Azure Cosmos DB
Critical Vulnerability

Summary: On August 12, 2021, a critical vulnerability in the Azure Cosmos DB Jupyter Notebook feature was reported to Microsoft. The exploit has been dubbed “ChaosDB” by the cloud infrastructure security company WIZ. Azure Cosmos DB is a globally distributed, multi-model database service for any scale. Jupyter Notebook is an open-source web application that allows you to create and share documents containing live code, equations, visualizations and narrative text. With no prior access to the target environment, a threat actor can exploit a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB that allows them to query information about the target’s Notebook. This yields credentials for the user’s Cosmos DB account, the Jupyter Notebook Compute, the Jupyter Notebook Storage, and the Cosmos DB Primary Keys. With access to a Cosmos DB Primary Key, a threat actor has full read, write, and delete permissions to the entire database associated with that key.

Why it matters: Microsoft’s security teams took immediate action to fix the problem and disabled the vulnerable feature. However, WIZ indicates that the vulnerability was exploitable for months and says, “every Cosmos DB customer should assume they’ve been exposed.” To mitigate the risk, Microsoft advises its customers to regenerate their Cosmos DB Primary Keys. WIZ has published a blog post covering further mitigations.

Atlassian Confluence
Exploited For Crypto Mining

Summary: On August 25, 2021, Atlassian disclosed a remote code execution vulnerability in its Confluence product. Confluence is a popular web-based workspace used for collaborative projects in corporate environments. The vulnerability and its details were disclosed on the Confluence support page and are tracked as CVE-2021-26084. Advisories from the Cyber National Mission Force and the Cybersecurity and Infrastructure Security Agency were also published, urging Confluence users to update to the latest versions. Customers who have not upgraded risk remote code execution on their Confluence servers, giving attackers the ability to download software and launch applications remotely. Just days after the disclosure, the cyber security intelligence firm Bad Packets reported exploitation in the wild in which the vulnerability was used to install crypto-mining malware on affected servers.

Why it matters: Remote code execution allows attackers to download, install, and launch scripts and programs of their choosing. In the case of the Confluence vulnerability, attackers were reported to be installing crypto-mining malware, but nothing stops them from using the same vulnerability to conduct other types of cyber-attacks. Crypto-mining malware uses the victim’s server resources to mine cryptocurrency for the attackers, degrading the performance of those devices and potentially halting business functions. Vulnerabilities such as this one highlight the importance of keeping software and systems up to date.

Credentials Pilfered From 87,000
Unpatched Fortinet SSL-VPNs
Have Been Posted Online

Summary: Fortinet released a report on September 8, 2021, confirming that credentials harvested from 87,000 Fortinet SSL-VPN devices had been leaked. Analysis by AdvIntel shows a total of 22,500 victimized entities across various countries, 2,959 of them in the US. The attacks exploited FG-IR-18-384 / CVE-2018-13379, a path traversal weakness in FortiOS that was discovered in 2018, has been persistently exploited since then, and recently made CISA’s list of the top 30 most exploited flaws. Exploiting this weakness allows an unauthorized user to download system files through HTTP resource requests to the SSL VPN web portal. Fortinet fixed the vulnerability in May 2019 and has encouraged its customers to upgrade their devices.

Why it matters: Attackers can use the leaked VPN credentials to gain unauthorized access, exfiltrate data, install malware, and even launch ransomware attacks. Security teams that have patched their VPNs but have not reset the device passwords remain vulnerable to this attack, which is why this exploit is still commonly used.

Uptick In
Ransomware

Summary: Across September, ransomware activity appears to have ramped up. Attacks came from a variety of groups: BlackMatter hit the medical technology company Olympus, REvil returned from a two-month hiatus, and Ragnar Locker threatened to release confidential information. In a Bleeping Computer article, Lawrence Abrams breaks down a collaborative report by the cyber threat intelligence company KELA on the most likely targets of ransomware gangs. Its basic findings indicate that ransomware gangs are more likely to target high-revenue companies in high-value geographies such as Australia, Canada, the United States, and European countries.

Why it matters: If there is one thing that remains true, it’s that organizations need to stay up to date and educated on recent attacks and what they mean for their security posture. Following this trend, it is important to understand common attack vectors, which industries are being targeted, and what organizations can do to survive a ransomware attack. Here at the Zyston SOC, we are always keeping an eye on news regarding potential Indicators of Compromise (IOCs) for ongoing ransomware attacks. In the additional reading section below, we have included trusted resources on improving your company’s security posture against ransomware, along with survival guides if you’ve been hit.

Security Tip Of The Month

Summary: On September 1, a fired credit union employee pleaded guilty to deleting 21 GB of confidential data, as well as anti-ransomware software files, from the company shared drive after the IT department failed to revoke her access following her termination. Due to insufficient backups, the credit union paid over $10,000 to restore data following the loss. In a separate case, the LockBit ransomware group attempted to recruit insiders to help deploy malware on corporate networks. Vindictive former employees, or current employees with financial motives, can pose a threat to internal security.

Why it matters: Employees, vendors, and partners have insight into how a company operates and can use that knowledge maliciously. Best practices include provisioning account permissions with the least privilege necessary to complete routine tasks. Zyston monitors access to high-privilege groups as well as suspicious mass deletions to stay abreast of potential data loss and privilege escalation. Additionally, it is important to automate identity and access management where possible so that terminated employees are deprovisioned promptly across all company resources.
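As an added illustration (not from this newsletter or Zyston’s tooling), the following Python checks constructed audit events for the three patterns this tip calls out: activity from accounts HR has marked terminated, bursts of deletions by a single account, and additions to high-privilege groups. The event format, user names, HR feed and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events, not real logs: (timestamp, user, action, target).
# Hypothetical scenario: "jdoe" was terminated on Aug 31 but keeps a working account.
EVENTS = [
    ("2021-09-01T08:55:00", "asmith", "DELETE", "\\\\fs01\\shared\\old_draft.docx"),
    ("2021-09-01T09:00:00", "jdoe", "LOGON", "fs01"),
    ("2021-09-01T09:01:00", "jdoe", "DELETE", "\\\\fs01\\shared\\loans_q1.xlsx"),
    ("2021-09-01T09:01:30", "jdoe", "DELETE", "\\\\fs01\\shared\\loans_q2.xlsx"),
    ("2021-09-01T09:02:00", "jdoe", "DELETE", "\\\\fs01\\shared\\members.csv"),
    ("2021-09-01T09:02:30", "jdoe", "DELETE", "\\\\fs01\\shared\\av_policy.bin"),
    ("2021-09-01T09:03:00", "jdoe", "DELETE", "\\\\fs01\\shared\\ransom_sigs.dat"),
    ("2021-09-01T09:45:00", "asmith", "ADD_TO_GROUP", "Domain Admins"),
    ("2021-09-01T10:10:00", "asmith", "DELETE", "\\\\fs01\\shared\\tmp.log"),
]
TERMINATED = {"jdoe": "2021-08-31T17:00:00"}       # assumed HR feed: user -> last day
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}

def _parse(event):
    ts, user, action, target = event
    return datetime.fromisoformat(ts), user, action, target

def activity_after_termination(events, terminated):
    """Any event by a user after HR's termination time means access was not revoked."""
    hits = []
    for ts, user, action, target in map(_parse, events):
        cutoff = terminated.get(user)
        if cutoff and ts > datetime.fromisoformat(cutoff):
            hits.append((user, ts.isoformat(), action, target))
    return hits

def mass_deletions(events, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold DELETE events inside a sliding window -> peak count."""
    recent, flagged = defaultdict(deque), {}
    for ts, user, action, _ in sorted(map(_parse, events)):
        if action != "DELETE":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop deletions older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged

def privileged_group_changes(events, groups=PRIVILEGED_GROUPS):
    """Membership additions to high-privilege groups, always worth a human review."""
    return [(user, ts.isoformat(), target) for ts, user, action, target
            in map(_parse, events) if action == "ADD_TO_GROUP" and target in groups]
```

In practice the HR termination feed and the audit events would come from the identity provider and the file server or SIEM; the thresholds here are deliberately low so the constructed sample trips them.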