This week: Unistellar attackers wiped over 12,000 MongoDB databases, a Slack bug allows remote file hijacking, the Baltimore ransomware nightmare could last weeks more, over 25,000 smart Linksys routers are leaking sensitive data, and Huawei’s microchip vulnerability explained! In the expert commentary, we welcome Charles Thompson, Senior Director of Product Management at VIAVI, to talk about Security Forensics!
To learn more about VIAVI Solutions, visit: https://securityweekly.com/viavi
- Unistellar attackers already wiped over 12,000 MongoDB databases – Bleeping Computer first reported the attacks and cited the expert Sanyam Jain as the person who discovered the deleted MongoDB databases. “This person might be charging money in cryptocurrency according to the sensitiveness of the database,” explained Jain. The expert discovered 12,564 unprotected MongoDB DBs that were wiped by an attacker tracked as Unistellar by searching for the text “hacked_by_unistellar” that the attacker left in the message. Making the same search on Shodan, experts at BleepingComputer found a smaller number, 7,656 databases, while doing the same search I found 8,133 compromised installs exposed online. Given the large number of MongoDB databases deleted by Unistellar, it is likely the attacker has automated its attack chain.
- Slack Bug Allows Remote File Hijacking, Malware Injection – According to Tenable Research’s David Wells, who discovered the bug and reported it via the HackerOne bug-bounty platform, a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows would allow an attacker to post a specially crafted hyperlink into a Slack channel that changes the document download location path when clicked. Victims can still open the downloaded document through the application; however, that will be done from the attacker’s Server Message Block (SMB) share. The attack surface is potentially large. Slack said in January that it has 10 million active daily users, and 85,000 organizations use the paid version (it’s unclear how many are Windows users). Fortunately, Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0, so users should upgrade their apps and clients.
- Security researchers discover Linux version of Winnti malware | ZDNet – Chronicle says it discovered this Linux variant after news broke last month that Bayer, one of the world’s largest pharmaceutical companies, had been hit by Chinese hackers, and the Winnti malware was discovered on its systems. During subsequent scans for Winnti malware on its VirusTotal platform, Chronicle said it spotted what appeared to be a Linux variant of Winnti, dating back to 2015 when it was used in the hack of a Vietnamese gaming company. I love this insight: “The lower prevalence [of Linux malware] may be because Linux provides ample opportunity for actors to ‘live off the land’ which renders customized tooling unnecessary,” says Silas Cutler, Reverse Engineering Lead at Chronicle.
- Baltimore ransomware nightmare could last weeks more, with big consequences – There are some lessons to learn here, but also cut them some slack as transitioning to the cloud is not all that easy: Until the ransomware attack, the city’s email was almost entirely internally hosted, running on Windows Server 2012 in the city’s data center. Only the city’s Law Department had moved over to a cloud-based mail platform. Now, the city’s email gateway has moved to a Microsoft-hosted mail service, but it’s not clear whether all email will be migrated to the cloud—or if it’s even possible. While Mayor Young said the city had data backups, it’s not clear how widely backups were implemented. And Johnson would not say whether there was a disaster-recovery plan in place to deal with a ransomware attack.
- Core Elastic Stack Security Features Now Available For Free Users As Well – This seems to be a trend: Since the free version of Elastic Stack by default does not have any authentication or authorization mechanism, many developers and administrators fail to properly implement important security features manually. The core security features—like encrypted communication, role-based access control, authentication realms—in previous versions required a paid Gold subscription, but the latest versions 6.8.0 and 7.1.0 of the Elastic Stack released today offer these features for free so that everyone can run a fully secure cluster without any hassle. It is so important that companies and open-source projects make security available by default, even in the free and/or open-source version of their software.
- Over 25,000 smart Linksys routers are leaking sensitive data | ZDNet – The first question is how? Turns out that’s easy, a vulnerability from 2014: CVE-2014-8244 allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/HTTP request. A patch was issued and likely not applied to many routers, allowing for the following results: Subsequent scans revealed that 25,617 Linksys Smart Wi-Fi routers are vulnerable and are leaking not only MAC addresses, but also device names, operating system types, and in some cases WAN settings, firewall status, firmware update settings, and DDNS configurations.
- Huawei’s microchip vulnerability explained – Google’s announcement that it was no longer able to work with Huawei is just one repercussion of the US decision to add the Chinese tech giant to its “entity list” of companies American firms cannot work with. The true impact to Huawei may be enormous. While we often refer to the firm’s devices as simply “Chinese”, the reality is much more complicated – it sources parts and expertise from all over the world. The same can be said for the likes of Apple, of course, which relies at least in part on chips created by its rival, Samsung. This will have some farther-reaching effects: As well as Google having to pull back on supplying its version of Android, major US technology suppliers including Xilinx, Qualcomm, Broadcom, and Intel have all warned they will need to stop selling their technology to Huawei in order to comply with the ban.
Expert Commentary: Charles Thompson, Viavi
Charles Thompson, Sr. Director of Product Management at VIAVI Solutions, has a career spanning 20 years in the IT space specializing in using wire-data to assist SecOps and NetOps teams with management, analysis, and protection of critical applications, services, and data. At VIAVI, Charles leads product management for the enterprise security and performance management solutions allowing earlier detection and faster, more comprehensive responses to security threats. Prior to VIAVI, Charles held various leadership roles in product management and services at Network Instruments. To learn more about VIAVI Solutions security solutions and to access a variety of premium whitepapers and assets, visit securityweekly.com/viavi.
Topic: Security Forensics
- Register for our upcoming webcasts with Kaseya, SaltStack, and DomainTools by going to securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand