Admiration Tech News


Tag: Programming

New CMoon USB worm targets Russians in data theft attacks

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

A new self-spreading worm named ‘CMoon,’ capable of stealing account credentials and other data, has been distributed in Russia since early July 2024 via a compromised gas supply company website.

According to Kaspersky researchers who discovered the campaign, CMoon can perform a broad range of functions, including loading additional payloads, snapping screenshots, and launching distributed denial of service (DDoS) attacks.

Judging from the distribution channel the threat actors used, their targeting scope is focused on high-value targets rather than random internet users, which indicates a sophisticated operation.

Distribution mechanism

Kaspersky says the infection chain begins when users click on links to regulatory documents (.docx, .xlsx, .rtf, and .pdf) found on various pages of a company’s website that provides gasification and gas supply services to a Russian city.

The threat actors replaced the document links with links to malicious executables, which were also hosted on the site and delivered to the victims as self-extracting archives containing the original document and the CMoon payload, named after the original link.

“We have not seen other vectors of distribution of this malware, so we believe that the attack is aimed only at visitors to the particular site,” reports Kaspersky.

After the gas firm was notified of this compromise, the malicious files and links were removed from its website on July 25, 2024.

However, due to CMoon’s self-propagation mechanisms, its distribution may continue autonomously.

CMoon is a .NET worm that copies itself to a newly created folder named after the antivirus software it detected on the compromised device or one resembling a system folder if no AVs are detected.

The worm creates a shortcut on the Windows Startup directory to ensure it runs on system startup, securing persistence between reboots.

To avoid raising suspicions during manual user checks, it alters its files’ creation and modification dates to May 22, 2013.

The worm monitors for newly connected USB drives, and when any are hooked up on the infected machine, it replaces all files except for ‘LNKs’ and ‘EXEs’ with shortcuts to its executable.

CMoon also looks for interesting files stored on the USB drives and temporarily stores them in hidden directories (‘.intelligence’ and ‘.usb’) before these are exfiltrated to the attacker’s server.

CMoon features standard info-stealer functionality, targeting cryptocurrency wallets, data stored in web browsers, messenger apps, FTP and SSH clients, and document files in the USB or user folders that contain the text strings ‘secret,’ ‘service,’ or ‘password.’

An interesting and somewhat unusual feature is the targeting of files that might contain account credentials such as .pfx, .p12, .kdb, .kdbx, .lastpass, .psafe3, .pem, .key, .private, .asc, .gpg, .ovpn, and .log files.
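As an added defender-side example (not Kaspersky's or the article's code), the script below scans a mounted removable volume for the traces described above. The staging directory names, the LNK-replacement pattern and the 2013-05-22 date come from the article; the heuristic thresholds and the constructed sample volume are my own, and only modification time is checked because creation time is not portable.

```python
"""Scan a removable volume for the CMoon-style traces described above.
Added example; thresholds and sample data are constructed, not from a capture."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

STAGING_DIRS = {".intelligence", ".usb"}          # hidden exfiltration staging dirs
TAMPERED_DATE = datetime(2013, 5, 22, tzinfo=timezone.utc).date()


def scan_volume(root):
    """Return a list of (indicator, detail) tuples for the tree under root."""
    root = Path(root)
    findings = []
    lnk = exe = other = 0
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        if path.is_dir():
            if path.name in STAGING_DIRS:
                findings.append(("staging_dir", rel))
            continue
        suffix = path.suffix.lower()
        if suffix == ".lnk":
            lnk += 1
        elif suffix == ".exe":
            exe += 1
        else:
            other += 1
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime.date() == TAMPERED_DATE:
            findings.append(("timestamp_2013_05_22", rel))
    # A volume whose content is mostly .lnk files beside an .exe matches the
    # "replace every non-LNK/EXE file with a shortcut to the worm" behaviour.
    # The 3-shortcut minimum is an assumed threshold to avoid flagging a drive
    # that legitimately holds one or two shortcuts.
    if lnk >= 3 and exe >= 1 and lnk >= other:
        findings.append(("lnk_replacement", f"{lnk} lnk / {exe} exe / {other} other"))
    return findings


def build_sample(root, infected):
    """Constructed sample volume for demonstration; not real malware or data."""
    root = Path(root)
    (root / "report.docx").write_bytes(b"PK\x03\x04 constructed document")
    if not infected:
        return
    # Interesting file copied into the hidden staging dir, original replaced
    # by a shortcut, plus further shortcuts and the executable they point at.
    (root / ".usb").mkdir()
    (root / "report.docx").rename(root / ".usb" / "report.docx")
    for name in ("report.docx.lnk", "invoice.lnk", "photos.lnk", "notes.lnk"):
        (root / name).write_bytes(b"L\x00\x00\x00 constructed shortcut")
    worm = root / "report.exe"
    worm.write_bytes(b"MZ constructed placeholder")
    pinned = datetime(2013, 5, 22, 12, tzinfo=timezone.utc).timestamp()
    os.utime(worm, (pinned, pinned))          # mimic the pinned timestamp


def demo(infected=True):
    """Build a temporary sample volume and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, infected)
        return scan_volume(tmp)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```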

Targeted directories and data (Source: Kaspersky)

The malware can also download and execute additional payloads, capture screenshots of the breached device, and initiate DDoS attacks on specified targets.

Stolen files and system information are packaged and sent to an external server, where they are decrypted (RC4) and verified for their integrity using an MD5 hash.

Generating the data package for exfiltration (Source: Kaspersky)

Kaspersky leaves open the possibility of more sites outside its current visibility distributing CMoon, so vigilance is advised.

No matter how targeted this campaign may be, the fact that the worm spreads autonomously means it could reach unintended systems and create the conditions for opportunistic attacks.

Posted in Cyber Attacks. Tagged: Cyber Attacks, Data Security, malware, Programming, Ransomware, Spyware, vulnerability

AWS Adds Passkey Support for Enhanced Security, Enforces MFA for Root Users

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

AWS has recently announced two new security features. First, passkeys can now be used for multi-factor authentication (MFA) for root and IAM users, providing additional security beyond just a username and password. Second, AWS now requires MFA for root users, starting with the root user account in an AWS Organization. This requirement will be expanded to other accounts throughout the year.

Sébastien Stormacq, principal developer advocate at AWS, discussed these announcements related to MFA in a blog post. Stormacq stated that a passkey, used in FIDO2 authentication, is a pair of cryptographic keys created on your device when you sign up for a service or website. It consists of two linked cryptographic keys: a public key stored by the service provider and a private key stored securely on your device (like a security key) or synced across your devices through services like iCloud Keychain, Google accounts, or password managers like 1Password.

As another part of the security-related announcement, Stormacq mentioned that AWS is now enforcing multi-factor authentication (MFA) for root users on certain accounts. This initiative, initially announced last year by Amazon’s chief security officer Stephen Schmidt, aims to enhance security for the most sensitive accounts.

AWS has initiated this rollout gradually, starting with a limited number of AWS Organizations management accounts and expanding over time to encompass most accounts. Users without MFA enabled on their root account will receive a prompt to activate it upon login, with a grace period before it becomes mandatory.

To enable passkey MFA, users will need to access the IAM section of the AWS console. After selecting the desired user, locate the MFA section and click “Assign MFA device”. It’s important to note that enabling multiple MFA devices for a user can improve account recovery options.

AWS adds passkeys

Source: AWS adds passkey multi-factor authentication (MFA) for root and IAM users

Next, name the device and select “Passkey or security key”. If a password manager with passkey support is in use, it will offer to generate and store the passkey. Otherwise, the browser will provide options (depending on the OS and browser). For example, on a macOS machine using a Chromium-based browser, a prompt to use Touch ID to create and store the passkey within the iCloud Keychain is presented. The experience from this point onward varies based on the user’s selections.

Create a passkey on AWS

Source: AWS adds passkey multi-factor authentication (MFA) for root and IAM users

In a Reddit discussion regarding the announcement, one user noted a potential discrepancy: the release documentation mentioned Identity Center rather than IAM, yet the newly added passkey support did not appear to extend to Identity Center. The discussion in the thread further concluded that the release primarily added support for FIDO2 Platform Authenticators (passkeys) in addition to the existing support for Roaming Authenticators (security keys).

Passkeys for multi-factor authentication are currently available for AWS users in all regions except China. Additionally, the enforcement of multi-factor authentication for root users is in effect in all regions except the two China regions (Beijing and Ningxia) and AWS GovCloud (US), as these regions operate without root users.

Posted in Programming. Tagged: AWS, Programming, Tools

Microsoft Entra Suite Now Generally Available: Identity and Security Based Upon Zero-Trust Models

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

Microsoft has announced the general availability of its Entra Suite. According to the company, the suite provides a solution that integrates identity and security, facilitating a more unified approach to security operations.

The Entra Suite is built to streamline the implementation of zero-trust security models. Zero-trust is a framework where trust is never assumed, and verification is continuously enforced. By integrating identity management with security operations, Microsoft aims to make zero-trust adoption more seamless for organizations.

The company states that the suite focuses on providing secure access for the workforce, marking the second stage in the company’s vision for a universal trust fabric for the era of AI. In an earlier company blog post, Joy Chik writes:

Once your organization has established foundational defenses, the next priority is expanding the Zero Trust strategy by securing access for your hybrid workforce. Flexible work models are now mainstream, and they pose new security challenges as boundaries between corporate networks and the open Internet are blurred. At the same time, many organizations increasingly have a mix of modern cloud applications and legacy on-premises resources, leading to inconsistent user experiences and security controls.

In addition, the company writes in the announcement blog post:

By incorporating the principles of Zero Trust—verify explicitly, use least privileged access, and assume breach—the Microsoft Entra Suite and the Microsoft unified security operations platform help leaders and stakeholders for security operations, identity, IT, and network infrastructure understand their organization’s overall Zero Trust posture.

Microsoft Entra Suite offers several identity-centric solutions, including private access for securing private resources, internet access for protecting against internet threats, ID Governance for automating identity management, ID Protection for real-time identity compromise prevention, and Verified ID for real-time identity verification.

Microsoft Enterprise Suite allows organizations to unify Conditional Access policies, ensure minimal access privileges (least privileges) for all users, enhance the user experience for in-office and remote workers, and reduce the complexity and cost of managing security tools.

Conditional Access Microsoft Entra (Source: Screenshot YouTube First Look on Microsoft Entra Suite)

In a First Look on Microsoft Entra Suite YouTube video, MVP Andy Malone explains conditional access policies among the suite’s other features:

What conditional access does is that it’s part of Microsoft’s Zero Trust Technologies. So, in other words, you have to go to verify every user, every application, and every device on your network. Conditional access policies will help you do that.

The Microsoft Entra Suite is $12 per user per month, and the Microsoft Entra P1 is a licensing and technical prerequisite. The pricing page has more details.

Posted in Programming. Tagged: Microsoft, Programming

Introducing New SKUs for Microsoft Azure Bastion: Developer and Premium Options Now Available

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

Microsoft recently announced new SKUs for its Azure Bastion service: a Developer SKU that is now generally available (GA) after its public preview last year and a premium SKU being rolled out in a public preview.

Microsoft Azure Bastion is a fully managed Platform as a Service (PaaS) that offers seamless RDP and SSH connectivity to virtual machines accessed directly in the Azure portal. The Developer SKU is designed for Dev/Test users who need secure VM connections without requiring extra features, configuration, or scaling. The new premium SKU offers advanced recording, monitoring, and auditing capabilities for customers managing highly sensitive workloads.

With the Bastion Developer SKU, there’s no need to allocate dedicated resources to your customer VNET. Instead, it uses a shared pool of resources managed internally by Microsoft, ensuring secure connectivity to their VMs. Users can access their VMs directly through the connect experience on the VM blade in the portal, with support for RDP/SSH on the portal and SSH-only for CLI sessions.

Isabelle Morris, a product manager of Azure Networking, explains in a Tech Community blog post:

This service is designed to simplify and enhance the process of accessing your Azure Virtual Machines by eliminating the complexities, high costs, and security concerns often associated with alternative methods.

Overview of the Azure Bastion Developer SKU Architecture (Source: Microsoft Learn)

Aaron Tsang, product manager, Microsoft, writes about the public preview of the premium SKU:

Our first set of features will focus on ensuring private connectivity and graphical recordings of virtual machines connected through Azure Bastion.

Azure Bastion’s private-only deployment enables inbound connections using a private IP address, which is beneficial for customers seeking to minimize public endpoints or adhere to strict organizational policies. This allows private connectivity from on-premises to Azure virtual machines when using ExpressRoute private peering.

Overview of the Azure Bastion Private Only Deployment (Source: Microsoft Learn)

The private-only deployment feature received positive feedback from the community. Joe Parr comments:

A key feature for me is the private-only mode—no more internet-routable deployments of Bastion.

The graphical session recording in Azure Bastion visually records all virtual machine sessions, storing them in a customer-designated storage account for direct viewing in the Azure Bastion resource blade. This feature provides added monitoring for virtual machine sessions, allowing customers to review recordings if any anomalies occur. According to Aquib Qureshi, a technology specialist at Microsoft, the feature was one of the most requested.

Lastly, Azure Bastion pricing is based on hourly rates determined by SKUs, instances (scale units), and data transfer fees. Hourly pricing commences upon Bastion deployment, irrespective of outbound data usage. The pricing page provides more details.

Posted in Programming. Tagged: Microsoft, Programming

AWS Launches Open-Source Agent for AWS Secrets Manager

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

Amazon Web Services (AWS) has launched a new open-source agent for AWS Secrets Manager. According to the company, this agent simplifies the process of retrieving secrets from AWS Secrets Manager, enabling secure and streamlined application access.

The Secrets Manager Agent is an open-source tool that allows your applications to retrieve secrets from a local HTTP service instead of reaching out to Secrets Manager over the network. It comes with customizable configuration options, including time to live, cache size, maximum connections, and HTTP port, allowing developers to tailor the agent to their application’s specific requirements. Additionally, the agent provides built-in protection against Server-Side Request Forgery (SSRF) to ensure security when calling the agent within a computing environment.

The Secrets Manager Agent retrieves and stores secrets in memory, allowing applications to access the cached secrets directly instead of calling Secrets Manager. This means that an application can retrieve its secrets from the local host. It’s important to note that the Secrets Manager Agent can only make read requests to the Secrets Manager and cannot modify the secrets, while the AWS SDK allows more.
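The following is an added example, not AWS's code: a local model of the agent contract described above, showing the two properties that matter to a caller, a token-gated local endpoint that rejects requests lacking the SSRF token, and TTL caching so repeated reads cost one backend call. The header name `X-Aws-Parameters-Secrets-Token` and the path `/secretsmanager/get?secretId=` are assumptions from my reading of the agent's README, not taken from this page; the random token stands in for the agent's token file, and the backend secret is constructed.

```python
"""Local model of the Secrets Manager Agent contract described above:
token-gated GET endpoint plus TTL caching. Added example, not AWS's code."""
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Header name and path are assumed from the agent's README; unverified here.
TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"
SSRF_TOKEN = secrets.token_hex(16)  # stands in for the agent's token file
TTL_SECONDS = 2.0

# Constructed stand-in for Secrets Manager itself; the agent is read-only.
BACKEND = {"prod/db": {"SecretString": '{"user": "app", "pass": "constructed"}'}}
BACKEND_CALLS = {"count": 0}
CACHE = {}


def fetch_from_backend(secret_id):
    BACKEND_CALLS["count"] += 1
    return BACKEND[secret_id]


def get_secret_cached(secret_id, now=None):
    """Serve from cache inside the TTL, otherwise make one backend call."""
    now = time.monotonic() if now is None else now
    hit = CACHE.get(secret_id)
    if hit and now - hit[0] < TTL_SECONDS:
        return hit[1]
    value = fetch_from_backend(secret_id)
    CACHE[secret_id] = (now, value)
    return value


class AgentHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_GET(self):
        # SSRF guard: a request that cannot read the token file is refused,
        # so a forged request from a browser or SSRF'd service gets nothing.
        if self.headers.get(TOKEN_HEADER) != SSRF_TOKEN:
            self.send_error(403, "missing or invalid SSRF token")
            return
        url = urlparse(self.path)
        secret_id = parse_qs(url.query).get("secretId", [None])[0]
        if url.path != "/secretsmanager/get" or secret_id not in BACKEND:
            self.send_error(404, "unknown path or secret")
            return
        body = json.dumps(get_secret_cached(secret_id)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_agent():
    server = HTTPServer(("127.0.0.1", 0), AgentHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def get_secret(port, secret_id, token):
    """Client side: what an application or shell script sends to the agent."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/secretsmanager/get?secretId={secret_id}")
    if token is not None:
        req.add_header(TOKEN_HEADER, token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())["SecretString"]


def demo():
    server = start_agent()
    port = server.server_address[1]
    try:
        try:
            get_secret(port, "prod/db", None)  # forged request without token
            no_token = "accepted"
        except urllib.error.HTTPError as err:
            no_token = err.code
        first = get_secret(port, "prod/db", SSRF_TOKEN)
        second = get_secret(port, "prod/db", SSRF_TOKEN)  # served from cache
        return {"no_token_status": no_token, "secret": first,
                "same": first == second, "backend_calls": BACKEND_CALLS["count"]}
    finally:
        server.shutdown()
        server.server_close()
```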

A respondent on a Reddit thread explained the difference between the agent and AWS SDK, which, for instance, allows the creation of secrets:

This one caches secrets so that if the same secret is requested multiple times within the TTL, only a single API call is made, and the cached secret is returned for any subsequent requests.

In addition, on a Hacker News thread, a respondent wrote:

If I looked at what this does and none of the surrounding discussion/documentation, I’d say this is more about simplifying using Secrets Manager properly than for any security purpose.

To use the secret manager “properly,” in most cases, you’ll need to pull in the entire AWS SDK, maybe authenticate it, make your requests to the secret manager, cache values for some sort of lifetime before refreshing, etc.

To use it “less properly,” you can inject the values in environment variables, but then there’s no way to pick up changes, and rotating secrets becomes a _project_.

Or spin this up, and that’s all handled. It’s so simple you can even use it from your shell scripts.

Lastly, there are several open-source secret management tools available in the Cloud, like Infisical, an open-source secret management platform that developers can use to centralize their application configuration and secrets like API keys and database credentials, or Conjur, which provides an open-source interface to securely authenticate, control, and audit non-human access across tools, applications, containers, and cloud environments via robust secrets management. In addition to these, there are proprietary secret management solutions like HashiCorp Vault, Azure Key Vault, Google Secret Manager, and AWS Secrets Manager.

Posted in Programming. Tagged: AWS, Open Source, Programming

Microsoft Introduces the Public Preview of Flex Consumption Plan for Azure Functions at Build

Posted on August 8, 2024 - August 8, 2024 by Maq Verma

At the annual Build conference, Microsoft announced the flex consumption plan for Azure Functions, which brings users fast and large elastic scale, instance size selection, private networking, and higher concurrency control.

The Flex Consumption Plan is a new Azure Functions hosting plan that uses the familiar serverless consumption-based billing model (pay for what you use). It provides users with more flexibility and customization options without sacrificing existing capabilities. According to the company, users can build serverless functions with this plan, leading to higher throughput, improved reliability, better performance, and enhanced security according to their needs.

Flex Consumption (Source: Tech Community blog post)

Thiago Almeida, who works for the Azure Functions engineering team, writes:

Flex Consumption is built on the latest Functions host especially optimized for scale, a brand-new backend infrastructure called Legion, and a new version of our internal scaling service. It is now available in preview in 12 regions and supports .NET 8 Isolated, Python 3.11 and Python 3.10, Java 17 and Java 11, Node 20 LTS, and PowerShell 7.4 (Preview).

Flex Consumption offers a range of scaling capabilities, including multiple instance memory choices, per-instance concurrency control, per-function scaling, “Always Ready” instances, and the ability to scale out to up to 1000 instances per app. In addition, users can securely access Virtual Network (VNet)-protected services from their function app and secure their function app to their VNet. There is no extra cost for VNet support; users can share the same subnet between multiple Flex Consumption apps.

Besides Flex Consumption’s scaling and networking features, other features are available, including Azure Load Testing integration for Function apps. This integration allows users to set up load tests against their HTTP-based functions easily. Flex Consumption apps can also opt in to emit platform logs, metrics, and traces using OpenTelemetry semantics to Azure Application Insights or other OTLP-compliant endpoints. Finally, it’s important to note that Flex Consumption has no execution time limit enforced by the functions host. However, it’s still essential to write robust functions, as there are no execution time guarantees during public preview and the platform can still cancel function executions.

A cloud solution architect from Germany tweeted on the announcement of the new plan:

Finally… Too late, but better than never. We lost a huge project against AWS-Competitor due to the lack of these capabilities two years ago. We developed one year ago, and the customer decided to switch to AWS due to the lack of possibilities for scale to zero and VNet Integration at once.

While Miroslav Janeski, a technical director at Init Norway, concludes in a blog post:

Azure Functions Flex Consumption represents a significant leap forward in serverless computing. It addresses long-standing challenges while maintaining cost efficiency and scalability benefits. As cloud-native applications evolve, innovations like these will pave the way for even greater advancements.

Lastly, the Flex Consumption Plan operates on a consumption-based pricing model. Charges are applicable for on-demand instances during function execution and for optional “Always Ready” instances. The plan includes a monthly free grant of 250,000 requests and 100,000 GB-s of resource consumption per subscription.

Posted in Programming. Tagged: Microsoft, Programming
