This Week in Cyber 03rd May 2024

Analyst Insight

This week in cyber we have seen several important events to look out for. The UK has taken a significant step by passing new legislation banning default usernames and passwords on Internet of Things (IoT) devices. Manufacturers are now required to ensure that their products do not ship with easily guessable or default credentials. This move aims to enhance security and protect consumers from potential attacks.

Okta, a leading Identity Access Management service, has issued a warning about the surge in credential stuffing attacks against online services. Cyber researchers have discovered three large-scale campaigns targeting Docker Hub, a platform for distributing container images. These campaigns involved millions of imageless repositories that contained malicious payloads. Attackers have tried to leverage the credibility of a trusted service to distribute their malware.

Unauthorised access to the Dropbox Sign (formerly HelloSign) production environment was detected, impacting customer information. While the breach was isolated to Dropbox Sign infrastructure, the disclosure of user data should as always prompt all users to take precautionary measures to protect themselves. Palo Alto Networks identified a critical zero-day vulnerability in its PAN-OS software. Hackers can exploit this flaw remotely without authentication, potentially gaining complete control over affected firewalls. Organisations relying on Palo Alto firewalls should promptly apply patches released by the company to mitigate the risk. 

UK Bans Default Passwords for IoT Devices: Strengthening Cybersecurity Measures

The UK's National Cyber Security Centre (NCSC) has introduced new legislation, the Product Security and Telecommunications Infrastructure act (PSTI act), effective April 29, 2024. It mandates smart device manufacturers to avoid using default passwords, provide security contact points, and specify the duration of security updates. The law covers a range of internet-connected products, including smart speakers, TVs, doorbells, smartphones, and wearable devices. Failure to comply can result in recalls and fines up to £10 million or 4% of global annual revenues. This move positions the UK as the first country to prohibit default usernames and passwords in IoT devices, aiming to mitigate cyber threats such as DDoS attacks.

Okta Warns of Surge in Credential Stuffing Attacks: Insights and Mitigation Strategies

Okta, an IAM services provider, has issued a warning about a significant increase in credential stuffing attacks on online services. These attacks, observed in recent weeks, exploit residential proxy services, stolen credential lists, and scripting tools. The surge in attacks aligns with a broader trend highlighted by Cisco, which noted a surge in brute-force attacks targeting VPN services, web application interfaces, and SSH services since March 18, 2024. Okta's Identity Threat Research detected a spike in credential stuffing activity from April 19 to April 26, 2024, originating from similar infrastructure. Credential stuffing involves using stolen credentials from one service to gain unauthorised access to another. Attackers route requests through anonymising services like TOR, and millions of requests were traced back to residential proxies like NSOCKS, Luminati, and DataImpulse. These proxies misuse legitimate user devices to conceal malicious traffic, often through proxyware installed on devices without users' knowledge, effectively creating botnets. Okta recommends measures like enforcing strong passwords, enabling two-factor authentication, blocking requests from suspicious locations and IP addresses, and supporting passkeys to mitigate account takeover risks.

Docker Hub Targeted by Imageless Container Attacks

Cybersecurity researchers have recently uncovered a series of malicious campaigns targeting Docker Hub, involving the planting of millions of "imageless" containers. These containers serve as lures to redirect users to phishing or malware-hosting websites. Of the 4.6 million imageless Docker Hub repositories identified, 2.81 million have been linked to three primary campaigns: Downloader, E-book phishing, and Website. The Downloader campaign redirects users to sites offering pirated content or game cheats, while the E-book phishing campaign lures users seeking e-books to input financial information on fraudulent websites. The Website campaign contains links to benign content or online diary-hosting services. The payload from the downloader campaign contacts a command-and-control server to obtain links to cracked software. However, the motive behind the website cluster remains unclear. These campaigns involved the creation of 208,739 fake accounts, all of which Docker has since removed. Nevertheless, users are urged to exercise caution when downloading packages from open-source ecosystems, as threat actors continue to exploit vulnerabilities. With the increasing sophistication of such attacks, developers must remain vigilant to mitigate risks effectively.

Dropbox Sign Breach Exposes User Data

On May 2, 2024, Dropbox disclosed a breach affecting its digital signature service, Dropbox Sign (formerly HelloSign), revealing that unauthorised actors accessed emails, usernames, and account settings of all users of the platform. The breach, which the company became aware of on April 24, 2024, also exposed phone numbers, hashed passwords, and certain authentication data for subsets of users. Additionally, third parties who interacted with Dropbox Sign but didn't create accounts had their names and email addresses compromised. Investigations indicate that while the attackers accessed user data, they didn't breach account contents or payment information. The incident was contained to the Dropbox Sign infrastructure, with the attackers exploiting an automated system configuration tool and compromising a service account to gain access. Dropbox has taken steps to mitigate the breach, including password resets, logging users out of connected devices, and rotating API keys and OAuth tokens. Cooperation with law enforcement and regulatory bodies is ongoing as Dropbox continues to investigate the incident. This marks the second security breach for Dropbox within two years, following a phishing campaign in November 2022.

Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

Palo Alto Networks has swiftly responded to an actively exploited security flaw in PAN-OS software with urgent hotfixes. Tracked as CVE-2024-3400 with a critical CVSS score of 10.0, the vulnerability enables unauthenticated attackers to execute arbitrary code with root privileges via command injection in the GlobalProtect feature. The fixes are available for PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3 versions, with patches for other commonly deployed releases expected soon. While Cloud NGFW firewalls are unaffected, specific PAN-OS versions and feature configurations in customer-managed firewall VMs deployed in the cloud are vulnerable. The threat actor behind the exploitation remains unidentified, but malicious activity is being tracked by Palo Alto Networks Unit 42 as Operation MidnightEclipse. Exploitation involves deploying a Python-based backdoor named UPSTYLE since at least March 26, 2024, enabling arbitrary command execution. Palo Alto Networks advises users to apply patches immediately and provides a CLI command to detect signs of potential compromise. Technical details and proof-of-concept exploit code have been made available by security researchers.