Container Escape

    Over the years there has been a fundamental shift in software development practices. In the past it was typical to build and maintain large monolithic code bases and run them on large servers, individual virtual machines, or even bare metal. Now, as many of us already know, applications are increasingly packaged as small services, loosely coupled together in what is called a microservices architecture and spread across a smaller pool of distributed commodity hardware. This infrastructure creates layers between the application and host environments, makes it fast and easy to apply patches and updates across the stack, and helps maintain overall security compliance.
    This past January a severe vulnerability affecting these containerized environments was disclosed: CVE-2019-5736, which allows an attacker to escape from a container to the host system via docker-runc. The vulnerability affects container technologies such as cri-o, containerd, and Kubernetes. Note that the attacker would need root-level access within the target container. The attacker then needs a malicious binary that is run on user entry. According to the researchers’ attack description, the attacker’s code replaces a dynamic library used by docker-runc with a custom .so file that carries an additional global constructor. This function opens /proc/self/exe for reading and then executes another binary, which this time opens /proc/self/fd/3 for writing; that is the file descriptor of the docker-runc binary that was opened before execve. The attacker can then write arbitrary code to that file descriptor, overwriting the original docker-runc file on the host and compromising the host operating system.
    As the researchers describe the attack timeline: when a host user runs the affected container, the new docker-runc process is executed within the container, but using the actual binary on the host file system. The docker-runc process, however, loads the attacker-controlled .so files from the container file system. The malicious global constructor function is executed and loads the attacker-controlled binary, which overwrites docker-runc on the host file system with a compromised copy. From then on, whenever any user starts a docker image on that host, the compromised docker-runc is executed in the host environment, fully compromising the system.
    A fix to docker-runc was created. The patched code creates a memory-based file descriptor and loads a known-good docker-runc binary into it. Before entering the container’s namespaces, docker-runc is then executed from that memory-based file descriptor, so the docker-runc binary on the host file system cannot be overwritten through this path. Other potential mitigations involve appropriately configuring SELinux, marking the affected files read-only, and lowering the privileges of users inside containers.
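The memory-based file descriptor approach described in the fix, as an added illustration written for this newsletter and not runc’s own patch code: the program copies its own executable into an anonymous memory file, seals that copy against writes and resizing, and re-executes itself from the copy, so a later writer to the on-disk binary changes nothing that is running. The memfd name "runc-clone" and the CLONE_DEMO_STAGE2 environment variable are assumptions for the demo; Linux only.

```c
#define _GNU_SOURCE                 /* glibc: expose Linux-specific declarations */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef F_ADD_SEALS                 /* fallback for headers without seal support (Linux UAPI values) */
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#endif
#define MEMFD_FLAGS 3U              /* MFD_CLOEXEC | MFD_ALLOW_SEALING */
#define ALL_SEALS   0xFU            /* F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE */
extern char **environ;

/* Copy the file at `path` into an anonymous memory-backed fd and seal it, so a
 * later writer to the on-disk path (or to /proc/self/exe of the re-executed
 * process) can no longer change or truncate the code that runs. -1 on error. */
int clone_to_sealed_memfd(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* syscall() is used so this builds even where libc has no memfd_create() wrapper. */
    int mem = (int)syscall(SYS_memfd_create, "runc-clone", MEMFD_FLAGS);
    if (mem < 0) { close(src); return -1; }
    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        if (write(mem, buf, (size_t)n) != n) { n = -1; break; }  /* memfd writes are whole short of ENOSPC */
    }
    close(src);
    /* Refuse to hand back a copy that is short or still mutable. */
    if (n < 0 || fcntl(mem, F_ADD_SEALS, ALL_SEALS) < 0) { close(mem); return -1; }
    return mem;
}

/* True when every seal we rely on is present on fd (non-memfd fds report none). */
int memfd_is_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & ALL_SEALS) == ALL_SEALS;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (getenv("CLONE_DEMO_STAGE2")) {      /* stage 2: now running from the memfd */
        puts("stage 2: running from the sealed in-memory copy");
        return 0;
    }
    int fd = clone_to_sealed_memfd("/proc/self/exe");
    if (fd < 0) { perror("clone_to_sealed_memfd"); return 1; }
    setenv("CLONE_DEMO_STAGE2", "1", 1);
    fexecve(fd, argv, environ);              /* re-exec from the copy; returns only on failure */
    perror("fexecve");
    return 1;
}
```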

 Sources
 • https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
 • https://cyware.com/news/proof-of-concept-for-container-escape-vulnerability-unleashed-0c79f909

“Catastrophic” hack on VFEmail destroys almost two decades of data

!!!ALERT!!!! Update Feb 11 2019
www.vfemail.net and mail.vfemail.net are currently unavailable in their prior form.
We have suffered catastrophic destruction at the hands of a hacker, last seen as [email protected]
This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.


Main points:

  • If you didn’t use nl101.vfemail.net, then your mailbox is gone. Send yourself an email to re-create it (if necessary).
  • After the initial incident on 2/11, incoming mail was queued on the sending servers. These should have started coming in within 12 hours, creating new mailboxes for existing accounts – ‘new’ mail should not be lost.
  • Accounts exist, the mail data does not. If your mailbox hasn’t been re-created, you can’t log in. Send yourself an email to re-create it.
  • If you’re one of the 10% who used webmail, your addressbook and calendars still exist.
  • If you can’t log in, use https://nl101.vfemail.net to log in to webmail.
  • If you used POP, change your mail server to nl101.vfemail.net.
  • If you used IMAP, CREATE A NEW ACCOUNT, and use nl101.vfemail.net for the server name. DO NOT CHANGE AN EXISTING ACCOUNT, YOU WILL SYNC WITH AN EMPTY MAILBOX AND LOSE YOUR LOCAL MAIL.
  • There is no control panel.
  • Consider your mailbox data to be lost, but we haven’t given up yet.

Timeline –

As of 5am 2/11/19
www.vfemail.net and mail.vfemail.net are currently unavailable.
We have suffered catastrophic destruction at the hands of a hacker, last seen as [email protected]
This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.

New updates 2/11/19 6pm CST:

  • Incoming mail is now being delivered.
  • Webmail is up. Note: mailboxes are created upon new mail delivery. If you cannot log in, you may not have received mail.
  • Mailboxes are new, no subfolders exist.
  • No filters are in place. If you created a filter with Horde, log in to Horde, create any folders you need, click Filter, click Script, then click ‘Activate Script’.
  • There is no spam scanning at this time – incoming mail may be spam scanned depending on DNS status.
  • Free users should not attempt to send email, there is currently no delivery mechanism for free accounts. Paid accounts should be useable, including Horde/Roundcube contacts and calendars.
  • NL hosted email is available (if you bought and requested a Migration).

At this time I am unsure of the status of existing mail for US users. If
you have your own email client, DO NOT TRY TO MAKE IT WORK.
If you reconnect your client to your new mailbox, all your local mail will be lost.

2/12/19
AT YOUR OWN RISK – POP users can use ‘nl101.vfemail.net’
IMAP Users should create a new account, then use ‘nl101.vfemail.net’ as the IMAP/SMTP server

2/13/19

  • If you are unable to login, send yourself an email from another location. Receipt of an email creates your new mailbox.
  • We have engaged a data recovery vendor to discuss options.
  • Mailboxes were shut down for a short time while we move data between volumes. We’ve used 11Gb of space in 2 days – FYI.
  • Vanity domains should receive mail properly now
  • If you were set to ‘nobackup’, you should start receiving mail now.

“Yes, @VFEmail is effectively gone,” VFEmail founder Rick Romero wrote on Twitter Tuesday morning after watching someone methodically reformat hard drives of the service he started in 2001. “It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

VFEmail says data for virtually all US users is gone for good!

More about Windows Sandbox

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.

Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on Microsoft’s hypervisor to run a separate kernel which isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

Prerequisites for using the feature

  • Windows 10 Pro or Enterprise Insider build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

If you have this build, the steps to enable this feature are located here.

The information posted here comes from Microsoft

Internet Romance Scams Be Warned

The Federal Trade Commission (FTC) has released an article addressing a rise
in reports of internet romance scams. In this type of fraud, cyber criminals
gain the confidence of their victims and trick them into sending money. Use
caution when online dating, and never send money or gifts to someone you have
not met in person.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users to review FTC’s article on Romance Scams and NCCIC’s tip on Staying Safe on Social Networking Sites. If you think you have been a target of a romance scam, file a report with

Ransomware Attack Via MSP Locks Customers Out of Systems

Vulnerable plugin for a remote management tool gave attackers a way to encrypt systems belonging to all customers of a US-based MSP.

An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP.

The attack resulted in some 1,500 to 2,000 systems belonging to the
MSP’s clients getting cryptolocked and the MSP itself facing a $2.6
million ransom demand.

Discussions this week on an MSP forum on Reddit over what appears to
be the same — or at least similar — incident suggest considerable
anxiety within the community over such attacks, with a few describing
them as a nightmare scenario.

To read the full article, go here.

Google Play Store Has Vanity Apps That Open Users Up to Attack

    Some people like to look their best, and sometimes reality just isn’t enough. With the addition of an altered-reality landscape we can add to and modify our worlds and ourselves through the lens of our phones. There are apps that can access your phone’s camera, detect your facial position, add features, correct color imbalances, enhance traits we find desirable, and remove elements that aren’t so desirable.

    Researchers at Trend Micro have found 29 beauty apps in the Google Play store with malicious traits. These apps exploit a user’s desire to be more than what they are to open them up for attack. They connect to remote ad configuration servers that receive data about the device the malicious app is installed on and direct the victim to attacks tailored for that device.

    The authors of these malicious apps have included efforts to hide traces of their existence in a feeble attempt at permanence. Once downloaded, one of the packages included in these apps provides the user a shortcut icon to impale themselves upon, but hides the app icon from the application list in an attempt to prevent its own deletion.

    These apps have several methods of monetizing their targets, including phishing for personal information, collecting freshly taken photos, or simply accepting payment for services never rendered. They can include false “contests” that end in a request for personal information to deliver a promised prize. One app offers to beautify an image uploaded to its server, but the user never gets the result back, while the attacker compiles a data set of images that can be used for future fraudulent social media profiles. Another app pushes an ad for a paid online pornography player, which accepts payment and likely collects payment information; the researchers found that the player does not play despite payment.

    The Google Play Store has already removed these apps. The top three (Pro Camera Beauty, Cartoon Art Photo, and Emoji Camera) had over one million downloads each, and the next eight had downloads in the hundreds of thousands. The large majority of these downloads occurred in Asia, particularly India.

    The best recommendation is to read the reviews of any app you want to try out. Any reviews indicative of malicious behavior are sufficient warning. Anything produced by an untrusted source should be subject to scrutiny, and anything requesting information doubly so.

Sources

https://blog.trendmicro.com/trendlabs-security-intelligence/various-google-play-beauty-camera-apps-sends-users-pornographic-content-redirects-them-to-phishing-websites-and-collects-their-pictures/

https://www.dpreview.com/news/0890709908/google-removes-29-malicious-android-camera-apps-from-play-store

https://securityaffairs.co/wordpress/80666/malware/malicious-beauty-apps.html

Shortcut to Fear

    Siri sets alarms, calls your mother, and finds you that piece of trivia that’s been itching in your brain for the past week. Siri helps people manage their electronic fears and control their digital world in a human way. So when Siri Shortcuts came along with iOS 12, I’m sure many people were elated at the thought of automating their daily rituals and streamlining repeated complex tasks.

    While it’s doubtful that most users will automate their household energy consumption or repeatedly perform multi-step computations via voice command, the average user might be interested in shortcuts designed by business owners trying to make it smoother to exchange money for goods and services. Also, it just feels a bit cool to do many things with a single tap. However, with automation and complexity there is always an avenue for abuse. IBM’s Security Intelligence has outlined a few methods for a pseudo-ransom attack that uses many of the capabilities of Siri Shortcuts.

    The app can perform many of the phone’s basic functions, which can be used to confuse and then scare a user into paying a ransom to the attacker. Some of Siri Shortcuts’ capabilities include text to speech, flashlight control, vibration control, volume and brightness control, clipboard data collection, data storage manipulation, IP address collection, GPS location collection, and other forms of information gathering.

    The most alarming capability is message creation and sending combined with contact list access. A maliciously crafted shortcut could send a copy of itself to each person in the victim’s contact list. It has been advised time and again never to download anything from an untrusted source, but who would think your grandson would send you anything malicious? Suddenly you’re at an ATM, your phone is vibrating and flashing, it snaps a picture of your face and your bank card, and it tells you that you’re being tracked while repeating your location and reading out your browsing history. Even the most cool-headed person would be shaken and might fall for the ruse. And if you’re savvy enough to remain composed and ignore it, a co-worker or a cousin might not be.

    An ounce of prevention is worth a pound of cure. Never install shortcuts from untrusted sources. Never allow anything to exist on your phone that requires permissions outside your comfort zone. Use the “Show Actions” button to see what a shortcut actually does before running it. Constant vigilance toward anything that can run without your direct control is the minimum in this day and age.

Sources:
 • https://securityintelligence.com/hey-siri-get-my-coffee-hold-the-malware/
 • https://securityaffairs.co/wordpress/80592/hacking/siri-shortcuts-abuses.html
 • https://www.securityweek.com/malicious-hackers-can-abuse-siri-shortcuts-ibm

IDenticard PremiSys vulnerabilities

ICS-CERT Industrial Control Systems Cyber Emergency Response Team Advisory:

01/31/2019 10:00 AM EST

This advisory provides mitigation recommendations for use of hard-coded credentials, use of hard-coded password, and inadequate encryption strength vulnerabilities reported in the IDenticard PremiSys access control system.
Cybersecurity Awareness Briefings

Cybersecurity Awareness Briefings Start Next Wednesday

Webinar: Chinese Cyber Activity Targeting Managed Service Providers

On December 20, 2018, the Cybersecurity and Infrastructure Security Agency (CISA) announced that malicious actors working on behalf of the Chinese government have been carrying out a campaign of cyber attacks targeting managed service providers (MSPs). Victims of these attacks have suffered from the loss of sensitive or proprietary information, as well as service disruptions, financial loss, and reputational harm. Organizations of all sizes, from all sectors, are still at risk for similar attacks in the future. Previously posted information on this threat can be found here: http://www.us-cert.gov/China.

Join CISA for a virtual Awareness Briefing to review the background of this threat, as well as recommended steps MSPs and their customers can take to protect themselves from future attacks.

Register now for one of two upcoming Awareness Briefings. Content is the same for each session.

  • Wednesday, February 6 at 1:00 p.m. ET
  • Friday, February 22 at 1:00 p.m. ET

Registration is limited, so please register early to guarantee your spot.

This is the latest installment in CISA’s ongoing Awareness Briefing series. Recordings of previous Awareness Briefings are available at https://www.us-cert.gov/ccubedvp/events.

Chinese APT10 intrusion activities target Government, Cloud-Computing Managed Service Providers and Customer networks worldwide

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals.  

This FLASH has been released TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

Chinese APT10 intrusion activities target Government, Cloud-Computing Managed Service Providers and Customer networks worldwide. The following information was obtained through FBI investigations and is provided in accordance with the FBI’s mission and policies to prevent and protect against federal crimes and threats to the national security.

The FBI is providing the following information with HIGH confidence:

SUMMARY: 

The FBI obtained information regarding a group of Chinese APT cyber actors stealing high value information from commercial and governmental victims in the U.S. and abroad.  This Chinese APT group is known within private sector reporting as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM.  This group heavily targets managed service providers (MSP) who provide cloud computing services; commercial and governmental clients of MSPs; as well as defense contractors and governmental entities.  APT10 uses various techniques for initial compromise including spearphishing and malware.  After initial compromise, this group seeks MSP administrative credentials to pivot between MSP cloud networks and customer systems to steal data and maintain persistence.  This group has also used spearphishing to deliver malicious payloads and compromise victims.  

WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately. Email: [email protected] Phone: 1-855-292-3937