Twitter for alleged misdeeds.

The Texas conservative wants the microblogging site to be investigated [PDF] by American prosecutors for continuing to host the accounts of Iranian leaders Ali Khamenei and Javad Zarif.

"Twitter stated that it will not eliminate these accounts because 'to deny our service to [Iran’s] leaders at a time like this would be antithetical to the purpose of our company,' and because Twitter’s 'goal is to elevate and amplify authoritative health information as far as possible'," Cruz thundered.

"The position cannot be aligned with Iranian policy as it actually exists or with how designated Iranian officials use Twitter."

Surely this has nothing to do with Twitter's handling of the President's account, and Cruz filed this complaint entirely by coincidence and out of genuine concern for national security. ®

Biting the hand that feeds IT © 1998–2020