Cisco hacked: Six backend servers used by customer VIRL-PE deployments compromised via SaltStack

Plus other news from infosec land this week


Roundup Six Cisco-operated servers were hacked via SaltStack security vulnerabilities, the networking giant revealed this week.

The compromised systems act as the salt-master servers for releases 1.2 and 1.3 of Cisco's Virtual Internet Routing Lab Personal Edition (VIRL-PE) product, and customer installations connect to these Cisco-maintained backend boxes.

SaltStack is a tool for managing software running on remote systems; its developer issued security patches at the end of April for two vulnerabilities in its code that can be exploited to gain control of host computers. Cisco patched the six VIRL-PE salt-master boxes – us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info, and vsm-us-2.virl.info – on May 7, and discovered they had been hacked.

According to an advisory on May 28:

Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE. Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.

Cisco VIRL-PE connects back to Cisco maintained Salt Servers that are running the salt-master service. These servers are configured to communicate with a different Cisco salt-master server, depending on which release of Cisco VIRL-PE software is running. Administrators can check the configured Cisco salt-master server by navigating to VIRL Server > Salt Configuration and Status.

Switchzilla was tight on details, such as the impact on customers: if your installation of VIRL-PE is affected, feel free to hit up your Cisco rep, is our immediate advice.

In the same advisory, Cisco said it has patched the two critical SaltStack vulnerabilities – CVE-2020-11651 and CVE-2020-11652 – in VIRL-PE and Cisco Modeling Labs Corporate Edition (CML).
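As an added defender-side check (example code written for this roundup, not Cisco's or SaltStack's own), the script below reads a Salt minion configuration, reports which salt-master it is pointed at, flags the six Cisco-operated hostnames named above, and tests whether the local Salt release predates the CVE-2020-11651 and CVE-2020-11652 fixes. It assumes the standard /etc/salt/minion file with a top-level `master:` key, and that the first fixed releases are SaltStack's 2019.2.4 and 3000.2; the config text and version string are constructed samples.

```python
"""Added example: which salt-master is a Salt minion configured to talk to,
and is the local Salt release old enough to predate the fixes for
CVE-2020-11651 / CVE-2020-11652?  Not Cisco's or SaltStack's own code.

Assumptions: the minion config is the standard /etc/salt/minion YAML with a
top-level `master:` key, and the first fixed releases are 2019.2.4 and 3000.2
(the versions SaltStack shipped with the late-April 2020 patches).
"""
import re

# The six Cisco-operated salt-master hosts named in the advisory coverage.
MASTERS_NAMED_IN_ADVISORY = {
    "us-1.virl.info", "us-2.virl.info", "us-3.virl.info", "us-4.virl.info",
    "vsm-us-1.virl.info", "vsm-us-2.virl.info",
}

# First release in each maintained branch carrying the fix (assumption, see above).
FIXED_2019_BRANCH = (2019, 2, 4)
FIXED_3000_BRANCH = (3000, 2)


def parse_version(text):
    """Extract a dotted version from e.g. 'salt-minion 2019.2.3' or '3000' as an int tuple."""
    m = re.search(r"\b(\d+(?:\.\d+)*)\b", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def configured_master(config_text):
    """Return the top-level `master:` value from minion config text, ignoring comments."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # strip YAML comments
        m = re.match(r"^master:\s*(\S+)$", line)
        if m:
            return m.group(1).strip("'\"")
    return None


def is_patched(version_text):
    """True if the Salt version is at or beyond the fixed release for its branch."""
    v = parse_version(version_text)
    if v[0] >= 3000:          # 3000, 3000.1, 3000.2, 3001, ...
        return v >= FIXED_3000_BRANCH
    if v[0] == 2019:          # 2019.2.x
        return v >= FIXED_2019_BRANCH
    return False              # older branches: treat as needing review


def assess(config_text, version_text):
    """Summarise the findings a defender would want for one Salt minion."""
    master = configured_master(config_text)
    return {
        "master": master,
        "master_named_in_advisory": master in MASTERS_NAMED_IN_ADVISORY,
        "salt_patched": is_patched(version_text),
    }


# Constructed sample inputs standing in for /etc/salt/minion and `salt-minion --version`.
SAMPLE_MINION_CONFIG = """\
# Salt minion configuration (constructed sample)
#master: salt
master: us-2.virl.info
id: virl-host-01
"""
SAMPLE_VERSION = "salt-minion 2019.2.3"

if __name__ == "__main__":
    print(assess(SAMPLE_MINION_CONFIG, SAMPLE_VERSION))
```

Run it against the real minion file and the output of `salt-minion --version` on a box you administer; a master that appears in the advisory list, or a version older than the fixed release for its branch, is the cue to follow up with Cisco or to upgrade Salt.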

Meanwhile, Cisco acquired internet and network monitoring biz ThousandEyes in a deal thought to total $1bn. The San Francisco upstart will be merged with Cisco's new Networking Services business unit.

“I’m excited to welcome the ThousandEyes team to Cisco,” said Todd Nightingale, general manager of Cisco Enterprise Networking and Cloud unit. “The combination of Cisco and ThousandEyes will enable deeper and broader visibility to pin-point deficiencies and improve the network and application performance across all networks.”

Zoom's end-to-end encryption is coming to paying customers only, such as schools and enterprises, a spokesperson told Reuters. Users of free accounts won't benefit from the enhanced privacy-protecting cryptography.

GitHub issues alert over Octopus malware attacks on Netbeans

More than two-dozen projects on GitHub were found to be serving up malware, says the Microsoft-owned outfit.

An alert posted this week stated that 26 NetBeans Java repos were infected with a remote-access malware called Octopus Scanner.

"On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware," GitHub said.

"After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself."

Interestingly, GitHub said the malware was likely planted without any notification to the developers who ran the otherwise legitimate projects. Rather, the attackers were seeking out specific Java projects and modifying the nbproject/cache.dat files to include their malware.
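Because the malware rides on files inside a project's `nbproject/` directory, a simple baseline integrity check catches this class of tampering. The script below is an added example (not GitHub's, NetBeans' or the researchers' code): it hashes every file under any `nbproject/` directory, flags a `cache.dat` file (the one the alert names) and reports any file added, removed or changed since a recorded baseline. The baseline format and the throwaway project tree are constructed for the example; the "drift" it introduces is a harmless placeholder, not real payload content.

```python
"""Added example (not GitHub's, NetBeans' or the researchers' code): a baseline
integrity check over NetBeans `nbproject/` directories.  It flags any
`cache.dat` file, the file the GitHub alert says Octopus Scanner modified to
carry its payload, and any file added, removed or changed since a recorded
baseline of SHA-256 digests.  The baseline format and the sample project tree
are constructed for this example.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_nbproject(root):
    """Map relative path -> sha256 for every file inside any nbproject/ directory under root."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if "nbproject" not in rel_dir.split(os.sep):
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def find_anomalies(root, baseline):
    """Compare the current tree against a baseline; return sorted (reason, path) findings."""
    current = snapshot_nbproject(root)
    findings = []
    for rel, digest in current.items():
        if rel.rsplit("/", 1)[-1] == "cache.dat":
            findings.append(("cache.dat present", rel))
        if rel not in baseline:
            findings.append(("file not in baseline", rel))
        elif baseline[rel] != digest:
            findings.append(("hash changed since baseline", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("file missing from checkout", rel))
    return sorted(findings)


def build_sample_repo():
    """Construct a throwaway NetBeans-style checkout (constructed fixture)."""
    root = tempfile.mkdtemp(prefix="nbdemo-")
    nb = os.path.join(root, "app", "nbproject")
    os.makedirs(nb)
    with open(os.path.join(nb, "project.xml"), "w") as f:
        f.write("<project/>\n")
    with open(os.path.join(nb, "build-impl.xml"), "w") as f:
        f.write("<project name=\"app-impl\"/>\n")
    return root


def simulate_drift(root):
    """Constructed change: drop a cache.dat into nbproject/ and edit project.xml."""
    nb = os.path.join(root, "app", "nbproject")
    with open(os.path.join(nb, "cache.dat"), "wb") as f:
        f.write(b"constructed placeholder bytes, not a real payload\n")
    with open(os.path.join(nb, "project.xml"), "a") as f:
        f.write("<!-- edited after baseline -->\n")


if __name__ == "__main__":
    repo = build_sample_repo()
    try:
        baseline = snapshot_nbproject(repo)     # record once, from a known-good checkout
        simulate_drift(repo)
        for reason, path in find_anomalies(repo, baseline):
            print("%-28s %s" % (reason, path))
    finally:
        shutil.rmtree(repo)
```

In practice the baseline would be taken from a reviewed commit and stored outside the working tree, and the check run in CI before the build step, since the build process itself is what spread this malware.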

Make sure you've installed the latest iOS 13.5 security patches, as they contain fixes to prevent things like Bluetooth traffic from being intercepted and images triggering malicious code execution.

They do not contain a fix for a kernel-level arbitrary code execution hole exploited by the unc0ver jailbreak. It is said the hole exists in iOS 13.5 because although Apple previously fixed the bug at the heart of the jailbreak, it reopened it with its latest OS release.

As such, the jailbreak is said to work on iOS 11 to 13.5, except versions 12.3-12.3.2 and 12.4.2-12.4.5 in which the vulnerability was closed.

US watchdog warns of college-focused Coronavirus scams

Those in higher education in America should take note of this warning from America's consumer regulator about phishing emails targeting university students.

The FTC said miscreants have been looking to lift the logins of students by posing as members of their schools' financial assistance departments. The students are told they should log into their accounts to obtain their coronavirus financial assistance checks. Instead, students are sent to sites that harvest their account details and/or try to install malware on their machines.

A hacker called VandaTheGod has been identified after a seven-year spree due to poor opsec, according to Check Point Research.

Capital One told to cough up hack analysis

Capital One has been ordered to cough up a security outfit's investigative report into the credit-card giant's 2019 network security breach.

A judge handling a class-action complaint filed on behalf of customers in the US, whose info was stolen by hackers who broke into the financial biz, has said Capital One cannot legally hide the confidential forensic report produced by Mandiant at Capital One's request.

This means that the suing attorneys, at least, will get a rare look into the internal dossiers produced for large companies by professionals hired to assess network intrusions; dossiers that explain what went wrong, and what can be done in future to avoid catastrophe. Capital One had asked the court to keep the information private on the grounds it was a protected legal document, an argument the judge found unpersuasive.

Minted hacked

Graphic design marketplace Minted has fessed up to being the source of five million account details flogged on darknet markets earlier this month. The site said the user records were stolen on May 6, a theft detected on May 15.

"The information involved includes customers’ names and login credentials to their Minted accounts, consisting of their email address and password. The passwords were hashed and salted and not in plain text," Minted said.

"Telephone number, billing address, shipping address(es), and, for fewer than one percent of affected customers, date of birth, also may have been impacted."

Real-estate app Tellus exposes sensitive paperwork

This week in "companies forgetting to close their Amazon Web Services S3 buckets" we have real-estate app Tellus.

The research team at Cybernews found an AWS-hosted cloud storage silo open on the internet containing tens of thousands of account details and documents.

These included property owner records, renters' documents, metadata on financial transactions, and transaction records. The documents also contain email addresses and phone records.

If there's any good news to be had, it's that there's no indication yet that anyone other than the Cybernews crew was aware of the database facing the internet. The system has since been secured.

Michigan State hit by ransomware gang

Bad news, Spartans. It seems Michigan State University in the US has reportedly fallen victim to ransomware. The Netwalker hacker crew laid claim to the intrusion, and has said they will be releasing documents obtained during the security breach shortly, unless the school coughs up an unspecified amount of cryptocurrency.

While the exact nature of what was stolen is not known, it is said to include the personal documents of students.

Valak malware spreading like wildfire

The team at Cybereason took a deep dive into the Valak malware, and found dozens of strains of the software nasty cropping up in an astonishingly short amount of time. Most notably, they found that the malware has expanded in scope beyond its original purpose as a loader for other bits of spyware and similar malicious code.

"Though it was first observed in late 2019, the Cybereason Nocturnus team has investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months," the report noted. "This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises."

Ted Cruz wants Twitter brought up for hosting the Ayatollah

US Senator Ted Cruz (R-TX) has joined President Trump's lead in piling on Twitter for alleged misdeeds.

The Texas conservative wants the microblogging site to be investigated [PDF] by American prosecutors for continuing to host the accounts of Iranian leaders Ali Khamenei and Javad Zarif.

"Twitter stated that it will not eliminate these accounts because 'to deny our service to [Iran’s] leaders at a time like this would be antithetical to the purpose of our company,' and because Twitter’s 'goal is to elevate and amplify authoritative health information as far as possible'," Cruz thundered.

"The position cannot be aligned with Iranian policy as it actually exists or with how designated Iranian officials use Twitter."

Surely this has nothing to do with Twitter's handling of the President's account, and Cruz filed this complaint entirely by coincidence and out of genuine concern for national security. ®

Biting the hand that feeds IT © 1998–2022