The disruptive attacks highlight what some cyber experts say is an overlooked or underestimated threat vector among developers: Infrastructure-as-Code (IaC). Considered a key element of DevOps practices, IaC tools such as Salt typically allow developers to use code to automate the management and provisioning of complex computer infrastructure environments, helping them avoid configuration discrepancies between machines that can hold up software deployments and would otherwise require manual intervention. But it is these same helpful capabilities that make the exploitation of IaC tools uniquely dangerous.
"To understand the potential implications of an IaC, one must remember that IaC is designed to accomplish two fundamental objectives: consistency and speed," said Bill Santos, president and COO of Cerberus Sentinel. "IaC tools are designed to quickly deploy and update large environments in a very standardised way very quickly. The implication to an exploited IaC is significant: whereas the consistency and speed is advantageous for approved changes, an exploited change will get deployed equally quickly and equally consistently across that same environment, dramatically increasing its impact vs. other exploit approaches."
Santos added that many developers "are not appreciating the importance of IaC code and are not reviewing it, testing it, etc. at the same level they would application-level code. And in so doing, they are creating or increasing a very real threat vector."
"Therefore, it's important to elevate the significance of any automation code, especially IaC code, within the context of the development lifecycle," said Santos. "It is not second-class code, but rather carries the same importance and significance as any other code supporting an application. It needs to be reviewed, tested and assured in a [manner] similar to every other element of an application architecture."
Indeed, in the recently released Spring 2020 edition of the Unit 42 Cloud Security Report, researchers with Palo Alto Networks' global threat intelligence team warned that developers are failing to scan IaC templates for security issues whenever they are created or updated, which raises the likelihood of encountering exploitable cloud vulnerabilities.
"We found that nearly 200,000 IaC templates contained at least one vulnerability or misconfiguration, which range in severity from exposing systems to the public to disabling encryption and logging requirements. So yes, IaC is often overlooked as a serious threat vector," said Nathaniel Quist, senior cloud threat researcher with Unit 42. "As an industry, we should encourage all organisations to employ the proper implementation of IaC templates within a vetted and secure CI/CD Development Operations using Cloud Native Security Platforms (CNSP). IaC templates greatly increase the speed at which organisations can deploy business-critical applications, but without proper security oversight, they could also increase the speed at which they open themselves up for malicious attacks."
The various attacks took place after adversaries scanned the internet for Salt masters (the servers that control the "minions" carrying out tasks for the IaC tool) that were both exposed to the internet and vulnerable to the two bugs. Users are exposed to exploitation only if both of these conditions are met.
Ghost on May 3 reported an outage affecting its services, later reporting that an actor exploited vulnerabilities in its Salt server management infrastructure to install cryptojacking software. "The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately," the blogging platform stated.
In a subsequent update, Ghost said it removed the cryptominer and added multiple new firewalls and security precautions, the introduction of which ironically disrupted customer blog sites further, albeit temporarily. "At this time there is no evidence of any attempts to access any of our systems or data," Ghost asserted. "Nevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned."
Jeremy Rowley, VP of business development at DigiCert, reported via a May 3 Google Groups post that a CT (Certificate Transparency) Log 2 key used to sign Signed Certificate Timestamps (SCTs) was compromised.
"We are pulling the log into read-only mode right now," the post said. "Although we don't think the key was used to sign SCTs (the attacker doesn't seem to realise that they gained access to the keys and were running other services on the [infrastructure]), any SCTs provided from that log after 7pm MST yesterday are suspect. The log should be pulled from the trusted log list." Rowley later said in an update that the log should be distrusted for everything after 17:00:02 on May 2.
And LineageOS reported that on 2 May, a malicious actor accessed its Salt master "to gain access to our infrastructure". LineageOS's services were knocked temporarily offline, forcing the developer to restore them piecemeal. However, signing keys and builds were unaffected.
Researchers with F-Secure, who discovered the flaws, reported last Friday in a blog post and corresponding advisory that attackers could exploit the bugs to bypass the authentication and authorisation controls that regulate access to Salt installations and then remotely execute code with root privileges on the master, allowing for control of all its minions.
"Patch by Friday or compromised by Monday," said F-Secure principal consultant Olle Segerdahl in the blog post.
F-Secure says it conducted its own scan and found 6,000 instances of exposed Salt masters. "I was expecting the number to be a lot lower. There's not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet," said Segerdahl.
However, Alex Peay, SVP of product at SaltStack, characterised the 6,000 instances as "a very small portion of the [Salt] install base", adding that "clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability."
According to SaltStack's official advisory, the two bugs, designated CVE-2020-11651 and CVE-2020-11652, were discovered in the salt-master process's ClearFuncs class in Salt versions prior to 2019.2.4 and 3000.2. The former bug is due to improper validation of method calls, and allows a remote user to access some methods without authentication. "These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions," the advisory states. The other flaw allows access to methods that improperly sanitise paths. "These methods allow arbitrary directory access to authenticated users," the advisory continues.
In a patch issued at the end of April, SaltStack fixed the validation process. However, attackers did not waste time taking advantage of users who had not immediately updated to one of the patched, secure versions.
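The version boundaries in the advisory make the exposure check mechanical. The following Python script is an added example, not part of the article or of SaltStack's own tooling: it triages a constructed inventory of Salt masters, flagging anything older than 2019.2.4 or 3000.2 on its branch, and separates the hosts the article describes as at real risk (unpatched and reachable from the internet) from those that merely need patching.

```python
"""Triage a Salt master inventory for CVE-2020-11651 / CVE-2020-11652.

Added example, not from the article or SaltStack.  Fixed releases come from
the advisory quoted above (2019.2.4 and 3000.2); the inventory is constructed
sample data.  Salt moved from date-based versions (2019.2.x) to a plain
increasing major (3000.x), and 3000 > 2019, so tuple comparison still works.
"""
import re

def parse_version(text):
    """Return the numeric version tuple from a 'salt --version' style string."""
    m = re.search(r"\b(\d{4}(?:\.\d+)+)\b", text)
    if not m:
        raise ValueError(f"no Salt version in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(version):
    """True if the version predates the first fixed release on its branch."""
    if version[0] >= 3000:
        return version < (3000, 2)          # 3000.0 and 3000.1 are exposed
    if version[:2] == (2019, 2):
        return version < (2019, 2, 4)       # 2019.2.0 .. 2019.2.3 are exposed
    return True                             # older branches (e.g. 2018.3) predate the fix

# Constructed inventory: hostname, reported version, and whether the master is
# reachable from the internet according to your own external exposure check.
INVENTORY = """\
salt-prod-1 2019.2.3 internet
salt-prod-2 2019.2.4 internet
salt-dev    3000.1   internal
salt-legacy 2018.3.4 internet
salt-new    3000.2   internet
"""

def triage(inventory=INVENTORY):
    """Bucket hosts: 'critical' = unpatched and internet-exposed (both
    conditions the article names), 'patch' = unpatched but not exposed,
    'ok' = already on a fixed release."""
    result = {"critical": [], "patch": [], "ok": []}
    for line in inventory.splitlines():
        host, version_text, exposure = line.split()
        if not is_vulnerable(parse_version(version_text)):
            result["ok"].append(host)
        elif exposure == "internet":
            result["critical"].append(host)
        else:
            result["patch"].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in triage().items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```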
"Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorised users since the release of the patches," said Peay. "We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to the latest versions of the platform and register with support for future awareness of any possible issues and remediations."
James McQuiggan, security awareness advocate at KnowBe4, said that the Salt vulnerabilities can be abused for far worse than the reported cryptomining scheme.
"If organisations do not update their SaltStack, they are exposed to an attack where malware, ransomware or attack vectors can be initiated to gain control, steal intellectual property or hold an organisation's data for ransom," said McQuiggan. "Incident response for organisations needs to be swift to implement testing and patching of the servers using SaltStack. If they cannot be updated, additional steps will be required to reduce access on applications, users and systems to only those necessary and required for access."
Quist from Unit 42 offered these key takeaways for IaC users: "Trust but verify all network operations. All user access events should be monitored and only authorised users should be given access. Changes or updates to all Salt master or minion nodes need to be vetted to ensure no security risks are present. No changes should be allowed to occur to any Salt IaC template without approval and changes need to be verified for integrity. All requests for change need to be properly authenticated and their integrity needs to be verified."
This article was first published in SC US.