Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

RCE Vulnerability in Spotify Backstage

Back in early October, we reported on a vulnerability which allowed an attacker to escape from the popular Node.js Javascript sandbox, vm2, and execute code on the underlying server. Now the same researchers have found that the same underlying vulnerability in a popular DevOps toolbox.

In a DevOps environment, especially one using microservices architecture, developers need a central portal where they have easy access to share the tools, services and documentation that they need to integrate services. Initially developed by Spotify and then donated to the Cloud Native Computing Foundation, Backstage is a toolbox for building such portals from a few core services and plugins, and allows easier integration of projects with existing enterprise platforms and tools like Jira, ElasticSearch, Prometheus and others.

One of the more privileged components of Backstage is the Scaffolder, which executes tasks like creating Github repositories, and because this exposes the possibility of remote code execution attacks, tasks like string templating are executed in a vm2 sandbox. However, Backstage's threat model only provides authentication in order to identify the user, not for access control, and implementors are advised to protect their deployment from unauthorized access by placing it behind an authenticating proxy like Amazon's Application Load Balancer or the Google Cloud Platform Identity-Aware Proxy.

What researchers at Oxeye discovered was that their previously-discovered vm2 sandbox-escape vulnerability was present in the Backstage Scaffolder and could be exploited through the template engine, and - quelle horreur - many of the 500 Backstage servers they found by a simple Shodan search were running with no authentication or authorization protection, allowing unauthenticated remote code execution. They disclosed the resultant CVSS 9.8 vulnerability to Spotify, and a patch has been released; users should not only apply it, but check they have appropriate authentication and authorization around their deployment.

Goldstein, Gal, Yuval Ostrovsky and Daniel Abeles, Remote Code Execution in Spotify's Backstage via vm2 Sandbox Escape (CVSS Score of 9.8), blog post, 15 November 2022. Available online at https://www.oxeye.io/blog/remote-code-execution-in-spotifys-backstage.

Lazarus Group Deploys New DTrack Variant

North Korean cybercrime group Lazarus (APT38, associated with the DPRK Reconnaisance General Bureau) has long used the DTrack backdoor to deploy keyloggers, screen capture and other tools in campaigns against a range of targets. Now Kaspersky has produced a report on a new variant of DTrack which is spreading around the world.

Delivered as part of what looks like a legitimate executable, this variant performs multiple stages of decryption before activating the malware payload. First, the second stage is extracted from either an offset location or a resource within the PE executable and then decrypted, using a modified version of RC4. This second stage consists of heavily obfuscated shellcode which reads and decrypts the third stage. This shellcode has to find the decryption key by searching for the first occurrence of a string, then uses it to decrypt a configuration block which follows it and gives the final location of the payload, which may be encrypted with  a modified version of either RC4, RC5 or RC6.

The decrypted third stage is a DLL which is loaded into explorer.exe (replacing some of its code, to become the final backdoor, and contacts any of three C2 servers. Kaspersky has detected DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, the US and elsewhere, indicating that the Lazarus group is expanding its operations to Europe and Latin America.

Zykov, Konstantin and Jornt van der Wiel, DTrack activity targeting Europe and Latin America, SecureList blog, 15 November 2022. Available online at https://securelist.com/dtrack-targeting-europe-latin-america/107798/.

Magento TrojanOrder Attacks Grow Rapidly

Specialist merchant server malware security scanning firm Sansec is warning of a rapid increase in attacks on sites which use Adobe's popular Magento 2 ecommerce server. The attacks exploit an email template vulnerability, CVE-2022-24086, which dates back to February of this year - but Sansec estimates that at least one third of all Magento and Adobe Commerce stores have not been patched to date.

The attack begins with some manual interaction by the threat actor on the site - this is because the Magento order flow is highly flexible and customisable. - intended to trigger the system to send an email with the exploit code in one of the fields. This can be achieved by any of several actions, including placing an order, signing up as a customer or sharing a wishlist. If this is successful, the attacker gains access to the site and will then typically install a remote access trojan. This means that, in many cases, patching the Magento code after the site has been exploited, will not remove the attackers.

In many cases, the backdoor is hidden in the normally legitimate Magento component, health_check.php, and an observed big increase in active scanning for this file suggests that different attacker groups are trying to take over sites which had previously been pwned by another group. As of November 2022, Sansec has identified seven different initial attack vectors, suggesting that at least seven different Magecart groups are actively running these attacks on Magento 2 web sites, probably using exploits they have bought via hacker forums.

Obviously, the first order of business for Magento and Adobe Commerce users is to patch their systems, but this may not stop an attacker who is already present in the system. Sansec is offering a free scan to determine whether the site has been compromised.

Sansec Threat Research, Adobe Commerce merchants to be hit with TrojanOrders this season, blog post, 15 November 2022. Available online at https://sansec.io/research/trojanorder-magento.

Amazon RDS Snapshots Leak PII

A report from cloud incident response company Mitiga sounds the alarm on an often-misused feature of Amazon Web Services' Relational Database Service (RDS), which they discovered can - and does - leak personally indentifiable information.

The RDS snapshot feature is, as you might expect, primarily used for backing up databases. However, a public RDS snapshot is also useful for sharing database templates, or even database content which is meant to be publicly accessible, and occasionally it is used as a quick mechanism for sharing data with colleagues without having to deal with the complexities of database accounts, roles and policies. Once the colleague has the data, the snapshot can be deleted or access withdrawn.

However, by developing a scanner using AWS's Lambda Steo Function and boto3, Mitiga found a lot of snapshots that were shared publicly for a few hours, days or even weeks and were able to clone them, extracting potentiall sensitive information.

There are several lessons here, not all of them obvious; Mitiga's report provides a comprehensive write-up with actionable recommendations for Amazon RDS customers.

Szarf, Ariel, Doron Karmi and Lionel Saposnik, Oops, I leaked it Again - How Mitiga Found PII in Exposed Amazon RDS Snapshots, blog post, 16 November 2022. Available online at https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.