Browser automation script.
Roundup Here’s a quick summary of news in the world of information security beyond everything we’ve already covered.
Docker containers banished to the coin mines
Last week was not a great week for the Docker security team, first with the revelation of a race condition flaw, then with a warning from Trend Micro of active attacks against Docker installations.
The infosec house said it spotted a number of infected Docker containers running Monero mining scripts. The malware probes running containers to check for open APIs and, if exposed, then uses the API to install a Monero mining script on the container, which then run a Shodan.io search to look for further containers to infect.
This does not appear to be a one-off attack, either, as Trend senior threat researcher Alfredo Oliveira believes more Docker containers will be targeted in the future.
“The increased adoption of containers has also led to an increase in threats that target the technology. These threats are often successful, not only due to the exploitation of flaws and vulnerabilities in the container software but also due to misconfiguration, which remains a constant challenge for organizations,” Oliveira said.
“In this case, the hosts that have exposed APIs are not just victims of cryptocurrency-mining operations — they also contribute further to the distribution of the infected containers.”
Uh oh, Nginx just sounded the klaxon on a remote code execution flaw
Bad news for potentially anyone running an Nginx server (so around 30 per cent of the websites on the planet) with nJS: make sure your installation is up to date, and stays up to date.
Alisa Esage (via the Trend ZDI) has privately reported at least one remote code execution flaw in Nginx nJS that will definitely warrant an immediate patch when available. While Nginx claims the two bugs she found and disclosed can’t be easily exploited in the wild, Esage is not so sure.
One of the bugs, an array overflow, was addressed in Nginxs nJS version 0.3.2, and an integer overflow will be patched in the upcoming nJS version 0.3.3. Make sure you apply both as soon as you can, if you use a combination of Nginx and nJS.
Hotels betrayed by leaky security servers
It’s not really news to see a hotel chain involved in a massive data leak these days. Unless the leak involved their own security tools.
Researchers with VPNmentor claim they have uncovered an exposed trove of nearly 85GB of data from Pyramid Hotel Group that had been left sitting on an unsecured, public-facing server running the free and open-source Wazuh intrusion-detection tool.
The cache of data is said to include details about the hotel chain’s security systems, employees’ personal information, network infrastructure records, and data on software and hardware systems. The records would be immensely useful to any attackers doing reconnaissance.
“This database gives any would-be attacker the ability to monitor the hotels’ network, gather valuable information about administrators and other users, and build an attack vector targeting the weakest links in the security chain,” VPNmentor said.
“It also enables the attacker to see what the security team sees, learn from their attempts based on the alerts raised by the systems, and adjust their attacks accordingly. It’s as if the nefarious individuals have their own camera looking in on the company’s security office.”
Pyramid has since been notified and the archive was taken down.
Russia beefs up its in-house Linux distro
The Kremlin has long been planning to get itself off of Windows and onto its own FSB-approved version of Linux. That effort took a step forward this week when Astra Linux cleared a major security hurdle.
The certification means the Kremlin now believes Astra is able to handle its most sensitive communications, clearing the way for a larger rollout across government systems.
Checkers chapped by POS malware
Did you enjoy a burger at retro-tastic drive-in eatery Checkers recently? If so, you will want to keep a close eye on your bank statements for a while.
The fast food chain disclosed (PDF) that it is the latest eatery operation to be hit by the scourge of point-of-sale malware that took customer card details. This includes card numbers, names, verification codes, and expiration dates.
Anyone who visited one of the compromised restaurants is being advised to monitor their bank statements and keep an eye on their credit reports.
Terrible trio of CoreOS container bugs unveiled
Bug-hunters with security house TwistLock have disclosed three new unpatched vulnerabilities in CoreOS.
The three flaws are all found in RKT, a container runtime for CoreOS, and a successful exploit would allow the attacker to escape the container and take over the host server.
“Once an attacker is running in the context of a container process spawned by ‘rkt enter’, he can escape the container and gain root access on the host with relative ease, as he runs with all capabilities, no seccomp filteringand without cgroup isolation,” said TwistLock’s Yuval Avrahami.
Google looks into HTTPS alerts for webmasters
Google’s security research team tackled an interesting idea recently: how to help site owners fix broken HTTPS setups.
The research project looked into whether a system of direct notifications would be helpful in getting webmasters to improve the security of their sites and make sure that the secured connections were operating properly. The results were something of a mixed bag, with the team concluding that alerts alone won’t be enough:
“We find that security notifications alone have a moderate impact on remediation outcomes, similar to or less than notifications for other types of security vulnerabilities.”
Apple updates Windows apps
If you’re a Windows user, chances are you don’t pay much attention to Apple’s security updates. In this case, however, you really should.
This week the Cupertino software slinger kicked out fixes for multiple flaws in the SQLite and WebKit components used by both iCloud and iTunes on Windows. Seeing as the flaws would allow for things like elevation of privilege and arbitrary code execution, you will want to update both apps sooner than later. ®